The European Union Agency for Cybersecurity (ENISA) released in November 2020 its “Cybersecurity in Railways” report to raise awareness about the cybersecurity challenges facing Europe’s railways. The report identifies the current cybersecurity status and challenges as well as proposes cybersecurity measures to combat these challenges and enhance the sector’s security posture. The report is based on data gathered over the last two years from the operators of essential rail services in 21 EU Member States.

The EU railway landscape

The railway sector is a critical infrastructure for the development of the European Union and its member states since it enables the transportation of goods and passengers within countries and across borders. The key entities for the provision of these services are:

  • The railway undertakings (RU), who are responsible for the transport of goods and passengers by rail.
  • The infrastructure managers (IM), who are responsible for the establishment, operation and maintenance of railway infrastructure including traffic management, command, control and signaling, station operation and train power supply.

Both entities and the railway sector in total are identified as Operators of Essential Services (OES) in the NIS Directive, and they must be compliant to the security requirements of the Directive. To establish and maintain compliance, railway entities must implement the cybersecurity measures defined by the NIS Directive Cooperation Group, which are grouped in four categories:

  • Governance and ecosystem – Information system security governance and risk management
  • Protection – identity and access management, physical security
  • Defense – Crisis management and business continuity
  • Resilience – Incident response and management, detection

The digital transformation of the railways, as in other sectors, presents new opportunities together with novel challenges. Consequently, cybersecurity is a key requirement to enable railways to deploy and exploit the full extent of digital technology.

Cybersecurity challenges

While the railway (Read more...)