Cyber Security
As a critical infrastructure component, the railway system is a potential target for cyberattacks. This is especially true for the ongoing digitalisation of the railway system, which is progressing rapidly. The challenges of cybersecurity lie both in the digital infrastructure (IT) and in the operational technology (OT). The integration of these two disciplines brings numerous benefits, but also risks in terms of cyberattacks and data integrity. Additionally, companies in the railway industry must comply with regulatory requirements regarding cybersecurity (e.g.: FOT CySec-Rail Directive, CLS/TS 50701, IEC 62443, etc.), to ensure data protection and operational safety.
The Enotrac team supports customers in implementing the requirements according to the BAV guideline (CySecRail) and cybersecurity in projects (cyber risk analysis,design process, cybersecurity architecture, etc.). We also offer comprehensive support throughout the entire project lifecycle, both an OT and IT perspective. Additionally, we can manage cybersecurity challenges with suppliers on your behalf, including defining cybersecurity requirements, preparing tenders and supplier management. Enotrac has the necessary expertise in both OT and IT security.
Other fields of activity in Cyber Security
-
Does safety necessarily require cybersecurity?
In a world where the rail system is a system-relevant infrastructure, the growing threat of cyber attacks is coming into focus. A glance at the 21st International Signal+Draht Congress 2021 in Fulda, Germany, makes this clear. Even preventive maintenance of the rail system is not spared from this threat, as the sources of diagnostic data, the communication channels and the landside users of the information are potential gateways for cyber attacks.
The interaction of safety and cybersecurity
Linguistic differentiation and definitions
In the rail system, as in many other areas, safety and security are of great importance. These two terms differ not only linguistically but also in their definitions and objectives. In German, we often use the word ‘Sicherheit’ for both, which can lead to confusion.
Safety generally aims to protect people and the environment from a system’s failures or malfunctions. It focuses on unintended events and their causes or consequences. Security, on the other hand, aims to protect the system from human interference. It deals with intended events, whether intentional or malicious.
Mutual dependence
The connection between safety and security is closer than it might initially appear. An adequate security environment must protect the safety functions so that they can fulfil their task – the protection of people and the environment. Problems can arise if the security protection is insufficient or if the security measures impair the safety functions. In both cases, systematic errors are usually the main cause of problems. In the case of safety, they result in protection not being guaranteed, while in the case of security, vulnerabilities arise that can be exploited by attackers.
Understanding of terms in context
In this article, ‘system’ usually refers to a technical system, possibly with an operator, and ‘safety’ is understood to mean operational safety or functional safety. When we refer to ‘security’ in relation to technical systems, we mainly mean IT security, possibly including physical aspects.
The importance of security in railway signalling
Security has been an important factor in railway signalling for some time, particularly with regard to its impact on safety, and is also considered in the safety case, at least in terms of freedom from interference. Until now, security has been thoroughly tested mainly when major changes are made to existing systems, particularly when new communication technologies are introduced. These tests will need to be expanded in the future and should be based on international standards such as IEC 62443.
The challenges of digitalisation
As digitalisation advances in the railway system, the systems are becoming ever more powerful and complex. This leads to additional challenges in the area of the interaction between security and safety. In some cases, optimal solutions cannot be found, but acceptable compromises are essential. In addition to technical solutions, the future also requires increased attention to monitoring, updating and promoting a safety culture through training and awareness-raising. There is no question that digitalisation without safety and cybersecurity is doomed to fail.
The importance of coordination
Safety and cybersecurity are interdependent and require careful alignment to ensure both personal safety and cybersecurity. The CENELEC Technical Specification TS 50701 has put this principle at the centre and puts it succinctly: ‘If it is not cyber secure, it is unlikely to be safe.’
In today’s world, where our society is increasingly dependent on connected infrastructure and devices, cyber security is of the utmost importance. In the railway sector, connected trains and infrastructure are seen as a significant source for improving traffic management, energy efficiency and network communication. However, this development also brings with it increased potential for cyber attacks. To protect the rolling stock and fixed installations, adequate tools and requirements are needed.
CENELEC is helping to ensure this protection with the brand new CLC/TS 50701 ‘Railway applications – Cyber security’, developed by CLC/TC 9X ‘Electrical and electronic applications for railways’. This technical specification represents a milestone for the European railway sector, as it provides requirements and recommendations for the uniform treatment of cyber security in the railway sector.
CLC/TS 50701 applies to the communication, signalling and processing area, as well as to the area of rolling stock and fixed installations. It provides references to models and concepts from which requirements and recommendations can be derived to ensure that the residual risk of security threats is identified, monitored and managed by the rail system operator in an acceptable manner.
CLC/TS 50701 takes into account relevant safety-related aspects (EN 50126) and is aligned with various sources (IEC 62443-3-3, CSM-RA) that have been adapted to the context of railway operations. It covers numerous key topics, including an overview of the railway system, cybersecurity during the life cycle of a railway application, risk assessment, security design, cybersecurity assurance and system acceptance, vulnerability management and security patch management.
