Building a Resilient Railway Infrastructure

2021 has been chosen as the European Year of Rail by the European Commission. The European initiative aims to highlight the benefits of rail as a sustainable, smart and safe means of transport to support the delivery of its European Green Deal objectives in the transport field.
Cybersecurity is a key requirement to enable railways to deploy and take advantage of the full extent of a connected, digital environment.
However, European infrastructure managers and railway undertakings face a complex regulatory system that requires a deep understanding of operational cybersecurity actions. In addition, European rail is undergoing a major transformation of its operations, systems and infrastructure due to digitalisation, mass transit and increasing interconnections. Therefore, the implementation of cybersecurity requirements is fundamental for the digital enhancement and security of the sector.
ENISA, the EU Agency for Cybersecurity, and ERA, the EU Agency for Railways, have joined forces to organise a virtual Conference on Rail Cybersecurity.
Policy
The European Commission has proposed the revision of the Network Information Security Directive (NIS2) to strengthen the cybersecurity measures to be adopted by the Member States and applied, among others, by European railway undertakings (RU) and infrastructure managers (IM).
The European Commission’s Directorate-General for Mobility and Transport (DG MOVE) also encourages awareness-raising of railway stakeholders by promoting the use of its Land Transport Security platform. A cybersecurity toolkit was also developed and shared with the participants. Cybersecurity is now a major concern for National Safety Authorities. The French rail safety authority, l’établissement public de sécurité ferroviaire (EPSF), compiled the related challenges in a white paper, jointly with the French IM and main RU, the French Cybersecurity Agency (ANSSI) and ERA.
Standardisation & Certification
The Working Group 26 of the European Committee for Electrotechnical Standardisation (CENELEC) delivered the promising Technical Specification 50701 on cybersecurity for railways, now under review by the National Committees. A published version of the technical specification is expected before the summer. A voluntary reference to this standard will be made through the application guides developed by ERA. Railway stakeholders expect the technical specification to lay the foundations of a common risk analysis methodology. As demonstrated by the case study proposed by the Italian railway stakeholders, such methodology will link the security analysis to the safety case.
Research & Innovation
The Shift2Rail Joint Undertaking has gained maturity, and the Technical Demonstrator 2.11 on cybersecurity will soon demonstrate the applicability of their findings on specific projects such as Automatic Train Operation or Adaptable Communication Systems.
Technical interoperability standards for EU railway automation are being proposed for consideration in the railway regulatory framework, proposing "secure by design" shared railway services. In addition, the International Union of Railways (UIC) recently launched a Cyber Security Solution Platform, taking a pragmatic approach in building a catalogue of solutions to risks and vulnerabilities identified by railway users.
Information Sharing & Cooperation
The European Railway-ISAC is attracting an increasing number of participants willing to share concerns or even vulnerabilities with trusted members, ensuring a collective response to the cybersecurity challenge. An open call by Shift2Rail, namely the 4SECURERAIL project, is developing a proposal for a European Computer Security Incident Response Team, allowing for identified threats to be instantly shared with targeted railway stakeholders.
With such developments, the railway industry, represented by the European Rail Industry Association (UNIFE), discussed how ready the sector is to increase the level of cybersecurity. UNIFE highlighted several priorities, such as the approval and usage of the TS 50701, the need for adequate certification schemes on product level, and the need for specific protection profiles on interface-specific devices and subsystems. This would allow for a more harmonized approach for manufacturers and system integrators.
Conclusions
The participants voted on topics for future conferences and these include, among others:
- new technologies;
- cyber risk management for railways;
- cyber threat landscape;
- the update of Technical Specifications for Interoperability (TSI);
- cyber skills and training and cyber incident response.
Both agencies are paying very close attention to all the developments in the field of railway cybersecurity.
The success of the online conference of the last two days shows how railway stakeholders can benefit from close cooperation to ensure that both the cybersecurity and the railway regulatory framework are cross-fertilised.

