Global perspective on dealing with complexities of rail network cybersecurity using regulations, collaborations

In an era defined by pervasive digital connectivity, the safety and security of global rail networks and infrastructure have become paramount, and the need to protect the legacy cyber systems that underpin their operations keeps growing. Within this intricate landscape, rail asset owners and operators grapple with multifaceted challenges as they address cybersecurity safety regulations and strategies across Asia, Europe, and the U.S., while attackers continue to threaten their operations.

Recent rail cyberattacks have heightened the urgency of robust regulations across Asia, Europe, and the U.S., as rail operators confront a constantly shifting cyber threat landscape that underscores the importance of stringent cybersecurity rules. At the same time, they must navigate the complex set of cybersecurity safety regulations and strategies that span these continents, and take an active part in collaborative efforts to strengthen the resilience and security of rail networks in an increasingly interlinked world.

In Asia, a rapidly expanding rail infrastructure faces a growing threat landscape, compelling regulators to fortify defenses. Europe, amidst the harmonization of diverse member states, has witnessed increased collaboration and standards alignment. Meanwhile, the U.S. grapples with the intricate interplay of federal and state dynamics in its pursuit of cybersecurity measures. More often than not, these cybersecurity incidents transcend borders, highlighting the imperative for international cooperation and unified regulations to protect rail networks from evolving cyber threats and ensure the continued safety of passengers and critical transportation infrastructure.

Implications of rail network cybersecurity safety and regulations 

Industrial Cyber engaged with cybersecurity experts in the rail sector to illuminate the commonalities and distinctions in emerging cybersecurity regulations for rail operators across Asia, Europe, and the U.S. Furthermore, these experts delve into the impact of these regulatory variations on the safety and cybersecurity of rail networks, exploring potential collaborative initiatives among these regions aimed at fortifying cybersecurity within the rail industry.

Nicolas Goupil, director of technical solutions at Cylus

“Cybersecurity regulations such as the European NIS directive first came into force in 2016, followed by a reinforced NIS2 in January 2023,” Nicolas Goupil, director of technical solutions at Cylus, told Industrial Cyber. “The directive has driven up cybersecurity across the board, both in terms of visibility and concrete actions. The political setup in the EU is such that once a directive is approved, it still has to be implemented in each EU country’s regulation, so we still have some way to go, but it is a very positive step.”

Goupil pointed out that the latest TSA directive from October last year targeted freight and passenger operators in the U.S. “It had a more immediate impact on the cybersecurity activities of operators due to its more direct legislative approach. Other countries in Asia, such as Australia and Singapore, also have legislation in place to address cybersecurity for their critical infrastructure, of which rail is a significant component. All of these regulations have the fact that they address governance (risk and vulnerability management, reporting) in common, and to some extent impose some technical controls (continuous monitoring, network segmentation),” he added.

“At the same time, the rail industry is also tackling cybersecurity, both from the operators and supply industry side,” Goupil highlighted. “International bodies such as UITP and UNIFE have dedicated cybersecurity working groups advocating cybersecurity towards their respective members. APTA in the US also has a cybersecurity working group, and there is ongoing liaison between them.”

Goupil added that on the technical side, while the OT industry, in general, relies on the IEC62443 suite of standards, “the rail industry is now busy developing its own IEC standard that will become the standard set to requirements and recommendations for the railway sector. So, as you can see, the legislators, the suppliers, the operators, and the standardization bodies are all working together to provide cybersecurity approaches and recommendations that are common across the board – very critical as the rail industry is highly globalized.”

Dr. Andrzej Bartosiewicz, CISO #Poland President

Andrzej Bartosiewicz, CISO #Poland President, told Industrial Cyber that in the rail transport sector, “we have one interconnected railway network, divided into individual fragments (lines or railway stations), using IACS from various suppliers, which must exchange control data with each other and with onboard systems (here again other IACS suppliers appear) ensuring safety and availability.”

“The rail transport sector is quite specific, the specificity of which results from 30-40 years lifetime for signaling systems, large infrastructures, national specificity, and the role of incumbents,” Bartosiewicz said. “Rail traffic management systems used in individual countries did not have to, and usually were not, standardized between countries, let alone integrated between large geographical regions.”

Chandan Singh Kumbhawat, cybersecurity specialist for OT/ICS at a rail infrastructure company

Chandan Singh Kumbhawat, cybersecurity specialist for OT/ICS at a confidential rail infrastructure company, provided insights into how each global region has its unique set of cybersecurity guidelines. 

Speaking with Industrial Cyber, he highlighted that the CLC/TS 50701:2023 guideline was lauded for its adaptability and flexibility, though critics frequently raised concerns about its non-mandatory nature, which leads to inconsistent implementation. Regarding NIS2, he noted that Europe’s directive is comprehensive and emphasizes collaboration among EU member states. However, its expansive scope can occasionally pose challenges for operators in defining specific actions.

