Last week’s CyberSecurity4Rail conference, held in Brussels for senior members of the rail industry and information security experts, has strongly endorsed the formation of a sector-driven pan-European Rail ISAC (Information Sharing and Analysis Centre). Conference speakers and delegates heard wide-ranging debate on how to effectively combat cyber-crime and cyber-attack and the panel sessions revealed a strong consensus for a structured approach to co-operation in the future.
The conference, held in Brussels on 4th October, was attended by over 120 experts from the railway, IT and cybersecurity industries. Sponsored and hosted by Hit Rail B.V., specialists in the provision of secure cross border connectivity and interoperability solutions in the railway sector, it provided a platform for speakers, panellists and conference participants to be able to consider the current cyber security landscape, legislative responses within the EU and how the railway industry can cooperate to respond more effectively.
It also formed the basis for conference participants to be able to consider and debate on their support for the proposal for a EURail-ISAC and how this might be set up with the support of organisations such as ENISA (European Network and Information Security Agency). Discussions also centred around how this might be combined with initiatives in physical safety such as the Rail Common Occurrence Reporting System coordinated by ERA (European Union Agency of Railways), under an umbrella of shared concerns.
Antonio Lopez, General Manager of conference organisers Hit Rail B.V., said:
With so many senior representatives of rai bodies and experts in cyber security in one place at the same time, it made sense to discuss solutions on how best to cooperate. The speakers’ presentations, panel discussions and post-conference survey results revealed that most attendees were in favour of joint efforts and a common objective to maintain a cyber-secure Single European Railway Area (SERA) through the creation of an EU-wide ISAC.
The discussions were in response to the adoption in July 2016 by the European Parliament of a Directive on security of Network and Information Systems (the NIS Directive). This Directive requires Member States to designate National CSIRTs (Computer Security Incident Response Teams), which are also known as CERTs (Computer Emergency Response Teams). It also created a European cooperation group (EU-CSIRT Network), supported by ENISA, which will facilitate exchange of information between CSIRTs/CERTs concerning incidents within Member States and cross-border incidents.
The NIS Directive emphasises the need for operators of essential services and digital service providers to take appropriate security measures and to notify serious incidents to the relevant national authority (relevant CSIRT/CERT) when cyber security threats or breaches occur.
A full house at CyberSecurity4Rail in Brussels, 4th October
The CyberSecurity4Rail conference was an ideal occasion for progress to be made. The wide-ranging conference programme included presentations from senior representatives from across the industries, including representatives from two EU Directorates concerned with cyber security, Carlos Mestre-Zamarreño of DG-MOVE, and Dr Florent Frederix of DG-CONNECT. Speakers also included security expert Corrado Giustozzi of SELTA SpA, Dr Josef Doppelbauer from ERA, Dr Libor Lochman from the Community of European Railway and Infrastructure Companies (CER), Marie-Hélène Bonneau from the International Union of Railways (UIC), as well as Rossella Mattioli from ENISA and many senior information security officers from railway organisations and related industries. Hit Rail’s Technical Director Mick Haynes also gave a detailed presentation covering secure networks for collaborative services, and how a VPN can ensure secure traffic through segmentation of sensitive data away from other channels.
In his closing keynote, Carlo Borghini, Director of Shift2Rail concluded that the conference had been very constructive and he encouraged the attendees to take away the messages on how to collaborate together in practical ways, reducing replication and divergence, sharing innovation and combatting cyber threats.
Antonio Lopez, General Manager of Hit Rail, concluded:
We are delighted with the success of this conference. Demand for places meant we had to hire a bigger venue and we had an almost full house with 120 attendees on the day, demonstrating how important this topic has become for the industry. During the conference we made excellent progress, more than we as facilitators of the conference could have envisaged when we set out the initial concept. I am very encouraged by the spirit of cooperation and determination to combat the risks and fight back against the threats we all face in cyber security.
CyberSecurity4Rail is the third in a series of workshops that Hit Rail has held for the railway industry. For more information on the conference and its outcomes please visit the website at: https://www.hitrail.com/events/cyber-security-for-railways-conference-2017