What does the NIS Regulation mean for Rail cyber security?

Updated: Sep 16

As railways become automated through the adoption of wireless and connected technologies, their critical assets have become exposed to new and more sophisticated types of cyber security threats. Modern technology is now a fundamental cornerstone of the successful delivery of train services. It is critical to signalling and rolling stock that are heavily dependent on IT systems and the digital connectivity within the modern railway.

An extensive range of regulations and standards have therefore appeared, around the world, to ensure organisations are becoming compliant with their essential requirement to ensure their operations are secure.

Within Europe, the European Commission has introduced several regulation initiatives designed to ensure critical infrastructure meets the modern requirements for cyber security. The Network Information Security (NIS) Directive was the first EU-wide legislation to cover cyber security in rail. Following a review from industry leaders, they chose to develop technical standards based on IEC62443; integration of industrial systems in communication networks.

The NIS Directive was put together specifically to enforce the improvement of the resilience of network and information systems. It sets out strict compliance obligations for organisations to ensure they “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations”.

In broad terms, compliance with NIS will include;

  • Securing network and information systems by taking technical and organisational measures appropriate to the risk.

  • Ensuring service continuity by taking appropriate measures to prevent and minimise the impact of any cyber security incidents.

  • Notifying the regulator of any cyber security incident that has an significant impact/effect on the public

It is down to each member country in the EU to set the standards for their own critical infrastructure, but many of them follow a common set of standards that are aligned strongly with the NIST Cybersecurity Framework for Critical Infrastructure.

Is compliance with NIS actually relevant to the rail industry?

Yes, it absolutely is.

Across different industries, there are many systems that are vulnerable to cyber security attacks, with each system targeted and impacted uniquely. Within the NIS regulation, the European commission has highlighted “critical infrastructure” as the key focus for regulation. Organisations that function within critical infrastructure are referred to as ‘Operators of Essential Services’.

These organisations play a vital role in our economy, providing our supplies of water, gas, electricity and providing both passenger and freight transport. They are public or private sector organisations that are dependent upon network and information systems to provide an essential service to the public, that could be significantly disrupted by a cyber security attack. Their reliability and security are crucial to both our everyday activities, and protecting the national security of each country.

Transport is directly indicated as critical infrastructure; particularly rail transport. Operators of railway assets (trains, networks, stations) for domestic, international rail and underground services, all fit within the classification of an OES and must follow guidelines set by the NIS Regulations.

The regulatory role, under NIS, is handled by the legislation referred to as a ‘Competent Authority’. These are the regulatory bodies, agencies or government departments, that act as guardians of standards for industries. For UK transport, which includes rail, the competent authority is the Department for Transport (DfT).

The rail industry is no stranger to regulations for safety, but cyber security is different. It is still relatively novel for organisations within rail, which have not typically assigned a budget or dedicated staff to it. And, unlike safety, it is more dynamic and unpredictable due to its developing threat landscape. It is not a checkbox that can be completed when the train is delivered, cyber security must be managed over the life of the asset. With wide ranging potential consequences across the rail industry from rolling stock to signalling, cyber security is vital for ensuring a safe and reliable rail network.

One key element that many operators do not consider with rolling stock is the number of systems that are onboard a modern digital train, numbering into the thousands across a train fleet. Rail rolling stock networks have been designed to common standards such as EN61375, however these standards were written prior to the awareness of potential cyber attacks. There are common vulnerabilities within rolling stock where monitoring should be deployed. The areas of vulnerability are points in the train network where hackers could gain access to the devices and the networks. A selection of key points of risk include:

  • The mobile communication gateways - the train to shore communication device.

  • Network switches - spare ports are used for maintenance.

  • Security gateways - used to bridge the operational network to the TCMS networks.

  • Event recorder, JRU, OTMR - contains access to download journey information

Installing a solution, such as RazorSecure, to monitor the above devices is essential and forms a key part of NIS compliance.