One ICT regulator’s journey to 5th-generation regulation

The global regulatory and technology landscape is complex and fast-moving.
Regulators find themselves grappling with an ever-growing array of challenges, chief among them achieving the Sustainable Development Goals (SDGs) by the 2030 deadline, now just a decade away.
The Kingdom of Saudi Arabia’s ICT regulator is no exception, as the country continues to prioritize the rapid growth of its ICT sector and pursue sustainable economic diversification as part of its Vision 2030.
But what is 5th-generation in the first place? And how is Saudi Arabia’s Communications and Information Technology Commission (CITC) planning to get there?
The evolving role of the ICT regulator
If we think in terms of regulatory “generations”, the first employed a “command and control approach”, which often took the form of public or national telecom monopolies. The second-generation regulatory landscape saw the opening of markets, facilitating partial liberalization and privatization of telecommunications. By generation three, we saw accelerated investment, innovation, and access opportunities emerge, with regulators placing a dual focus on stimulating competition while ensuring consumer protection.
Fourth generation features integrated regulation, led by economic and social policy goals. A 4th-generation regulator is one that ensures or is working towards universal access, consults stakeholders regularly, and promotes international and regional cooperation, equitable spectrum management, and stronger consumer protection.
Where do regulators stand globally?
According to ITU’s Global ICT Regulatory Outlook 2020, 8 per cent of countries now have holistic, forward-looking regulatory frameworks enabling digital transformation across the economy.
40 per cent of countries remain in regulatory generations 1 and 2, missing development opportunities and remaining disconnected from the digital transformation of their economies. While one third of countries have achieved G4, characterized by thriving markets for ICT services and the lowest proportion of unconnected populations, some have already set 5th-generation regulation in their sights. In a 5th-generation regulatory environment, collaboration among even more stakeholders is key to shaping decisions in a harmonized way not only within the telecommunications realm, but across a broad range of sectors now dependent on ICTs.
CITC’s regulatory transformation
With a guiding vision of a “connected nation for a thriving digital economy”, CITC is stepping up to meet the 5th-generation regulation challenge with an ambitious new digital transformation strategy. Their vision also emphasizes safeguarding the public, providing reliable service, ensuring fair competition, and balancing the diverse needs of multiple stakeholders.
Historically, the Commission’s mandate focused on regulating the telecommunication and information technology sectors. But the last two years have seen that mandate evolve to reflect a changing global regulatory and technology landscape.
The Saudi Arabian regulator has met the challenges of an increasingly complex regulatory environment with a series of initiatives, including, among others:
• Promoting investment and infrastructure development while ensuring access to high-quality services. CITC reported investing 15 billion USD in infrastructure, including meeting major deployment milestones on network infrastructure and quality. Mobile broadband download speed reached 77.55 Mbps in August 2020, and mobile coverage increased to 99 per cent of the population for 3G and 94 per cent for 4G, according to CITC estimates.
• Establishing a National Regulatory Committee that will bring together 8 core regulators to collaborate on ICT and digital cross-sectoral topics like blockchain, smart cities and digital platforms, and proactively anticipate emerging topics. Additional public and private entities will be involved as needed. This collaboration was set up to accelerate regulation-to-adoption and seeks to drive innovation, job creation, and investor confidence by promoting coherence and efficiency across Saudi Arabia’s ICT ecosystem.
• Acting collaboratively to deploy ICTs during the COVID-19 pandemic. As the pandemic reached Saudi Arabia, CITC collaborated quickly and effectively with telecom operators to meet the surge in demand for online access and data with increased speeds and data capacity, free services, expanded spectrum use, and enhanced network configurations and connectivity. This rapid response played a critical role in enabling remote work, business continuity, delivery apps, e-government services, and remote learning across Saudi Arabia.
[courtesy of ITU]

