Why new legal requirements are necessary for better cyber security in rail
For most of its history, rail has been a sector relatively closed to new technologies. In its operation to date, the key concern emphasised at both legislative and executive level has been security requirements understood as ‘safety’. Safe railways have been within the EU’s remit for many years now, as several pieces of legislation show. Railway Safety and Interoperability expert Jakub Tomczak dives into this background and the upcoming new EU regulations on cyber security in this article.
The modern railway is becoming an open, interoperable system. The EU has launched the single European railway area (SERA) initiative, under which rail transport should be able to operate without obstacles; the digitalisation of the railways is dismantling further obstacles. This process should make life easier for many actors, especially infrastructure managers, operators, and manufacturers of signalling technology.
Railway infrastructure now relies largely on computer networks, both wired and wireless. This means it is realistically exposed to attack by cyber criminals, and the range of entities at risk is wide. Every railway operator holds some data that can be described as sensitive. For example, freight operators may transport hazardous materials, and information such as the timetable of a train carrying such goods is a potential target for attack.
EU legislation defines general safety as the freedom from unacceptable risk of harm. Examples of such legislation in rail are the Safety Directives, the Interoperability Directives and the CSM RA Regulation. Cyber security, however, is a relatively new issue on the railways, and until recently EU law has been rather sparse in this area. Since the railways face an inevitable process of digitalisation, appropriate steps should be taken to secure them against cyber criminals. European CENELEC standards, such as EN 50126, EN 50128 or EN 50129, currently apply at the production stage of railway control equipment.
However, these are not requirements that would secure the entire railway system. That requires the cooperation of many actors, including the EU Member States themselves. That is why Directive 2022/2055 on measures for a high common level of cybersecurity across the Union was drafted. It imposes specific obligations on the Member States, and also identifies the actors that will be required to comply with its requirements.
Adapting for more cybersecurity
This new Directive should be implemented by EU countries by November 2024. By that time, each covered entity should have adapted its security management systems to the new requirements. The Directive identifies the entire transport sector as a sector of high criticality, one whose functioning is highly relevant to the Union. Its provisions will apply to all railway infrastructure managers. For railway undertakings and service facility operators, size must be considered: an operator that exceeds the thresholds set for medium-sized undertakings will be bound by the provisions of the Directive.
Their primary obligation will be to implement a cyber security risk management policy. National legislation should specifically define which technical, operational, and organisational measures are to be taken; the Directive itself only sets out the framework. Risk management measures should be proportionate to the identified cyber threat, while also taking into account the state of the art, the applicable standards and the cost of implementation. Article 21, for example, sets out the kinds of measures that every entity bound by the Directive must include in its policy:
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- basic cyber hygiene practices and cybersecurity training
- policies on risk analysis and information system security
- human resources security, access control policies and asset management
More cyber-dependent infrastructure
Finally, it’s worth mentioning that legislative work on the new TEN-T EU Regulation for the development of the trans-European transport network is currently being finalised. It imposes specific obligations on infrastructure managers, rail operators and intermodal transport operators.
The regulation sets ambitious deadlines for the installation of the ERTMS digital safety system, as well as for the development of ICT applications for the exchange of information needed to manage rail infrastructure, capacity, and freight.
It also commits to cyber security and infrastructure resilience. This shows that infrastructure will become more and more cyber-dependent, and every EU Member State will be obliged to take the cyber security and resilience of its infrastructure into consideration, with particular attention to cross-border infrastructure, in order to help prevent cyber attacks.
Jakub Tomczak is a lawyer focussed on railway safety and interoperability, and author of the expert blog PrawoKolei.pl