ENISA Report - Railway Cybersecurity - Good Practices in Cyber Risk Management

This document provides guidance on cyber risk management practices for the railway sector. It outlines steps for managing cyber risks, including developing taxonomies of railway assets and cyber threats. It also presents seven cyber risk scenarios based on real incidents and discusses cybersecurity measures derived from guidelines and standards. The goal is to assist railway organizations in applying effective cyber risk management processes.

RAILWAY

CYBERSECURITY
Good practices in cyber risk management

NOVEMBER 2021
0
RAILWAY CYBERSECURITY
November 2021

ABOUT ENISA

The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common
level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the
European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT
products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU
bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity
building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the
connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and
citizens digitally secure. More information about ENISA and its work can be found here: www.enisa.europa.eu.

CONTACT
To contact the authors, please use [email protected]
For media enquiries about this paper, please use [email protected].

AUTHORS
Theocharidou Marianthi, Stanic Zoran, ENISA

De Mauroy Louise, Lebain Loïc, Haddad Jules, Wavestone.

ACKNOWLEDGEMENTS
We would like to warmly thank all the experts that took part in our workshops and provided comments. Their
contributions and inputs were essential for the creation of this report.

ENISA would like to thank the European Railway Agency (ERA), the European Railway Information Sharing and
Analysis Centre (ER-ISAC) and UNIFE's cybersecurity working group for their support.

Andersson Johan A., Trafikverket
Boff Sacha, Banenor
Bos Stoffel, Prorail
Boss John, Prorail
Brouwer Riemer, Prorail
Cabral Pereira Mário Jorge, Infraestruturas de Portugal
Chatelet Thomas, ERA
Ciancabilla Attilio, RFI
Cosic Jasmin, DB Netz
De Visscher Olivier, ER-ISAC
Dyrlie Rune, Banenor
Fernandez Gonzalez Lola, Knorr-Bremse
Fritz Jérôme, CFL
Garcia Marta, UNIFE
Garnier Yseult, SNCF Reseau
Gomez Nieto Antonio, Adif
Hausman Francois, Alstom group
Houbion Catherine, Infrabel
Korving Evertjan, Prorail
Mager Joseph, NS
Magnanini Giulio, RFI
Meulders Philippe, CFL
Meyer Andreas, Selectron


Ooms-Geugies Klaasjan, NS
Pizzi Giorgio, Ministero Infrastrutture e Trasporti
Paulsen Christian, Siemens
Pouet Nicolas, SNCF Reseau
Remberg Tom, Banenor
Rodrigues Susano Ana Beatriz, Infraestruturas de Portugal
Thesse Eddy, Alstom group
Van den Bossche Peter, Infrabel
Van Zantvliet Dimitri, NS

LEGAL NOTICE

This publication represents the views and interpretations of ENISA, unless stated otherwise. It does not endorse a
regulatory obligation of ENISA or of ENISA bodies pursuant to the Regulation (EU) No 2019/881.

ENISA has the right to alter, update or remove the publication or any of its contents. It is intended for information
purposes only and it must be accessible free of charge. All references to it or its use as a whole or partially must
contain ENISA as its source.

Third-party sources are quoted as appropriate. ENISA is not responsible or liable for the content of the external
sources including external websites referenced in this publication.

Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information
contained in this publication.

ENISA maintains its intellectual property rights in relation to this publication.

COPYRIGHT NOTICE
© European Union Agency for Cybersecurity (ENISA), 2021
Reproduction is authorised provided the source is acknowledged.

For any use or reproduction of photos or other material that is not under the ENISA copyright, permission must be
sought directly from the copyright holders.

