Digitalisation of rail systems increases the cybersecurity threats to the IT systems of Rail Infrastructure Managers (IMs) and also of Railway Undertakings (RUs). At EU level, cybersecurity is regulated by Directive (EU) 2016/1148 on the ‘Security of Network and Information Systems’ (NIS). Under NIS, Member States have to develop contingency plans against cyberattacks. As IMs are identified as ‘operators of essential services’ and represent potential targets for cyberattacks, the application of measures according to the NIS Directive is compulsory for them. IMs also participate in the pan-European Rail ISAC (Information Sharing and Analysis Centre) Platform, whose objective is to develop and share best practices related to cybersecurity.
EIM in action
- EIM has set up a Working Group on ‘Cybersecurity’ (Cyber WG) which deals with cybersecurity issues. It aims at advocating the importance of promoting security guidelines instead of mandatory measures, given the different security environments and IT landscapes in the EU.
- EIM promotes best practices in cybersecurity amongst its members and the wider sector.
- EIM participates in the RAIL ISAC meetings of the EC to exchange views on cybersecurity issues with other stakeholders.
- EIM participates in the LandSec meetings of the EC.
- EIM coordinates with the sector and with ERA, ENISA and DG MOVE on the enhancement of the NIS Directive (NIS2), which aims to cover railways as an essential service.
- EIM responded to EU surveys on possible future cybersecurity actions.
- EIM and its members are actively participating in the RAIL ISAC Platform, focusing on information and knowledge sharing in the field of cybersecurity.
- EIM participated in the LandSec and ENISA/ERA activities and webinars related to cybersecurity.
- EIM’s Cyber WG foresees increasing participation in the Rail ISAC platform dedicated to cybersecurity. Rail ISAC insights will be monitored among EIM members, and EIM will coordinate with other EU associations for coordination within Rail ISAC.
- EIM will continue to promote best practice exchange between its members on cybersecurity matters.
- Development of common areas of interest, such as cyber-risk management, incident response, skills and training, and awareness growth.
- ERTMS approach in view of the new EU framework expected in the near future.
Directive (EU) 2016/1148 of the European Parliament
Infrastructure security covers several aspects: terror attacks, vandalism, suicides and metal theft. Risk mitigation and exchange of best practice are crucial for all sensitive sectors, especially rail infrastructure. The latest developments in terrorism have had a significant impact on the perception of security of public transport systems. While no specific binding European legislation exists in this domain, best practices and an ‘Action Plan’ to improve the security of rail passengers are being developed at European level. Each Rail Infrastructure Manager (IM) ensures the security of its network.
EIM in action
- EIM’s Cybersecurity Working Group (SEC WG) gathers security and cybersecurity experts who exchange views on security and cybersecurity issues and measures. The group has continued to meet remotely throughout the pandemic to consider ongoing security threats.
- EIM advocates the importance of promoting proportionate security guidelines instead of mandatory measures, given the different systems in the EU.
- EIM participates in the EU ‘RAILSEC’ meetings organised by the European Commission.
- EIM contributed to RAILSEC exchanges on the major challenges for IMs related to passengers’ security during the COVID-19 pandemic.
- EIM provided input on the definition of the new EC voluntary Guidelines on rail security programmes and rail security plans. The guidelines provide advice to IMs and RUs on how to draft a company’s security programme, taking into account the relevant national security strategy and the national security plan.
- The measures adopted so far by the European Commission are in line with the position promoted by EIM.
- The EC will approve the Guidelines and promote them to the Member States and rail stakeholders.
- The current mandate of RAILSEC expires at the end of 2021. EIM will contribute to the definition of the new mandate of this Group on rail security, which may also be extended to cyber threats.
- EIM will continue to promote best practice exchange between its members on security matters.
- EIM’s SEC WG will also look to forge stronger links with other EIM groups, e.g. the business continuity group, to drive a coherent and holistic approach to rail resilience. The SEC WG will also seek to (re)build links with other rail industry membership bodies to promote enhanced security and resilience.