Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”

Carlos Mestre, Head of the DG Move Unit “Security”, presented the broad range of security issues addressed by DG Move, and confirmed the rapidly growing emphasis on cyber security, including a focus on the Single European Rail Area (SERA). It was noted that security has traditionally relied on “inspection”, and that until now the idea of inspecting firewalls, etc., was a challenge; increasingly, however, organisations emphasise the deployment of good practice, and we can examine if and how good practice is deployed. The threat from cyber-crime and its recent impacts were considered in some detail, and it was noted that 80% of EU companies experience at least one cyber security incident, with many companies experiencing numerous attacks. The impacts and potential impacts on the transport sector are increasing, and cyber is recognised as the new frontier in fighting crime. European Commission advice and guidance on the prevention of cyber-crime has been published and updated since 2013, and it is clear that we need to keep updating our knowledge of threats and solutions, not just annually but continuously, so cooperation and exchange of knowledge are critical. While many organisations are capable of dealing with cyber security, the Commission emphasises the need to support all businesses and to reduce fragmentation in the cyber security market; this will include a certification scheme for cyber security products.

The NIS Directive includes an emphasis on transport, and on collaboration between regulators, governments, business, and especially operators of “essential services”, to exchange knowledge and cooperate in ensuring European resilience, especially of critical infrastructures. However, each Member State may interpret NIS requirements differently, and so in European transport we need to ensure a common understanding, supported by common guidelines and best practices. Cyber security needs to become a core part of business operations and business continuity thinking. The lack of cyber security knowledge among staff dealing with routine IT practices is a challenge, and DG Move aims to deliver a toolbox to support training of staff in this regard.

It is up to all of us to implement measures to fight cyber-crime, and none of us can do it alone.

“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017

Conference Report

  1. Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
  2. Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
  3. The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
  4. Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
  5. The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
  6. The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
  7. How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
  8. Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
  9. First panel discussion: “Product liability, staff training & awareness, information sharing in both safety and security…”
  10. Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
  11. Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
  12. Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
  13. Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
  14. The telecommunications view: “Risk management depends on agility”
  15. The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
  16. Second panel discussion: “The need for co-ordinated action”
  17. Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation….”
  18. The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
  19. Annexe - Conference Evaluation Summary – Consensus
