Christian Schlehuber, IT Security, CCS, DB NETZ, provided practical perspectives from the railway Infrastructure Manager (IM). DB owns the largest business premises in Germany, and most of it is publicly accessible, and so the challenge for security is immense. For this reason, there is strong emphasis on security standards, including:
Railway transport significantly contributes to society’s mobility, and also to its economy - business staff and goods move by rail. The railway is a Critical Infrastructure, and in Germany the TEN-T Corridors are categorised as critical because failures would disrupt public safety and security, and would cause supply shortages.
The impact of the NIS directive was presented and shown to involve costs and efforts for a wide network of key actors supporting railway transport (components, systems, services). Having a common approach would help reduce this impact. However, changes to laws and regulations may take significant time.
Herr Schlehuber emphasised that operationally, safety relies on specific elements: Secure asset and configuration management; Physical access detection; Data Filtering; Data logging and aggregation; Reaction to critical events; Authentication and key exchange.
Security-Applied Design in the wider systems architecture is critical since vulnerabilities can be found in any segment or component.
Specific challenges to be faced include:
- Vulnerability Analysis and recommendations
- Is knowledge about systems available?
- Can Recommendations be implemented?
- Preventive Vulnerability Scanning
- Is my system capable of a scan?
- Penetration Testing
- Will the test result in outages?
- Staff Training and Awareness
- Can staff understand cyber security?
- Forensic Analysis versus Fast Recovery
Despite success at DB in addressing cyber security, duplication of efforts was observed: Safety and Security Departments worked in parallel with minimum interaction; Safety and Security performed their own analyses, estimated impacts and derived requirements. Cooperation and open exchange can reduce efforts and cost, as well as ensuring that nothing is overlooked, and that a common approach is achieved.
2 EN 50128 – Railways applications: Communications and Signalling – https://shop.bsigroup.com/ProductDetail?pid=000000000030299071
3 EN 50159 – Railway applications: Safety-related communication in transmission systems - https://shop.bsigroup.com/ProductDetail?pid=000000000030202175 Industrial communication networks system security
“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017
- Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
- Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
- The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
- Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
- The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
- The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
- How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
- Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
- First panel discussion: Product liability, staff training & awareness, information sharing in both safety and security…”
- Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
- Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
- Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
- Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
- The telecommunications view: “Risk management depends on agility”
- The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
- Second panel discussion: “The need for co-ordinated action”
- Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation….”
- The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
- Annexe - Conference Evaluation Summary – Consensus