Josef Doppelbauer of the European Agency for Railways (ERA) welcomed the broad awareness of cyber security brought by the previous speakers, and brought the focus to railway-specific considerations. Herr Doppelbauer noted that railways themselves need to cooperatively identify the real risks to essential service operators in railway transport. We have a European Rail Area, yet we also have national rules, regulations and languages. The European rail policy aims to make rail more competitive, and has been very successful to date, especially around technical interoperability and safety. The remaining challenges of rail innovation, being largely focused on customer requirements around mobility and logistics, are even more dependent on digital technology. This is a disruptive innovation, bringing changes to very mature practices, and emphasising the security concerns. The multi-modal transport chain, including rail, requires data exchange between a wide range of actors and between a wide range of systems – their interconnection is the main risk to security.
While we are focused on data and the transport activities that depend on it, we must remember we are considering a range of critical life issues – security of passengers, security of freight, security of passenger- and freight-related data, and security of people and environments through which dangerous goods pass.
Current work is addressing a range of issues using different approaches. CENELEC standards on cyber security, along with the Shift2Rail response to rising demand for transport capacity, are also supported by the ERA Action Plan, which takes account of emerging issues around cyber security. The ERA Action Plan development includes collaboration with other areas examining common interests (e.g. Maritime) and supports the formation of a European Rail ISAC.
“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017
- Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
- Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
- The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
- Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
- The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
- The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
- How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
- Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
- First panel discussion: “Product liability, staff training & awareness, information sharing in both safety and security…”
- Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
- Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
- Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
- Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
- The telecommunications view: “Risk management depends on agility”
- The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
- Second panel discussion: “The need for co-ordinated action”
- Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation….”
- The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
- Annexe - Conference Evaluation Summary – Consensus