Railway operations: Lack of cybersecurity awareness

Source: Heise.de added 20th Nov 2020


With 472 billion passenger-kilometers and 430 billion ton-kilometers of freight traffic per year on 216,000 kilometers of active routes in Europe, the railway sector plays a large and rapidly growing role in transport. However, digitization poses major IT security challenges for the sector, the European cybersecurity authority Enisa has found.

In a report just released, the agency finds in the rail transport sector “an overall lack of cybersecurity awareness”. In addition, there are problems due to the complex operating technology used. Even the simplest security measures often cannot be fully implemented on operational systems. A change in awareness is therefore necessary in order to build up more specialist knowledge about IT security. Otherwise the digital transformation of the sector would come to nothing, which would reduce its competitiveness.

Cyber attacks on railway companies

The authors point to incidents that have already affected the sector. These include, for example, a 2015 denial-of-service attack in Ukraine and the WannaCry attack on Deutsche Bahn in 2017. Among other things, display boards were damaged. This year alone, a railway company in Great Britain struggled with a huge data leak of 146 million records on around 10,000 people who had used the free WiFi.

The Swiss rail vehicle manufacturer Stadler was hit by a malware attack in which the attackers stole internal documents and published them online, according to the study. The Spanish infrastructure manager Adif was also affected by a ransom demand.

A wide range of IT functionalities and networked devices related to the Internet of Things are currently being introduced into railway systems, the authors state. However, those responsible often did not procure and manage the technology properly. This leads to weaknesses.

Outdated systems slow down cybersecurity

With this report, Enisa assesses the implementation of the directive on network and information security (NIS) in the Member States. Over the years, the agency has worked closely with railway companies and infrastructure operators. In order to find out the state of affairs, the auditors carried out an online survey in the sector with 41 participants from 21 Member States, including Germany and Norway. 71 percent of the participants were operators of “essential services”.

In general, the authors found that the companies surveyed have a large number of legacy systems as well as a large number of devices and networks to be secured. Many of them are based on the state of the art of yesteryear and are now obsolete or outdated because of their long service life. This makes it difficult to bring them in line with current cybersecurity requirements. Furthermore, the systems are usually distributed over many train stations and tracks, which makes comprehensive control difficult.

The strong dependence on the supply chain does not make things any easier, the report says. With regard to system updates, patch and lifecycle management, the operators are dependent on their suppliers, external providers and other third parties. The cybersecurity awareness and the associated skills also varied among these.

In addition, according to the study, there are conflicts between different forms of security thinking. For example, with any update to introduce cybersecurity provisions, those responsible would have to ensure that mechanisms for the general protection of passengers remain intact. This requires additional time and money. In addition, those responsible are usually not trained in the area of IT security.

Between security and competitiveness

The authors emphasize the need to strike the right balance between cybersecurity, competitiveness and operational efficiency. There is a lot of cost pressure here, as customers otherwise resort to alternative means of transport such as the car or plane. Railways also required nationwide investment. If the security of IT systems is increased, data flows and the availability of the systems could be severely impaired.

53 percent of the essential service providers surveyed have implemented at least basic cybersecurity measures such as access control or system separation, according to the results. Procedures that require a higher level of technical expertise, such as encryption or the inclusion of industrial control systems, are, however, implemented to a lesser extent. Only 38 percent have at least partially defined safety indicators and set up a test procedure for them. 41 percent said they had examined their ecosystem, but only 31 percent had also examined the relationships with third parties.

Only 45 percent of the important operators had also configured their systems appropriately, the auditors found. Only 24 percent used cryptographic solutions. The participants also did not do well in the categories of defense and resilience. Better-positioned railway organizations, however, carried out emergency exercises to simulate cyber attacks.

Enisa also sees room for improvement in ERTMS, the European rail traffic control system for controlling signals and driving speed. It includes the ETCS security and control system, GSM-R radio data transmission and operating regulations. Some precautions for IT security are already included, but a detailed analysis of potential threats, attack vectors and the measures to be derived from them is still pending. Here too, software updates are “complex, expensive and time-consuming”. A few years ago, hackers had already identified attack surfaces around networked train control systems.

(olb)