In a previous blog we discussed 'Attack vectors you may not have considered for your rolling stock'

How can organisations begin to meet NIS requirements?

The NIS Regulations security objectives and principles are outcome based. Rather than set prescriptive measures, the competent authorities should advise on the appropriateness of the organisation’s security measures, and give directions by reference to a security framework.

The outcomes intend to provide a common set of expectations that organisations can meet, either through following guidance, using services or developing their own bespoke approach if they are self-sufficient.

An outcomes-based approach enables scaling to any size or complexity of organisation. The outcomes remain constant – it is how they are implemented that will differ.

This is necessary within the rail industry where there are unique challenges not seen in any other industry; rail cyber security needs more than a one-size-fits-all approach. Train operators must gain an understanding of their own cyber challenges, and should be capable of taking informed, balanced decisions about how they achieve the outcomes specified by the principles.

In the UK, the Department for Transport follows the guidelines set by the Cyber Assessment Framework (CAF), which was published by the NCSC. The NCSC, acting as an advisory, is responsible for supporting the OES by setting security principles consisting of 14 outcomes that sit across four top-level objectives:

  • Managing security risk (identify);

  • Protecting against cyber attack (protect);

  • Detecting cyber security events (detect); and

  • Minimising the impact of cyber security incidents (respond and recover).

These objectives and principles are intended to be relevant to all networks and information systems across each of the sectors covered by the NIS Regulation, although it will be for operators to establish how these principles apply to the various systems throughout their rolling stock fleet or track side signalling systems.

What will happen if organisations continue to ignore NIS regulations?

The NIS Directive should have been a wakeup call, and while it is beginning to raise awareness for organisations, many have not put in place budgets to implement the expected security outcomes. In fact, there are many organisations within the rail industry that have not yet begun to build a compliant cyber security programme. Some within rail believe the NIS regulation does not apply to them.

Clearer direction from the competent authorities is certainly needed. There is a definite need for regular feedback and compliance reviews by their relevant competent authority. The lack of feedback and clear scope definition is harming the adoption of NIS and undermining its implementation.

Within UK rail, following the CAF guidance, adherence to NIS principle is judged on how well a total of 39 outcomes are met. Each outcome is assessed based upon Indicators of Good Practice (IGPs). The CAF has been designed in such a way that a result in which all 39 contributing outcomes are ‘achieved’ would indicate a level of cyber security above the basic minimum ‘basic cyber hygiene’ level.

Member states are required to set their own rules on financial penalties and take measures to ensure that they are implemented. In the UK, non-compliant organisations may be fined up to £17 million. The level of this fine will be assessed by the relevant competent authority.

Becoming compliant with NIS is an important step towards a secure railway.

It is easy to feel lost in this sea of compliance, or to assume that your organisation will not be improved or affected by cyber security measures. However, regulations are a reality within today’s modern technology and digitally connected environment, and the cyber security threats they set out to address are not only sophisticated but also increasingly escalating. Therefore, while regulations may seem inconvenient, measures such as the NIS regulations will ultimately help keep your systems resilient and operations safe.

A cyber security programme that adopts RazorSecure’s technical capabilities to gain full visibility of your assets and behavioural based threat detection can help an organisation identify, and avoid being significantly affected, by disruptive incidents for the entire life of the assets. With a reduction in false positive alerts, operators will have the improved functionality for accurate alert data to comply with NIS requirements to report security incidents without delay.

One of the key requirements in the NIS regulations is that systems must be monitored with the objective of detecting cyber activity before a cyber attack occurs. All cyber attacks go through a process known as the Lockheed Martin cyber kill chain which has identified that if an attack can be identified at an early stage then it can be prevented, which is the ideal outcome. The RazorSecure monitoring and anomaly detection solutions are designed to identify and report on unusual activity which may include a cyber attack in the preparation phase.

Despite the mandatory requirement, operators should also consider compliance as not just another tick box activity, but rather an opportunity to drive change and improvements in rail cyber security.