Railway cybersecurity from ENISA

Security measures in the Railway Transport Sector

The railway sector enables goods and passengers to be transported within countries and across borders, and is key to the development of the European Union. The main players within this sector are the railway undertakings (RU), in charge of providing services for the transport of goods and/or passengers by rail; and the infrastructure managers (IM), in charge of establishing, managing and maintaining railway infrastructure and fixed installation, including traffic management, control-command and signalling, but also station operation and train power supply. Both are in the scope of the NIS Directive, and their identification as operator of essential service (OES) respects the transposition of laws to the majority of member states.

Trends

According to surveys and interviews conducted under this study, overall trends for the implementation of the NIS Directive for operator of essential service (OES) in the railway sector are as follows:

- The general implementation of security measures regarding governance and the ecosystem is heterogeneous and low compared to other types of measures. Most mature OES have already been applying these measures for a long time. Meanwhile for less mature OES, implementation of these measures has just started.

- Protective security measures seem to be the best implemented. While cybersecurity basics appear to be already implemented, security measures requiring advanced technical expertise show a lower level of implementation. In the special context of operational technology (OT) (legacy, number of systems, dependence on suppliers, safety concerns), it is often impossible to implement security basics without applying compensating countermeasures,

- For defensive security measures, the simplest security measures (e.g. communications with competent authorities and computer security incident response teams) seem to be well implemented. Others, however, are rarely or not implemented, as they require considerable cybersecurity expertise and maturity (e.g. log correlation and analysis),

- For resilience measures, the level of implementation appears to be good. Managing crises and incidents is part of the daily business of the railway sector. However, this must be qualified: there are still opportunities to improve the full integration of new cybersecurity threats into existing processes for dealing with crises and ensuring resilience.

Challenges

The study also identifies the main challenges faced by the sector to enforce the NIS Directive:

- Railway stakeholders must strike a balance between operational requirements, business competitiveness and cybersecurity, while the sector is undergoing digital transformation which increases the need for cybersecurity.

- Railway stakeholders depend on suppliers with disparate technical standards and cybersecurity capabilities, especially for operational technology.

- OT systems for railways have been based on systems that were at a point in time secure according to the state-of-the art but due to the long lifetime of systems they eventually become outdated or obsolete. This makes it difficult to keep them up-to-date with current cybersecurity requirements. Furthermore, these systems are usually spread across the network (stations, track, etc.), making it difficult to comprehensively control cybersecurity.

- Railway operators report issues of low cybersecurity awareness and differences in culture, especially among safety and operations personnel.

- Existing rail specific regulation doesn’t include cybersecurity provisions. OES often have to comply with non-harmonized cybersecurity requirements deriving from different regulations.

ERTMS is also covered in this study as a separate infrastructure due to its special requirements and its cross-European nature.

Finally, trying to address some of the challenges described above, several European initiatives which are presented in this report take place. ENISA is teaming up with the European Railway Agency and the overall Railway community to bring these activities in the forefront.

1. INTRODUCTION

Representing 472 billion passenger-kilometres, 216,000 km of active railways and 430 billion tonne-kilometres for freight transport, the railway sector plays an important and fast-growing role. Railway infrastructure and systems are key assets, crucial to developing and protecting the European Union.

The railway sector is undergoing a major transformation of its operations, systems and infrastructure due to the digitisation of OT and IT systems and infrastructure, the automation of railway processes, the issues of mass transit and the increasing numbers of interconnections with external and multimodal systems. This sector is also evolving as it gradually opens up to competition. This leads to the reallocation of responsibilities and the separation of railway systems and infrastructure, which also affect IT systems.

In this context, it is becoming even more crucial for the railway sector to tackle cyber threats.

1.1 POLICY AND REGULATORY CONTEXT

Several bodies define and enforce regulations for the railway sector at International, EU or national levels.

The railway sector is historically bound by regulations controlling interoperability, safety, dangerous goods management and certification, at international, European and national levels.

At international level, the first initiative concerning the railway sector was the creation of the International Union of Railways (UIC) in 1922, with 194 members across 5 continents. Today it plays an important role in standardising and classifying railways through its UIC Codes, facilitating the sharing of best practice, promoting interoperability and developing skill centres.

