Digitalisation of rail systems increases the cybersecurity threats to the IT systems of Rail Infrastructure Managers (IMs) and also of Railway Undertakings (RUs). At EU level, cybersecurity is regulated by Directive (EU) 2016/1148 on the ‘Security of Network and Information Systems’ (NIS). Under the NIS Directive, Member States have to develop contingency plans against cyberattacks. As IMs are identified as ‘operators of essential services’ and represent potential targets for cyberattacks, the application of measures according to the NIS Directive is compulsory. IMs also participate in the pan-European Rail ISAC (Information Sharing and Analysis Centre) Platform, whose objective is to develop and share best practices related to cybersecurity.
EIM in action
- EIM’s Working Group on ‘Cybersecurity’ (Cyber WG) deals with cybersecurity issues. It aims at advocating the importance of promoting security guidelines instead of mandatory measures due to the different security environments and IT landscapes in the EU.
- EIM promotes exchanges of information and best practices in cybersecurity amongst its members and the wider sector.
- EIM participates in RAILSEC and LandSec meetings of the EC to exchange on cybersecurity issues with other stakeholders.
- EIM coordinates with the sector, ERA, ENISA and DG MOVE to enhance the NIS Directive (NIS2), which aims to cover railways as an essential service.
EIM actions in 2021
- EIM responded to EU surveys on possible future cybersecurity actions.
- EIM and its members are actively participating in the RAIL ISAC Platform focusing on information and knowledge sharing in the field of cybersecurity.
- EIM participated in the LandSec and ENISA/ERA activities and webinars related to cybersecurity.
- EIM’s Cyber WG will continue to promote exchanges on best practice among its members on cybersecurity issues and practices.
- EIM’s Cyber WG will develop new initiatives to increase participation and exchanges both with other rail associations (CER and UNIFE) and in the Rail ISAC platform dedicated to cybersecurity. EIM will coordinate with other EU associations within Rail ISAC.
- EIM’s Cyber WG will work on the development of areas of common interest, such as cyber-risk management, incident response, skills and training, and awareness growth. This will also include ERTMS, in view of the growing digitalisation of the related framework.
Directive (EU) 2016/1148 of the European Parliament
Infrastructure security covers several aspects: terror attacks, vandalism, suicides and metal theft. Risk mitigation and exchange of best practice are crucial for all sensitive sectors, especially rail infrastructure. The development of terrorism during these last few years has had a significant impact on the perception of security of public transport systems. While no specific binding European legislation exists in this domain, best practices and an ‘Action Plan’ to improve the security of rail passengers are being developed at European level. Each Rail Infrastructure Manager (IM) ensures the security of its network.
EIM in action
- EIM’s Cybersecurity Working Group (Cyber WG) gathers security and cybersecurity experts who exchange on security and cybersecurity issues and measures.
- EIM advocates the importance of promoting proportional security guidelines instead of mandatory measures due to the different systems in the EU.
- EIM participates in the EU ‘RAILSEC’ meetings organised by the European Commission.
EIM actions in 2021
- EIM contributed to exchanges in the EC RAILSEC group on the major challenges for IMs related to the security of passengers during the COVID-19 pandemic.
- EIM provided input to the definition of the new EC voluntary Guidelines on rail security programmes and rail security plans. The guidelines provide advice to IMs and RUs on how to draft a company’s security programme taking into account the relevant national security strategy and the national security plan.
- The measures adopted so far by the European Commission are in line with the position promoted by EIM.
- The EC will approve the Guidelines and promote them vis-à-vis the Member States and rail stakeholders.
- The current mandate of RAILSEC expires at the end of 2021. EIM will contribute to the definition of the new mandate of this Group on rail security, which may also be extended to cyber threats.
- EIM will continue to promote the exchange of best practice between its members on security matters.
- EIM’s Cyber WG will also look to forge stronger links with other EIM groups, e.g. the business continuity group, to drive a coherent and holistic approach to rail resilience.