Moving on to the U.S. NIST CSF framework, Kumbhawat observed its robustness and detailed guidelines, though some operators found it a bit overwhelming due to its extensive requirements. Australian standard AS 7770:2018 emphasized the significance of safeguarding both IT and OT systems. However, its recent introduction meant that many rail networks were still in the early stages of complete adoption. 

He added that the ISA/IEC 62443 framework stands as a globally recognized model that delineates clear boundaries for IT and OT systems. Its broad applicability is advantageous, yet customizing it for specific rail scenarios necessitates additional effort.

Kumbhawat highlighted that the upcoming IEC 63452 is on the horizon, with hopes of it serving as a unifying international standard. “These disparities arise due to regional differences in threat landscapes, technological adoption, and regulatory priorities. Collaborative efforts include global conferences, workshops, and shared research initiatives to standardize practices and improve cybersecurity.”

Evolving threats and regulations in rail network cybersecurity

Exploring the evolving cyber threat landscape and its impact on cybersecurity regulations for rail operators in Asia, the U.S., and Europe, the rail network cybersecurity experts also delve into how these regulations prioritize passenger safety and the security of data within the rail industry.

Goupil said that to understand the changing cybersecurity landscape, looking at concrete examples is important. “Although the EU’s first NIS directive was issued in 2016, the growth in cyber-attacks and the threat of digitalization triggered the NIS2 Directive a few years later. It strengthens security requirements, addresses supply chain security, streamlines reporting obligations, and introduces more stringent supervision and enforcement measures, including harmonized sanctions across the EU.” 

He also noted that NIS2 expanded the scope, effectively obliging more entities and sectors to take measures, which helps raise the level of cybersecurity in Europe in the longer term.

Similarly in the U.S., Goupil said that the TSA has been bolstering the cybersecurity requirements applicable to the railroads. “While the first security directives were about reporting, responding, and assessing vulnerabilities, the latest TSA directives focus on performance-based measures to achieve critical cybersecurity outcomes.”

“Similarly, Singapore has been updating its Cybersecurity Code of Practice for Critical Information Infrastructure (part of the Cybersecurity Act) due to the evolving cyber threat landscape with threat actors using sophisticated tactics, techniques, and procedures (TTPs) to attack those infrastructures,” according to Goupil. “One of the major differences between safety and cybersecurity is that safety has been a static and constant topic over time, while security constantly evolves and is a big challenge for our industry.”

Bartosiewicz said that with the development of railway infrastructure and the integration of the European network, there have been activities in the field of system integration between countries in the European Union, which have also been adopted outside Europe, mainly in Asia but also in the Middle East and Africa.

“The European Rail Traffic Management System (ERTMS) serves as a unified signalling and speed control system across Europe, guaranteeing compatibility among railway networks. Moreover, it has the potential to boost railway infrastructure capacity while also enhancing the average and maximum train speeds,” according to Bartosiewicz. “ERTMS demands a high level of availability and safety due to their role in the overall rail transportation sector. If we take cybersecurity into account, these requirements extend to the availability (A from C-I-A) and integrity (I from C-I-A) of information and communication technology systems.” 

He added that confidentiality requirements primarily pertain to safeguarding access control information within relevant systems or protecting cryptographic keys.

Another important detail Bartosiewicz pointed to is that the key cybersecurity aspects of the ERTMS architecture derive from the Control Command and Signalling Technical Specifications for Interoperability (CCS TSI). “The development of ETCS is according to European standards (including EN50128, EN50129) and complies with safety integrity level 4 (SIL4) requirements. Especially, CENELEC EN50129 includes a new chapter No. 6.4 that requires cybersecurity to be dealt with as part of the safety demonstration case and included in the safety case,” he added.

Kumbhawat evaluated that cyber threats have rapidly evolved in sophistication, prompting a shift in cybersecurity regulations across all regions. “Modern regulations now account for both passenger safety and data security. They address not only traditional IT systems but also the specialized operational technology (OT) integral to rail systems. The adoption of standards like the ISA/IEC 62443 framework illustrates the importance of protecting both realms. The recent cyber incidents on rail networks emphasize the need for comprehensive cybersecurity frameworks.”

Role of lead agencies in rail network cybersecurity

The rail experts delve into the pivotal roles played by agencies such as the European Union Agency for Railways (ERA) and the U.S. Federal Railroad Administration (FRA) when it comes to shaping cybersecurity guidelines for rail operators. With the escalating threat of cyberattacks, they contemplate the future directions these agencies are likely to pursue.

“There are differences between the ERA and the FRA. ERA was only established in 2004, and cybersecurity is not one of its core missions. The ERA is involved with ensuring a sustainable and safe railway system without frontiers in Europe,” Cylus’ Goupil said. “However, it also issues safety certificates, vehicle-type authorizations across Europe, and the technical direction of the main European signaling system, ERTMS. Safety standards now require cybersecurity to be part of the safety case, and implementing a system such as ERTMS also requires that the cybersecurity topic be covered. Therefore, there is a call for ERA to become more involved in cybersecurity and cover the topic in TSIs to define the technical and operational standards that each subsystem must meet.”

