NIS Directive Is a Good Start for Railway Cybersecurity - But It's Not Enough

With 5,207 documented incidents and 7.8 billion records exposed, 2017 was a grim year for data security breaches – and things only seem to be getting worse.

As malicious actors continue to exploit vulnerable attack vectors, essential service providers like our railway systems are acutely exposed. Cyber-attacks on our railways and metros potentially jeopardize commuting and travelling services, productivity, and, above all, passenger safety.

While heightened consciousness regarding cybersecurity issues has inspired the creation of tools like the U.S. National Vulnerability Database – where known vulnerabilities are made public – the sharing of information regarding highly sensitive critical infrastructures like the railways is not so simple.

To address the unique vulnerabilities of such critical infrastructure systems, the European Parliament approved the Network and Information Systems (NIS) Directive in the summer of 2016. This directive gave EU member states until May 9, 2018 to translate the directive into nationwide regulations and procedures for achieving “a high common level of security of network and information systems” across the European Union. Member states will then have until November 9th to identify critical service operators to be governed by the new regulations.

Although the NIS Directive represents an essential step towards securing critical infrastructure, its shortcomings are palpable with regard to the rail industry.

Under the terms of the directive, member states must ensure that essential service operators notify authorities of cyber incidents “having a significant impact” on services – with an incident’s significance determined by the number of users affected, its duration, and its geographic spread.

Yet the nature of cyber-attacks is such that incidents which initially seem insignificant may quickly spiral into critical events. When a vulnerability is discovered, it can take months or even years to develop a patch, test for functionality and safety, and secure approval from the relevant authorities. In the meantime, though a known, common vulnerability exists, no solution is implemented.

How can we protect critical services like the railways? Continuously updated cybersecurity solutions are paramount. For the rail industry, a cyber solution tailored to the unique, connected technologies upon which the rails rely should provide ongoing risk and threat assessments, work seamlessly with legacy systems, and have the ability to respond in real-time to attempted infiltrations.

Such tailored solutions will help thwart malicious actors before they can compromise essential services. When threats do emerge, however, it is essential for stakeholders to be apprised of breaches from the detection stage forward.

Unfortunately, the NIS Directive emphasizes sharing information in the response stage, well after threats have been detected. A more proactive approach will better inoculate essential services providers against threats.

If a railway operator in one EU member state is compromised, informing relevant stakeholders upon detection of the breach will allow other rail operators in the EU to preempt similar attacks.

To its credit, the NIS Directive does feature language calling on member states to “take appropriate and proportionate technical and organizational measures” to manage cyber risks. Moreover, the directive makes clear that the guidelines it delineates represent only a minimum set of requirements, and that member states are free to implement more stringent standards.

Ultimately, the directive’s effectiveness will be evaluated according to the strength of the national laws imposed by member states. Research by Deloitte highlights encouraging signs, including a draft law in the Netherlands that would impose fines of up to €5 million on violators.

Even outside the EU, the directive is likely to inspire new measures to safeguard critical services. The United Kingdom, currently negotiating its exit terms with the EU, has announced that critical services providers failing to demonstrate strong cybersecurity systems will face fines as high as £17 million. These measures will provide powerful incentives for service providers to deploy sophisticated cyber defenses.

Moving forward, EU member states as well as regulators worldwide should implement robust information-sharing protocols from the detection stage onward; evaluate operators’ cyber defenses according to how nimble they are and whether they can continuously update themselves in response to new and emerging threats; and stress the importance of cyber solutions that reflect specific needs of different service providers.

What works for healthcare systems will not translate directly into a railway environment, given the vastly different legacy and connected technologies underpinning the rails. Much work remains to be done on these crucial fronts, but the NIS Directive deserves three cheers for getting the train wheels rolling.