ENISA releases guidance on building cybersecurity zones and conduits for railway systems

The European Union Agency for Cybersecurity (ENISA) and the European Rail Information Sharing and Analysis Center (ISAC) released guidance on building cybersecurity zones and conduits for railway systems this week. 

Based on the recently published CENELEC Technical Specification 50701 (CLC/TS 50701:2021) and the need to help railway systems and operators with the practical implementation of the zoning process, the guide draws upon the experience of the European Rail ISAC and its members. The associates, such as European infrastructure managers and railway undertakings, are Operators of Essential Services (OES) as defined in the security of network and information systems (NIS) directive.

The guide has been designed to help them implement the cybersecurity measures needed in the zoning and conduits processes of railway systems. In addition, the entities work together to engage expertise from many types of functions in joint efforts to analyze threats, vulnerabilities, incidents, solutions, and opportunities.

Initially, a guiding question must be defined that aims at explaining why the activity must be performed and what the expected outcome might look like. Once that is carried out, the relevant parts of CLC/TS 50701:2021 or the IEC 62443 series are indicated, the ENISA guide said. Design considerations for the process step follow this, and then comes the detailed guidance on how to perform the action and ensure that the desired results are produced. Finally, each section identifies and explains domain-specific stipulations and provides hints on implementation.

The framework has several requirements, such as identifying all assets and basic process demands, identifying global corporate risks, performing zoning, and checking threats. A risk assessment process is developed based on standards for determining assets and the system considered and partitioning zones and conduits, the guide added. It also provides detailed zoning and conduits methodology for railway systems and operators.

According to the ENISA guide, ZCR 1 identifies all assets and basic process demands and creates a ‘draft architecture’ or a ‘proposal zone model’ following EN62443-3-2. ZCR 2 recognizes global corporate risks through an initial risk assessment.

ZCR 3 covers ‘perform zoning,’ which defines the basic system context, outlines the zone, conduits, communication lines, and ZC-levels, and shifts from draft or proposal zone model to the high-level zone model, the guide said. It also defines proposals for target security level (SL-T) for each conduit (zone and SuC) and establishes the high-level zone model by verifying the proposal zone model. The SuC (system under consideration) provides details of how the system was designed, configured, installed, the changes made, and how it is being operated and maintained. 

The ENISA guide said that ZCR 4 covers high-level risk assessment with the high-level zone model and the designated SL for exceeding risk. ZCR 5 checks the high-level zone model against cybersecurity threats, identifies countermeasures (following EN62443-3-3), and modifies the high-level zone model to become the final zone model. It also verifies the ‘final zone model’ through a detailed risk assessment. Finally, ZCR 6 documents all information and results, and ZCR 7 gets approval from all stakeholders, it added.

The guide also addresses the cybersecurity requirements of railway systems and operators in terms of documentation and suggests a step-by-step approach to follow. It also includes the standards required in each step and the processes that need to be performed, while addressing the procedure by which documentation should be created during each step, along with guidance.

During the zoning process, zoning models are developed over three iterations. These include the ‘proposal railway zoning model,’ which is used in the first steps, ranging from first collecting information and designing initial zones (ZCR 1) up to the stage where zones, conduits, communication lines, and security levels get verified briefly for the first time (ZCR 3). The proposal zone model is generic and can be aligned with but need not fit the corporate structure.

After this comes the ‘high-level railway zoning model,’ which contains a concrete and defined risk verified architecture (ZCR 4) and is implemented via cybersecurity measures (ZCR 5), the ENISA guide said. The company-specific high-level zone model should be oriented to the corporate structure. 

The ENISA guide then moves on to the ‘final railway zoning model,’ which covers a detailed and verified version of the high-level model, reflecting the corporate structure within all zones, conduits, and communication lines, the SL ZC, and other information (ZCR 6 to ZCR 7).

Addressing the issue of cybersecurity for positive train control (PTC) and the rail industry, Christian Hager, director of business development at Fend Inc., wrote in a LinkedIn post that the most effective way to keep the real-time PTC data flowing and support Command & Control (C2) functionality while avoiding rail catastrophes is via LTE and cellular transmission. 

“This is being enabled by the construction of significant numbers of cell towers along most rail lines, including Class 1 routes and the Short Line and Regional railroad right-of-ways,” according to Hager. “The only way to protect that data stream is to guarantee that it is encrypted, isolated and flows ONLY in one direction,” he added.

Last November, ENISA released a railway cybersecurity report for the sector to provide European infrastructure managers and railway undertakings information on assessing and managing cyber risks. The railway cybersecurity report also covers existing risk management approaches that vary for railway IT and OT (operational technology) systems, asset taxonomies, threats taxonomies, and risk scenarios. It also addresses applying appropriate cybersecurity measures.
