Are Railways Lost In A Sea Of Cyber Security Standards?
Cyber security probably always has been a crucial part of modern railways, but within the last five years the focus on ensuring protection is in place is even more acute.
Share This Article:
Stop me if you have heard these before, ISO 27001, ISO 27002, IEC 62243, IEC 62664, NIST 800, CYRAIL EU 730843; and in New South Wales alone, T-MU-SY-10014-GU and T-MU-SY-10010-ST, just to name a few.
I am sure you could list several more sources of authority based on your specific use cases, within your regulatory environment or specific railway operations.
Cyber security probably always has been a crucial part of modern railways, but within the last five years, the focus on ensuring protection is in place is even more acute.
This is due to the increased reliance on digital systems running all parts of the railway, including the signalling control system, interlockings, automation of rolling stock, communication networks, asset condition monitoring, passenger information and asset data analysis where relevant in either heavy haul, light rail, heavy passenger rail and metro systems.
Further to that reliance, Governments have realised that the threat to these systems (defined in Australia as Critical Infrastructure) is becoming more present and are racing to change the regulatory environment to ensure that these risks are managed accordingly.
This article provides a quick update on some relevant new standards before running through an Australia-specific standard, which you may not remember exists.
50701:2021 The latest standard on the scene
Most recently CENELEC (Comité Européen de Normalisation Électrotechnique), or the European Committee for Electrotechnical Standardization, a body that is responsible for European standardisation in the area of electrical engineering, has released CLC/TS 50701 “Railway applications – Cybersecurity”.
This Technical Specification provides further improvements for the European railway sector to provide requirements and recommendations to manage cyber security in a unified way. The good news for us is that this can be utilised as a source of authority when it comes to implementing cyber security in a local context.
Some important parts of the standard are that it approaches cyber security in the context of the EN 50126-1 RAMS (Reliability, Availability, Maintainability, and Safety) lifecycle process. Many of the standards mentioned earlier do not focus on RAMS, meaning that this new standard offers a distinctive engineering approach to the discipline of cyber security.
The 50701 standard also provides a consistent approach to the management of the security of railway systems and so can be applied to the security assurance of systems and components or equipment developed independently of EN 50126.
Like existing IEC standards, 50701 applies models and concepts from which requirements and recommendations can be derived, making it suitable for ensuring that residual security risk is identified, supervised and managed to an acceptable level by the railway operator.
The standard does not address functional safety requirements for railway systems but instead provides requirements arising from threats and related security vulnerabilities. Each requirement contains specific measures and activities that need to be taken and managed throughout the lifecycle – very similar to the approach that IEC 62443 takes.
The aim of the standard is to ensure that the RAMS characteristics of railway systems and subsystems cannot be reduced, lost or compromised in the case of intentional attacks.
The security models, the concepts and the risk assessment process are based on or derived from the IEC 62443 series standards. It is also consistent with the application of requirements contained within IEC 62443-2-1, which is based on the ISO 27001 and ISO 27002 standards.
Having a safety and reliability focus as the primary drivers of this standard is an improvement on some of the more generic approaches to Industrial Automation and Control System (IACS) standards. It provides a more comprehensive application of security alongside the concepts of safety and reliability, both of which are paramount in a railway environment.
AS7770 the forgotten local standard?
Looking at local sources of authority, in 2018 the Rail Industry Safety and Standards Board (RISSB) developed AS7770 Rail Cyber Security. Like many of my colleagues, I was incredibly lucky to have participated in the development group of this standard, which was led by both industry and the Commonwealth through the now Cyber & Infrastructure Security Centre (CISC).
The standard details technology, risk, controls, impacts, safety and design principles from a national perspective, which cover the lifecycle of railway systems and the ongoing management of them by rail infrastructure owners and operators.
I would encourage all railway infrastructure and rollingstock owners and operators within Australia to re-visit AS7770 and other sources of authority to identify the best approach for your organisation.
With enough support by the professional community, AS7770 can be developed further to improve the focus on RAMS and Safety, as well as to consider the changes in legislation brought on by the to-be-amended Security of Critical Infrastructure Act (SOCI).
Still feeling lost? Our team of Rail and Critical Infrastructure specialists can help you navigate the maze of standards. Feel free to reach out to any of the Anchoram team for a no-obligation chat about your challenges and concerns.
Cyber security probably always has been a crucial part of modern railways, but within the last five years the focus on ensuring protection is in place is even more acute.
Share This Article:
Categories
Subscribe
Subscribe to our newsletter and get the latest news and information from Anchoram.