RAILWAY CYBERSECURITY
Good practices in cyber risk management
NOVEMBER 2021

ABOUT ENISA

The European Union Agency for Cybersecurity, ENISA, is the Union's agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union's infrastructure, and, ultimately, to keep Europe's society and citizens digitally secure. More information about ENISA and its work can be found here: www.enisa.europa.eu.

CONTACT

To contact the authors, please use resilience@enisa.europa.eu. For media enquiries about this paper, please use press@enisa.europa.eu.

AUTHORS

Theocharidou Marianthi, Stanic Zoran, ENISA
De Mauroy Louise, Lebain Loïc, Haddad Jules, Wavestone

ACKNOWLEDGEMENTS

We would like to warmly thank all the experts that took part in our workshops and provided comments. Their contributions and inputs were essential for the creation of this report. ENISA would like to thank the European Railway Agency (ERA), the European Railway Information Sharing and Analysis Centre (ER-ISAC) and UNIFE's cybersecurity working group for their support.

Andersson Johan A., Trafikverket
Boff Sacha, Banenor
Bos Stoffel, Prorail
Boss John, Prorail
Brouwer Riemer, Prorail
Cabral Pereira Mário Jorge, Infraestruturas de Portugal
Chatelet Thomas, ERA
Ciancabilla Attilio, RFI
Cosic Jasmin, DB Netz
De Visscher Olivier, ER-ISAC
Dyrlie Rune, Banenor
Fernandez Gonzalez Lola, Knorr-Bremse
Fritz Jérôme, CFL
Garcia Marta, UNIFE
Garnier Yseult, SNCF Reseau
Gomez Nieto Antonio, Adif
Hausman Francois, Alstom group
Houbion Catherine, Infrabel
Korving Evertjan, Prorail
Mager Joseph, NS
Magnanini Giulio, RFI
Meulders Philippe, CFL
Meyer Andreas, Selectron
Ooms-Geugies Klaasjan, NS
Pizzi Giorgio, Ministero Infrastrutture e Trasporti
Paulsen Christian, Siemens
Pouet Nicolas, SNCF Reseau
Remberg Tom, Banenor
Rodrigues Susano Ana Beatriz, Infraestruturas de Portugal
Thesse Eddy, Alstom group
Van den Bossche Peter, Infrabel
Van Zantvliet Dimitri, NS

LEGAL NOTICE

This publication represents the views and interpretations of ENISA, unless stated otherwise. It does not endorse a regulatory obligation of ENISA or of ENISA bodies pursuant to the Regulation (EU) No 2019/881. ENISA has the right to alter, update or remove the publication or any of its contents. It is intended for information purposes only and it must be accessible free of charge. All references to it or its use as a whole or partially must contain ENISA as its source. Third-party sources are quoted as appropriate. ENISA is not responsible or liable for the content of the external sources including external websites referenced in this publication. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. ENISA maintains its intellectual property rights in relation to this publication.

COPYRIGHT NOTICE

© European Union Agency for Cybersecurity (ENISA), 2021
Reproduction is authorised provided the source is acknowledged. For any use or reproduction of photos or other material that is not under the ENISA
copyright, permission must be sought directly from the copyright holders.

ISBN 978-92-9204-545-6, DOI 10.2824/92259

TABLE OF CONTENTS

1. INTRODUCTION
1.1 OBJECTIVES, SCOPE AND AUDIENCE
1.2 METHODOLOGY
1.3 STRUCTURE OF THE REPORT
2. CYBER RISK MANAGEMENT
2.1 RISKS MANAGEMENT STEPS
2.2 RISK MANAGEMENT APPROACHES FOR THE RAILWAY SECTOR
3. RAILWAY ASSETS AND SERVICES
3.1 TAXONOMY
4. CYBER-RELATED THREATS
4.1 TAXONOMY
4.2 CYBER RISK SCENARIOS
4.2.1 Scenario 1: Compromising a signalling system or automatic train control system, leading to a train accident
4.2.2 Scenario 2: Sabotage of the traffic supervising systems, leading to train traffic stop
4.2.3 Scenario 3: Ransomware attack, leading to a disruption of activities
4.2.4 Scenario 4: Theft of clients' personal data from the booking management system
4.2.5 Scenario 5: Leak of sensitive data due to unsecure, exposed database
4.2.6 Scenario 6: DDoS attack, blocking travellers from buying tickets
4.2.7 Scenario 7: Disastrous event destroying the datacentre, leading to disruption of IT services
5. CYBERSECURITY MEASURES
5.1 APPLYING CYBERSECURITY MEASURES
5.2 CYBERSECURITY MEASURES
6. CONCLUSIONS
7. BIBLIOGRAPHY
A ANNEX: ASSET DESCRIPTIONS
B ANNEX: THREATS DESCRIPTION
C ANNEX: SECURITY MEASURES

EXECUTIVE SUMMARY

European railway undertakings and infrastructure managers systematically address cyber risks as part of their security risk management processes, especially after the Network and Information Security (NIS) Directive came into force in 2016. Addressing cyber risks in the railway sector can raise entirely new challenges for railway companies who often lack the internal expertise, organisational structure, processes or the resources to effectively assess and mitigate them. The nature of railway operations and the interconnectedness of railway undertakings, infrastructure managers, and the supply chain requires all involved parties to achieve and maintain a baseline level of cybersecurity.

European RUs and IMs use a combination of good practices, approaches, and standards to perform cyber risk management for their organisations, as they need to assess cyber risks for all functions and for both OT and IT. This report gathers insights on these current practices in a single document and can assist railway undertakings and infrastructure managers in their efforts to apply them. It provides examples of reference material, such as available taxonomies of assets and services, threat taxonomies, seven comprehensive threat scenarios, derived from real incidents, and available cyber risk mitigation measures, derived from guidelines and standards.

This report aims to be a reference point for current good practices for cyber risk management approaches that are applicable to the railway sector. It offers a guide for railway undertakings and infrastructure managers to select, combine or adjust cyber risk management methods to the needs of their organisation. It builds upon the 2020 ENISA report on cybersecurity in the railway sector (ENISA, 2020), which assessed the level of implementation of cybersecurity measures in the railway sector. This report provides actionable guidelines, lists common challenges associated with the performance of the relevant activities, and outlines good practices that can be readily adopted and tailored by individual organisations. Additionally, a list of useful reference material is available, together with practical examples and applicable standards.

ABBREVIATIONS

ATP: Automatic train protection
CCS: Command, Control and Signalling
CCTV: Closed-Circuit Television
CVSS: Common Vulnerability Scoring System
CIO: Chief Information Officer
CISO: Chief Information Security Officer
CTO: Chief Technology Officer
CSIRT: Computer Security Incident Response Team
DoS/DDoS: Denial of Service/Distributed Denial of Service
DSP: Digital Service Provider
EC: European Commission
ER-ISAC: European Railway Information Sharing and Analysis Centre
ERTMS: European Rail Traffic Management System
ETCS: European Train Control System
EU: European Union
GDPR: General Data Protection Regulation
GSM/GSM-R: GSM-Railway
HR: Human Resources
HVAC: Heating, ventilation, and air conditioning
ICS: Industrial Control System
ICT: Information and Communication Technology
IEC: International Electrotechnical Commission
IM: Infrastructure Manager
ISO: International Organisation for Standardization
ISP: Internet Service Provider
ISSP: Information System Security Policy
IT: Information Technology
LAN: Local Area Network
MS: Member State
NIS Directive: Directive on Security of Network and Information Systems
NIST: National Institute of Standards and Technology
OES: Operator of Essential Service
OT: Operational Technology
PKI: Public Key Infrastructure
RU: Railway Undertaking
SOC: Security Operation Centre
VLAN: Virtual LAN
VPN: Virtual Private Network

1. INTRODUCTION

Directive 2016/1148 (NIS Directive) is the first legislative document focusing on cybersecurity in the EU. It identifies Operators of Essential Services (OES) in the railway sector as:

- Infrastructure managers (IM), as defined in point (2) of Article 3 of Directive 2012/34/EU, include: “any person or firm responsible in particular for establishing, managing and maintaining railway infrastructure, including traffic management and control-command and signalling. The functions of the infrastructure manager on a network or part of a network may be allocated to different bodies or firms”.
- Railway undertakings (RU), as defined in point (1) of Article 3 of Directive 2012/34/EU, include: “any public or private undertaking licensed according to this Directive, the principal business of which is to provide services for the transport of goods and/or passengers by rail with a requirement that the undertaking ensures traction. This also includes undertakings which provide traction only”. This also includes operators of service facilities as defined in point (12) of Article 3 of Directive 2012/34/EU as “any public or private entity responsible for managing one or more service facilities or supplying one or more services to railway undertakings”.

The NIS Directive requires IMs and RUs to conduct risk assessments that “cover all operations including the security and resilience of network and information systems”. According to the NIS Directive, these risk assessments, along with the implementation of appropriate mitigation measures, should promote “a culture of risk management” to be developed through “appropriate regulatory requirements and voluntary industry practices”.

This need for cyber risk management in the European railway sector was also identified as a key priority by the participants of the ENISA-ERA conference “Cybersecurity in Railways”, which took place online on 16-17 March 2021 and brought together more than 600 experts from railway organisations, policy, industry, research, standardisation, and certification.

While some EU Member States (MS) have issued relevant national guidance to OESs on how to conduct cyber risk assessments, most railway operators choose to adopt one of the different methodologies introduced
by industry standards. Indeed, there are currently varying approaches to tackle risk in the railway sector and for now, there is no single approach that covers both information technology (IT) and operational technology (OT) cyber risks.

This document offers a guide to these different approaches, enabling railway operators to select, combine or adjust cyber risk management methods to the needs of their organisation. It builds upon the 2020 ENISA report on cybersecurity in the railway sector (ENISA, 2020), which assessed the level of implementation of cybersecurity measures in the railway sector.

1.1 OBJECTIVES, SCOPE AND AUDIENCE

This report aims at providing railway stakeholders with applicable methods and practical examples on how to assess and mitigate cyber risks. These good practices are gathered based on feedback from railway stakeholders and include tools, such as assets and services list, threat scenarios, mapping of security measures. These resources can be used as a base for cyber risk management for railway companies. The study aims at being a reference point to promote collaboration between railway stakeholders across the EU and raise awareness of relevant threats.

This report is concerned with the European railway sector, and it covers cyber risk management applicable to both the IT and OT systems of railway organisations. Other railway stakeholders such as rolling stock manufacturers and component vendors are not considered in the scope of this report.

The primary target audience of this study includes people responsible for cybersecurity (CISOs, CIOs, CTOs, etc.) within RUs and IM networks. This report aims to provide them with the means to understand their cybersecurity ecosystem, assess the risks to their assets or services and manage them via appropriate cybersecurity measures. In addition, the National Competent Authorities, who may wish to develop guidance for railway operators in conducting cyber risk management, may consult this document to understand the current practices in the sector and potential challenges.

1.2 METHODOLOGY

The report was
created with the cooperation of European IMs and RUs in an iterative process with multiple rounds of validation as follows:

- Step 1 - Definition of the project scope and identification of experts. The first step consisted of defining the scope of the project and selecting subject matter experts whose input and insights could be considered for the development of the report. The experts chosen are mainly RU and IM stakeholders in charge of cybersecurity, as well as members of national and European agencies.
- Step 2 - Desk research. During this step, extensive desk research for relevant documents in the context of the project was conducted. The identified sources served as a reference to develop good practices, a list of assets and threats, threat scenarios, and list of measures.
- Step 3 - Series of workshops with selected subject matter experts. Four workshops were conducted to discuss and validate the key findings of the study, namely the list of assets, list of threats, threat scenarios, and list of measures. Additionally, the workshops were used as an opportunity to collect feedback on the challenges and good practices of risk management in the railway sector. The 20 experts originated from 10 European railway companies from Belgium, Germany, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, and Sweden. The European Rail Information Sharing and Analysis Centre (ER-ISAC) was also represented in the experts pool.
- Step 4 - Analysis of collected material and report development. The input collected from desk research and the stakeholder workshops was analysed. Based on this analysis, the first draft of this report was developed.
- Step 5 - Review and validation. The report was then validated by 24 experts (primarily RUs and IMs) from Belgium, France, Germany, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, and Sweden, the ER-ISAC and the UNIFE cybersecurity working group. The experts reviewed the report and provided comments and suggestions for improvement. These were the basis for the final version of this document.

1.3 STRUCTURE OF THE REPORT

The report is organised in 6 chapters:

- Chapter 2 describes cyber risk management concepts and the current approaches identified for the railway sector. It can help railway stakeholders to choose a risk management methodology.
- Chapter 3 contains a list of railway assets and services (definitions and taxonomy), along with guidelines on how to identify those assets and services. Railway stakeholders can use this information to build their own list of assets and services.
- Chapter 4 focuses on cyber threats, with a list of threats, their definitions and a list of risk scenarios applicable to the railway sector. Stakeholders can use those tools to identify the main risks to their assets and evaluate what should be prioritised for protection. The list of threats would be useful to conduct risk assessments, along with the abovementioned list of assets and services.
- Chapter 5 examines current cybersecurity measures based on EU guidelines (NIS Directive) and international standards. It can help stakeholders to define a risk management plan.
- Chapter 6 offers some concluding remarks.

2. CYBER RISK MANAGEMENT

The purpose of this chapter is to outline the risk management approaches that were used in the study and are applicable to the railway sector.
Many definitions and concepts exist, thus making it difficult to choose one that is most relevant to the individual's case. To ensure a common risk management frame, this document proposes a set of definitions and principles extracted from ISO 31000:2018 “Risk management - Principles and guidelines”, ISO-IEC 27005:2018 “Information security risk management” and the ISO-IEC 62443 series.

The information security risk management process is the coordination of activities to direct and control an organisation with regard to risk. It consists of context establishment, risk assessment, risk treatment, risk acceptance, risk communication and risk monitoring and review.

The information security risk management process can be iterative for risk assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can increase the depth and detail of the assessment at each iteration. It also provides a good balance between minimising the time and effort spent in identifying controls, while ensuring that strong risks are appropriately assessed.

As mentioned in the ISO 31000 principles chapter, risk management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes, including strategic planning and all project and change management processes.

For terms and definitions, please consult ISO 31000:2018 “Risk management - Principles and guidelines”, ISO-IEC 27005:2018 “Information security risk management”.

2.1 RISKS MANAGEMENT STEPS

ISO 27005:2015 defines a risk management process which integrates all necessary key activities to deploy a risk management methodology.

Figure 1: Risk management

The first step of launching a risk management process is establishing the context, both external and internal. It involves setting the basic criteria necessary for information security risk management (approach, risk evaluation criteria, impact criteria and risk acceptance criteria), defining the scope and boundaries (ensuring that all relevant assets are taken into account in the risk assessment), and establishing an appropriate organisation to manage the information security risk management.

The second step is launching a risk assessment, i.e., quantifying or qualitatively describing risks and enabling
managers to prioritise them according to their perceived seriousness or other established criteria. The risk assessment consists of three distinct tasks:

- Risk identification, to determine what could happen to cause a potential loss and to gain insight into how, where, and why the loss could occur.
- Risk analysis, to understand the nature of the risk and to determine the level of risk. A risk analysis methodology may be qualitative, quantitative, or a combination of both depending on the circumstances.
- Risk evaluation, to compare the level of risks against risk evaluation criteria and risk acceptance criteria. The purpose is to produce a list of risks prioritised according to risk evaluation criteria in relation to the incident scenarios that lead to those risks.

The third step is the risk treatment, which consists of defining a list of controls to reduce, retain, avoid, or share the risks. Then, a risk treatment plan can be defined. The risk treatment plan description will be elaborated in chapter 5 of this present document.

The fourth step is risk acceptance, i.e., the decision to accept the risks and responsibilities for the decision. Finally, a list of accepted risks with justification for those that do not meet the organisation's normal risk acceptance criteria is established.

The fifth step is the risk communication. Information about risks should be exchanged and/or shared between the decision-maker and other stakeholders.

The final step is risk monitoring and review. It consists of monitoring and reviewing the risks and the various factors (i.e., value of assets, impacts, threats, vulnerabilities, likelihood of occurrence) that help to identify any changes in the context of the organisation at an early stage, and to maintain an overview of all risks.

2.2 RISK MANAGEMENT APPROACHES FOR THE RAILWAY SECTOR

Workshops with relevant European railway sector stakeholders were conducted to identify the most common risk management methods currently used by RUs and IMs. During these workshops, stakeholders indicated their chosen methods. They are complemented or combined with other approaches to reach the desired level of sophistication and to cover both IT and OT requirements for risk management. Their approaches are also linked to the overall enterprise risk method used by the organisation and have to offer an adequate level of compliance with both EU and national cybersecurity requirements. For RUs and IMs operating in multiple EU Member States (MS), national requirements under the NIS Directive may not be fully harmonised, so these organisations face additional challenges in compliance.

For all EU RUs and IMs to meet the cybersecurity requirements of their national competent authorities, support is needed from the railway industry. RUs and IMs rely on their suppliers, both for more accurate threat and vulnerability analyses, but especially for implementing cybersecurity requirements.

Indeed, existing approaches are multiple and varying across the railway companies, but they may present different scope and level of detail in terms of analysis. For the risk management of railway IT systems, the most cited approaches were the requirements of NIS Directive at a national level, the ISO 2700x family of standards, and the NIST cybersecurity framework. For OT systems, the frameworks cited were ISA/IEC 62443,
CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project.

Those standards or approaches are often used in a complementary way to adequately address both IT and OT systems. While IT systems are normally evaluated with broader and more generic methods (such as ISO 2700x or NIS Directive), OT systems need specific methods and frameworks that have been designed for industrial train systems. For instance, the ISA/IEC 62443 standards are the most cited frameworks used for specific OT assets and risk identification, while many contributors to this report stated they intend to use the recently released CLC/TS 50701 in the future.

Stakeholders that participated in this study indicated that they use a combination of the abovementioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies. Examples include the Dutch A&K analysis [1], the German BSI Risk Management Standard 200-3 [2] and the French E-BIOS Risk Manager method [3]. Moreover, other stakeholders designed their own modified versions of methodologies based on existing frameworks.

[1] The method Afhankelijkheids- en Kwetsbaarheidsanalyse (A&K analysis) was developed in draft form by the Dutch public company RCC. The Dutch Ministry of Internal Affairs completed its development in 1996 and published a handbook describing the method. The method has not been updated since that time. The A&K analysis is the unique and preferred method for risk analysis by Dutch government bodies since 1994. In addition to the Dutch government, Dutch companies often use A&K analysis. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_dutch_ak_analysis.html
[2] With the BSI Standard 200-3, the BSI provides an easy-to-apply and recognised procedure which allows organisations adequate and targeted control of their information security risks. The procedure is based on the elementary threats described in the IT-Grundschutz Compendium on the basis of which the IT-Grundschutz-modules were drawn up. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2003_en_pdf.html;jsessionid=A26D9630FC3E530CDEECEACC00297837.internet461?nn=128620
[3] EBIOS Risk Manager (EBIOS RM) is the method for assessing and treating digital risks, published by National Cybersecurity Agency of France (ANSSI) with the support of Club EBIOS. It provides a toolbox that can be adapted, the use of which varies according to the objective of the project. EBIOS Risk Manager is compatible with the reference standards in effect, in terms of risk management as well as in terms of cybersecurity. https://www.ssi.gouv.fr/en/guide/ebios-risk-manager-the-method/

The difference between standards' completeness can also be tackled by building a bridge between the high-level company risk assessment, and the lower application, or asset risk, assessment level. The generic framework and standards can be used at a high level and the more technical or precise ones can be used at the applications and assets level. The risks and measures issued at the end of each process are consolidated in a global risk mapping and risk treatment plan.

A multitude of different approaches and methods have been recommended by national and international authorities regarding cyber risk management. This next section analyses a sample of European and international good practices.

ISO 27001, 27002 and 27005 standards. The ISO 2700x family are among the most used and cited standards for information security. ISO 27001 is the standard dedicated to establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. ISO 27001 and 27002 contain a list of requirements to consider when implementing a risk treatment plan and will be studied in more detail in chapter 5 of the present document. ISO 27005 is focused on risk management. It is the one selected in the present document as a reference for defining the risk management principles presented above. According to CLC/TS 50701 (see below), ISO27K series can be applied to the business part of railway infrastructure, which primarily includes IT systems.

NIS Directive Cooperation Group guidelines. In 2018, the NIS cooperation group [4] issued a “reference document” which provides a summary of the Group's main findings on cybersecurity measures for OESs (NIS Cooperation Group, 2018). The reference document primarily covers the risk treatment phase of risk management. It does not establish a new standard nor duplicate existing ones (e.g., ISO) but provides MS with a clear and structured picture of their current and often common approaches to the security measures of OESs. Beyond OESs, this reference document may be considered useful by other public or private actors looking to improve their cybersecurity. As it focuses on security measures, it will be studied in more detail in chapter 5.

[4] The NIS Cooperation Group, composed of representatives of Member States, the Commission, and ENISA, has been established under the NIS Directive. It facilitates strategic cooperation between the Member States regarding the security of network and information systems. https://digital-strategy.ec.europa.eu/en/policies/nis-cooperation-group

ISA/IEC 62443 standards. The ISA/IEC 62443 series of standards provides a framework to address and mitigate security vulnerabilities in industrial automation and control systems (IACS). They describe both technical and process-related aspects of industrial cybersecurity and provide a risk management approach, especially for OT systems, which can be applied to OT used in the railway sector. In particular, the ISA/IEC 62443-3-2, “Security Risk Assessment, System Partitioning and Security Levels” standard defines a set of engineering measures to guide organisations through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels. A key concept is the application of IACS security zones and conduits, which were introduced in ISA/IEC 62443-1-1, Concepts and Models. The standard provides a basis for specifying security countermeasures by aligning the identified target security level with the required security level capabilities set forth in ISA/IEC 62443-3-3, System Security Requirements and Security Levels.

CLC/TS 50701. Following this standard, the Technical Specification 50701 was issued (CLC/TS 50701, 2021). This European Technical Specification applies ISA/IEC 62443 to the railway sector. It applies to the communications, signalling, processing, rolling stock and fixed installations domains. It provides references to models and concepts from which requirements and recommendations can be derived and which are
97、 suitable to ensure that the residual risk from security threats is identified,supervised,and managed to an acceptable level by the railway system duty holder.CLC/TS 50701 can be used to define a list of OT components for the railway sector,and to build a list of OT-specific security measures.Shift2
98、Rail Risk Assessment Methods(projects X2Rail-1 and X2Rail-3).Shift2Rail proposes a risk assessment based on IEC 62443-3-2(X2Rail-1,2019;X2Rail-3,2020).It proposes a common railway framework,which includes:Attacker landscape dedicated to railway Threat landscape dedicated to railway based on(ISO 2700
99、5,ENISAs 2016 Threat Taxonomy 2016 and BSI:Threats Catalogue)Impact matrix Approach for high-level risk assessment and estimation of the security level targets based on the STRIDE threat classification Process for detailed risk assessment.Based on this common approach,Shift2Rail performed a risk ass
essment of a generic railway signalling system compliant with the IEC 62443 and proposed target security levels for the different identified zones. X2Rail-3 proposed a Simplified Risk assessment approach in 2020 (X2Rail-3, 2020) which consists of the following workflow:

1. Description of the zone under assessment
2. Division of the assessment into six STRIDE threat domains [5]
3. Estimation of likelihood and impact
4. Risk computation
5. Security level mapping to risk level
6. Foundational Requirements [6] security level mapping to six STRIDE threat domains security levels

CYRail recommendations on cybersecurity of rail signalling and communication systems. The EU-funded project CYRail [7] issued a guide published in September 2018 (Cyrail, 2018). This guide provides an analysis of threats targeting railway infrastructures, in addition to the development of attack detection and alerting techniques, mitigation plans and Protection Profiles for railway control and signalling applications to ensure security by design of new rail infrastructures. It relies on the IEC 62443 standard. The security assessment consists of the following 5 steps:

- Identification of the system under consideration (SUC)
- Performing a high-level cybersecurity risk assessment to identify the worst-case risks
- Partition of the SUC into zones and conduits and definition of the vulnerabilities
- Realisation of detailed risk assessment in each zone and conduit in 10 steps (identify threats, identify vulnerabilities, determine consequence and impact, determine unmitigated likelihood, calculate unmitigated cyber security risk, determine security level target, identify and evaluate existing countermeasures, re-evaluate likelihood and impact, calculate residual risk, document and communicate results)
- Documentation of the process

This guide is useful to conduct risk analysis within the railway sector, particularly on control and signalling applications, using the IEC 62443 standard.

[5] The STRIDE model is a model of threats developed by Microsoft to identify computer security threats, as the first step in a proactive security analysis process. The next steps in the process are identifying the vulnerabilities in the implementation and then taking measures to close security gaps. The STRIDE model defines a threat as any potential occurrence, malicious or otherwise, that can have an undesirable effect on the system resources. STRIDE stands for 6 main threats: Spoofing of user identity, Tampering with data, Repudiation, Information disclosure (privacy breach), Denial of Service (DoS) and Elevation of privilege. Vulnerability is an unfortunate characteristic that makes it possible for a threat to occur. An attack is an action taken by a malicious intruder to exploit certain vulnerabilities to enact the threat. STRIDE was created to be applied to a specific system or during the development of a product; therefore, it is less relevant at a company level, as it does not encompass the whole risk management process. Nevertheless, it can be used with a more global methodology when defining the threats. https:/
[6] According to IEC 62443, security capabilities are organised according to seven Foundational Requirements (FR1 Identification and Authentication Control, FR2 Use Control, FR3 System Integrity, FR4 Data Confidentiality, FR5 Restricted Data Flow, FR6 Timely Response to Events, and FR7 Resource Availability).
[7] https://cyrail.eu/about-cyrail-project-1

EULYNX, RCA, and OCORA approach. EULYNX is a European initiative led by 13 IMs to standardise interfaces and elements of signalling systems. EULYNX Reference Architecture defines the complete
EULYNX system, describing the overall architecture, cross-cutting architectural concepts, and all generic functions of the system. Baseline Set 3 was completed in 2020 [8].

RCA stands for Reference Control, Command & Signalling (CCS) Architecture. It is an initiative led by members of the ERTMS Users Group (EUG) and EULYNX to define a harmonised architecture for the future railway CCS, with the main goal of substantially increasing the performance/total cost of ownership (TCO) ratio of CCS. The RCA Baseline Set 0 Release 1 was updated with the Cyber Security guidelines created by OCORA, RCA and EULYNX. It defines a risk assessment process taking IEC 62443 and CLC/TS 50701 as security standards and gives an example on how to apply it to trackside CCS. The following process is defined:

- Definition of system under consideration
- Initial zoning concept based on risk assessment
- Definition of attacker types
- Evaluation of the attackers, strength, motivation
- Supplementation of threats
- Sorting of threats into foundational requirements
- Definition of the initial security level per threat
- Entering the foundational requirement value into the vector of the preliminary zone
- Application of reduction factors to determine the
  final security level
- Application of the measures according to IEC 62443

The focus of RCA is on the architecture of the CCS trackside. There is a similar initiative, named OCORA, which addresses the architecture of the CCS on-board side [9]. It is a joint initiative by 5 European railway companies [10] which has been set up to define the architecture and interfaces for the next generation of on-board European Train Control System (ETCS) systems.

UIC Guidelines for Cyber-Security in Railways. In 2018, the UIC ARGUS WG decided to produce an enforced document to provide specific guidance to the Railway (UIC, 2018). This guidance document is designed to support the rail industry in reducing its vulnerability to cyber-attacks and to ensure availability, integrity, confidentiality of railway systems and data at all times. The document has a particular but not exclusive focus on signalling and telecommunication within railway. The document is based on the ISO 27001 and 27002 standards and offers guidance specific to railway. It also describes common risk management steps such as: establishment of the security context, asset identification (primary and supporting), impact analysis (supported by operational impact scenarios), threat identification, selection of applicable threat scenarios, estimation of risk level for each applicable threat scenario based on the likelihood and the impact of those threat scenarios, selection of risk treatment options, and selection of a list of additional controls.

[8] https://www.eulynx.eu/index.php/documents/published-documents/open-availability/baseline-set-3/257-20200623-eulynx-documentation-plan-eu-doc-11-v3-4-0-a/file
[9] https:/
[10] Deutsche Bahn (DB), Société nationale des chemins de fer français (SNCF), Nederlandse Spoorwegen (NS), Österreichische Bundesbahnen (ÖBB) and Schweizerische Bundesbahnen (SBB)

3. RAILWAY ASSETS AND SERVICES

For RUs and IMs to manage cyber risks, it is crucial that they identify their railway assets and services that need to be protected. The railway sector is composed of multiple stakeholders who are responsible for their own infrastructure, assets and services, but they are strongly interconnected and interact with one another to deliver services. These interactions complicate risk assessment, because interdependencies between external stakeholders or suppliers must be considered in the analysis.

The list resulting from this identification of assets and services should contain services the stakeholders have to deliver, and assets, such as devices, physical infrastructure, people and data needed to support these services. In addition, stakeholders may develop indicators to assess cyber risk impact on the availability, integrity and confidentiality of these assets and services (e.g., number of users affected, economic impact, environmental impact, recovery time objectives, etc.).

Eight essential high-level railway services have been considered during the 2020 ENISA study (ENISA, 2020):

- Operating traffic on the network
- Ensuring the safety and security of passengers and/or goods
- Maintaining railway infrastructure and/or trains
- Managing invoicing and finance (billing)
- Planning operations and booking resources
- Information for passengers and customers about operations
- Carrying goods and/or passengers
- Selling and distributing tickets.

Railway stakeholders can use various taxonomies as the basis to identify their key cyber-related assets and services and adapt them to their own operational environment. Based on the desk research and information collected during the workshops, the key point is to maintain an asset inventory for cyber-related assets. Assets should be identified and registered in the asset inventory based on the system they relate to, the service they support and the information they handle. As mentioned, interdependencies between systems and third-party hardware and software, vendors, or other stakeholders must be considered. They should be identified in the specifications of technical interface (and/or data exchange) requirements. Finally, the department/division responsible for cybersecurity should be included in procurement contract review and implementation to ensure cybersecurity is addressed.

The identification
of all interdependencies of the systems can be a real challenge. This is the case for external dependencies, but also for internal dependencies. Specifically, IT and OT interdependencies are complex because their boundaries are increasingly blurring, and OT and IT have different levels of maturity in terms of cybersecurity. Maintaining an exhaustive inventory is complex as systems are evolving fast, and the digitalisation of all processes is adding more and more systems that must be considered. This is exacerbated by the fact that the people responsible for the inventory often do not have knowledge of all the assets and rely on systems engineers or security experts of the asset owner to maintain the inventory. Third-party-managed systems are also complicated to integrate in internal inventories due to this mix of responsibilities.

To support this inventory, automated tools for asset management (identification, logging and monitoring) can be deployed, but the deployment of such tools requires strong interactions with systems that don't always support such interactions. For asset identification, IT/OT asset discovery tools can be deployed, but care needs to be taken during their configuration so as not to affect the performance of systems.

3.1 TAXONOMY

To help RUs and IMs choose which assets and services to include in their risk assessment, a comprehensive list has been compiled. It is based on the systems list described in the ENISA Report - Railway Cybersecurity of 2020 [11]. It has been constructed from existing literature, validated during interviews with railway stakeholders in 2020, and enriched based on the feedback received during the 2021 workshops. It gives a robust and high-level overview of railway assets, with relevant categories.

Other, more detailed taxonomies exist in the sector and have been reviewed in order to complement and align (especially for the names and associated descriptions) this list with approaches on asset taxonomies, such as X2Rail Deliverables [12], RCA-OCORA-Eulynx Security Guideline [13] and TS50701. Indeed, RCA, OCORA, and Eulynx have created comprehensive asset architecture models specific to OT systems (on-board and trackside systems). They present assets at a more detailed level, up to the component level, and can be used for the risk assessment of a particular system, where such detail is required.

This list has been broken down to 5
areas: the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used.

Fourteen service categories, together with sub-categories, are defined and depicted in Figure 2. For each service listed in (ENISA, 2020), assets have been identified. These are based on the list of systems by (ENISA, 2020), desk research, CLC/TS50701 and complemented with additions such as supply chain or freight assets. Supply chain assets refer to the assets provided by suppliers; as this present list may not be exhaustive, supplier threats can be additionally covered by defining a list of suppliers and applying specific measures to them. Freight assets are especially relevant as railways account for a significant amount of EU freight transport. They can be targeted by specific attacks that are more focused on financial gain rather than disruption or passenger safety.

In addition, each asset has been characterised according to the kind of resources the asset uses:

- IT systems: refers to all components, devices and software used to store and process the information and realise IT operations.
- OT systems: refers to all components, devices and software used to conduct physical railway operations.
- Network and communications systems: refers to all components and devices used to physically convey information flows.
- Supply chain: refers to the assets provided by suppliers.

Four device categories
have been identified, namely:

- Telecom
- IT & OT infrastructure
- Infrastructures and trackside
- On-board

These categories illustrate the systems to which the assets belong and are used to define the operation where the asset will be used: passenger comfort, signalling, corporate operations, etc. (see Figure 3). Moreover, physical equipment can be found either on infrastructure and trackside (buildings, tracks, etc.), or on-board (trains, wagon, lighting, etc.) (see Figure 4). Finally, the different categories of people that are using these systems (clients or employees) and the different categories of data used by those systems are listed (see Figure 5).

These taxonomies can be used for developing an initial ontology-knowledge representation for the railway domain. For detailed descriptions of these five areas of assets, please consult Annex A.

[11] See https://www.enisa.europa.eu/publications/railway-cybersecurity
[12] See X2R3-T8_3-D-SMD-004-06_-_Deliverable_D8.2-3c_Protection_profile_On-board_components and X2R3-T8_3-D-SMD-009-06_-_Deliverable_D8.2-3b_Protection_Profile_-_Trackside
[13] See RCA Gamma published (eulynx.eu)

Figure 2: Railway Service categories
Figure 3: Railway devices
Figure 4: Railway Physical Equipment
Figure 5: People and Data

4. CYBER-RELATED THREATS

In the railway sector, compromised OT systems can affect passengers' safety, cause a train accident, or interrupt traffic. OT systems are usually more vulnerable than IT systems, in part due to a lack of cybersecurity awareness in OT personnel, in part because they were not designed with cybersecurity in mind (long lifecycles of 30 years, presence of legacy systems) and because they are less controlled
and decentralised compared to IT systems. While in the past they remained less exposed, often isolated from the internet and other IT networks, they are now more and more interconnected with classic IT systems, which makes them even more vulnerable and exposed to cyber threats.

RUs and IMs need to identify which cyber threats are applicable to their assets and services. One of the common questions is whether threats, such as disasters, physical attacks, or outages, should be included or considered as not being specific to the “cyber” ecosystem. Most stakeholders include them, as they can affect information security. If they are not included, they should be considered in other risk management or business continuity management processes of the company, and this must be agreed on when the threat taxonomy is being developed.

Another challenge faced by the railway sector is assessing the likelihood of a threat scenario. One would need to consider the level of capability required for an attack, the level of exposure of the targeted asset, and the intent of an attacker, all of which are information that RUs and IMs may have difficulty in assessing accurately. Several methods are proposed by the different cyber risk management frameworks. For example, X2Rail-3 [14] proposes to rely on the Common Vulnerability Scoring System (CVSS). They have selected four CVSS Exploitability metrics: Attack Vector (System Exposure), Attack Complexity, Privileges Required and User Interaction. Levels for these metrics have been defined, and the resulting likelihood is calculated mathematically from them. Other methods are less quantitative, but also simpler to apply, such as ISO 27005, which combines the likelihood of occurrence of the threat (low, medium, high), the ease of exposure (low, medium, high) and the value of the asset (from 0 to 4) to calculate
the likelihood of an incident scenario [15]. It is also very difficult to maintain this information because it changes through time as the threat landscape evolves.

Finally, the railway sector faces challenges associated with supply chains. Security risks related to suppliers (e.g., remote access to the railway networks/systems) are less covered because of the heterogeneous and broad nature of the supplier landscape, but also because stakeholders do not have much control over the cybersecurity level of their suppliers and the cyber risks they may introduce. This topic can be reinforced by making an inventory of all the suppliers, categorising them in terms of criticality (e.g., do they have access to a critical system, is there a strong interconnection between systems, do they manipulate sensitive data, etc.) and assessing the cybersecurity maturity of the most critical suppliers as a starting point.

4.1 TAXONOMY

RUs and IMs should decide on a list of threats to be used to perform their cyber risk analysis. There are several threat taxonomies available, without a consolidated version being available. For a detailed mapping of railway threat taxonomies, one can consult “Appendix to D8.2 Security Assessment:
A mapping of threat landscapes” (X2Rail-1, 2019). This document maps various approaches to the threat landscape proposed by X2Rail-1 WP 8, which is based upon the ISO 27005 threat landscape with some improvements for railways. The ISO 27005:2011 [16], ENISA Threat Taxonomy [17] and BSI Threats Catalogues are mapped to the threats considered under the X2Rail-1 WP 8 Threat landscape.

[14] See X2Rail-3 Deliverable D8.1 Guidelines for railway cybersecurity
[15] See ISO 27005, annex E, E.2 Detailed information security risk assessment
[16] See ISO 27005, annex E, E.2 Detailed information security risk assessment
[17] https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view

Figure 6: Threat taxonomy

To assist in this process, this report provides a comprehensive and tailored list of threats based on the 2016 ENISA Threat Taxonomy [18], as this is a more extensive list. It can be used as the basis to identify threats that apply in the context of the company and to assess railway cyber threats. It has been simplified to better apply to railways, and to ensure stakeholders can effectively use it. The resulting list of categories was reviewed and validated with experts during dedicated workshops. The main categories are as follows:

- Disaster (natural, environmental)
- Unintentional damage/loss of information or IT assets
- Physical attack (deliberate/intentional)
- Failures/Malfunction
- Outages
- Malicious activity/Abuse

Each threat belongs to a category and is applicable to one or more railway assets. This taxonomy has been represented graphically in Figure 6 and the threats are described in more detail in Annex B. For an updated view of the current threat landscape, i.e. the current top threats, readers can consult the latest ENISA Threat landscape report [19]. For a more detailed analysis of adversary tactics, the MITRE ATT&CK knowledge base [20] and the Common Attack Pattern Enumeration and Classification (CAPEC) [21] can also be used.

4.2 CYBER RISK SCENARIOS

This section describes examples of cyber risk scenarios which can assist railway stakeholders when performing a risk analysis. They show how the asset and threat taxonomies can be used together and were based on the known incidents of the sector and the feedback received during the workshops. Each scenario is associated with a list of security measures, detailed later in chapter 28, which will mitigate the risk of this scenario occurring, and are derived from best practices. The following scenarios are described:

- Scenario 1: Compromising a signalling system or automatic train control system, leading to a train accident
- Scenario 2: Sabotage of
  the traffic supervising systems, leading to train traffic stop
- Scenario 3: Ransomware attack, leading to a disruption of activity
- Scenario 4: Theft of clients' personal data from the booking management system
- Scenario 5: Leak of sensitive data due to unsecure, exposed database
- Scenario 6: Distributed Denial of Service (DDoS) attack, blocking travellers from buying tickets
- Scenario 7: Disastrous event destroying the datacentre facility, leading to disruption of IT services

[18] See https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view
[19] https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends
[20] https://attack.mitre.org/
[21] https://capec.mitre.org/

4.2.1 Scenario 1: Compromising a signalling system or automatic train control system, leading to a train accident

Figure 7: Compromising a signalling system or automatic train control system, leading to a train accident

This scenario requires high motivation of the attacker and in-depth knowledge of railway systems and networks. It is considered a low likelihood scenario. It has been included as the potential impact can be very high and this is one of the primary concerns of railway stakeholders when considering cyber risks. A similar incident took place in the city of Lodz, Poland in 2008 when an attacker managed to hack into a tram system.

Attack details

- An attacker gathers information (type of requests, IP address, etc.),
    o either trespassing on railway undertaking train facilities (e.g., depots, maintenance centre, etc.),
    o or from a malicious employee,
    o or using phishing to steal information from an employee;
- An attacker builds a device or software to command and control junctions and trains according to the gathered information;
- An attacker uses the device to control the junctions and the trains;
- An attacker provides false information to the system, leading to a major disruption or even a train accident.

Impacts: Train casualties; Human casualties; Disruption of activity; Loss of reputation
Stakeholders: Railway undertaking; Infrastructure manager
Assets affected: Automatic train control system; Interlocking systems; Tracks, trains; Passengers

Security Measures

High level security measures:
- NIS-PR.10 Physical and environmental security
- NIS-GV.6 Human resource security
- NIS-PR.4 Cryptography
- NIS-PR.8 Access right
- NIS-DF.3 Logs correlation and analysis
- NIS-DF.1 Detection

Examples of specific measures:
- NIST-PR.AT Awareness & Trainings (1,2,3,4,5)
- CLC/TS50701 SR 1.2 Software process and device identification and authentication

4.2.2 Scenario 2: Sabotage of the traffic supervising systems, leading to train traffic stop

Figure 8: Sabotage of the traffic supervising systems, leading to train traffic stop

This scenario is a targeted attack using a specific Industrial Control System (ICS) malware to disrupt the traffic supervising systems, thus leading to an urgent stop of train traffic. Such an incident has not yet occurred in the railway sector. This scenario could also be applied to freight docking systems, and thus disturb or interrupt freight activity.

Attack details

- An attacker introduces ICS malware, through phishing emails sent to employees or removable devices used on OT systems;
- The ICS malware propagates, takes over the system, and gains remote access;
- The malware allows the attackers to easily communicate with traffic supervising systems and remotely manipulate the system's memory to inject shellcode, eventually injecting a payload that disrupts traffic supervising systems;
- The traffic supervising systems stop, preventing their supervision and leading to an urgent stop of train traffic.

Impacts: Disruption of activity; Loss of reputation
Stakeholders: Railway undertaking; Infrastructure manager
Assets affected: Remote monitoring; Temporary speed restriction; Interlocking; Train control; Automatic train protection; Freight docking

Security Measures

High level security measures:
- NIS-GV.6 Human resource security
- NIS-PR.9 IT security maintenance procedure
- NIS-GV.5 Security Audit
- NIS-DF.1 Detection
- NIS-DF.3 Logs correlation and analysis

Examples of specific measures:
- NIST-PR.AT Awareness & Trainings (1,2,3,4,5)
- CLC/TS50701-SR 3.2 Malicious code protection
- CLC/TS50701-SR 3.3 Security functionality verification
- CLC/TS50701-SR 3.4 Software and information integrity

4.2.3 Scenario 3: Ransomware attack, leading to a disruption of activities

Figure 9: Ransomware attack, leading to a disruption of activities

In 2021, ransomware attacks are considered the top threat scenario and are targeting the transport sector. In this case, the attacker infiltrates the information system, exploits a vulnerability, and deploys ransomware on a large number of assets. A similar incident happened in May 2017 when Germany's Deutsche Bahn rail infrastructure was infected with WannaCry ransomware [22], leading to messages appearing on station information screens.

Attack details

- An attacker infiltrates the information system by phishing or stealing credentials;
- They scan the network for vulnerabilities, to exploit them and gather information;
- They discover vulnerabilities on systems (e.g. due to inadequate patch management);
- They deploy ransomware that encrypts the data on all vulnerable systems;
- The infected systems and devices cannot be used anymore;
- They demand a ransom in bitcoins within a limited amount of time in exchange for data to be decrypted. They further extort employees and customers by threatening to expose personal or confidential data.

Impacts: Disruption of activity; Loss of data and information; Loss of reputation; Financial loss
Stakeholders: Railway undertaking; Infrastructure manager
Assets affected: IT systems in services and devices; Data, information and knowledge

Security Measures

High level security measures:
- NIS-PR.9 IT security maintenance procedure
- NIS-PR.2 System segregation
- NIS-PR.3 Traffic filtering
- NIS-GV.6 Human resource security
- NIS-DF.1 Detection
- NIS-DF.3 Logs correlation and analysis

Examples of specific measures:
- CLC/TS50701-SR 3.2 Malicious code protection
- CLC/TS50701-SR 3.4 Software and information integrity
- CLC/TS50701-SR 5.2 Zone boundary protection
- CLC/TS50701-SR 5.1 Network segmentation
- NIST-PR.AT Awareness & Trainings (1,2,3,4,5)

[22] See https:/

4.2.4 Scenario 4: Theft of clients' personal data from the booking management system

Figure 10: Theft of clients' personal data from the booking management system

This scenario is a targeted attack, where the attacker steals the identity of an administrator and is therefore able to connect to a cloud-based booking management system and exfiltrate customer data. A similar incident happened in November 2017 with Rail Europe North America (RENA) suffering due to a 3-month long data breach [23] and in January 2019 when China Railways' official online booking platform suffered a massive data breach, with information later being sold on the dark web [24].

Attack details

- Attackers identify and retrieve authentication data (credentials) to get access to useful systems:
    o by gathering information on railway systems through social engineering;
    o by identifying the targeted systems used for booking management and fetching the identity of the people using them;
    o once systems and their operators/users are identified, attackers launch phishing attacks to retrieve credentials to access those systems;
- The attacker gets direct access to the system using the administrator credentials;
- They get unauthorised access to customer data and retrieve it;
- They leak the data or sell them.

Impacts: Tarnished reputation; Regulatory sanction (GDPR)
Stakeholders: Railway undertaking
Assets affected: Booking management; Clients' personal information; Passengers

Security Measures

High level security measures:
- NIS-GV.5 Security Audit
- NIS-PR.2 System segregation
- NIS-PR.3 Traffic filtering
- NIS-PR.7 Authentication and identification
- NIS-PR.8 Access rights

Examples of specific measures:
- NIST-PR.AT Awareness & Trainings (1,2,3,4,5)
- CLC/TS50701-SR 1.1 Human user identification and authentication
- CLC/TS50701 SR 4.1 Information confidentiality
- CLC/TS50701-SR 5.1 Network segmentation
- CLC/TS50701-SR 5.2 Zone boundary protection

[23] See https:/
[24] See https:/

4.2.5 Scenario 5: Leak of sensitive data due to unsecure, exposed database

Figure 11: Leak of sensitive data due to unsecure, exposed database

This scenario is also related to data leakage, but the starting point here is a supplier with a low cybersecurity level. The attacker uses this third-party weakness to exfiltrate sensitive data. A similar incident happened in February 2020 with a database of C3UK [25], which offered Wi-Fi services to passengers in train stations. The database contained 146 million records, including personal contact details and dates of birth, and was exposed online without a password [26].

Attack details

- A supplier providing services stores sensitive data (e.g., marketing company that manages a marketing campaign, data from an open Wi-Fi service available at a train station) in an unprotected database, exposed on the internet, without password and without encrypting the information;
- Hackers connect to the database and exfiltrate the information;
- The database contains personal information, such as email addresses, date of birth, name, reason to travel and travel arrangements;
- Hackers use the information for extortion attacks targeting employees and customers.

Impacts: Loss of users' data; Regulatory sanction (GDPR); Tarnished reputation
Stakeholders: Railway undertaking
Assets affected: Data, information and knowledge (sensitive data: personal, email, telephone, commercial and financial, train/traffic, supply chain data, freight data, IT infrastructure with audit/logs, other IT systems data); People (Passengers; employees - executives, drivers and all other)

Security Measures

High level security measures:
- NIS-GV.5 Security Audit
- NIS-GOV.7 Ecosystem mapping
- NIS-GOV.8 Ecosystem relations

Examples of specific measures:
- NIST-ID.SC Supply Chain Risk (1,2,3,4,5)
- ISO27002-A.15 Supplier relationships
- CLC/TS50701 SR 4.1 Information confidentiality

[25] Wi-Fi for transport service provider
[26] See https:/
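The two likelihood estimation approaches described at the start of section 4 (the four CVSS Exploitability metrics that X2Rail-3 relies on, and the ISO 27005 combination of threat likelihood, ease of exposure and asset value), applied to Scenarios 1, 4 and 5, as an added example that is not part of the ENISA report or of X2Rail-3. The metric weights are the published CVSS v3.1 values; the metric choices per scenario, the low/medium/high thresholds, the additive form of the matrix and the asset values are assumptions made for illustration.

```python
"""Likelihood estimation for railway risk scenarios, two ways (added illustration)."""

# Published CVSS v3.1 weights for the four Exploitability metrics
# (Privileges Required values are those for an unchanged scope).
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},  # Attack Vector (system exposure)
    "AC": {"L": 0.77, "H": 0.44},                         # Attack Complexity
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},              # Privileges Required
    "UI": {"N": 0.85, "R": 0.62},                         # User Interaction
}


def exploitability(vector):
    """Return the CVSS v3.1 Exploitability sub-score for e.g. 'AV:N/AC:L/PR:N/UI:N'."""
    chosen = dict(part.split(":") for part in vector.split("/"))
    if set(chosen) != set(WEIGHTS):
        raise ValueError(f"expected exactly AV, AC, PR and UI in {vector!r}")
    score = 8.22
    for metric in ("AV", "AC", "PR", "UI"):
        if chosen[metric] not in WEIGHTS[metric]:
            raise ValueError(f"unknown value {chosen[metric]!r} for {metric}")
        score *= WEIGHTS[metric][chosen[metric]]
    return score


def likelihood_level(score):
    """Band the sub-score (range about 0.12 to 3.89) into three levels.

    ASSUMPTION: equal thirds of the range. X2Rail-3 defines its own levels,
    which are not reproduced on this page.
    """
    if score >= 2.6:
        return "high"
    if score >= 1.3:
        return "medium"
    return "low"


LEVELS = {"low": 0, "medium": 1, "high": 2}


def iso27005_value(asset_value, threat_likelihood, ease):
    """Combine asset value (0-4), threat likelihood and ease into a 0-8 value.

    ASSUMPTION: additive combination, in the style of the example matrix of
    ISO 27005 Annex E.2.
    """
    if asset_value not in range(5):
        raise ValueError("asset value must be an integer from 0 to 4")
    return asset_value + LEVELS[threat_likelihood] + LEVELS[ease]


# Constructed inputs: the metric choices and asset values are illustrative
# readings of the scenario descriptions, not values given in the report.
SCENARIOS = [
    {"id": "Scenario 1", "name": "Compromised signalling / train control",
     "vector": "AV:P/AC:H/PR:L/UI:N",   # physical access, in-depth knowledge needed
     "asset_value": 4, "threat": "low", "ease": "low"},
    {"id": "Scenario 4", "name": "Theft of clients' personal data",
     "vector": "AV:N/AC:L/PR:N/UI:R",   # relies on an employee answering a phishing mail
     "asset_value": 3, "threat": "medium", "ease": "medium"},
    {"id": "Scenario 5", "name": "Exposed supplier database",
     "vector": "AV:N/AC:L/PR:N/UI:N",   # internet-facing, no password
     "asset_value": 3, "threat": "high", "ease": "high"},
]


def assess(scenarios):
    """Score every scenario with both methods and return one row per scenario."""
    rows = []
    for s in scenarios:
        score = exploitability(s["vector"])
        rows.append({
            "id": s["id"],
            "name": s["name"],
            "exploitability": round(score, 2),
            "likelihood": likelihood_level(score),
            "iso_value": iso27005_value(s["asset_value"], s["threat"], s["ease"]),
        })
    return rows


if __name__ == "__main__":
    for row in assess(SCENARIOS):
        print(f'{row["id"]}: exploitability {row["exploitability"]:.2f} '
              f'-> {row["likelihood"]:6s} | ISO 27005 style value {row["iso_value"]}/8 '
              f'({row["name"]})')
```

With these inputs Scenario 1 scores low on exploitability yet still reaches 4 of 8 in the matrix because of its asset value, which is the reason the report gives for keeping a low-likelihood scenario in the analysis.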
4.2.6 Scenario 6: DDoS attack, blocking travellers from buying tickets

Figure 12: DDoS attack, blocking travellers from buying tickets

This scenario is a targeted attack, where the prerequisite for the attacker is to have created a botnet network (a set of compromised devices controlled by a hacker to perform their attacks). The attacker can then use the botnet to flood devices with requests and make them unavailable. Another possibility to consider for a DDoS scenario is a non-targeted attack, where an Internet Service Provider (ISP) is targeted with this type of attack, thus affecting railway services that use this ISP.

Attack details

- An attacker has previously infected a number of computers, creating a botnet (a set of compromised devices controlled by a hacker to perform their attacks);
- The botnet is used to launch a DDoS attack on the railway networks: the networks and servers exposed to the internet are flooded with requests and connection attempts and thus shut down, unable to sustain the flow;
- All services and actions that need the internet-exposed devices are now unavailable: ticket-vending machines, sites or applications, and commercial websites. Passengers are unable to book tickets.

Impacts: Tarnished reputation; Loss of revenue; Disruption of activities; Administrative and resource burden
Stakeholders: Railway undertaking
Assets affected: Booking management; Automatic fare collection

Security Measures

High level security measures:
- NIS-DF.1 Detection
- NIS-DF.3 Logs correlation and analysis
- NIS-RS.1 Business continuity management
- NIS-RS.2 Disaster recovery management

Examples of specific measures:
- ISO27002-A.17.1 Information security continuity
- ISO27002-A.17.2 Redundancies
- CLC/TS50701-SR 7.1 Denial of service protection

4.2.7 Scenario 7: Disastrous event destroying the datacentre, leading to disruption of IT services

Figure 13: Disastrous event destroying the datacentre, leading to disruption of IT services

This scenario is the consequence of a disastrous event which leads to disruption of activity. The event (natural disaster, fire, etc.) affects the datacentre and destroys part of it, leading to a physical destruction of IT systems and thus a disruption of activities related to these services. Depending on the redundancy strategy of the company (geo-redundancy, cloud, external back-ups, etc.), the disruption can last more or less time. A similar incident
happened in March 2021 when OVH [27] had a fire in one of its datacentres, making millions of websites unavailable for days [28].

Attack details

- A disastrous event affects the datacentres and destroys part of them; it can be either a natural disaster (earthquake, flooding, storm, etc.) or a fire due to a physical malfunction;
- The railway servers supporting the IT systems are physically destroyed;
- The main IT systems are unavailable, leading to a disruption of all IT-supported services: corporate and support, sales and customer relations, timetable construction systems, asset management;
- The back-ups stored in the datacentres are physically destroyed as well; data are thus lost, prolonging the disruption.

Impacts: Loss of information; Disruption of activities; Loss of revenue
Stakeholders: Railway undertaking; Infrastructure manager
Assets affected: IT systems in services and devices; Data, information and knowledge

Security Measures

High level security measures:
- NIS-RS.1 Business continuity management
- NIS-RS.2 Disaster recovery management
- NIS-PR.10 Physical and environmental security

Examples of specific measures:
- ISO27002-A.17.1 Information security continuity
- ISO27002-A.17.2 Redundancies
- NIST-RC.RP Recovery Planning (1)
- CLC/TS50701-SR 7.3 Control system backup
- CLC/TS50701-SR 7.4 Control system recovery and reconstitution
- CLC/TS50701-SR 7.5 Emergency power

[27] French Hosting and Cloud company
[28] See https:/

5. CYBERSECURITY MEASURES

Once risks have been identified and prioritised according to risk evaluation criteria in relation to the incident scenarios that lead to those risks, they should be treated via a risk treatment plan. Four options are usually proposed regarding risk treatment [29]: risk modification, risk retention, risk avoidance and risk sharing.

- Risk modification is modifying the level of risk by introducing, removing, or altering controls so that the residual risk can be reassessed as being acceptable. [30]
- Risk retention is accepting the risk without further action, if the level of risk meets the risk acceptance criteria. [31]
- Risk avoidance is avoiding the activity or condition that increases the particular risk. [32]
- Risk sharing is sharing the risk with another party that can most effectively manage the particular risk. [33]

As described in the ISO 27005 standard, these options must be selected based on the outcome of the risk assessment, the expected cost for implementing these options and the expected benefits from these options. At the end of the process, no risk exceeding the risk acceptance criteria should be left.

In order to reduce the identified risks to acceptable levels, appropriate security measures should be identified and prioritised. Security measur
219、es can be defined internally,using best practices and building a remediation plan tailored to the information system.However,a common practice is to use already-defined security measures published in security frameworks.These security frameworks often contain a list of controls or security requireme
220、nts.NIS Directive cybersecurity measures.The NIS cooperation group issued a list of security measures directed to OESs in a Reference document on security measures for Operators of Essential Services.The purpose of this list is“to provide Member States with a clear and structured picture of Member S
221、tates current and often common approaches to the security measures of OES”.34 The document examines a high number of domains where cybersecurity measures should be applied.For each domain,it gives a set of broad measures alongside their definitions(Figure 14).These domains and measures could be used
222、 as the first basis for the risk treatment plan and complemented with measures from the CLC/TS 50701 regarding the OT cybersecurity and ISO/IEC 27002 security measures for IT cybersecurity.Indeed,during the workshops,it was discovered that RUs and IMs often choose a two-step approach,by selecting a
223、general framework for IT cyber risk treatment and complementing it with a more detailed,industry-driven one for the OT cyber risk treatment.ISA/IEC 62443 and CLC/TS 50701 are among the main references used for OT cybersecurity.For IT risk frameworks,NISD national security requirements,ISO27002 frame
224、work and the NIST Cybersecurity framework are among the more commonly used.Other less common frameworks have also been cited,such as the SANS Top 20 Critical Security Controls35,or the Forrester Information Security Model36.29 See for instance ISO 27005,chapter 9 Information security risk treatment
225、30 See ISO 27005,chapter 9.2 Risk modification 31 See ISO 27005,chapter 9.3 Risk retention 32 See ISO 27005,chapter 9.5 Risk avoidance 33 See ISO 27005,chapter 9.5 Risk sharing 34 Reference document on security measures for Operators of Essential Services,p.5 35 A list of 20 actions for cyber defenc
226、e,that are close to the NIST 23 categories,and published by the SANS Institute,an organisation that provides information,resources,and training regarding cybersecurity.36 A security model declined in 123 security components(controls)divided into 25 functions and 4 domains has been cited.It is publis
227、hed by the market research company Forrester.RAILWAY CYBERSECURITY November 2021 29 Figure 14:Domains of security measures for OESs(NIS Cooperation Group,2018)The ISO/IEC 27002 standard and Annex A of ISO2001 describe requirements for information security management and a set of security controls37.
These controls are organised in 12 categories[38]:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Operations security
- Communications security
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance

Similar to the NIS Directive security measures, ISO 27002 could be used as a basis for the risk treatment plan, and complemented with additional national security requirements, while OT systems could be complemented with CLC/TS 50701. Some measures from the NIST framework could also be used as they can be described in more detail.

The NIST Cybersecurity framework is accompanied by an exhaustive list of requirements. They are classified according to five functions (Identify, Protect, Detect, Respond, Recover) and 23 categories. Each of these categories contains a list of precise security requirements (over 900 in total). Those controls are also mapped against the ISA 62443 series and the ISO/IEC 27001:2013. The framework is quite detailed and focuses primarily on IT security. The NIST cybersecurity framework can be used as is and complemented by CLC/TS 50701 for OT railway systems requirements, or it can be used to complete other generic frameworks or standards, such as the ISO 27001 or the NIS Directive security requirements.

CLC/TS 50701 is based on or derived from IEC 62443 series standards. The purpose of the TS “is that, when a railway system is compliant to this TS, it can be demonstrated that this system is at the state of the art in terms of cybersecurity, that it fulfils its targeted Security Level and that its security is maintained during its operation and maintenance.” It is best suited for industrial systems and designed specifically for the railway sector, as it applies to the Communications, Signalling and Processing domain, the Rolling Stock domain and to the Fixed Installations domain. It contains a list of security requirements for the OT components and services of the railway sector and thus should be completed with a more generic approach, such as the ISO 27001, the NIST Cybersecurity Framework or the NIS Directive.

[37] https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_iso27001.html
[38] ISO/IEC 27001 Standard - Information technology - Security techniques - Information security management systems - Requirements, p. 9

5.1 APPLYING CYBERSECURITY MEASURES

To help stakeholders implement the security measures, workshops were conducted with relevant experts and institutions to discuss challenges, priorities, and best practices. The purpose was to gather concrete feedback on the risk treatment plans.

Defining the list of measures that will be used was described as the top priority by the workshop attendants. To do so, operators draw a list of cybersecurity measures from known references. Assets' maturity is assessed against those measures, and measures that are not met are included in the list of security measures that must be applied to these assets. This list of security measures can also be used as a common basis for the manufacturers to implement minimum cybersecurity requirements by design or for security requirements to be included in contract specifications. To define the set of measures that will be used, organisations also assess the level of compliance with national cybersecurity requirements (primarily according to the NIS Directive, but also against other requirements stemming from laws on national security, transport security or critical infrastructure protection).

During the workshops, stakeholders highlighted the importance of awareness raising and training sessions (especially against top threats, such as ransomware and phishing) or email security to prevent phishing. On the latter, the protection of endpoints and network segregation is also a top priority to reduce the risk of propagation of such attacks. As for OT security, the emphasis is placed mainly on network segregation and access control for critical systems. Adaptation of legacy systems is also a concern and should be considered as a priority, but it is also a big challenge, considering the complexity of updating systems with long lifecycles. Additionally, particular emphasis is placed on incident response.

Finally, applied security measures are often challenged by external audits or penetration testing. Some organisations use third parties to conduct such assessments. The systems tested can belong to both the IT and OT domains. In addition to technical audits, governance audits can also be conducted, such as an ISO-compliance audit. Furthermore, business continuity and recovery and incident response plans can also be tested with crisis exercises.

A challenge cited by multiple RUs and IMs is the management of relationships with third parties and ensuring that the products and services supplied meet cybersecurity requirements. Often, compliance with NIS Directive security requirements does not apply to third parties. To engage more with the industry and to encourage the implementation of cybersecurity measures, one solution could be to design a baseline at EU level to make the manufacturers and providers align their systems' compliance. Common baseline requirements should be reflected in tenders to allow for competing solutions achieving similar security capabilities across Europe. However, when considering minimum baseline requirements, there are risks involved, such as the minimum baseline not changing while the threat landscape changes, or that these minimum-security requirements do not meet the risks of the organisation. The use of EU certification schemes for IT or OT cybersecurity (should these become available) could be also a way to assess whether such requirements are met by the industry.

Another challenge that was identified is continuity, i.e., ensuring that the security level remains adequate and that the risks are continuously monitored. To do so, regular reviews and compliance assessments are needed. Maintaining an up-to-date threat landscape for the railway sector is equally important.

An additional challenge is the separation between IT and OT, as it is often difficult to differentiate what is strictly OT from what is IT. In this case, it is difficult to know which controls to apply.

5.2 CYBERSECURITY MEASURES

To help stakeholders define cybersecurity measures, a list of controls from the NIS Directive has been mapped against various references (ISO27001, NIST CSF and CLC/TS50701[39]). It is up to the stakeholders to choose whether they will only select some measures from this list, use it as a basis for building their own list, or use it in entirety. Stakeholders should also remember that they may have to comply with national guidelines and specific national sectorial regulations. They should also verify which references apply to them and, if needed, complete the present list with the missing requirements.

[39] The security measures of CLC/TS 50701 are matching the measures described in IEC 62443-3-3:2013.

The mapping was done in two phases: first, the references were reviewed and the most relevant measures were put in front of the NIS Directive measures, keeping these measures as the starting point of the review. Then, the reverse operation was carried out: the measures from the references that had been removed in the first phase were added to the most relevant NIS Directive measures. This ensures that all NIS Directive measures have been covered, and that all the other referenced measures are integrated into the mapping.

An example of a security measure is included below. It includes measures under the NIS Directive domain: Protection and the category of “Identity and Access Management”. The two measures of this category, “Authentication and identification” and “Access rights”, are described according to the NIS Directive guidelines. They are then associated with relevant measures that can be found in ISO/IEC 27002, the NIST cybersecurity framework and CLC/TS50701.
A detailed list of security measures can be found in Annex C.

Table 1: Domain: Protection - Category: Identity and Access Management

Measure: NIS-PR.7 Authentication and identification
Description: For identification, the operator sets up unique accounts for users or for automated processes that need to access resources of its Critical Information System (CIS). Unused or no-longer-needed accounts should be deactivated. A regular review process should be established.
ISO/IEC 27002: A.9.1 Business requirements of access control; A.9.3 User responsibilities; A.9.4 System and application access control; A.9.4.2 Secure log-on procedures; A.9.4.3 Password management system
NIST CSF: PR.AC Identity Management, Authentication and Access Control (1, 4, 6, 7); PR.DS Data Security (5)
CLC/TS50701: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.3 - Account management; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.6 - Wireless access management; SR 1.7 - Strength of password-based authentication; SR 1.8 - Public key infrastructure (PKI) certificates; SR 1.9 - Strength of public key authentication; SR 1.10 - Authenticator feedback; SR 1.11 - Unsuccessful login attempts; SR 1.12 - System use notification; SR 1.13 - Access via untrusted networks; SR 2.1 - Authorisation enforcement; SR 2.2 - Wireless use control; SR 2.3 - Use control for portable and mobile devices; SR 2.4 - Mobile code; SR 2.5 - Session lock; SR 2.6 - Remote session termination; SR 2.7 - Concurrent session control; SR 5.2 - Zone boundary protection

Measure: NIS-PR.8 Access rights
Description: Among the rules defined in its systems security policy, the operator grants access rights to a user or an automated process only when that access is strictly necessary for the user to carry out their mission or for the automated process to carry out its technical operations.
ISO/IEC 27002: A.9.1 Business requirements of access control; A.9.2 User access management; A.9.4.4 Use of privileged utility programs; A.9.4.5 Access control to program source code
NIST CSF: ID.AM Assets management (5, 6); PR.AC Identity Management, Authentication and Access Control (1, 4, 6, 7); PR.DS Data Security (5); PR.PT Protective Technology (3)
CLC/TS50701: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.3 - Account management; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.6 - Wireless access management; SR 1.7 - Strength of password-based authentication; SR 1.8 - Public key infrastructure (PKI) certificates; SR 1.9 - Strength of public key authentication; SR 1.10 - Authenticator feedback; SR 2.1 - Authorisation enforcement

6. CONCLUSIONS

European RUs and IMs use a combination of good practices, approaches, and standards to perform cyber risk management for their organisations. This report gathers insights on these current practices in a single document and can assist railway undertakings and infrastructure managers in their efforts to apply them. It provides examples of reference material, such as available taxonomies of assets and threats, comprehensive threat scenarios derived from real incidents, and cyber risk mitigation measures derived from guidelines and standards. The report also highlights the challenges faced when applying such approaches. Most importantly, there is a lack of a single cyber risk management approach for railway organisations to cover both IT and OT in a unified manner.

IT vs OT risk management approaches. The differentiation between IT and OT in the railway sector is increasingly difficult and having discrete approaches and taxonomies for cyber risk management makes the issue more challenging. In many cases, it can be a complex process to identify which approach is better suited, whether a device can be considered IT or OT or which security measures and which standard should be applied. Having a more structured and unified approach with respect to cyber risk management would help the sector to harmonise, thus facilitating risk discussions between the different entities of the railway ecosystem. It can also enable more collaboration with the supply industry of the sector.

More harmonization and alignment of good practices. Future work could include further alignment of the sector-specific taxonomies and more guidance on the application of good practices. Wherever possible, further standardisation could be pursued, as this is also a request stemming from the railway supply industry, which advocates for more certification schemes at EU level. Significant sectoral challenges remain, including the cyber risk management of supply chains. This could be remedied with a regulatory approach encompassing the entire railway ecosystem under the same cyber risk management requirements. At present, key elements of the railway supply chain, both IT and OT, do not fall under the same European regulatory framework.

Keeping railway systems and cyber risk assessments up-to-date. Another significant issue specific to the sector is the plethora of legacy systems which add an additional degree of difficulty when managing cyber risk. At present, it is not possible to provide relevant recommendations to address the cybersecurity of legacy systems in the railway sector. It would be necessary to involve the railway industry in such an exercise. Additionally, even for newly developed systems, there is the need to ensure that the results of risk assessments remain current, that risks are continuously monitored, and that the security level remains adequate. Maintaining an up-to-date threat landscape for the railway sector could be a step in this direction.

Railway organisations lack a single cyber risk management approach to
cover both IT and OT in a unified manner

7. BIBLIOGRAPHY

CLC/TS 50701 Railway applications - Cybersecurity, 2021. https://www.en-standard.eu/clc/ts-50701-2021-railway-applications-cybersecurity/
Cyrail, 2018. CYRail Recommendations on cybersecurity of rail signalling and communication systems. September 2018. https://cyrail.eu/IMG/pdf/final_recommendations_cyrail.pdf
ENISA, 2016. ENISA Threat Taxonomy v 2016. https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/
ENISA, 2020. Railway Cybersecurity - Security measures in the Railway Transport Sector. November 2020. https://www.enisa.europa.eu/publications/railway-cybersecurity
ENISA, 2021. Minimum Security Measures for Operators of Essentials Services (tool). https://www.enisa.europa.eu/topics/nis-directive/minimum-security-measures-for-operators-of-essentials-services
IEC 62443-2-1:2010, Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program.
IEC 62443-3-3:2013, Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels.
ISO 31000:2018, Risk management - Principles and guidelines.
ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements.
ISO/IEC 27002:2013, Information technology - Security techniques - Code of practice for information security controls.
ISO/IEC 27005:2018, Information technology - Security techniques - Information security risk management.
ISO-IEC 62443 series. https://www.isa.org/intech-home/2018/september-october/departments/new-standard-specifies-security-capabilities-for-c
NIS Cooperation Group, 2018. Reference document on security measures for Operators of Essential Services. CG Publication 01/2018, February 2018. https://digital-strategy.ec.europa.eu/en/policies/nis-cooperation-group
NIST Cybersecurity Framework, 2018. Cybersecurity Framework Version 1.1, April 2018. https://www.nist.gov/cyberframework
RCA OCORA Eulynx CS Guideline, 2020. https://www.eulynx.eu/index.php/documents/rca/251-rca-publications
Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools. https://www.enisa.europa.eu/publications/risk-management-principles-and-inventories-for-risk-management-risk-assessment-methods-and-tools
UIC, 2018. Guidelines for cyber-security in railway, UIC-ETF, ISBN 978-2-7461-2732-6. https:/www.shop-
X2Rail-1 Start-up activities for Advanced Signalling and Automation Systems (2016-2018). https://projects.shift2rail.org/s2r_ip2_n.aspx?p=X2RAIL-1
X2Rail-1, 2019. Deliverable D8.2 - Security Assessment, rev. 2. https://projects.shift2rail.org/s2r_ip2_n.aspx?p=X2RAIL-1
X2Rail-3, Advanced Signalling, Automation and Communication System (IP2 and IP5) Prototyping the future by means of capacity increase, autonomy and flexible communication (2018-2020). https://projects.shift2rail.org/s2r_ip2_n.aspx?p=X2RAIL-3
X2Rail3, 2020. Deliverable D8.1 - Guidelines for railway cybersecurity part 1 Simplified Risk Assessment. December 2020. https://projects.shift2rail.org/s2r_ip2_n.aspx?p=X2RAIL-3

A ANNEX: ASSET DESCRIPTIONS

Table 1: Assets per device category

Assets | Description | Attribute | Reference[40]

Telecom
Radio transmission network | Radio network used for all railway processes: communication with trains, signalling, safety and security operations, logistics management, etc. | Network and communication systems | ENISA, 2020
Wired and wireless transmission network | Wired and wireless systems used for network communications in LAN or Internet connection. | Network and communication systems | ENISA, 2020
Operational telephone intercom | Telephone-related devices such as loudspeaker systems, walkie-talkies, etc. | Network and communication systems | ENISA, 2020
Mobile telephone devices (GSM) | GSM/GSM-R phone devices. | Network and communication systems | ENISA, 2020

IT&OT Infrastructure
Computer & server | Computers and servers used as support goods by all IT&OT systems. | IT systems | ENISA, 2020

Infrastructures and trackside
Automatic ticket distribution and verification infrastructures | Devices and equipment to distribute and control the tickets. | IT systems | -
CCTV (video surveillance) | Devices used for video surveillance of assets and people at risk. | OT systems | CLC/TS 50701
Fixed infrastructure detectors | Detectors such as track vacancy detectors, hot box detectors, avalanche detectors and fire detectors. | OT systems | CLC/TS 50701
Wayside equipment | Source and destination for information about approaching trains and their crews. | OT systems | -
Station signalling (automatic train protection, interlocking, radio block centre) | Equipment for station signalling regarding interlocking (safe setting of routes for trains by controlling signals, points, and the track vacancy), automatic train protection (ATP) or radio block centre (controls the movement authorities for the trains in an ETCS Level 2/3 system). | OT systems | CLC/TS 50701
Fixed communication tools (GSM-R, MSC/BSC) | Fixed devices to communicate with railway personnel and passengers. | Network and communication systems | CLC/TS 50701
Radio transmission relays | Relays antenna for radio communication. | Network and communication systems | CLC/TS 50701
Wired and wireless transmission internal network infrastructures | Equipment to support network communications. | Network and communication systems | CLC/TS 50701
Public Wi-Fi and internet accesses | Equipment to support public Wi-Fi and internet access. | Network and communication systems | CLC/TS 50701

On-Board
On-board detectors | Various on-board detectors such as ATP, fire detectors, alarms, anti-intrusion tools, diagnostics tools and energy metering. | OT systems | CLC/TS 50701
Driver tools | On-board physical infrastructures related to driver tools: traction, braking driver machine interface, train control management tools. Traction is the system responsible for train movement. The driver machine interface includes all the technological objects used to manage communications between the train and the driver (e.g., screens, buttons, handles, etc.). | OT systems | CLC/TS 50701
Radio transmission relays | On-board equipment that communicates with the networks and allows the train to communicate with corporate IT systems. | Network and communication systems | CLC/TS 50701
Wired and wireless transmission internal network infrastructures | On-board equipment used for wired or wireless transmission on internal network (Mobile Communication Gateway, cab radio). | Network and communication systems | CLC/TS 50701
Public Wi-Fi and internet accesses | On-board equipment giving the users access to internet (through Wi-Fi, for example). | Network and communication systems | CLC/TS 50701
On-board CCTV | Equipment supporting CCTV on the train (cameras, recording systems), used for video surveillance of assets and people at risk. | IT systems | CLC/TS 50701

[40] When a reference to a document is not given, the element was added based on the consultation with experts (workshops).

Table 2: Assets per service category

Assets | Description | Attribute | References[41]

Timetable construction
Commercial offer construction | Systems which allow commercial offers to be created for customers, including timetables for each train line (track usage for railway undertakers and commercial offers of train tickets for passengers or freight). | IT Systems | ENISA, 2020
Staff planning | Systems which allow the preparation of resource rosters (assets and staff), providing the staff planning for all people working in railway (drivers, controllers, railway worker, station employee, maintenance workers, etc.). | IT systems | ENISA, 2020
Resources booking | Systems which allow resource booking (locomotive, wagon, etc.). | IT systems | ENISA, 2020

Sales, distribution, and customers relations
Marketing | Systems that allow the management of customer relations (e.g., claims, loyalty cards, marketing campaigns). | IT systems | ENISA, 2020
Booking management | Systems enabling customers to buy tickets or book a train seat, including commercial websites and applications. | IT systems | ENISA, 2020
Automatic fare collection | Systems enabling the automatic collection of customers' fares. | IT systems | ENISA, 2020

[41] When a reference to a document is not given, the element was added based on the consultation with experts (workshops).

Network allocation systems
Operation planning construction | Systems enabling RUs to construct and plan operations and to inform the IMs of any special characteristics of trains or loads (e.g., dangerous goods, oversize). | IT systems | ENISA, 2020
Operation billing | Systems enabling IMs to apply costing policies to the RU for the use of the infrastructure. | IT systems | ENISA, 2020
Corridors booking | Systems enabling RUs to book infrastructure (corridors) to operate their trains on the network. | IT systems | ENISA, 2020

Assets management
Asset inventory | Systems enabling RUs and IMs to inventory their assets. | IT systems | ENISA, 2020
Logistics | Systems enabling RUs and IMs to manage their asset logistics. | IT systems | ENISA, 2020
Asset procurement | Systems enabling RUs and IMs to account for their assets (infrastructure, or trains for example), and to procure new assets. | IT systems | ENISA, 2020

Signalling
Remote monitoring | Systems used to direct railway traffic and oversee the monitoring of train locations on tracks. | OT systems | ENISA, 2020
Key management | Systems used to direct railway traffic and secure communication between trains. | OT systems | ENISA, 2020
Juridical recorder unit | Systems used to direct railway traffic and record events on trains complying with the ERTMS/ETCS standard. | OT systems | ENISA, 2020
Temporary speed restriction | Systems used to direct railway traffic and reduce the speed of rail traffic to ensure safe passage on unsafe sections of tracks. | OT systems | ENISA, 2020
Interlocking | Systems used to direct railway traffic and prevent conflict in signalling movements through an arrangement of tracks. It includes wayside systems that give information on approaching trains and their crews. | OT systems | ENISA, 2020
Automatic train protection | Systems which activate emergency brakes if train speed is faster than allowed. | OT systems | ENISA, 2020

Command-Control
Train control | Master system to control all train elements (speed, doors, etc.). | OT systems | ENISA, 2020
Automatic train control | System responsible for speed control in response to external inputs. | OT systems | ENISA, 2020
Automatic train supervision | Systems used to enable movement of trains and manage traffic loads. | OT systems | ENISA, 2020
Energy traction | System overseeing the supply of the electrified rail network. | OT systems | ENISA, 2020
Freight docking | Systems and services related to freight docking: loading and unloading of goods, cranes, and platforms management. | OT systems | -

Auxiliary
Energy | System overseeing the management of power delivery. | OT systems | ENISA, 2020
Heating, ventilating and air conditioning (HVAC) | System overseeing the management of heating, ventilation, and air conditioning. | OT systems | ENISA, 2020
Lighting | System overseeing the management of lighting. | OT systems | ENISA, 2020
Water | System overseeing the management of water. | OT systems | -
Escalator and elevator | System overseeing the management of escalators and elevators. | OT systems | -

Development
Bidding management systems | Bidding systems for the RU or IM to answer invitations to tender for train operations or infrastructure management. | IT systems | ENISA, 2020
Research and engineering systems | Centralise and coordinate research and engineering. | IT systems | ENISA, 2020

Passenger services
Passenger announcement | System overseeing the passenger announcement management. | IT systems | ENISA, 2020
Passenger information | System managing the passengers' general information about their trip: track number, time of arrival, delay, etc. | IT systems | ENISA, 2020
Passenger entertainment | System overseeing the management of passenger entertainment (internet access.). | IT systems | ENISA, 2020

Telecom
Operational time distribution system | System which synchronises the clocks of the different IT equipment (servers, workstations, etc.). | Network and communication systems | ENISA, 2020

Security
Access control | System allowing the control of physical access within buildings. | OT systems | ENISA, 2020
CCTV | Video-surveillance systems. | OT systems | ENISA, 2020
Network monitoring | Network intrusion detection systems to detect abnormal activities. | IT systems | ENISA, 2020
Cybersecurity | Devices and software allowing cybersecurity activities: surveillance (SOC), firewalls, Endpoint Detection and Response systems. | IT systems | ENISA, 2020

Safety
Fire detection | Systems managing fire detection within buildings, stations, or datacentres. | OT systems | ENISA, 2020
Emergency telephony and alerting | System managing operational communication and sending alerts in case of emergency. | OT systems | ENISA, 2020
Operations safety | Systems that keep operations safe and secure. | OT systems | ENISA, 2020

Maintenance
Asset inventory | Systems enabling RUs and IMs to create an inventory of their assets related to maintenance (parts, equipment, etc.). | IT systems | ENISA, 2020
Diagnosis | System overseeing direct diagnosis or tele-diagnosis with GSM communication from the train. | IT systems | ENISA, 2020
Maintenance scheduling | System scheduling and operating maintenance activities on track and trains. | IT systems | ENISA, 2020
Service provisioning | Systems enabling the provision of maintenance equipment. | IT systems | -

Corporate & Support
IT ticketing systems | IT ticketing systems to create and attribute tickets detailing IT users' technical or help requests. | IT systems | ENISA, 2020
Resource allocation systems | System overseeing the management of allocation of resources used by RUs and IMs to perform usual business. | IT systems | ENISA, 2020
Documentation systems / Document management | System overseeing the management of documents (shared folders, SharePoint, OneDrive, etc.). | IT systems | ENISA, 2020
Alert escalation and crisis management | Process and system used in case of crisis, in order to escalate and manage the situation. | IT systems | ENISA, 2020
Administrative telephone systems | Administration of the telephone systems used by employees. | IT systems | ENISA, 2020
Administrative time distribution | Network Time Protocol (NTP) systems that provide time management for all systems. | IT systems | ENISA, 2020
Finance | Manages all financial aspects (accounting, consolidation). | IT systems | ENISA, 2020
HR | System for employee management: recruitment, pay, training, evaluation, etc. | IT systems | ENISA, 2020
IT-related (equipment, services) system supply | Vendor systems for IT services and equipment. | Supply chain | -

Table 3: Assets per physical equipment category (description)

Assets | Description | Reference[42]

On-Board
Doors | Sub-system that controls the train doors. | CLC/TS 50701
On-board lighting | On-board physical infrastructures related to lighting. Includes the electronics dedicated to ensuring correct illumination
324、 of railway cars both internally and externally;special case of external lighting are headlights.CLC/TS 50701 Heating,ventilating and air conditioning(HVAC)On-board physical infrastructuresrelated to heating,ventilating and air conditioning.This system provides crew and passengers with ambient comfo
325、rt conditions.CLC/TS 50701 Train Physical equipment of trains including embedded devices and their software.-Freight locomotives On-board physical infrastructuresrelated to freight locomotives.-Special wagons(Container transport,oil transport,refrigerated)On-board physical infrastructuresrelated to
326、special wagons.-On-board system supply On-board physical infrastructuresrelated to the system supply.-Infrastructure and trackside Energy systems supply Infrastructures that support providing energy to all facilities.-Tracks All physical equipment and infrastructures relatedto tracks.-Catenary Suppl
327、y of electric energy to trains.-42 When a reference to a document is not given,the element was added based on the consultation with experts(workshops).RAILWAY CYBERSECURITY November 2021 40 Assets Description Reference42 Train assembly facility Facilities where trains are assembled.-Stations-buildin
328、gs All buildings used for train stations.CLC/TS 50701 Other buildings(Administrative,facilities,)All building used for corporate,IT or OT purposes.-Electrical substations Physical infrastructures that support electrical substations.CLC/TS 50701 Level crossing Physical infrastructures supporting leve
329、l crossings.Protects the crossing area of rail and road traffic.CLC/TS 50701 Tunnels and bridges Physical infrastructures related to bridges or tunnels.Tunnels includes the electronics installed in railway tunnels to support tunnel specific infrastructure functions(e.g.,ventilation,alarm systems,fir
330、e and smoke detectors,fire extinguisher,etc.)Bridges includes the electronics installed in railway bridges to support bridge specific infrastructure functions(e.g.,monitoring systems,lift control,etc.).-Escalators and elevators Physical infrastructures related to escalators or elevators that allow p
331、assengers and employees to move in buildings and infrastructures.ENISA,2020 Lighting Physical infrastructures related to lighting.ENISA,2020 Water control Physical infrastructures related to water control(wells,etc.).-Fire management Physical infrastructures related to fire management(fire extinguis
332、her,etc.)-Freight docking platform Physical infrastructures related to freight docking platforms,allowing loading and unloading of goods.-Goods storage facilities Physical infrastructures related to goods storage(such as containers).-Heating,ventilating and air conditioning(HVAC)Heating and ventilat
333、ing equipment,providing crew and passengers with ambient comfort conditions.CLC/TS 50701 RAILWAY CYBERSECURITY November 2021 41 Table 4:People and data(description)Assets Description Data,Information and Knowledge Email Data used by email systems.Telephone Data used by telephone systems.Clients personal information Name,address,credit card information,usage,etc.Employee personal information Name,a