In our increasingly digitized world, cybersecurity has become a crucial concern for everyone involved in railway systems, from railway operators to passengers, from infrastructure manufacturers to businesses shipping freight, and of course to governments. With its heavy reliance on computerized systems for everything from train dispatching to passenger information, it is clear why these groups support taking steps to ensure that railway systems are secure and protected against cyber threats.
The Establishment of European Railway Cybersecurity Regulations
Precisely for this reason, the European Union (EU) has built a set of cross-sector cybersecurity rules that apply to rail transport: the Network and Information Systems (NIS) Directive, adopted in 2016 as Directive (EU) 2016/1148, and the later Cybersecurity Act. These rules are not rail-specific; they apply to rail as one of several critical sectors, and to railway undertakings and infrastructure managers operating in the EU that Member States identify as operators of essential services. The NIS Directive sets out requirements for the protection of critical infrastructure, including railway networks, and requires operators of essential services (OES) to take appropriate technical and organisational measures to manage the risks to the security of their networks and information systems and to notify serious incidents to the competent national authority.
How NIS2 Improves European Cybersecurity
On 16 January 2023, Directive (EU) 2022/2555 (known as NIS2) entered into force; it repealed Directive (EU) 2016/1148 with effect from 18 October 2024, the day after the deadline for Member States to transpose it into national law. ENISA considers that NIS2 improves the existing cybersecurity status across the EU in several ways by:
1. Creating the necessary cyber crisis management structure (CyCLONe)
2. Increasing the level of harmonization regarding security requirements and reporting obligations
3. Encouraging Member States to introduce new areas of interest, such as supply chain, vulnerability management, core internet and cyber hygiene, into their national cybersecurity strategies
4. Bringing novel ideas such as peer reviews for enhancing collaboration and knowledge sharing amongst the Member States
5. Covering a larger share of the economy and society by including more sectors, so that more entities are obliged to take measures to raise their level of cybersecurity.
The Cybersecurity Act and the ENISA Framework
The Cybersecurity Act, politically agreed in December 2018 and adopted as Regulation (EU) 2019/881 in 2019, gave ENISA a permanent mandate and established a European cybersecurity certification framework for information and communication technology (ICT) products, services and processes, including those used in the railway industry. Under the framework, the European Union Agency for Cybersecurity (ENISA) prepares candidate certification schemes that define the criteria and requirements an ICT product, service or process must meet to be certified at a given assurance level. Certification under these schemes is voluntary unless EU or national law makes it mandatory for a particular product category, so railway suppliers and operators should check which schemes, if any, apply to the systems they procure.
It is worth noting that companies failing to comply with the EU’s cybersecurity rules may face significant fines and other penalties. Beyond the safety and operational consequences of an incident, compliance is therefore not something a railway can treat reactively: it requires a proactive approach to risk management, incident reporting and supply-chain oversight.
These cybersecurity regulations, combined with the increasing digitization of critical infrastructure, make it imperative to have robust dedicated cybersecurity solutions in place to protect against cyber threats and ensure the safe and reliable operation of railways.
Why European Railway Cybersecurity Regulations are Not Enough
One of the primary reasons such solutions matter in the railway industry is the sheer scale and complexity of railway infrastructure. Modern railway systems incorporate advanced technologies such as the European Rail Traffic Management System (ERTMS), with the European Train Control System (ETCS) for signalling and GSM-R (Global System for Mobile Communications – Railway) for train-to-trackside communication. These technologies improve operational efficiency, but they also replace isolated, proprietary equipment with networked digital systems and thus widen the attack surface exposed to cyber threats. Cybersecurity solutions tailored to the railway industry help not only with compliance with the new rules but also with identifying and mitigating these risks effectively.
Another factor that underscores the importance of specialized rail cybersecurity solutions is the potential consequence of a successful cyberattack. A breach in the railway industry could not only disrupt services, causing significant economic losses, but also compromise the safety of passengers and employees. In this context, the implementation of robust, end-to-end cybersecurity measures is essential to protect critical infrastructure and maintain public trust in the industry.