Compliance

In an attempt to raise the level of cybersecurity to a shared high level for OT and IT systems in critical infrastructure, the EU issued legislation, the NIS2 Directive. By October 2024, member states must adopt and publish the measures necessary to comply with the NIS 2 Directive.
The EU NIS2  Directive measures for railways’ compliance must include at least:

1. Policies on risk analysis and information system security;
2. Incident handling.
3. Business continuity, such as backup management disaster recovery, and crisis management.
4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.
6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
7. Basic cyber hygiene practices and cybersecurity training.
8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
9. Human resources security, access control policies, and asset management.
10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.

CENELEC,  the European Committee for Electrotechnical Standardization,  contributes to greater cybersecurity protection with the CLC/TS 50701 ‘Railway applications – Cybersecurity.’ This Technical Specification is a major landmark for the European railway sector, as it aims to provide requirements and recommendations to handle cybersecurity in a unified way for the railway sector.

The 50701 Technical Specification for the European Railway industry aims to provide requirements and recommendations to handle cybersecurity in a unified way. This Technical Specification applies to the areas of communications, signaling, and processing to rolling stock and to fixed installations domains. It provides references to models and concepts from which requirements and recommendations can be derived and that are suitable to ensure that the residual risk from security threats is identified, supervised, and managed to an acceptable level by the railway system.

CLC/TS 50701 takes into consideration relevant safety-related aspects and other sources such as  IEC 62443-3-3, and CSM-RA, adapting them to the railway context. It covers numerous key topics such as railway system overview, cybersecurity during a railway application life cycle, risk assessment, security design, cybersecurity assurance and system acceptance, vulnerability management, and security patch management.

IEC 62443 is an international series of standards that address cybersecurity for operational technology in automation and control systems. But was extended to critical infrastructure including transit systems.

The IEC 62443 series was developed to secure industrial automation and control systems (IACS). IEC 62443 was initially developed for the industrial process sector but was extended to critical infrastructure including transit systems. Implementing IEC 62443 can mitigate the effects and often prevent successful cyber-attacks, bolster security throughout the lifecycle, and reduce costs. IEC 62443 addresses not only the technology that comprises a control system, but also the work processes, countermeasures, and employees.

The IEC 62443 takes a risk-based approach to cyber security, which is based on the concept that it is neither efficient nor sustainable to try to protect all assets in equal measure. Instead, users must identify what is most valuable and requires the greatest protection and identify vulnerabilities. They must then erect defense-in-depth architecture that ensures business continuity. The IEC 62443 series of standards is organized into four parts: general terminology, concepts, and models; policies and procedures to establish a security program; system requirements for security including risk assessment for design and; components and requirements for secure product development and technical security requirements.

The NIST framework recommends and guides how to build a cybersecurity program that enables rail to be better prepared in identifying and detecting cyber-attacks, and also provides guidelines on how to respond, prevent, and recover from cyber incidents.

NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST is a federal, non-regulatory agency of the U.S. Department of Commerce. NIST’s Framework role is reinforced by the Cybersecurity Enhancement Act of 2014 (P.L. 113-274), which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure.

The Framework is organized by five key Functions – Identify, Protect, Detect, Respond, Recover. These five widely understood terms, when considered together, provide a comprehensive view of the lifecycle for managing cybersecurity risk over time. The NIST framework recommends and guides how to build a cybersecurity program that enables rail to be better prepared in identifying and detecting cyber-attacks and also provides guidelines on how to respond, prevent, and recover from cyber incidents.

In October 2022, the updated TSA (Transportation Security Administration of the U.S.) Rail Security Directive 1580/82-2022-01 for passenger and freight railroad carriers came into effect. The latest update is indicative of the effort to establish a preventative, resilience-based approach that enhances the cybersecurity preparedness of the nation’s railroads. Owner/Operators have 120 days from the effective date to submit a Cybersecurity Implementation Plan to the TSA for approval. Owners/Operators must implement the following cybersecurity measures:

1.  Implement network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised.
2. Establish access control measures to secure and prevent unauthorized access to Critical Cyber Systems (meaning, any IT or OT system or data that, if compromised or exploited, could result in operational disruption).
3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect Critical Cyber System operations.
4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on Critical Cyber Systems in a timely manner using a risk-based methodology.