ISBN 978-92-9204-545-6, DOI 10.2824/92259


TABLE OF CONTENTS

1. INTRODUCTION 6
1.1 OBJECTIVES, SCOPE AND AUDIENCE 6
1.2 METHODOLOGY 7
1.3 STRUCTURE OF THE REPORT 7

2. CYBER RISK MANAGEMENT 8
2.1 RISK MANAGEMENT STEPS 8
2.2 RISK MANAGEMENT APPROACHES FOR THE RAILWAY SECTOR 9

3. RAILWAY ASSETS AND SERVICES 13
3.1 TAXONOMY 14

4. CYBER-RELATED THREATS 18
4.1 TAXONOMY 18
4.2 CYBER RISK SCENARIOS 20
4.2.1 Scenario 1 – Compromising a signalling system or automatic train control system, leading to a train accident 21
4.2.2 Scenario 2 – Sabotage of the traffic supervising systems, leading to train traffic stop 22
4.2.3 Scenario 3 – Ransomware attack, leading to a disruption of activities 23
4.2.4 Scenario 4 – Theft of clients’ personal data from the booking management system 24
4.2.5 Scenario 5 – Leak of sensitive data due to unsecure, exposed database 25
4.2.6 Scenario 6 – DDoS attack, blocking travellers from buying tickets 26
4.2.7 Scenario 7 – Disastrous event destroying the datacentre, leading to disruption of IT services 27

5. CYBERSECURITY MEASURES 28
5.1 APPLYING CYBERSECURITY MEASURES 30
5.2 CYBERSECURITY MEASURES 30

6. CONCLUSIONS 33
7. BIBLIOGRAPHY 34
A ANNEX: ASSET DESCRIPTIONS 35
B ANNEX: THREATS DESCRIPTION 42
C ANNEX: SECURITY MEASURES 45


EXECUTIVE SUMMARY

European railway undertakings and infrastructure managers systematically address cyber risks
as part of their security risk management processes, especially after the Network and
Information Security (NIS) Directive came into force in 2016. Addressing cyber risks in the
railway sector can raise entirely new challenges for railway companies who often lack the
internal expertise, organisational structure, processes or the resources to effectively assess and
mitigate them.

The nature of railway operations and the interconnectedness of railway undertakings,
infrastructure managers, and the supply chain requires all involved parties to achieve and
maintain a baseline level of cybersecurity. European RUs and IMs use a combination of good
practices, approaches, and standards to perform cyber risk management for their organisations,
as they need to assess cyber risks for all functions and for both OT and IT. This report gathers
insights on these current practices in a single document and can assist railway undertakings
and infrastructure managers in their efforts to apply them. It provides examples of reference
material, such as available taxonomies of assets and services, threat taxonomies, seven
comprehensive threat scenarios derived from real incidents, and available cyber risk mitigation
measures derived from guidelines and standards.

This report aims to be a reference point for current good practices for cyber risk management
approaches that are applicable to the railway sector. It offers a guide for railway undertakings
and infrastructure managers to select, combine or adjust cyber risk management methods to the
needs of their organisation. It builds upon the 2020 ENISA report on cybersecurity in the railway
sector (ENISA, 2020), which assessed the level of implementation of cybersecurity measures in
the railway sector.

This report provides actionable guidelines, lists common challenges associated with the
performance of the relevant activities, and outlines good practices that can be readily adopted
and tailored by individual organisations. Additionally, a list of useful reference material is
available, together with practical examples and applicable standards.