The valuable contribution of CLC/TS 50701 enables the European railway sector to develop the necessary applications for tomorrow’s train network more securely.
The urgency of cybersecurity in the rail sector
Social and economic impact
Cybercriminals can cause significant social and economic impact by attacking the rail system. Since public transport is an integral part of many people’s daily lives, this may increase the motivation of some hacker groups. A successful cyber attack on rail systems would have serious consequences, such as significant economic damage and even endangering numerous lives.
Lack of awareness and training
Another crucial factor in the increased risk of cyber attacks is the lack of awareness in dealing with the ever-digitising rail world. Many employees in the rail sector may not be aware of the dangers of cyber attacks or may not have sufficient training to watch out for suspicious activity or respond appropriately.
Threat of ransomware attacks
Ransomware attacks, in which files or data are encrypted and only released again after a ransom has been paid, are a particular cause for concern. Particularly in rail technology, where many systems are closely linked, such attacks can quickly lead to a chain reaction and paralyse large parts of the system.
Rapid increase in cyber attacks
The growing number of threatening cyber attacks underscores the urgency of implementing effective cyber security measures for the systemically important rail system. This is becoming even more important in view of the digitalisation of rail transport. Projects such as ‘Digital Rail for Germany’ and the accompanying ‘Fast Tracker Programme’ in Germany, and ‘Smartrail 4.0’, ‘Systemintegration Bahnsteuerung (SIBS)’ and ‘ERTMS Evolution Sicherungsanlagen (EESA)’ in Switzerland, are progressing rapidly.
Measures required for greater resilience
In the face of these complex challenges, it is essential that companies and authorities in the rail sector take appropriate measures to strengthen their resilience to cyber attacks. These measures include raising employee awareness, training employees and securing networks. Railway operators should regularly identify vulnerabilities in their networks and deploy updated security software to protect themselves from attacks.
Software updates and backups
Special attention should be paid to software updates, as they fix known vulnerabilities and minimise the risk of attacks. Similarly, regular backups of all important data and systems should be made to enable quick recovery in the event of an attack.
Unpredictability of vulnerabilities
Despite all the precautions taken, rail operators must be aware that every system may have unknown vulnerabilities, especially in view of the advancing digitalisation and networking. Therefore, a comprehensive emergency plan is crucial, which includes measures to contain attacks, to maintain operations despite attacks and to restore systems after attacks. Clear responsibilities, effective communication channels and cooperation with authorities and external experts are of central importance here.
Continuously update security measures
All these measures can help to reduce the risk of cyber attacks in the field of rail technology. However, it is important to emphasise that the threat of cyber attacks is constantly growing. It is therefore essential that companies and authorities regularly review and update their security measures.
Start of form
End of form
The need for standards
Ensuring the legally prescribed personal safety in the railway system requires comprehensive compliance with the safety requirements as defined in the established safety standards EN 50126, EN 50128, EN 50129, EN 50657 and EN 50159. However, the credibility of the safety integrity and the corresponding documentation in the safety case depends to a large extent on the implementation of appropriate cybersecurity requirements. These special requirements are anchored in the CENELEC technical specification TS 50701 and in the IEC 62443 series of standards.
Conclusion
In the challenging world of rail systems, characterised by their ever-increasing complexity and networking, as well as shared responsibility for cyber security, intensive professional exchange is becoming increasingly important. Tackling these complex challenges requires close collaboration between experts and all parties involved.
Enotrac excels in this field due to its in-depth knowledge of the interaction between rolling stock, infrastructure, and signalling systems. Our long-standing expertise in implementing demanding requirements in the area of personal security and cyber security is closely interwoven with strict compliance with the applicable standards. Our primary goal is to ensure the highest standards of security and protection against cyber threats in the rail system.
Simultaneously meeting the requirements for ensuring the safety of people from system failures and protecting against cyber attacks is undoubtedly an extremely complex challenge. Successfully meeting this challenge requires a comprehensive understanding of the interactions between rail vehicles, infrastructure and signalling systems, as well as in-depth experience in meeting the demanding requirements for personal and cybersecurity.
The interaction between safety and security is essential, as an effective safety environment must protect the safety functions in order to fulfil their task of protecting people and the environment from unintended events. At the same time, the protection of the security functions must not be neglected in order to protect against wilful or malicious acts. Systematic errors can lead to problems, whether in safety, where protection is not guaranteed, or in security, where vulnerabilities are exploited by attackers. Our in-depth expertise in the interaction between rail vehicles, infrastructure and signalling systems, combined with our extensive experience in successfully implementing demanding requirements in the areas of personal safety and cyber security, while strictly observing the applicable standards, makes us a trusted partner in the design of safety systems for rail systems.