by Mohammad Jbair, Principal Consultant, OT CyberSecurity and Digital Manufacturing on 2021-04-08

Securing the Rail Sector – What considerations should be in the Regulator’s Point of View?

Cyber security threats are an increasing source of concern in the rail sector. In line with this, there is a clear upwards trend in reported cyber-attacks that are targeting Industrial Control Systems (ICS) and Operational Technology (OT)[1]. Within the rail sector, digital transformation, Industry 4.0 and IIoT technologies are increasing the connectivity of infrastructure and rolling stock systems. These technological advances can, however, introduce new cyber vulnerabilities, in addition to existing threats from the rail supply chain, commercial off-the-shelf (COTS) products and legacy systems. Therefore, to improve governance and security across the rail industry, new regulations have been created. These oblige railway stakeholders to take action.

To protect rail systems from cyber threats and comply with regulations, organisations must build a holistic security strategy that considers people, process and technology. The strategy should ensure that it targets the organisational level, the overall rail system level, and the individual components level.

The strategy should comprise the following:

  • Understand the cyber threat landscape, vulnerabilities and risks, as well as their impact on the railway environment and assets.
  • Protect the environment and assets by implementing secure-by-design methods, providing resiliency against malicious behaviour or cyber-attacks, and limiting their likelihood.
  • Detect and report abnormal behaviour by implementing a functional and innovative detection and prevention security monitoring system.
  • Respond to cyber incidents and ensure recovery of railway services by implementing a Security Operations Centre (SOC).

Railway stakeholders can utilise several standards and guidelines to help build their strategy. For example, at the business organisational level, they can look to NCSC risk management guidance, ISO 27001, and IEC 62443-2-1. For the overall rail system, they could consider the NCSC secure design principles, IEC 62443-3-2, and IEC 62443-3-3. At the individual components level, ISO 55001:2014 – Asset Management, IEC 62443-4-1, and IEC 62443-4-2 should be considered.

Creating an ongoing cyber security Risk Management Framework (RMF) is essential. This should be applied to railway assets and infrastructure. The RMF must be systematic and repeatable, so that organisations can use it to conduct regular risk assessments and treatment. Figure 1 below illustrates the process:

[Figure 1: Securing the rail sector – risk management framework with Inputs, Assessment and Treatments stages]

Consider the “Inputs” section of Figure 1. The first input is the Business Impact Criteria, which cover the railway sector’s availability, reliability, safety, integrity, and confidentiality. The threat and vulnerability databases should be updated periodically by sourcing feeds from Cyber Threat Intelligence, as well as by conducting regular vulnerability assessments and pentesting exercises.

In the “Assessment” stage from Figure 1, one of the most important activities is to identify the risk level for each railway service (e.g., passenger information service), then map it with a corresponding business impact. Alongside that, it’s important to estimate the likelihood of occurrence.

The “Treatments” stage aims to generate an up-to-date risk register that contains all risks for the business. Once these are defined, the risk treatment plan can be developed. This process is systematic, so the assessor (internal or external) can ensure consistency in every risk assessment and treatment exercise. Many tools are available to assist in performing a systematic risk management activity.
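To show what “systematic and repeatable” means in practice, here is a small worked example of the Assessment and Treatments stages described above. It is an added illustration, not code from the article or from Airbus: the five Business Impact Criteria are the article’s, while the 1–5 scales, the worst-case impact rule, the risk-matrix cut-offs, the default treatment per band and the sample services and threats are all constructed assumptions.

```python
"""Repeatable risk assessment and risk register for railway services.

Added worked example, not code from the original article. The five
business-impact criteria follow the article; the 1..5 scales, the risk
matrix cut-offs, the treatment mapping and the sample services/threats
are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

IMPACT_CRITERIA = ("availability", "reliability", "safety",
                   "integrity", "confidentiality")
SCALE = range(1, 6)  # 1 = negligible / rare ... 5 = severe / almost certain


@dataclass(frozen=True)
class Threat:
    description: str
    likelihood: int  # 1..5, estimated from threat intelligence and assessments


@dataclass(frozen=True)
class Service:
    name: str
    impact: Dict[str, int]  # criterion -> 1..5 (Business Impact Criteria)
    threats: List[Threat]


def validate(service: Service) -> None:
    """Reject incomplete input so every assessment rates the same criteria."""
    missing = set(IMPACT_CRITERIA) - set(service.impact)
    if missing:
        raise ValueError(f"{service.name}: missing criteria {sorted(missing)}")
    for criterion, rating in service.impact.items():
        if criterion not in IMPACT_CRITERIA or rating not in SCALE:
            raise ValueError(f"{service.name}: bad rating {criterion}={rating}")
    for threat in service.threats:
        if threat.likelihood not in SCALE:
            raise ValueError(f"{service.name}: bad likelihood for {threat.description!r}")


def business_impact(service: Service) -> int:
    """Worst case across criteria: a safety rating of 5 must not be averaged away."""
    return max(service.impact[c] for c in IMPACT_CRITERIA)


def risk_level(score: int) -> str:
    """Map a 1..25 impact x likelihood score onto a three-band matrix (assumed cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Assumed default treatment per band; the risk treatment plan refines these.
DEFAULT_TREATMENT = {"high": "mitigate (priority)",
                     "medium": "mitigate",
                     "low": "accept and monitor"}


def build_risk_register(services: List[Service]) -> List[dict]:
    """Produce the risk register: one row per service/threat pair, highest score first."""
    register = []
    for service in services:
        validate(service)
        impact = business_impact(service)
        for threat in service.threats:
            score = impact * threat.likelihood
            level = risk_level(score)
            register.append({
                "service": service.name,
                "threat": threat.description,
                "impact": impact,
                "likelihood": threat.likelihood,
                "score": score,
                "level": level,
                "treatment": DEFAULT_TREATMENT[level],
            })
    # Deterministic ordering: two runs on the same input give the same register.
    register.sort(key=lambda r: (-r["score"], r["service"], r["threat"]))
    return register


# Constructed sample input (not real assessment data).
SAMPLE_SERVICES = [
    Service("Passenger information service",
            {"availability": 3, "reliability": 3, "safety": 2,
             "integrity": 3, "confidentiality": 1},
            [Threat("Incorrect departure information from a compromised content feed", 3),
             Threat("Loss of display servers after a COTS component failure", 2)]),
    Service("Signalling data link",
            {"availability": 4, "reliability": 4, "safety": 5,
             "integrity": 5, "confidentiality": 2},
            [Threat("Legacy remote maintenance access misused", 4),
             Threat("Supply-chain firmware defect in trackside equipment", 2)]),
]

if __name__ == "__main__":
    for row in build_risk_register(SAMPLE_SERVICES):
        print(f'{row["level"]:<6} {row["score"]:>2}  {row["service"]}: '
              f'{row["threat"]} -> {row["treatment"]}')
```

The design choice worth noting is the worst-case rule in `business_impact`: averaging the five criteria would let a high safety rating be diluted by low confidentiality, which is the opposite of what a rail operator wants. Changing the cut-offs or the treatment mapping in one place changes every row consistently, which is what makes the register comparable between assessment rounds and between internal and external assessors.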

Building CNI resilience

In 2018, the NIS Directive (Network & Information Systems) came into force, which aims to raise the levels of cyber security and resilience of key systems within critical national infrastructure. Under the Directive, railway stakeholders are responsible for their operations and networks. However, applying NIS regulation is challenging in this sector due to the high level of shared responsibilities between stakeholders – including rolling stock owners, infrastructure managers, train operators, train manufacturers, the Department for Transport (DfT) and supply chains. An ideal approach to managing cyber security and NIS compliance is to have a clear shared responsibility between stakeholders, so that everyone understands their roles and responsibilities throughout the entire lifecycle: Design, Engineering, Procurement, Manufacturing, Testing, Installation, Operation and Maintenance.

Following cyber security best practices is essential during the implementation of a cyber security programme. Moreover, knowledge-sharing between railway stakeholders is vital to raise awareness of the rail sector’s threat landscape and assist stakeholders in defending against potential cyber-attacks. Several entities (e.g. NCSC, ISA, NIST, etc.) have released guidelines to help the rail sector assess, protect, and manage its infrastructure. The table below lists some of these guidelines, security standards, whitepapers, and reports:

Description   Standard, Guidelines or Best Practices
Cyber Security Strategy
Risk Management   NCSC Risk Management Guidance; NIST 800-37; ISO 27005
Security Detection and Monitoring   NCSC Intro to Logging for Security Purposes; NCSC SOC Buyers Guide; CREST Cyber Security Monitoring Guide; NIST SP 800-94; NIST 800-137; IEC 62443-3-3; intelligent security tools
Response and Recovery
Supply Chain
Security Awareness   NCSC Certified Training; NIST 800-50
Cyber Security Information Sharing   CiSP
Airbus Whitepapers and Datasheets

In summary, the key aim of recent regulation, such as the NIS Directive, is to ensure the overall cyber security and resilience of an increasingly interconnected rail sector. In response, rail stakeholders must build an effective cyber security strategy that can be implemented through a defined roadmap. In addition, collaboration between rail stakeholders and the regulator is essential to manage overall security and gain further visibility into the constantly evolving threat landscape.