Moreover, the first and unprecedented regulatory framework was the Convention Concerning International Carriage by Rail (COTIF) of 9 May 1980, amended by the Vilnius Protocol of 3 June 1999 ("the Accession Agreement"), which resulted in the creation of the Intergovernmental Organisation for Carriage by Rail (OTIF) with, in 2019, 51 members (the European Union acceded to COTIF in 2011). The objectives are to develop uniform laws and rules for the carriage of passengers and freight by rail, through technical functional requirements and model contracts.

At European level, to develop a competitive railway transport system, promote the Single European Railway Area and align with international regulations, the European Commission has enforced several directives – mostly in four railway legislation packages listed in the Appendix. To fulfil these objectives, three main priorities have been defined:

- opening the railway transport market up to competition,

- improving the interoperability and safety of national networks, and

- developing railway infrastructure.

However, the existing regulatory framework described above does not fully consider security, particularly the cybersecurity issues specific to the railway sector. Over the past few years, the European Commission has enforced directives and regulations regarding cybersecurity, but which are applicable to all markets and sectors.

Directive 2016/1148 (NIS Directive) is the first legislative document focusing on cybersecurity, extending the scope also to the railway sector. The following Operators of Essential Services (OES) are identified:

- Infrastructure managers as defined in point (2) of Article 3 of Directive 2012/34/EU namely: “any person or firm responsible in particular for establishing, managing and maintaining railway infrastructure, including traffic management and control-command and signalling. The functions of the infrastructure manager on a network or part of a network may be allocated to different bodies or firms”.

- Railway undertakings as defined in point (1) of Article 3 of Directive 2012/34/EU namely “any public or private undertaking licensed according to this Directive, the principal business of which is to provide services for the transport of goods and/or passengers by rail with a requirement that the undertaking ensures traction. This also includes undertakings which provide traction only”;

o including operators of service facilities as defined in point (12) of Article 3 of Directive 2012/34/EU namely “any public or private entity responsible for managing one or more service facilities or supplying one or more services to railway undertakings”

In 2018, the UIC launched several events and publications to address cybersecurity issues in the railway sector (e.g. Guidelines for Cyber-Security in Railways). Moreover, the Shift2Rail Joint Undertaking was launched under the Horizon 2020 programme to seek focused research and innovation (R&I) and market-driven solutions and promote competitiveness in the European railway industry. The initiative included cybersecurity issues in the railway sector, for example, under the CYRAIL (CYbersecurity in the RAILway sector) project, or under the X2Rail-1 project and X2Rail-3 projects which included cybersecurity work packages.

2. THE RAILWAY SECTOR

To date, the railway sector does not seem to have been a direct target for cyber criminals, however several cyberattacks and incidents have taken place indicating the vulnerability of the sector. Below a detailed list (not extensive) of the most referenced ones is presented (always with a focus on the EU). Note that no OT and IT combined related incidents have occurred to this day (based on publicly available information at the time of editing).

- 2015, Ukraine, DoS attack. An advanced persistent threat (APT) actor carried out a large-scale coordinated attack to destabilize the Ukrainian government by targeting power stations, mining and railway infrastructure. The aim of these attacks was to paralyse public and critical infrastructure by disabling industrial control systems (ICS).

- July 2015-2016, United Kingdom, Intrusion. Between July 2015 and July 2016, four cyberattacks were discovered on the UK railway network. After analysis, these attacks were considered as part of a reconnaissance operation before an APT (Advanced Persistent Threat) attack, probably led by a national state threat actor. No disruption or modification of data was detected.

- May 2017, Germany, Ransomware. Deutsche Bahn was a victim of the WannaCry ransomware. Some devices were corrupted and due to this could show no information to the passengers anymore. Train operation was not disrupted.

- October 2017, Sweden, DoS attack. The first attack took place on 11th of October, affecting the Sweden Transport Administration (Trafikverket) via its two internet service providers, TDC and DGC. The DDoS attack reportedly affected the IT system that monitors trains' locations. It also took down the federal agency's email system, website, and road traffic maps. Customers during this time were unable to make reservations or receive updates on the delays. As a result, train traffic and other services reportedly had to be managed manually, using back-up processes. The next day, a second DDoS attack impacted the website of the Swedish Transport Agency, a separate governmental body responsible for regulating and inspecting transportation systems. It also affected Western Sweden public transport operator Vasttrafik, reportedly crashing its ticket booking app and online travel planning service.

- May 2018, Denmark, DDoS. A DDoS attack impacted the ticketing systems of DSB. The Danish travellers could not purchase tickets from ticket machines, the online application, website and certain station kiosks. DSB estimated that approximately 15,000 customers were affected.

- March 2020, United Kingdom, Data breach. The email addresses and travel details of about 10.000 people who used the free Wi-Fi provided UK railway stations have been exposed online. Network Rail and the service provider C3UK confirmed the incident. The database contained 146 million records, including personal contact details and dates of birth. A breach involved the app ‘Indian Rail’ which is a top app on the Apple App Store. It was due to an exposed Firebase database. The breach contained 2.357.684 rows of emails, usernames and plain-text passwords.

- May 2020, Switzerland, Malware. Swiss rail vehicle manufacturer Stadler was hit by a malware attack that impacted all of its locations and may have allowed attackers to steal sensitive company data. After compromising Stadler systems, attackers reportedly infected its systems with malware that was then used to exfiltrate sensitive corporate data from breached systems. Internal documents stolen during the cyber-attack on Stadler’s headquarters have been published online after the manufacturer refused to give in to ransom demands.

- July 2020, Spain, Ransomware. Spanish Infrastructure Manager ADIF has been hit by a ransomware not affecting critical infrastructure but exposing gigabytes of personal and business data.

2.1 RAILWAY STAKEHOLDERS

The rail ecosystem is well defined and organised, with several roles and responsibilities shared between the stakeholders. The table and figure below depict and describe the ecosystem actors.

Infrastructure Manager. In Directive 2012/34/EU, the European Union defines an infrastructure manager as “any person or firm responsible particularly for establishing, managing and maintaining railway infrastructure, including traffic management and control-command and signalling. The functions of the infrastructure manager on a network or part of a network may be allocated to different bodies or firms”.

Railway Undertakings. In Directive 2012/34/EU, the European Union defines a railway undertaking as “any public or private undertaking licensed according to this Directive, the principal business of which is to provide services for the transport of goods and/or passengers by rail with a requirement that the undertaking ensure traction. This also includes undertakings which provide traction only”.

Supply chain. Supply chain stakeholders provide railway and IT/OT assets to RUs and IMs. They may be vendors of trains, ICS systems, IT systems, etc. The railway sector is dependent on these suppliers, and their collaboration is vital to ensuring cybersecurity in the railway sector.

Service providers. Service providers can be any third party contracted by RUs or IMs to perform all or part of a service, which could be a business service (e.g. entity in charge of train maintenance) or an IT/OT service (e.g. IT monitoring). Service providers include advisors, works contractors, project management consultants, system providers, integrators.

Delivery chain. The delivery chain consists of all stakeholders involved in delivering the transport service to customers, for freight (e.g. freight agencies, logistical companies) or passengers (e.g. travel agencies, tourist brokers). It covers also third parties who interact with the railway for service delivery (e.g. road transport companies).

Authorities and bodies. Authorities and bodies consist of all stakeholders in charge of applying policies and regulations in the railway sector (e.g. railway regulators, national and European authorities for safety or cybersecurity, conformity assessment bodies, as notified body and designated body).

Public areas. Public areas consist of all third parties who use railway premises to deliver goods or services (more specifically in stations). They include providers of services for passengers (e.g. sitting areas, lounges), as well as restaurants or retail outlets in stations.

Other entities. Other entities (e.g. banks, freight insurance) have relations with railway stakeholders. In particular, several associations or working groups focus on certain topics in the railway sector.

2.1.1 NIS Directive implementation – Authorities.

All EU Member States (MS) have already transposed the NIS Directive in their national regulatory framework. The European Commission published in October 2019 a report establishing a first assessment on the different approaches chosen by Member States to enforce the NIS Directive and develop a special focus on the railway subsector.

The report highlights the fact that MS have chosen different approaches to enforcing NIS implementation, and explains the variations between MS. Several variations are explained, the identification methods chosen by each national authority, the definition of the list of essential services, and the identification of OES.

2.2 ESSENTIAL RAILWAY SERVICES.

The above-mentioned report by the European Commission shows that member states have chosen approaches of varying levels of granularity to define the essential services of the railway sector. In particular, member states have chosen:

- not to specify rail-specific essential services,

- to distinguish between RU and IM, as two essential rail services,

- to distinguish between separate activities such as freight and passenger transport, or

- to draw a detailed list of essential services, such as dangerous goods management, or maintenance.

To ensure that data is comparable, and for drafting this report, eight essential railway services have been defined and specified in the survey:

- operating traffic on the network,

- ensuring the safety and security of passengers and/or goods,

- maintaining railway infrastructure and/or trains,

- managing invoicing and finance (billing),

- planning operations and book resources,

- information for passengers and customers about operations,

- carrying goods and/or passengers, and

- selling and distributing tickets.

The respondents to the survey were asked to assess which of these services were essential for their organisation. The essential services identified by the majority of respondents are “operating traffic on the network” (72%), “ensuring the safety and security of passengers and/or goods” (69%), and “maintaining railway infrastructure and/or trains” (59%).

2.3 RAILWAY SYSTEMS.

Based on desk research and the feedback by the survey respondents, a high-level overview of the main railway systems was prepared for this report.

3. CYBERSECURITY MEASURES.

3.1 CYBERSECURITY CHALLENGES.

Based on answers to the survey, interviews and findings shared by experts with ENISA, the following cybersecurity challenges for OES in the railway sector seeking to implement security measures can be highlighted:

- Low digital and cybersecurity awareness in the railway sector.

- Difficulty in reconciling safety and cybersecurity worlds.

- Digital transformation of railway core business.

- Dependence on the supply chain for cybersecurity.

- Geographic spread of railway infrastructure and the existence of legacy systems.

- The need to balance security, competitiveness and operational efficiency.

- Complexity of regulations for cybersecurity.

Low digital and cybersecurity awareness in the railway sector. Overall, staff awareness of the need for cybersecurity remains quite low, but OES report that awareness is slowly increasing, as cyber incidents targeting the railway sector increase and become public. For instance, after the Wannacry and NotPetya attacks, the cybersecurity teams of some OES in the railway sector have grown in numbers, following the examples of other sectors.

Difficulty in reconciling safety and cybersecurity worlds. In the railway sector, the importance of safety requirements is undisputable. For each update to introduce provisions for cybersecurity, safety teams need to ensure that safety mechanisms remain intact. This requires extra time and money. Moreover, stakeholders in charge of safety issues are not historically aware and trained to deal with cybersecurity. This complicates relations between safety and cybersecurity staff.

Additionally, it appears to be difficult to deal simultaneously with safety and security authorities. Each have their own requirements that may sometimes overlap or contradict each other (e.g. managing system updates for cybersecurity, while obsolete IT components may still be accredited for the highest level of safety). This actually indicates that the discrepancy is evident not only from a technical perspective but in governance issues as well.

Digital transformation of railway core business.

Most railway OES are currently undergoing digital transformation and a wide range of IT and connected devices (IoT) are introduced to railway systems, often without being properly procured, mapped and managed.

These changes introduce new vulnerabilities and highlight the need for OT systems to comply with the same, or even higher, cybersecurity provisions as IT systems. Network assets, network connected devices, software developments should be treated with the same (or greater) care in the operational field.

Like IT systems, OT systems should come with monitoring, supervision and administration tools offered or even embedded. Moreover new OT systems should have integrated already safety and cybersecurity requirements by design.

Dependence on the supply chain for cybersecurity.

OES report that are heavily reliant on their suppliers, providers and other third parties for system updates, patch management, and lifecycle management (supplier as a term can even include cloud service providers).

Reasons for this dependence include safety, operational and financial responsibilities, compliance with safety, cybersecurity and technical standards, cost, and contractual obligations. RUs and IMs rely on multiple suppliers for their IT systems, and even more so when it comes to OT systems on board trains or on trackside and OCC.

Each supplier may adopt individual techniques to satisfy similar functional requirements. This can increase the challenge of standardization and the ability to define and implement baseline cybersecurity measures for all systems.

Awareness of the need for cybersecurity and the associated skills vary according to each supplier. This leads to disparate levels of cybersecurity in OT systems. Moreover, provisions for suppliers are not defined under the NIS Directive, so they have less stringent statutory requirements to apply cybersecurity.

Finally, several years may elapse between a tender process for a system and its deployment. In the meantime, cybersecurity requirements change and the supply chain may not be agile enough to integrate the new requirements.

Geographic spread of railway infrastructure and the existence of legacy systems.

Railway infrastructure is distributed over a wide territory shared between metropolitan areas - where critical nodes of railway systems and networks require maximum availability, and in the countryside – where protection and maintenance costs time and money. Trackside equipment updates, in particular, can have an important financial repercussion.

Moreover, IMs and RUs manage many legacy or obsolete systems – with lifecycles calculated in decades – which are difficult or even impossible to upgrade in order to implement cybersecurity measures. Some manufacturers have even lost the technical skills to upgrade them. Obsolescent OT requires procedures, policies and human intervention for patches and updates, to ensure an adequate security level. Lifecycle management which covers cybersecurity should be planned and anticipated for new systems.

The need to balance security, competiveness and operational efficiency.

Rail transport is often a public service, to be affordable for travellers. OES must keep ticket prices as low as possible, otherwise travellers will choose other transport modes. However, OES must implement cybersecurity measures which are costly, without being able to increase their own revenue by raising the price of train tickets. Therefore, OES often encounter major problems reserving budgets for cybersecurity projects. They have to tread a fine line between respecting the budget and increasing the level of security, as in other transport sub-sectors.

Additionally, railways require nationwide investment (for trackside systems) by IMs, which also need to be financed by service revenue. By comparison, transport by water or air travels do not require investment all over the territory. Moreover, reinforcing the security of systems can complicate data flows and systems (e.g. cryptography, system segregation). These can strongly impact system performance or availability if any issues arise (e.g. expiry of a certificate).

Complexity and lack of harmonization of regulations for cybersecurity.

For some OES, understanding statutory constraints, especially the NIS Directive, may be difficult. Compliance may require time-consuming work integrating large volumes of information and performing many administrative tasks, as OES try to comply with cybersecurity requirements imposed by different national regulations. Several report that beyond the NIS Directive, they have to comply with other national laws, such as national security or critical infrastructure ones. In general, OES recognise the importance of developing statutory cybersecurity requirements and initiatives at national and European levels. Benefits identified by OES include awareness raising, sharing of best practices, potential funding, and stronger requirements for cybersecurity on suppliers.

However, such requirements should be harmonized across the EU, as OES that operate in multiple MS often face different compliance requirements. Such harmonization is key for the suppliers as well, as they often offer products and services across the EU. Finally, the security measures promoted by the NIS Directive are not at present specific to each sector. Some OES have expressed the need for more flexible operational guidelines to fit the specificities and organisation of the railway sector.

3.2 MINIMUM SECURITY MEASURES.

The security measures examined in the survey were defined by the NIS Directive Cooperation Group.

Security measures related to governance, risk management and ecosystem management are either implemented or implemented and controlled by 47% of OES. Several such measures are partially implemented because, in fact, several OES report that they are currently launching organisation-wide cybersecurity programmes, to comply with the NIS Directive and other national cybersecurity requirements, and to improve their cybersecurity posture. These measures can be particularly important as they often are a requisite step to increasing the implementation level for all security measures.

Protection measures are implemented or implemented and controlled by 53% of OES. Basic cybersecurity seems to be already well implemented and under control, e.g. access control, or system segregation. However, the security measures that require higher technical expertise, such as cryptographic controls, or cybersecurity controls on industrial control systems (OT) are implemented at a lower rate. This can be explained by specific context of railway OT that poses challenges to OES in fully implementing such minimum protection security measures. Reasons include the presence of legacy systems, the high number of systems and complexity of IM networks, dependence on suppliers for security solutions and safety concerns when updating such systems.

Security measures regarding defence are either implemented or implemented and controlled by 52% of OES. Security measures that require less technical expertise, e.g. communications with competent authorities and CSIRTs, or incident reporting, appear to be well implemented and under control. Other measures that require resources, maturity and expertise (e.g. log correlation and analysis) appear to be more challenging for OES to implement.

Resilience measures are implemented or implemented and controlled by 57% of OES. OES report that managing crises and incidents is part of the daily business in the railway sector. The sector is already regulated for safety and security, and operational continuity. However, these statistics should be treated with caution. Although measures to protect operations and prevent safety or security incidents are generally well applied, the same level of preparedness is not observed when countering cybersecurity threats and incidents. Current processes for crisis and business continuity management need to be adapted to cover cybersecurity incidents.

3.2.1 Governance and ecosystem.

Key findings regarding the “Governance and ecosystem” security measures are as follows:

- The measure “Security Risk Analysis” seems to be partially implemented (55%). Indeed, when as IMs and RUs are identified as OES according to the NIS Directive, they are asked to identify their critical systems, based on a risk-based approach. Conducting a risk analysis is usually one of the first steps toward compliance with the NIS Directive. Most of the OES interviewed have on-going activities to fully apply this measure in the near future, coupled with updating their Security Policy to cover all systems of the organisation (66% have already implemented this measure).

- Regarding “Security Accreditation”, security assessments seem to be implemented by 48% of the OES. OES recognise the importance of protecting critical systems by including cybersecurity reviews in all projects. However, it is not so easy to include cybersecurity in all railway projects, particularly because of their special characteristics. The construction of railway infrastructure and systems are lengthy projects, involving third parties and suppliers who are not always familiar with cybersecurity. Moreover, the requirements of cybersecurity regulations are relative newcomers, unlike safety requirements which already require systems accreditation. Enforcing a cybersecurity accreditation process seems to be perceived as a secondary step after setting up security measures.

- Defining, assessing and monitoring security indicators seem to be only partially implemented (38%). Governance and policies must be fully enforced, and experience on several security measures must be acquired before taking a step back to define the relevant Key Performance Indicators (KPIs). Furthermore, it must be possible to collect and process data from a potentially wide range of sources, which can pose an additional challenge to OES.

- For the “Security audit” measure (52%), two main trends can be highlighted: the most mature OES conduct regular audits to check the level of cybersecurity and compliance with their security policy, whereas the least mature ones regard this as a secondary step, to be taken after implementing security measures. For some OES, audits of legacy systems and others may be difficult to conduct. Finally, most OES are aware of the measures that need to be implemented to better protect their critical systems, but they perceive an audit a waste of time and budget, if implementation of measures has not progressed beforehand.

- “Human resource security” seems to be partially implemented (48%) for two main reasons: key personnel have been appointed by most OES (chief information security officers (CISO) and cybersecurity project managers are already at work, there are plans to appoint more cybersecurity experts) and awareness campaigns are being planned or conducted. However, awareness campaigns take time to produce results, especially in the railway sector where the core business is closer to the physical than the digital world, and even further from cybersecurity issues.

- The two security measures related to “Ecosystem management” appear difficult to implement and control completely. 41% of OES report that they have mapped their ecosystem and 31% have mapped relations to third parties. The railway ecosystem is complex to map, due to the number of third parties and suppliers. For instance, for one single system there may be several suppliers, with widely differing levels of technology thus cybersecurity.

3.2.2 Protection.

- Security measures, such as “Traffic filtering”, and “Physical and environmental security” seem to be the most implemented (69% report that they have implemented them). “Traffic filtering” is considered as cybersecurity basics, is already set up for many years and every OES seem to have already deployed firewall systems and access control policies.

“Physical and environmental security” is covered in the existing safety and security regulatory requirements and widely deployed. This shall be balanced as the rail network is usually very wide and it seems complicated to keep a homogeneous physical security of all local IT assets, which can be located in stations or near the tracks;

- The security measure “System configuration” has low implementation rate of this category (45%). Indeed, it seems that this security measure is difficult to apply to legacy or old systems. As a result, most of the interviewed OES reserve this measure for the newest systems.

- The security measures “System segregation” seem to be the most implemented (50% for both) in this domain. Most OES have already segregated OT and IT systems and networks, but not yet tackled more advanced segregation (separating IT and OT systems based on business criticality for example). However, IT and OT tend to become more interconnected, so this could change the way of implementation and further complicate the segregation of critical systems from the others. European standards are seeking to propose a common definition as a solution to help solve this complexity.

- The security measure “Cryptography” seems to be the most difficult to implement (only 24%). Indeed, OT systems, often legacy systems, usually do not natively support cryptography mechanisms. Moreover, this measure requires setting up complex projects and defining special architecture for cybersecurity (e.g. public key infrastructure, certificate management) which requires specialised cybersecurity expertise. Lastly, implementing such measures can severely limit the availability of systems if they are not well managed (e.g. certificate lifecycle management).

