An insight into CENELEC TC9X and Working Group 26, in a discussion with Robert Brown.

Robert Brown is currently a key member of ‘Working Group 26’, along with his role as Executive Chairman of RazorSecure. We sat down with him to learn more about his involvement with the TC9X committee, and their work towards creating a cyber security technical specification for rail.

What is CENELEC TC9X Working Group 26, and how did it start?

When the rail industry builds and operates trains, and signaling systems, there are many European standards (EN) and regulations to abide by.  There are several industry bodies in Europe within Rail, such as ENISA, ERA and Shift2Rail; all bodies that support train and signaling suppliers, and train operators, in improving the rail industry in general. They are mainly focused on safety. 

We also have various European government, and country agencies, that are all also involved with rail cyber security in some form. There has been a recognition that for the industry to continue to be safe it also has to be secure.  The European rail industry said we need one body to provide a common approach to cyber security for rolling stock, signaling and infrastructure to provide consistency for both new builds and the upgrading of legacy systems.

CENELEC is a European standards body, like BSI, who have standards and technical specifications for all sorts of areas within engineering. They were the obvious body to pick this up and take it forward. CENELEC TC9X is a technical committee to cover everything to do with electrical systems and electronics for railways. Underneath TC9X we set up what is now called ‘Working Group 26’, where we invite specialists in the area of rail cyber security to work on a technical specification, TS50701. The aim of the technical specification is to introduce the requirements, as well as recommendations, for addressing cybersecurity within the railway sector. It is anticipated that TS50701 is the forerunner to an EN, European standard, and an IEEE international standard for rail cyber security.

Who is involved with the TS50701 process?

We have many of the top people in the industry working with us. There are around 80 members, of which 25 are actively involved. These include members from industry leading organisations such as Siemens, Bombardier, CAF, SNCF, Hasler, Alstom, OBB, SBB, Thales, TUV, and RazorSecure.

During the process we have had requests from America, China, Israel, and other parts of Asia, that want to be involved with development of the specification. The European body rejected this for the moment, as we want to complete this as a European piece of work. Eventually we will discuss, after it’s finalised, extending the invitation out more broadly so that other countries can use it.

 

How did you get involved?

Our UK standard body for the Rail industry is the RSSB, Rail Safety and Standards Board, based in London. I had previously worked with the RSSB on another standard, EN61375, which defines how onboard train networks should be designed and implemented. I was part of the UK team writing the documentation for that standard.

Because of my knowledge of that area of on-train networks, I asked the RSSB if I could join the CENELEC WG26 group. There was only one other person involved with CENELEC in the UK at the time. There are one or two more now, but at the time no one in the UK was taking an interest in it. I recognised the importance of a cyber security standard within the rail industry, and wanted to get involved.

 

What challenges is the group planning to solve with the new technical specification?

Due to digitization, the need for more performance and better maintainability, previously isolated rail systems are now connected to large networks and increasingly use standard protocols and commercial off-the-shelf (COTS) components. Trains are becoming mobile data centres. Because of this evolution from analogue to digital systems, cyber security has become an important topic for these rail systems, especially as rail is part of our critical national infrastructure.

As a group we identified a number of cyber security issues that needed to be considered. The railway has specific unique challenges: attackers can have easy physical access to systems, the train is only one part of a diverse cross-border eco-system, and there are safety critical and non-safety critical systems in the environment. One of the biggest risks the industry is challenged with is the potential threat from a knowledgeable insider who has knowledge, has passwords and has been compromised.

We have had many safety requirements on trains for years. Safety is clearly defined by several EN standards and SIL levels, and you always make sure to build trains to a SIL level. With that, you prove it is compliant, and it ticks a box. The challenge we have in the rail industry with cybersecurity coming along in the last few years is that if something is designed as a safe system, you can’t say it is completely safe unless it is also cyber secure. On-going monitoring of systems is the only way to ensure the systems have not been compromised and rendered unsafe.

 

Will a difference in safety and cyber security then be addressed in the documentation?

This is the biggest challenge the industry has now. How do you change attitudes and how do you ensure systems not only have a SIL, safety level, but also have an SL, a cyber security level?

The first thing the group had to decide was do we have a separate cyber security document or does it just enrol into the various EN safety documents such as EN50129. It is really important that they are seen as two different things. Safety you design it once, and it is done. Security is an ongoing thing. 

We concluded that safety and security are different and that they cannot easily be merged. Security cannot simply be regarded as an add-on to safety or vice versa.

This can be illustrated by the fact that a fundamental shift in the mindset is required. For cyber security you can’t just test the system once, conduct a pen test, and leave it alone. For robust cyber security it is essential to monitor systems to identify any unusual activity and prevent a cyber incident before it happens.

How will the document differentiate itself from existing cyber security regulations that affect rail?

If we go back 5 or 6 years, when cyber security was first talked about, there has been some very good work done, mainly in the US, but a little in Europe, on cyber security. The first focus was looking at how to design and manage industrial control systems, such as power stations. How do we manage and control those systems and networks, so that they are cyber secure? The industry produced a document, called ISA 64223, which covers cyber security for industrial control systems. That is now an international standard and has been used by the train and signaling builders as a guide. The CENELEC Working Group 26 has taken the essence of what is in that standard and focused key elements to be adapted and made suitable for the rail industry.

We also have NIST, which is a US recommendation and isn’t enforceable in Europe. Whereas NIS, the EU critical national infrastructure Network Information Regulation, is a regulation, and is enforceable. However, in the UK, it seems to be still open to interpretation when discussing it within rail. The CENELEC TS50701 will greatly help the rail industry from a technical point of view, and will provide a framework for cyber requirements for both new procurement and how to include a cyber risk assessment as part of the Change Control Process for legacy fleets and systems.

 

How do you think the rail industry will react to the technical specification?

The ideal scenario for WG26 is for the technical specification to become an EN standard. Then there isn’t an argument, and everyone must comply with it.

Cyber security should be applied to both new, and existing trains, and signaling systems, when they are modified. There are many programmes that are updating trains with better Wi-Fi, new event recorders, better communication along the train, and remote condition monitoring. In those circumstances, cybersecurity should be a key part of that upgrade. Train operators and signaling managers should be thinking carefully that when they improve connectivity, they are exposing themselves to more risks. Unfortunately, some of the train companies are trying to resist it because it costs money; however, the train owners are taking a longer-term view and wish to make sure their assets are both cyber secure and compliant with the NIS regulations.

We are seeing an increasing number of organisations in the UK and EU rail sector that are already committed to working with our upcoming CENELEC cyber technical specification. TS50701 is already setting the framework for defining cyber requirements for new procurement, and also for additional cyber requirements that will form part of the Change Control Process for all upgrades to legacy trains and signaling systems. TS50701 will define a way of doing business in the future.

In summary, systems must be secure by design, have defence in depth, and on-going monitoring and intrusion detection of systems, devices and networks are all a ‘must have’.

Finally, when will it be released as an official document?

We have finished the first draft version, which experts from each European country have reviewed. A final draft has now been reissued with a project timetable for it to become a fully issued CENELEC technical specification in June 2021.