ABBREVIATIONS

ATP Automatic train protection
CCS Command, Control and Signalling
CCTV Closed-Circuit Television
CVSS Common Vulnerability Scoring System
CIO Chief Information Officer
CISO Chief Information Security Officer
CTO Chief Technology Officer
CSIRT Computer Security Incident Response Team
DoS/DDoS Denial of Service/Distributed Denial of Service
DSP Digital Service Provider
EC European Commission
ER-ISAC European Railway Information Sharing and Analysis Centre
ERTMS European Rail Traffic Management System
ETCS European Train Control System
EU European Union
GDPR General Data Protection Regulation
GSM/GSM-R Global System for Mobile Communications/GSM-Railway
HR Human Resources
HVAC Heating, ventilation, and air conditioning
ICS Industrial Control System
ICT Information and Communication Technology
IEC International Electrotechnical Commission
IM Infrastructure Manager
ISO International Organization for Standardization
ISP Internet Service Provider
ISSP Information System Security Policy
IT Information Technology
LAN Local Area Network
MS Member State
NIS Directive Directive on Security of Network and Information Systems
NIST National Institute of Standards and Technology
OES Operator of Essential Service
OT Operational Technology
PKI Public Key Infrastructure
RU Railway Undertaking
SOC Security Operations Centre
VLAN Virtual LAN
VPN Virtual Private Network


1. INTRODUCTION

Directive 2016/1148 (NIS Directive) is the first legislative document focusing on cybersecurity in the EU. It identifies
Operators of Essential Services (OES) in the railway sector as:

Infrastructure managers (IM), as defined in point (2) of Article 3 of Directive 2012/34/EU, include: “any person or
firm responsible in particular for establishing, managing and maintaining railway infrastructure, including traffic
management and control-command and signalling. The functions of the infrastructure manager on a network or part
of a network may be allocated to different bodies or firms”.

Railway undertakings (RU), as defined in point (1) of Article 3 of Directive 2012/34/EU, include: “any public or
private undertaking licensed according to this Directive, the principal business of which is to provide services for the
transport of goods and/or passengers by rail with a requirement that the undertaking ensures traction. This also
includes undertakings which provide traction only”. This also includes operators of service facilities as defined in point
(12) of Article 3 of Directive 2012/34/EU as “any public or private entity responsible for managing one or more service
facilities or supplying one or more services to railway undertakings”.

The NIS Directive requires IMs and RUs to conduct risk assessments that “cover all operations including the security
and resilience of network and information systems”. According to the NIS Directive, these risk assessments, along
with the implementation of appropriate mitigation measures, should promote “a culture of risk management” to be
developed through “appropriate regulatory requirements and voluntary industry practices”. This need for cyber risk
management in the European railway sector was also identified as a key priority by the participants of the ENISA-
ERA conference “Cybersecurity in Railways”, which took place online on 16-17 March 2021 and brought together
more than 600 experts from railway organisations, policy, industry, research, standardisation, and certification.

While some EU Member States (MS) have issued relevant national guidance to OESs on how to conduct cyber risk
assessments, most railway operators choose to adopt one of the different methodologies introduced by industry
standards. Indeed, there are currently varying approaches to tackle risk in the railway sector and for now, there is no
single approach that covers both information technology (IT) and operational technology (OT) cyber risks. This
document offers a guide to these different approaches, enabling railway operators to select, combine or adjust cyber
risk management methods to the needs of their organisation. It builds upon the 2020 ENISA report on cybersecurity
in the railway sector (ENISA, 2020), which assessed the level of implementation of cybersecurity measures in the
railway sector.

1.1 OBJECTIVES, SCOPE AND AUDIENCE

This report aims at providing railway stakeholders with applicable methods and practical examples on how to assess
and mitigate cyber risks. These good practices are gathered based on feedback from railway stakeholders and
include tools such as a list of assets and services, threat scenarios and a mapping of security measures. These
resources can be used as a basis for cyber risk management in railway companies. The study aims to be a reference
point to promote collaboration between railway stakeholders across the EU and to raise awareness of relevant threats.

This report is concerned with the European railway sector, and it covers cyber risk management applicable to both
the IT and OT systems of railway organisations. Other railway stakeholders such as rolling stock manufacturers and
component vendors are not considered in the scope of this report.

The primary target audience of this study includes people responsible for cybersecurity (CISOs, CIOs, CTOs, etc.)
within RUs and IM networks. This report aims to provide them with the means to understand their cybersecurity
ecosystem, assess the risks to their assets or services and manage them via appropriate cybersecurity measures. In
addition, the National Competent Authorities, who may wish to develop guidance for railway operators in conducting
cyber risk management, may consult this document to understand the current practices in the sector and potential
challenges.


