The SAFETY4RAILS project supports railway and metro system operators in mitigating risks against their critical infrastructures and increasing their resilience. Transport, and specifically rail and metro, is a category of critical infrastructure increasingly exposed to cyber, physical or combined cyber-physical threats. According to the 2021 EU Strategic Foresight Report, factors that could pose a risk to EU transport include climate change and other environmental challenges, security threats and terrorism, digital hyperconnectivity, and technological transformation.
Indeed, in the past, several terrorist attacks or attempts have targeted rail transport (e.g., the 2016 attack in Brussels; the 2005 attack in London; the 2004 attack in Madrid). Such attacks have become more sophisticated recently, targeting the digital components of rail or metro infrastructure (e.g., the ransomware attack against Trenitalia in March 2022). At the same time, natural disasters can also cause major disruptions and risks to passengers’ lives (e.g., the July 2021 floods in Belgium and Germany).
The security and safety of rail and metro infrastructure is therefore a key consideration for the EU and its Member States. In addition to the well-established EU rail safety framework (e.g., Directive 2004/49/EC), railway and metro system operators are also subject to a series of physical security and cybersecurity requirements as ‘critical’ or ‘essential’ entities. These requirements aim to guide operators in managing and mitigating the risks posed to their systems by cyber, physical or hybrid threats. In this environment, the SAFETY4RAILS project and its results can support operators in complying with their legal obligations.
A first relevant area for the SAFETY4RAILS project is the protection of critical infrastructure under EU law. Rail transport is identified as a ‘European critical infrastructure’ (ECI) sector under the current EU framework (Council Directive 2008/114/EC). The Directive recognises that rail transport is ‘essential for the maintenance of vital societal functions’ and requires operators of ‘European critical infrastructure’, i.e. infrastructure ‘the disruption or destruction of which would have significant cross-border impacts in at least two Member States’, to identify their critical assets as well as the security solutions implemented for their protection. Operators must include their conclusions in an ‘operator security plan’, which is assessed by the relevant authorities in their Member State, and regularly update it.
EU legislators have recently approved a proposed revision of the existing framework (proposed Directive on the resilience of critical entities), which will also affect the rail transport sector more broadly. The new framework will repeal the existing legislation, enlarge the sectoral scope covered and introduce more detailed obligations for operators in order to strengthen the resilience of critical entities. It will not be limited to infrastructure with cross-border impacts.
Specifically, it will require critical entities in EU Member States, such as railway and metro operators, to conduct risk assessments and take resilience-enhancing measures against all relevant man-made and natural non-cyber risks, as well as to notify disruptive incidents without undue delay to the relevant national authorities.
The proposed Directive enumerates a series of such resilience-enhancing measures, including:
- disaster risk reduction and climate adaptation measures;
- fencing, barriers and perimeter monitoring tools;
- implementation of risk and crisis management procedures and protocols and alert routines;
- business continuity measures and the identification of alternative supply chains;
- employee security management and training.
At this stage, the political agreement reached by the European Parliament and the Council is subject to formal approval by the co-legislators. Once agreed at the EU level, the Directive will enter into force 20 days after publication in the Official Journal and the measures outlined above will have to be transposed into national law within 21 months.
The EU is also paying particular attention to cybersecurity and cyber risk management, another area of importance for SAFETY4RAILS. Under the applicable framework (Directive 2016/1148), rail and metro operators are already recognised as operators of essential services and are obliged to take measures to manage the risks posed to the security of their network and information systems; to prevent and minimise any incidents and their impact on the network; and to notify competent authorities of such cyber-incidents.
This framework is also currently being reviewed by EU legislators under the proposed Directive on measures for a high common level of cybersecurity across the Union. The new rules will streamline and further specify the already existing obligations for railway and metro operators.
A notable addition is the fact that all risk management measures will have to be based on an ‘all-hazards approach’, aiming to protect both the network and information systems and their physical environment from incidents. The legislation is thus promoting measures to protect rail and metro infrastructure not only from cyber, but also from hybrid threats.
The new Directive enumerates the baseline of measures that railway and metro operators are obliged to take to comply with this obligation:
- risk analysis and information system security policies;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security;
- vulnerability handling and disclosure;
- testing and auditing to assess the effectiveness of cybersecurity risk management measures;
- use of cryptography and encryption;
- basic cybersecurity training.
Member States may also choose to oblige operators to certify certain ICT products, ICT services and ICT processes under specific European cybersecurity certification schemes, while having the right to encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.
The new Directive is currently awaiting formal approval from the EU legislators (expected in autumn 2022). Once adopted at the EU level, Member States will have to transpose the relevant measures into their national laws within 21 months.
In addition to this legislative framework, it is also worth mentioning that ENISA has published a report on ‘Railway Cybersecurity’, providing operators with good practices for cyber risk management approaches that are specifically applicable to the railway sector.
The contribution of SAFETY4RAILS
Against this background, SAFETY4RAILS fits into the wider framework of EU rail transport security.
The project has brought together in the SAFETY4RAILS Information System (S4RIS) platform a series of cutting-edge risk management tools that could assist railway and metro system operators in mitigating risks posed by cyber and physical threats in five phases: Identification, Prevention, Protection, Detection, Response and Recovery. Project partners have provided, among others, crowd monitoring (e.g., iCrowd), object detection (e.g., GANIMEDE), anomaly detection (e.g., CURIX and WINGSPARK), prediction (e.g., CAESAR and DATAFAN) and railway-component-specific risk assessment tools (e.g., SecuRail), as well as decision-support systems (e.g., RAM2), that could be used together to assist operators in complying with their legal obligations. The S4RIS platform could serve as an example of a multi-tool platform that addresses operators’ concerns as critical entities.
By the end of the project, SAFETY4RAILS will also have produced ethical guidelines for crisis communication, as well as a citizen’s engagement concept that could assist operators with implementing their own communication frameworks and training their personnel.
Through these contributions, SAFETY4RAILS acts as a stepping stone to support operators in complying with the legal obligations stemming from both current and future legislation.
July 2022 – EOS