The very positive participation and contributions at this conference indicate that cooperation between key actors in European Railways to address cyber security is now a work in progress. The supportive and positive orientation of both speakers and participants indicates good prospects for collaboration among the supporting Railway Organisations, Agencies and European Commission DGs. Based on the shared understanding, and on the complementary perspectives on objectives and opportunities, a draft discussion paper will be tabled in support of planning for a future Rail ISAC.
The conference has confirmed a common understanding based on recent EU law:
- The Directive on security of network and information systems (the NIS Directive [1]) was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. Member States were given 21 months to transpose the Directive into national law and a further 6 months to identify their "operators of essential services".
- The NIS Directive requires each Member State to designate one or more national CSIRTs (Computer Security Incident Response Teams). In some Member States these are known as CERTs (Computer Emergency Response Teams).
- The Directive creates a Cooperation Group for strategic cooperation between Member States and a CSIRTs Network for operational cooperation, both supported by ENISA (the European Union Agency for Network and Information Security).
- The NIS Directive requires "operators of essential services" such as Rail, as well as digital service providers, to take appropriate and proportionate security measures and to notify incidents with a significant impact to the competent national authority or CSIRT.
- Rail Transport (Infrastructure Managers, Railway Undertakings and supporting organisations, including digital service organisations) provides essential services across Europe and is cross-border in nature, requiring collaboration to inform each other of threats and incidents, as well as of best practice in cyber security.
- European essential service operators are beginning to adopt the ISAC model [2] - "sectorial member-driven organisations organised to collect, analyse and disseminate information on cyber-threats, and to help critical infrastructure owners and operators to protect facilities, staff and customers from cyber threats" - the objective is to organise, not to regulate or control information.
In response to this statement of common understanding, made evident in the conference, the presentations and discussions identified some potential features of a Rail ISAC; these will be taken into account as the Railway sector takes this debate forward.
[2] ISAC model from the USA - https://www.nationalisacs.org
“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017
- Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
- Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
- The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
- Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
- The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
- The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
- How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
- Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
- First panel discussion: "Product liability, staff training & awareness, information sharing in both safety and security…"
- Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
- Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
- Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
- Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
- The telecommunications view: “Risk management depends on agility”
- The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
- Second panel discussion: “The need for co-ordinated action”
- Closing keynote address: "Achieving an EURail-ISAC, without replication or over-regulation…"
- The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
- Annexe - Conference Evaluation Summary – Consensus