UITP report outlines cybersecurity needs for public transport operators, authorities during tender process

The UITP (Union Internationale des Transports Publics) released a report that provides a general framework to help public transport and railway operators integrate cybersecurity requirements into their tender process, whenever the System under Consideration (SuC) to be purchased can be considered OT (operational technology) related. The model seeks to offer public transport operators and authorities, procurement officers, and CISOs/CIOs a comprehensive set of tools and good practices that can be adopted in their procurement process. 

The process should start by clearly differentiating IT and OT systems and continue by choosing the frameworks and standards relevant to the OT segment. It should also take into consideration the provisions of TS 50701, which is, as of today, the most comprehensive and detailed guideline for cybersecurity in railway systems, as it is derived from the IEC 62443 family of standards with added considerations for extended security levels and safety.

The UITP report, titled ‘Practical Guidance on Cybersecurity: Requirements in Tendering’, explores the regulation and legal framework, the procurement process and specification framework, information security system specification, cybersecurity technological specification, a quick reference guide for cybersecurity procurement, and references, and provides examples of procurements for PIS/AVLS and signaling systems. The report has been sponsored by AXIS Communications, Cylus, INIT, and Waterfall Security Solutions.

The European Union Commission instructed CENELEC to incorporate EU directives into a Technical Specification to address the rising number and complexity of threats. TS 50701 is that security standard, specifically designed for rail networks, and it covers the communications, signaling, processing, rolling stock, and fixed installations domains. Rail and cybersecurity professionals have recently created the TS 50701 document to illustrate the implementation of a cutting-edge cyber-defense system in railway systems.

The UITP document establishes the minimum requirements for protection against cyberattacks on the network of a public transport operator (PTO). Often grouped under the term ‘Enterprise Security Systems’ (ESSs), these solutions should be implemented to prevent unacceptable physical, business, and other consequences of cyberattacks for the PTO.

Cybersecurity protection in public transport and railways is a new but growing concern. Nowadays, almost any product incorporates firmware or software, and because the use of computing tools has become universal, cybersecurity is one of the few cross-functional subject matters that PTOs must face. Unfortunately, few employees have the relevant proficiency to deal with such complicated issues, particularly when it comes to cybersecurity for the automation of physical operations, such as rail system communications, signaling, and processing.

Hence, the dilemma facing PTOs: should IT/OT specialists be spearheading all functional processes? Role definition, particularly in this area, is a complex matter and is one that we will tackle later, describing the specific contributions that IT, OT, and other cybersecurity specialists can bring to the protection of railways. “That said, we strongly suggest that whenever necessary, IT/OT specialists should support their functional colleagues in creating appropriate processes and intervening on the very technical topics,” the UITP report added. “It also means over and above the usual training that all employees should have, these functional managers should rely on guidelines to help them address the cybersecurity issues in their process.”

When it comes to cybersecurity, it is important to acknowledge the differences between IT and OT environments, according to the UITP report. OT systems are those for which the worst-case impact of compromise is physical consequences, such as sustained service outages, material damage to rolling stock and other equipment, environmental disasters, public safety threats, and worker or public casualties. Common examples of OT systems are networks supporting automation for physical access controls, rolling stock, electrical power distribution, and signaling systems.

“It is always the case that cybersecurity priorities, programmes, and management systems differ materially between the two domains,” according to the UITP report. “Cybersecurity is important for both types of automated processes. In many cases, somewhat similar risk assessments and risk mitigation measures can be applied.” 

The UITP admits that integrating OT cybersecurity requirements is easier said than done. Currently, very few operators and authorities have OT specialists who can support the tendering process. Buyers don’t even provide guidelines that are easily consultable to assist them in managing this cross-functional process. As a result, there is often a misalignment between the operator and authorities’ cybersecurity expectations and the Vendors’ cybersecurity deliverables. 

“To eliminate the gap, both parties should have well-defined responsibilities, clearly stated through contractual arrangements that consider cyber expectations in terms of Procedure, Personnel, and Technologies throughout the System’s complete life cycle,” the report added.

UITP also calls for security requirements to be included in all procurement contracts, irrespective of the SuC, to ensure that both parties have clearly defined responsibilities, supported by contractual arrangements. This remains true even when the cybersecurity solution applied to the SuC is part of another procurement process. 

“These contractual arrangements should apply throughout the SuC’s lifecycle and be based on standardised security clauses, relevant standard specifications, and selected risk reduction measures,” the UITP report said. “The Procurement department should be proactive, and prepare the ground beforehand with the entire supply chain through effective dialogue about their security needs.”

It also added that by adopting the secure development processes described in IEC 62443 and TS 50701, including security functions in systems and products and, where appropriate, teaming up with existing security product vendors to identify and clarify risks, procurement will ensure that cybersecurity threats are well understood by all stakeholders and taken seriously in the vendor’s proposal. Furthermore, TS 50701 complements IEC 62443, the international standard for industrial control systems (ICS), by integrating rail-specific requirements, especially safety.

The UITP document addresses the main requirements that railway and public transport operators should consider in their RFP (Request for Proposal) to help vendors understand the operators’ current and future security posture, and how it will affect the procurement process for their SuCs.

Although not all procurement processes require following the cybersecurity assessment, a PTO acquiring a complex SuC, particularly one interfacing with other subsystems, should provide the vendors with an initial risk assessment and a requirement to comply with the appropriate standards. This also ensures that the supply chain takes into consideration dedicated cybersecurity measures adapted to its product or system type, covering not only the technology but also data handling.

The security requirements provided during procurement should be used to rank the vendors’ solutions and be part of the tender evaluation process. This ensures that vendors compete on both the SuC’s functional requirements and its security aspects. By clearly specifying security design requirements, the procurement avoids unfairly penalising a vendor who priced in an adequate cyber-protection solution. Ensuring a level playing field is in the interest of the PTO, who will avoid costly design modifications that always involve litigation measures.

The concept of trusted vendors can also be used to build security into the procurement process by creating a list of trusted suppliers that have gone through a cybersecurity certification process (covering test and development tools, facilities, and processes), follow a secure development life cycle, and ensure security integrity through the delivery, installation, and commissioning phases, the UITP report said. “Without being overly prescriptive, the contract should clearly state which cybersecurity requirements are mandatory and which are optional. This document will give the Procurement Managers guidance on what should be the minimum mandatory requirements,” it added.

Last June, the U.S. Department of Energy (DOE) released the National Cyber-Informed Engineering (CIE) Strategy that looks at guiding the efforts of the energy sector to incorporate cybersecurity practices into the design life cycle of engineered systems to reduce cyber risk. Earlier in April, the U.S. Department of Health & Human Services (HHS) Food and Drug Administration (FDA) agency rolled out a draft guidance that provides recommendations to the healthcare industry regarding cybersecurity device design, labeling, and the documentation that the agency recommends to be included in premarket submissions for devices with cybersecurity risks. 