ENISA publish report for cyberecurity measures in Railway Transport Sector

Representing 472 billion passenger-kilometres, 216,000 km of active railways3 and 430 billion tonne-kilometres for freight transport, the railway sector plays an important and fast-growing role. Railway infrastructure and systems are key assets, crucial to developing and protecting the European Union.
The railway sector enables goods and passengers to be transported within countries and across borders, and is key to the development of the European Union. The main players within this sector are the railway undertakings (RU), in charge of providing services for the transport of goods and/or passengers by rail; and the infrastructure managers (IM), in charge of establishing, managing and maintaining railway infrastructure and fixed installation, including traffic management, control-command and signalling, but also station operation and train power supply. Both are in the scope of the NIS Directive, and their identification as operator of essential service (OES) respects the transposition of laws to the majority of member states.
The study also identifies the main challenges faced by the sector to enforce the NIS Directive:
- Railway stakeholders must strike a balance between operational requirements, business competitiveness and cybersecurity, while the sector is undergoing digital transformation which increases the need for cybersecurity.
- Railway stakeholders depend on suppliers with disparate technical standards and cybersecurity capabilities, especially for operational technology.
- OT systems for railways have been based on systems that were at a point in time secure according to the state-of-the art but due to the long lifetime of systems they eventually become outdated or obsolete. This makes it difficult to keep them up-to-date with current cybersecurity requirements. Furthermore, these systems are usually spread across the network (stations, track, etc.), making it difficult to comprehensively control cybersecurity.
- Railway operators report issues of low cybersecurity awareness and differences in culture, especially among safety and operations personnel.
- Existing rail specific regulation doesn’t include cybersecurity provisions. OES often have to comply with non-harmonized cybersecurity requirements deriving from different regulations.
ERTMS is also covered in this study as a separate infrastructure due to its special requirements and its cross-European nature.