In a nutshell, what standards and regulations apply to railway cybersecurity?
To raise the cybersecurity of OT and IT systems in critical infrastructure to a shared high level across the Union, the EU issued the NIS2 Directive. By October 2024, member states must adopt and publish the measures necessary to comply with the NIS2 Directive.
The EU NIS2 Directive measures for railways’ compliance must include at least:
CENELEC, the European Committee for Electrotechnical Standardization, contributes to greater cybersecurity protection with the CLC/TS 50701 ‘Railway applications – Cybersecurity.’ This Technical Specification is a major landmark for the European railway sector, as it aims to provide requirements and recommendations to handle cybersecurity in a unified way for the railway sector.
The 50701 Technical Specification for the European railway industry aims to provide requirements and recommendations to handle cybersecurity in a unified way. It applies to the communications, signalling and processing domains, to rolling stock, and to fixed installations. It provides references to models and concepts from which requirements and recommendations can be derived, suitable for ensuring that the residual risk from security threats is identified, supervised, and managed to an acceptable level by the railway system.
CLC/TS 50701 takes into consideration relevant safety-related aspects and other sources such as IEC 62443-3-3, and CSM-RA, adapting them to the railway context. It covers numerous key topics such as railway system overview, cybersecurity during a railway application life cycle, risk assessment, security design, cybersecurity assurance and system acceptance, vulnerability management, and security patch management.
IEC 62443 is an international series of standards that addresses cybersecurity for operational technology in automation and control systems, and it has been extended to critical infrastructure, including transit systems.
The IEC 62443 series was developed to secure industrial automation and control systems (IACS). IEC 62443 was initially developed for the industrial process sector but was extended to critical infrastructure including transit systems. Implementing IEC 62443 can mitigate the effects and often prevent successful cyber-attacks, bolster security throughout the lifecycle, and reduce costs. IEC 62443 addresses not only the technology that comprises a control system, but also the work processes, countermeasures, and employees.
IEC 62443 takes a risk-based approach to cybersecurity, based on the concept that it is neither efficient nor sustainable to try to protect all assets in equal measure. Instead, users must identify what is most valuable and requires the greatest protection, and identify the vulnerabilities. They must then erect a defense-in-depth architecture that ensures business continuity. The IEC 62443 series of standards is organized into four parts: general terminology, concepts, and models; policies and procedures to establish a security program; system requirements for security, including risk assessment for design; and component requirements for secure product development and technical security requirements.
The NIST framework recommends and guides how to build a cybersecurity program that enables rail to be better prepared in identifying and detecting cyber-attacks, and also provides guidelines on how to respond, prevent, and recover from cyber incidents.
NIST’s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST is a federal, non-regulatory agency of the U.S. Department of Commerce. NIST’s role in the Framework is reinforced by the Cybersecurity Enhancement Act of 2014 (P.L. 113-274), which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure.
The Framework is organized by five key Functions: Identify, Protect, Detect, Respond, Recover. These five widely understood terms, when considered together, provide a comprehensive view of the lifecycle for managing cybersecurity risk over time.
In October 2022, the updated TSA (U.S. Transportation Security Administration) Rail Security Directive 1580/82-2022-01 for passenger and freight railroad carriers came into effect. The latest update is indicative of the effort to establish a preventative, resilience-based approach that enhances the cybersecurity preparedness of the nation’s railroads. Owners/Operators have 120 days from the effective date to submit a Cybersecurity Implementation Plan to the TSA for approval. Owners/Operators must implement the following cybersecurity measures: