For most of its history, rail has been a sector rather closed to new technologies. In terms of operation, the key requirement emphasised to date at both legislative and executive level has been security understood as ‘safety’. Safe railways have been an EU responsibility for many years now, as evidenced by several pieces of legislation. Rail safety and interoperability expert Jakub Tomczak looks at this background and the upcoming new EU cybersecurity regulations in this article.
The modern railway is becoming an open and interoperable system. The EU has launched an initiative called the Single European Railway Area (SERA), in which rail transport will be able to operate without barriers; those barriers are also being dismantled through the digitalization of railways. This process should make the work of many actors easier, in particular infrastructure managers, operators and manufacturers of signaling technologies.
Railway infrastructure now relies largely on computer networks, both wired and wireless. This means that it can realistically be exposed to attacks by cybercriminals, and the range of entities exposed to such an attack is wide. Every rail operator holds data that can be described as sensitive. For example, freight operators may transport hazardous materials, and information such as the schedule of a train carrying such goods is a potential target for attack.
EU legislation defines safety in general terms as the absence of an unacceptable risk of harm. Examples of legislation in the railway field are the safety directives, the interoperability directives and the MSC RA regulation. Cybersecurity, however, is a relatively new issue on the railways. Until recently, EU legislation was sparse in this area. Since railways face an inevitable process of digitization, appropriate measures must be taken to protect them against cybercriminals. European CENELEC standards such as EN 50126, EN 50128 or EN 50129 currently apply at the production stage of rail control equipment.
However, these standards do not secure the entire railway system. That requires the cooperation of many actors, including the EU Member States themselves. This is why Directive 2022/2055 on measures to ensure a high common level of cybersecurity in the Union was drafted. It imposes specific obligations on the Member States, but also identifies the actors who will be required to comply with its requirements.
Adapt for more cybersecurity
This new directive is to be implemented by EU countries by November 2024. By then, each covered entity should adapt its safety management systems to the new requirements. The whole transport sector is identified in the directive as a sector of high criticality, whose operation is highly relevant for the Union. The provisions of the directive will apply to all railway infrastructure managers. For railway undertakings and operators of service facilities, their size must be taken into account: if an operator exceeds the thresholds laid down for medium-sized enterprises, it will be bound by the provisions of the directive.
The main obligation of these entities will be to put in place a cybersecurity risk management policy. National legislation should specifically define the technical, operational and organizational measures to be taken; the provisions of the directive merely set their framework. Risk management measures must be proportionate to the identified cyber threat and, at the same time, take into account the state of the art, the applicable standards and the cost of implementation. For example, Article 21 indicates the types of measures that each entity bound by the directive must include in its policy:
- policies and procedures for evaluating the effectiveness of cybersecurity risk management measures
- basic cyber hygiene practices and cybersecurity training
- risk analysis and information systems security policy
- human resources security, access control policies and asset management
A more cyber-dependent infrastructure
Finally, it should be mentioned that legislative work on the new European TEN-T regulation for the development of the trans-European transport network is being finalised. It imposes specific obligations on infrastructure managers, rail operators and intermodal transport operators. The regulation sets ambitious deadlines for the deployment of the ERTMS digital safety system, as well as for the development of ICT applications for exchanging the information needed to manage railway infrastructure, capacity and freight.
The regulation also addresses cybersecurity and infrastructure resilience. This is further evidence that infrastructure will become more and more cyber-dependent, and each EU Member State will be obliged to take into consideration the cybersecurity and resilience of its infrastructure, paying particular attention to cross-border infrastructure, which would help to prevent cyberattacks.