Croatia hit by multiple earthquakes affecting infrastructure and homes

At least seven people were killed and scores injured after a 6.4 magnitude earthquake struck central Croatia on December 29. The quake—the strongest recorded in 140 years—struck just after noon local time about 30 miles southeast of the capital Zagreb, and could be felt across the Balkans. The earthquake led to widespread damage to buildings and infrastructure, including the region’s largest hospital and a variety of other healthcare-related facilities. Hundreds of thousands of people were left without power, and travel has been widely disrupted as officials continue to assess damage to roads, bridges and local airports.
In recent days, the area has suffered from strong aftershocks. On January 6, a 4.9 magnitude earthquake occurred in the same area, with the epicenter near Petrinja, just 4 miles (7 kilometers) west-northwest of the December 29 quake.
Reports indicate significant damage to buildings and homes and possible utility disruptions in Petrinja, Zagreb, and Sisak in Croatia. Slovenia has also shut down power to its nuclear power plant, as a precaution due to the possibility of aftershocks. Some damage to infrastructure has also been reported in Bosnia and Herzegovina.
Within hours of the earthquake, International Medical Corps deployed more than $50,000 worth of personal protective equipment (PPE) to support Croatian health authorities involved in relief efforts. It also deployed an Emergency Response Team from the Croatia office to conduct an assessment of the damage and critical needs in Petrinja, Sisak, Glina and the surrounding villages.
The IMC team is working closely with the Croatian Ministry of Health’s Crisis Management Center to evaluate needs and coordinate opportunities to connect resources with those affected by the earthquake. Based on discussions with the Ministry of Health (MoH), a clear priority is to restore primary healthcare services in the affected region.
IACIPP Regional Director, Robert Mikac, who is actively involved in disaster management and relief in Croatia, is supporting the government response to the disaster.

Resilient buildings offer protection and boost recovery

Resilient infrastructure protects people during disasters and enables communities to recover quickly in the immediate aftermath of a crisis.
Two examples from Vanuatu during and after Tropical Cyclone Harold – a Category 5 storm – illustrate the point powerfully.
During the devastating storm, the two classrooms of Balon School on the island of Santo served as official cyclone shelters protecting around 10 families (approximately 50 people) over two days during the worst weather. One week after Harold passed over the island of Santo, Balon School played an important role in local recovery efforts through the hosting of a psycho-social workshop to help locals deal with the compounded stress from TC Harold.
School teachers shared important information to help families recover quickly in a workshop that was coordinated by School Improvement Officers from the Sanma Education Office.
“The classrooms were very strong, very resilient. Once we closed the wooden shutters, only a small amount of water came in, mostly through the crack under the door, even though we could hear the wind whistling outside, moving trees and branches around and the rain crashing on the roof,” said School Principal John Harry. “There was no damage to either of the classrooms after the storm which meant we could start teaching again soon after.”
The example of Balon School highlights the value of disaster resilient infrastructure in disaster-exposed countries such as Vanuatu, where many rural schools act as social and educational hubs for local communities.
Balon School caters for 150 students ranging from kindergarten through to Year 6. It was selected as a pilot under the Australian Government-funded Pacific Humanitarian Social Infrastructure as part of the Recovery Acceleration through Prefabricated Infrastructure Deployment (RAPID) programme.
Another good example of resilient infrastructure is Market House in Luganville, Vanuatu’s second major city.
Built in 1977, Market House was renovated in 2019 to strengthen its disaster and climate resilience so that its many vendors – predominantly women and including persons with disabilities – could continue to trade. The renovation included a Category 5 cyclone-resistant roof, more durable flooring and a new water drainage system to reduce the risk of flooding and damage during extreme weather events.
Cyclone Harold hit the town only six months after the renovations. Despite wind speeds of up to 270 kilometers per hour, the Luganville Market House sustained only minor roof damage. As a result, many of the more than 3,000 registered market vendors were able to start selling goods and produce within a week of the storm.
It is a good example of how climate-informed design, construction and renovation of social infrastructure strengthens local and gender-sensitive resilience in the face of increasing climate change threats and disasters. The renovations were under UN Women’s Markets for Change programme, which is mainly funded by the Australian Government.

