Dr Florent Frederix of DG CNECT Trust and Security Unit presented the Network and Information Security Directive (NIS) [1] and the requirement for railway collaboration. Dr Frederix confirmed the importance of the messages from preceding speakers, and introduced several European actions on cyber security supported by a range of examples. Automatic train operation in the freight sector, digital signalling, and railway management on networked IT platforms were demonstrated as inter-connected examples where intrusions in one area can be used to access others. Networks, by definition, are pathways to selected targets.
The EU Cybersecurity Strategy [2]: An Open, Safe and Secure Cyberspace, launched by DG Home Affairs, drives the NIS Directive [3] and aims to increase national cybersecurity capability, EU-level cooperation, and improved risk management.
The CSIRT/CERT network, conceived by DG CNECT, includes a Cooperation Group (supported by EU, ENISA and Member States), as well as a network of National CSIRT/CERT organisations (Computer Security Incident Reporting Team – Computer Emergency Response Team). CSIRT/CERTs are driven by national competent authorities who provide a National Contact Point, and these in turn provide representation and active participation in the Cooperation Group. The EC will establish operational rules to support further development.
The NIS Directive emphasises “operators of essential services” and encourages Member States to interpret the Directive to meet needs for cooperation between such operators.
The Cybersecurity Contractual Public-Private Partnership will provide 450M Euros of grants as part of the Horizon 2020 R&D budget to increase cybersecurity, including in transport.
A Cybersecurity competence centre will also be established to address cybersecurity challenges.
[2] EU Cybersecurity Strategy - https://ec.europa.eu/home-affairs/what-is-new/news/news/2013/20130207_01_en
[3] NIS Directive source documents - http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG
“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017
- Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
- Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
- The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
- Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
- The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
- The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
- How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
- Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
- First panel discussion: “Product liability, staff training & awareness, information sharing in both safety and security…”
- Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
- Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
- Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
- Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
- The telecommunications view: “Risk management depends on agility”
- The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
- Second panel discussion: “The need for co-ordinated action”
- Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation….”
- The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
- Annexe - Conference Evaluation Summary – Consensus