Risk Management: Helping the EU Railways Catch the Cybersecurity Train

European railway undertakings (RUs) and infrastructure managers (IMs) need to address cyber risks in a systematic way as part of their risk management processes. This need has become even more urgent since the Network and Information Security (NIS) Directive came into force in 2016.

Objectives of the Railway Cybersecurity report

The purpose of the report is to provide European RUs and IMs with applicable methods and practical examples on how to assess and mitigate cyber risks.

The good practices presented are based on feedback from railway stakeholders. They include tools, such as assets and services list, cyber threat scenarios and applicable cybersecurity measures, based on the standards and good practices used in the sector. These resources can be used as a basis for cyber risk management for railway companies. They are therefore intended to be a reference point and to promote collaboration between railway stakeholders across the EU while raising awareness on relevant threats.

The main takeaways

  • Existing risk management approaches vary for railway IT and OT systems

For the risk management of railway Information Technology (IT) systems, the most cited approaches were the requirements of NIS Directive at a national level, the ISO 2700x family of standards, and the NIST cybersecurity framework.

For Operational Technology (OT) systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project.

Those standards or approaches are often used in a complementary way to adequately address both IT and OT systems. While IT systems are normally evaluated with broader and more generic methods (such as ISO 2700x or NIS Directive), OT systems need specific methods and frameworks that have been designed for industrial train systems.

There is no unified approach available to railway cyber risk management yet. Stakeholders who participated in this study indicated that they use a combination of the abovementioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies.

  • Asset taxonomies

For RUs and IMs to manage cyber risks, identifying what needs protection is essential. In this report, a comprehensive asset list is broken down into 5 areas: the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used.

  • Threats taxonomies and risk scenarios

RUs and IMs need to identify which cyber threats are applicable to their assets and services. The report reviews available threat taxonomies, and provides a list of threats that can be used as the basis.

Examples of cyber risk scenarios are also analysed, which can assist railway stakeholders when performing a risk analysis. They show how asset and threat taxonomies can be used together and are based on the known incidents of the sector and the feedback received during the workshops.

  • Applying cybersecurity measures

Each scenario is associated with a list of relevant security measures. The report includes cybersecurity measures derived from the NIS Directive, current standards (ISO/IEC 27002, IEC 62443) and good practices (NIST’s cybersecurity framework).

Risky business or a leap of faith? A risk-based approach to optimise cybersecurity certification

The European Union Agency for Cybersecurity (ENISA) has launched a cybersecurity assessment methodology for cybersecurity certification of sectoral multistakeholder ICT systems.

The Methodology for a Sectoral Cybersecurity Assessment (SCSA Methodology) was developed to enable the preparation of EU cybersecurity certification schemes for sectoral ICT infrastructures and ecosystems. SCSA aims at market acceptance of cybersecurity certification deployments and supports the requirements of market stakeholders and the EU Cybersecurity Act (CSA). In particular, SCSA promotes the identification of security and certification requirements based on the risks associated with the “intended use” of the specific ICT products, services and processes.

The SCSA Methodology makes available to the ENISA stakeholders a comprehensive ICT security assessment instrument that includes all aspects pertinent to sectoral ICT systems and provides thorough content for the implementation of ICT security and cybersecurity certification.

While SCSA draws from widely accepted standards, in particular ISO/IEC 27000-series and ISO/IEC 15408-series, the proposed enhancements tackle multi-stakeholder systems and the specific security and assurance level requirements concerning ICT products, processes and cybersecurity certification schemes.

This is achieved by introducing the following features and capabilities:

- Business processes, roles of sectoral stakeholders and business objectives are documented at ecosystem level, overarching the ICT subsystems of the individual stakeholders. Stakeholders are invited to actively contribute to the identification and rating of ICT security risks that could affect their business objectives.
- A dedicated method associates the stakeholders’ ratings of risks with the security and assurance level requirements to dedicated ICT subsystems, components or processes of the sectoral ICT system.
- SCSA specifies a consistent approach to implement security and assurance levels across all parts of the sectoral ICT system and provides all information required by the sectoral cybersecurity certification schemes.

Benefits of the SCSA Methodology for stakeholders

The sectoral cybersecurity assessment provides a comprehensive approach to the multi-faceted aspects presented by complex multi-stakeholder ICT systems, and it features the following benefits:

- The security of a sectoral system requires synchronisation across all participating stakeholders. SCSA introduces comparability of security and assurance levels between different stakeholders’ systems and system components. SCSA enables building open multi-stakeholder ecosystems even among competitors to the benefit of suppliers and customers.
- The risk-based approach supports transparency and a sound balance between the cost for security and certification and the benefit of mitigating ICT-security-related business risks for each concerned stakeholder.
- Security measures can focus on the critical components, optimising the security architecture of the sectoral system, hence minimising cost of security.
- SCSA generates accurate and consistent information on security and certification level requirements for all relevant ICT subsystems, components or processes. On this basis, suppliers can match their products to their customers’ requirements.
- SCSA supports the integration of existing risk management tools and information security management systems (ISMS).
- Due to a consistent definition of assurance levels, the re-use of certificates from other cybersecurity certification schemes is supported.

Understanding the increase in Supply Chain Security Attacks

The European Union Agency for Cybersecurity mapping on emerging supply chain attacks finds 66% of attacks focus on the supplier’s code.
Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers. Malware is the attack technique that attackers resort to in 62% of attacks.
According to the new ENISA report - Threat Landscape for Supply Chain Attacks, which analysed 24 recent attacks, strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers.
This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.
Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year. This new trend stresses the need for policymakers and the cybersecurity community to act now. This is why novel protective measures to prevent and respond to potential supply chain attacks in the future, while mitigating their impact, need to be introduced urgently.
Why is a good level of cybersecurity not good enough?
Composed of an attack on one or more suppliers followed by a later attack on the final target, namely the customer, supply chain attacks may take months to succeed. In many instances, such an attack may even go undetected for a long time. Similarly to Advanced Persistent Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly, with attackers probably planning them well in advance. All such aspects reveal the degree of sophistication of the adversaries and their persistence in seeking to succeed.
The report reveals that an organisation could be vulnerable to a supply chain attack even when its own defences are quite good. The attackers explore new potential highways to infiltrate organisations by targeting their suppliers. Moreover, with the almost limitless potential of the impact of supply chain attacks on numerous customers, these types of attacks are becoming increasingly common.
In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. This shows that organisations should focus their efforts on validating third-party code and software before using it, to ensure it was not tampered with or manipulated.
For about 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) data and intellectual property.
For 66% of the supply chain attacks analysed, suppliers did not know, or failed to report on how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users.
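As an added example, not part of the ENISA report, the following Python code shows one concrete form of the third-party code validation the report recommends: every artifact obtained from a supplier is checked against a SHA-256 digest pinned in a manifest that the consuming organisation controls and keeps under version control, and anything unknown or mismatched is rejected before it is used. The artifact names, their contents and the manifest are constructed sample data.

```python
"""Pinned-digest verification of third-party artifacts before use.

Added example (not from the ENISA report). The manifest, artifact names and
contents below are constructed sample data; in practice the manifest would be
committed alongside the consuming project and reviewed when it changes.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Mapping


@dataclass(frozen=True)
class VerificationResult:
    name: str
    ok: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, manifest: Mapping[str, str]) -> VerificationResult:
    """Check one artifact against the pinned manifest.

    Fails closed: an artifact that is not listed at all is rejected, not
    waved through, because the manifest is the allow-list of what may run.
    """
    expected = manifest.get(name)
    if expected is None:
        return VerificationResult(name, False, "artifact not in pinned manifest")
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how many leading characters match.
    if not hmac.compare_digest(actual, expected.lower()):
        return VerificationResult(
            name, False, f"digest mismatch: expected {expected}, got {actual}"
        )
    return VerificationResult(name, True, "digest matches pinned manifest")


def all_verified(artifacts: Mapping[str, bytes], manifest: Mapping[str, str]) -> bool:
    """True only if every supplied artifact verifies; one bad file blocks the set."""
    return all(verify_artifact(n, d, manifest).ok for n, d in artifacts.items())


# --- Constructed sample data -------------------------------------------------
GOOD_LIB = b"def helper():\n    return 1\n"
# Same file with an unexpected modification appended, standing in for a
# supplier build that was altered somewhere between supplier and customer.
TAMPERED_LIB = GOOD_LIB + b"# unexpected modification\n"

# The digest of the reviewed release is pinned once and reused on every install.
PINNED_MANIFEST = {"helper-1.0.0.py": sha256_hex(GOOD_LIB)}


if __name__ == "__main__":
    for label, blob in (("clean", GOOD_LIB), ("tampered", TAMPERED_LIB)):
        result = verify_artifact("helper-1.0.0.py", blob, PINNED_MANIFEST)
        print(f"{label:9s} ok={result.ok} ({result.reason})")
    print("unknown   ok=", verify_artifact("other.whl", GOOD_LIB, PINNED_MANIFEST).ok)
```

Pinning by digest protects the customer against a supplier artifact that changed after it was reviewed; it does not, by itself, catch a malicious change that was already present when the digest was pinned, which is why the report's emphasis on reviewing third-party code before first use still applies.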

ENISA Report: New Light Shed on Capabilities in Energy & Healthcare

A new report released by the EU Agency for Cybersecurity (ENISA) showcases the product vulnerability management landscape, unveiling challenges faced by sectoral CSIRTs and PSIRTs.
Europeans can count on more than 500 Computer Security Incident Response Teams (CSIRTs) and on the CSIRTs network to respond to cybersecurity incidents and attacks.
In addition to CSIRTs, Product Security Incident Response Teams (PSIRTs) have emerged more recently. Their role is to manage the vulnerabilities of a company’s products and services.
PSIRTs have been mostly developed in a heterogeneous way. For instance, while some of them are well developed and independent from the main Incident Response (IR) team of the host company, others belong to their Security Operations Centre (SOC) or are just part of the development team.
Why a report on CSIRTs and PSIRTs capabilities?
The Directive on Security of Network and Information Systems (NISD) adopted in 2016 provides legal measures to boost the level of cybersecurity in the EU. Both CSIRTs and PSIRTs are essential players in the global Incident Response (IR) ecosystem.
The study published today - PSIRT Expertise and Capabilities Development - provides recommendations on the role of PSIRTs in the IR setup of the Member States according to the NISD, specifically in the energy and health sectors.
ENISA had already explored the IR setup across all sectors of the NISD in detail in a study published in 2019: “EU Member States incident response development status report”.
Sectoral PSIRTs, such as those in energy or healthcare, may benefit from an aligned approach in terms of processes and collaboration to ensure legal compliance in relation to their business partners, clients and possibly Operators of Essential Services or other actors subject to EU cybersecurity regulation.

Recommendations for measures to prevent hospital fires

The European Commission’s Joint Research Centre (JRC) issued a series of recommendations to help prevent the hospital fires associated with the medical oxygen needed for severely ill Covid-19 patients. They range from electrical maintenance to administrative measures and widely disseminated training and guidance on prevention and risk management strategies for oxygen hazards.

Since the outbreak of the pandemic in March 2020, at least 36 incidents of hospital fires associated with intense oxygen use have been found to have occurred in various countries around the world, causing the deaths of over 200 people and injuring many more.

The majority of the dead and injured were patients extremely ill with the novel Coronavirus and others were their health care providers. Most deaths resulted directly from the fire but there were also several deaths from patients deprived of oxygen because of the event.

In comparison, up until 2020, media reports show an average of just over one such event per year since 2011.

According to the JRC recommendations, the strategies to prevent and mitigate the fire risk in intensive care units should revolve around three main elements:

• Guidance on oxygen therapy for Covid-19 and other diseases needs to identify specific prevention measures that can reduce the risk of oxygen-enriched environments in these settings;

• All hospitals should establish a risk management strategy for oxygen hazards led by hospital management, involving all staff, including healthcare workers, maintenance, housekeeping and administration;

• As part of this policy, all hospitals should track the number of patients having medical gas treatment and, when elevated, an appropriate fire risk management policy should be applied.

The hospitals should use as examples strategies developed for chemical process safety to manage flammable and explosive atmospheres. The management procedures should involve medical and non-medical staff, and prevention and emergency preparedness should take into account potential intensive care unit fires.

Exploring Research Directions in Cybersecurity

ENISA, the European Union Agency for Cybersecurity, has identified key research directions and innovation topics in cybersecurity to support the efforts of the EU towards a Digital Strategic Autonomy.
Resilience, technological sovereignty and leadership are essential for the EU and as such, they are addressed by the new EU Cybersecurity Strategy. In an effort to support this cybersecurity strategy, the European Union Agency for Cybersecurity releases today a report intended to look into digital strategic autonomy in the EU and suggests future research directions.
What is Digital Strategic Autonomy?
Digital strategic autonomy can be defined as the ability of Europe to source products and services designed to meet the EU’s specific needs and values, while avoiding being subject to the influence of the outside world. In the digital world, such needs may encompass hardware, software or algorithms, manufactured as products and/or services, which should comply with the EU values, and thus preserve a fair digital ecosystem while respecting privacy and digital rights.
To ensure the sourcing of such products and/or services complies with the EU’s needs and values, the EU has the option to self-produce them autonomously, or in the case where products and services are acquired from third countries, to certify them and validate their compliance.
However, in cases where there is a high dependence on sourcing, the EU should still be capable of operating its digital infrastructures without giving rise to any possible detrimental influence. Hence, Europe needs to maintain the capability to produce its critical products and services independently.
In short, digital strategic autonomy means the capacity for the EU to remain autonomous in specific areas of society where digital technologies are used.
Why such a move?
The new challenges brought about by the digitalisation of our environment raise questions on our capacity to retain ownership and control of our personal data, of our technological assets and of our political stand. Such are the main dimensions to be considered under the idea of digital strategic autonomy.
Furthermore, the COVID-19 pandemic highlighted the importance of cybersecurity and the need for the EU to continue to invest in research & development in the digital sector. Within this context, ENISA’s report sets and prioritises the key research and innovation directions in cybersecurity.
Key Research Directions: which are they?
The report identifies the following seven key research areas:
- Data security;
- Trustworthy software platforms;
- Cyber threat management and response;
- Trustworthy hardware platforms;
- Cryptography;
- User-centric security practices and tools;
- Digital communication security.
For each of these areas, the report introduces the current state of play in the EU and includes an assessment of current and expected issues. These analyses serve the purpose of issuing recommendations on cybersecurity-related research topics. Such recommendations intend to highlight the bases needed to bolster the EU’s digital autonomy.

Guidelines for Cybersecurity in Hospitals: New Online tool

The new tool helps healthcare organisations identify best practices in order to meet cybersecurity needs when procuring products or services.
To facilitate the use of the Procurement Guidelines for Cybersecurity in Hospitals published in 2020, ENISA releases an online tool today to support the healthcare sector in identifying procurement good practices to meet cybersecurity objectives when procuring products or services.
In addition, the Agency also publishes a concise version of the procurement guidelines dedicated to the sector in each of the 24 EU official languages.
Cybersecurity in Healthcare: why does it matter?
The COVID-19 pandemic demonstrated the value of eHealth services such as telemedicine and remote patient care.
Since it has become increasingly digital and interconnected, the healthcare sector needs to consider cybersecurity as an enabler and as a key factor for ensuring the resilience and availability of key healthcare services.
Cybersecurity needs to be envisaged throughout the procurement lifecycle. IT departments should be involved in procurement activities as the cybersecurity implications in the procurement of any product or service should be well understood and consistently addressed by healthcare organisations.
EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, declared: “Securing eHealth today means ensuring the resilience of the EU’s life support system, the healthcare sector. ENISA is committed to shape the ICT environment needed to prevent cybersecurity incidents and attacks on our healthcare sector.”
Procurement Guidelines and online tool: What for?
The online tool was developed as a complement to the procurement guidelines for cybersecurity in hospitals. Its purpose is:
- To help healthcare organisations to quickly identify the guidelines that are most relevant to their procurement context such as assets procured or related threats;
- To promote the importance of a good procurement process to ensure appropriate security measures.
To facilitate the dissemination of good practices across all healthcare organisations in the EU, a concise version of the procurement guidelines is now made available in the 22 official EU languages, and the full version is available in English and Spanish.
The report on procurement guidelines has already generated a significant interest in the healthcare cybersecurity community.
Stakeholders in the sector, including members of the eHealth Security Experts Group, suggested the idea of an interactive format of the guidelines, making it possible to customise searches and support decision making through informed procurement.
The guidelines were translated in order to allow health organisations across Member States to directly access the content in their own language.
Who is it meant for?
- Procurement officers of healthcare organisations;
- Healthcare professionals with technical positions or in charge of IT systems and equipment;
- Chief level executives such as CIO, CISO, CTO;
- The EU citizens involved in or seeking to develop knowledge and awareness on such processes.

Building Trust in the Digital Era: ENISA boosts the uptake of the eIDAS regulation

The European Union Agency for Cybersecurity issues technical guidance and recommendations on Electronic Identification and Trust Services helping Member States to implement the eIDAS regulation.
The European Union Agency for Cybersecurity (ENISA) completed a package of five reports in order to boost the implementation of the eIDAS regulation and promote the uptake of Electronic Identification and Trust Services. This work falls under the scope of the EU Cybersecurity strategy for the Digital Decade.
ENISA has been at the forefront of the developments on eIDAS since 2013 and, with the Cybersecurity Act established in 2019, the Agency has an extended mandate to support and assist the European Commission and the Member States in the area of electronic identification.
In this challenging period, the “EU digital ID scheme for online transactions across Europe” initiative will drive the revision of eIDAS and will promote digital identities for all Europeans. In order to support the Commission, ENISA has undertaken activities to explore the security considerations for trust service providers and remote identity proofing.
Four of the reports on trust services form an update of ENISA’s guidelines for qualified trust service providers. They represent a voluntary toolset designed to help those trust service providers comply with eIDAS. Specifically, they include:
- technical guidance on the security framework for Qualified Trust Service Providers (QTSP) and for the non-Qualified ones;
- security recommendations for Qualified Trust Service Providers based on Standards;
- guidelines on Conformity Assessment of Trust Service Providers.
A fifth report includes an analysis of the methods used to carry out identity proofing remotely and explores their security considerations. Remote identification allows customers to have their identification information collected and validated without the need for physical presence at the premises of the operator. This has become crucial during the COVID-19 pandemic, as it allows access to cross-border online services offered by Member States.
Technical Guidelines on Trust Services
ENISA issued the reports in order to update existing recommendations and guidelines issued in 2017 for qualified trust services. The purpose of these reports is therefore to focus on the requirements set by the eIDAS regulation and the emergence of new standards and new TSP services.
The new guidelines are presented in four different reports according to the following topics:
- trust service providers (qualified or not) looking for guidance on how to meet the requirements of the eIDAS Regulation;
- service providers seeking to clarify whether they qualify as a trust service provider according to the provisions under the eIDAS regulation;
- relying parties seeking to evaluate to what extent their trust service provider complies with the eIDAS requirements.
As a result, the set of recommendations include:
- Security Framework for Qualified Trust Service Providers and for Non-Qualified Trust Service Providers. These guidelines consider the greater potential variety encountered in non-qualified trust service providers;
- Security Recommendations for Qualified Trust Service Providers based on Standards, and Guidelines on Conformity Assessment of Trust Service Providers.
These guidelines have been consulted with and validated by experts in the eIDAS field from various sectors.

Building a Resilient Railway Infrastructure

2021 has been chosen as the European Year of Rail by the European Commission. The European initiative aims to highlight the benefits of rail as a sustainable, smart and safe means of transport to support the delivery of its European Green Deal objectives in the transport field.
Cybersecurity is a key requirement to enable railways to deploy and take advantage of the full extent of a connected, digital environment.
However, European infrastructure managers and railway undertakings face a complex regulatory system that requires a deep understanding of operational cybersecurity actions. In addition, European rail is undergoing a major transformation of its operations, systems and infrastructure due to digitalisation, mass transit and increasing interconnections. Therefore, the implementation of cybersecurity requirements is fundamental for the digital enhancement and security of the sector.
ENISA, the EU Agency for Cybersecurity, and ERA, the EU Agency for Railways, have joined forces to organise a virtual Conference on Rail Cybersecurity.
Policy
The European Commission has proposed the revision of the Network Information Security Directive (NIS2) to strengthen the cybersecurity measures to be adopted by the Member States and applied, among others, by European railway undertakings (RU) and infrastructure managers (IM).
The European Commission’s Directorate-General for Mobility and Transport (DG MOVE) also encourages awareness-raising of railway stakeholders by promoting the use of its Land Transport Security platform. A cybersecurity toolkit was also developed and shared with the participants. Cybersecurity is now a major concern for National Safety Authorities. The French rail safety authority, l’établissement public de sécurité ferroviaire (the EPSF) compiled the related challenges in a white paper, jointly with the French IM and main RU, the French Cybersecurity Agency, ANSSI and ERA.
Standardisation & Certification
The Working Group 26 of the European Committee for Electrotechnical Standardisation (CENELEC) delivered the promising Technical Specification 50701 on cybersecurity for railways, now under review by the National Committees. A published version of the technical specification is expected before the summer. A voluntary reference to this standard will be made through the application guides developed by ERA. Railway stakeholders expect the technical specification to lay the foundations of a common risk analysis methodology. As demonstrated by the case study proposed by the Italian railway stakeholders, such methodology will link the security analysis to the safety case.
Research & Innovation
Shift2Rail the Joint Undertaking has gained maturity, and the Technical Demonstrator 2.11 on cybersecurity will soon demonstrate the applicability of their findings on specific projects such as Automatic Train Operation or Adaptable Communication Systems.
Technical interoperability standards for EU railway automation are being proposed for consideration in the railway regulatory framework, proposing "secure by design" shared railway services. In addition, the International Union of Railways (UIC) recently launched a Cyber Security Solution Platform, taking a pragmatic approach in building a catalogue of solutions to the risks and vulnerabilities identified by railway users.
Information Sharing & Cooperation
The European Railway-ISAC is attracting an increasing number of participants willing to share concerns or even vulnerabilities to trusted members and ensuring a collective response to the cybersecurity challenge. An open call by Shift2Rail, namely the 4SECURERAIL project, is developing a proposal for a European Computer Security Incident Response Team, allowing for identified threats to be instantly shared with targeted railway stakeholders.
With such developments, the railway industry, represented by the European Rail Industry Association (UNIFE), discussed how ready the sector is to increase its level of cybersecurity. UNIFE highlighted several priorities, such as the approval and usage of TS 50701, the need for adequate certification schemes at product level, and the need for specific protection profiles for interface-specific devices and subsystems. This would allow for a more harmonised approach for manufacturers and system integrators.
Conclusions
The participants voted on topics for future conferences, and these include, among others:
- new technologies;
- cyber risk management for railways;
- cyber threat landscape;
- the update of Technical Specifications for Interoperability (TSI);
- cyber skills and training and cyber incident response.
Both agencies are paying very close attention to all the developments in the field of railway cybersecurity.
The success of the online conference of the last two days shows how railway stakeholders can benefit from close cooperation to ensure that both the cybersecurity and the railway regulatory framework are cross-fertilised.

When & How to Report Security Incidents – ENISA releases new guidelines

The European Union Agency for Cybersecurity (ENISA) releases new guidelines to facilitate the reporting of security incidents by national telecom security authorities.
The guidelines published help national telecom security authorities in the reporting of significant incidents to ENISA and the European Commission under the European Electronic Communications Code (EECC).
These new guidelines replace the previous ones issued by ENISA on incident reporting under Article 13a of the EU Telecoms Framework Directive. This revised version takes into account the scope and the provisions of the EECC and provides non-binding technical guidance to national authorities supervising security in the electronic communications sector.
The following three types of incident reporting are provided for under Article 40 of the EECC:
1. National incident reporting from providers to national security authorities;
2. Ad-hoc incident reporting between national security authorities and ENISA;
3. Annual summary reporting from national security authorities to the European Commission and ENISA.
The new guidelines focus firstly on the ad-hoc incident reporting between the security authorities and ENISA and secondly on the annual summary reporting. More specifically, the document includes information on how and when security authorities can report security incidents to ENISA, to the European Commission and to other security authorities.
The information provided considers the services and incidents within the scope of the EECC: incidents affecting the confidentiality, availability, integrity and authenticity of networks and services. The thresholds needed for the annual reporting are also defined. These thresholds are both of a quantitative and of a qualitative nature.
The quantitative elements considered include the number of users affected and the duration of the incident. Qualitative information was also used, such as the geographical coverage of the incident and the impact on the economy, on society and on users.
The new guidelines also include an incident report template and draw the distinction between national and annual reporting.
This report was drafted by ENISA in close cooperation with the ECASEC expert group of national telecom security authorities.