- The security measures “Administrative accounts”, “Access Rights” and “Authentication and identification” seems mostly implemented (59%, 69% and 59% respectively). It seems the railway sector is acutely aware of the criticality of administrative accounts and access rights. OES seem to have already set up the authentication and identification mechanisms (e.g. nominative accounts, strong passwords, logging registration), considered as cybersecurity basics. This is not always the case for legacy and embedded systems, usually OT, for which such measures (e.g. complex passwords) may not be possible. Projects are ongoing to fully implement this measure, while efforts are taken by OES to control better such access control processes.

- The security measure “Administration information systems” is relatively implemented (52%) which is expected due to the high dependencies the OES have against suppliers’ systems and services. This rate will rend cybersecurity configuration into a requirement during procurement.

- The security measure “IT Security Maintenance procedure” seems less difficult to implement for RUs (71%) than for IMs (28%). It appears to be more difficult for IMs to map and maintain their systems, geographically distributed over the national territory with strong local specificities. By contrast, it seems easier for RUs which have to maintain their fleet of trains (mobile systems). Moreover, due to the ongoing trend for deregulating the railway sector, the railway market is being shared out among RUs – including newcomers managing fleets of new and modern trains which are easier to maintain. In the meantime, IMs have to go on managing more-or-less the same infrastructure and systems, some of which are legacy and obsolete and are difficult to maintain.

- The security measure “Industrial control systems” (ICS) has a lower implementation rate (38%). Indeed, usual security measures are not always applicable for those systems, as often they are legacy systems, without security by design, and changes to them raises safety concerns. It requires strong cybersecurity expertise to enforce compensatory security measures on those systems and rail ecosystem has a strong dependency on the supply chain on this. For newest systems, OES need to adapt the procurement process to include cybersecurity requirements and involve cybersecurity experts from the beginning, for systems that may be deployed on the network up to 5 years after the process. A few RUs also reported that those systems are not directly under their responsibility but under the responsibility of train suppliers.

3.2.3 Defence.

- The security measure “Communication with competent authorities and computer security incident response teams (CSIRT)” seems to be the most widely implemented (69%). Indeed, most of the OES communicate with the competent authorities about the NIS Directive and its implementation. This is only natural, as communication with relevant authorities in case of an incident is nowadays a legal requirement.

- The security measure “Logging” seems to be the most partially implemented by the majority of OES (55%), including IMs and RUs. Logging seems to be perceived as a cybersecurity basic, especially for standard logs (e.g. authentication, management of account and access rights). However, works are ongoing in order to apply these measures to IT systems or to update log management (logs are stored for longer).

- The security measures “Detection” (31%) and “Log correlation and analysis” (31%) seem to be the most difficult to implement. Specialised cybersecurity expertise and complex projects are required to deploy detection and log correlation and analysis mechanisms (e.g. vulnerability monitoring, identification of feared events, definition of detection rules based on existing or feared events). This finding is even more pronounced for OT systems, managed more generally by IMs.

- “Information system security incident response” (55%) and “Incident reporting” (72%) seem to be widely implemented. Dealing efficiently with incidents and reporting are vital skills in the railway sector. RUs and IMS must deal with safety or security incidents daily. However, existing incident management processes may need to be reviewed, to fully cover the specificities of cyber incidents.

3.2.4 Resilience.

- Security measures “Business continuity management” and “Disaster recovery management” seem to be partially implemented (both at 52%), for the same reasons as incident management. In the railway sector, most RUs and IMS seem to have already defined and tested business continuity and disaster recovery plans for safety, security and disaster (e.g. fire or flood prevention), managed and followed up by business teams. These plans must be updated to include cyber threats and their evolution (e.g. offline backups for resilience in case of a ransomware attack).

- The security measures “Crisis management organization” (69%) and “Crisis management process” (55%) also seem to be well implemented. For the reasons described above, stakeholders of the railway sector are accustomed to managing crises as part of their daily work. However, crisis management processes and exercises appear to concern mainly physical security and safety incidents (e.g. derailment, obstacles on track, power outages), but cybersecurity scenarios are not fully covered yet, and they require a different approach to crisis management. Crises require rapid intervention by IT and cybersecurity experts, and they may be more widespread – occurring in many stations at once - than local safety incidents - in a specific station for example. Most mature OES perform emergency exercises to simulate cyberattacks.