Rail cyber security regulations are mandatory, but the industry must look beyond just compliance

Every organisation faces cyber security threats. Although most organisations are focused on preventing data breaches, the railway industry faces a more unique threat landscape. Protection of data is only part of the challenge for rail operators, they face a more significant threat in attacks against their operational technology (OT) assets including signalling and rolling stock.

The trend towards increased connectivity in digital rail infrastructure is creating new risks across key systems within rail networks. This includes the control subsystems responsible for safe and reliable operations. As we have seen from other cyber security incidents amongst critical infrastructure, these systems are an attractive target for attackers.

Governments recognised this risk early, and have responded by putting in place new regulations and compliance requirements that are designed to adapt to evolving threats. Regulation standards such as NIS, NIST and CENELEC have increased the mandate for companies to make cyber security an essential business requirement. Within the NIS directive, rail systems have clearly been defined as critical infrastructures, and operators are now required to implement cyber security solutions against targeted cyber-attacks.

Despite the mandatory requirement, it is vital for operators to consider compliance as not just another tick box activity, but rather an opportunity to drive change and improvements in rail cyber security, with an increasing focus towards securing essential services and digital infrastructure. Cyber security differs from safety because it requires constant vigilance as well as detailed engineering considerations at the point of implementation.

Setting the foundations of cyber security within critical infrastructure

The NIS Directive is the groundwork of the EU’s response to the growing cyber threats and challenges within critical infrastructure. With potential for variation, compliance may seem ambiguous for organisations with rail. Despite the variations in each country, there are key competences that are clearly outlined in the NIS Directive. To guarantee compliance with the NIS Directive, regardless of your operating country or critical infrastructure function, you must:

• Secure the key systems and facilities used for the provision of essential services

• Protect IT and OT networks with comprehensive threat detection systems

• Gain critical network visibility to provide active and accurate incident reporting

Although the NIS Directive may seem daunting to organisations within rail that are yet to build a cyber security programme, the benefits of secure operations will outweigh the compliance burden. Working towards NIS compliance should be led with a ‘principle-based’ approach that builds overdue cyber security protection that becomes part of rail’s ‘business as usual’. Compliance is mandatory, with penalties for failing to adhere to the requirements. However, compliance with legislation should not distract organisations from ensuring the cyber security solution they implement can scale and evolve with changing operational needs and new cyber threats

Two years on from the implementation of the NIS directive legislation, many OT environments remain vulnerable to cyber security incidents and breaches that have impacted critical infrastructure for years. With the growing trend in rail of connecting OT technologies to IT networks, organisations are continuing to expose their systems to a wider range of threats than ever before, many of which they have yet to implement a security solution to combat.

The NIS Directive was created to make organisations accountable for securing their services from evolving threats that can affect people and the economy. The low level of maturity of cyber security within the critical infrastructure sector is a recognised issue in the UK and the rest of Europe, but there is no doubt that the directive has had a positive impact on Rails' rising approach to cyber security, as it becomes a more common topic of discussion when considering operational risk.

NIS has served to formalise the cyber security considerations that all critical infrastructure organisations should have been pro-actively engaging with before it became mandatory. Unfortunately, many organisations today still view cyber security as a tick-box exercise for compliance– and move on after the requirements are met. When it comes to cyber security, it’s vital to be proactive and look beyond just a set of legal obligations.

Mistaking compliance for good security is not an option within rail

Regulations and law can often lag behind new technology, and a growing threat landscape. Industries, such as rail, should consider security measures that cover the individual unique challenges they face, that may not be addressed specifically within compliance regulations encompassing a wide range of industries collectively.

Improving an emphasis on cyber security within rail will take time. Nevertheless, legislative changes such as NIS, which strive for stronger ‘business as usual’ security practices, are gestures showing steps in the right direction. Organisations are beginning to use NIS as their initial motivating factor in building a cyber security programme, that will go beyond just compliance. The cyber threat landscape is always evolving, and we can expect that the NIS Directive will evolve as well. To adapt to these changes, investing in the right solution for cyber security will be an important strategic decision. A number of cyber security solutions exist in the market, such as those based on signature-based threat detection, that can meet some requirements of regulations, but good cyber security in rail has the opportunity to be more than just achieving minimum levels of compliance.

A compliance first approach to security is a start, but it’s not enough. It's time for the rail industry to change the mindset, and go beyond simply meeting regulatory requirements and focus on truly protecting operations and passengers with a robust cyber security programme. It is essential to have flexible technology that provides visibility and control of the challenging networks onboard trains, with threat detection that will continue to adapt to unique risks that may appear in all corners of the network, regardless of if they are covered by compliance requirements.

Where to start with NIS Compliance

So a key question is where to start with implementing a NIS compliant cyber security programme. The good news is that many organisations already have some of the basics in place. When we look at the UK implementation of NIS, it is broadly down to four principle security outcomes:

1. Good governance,

2. Protection of key systems

3. Detection of cyber incidents

4. Response/recovery planning

Many companies already meet the requirements for governance and protection with their existing engineering and cyber security governance (i.e. ISO 27001).

We see that where train builders, train operators and key system suppliers often fall down is on the detection, response and recovery elements of compliance. At RazorSecure we work with leading companies to meet these challenges every day, and can work with you to put in place a comprehensive and compliant solution that is designed to meet the unique requirements of rail.