Meanwhile, Goupil said that “the FRA mission is to ‘enable the safe, reliable, and efficient movement of people and goods for a strong America, now and in the future.’ The ecosystem of agencies in the US is different. The Transportation Security Administration issues the Security Directives, in which the FRA is an active contributor. It will, therefore, likely continue with TSA in the lead and the FRA very much involved. For example, TSA intends to begin a rulemaking process, establishing regulatory requirements for the rail sector.”

The ERA and the FRA play pivotal roles in setting cybersecurity benchmarks for rail operators, Kumbhawat said. “Beyond establishing guidelines, these agencies monitor compliance, promote best practices, and ensure that rail networks remain resilient against emerging threats. With the growing intensity and sophistication of cyber threats, it’s anticipated that these agencies will push for stricter regulations, enhanced international collaboration, and deeper integration of advanced cybersecurity technologies.”

Global rail cybersecurity collaborations examined

The rail cybersecurity experts explore the existence of international collaborations or information-sharing platforms among rail operators across Asia, Europe, and the Americas, aimed at bolstering cybersecurity resilience. They also investigate the presence of global organizations or initiatives promoting worldwide cooperation in rail network cybersecurity and assess their level of success.

“International information sharing for what has been designated as national critical infrastructures will always be a challenge,” Goupil assessed. “There are dedicated ISACs within countries, some dedicated to Public Transport, such as the US APTA PT-ISAC, or have a larger coverage (usually everything OT), such as the OT-ISAC in Singapore.” 

He added that there are ongoing efforts to have sectorial ISACs across borders, like in the EU. “In fact, there is an ER (European Railways)-ISAC. However, it is still early, and not all EU operators collaborate there. In this respect, rail is lacking compared to the aviation sector.”

Bartosiewicz expressed the expectation that the NIS2 Directive would undergo more effective implementation across Member States, leading to harmonization of the minimum requirements and scope encompassed by the directive within the railway sector. “We hope that the exchange of information between railway sector entities, as well as between countries, will be strengthened by the implementation of the NIS2 directive.” 

“According to the directive, where appropriate, Member States should put in place an automatic and direct reporting mechanism that ensures systematic and immediate sharing of information with the CSIRTs and encourage the sharing of significant cyber threats with the CSIRTs,” according to Bartosiewicz. “The single points of contact should therefore be tasked with forwarding notifications of significant incidents with cross-border impact to the single points of contact of other affected Member States upon the request of the CSIRT or the competent authority.”

He added that “there remains the issue of financing the implementation of cybersecurity solutions in the new installations in the rail sector.”

Cross-regional collaborations are paramount to strengthening global cybersecurity resilience, Kumbhawat said. “Various platforms and forums foster these interactions, allowing for the exchange of threat intelligence, best practices, and mitigation strategies. Organizations like the International Union of Railways (UIC) often spearhead initiatives, conferences, and workshops to encourage global cooperation. Their success is evident in the adoption of universally recognized standards and the swift global response to emerging threats,” he added.

Balancing cybersecurity and aging infrastructure

The experts also analyze how rail operators across geographies navigate the delicate balance between complying with cybersecurity regulations and managing operational and budgetary constraints. This challenge becomes even more pronounced in the face of a complex threat landscape and aging infrastructure that spans extensive geographic areas.

Goupil said that this is a mixed bag and will depend on the operators. “Most follow a risk-based approach that will inform where investment should be made first. There are also windows of opportunity when major upgrades/overhauls happen on existing infrastructure not designed with cybersecurity in mind. For example, operators can also receive additional grant funding from national funds and agencies,” he added.

“Ordering parties should define cybersecurity requirements using both the transposition of the NIS2 directive into national law and technical standards such as IEC 62443/ CENELEC 50701/ IEC 63452,” Bartosiewicz said. “This will ensure the harmonization of requirements on the domestic market, which will still be a significant progress. Subsequently, consistency of requirements should be ensured between countries through the European Union Agency for Railways, EU Cooperation Group, industry organizations such as ISAC as well as organizations such as EULYNX.”

However, Bartosiewicz added that infrastructure managers as well as railway undertakings must ensure that they determine the appropriate system architecture, risk assessment, security level vector, etc. before the purchasing process starts for new installations. “The biggest challenge in ensuring cybersecurity arises with legacy systems – to be addressed as part of NIS2 deployment.”

“Rail operators often grapple with the dichotomy of ensuring robust cybersecurity while managing the constraints of operational demands and limited budgets. Aging infrastructure complicates this challenge,” according to Kumbhawat. “However, adhering to standards such as AS 7770:2018 provides a structured approach to managing these challenges. By leveraging guidelines from a blend of standards, operators can prioritize investments, ensuring maximum security benefits without overburdening their operational capacities.” 

He concluded that having experienced Subject Matter Experts (SMEs) and a well-staffed cybersecurity team is crucial, helping reduce mean time to detect (MTTD) and optimize mean time to respond (MTTR) to cyber incidents.
