ENISA’s report for the railway sector provides guidance on how to assess and mitigate cyber risks


The EU Agency for Cybersecurity, ENISA, has released a report for the railway sector that provides European railway undertakings (RUs) and infrastructure managers (IMs) with information on how to assess and manage cyber risks. The report also seeks to offer railway stakeholders applicable methods and practical examples for coping with these threats. ENISA was joined by the EU Agency for Railways (ERA) in presenting the state of play of cybersecurity in the sector.

The main takeaways of the ENISA railway cybersecurity report cover the existing risk management approaches, which differ for railway IT and OT (operational technology) systems, asset taxonomies, threat taxonomies, risk scenarios, and the application of appropriate cybersecurity measures. The report builds upon ENISA’s report of last year on cybersecurity in the railway sector, which assessed the level of implementation of cybersecurity measures in the sector.

The ENISA report provides good practices based on feedback from railway stakeholders and includes tools such as an asset and services list, threat scenarios, and a mapping of security measures. These resources can be used as a basis for cyber risk management in railway companies. The study aims to be a reference point that promotes collaboration between railway stakeholders across the EU and raises awareness of relevant threats, and it covers the application of cyber risk management to both the IT and OT systems of railway organizations.

The primary target audience of the study includes people responsible for cybersecurity such as CISOs, CIOs, and CTOs, within RUs and IM networks. It also aims to provide them with the means to understand their cybersecurity ecosystem, assess the risks to their assets or services, and manage them using appropriate cybersecurity measures.

Through this report, ENISA supports the development of cybersecurity capabilities in the railway sector; it does so more broadly by issuing guidance and recommendation papers together with the community, organizing physical and virtual events, participating in discussions with the railway community on regulatory matters, validating activities through its dedicated expert group on transport security (TRANSSEC), and contributing to standardization activities.

The railway cybersecurity report cited various frameworks, including ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project, to deal with risk management of railway OT systems. Those standards or approaches are often used in a complementary way to address both IT and OT systems. While IT systems are normally evaluated with broader and more generic methods, OT systems need specific strategies and frameworks that have been designed for industrial train systems.

The ENISA report said that there is no unified approach available to railway cyber risk management yet. Stakeholders who participated in the study indicated that they use a combination of the abovementioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies, it added.

For RUs and IMs to manage cyber risks, identifying what needs protection is essential. In the ENISA report, a comprehensive list of assets is broken down into five areas: the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used. The report also calls for RUs and IMs to identify which cyber threats are applicable to their assets and services. It reviews the available threat taxonomies and lists threats that can be used as a basis for this step.

Each risk scenario in the report is associated with a list of relevant security measures. The ENISA report includes cybersecurity measures derived from the NIS Directive, current standards including ISO/IEC 27002 and IEC 62443, and good practices such as NIST’s Cybersecurity Framework.
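The structure described above (assets classified into the five areas, a threat taxonomy filtered by applicability, and risk scenarios each mapped to security measures) can be captured in a small risk register. The following is an added illustration and not code from the ENISA report; the five-point likelihood and impact scales, the asset inventory, the threats and the measure names are all constructed for the example. It also flags scenarios that sit above a risk threshold without any assigned measure, which is the check a CISO would want before treating the register as complete.

```python
# Added example (not from the ENISA report): a minimal railway cyber risk
# register with the report's building blocks: five asset areas, threats
# applicable per area, and scored scenarios mapped to security measures.
from dataclasses import dataclass
from enum import Enum


class AssetArea(Enum):
    """The five asset areas the report uses to break down what needs protection."""
    SERVICE = "services provided"
    DEVICE = "devices / technological systems"
    PHYSICAL = "physical equipment"
    PEOPLE = "people"
    DATA = "data"


@dataclass(frozen=True)
class Asset:
    name: str
    area: AssetArea
    domain: str  # "IT" or "OT"; OT assets typically need sector-specific methods


@dataclass(frozen=True)
class Threat:
    name: str
    applies_to: frozenset  # AssetArea values this threat is relevant for


@dataclass(frozen=True)
class Scenario:
    asset: Asset
    threat: Threat
    likelihood: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)
    measures: tuple  # security measures assigned to this scenario

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def applicable_threats(asset, threats):
    """Filter the threat taxonomy to what can actually affect this asset's area."""
    return [t for t in threats if asset.area in t.applies_to]


def missing_ratings(assets, threats, ratings):
    """(asset, threat) pairs that are applicable but have not been rated yet."""
    return [(a.name, t.name) for a in assets
            for t in applicable_threats(a, threats) if (a.name, t.name) not in ratings]


def build_register(assets, threats, ratings, measures):
    """One scenario per (asset, applicable threat), highest risk first.

    ratings:  {(asset name, threat name): (likelihood, impact)}
    measures: {(asset name, threat name): (measure, ...)}
    An unrated applicable pair is an error rather than a silent omission.
    """
    missing = missing_ratings(assets, threats, ratings)
    if missing:
        raise KeyError(f"no likelihood/impact rating for {missing}")
    register = []
    for asset in assets:
        for threat in applicable_threats(asset, threats):
            key = (asset.name, threat.name)
            lik, imp = ratings[key]
            if not (1 <= lik <= 5 and 1 <= imp <= 5):
                raise ValueError(f"rating out of range for {key}")
            register.append(Scenario(asset, threat, lik, imp, tuple(measures.get(key, ()))))
    return sorted(register, key=lambda s: s.risk, reverse=True)  # stable sort


def treatment_gaps(register, threshold=10):
    """Scenarios at or above the risk threshold with no measure assigned."""
    return [s for s in register if s.risk >= threshold and not s.measures]


def measures_by_domain(register):
    """Which measures end up applied to IT versus OT assets (coverage overview)."""
    out = {"IT": set(), "OT": set()}
    for s in register:
        out[s.asset.domain].update(s.measures)
    return out


# Constructed sample inventory, threats, ratings and measures (illustrative only)
ASSETS = [
    Asset("train control system", AssetArea.DEVICE, "OT"),
    Asset("online ticketing portal", AssetArea.SERVICE, "IT"),
    Asset("passenger records", AssetArea.DATA, "IT"),
    Asset("signalling maintenance staff", AssetArea.PEOPLE, "OT"),
    Asset("trackside cabinets", AssetArea.PHYSICAL, "OT"),
]
THREATS = [
    Threat("ransomware", frozenset({AssetArea.DEVICE, AssetArea.SERVICE, AssetArea.DATA})),
    Threat("phishing", frozenset({AssetArea.PEOPLE})),
    Threat("physical tampering", frozenset({AssetArea.PHYSICAL, AssetArea.DEVICE})),
]
RATINGS = {
    ("train control system", "ransomware"): (2, 5),
    ("train control system", "physical tampering"): (2, 5),
    ("online ticketing portal", "ransomware"): (4, 3),
    ("passenger records", "ransomware"): (3, 4),
    ("signalling maintenance staff", "phishing"): (5, 3),
    ("trackside cabinets", "physical tampering"): (3, 2),
}
MEASURES = {
    ("train control system", "ransomware"): ("network segmentation", "offline backups"),
    ("train control system", "physical tampering"): ("tamper-evident seals", "access logging"),
    ("online ticketing portal", "ransomware"): ("offline backups", "patch management"),
    ("signalling maintenance staff", "phishing"): ("awareness training",),
    # passenger records / ransomware deliberately left untreated to surface a gap
}
REGISTER = build_register(ASSETS, THREATS, RATINGS, MEASURES)

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.risk:>2}  {s.asset.name} / {s.threat.name} -> {s.measures or 'NO MEASURE'}")
    print("gaps:", [(s.asset.name, s.threat.name) for s in treatment_gaps(REGISTER)])
```

Keeping the threat-applicability rule separate from the scoring is what makes the register auditable: a threat that does not apply to an asset area never produces a scenario, an applicable pair that nobody rated stops the build instead of vanishing, and the gap check shows exactly which high-risk scenarios still lack a mapped measure.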

Last month, ENISA released its annual report on the state of the cybersecurity threat landscape, which has grown in terms of sophistication of attacks, complexity, and impact. The trend has clearly been spurred by the ubiquity of online activity, transitioning of traditional infrastructures to online solutions, advanced interconnectivity, and exploitation of new features of emerging technologies, the report said.

The U.S. Department of Homeland Security (DHS) has also flagged cybersecurity concerns, with the Transportation Security Administration (TSA) preparing to impose new cybersecurity demands on the railroad and aviation industries. This will include reporting requirements as part of a department effort to force compliance in the wake of high-profile cyber attacks on the critical infrastructure sector.

“To strengthen the cybersecurity of our railroads and rail transit, TSA will issue a new security directive this year that will cover higher-risk railroad and rail transit entities and require them to identify a cybersecurity point person; report incidents to CISA; and put together a contingency and recovery plan in case they become a victim of malicious cyber activity,” Secretary of Homeland Security Alejandro N. Mayorkas said last month in a keynote address at the 12th Annual Billington CyberSecurity Summit. “We are coordinating and consulting with industry as we develop all of these plans.”
