Will European Railway Cybersecurity Regulations Be Enough?

Israel Baron
March 27, 2023

In our increasingly digitized world, cybersecurity has become a crucial concern for all those involved in railway systems, from railway operators to passengers, from infrastructure manufacturers to businesses sending cargo freights, and of course, to governments. With its heavy reliance on computerized systems for everything from train dispatching to passenger information, it is obvious why many of these interest groups support taking steps to ensure that railway systems are secure and protected against cyber threats.

The Establishment of European Railway Cybersecurity Regulations

Precisely for this reason, in 2016, the European Union (EU) established a comprehensive set of cybersecurity regulations for rail transport, which consists of the Network and Information Systems (NIS) Directive and the Cybersecurity Act. These regulations apply to all railway companies that operate in the EU. The NIS Directive sets out the requirements for the protection of critical infrastructure, including railway networks. The directive requires operators of essential services (OES), meaning companies providing essential services to take measures to manage the risks challenging the security of their networks and information systems.

How NIS2 Improves European Cybersecurity

On 16 January 2023, Directive (EU) 2022/2555 (known as NIS2) entered into force replacing Directive (EU) 2016/1148. ENISA considers that NIS2 improves the existing cyber security status across the EU in different ways by:
1. Creating the necessary cyber crisis management structure (CyCLONe)

2. Increasing the level of harmonization regarding security requirements and reporting obligations

3. Encouraging Members States to introduce new areas of interest such as supply chain, vulnerability management, core internet, and cyber hygiene their national cybersecurity strategies

4. Bringing novel ideas such as peer reviews for enhancing collaboration and knowledge sharing amongst the Member States

5. Covering a larger share of the economy and society by including more sectors means that more entities are obliged to take measures in order to increase their level of cybersecurity.

The Cybersecurity Act and the ENISA Framework

The Cybersecurity Act which came into effect in December 2018 aimed to establish a certification framework for information and communication technology (ICT) products, services, and processes, including those in the railway industry. ICT systems used in the railway industry will be subject to the European cybersecurity certification framework, which is currently under development by the European Union Agency for Cybersecurity (ENISA). The framework will define the criteria and requirements that ICT systems must meet to be certified as secure and trustworthy.

It is worth noting that companies failing to comply with the EU’s cybersecurity regulations for railways may face significant fines and other penalties. Beyond the safety and operational consequences, railways’ compliance with cybersecurity regulations must be realized via a proactive approach.

These cybersecurity regulations, combined with the increasing digitization of critical infrastructure, make it imperative to have robust dedicated cybersecurity solutions in place to protect against cyber threats and ensure the safe and reliable operation of railways.

Why European Railway Cybersecurity Regulations are Not Enough

One of the primary reasons for the importance of such solutions in the railway industry is the sheer scale and complexity of railway infrastructure. Modern railway systems incorporate advanced technologies like the European Rail Traffic Management System (ERTMS) and Global System for Mobile Communications-Railway (GSM-R) for efficient communication and control. These technologies, while bringing improvements in operational efficiency, also expose the railway systems to an increased risk of cyber threats. Cybersecurity solutions tailored specifically for the railway industry can help not only to comply with the new cybersecurity regulations but also to identify and mitigate these risks effectively.

Another factor that underscores the importance of specialized rail cybersecurity solutions in the railway sector is the potential consequences of a successful cyberattack. A breach in the railway industry could not only disrupt services, causing significant economic losses but also compromises the safety of passengers and employees. In this context, the implementation of robust and end-to-end cybersecurity measures is essential to protect critical infrastructure and maintain public trust in the industry.

Meet Railway Cybersecurity Compliance with Cervello

The Cervello Railway Cybersecurity Platform enables railway companies in the EU to both comply with cyber regulations mentioned in this article and protect their most valuable assets in several ways:

1. Comprehensive Risk Assessment: railway cybersecurity platform can perform comprehensive risk assessments to identify vulnerabilities and potential cyber threats within railway systems. This helps companies prioritize and allocate resources to address the most critical risks and comply with regulatory requirements.

2. Threat Detection and Incident Response: The Cervello Platform provides real-time threat detection and playbooks for recommended incident response to help railways quickly detect and respond to cyber-attacks in the manner they chose. This reduces the risk of successful attacks and helps companies comply with regulations requiring incident reporting and response.

3. Continuous Monitoring and Network Visibility: Cervello provides continuous monitoring of railway systems to ensure that new vulnerabilities and threats are quickly identified and addressed. This helps companies comply with evolving regulations and maintain compliance over time.

4. Asset Management: Cervello enables railways to identify, secure, and manage your operations throughout your OT, IoT, and IT-connected devices, as well as signaling and rolling stock with deep actionable context. Our platform easily and quickly integrates into the operational workflow to understand issues faster and ensure safety measures are met.

Overall, the Cervello platform empowers rail operational and security teams to proactively manage digital risks and maintain resilient operations through a technology-enabled ecosystem that gives the tools to rail personnel to solve issues in the manner they determine. Our dedicated solutions are selected and deployed globally by leading critical infrastructure and smart transportation organizations in the industry.

Cervello is exhibiting at APTA Rail 24! Join us June 2-3.