Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”

Gertjan Tamis, Information Security Officer, NS, provided cyber security perspectives from a European railway operator, with an emphasis on Train IT. Mr Tamis stressed how NS started with practical solutions rather than policies. A train is conceived as a “data centre on wheels”, connected to a network that coordinates other data centres on wheels. Threat modelling uses a risk-based approach, noting that both external hackers and insider threats can challenge passenger wi-fi, comfort IT, and train IT. These are the points of interest to be protected; because they are connected via networks, they can also provide routes to other systems and processes.

Prevention is the key, and relies on careful management of traffic to ensure nothing can happen that should not. To achieve that, certain challenges must be faced:

Train suppliers should collaborate on cyber security:

  • Include security requirements in RFI and RFP (request for information / proposals).
  • Assist in interpretation of requirements.

Maintain continuous communication and an open exchange of information.

Create a common understanding of risks using a standard process covering:

  • Business Impact Analysis.
  • Threat and Vulnerability analysis.
  • Risk Determination.
  • Selection and implementation of controls.
  • Implementation testing for security.

Lessons from practice at NS also indicate a need to:

  • Specify Information Security Requirements beforehand.
  • Protect all software (logical and physical) up to current levels of security standards.
  • Include physical security as an important aspect (safety versus cyber).
  • Ensure train builders comply at process level; it is harder to improve at hardware level when buying off-the-shelf trains.
  • Define an internal process to manage residual risk including stakeholders and ownership.

NS experience demonstrates that information technology enables new business and operational models. Information security for Train IT is quite new but is key to keeping trains safe in the (very) near future. Threat analysis provides a good basis for mitigating risks efficiently. Close co-operation is needed between rail operators, suppliers, maintenance companies and regulators.

While many of these messages emphasise Train IT, they can be generalised to the wider networks to which trains are connected, and on which they depend.


“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017

Conference Report

  1. Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
  2. Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
  3. The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
  4. Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
  5. The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
  6. The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
  7. How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
  8. Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
  9. First panel discussion: “Product liability, staff training & awareness, information sharing in both safety and security…”
  10. Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
  11. Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
  12. Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
  13. Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
  14. The telecommunications view: “Risk management depends on agility”
  15. The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
  16. Second panel discussion: “The need for co-ordinated action”
  17. Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation….”
  18. The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
  19. Annexe - Conference Evaluation Summary – Consensus



 
