The morning panel discussion raised a range of questions for debate.
The regulation of technologies for security and risk was raised, and revealed a range of views on how to test and certify products and on how to maintain such an approach. Liability for products claiming to be cyber security products was suggested to be beyond current regulation and to require more attention. It was generally emphasised that liability for risk in software and hardware is an extremely complex area, which further underlines the need for railways to use the most secure solutions so as to avoid risks.
Further discussion highlighted the need for railways to train and equip staff as specialists in cyber security. The debate underlined a lack of maturity within railways in relation to this new area of challenges, and there is a clear opportunity to share knowledge and experience around training to deliver the new capacities required.
The exchange of cyber security information was discussed in the context of common occurrence reporting, but speakers noted differences in objectives and in focus. The special nature of cyber security may not fit easily into the current project which, in itself, faces difficulties in acceptance by Member States, some of which question the need for information exchange around physical safety (the original project focus).
Other discussions focused on the need to encompass all digital technologies that may present cyber security risks and to continually update that perspective, as well as on the need for each railway to recognise and address system changes within a well-managed cyber security strategy.
“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017
- Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
- Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
- The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
- Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
- The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
- The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
- How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
- Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
- First panel discussion: “Product liability, staff training & awareness, information sharing in both safety and security…”
- Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
- Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
- Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
- Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
- The telecommunications view: “Risk management depends on agility”
- The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
- Second panel discussion: “The need for co-ordinated action”
- Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation….”
- The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
- Annexe - Conference Evaluation Summary – Consensus