New community benchmark on water infrastructure resilience released

The Alliance for National and Community Resilience (ANCR) released the third of its Community Resilience Benchmarks—the water benchmark, which addresses resilience of drinking water, wastewater and stormwater systems.
ANCR’s Community Resilience Benchmarks (CRBs) support communities in assessing their resilience and developing strategies for improvement. These benchmarks take a coordinated, holistic look at the people, services and processes that make communities work.
The water benchmark was developed by a committee of subject matter experts co-chaired by Andy Kricun, Managing Director at Moonshot Missions and Senior Fellow at the U.S. Water Alliance, and Jennifer Adams, an emergency management consultant. Committee members included representatives from the American Chemistry Council, American Water Works Association, Codes and Standards International, Denver Water, Ductile Iron Pipe Research Association, Dupont Water Solutions, McWane, New York City Department of Environmental Protection, North Carolina Department of Environmental Quality, and the U.S. Environmental Protection Agency.
“Water is such an essential aspect of communities. We’re grateful for the contributions made by committee members to help capture the policies and practices that support resilience in this sector,” said Evan Reis, Executive Director of the U.S. Resiliency Council and Chair of the ANCR Board of Directors.
“We look forward to working with communities to integrate the Community Resilience Benchmarks into their current resilience initiatives,” commented ANCR Executive Director Ryan Colker. “Not only does the Water Benchmark provide an excellent enhancement to the provisions contained in the Buildings and Housing Benchmarks, but it also helps communities determine how their water systems and utilities contribute to their resilience goals to inform future investments that help protect residents and businesses from disaster.”
Communities are encouraged to pilot the benchmark and provide feedback to ANCR to support updates. For communities interested in piloting the water benchmark.
ANCR is a joint initiative of the International Code Council and the U.S. Resiliency Council that brings together representatives from the public and private sectors to advance a holistic approach to community resilience.

Latest issue of World Security Report has arrived

The Winter 2020-21 issue of World Security Report, with the latest industry views and news, is now available to download.
In the Winter 20-21 issue of World Security Report:
- Priority of Protecting Digital Critical Infrastructure Will Grow in 2021, by Chuck Brooks
- A view of Facility Industrial Control System Security, by Ron Martin
- The Need for Higher Level Strategic Approaches to Cyber Security, by Bonnie Butler
- Critical Infrastructure Protection Starts at the Perimeter
- Effective Security Options for Healthcare Facilities
- African Terror Groups ‘Rebrand’ as Islamic State
- IACIPP Association News
- Industry news
Download your copy today at www.cip-association.org/WSR

NCSC defends UK from more than 700 cyber attacks while supporting national pandemic response

The National Cyber Security Centre defended the UK from an average of 60 attacks per month during a year which saw its resources proactively focused on the coronavirus response, the organisation’s latest Annual Review revealed today.
The NCSC, which is a part of GCHQ, handled 723 incidents between 1 September 2019 and 31 August 2020, with around 200 related to coronavirus. In the previous three years since launching, they supported an average of 602 incidents annually (590 in 2017, 557 in 2018 and 658 in 2019).
The growth this year reflects ongoing NCSC efforts to proactively identify and mitigate threats, tips the organisation receives from its extensive network of partners and reports from victims themselves.
In a year heavily influenced by the pandemic, the review highlights the NCSC’s support for the healthcare sector, such as scanning more than 1 million NHS IP addresses for vulnerabilities leading to the detection of 51,000 indicators of compromise, and working with international allies to raise awareness of the threat of vaccine research targeting.
With cyber criminals looking to exploit public fear over the pandemic with coronavirus-related online scams, the NCSC and the City of London Police also launched the Suspicious Email Reporting Service, which received 2.3 million reports from the public in its first four months – resulting in thousands of malicious websites being taken down.
The NCSC also provided the technical assurances during the creation of the Virtual Parliament, as well as producing a wide range of advice for businesses and individuals switching to home working as a result of the pandemic.
A new remote working scenario was added to the NCSC’s ‘Exercise in a Box’ programme. The initiative, which allows people to test their cyber defences against realistic scenarios, was used by people in 125 countries this year.