With 470 billion passenger kilometers and many routes per year in Europe, the rail industry plays a large and rapidly growing role in transportation. However, this poses IT security challenges for the industry, according to the European cybersecurity agency Enisa.
The agency reports that the rail industry has an overall lack of awareness of cybersecurity. In addition, there are problems due to the complex digitization involved. Even the simplest security measures on networks often cannot be fully implemented. A change in awareness is therefore necessary in order to build up more knowledge about IT security. Otherwise the transformation in this area will come to nothing, which would reduce the sector's competitiveness.
Cyber Attacks On Railway Companies
The cyber experts point to incidents that have already affected railway companies. These include, for example, a denial of attack in Ukraine in 2015. This year alone, a railway company in Great Britain had to contend with a huge data leak of 150 million entries on around 10,000 people who had used the free internet.
The experts state that a wide range of IT and networked devices are currently being introduced into the railway sector. However, those responsible often did not procure and manage these systems properly. This leads to weak points.
Outdated Sector Holds Back Cybersecurity
Enisa assesses the implementation of the NIS Directive in the member states. Over the years, the agency has worked closely with railway companies and infrastructures. In order to find out the state of affairs, the auditors carried out an online survey in the sector with 45 participants from 21 member states.
In general, the experts noted that the companies surveyed had a large number of legacy systems and a large number of devices that needed to be secured. Many of them are based on the state but are now out of date due to the long provider life. This makes it difficult to bring them in line with current cybersecurity requirements. Furthermore, the networks are usually distributed over many stations and tracks, which makes comprehensive control difficult.
The strong dependence on the supply chain does not make things any easier, the report says. With regard to network updates and lifecycle management, the networks are dependent on their suppliers and other third parties. Cybersecurity awareness and related skills varied among these too.
According to the report, there are also conflicts between different ways of thinking about security. For example, with any update that introduces cybersecurity provisions, those responsible have to ensure that the networks for the protection of passengers remain intact. This requires additional time and money. In addition, those responsible are usually not trained in IT security.