1.2 METHODOLOGY
The report was created in cooperation with European IMs and RUs, in an iterative process with multiple rounds of
validation, as follows:

Step 1 - Definition of the project scope and identification of experts. The first step consisted of defining the
scope of the project and selecting subject matter experts whose input and insights could be considered for the
development of the report. The experts chosen are mainly RU and IM stakeholders in charge of cybersecurity, as well
as members of national and European agencies.

Step 2 - Desk research. During this step, extensive desk research for relevant documents in the context of the
project was conducted. The identified sources served as a reference to develop good practices, a list of assets and
threats, threat scenarios, and list of measures.

Step 3 - Series of workshops with selected subject matter experts. Four workshops were conducted to discuss
and validate the key findings of the study, namely the list of assets, list of threats, threats scenarios, and list of
measures. Additionally, the workshops were used as an opportunity to collect feedback on the challenges and good
practices of risk management in the railway sector. The 20 experts originated from 10 European railway companies
from Belgium, Germany, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, and Sweden. The European Rail
Information Sharing and Analysis Centre (ER-ISAC) was also represented in the experts’ pool.

Step 4 - Analysis of collected material and report development. The input collected from desk research and the
stakeholder workshops was analysed. Based on this analysis, the first draft of this report was developed.

Step 5 - Review and validation. The report was then validated by 24 experts (primarily RUs and IMs) from Belgium,
France, Germany, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, and Sweden, the ER-ISAC and the
UNIFE cybersecurity working group. The experts reviewed the report and provided comments and suggestions for
improvement. These were the basis for the final version of this document.

1.3 STRUCTURE OF THE REPORT

The report is organised in 6 chapters:

• Chapter 2 describes cyber risk management concepts and the current approaches identified for the railway
sector. It can help railway stakeholders to choose a risk management methodology.
• Chapter 3 contains a list of railway assets and services (definitions and taxonomy), along with guidelines on
how to identify those assets and services. Railway stakeholders can use this information to build their own
list of assets and services.
• Chapter 4 focuses on cyber threats, with a list of threats, their definitions and a list of risk scenarios
applicable to the railway sector. Stakeholders can use those tools to identify the main risks to their assets
and evaluate what should be prioritised for protection. The list of threats is useful for conducting risk
assessments, along with the abovementioned list of assets and services.
• Chapter 5 examines current cybersecurity measures based on EU guidelines (NIS Directive) and
international standards. It can help stakeholders to define a risk management plan.
• Chapter 6 offers some concluding remarks.


2. CYBER RISK MANAGEMENT

The purpose of this chapter is to outline the risk management approaches that were used in the study and are
applicable to the railway sector. Many definitions and concepts exist, thus making it difficult to choose one that is
most relevant to the individual’s case. To ensure a common risk management frame, this document proposes a set of
definitions and principles extracted from ISO 31000:2018 “Risk management – Principles and guidelines”, ISO-IEC
27005:2018 “Information security risk management” and the ISO-IEC 62443 series.

The information security risk management process is the coordination of activities to direct and control an
organisation with regard to risk. It consists of context establishment, risk assessment, risk treatment, risk acceptance,
risk communication, and risk monitoring and review. The process can be iterative for the risk assessment and/or risk
treatment activities. An iterative approach to conducting risk assessment can increase the depth and detail of the
assessment at each iteration. It also provides a good balance between minimising the time and effort spent in
identifying controls and ensuring that high risks are appropriately assessed.

As mentioned in the ISO 31000 principles chapter, risk management is not a stand-alone activity that is separate from
the main activities and processes of the organisation. Risk management is part of the responsibilities of management
and an integral part of all organisational processes, including strategic planning and all project and change
management processes.

For terms and definitions, please consult ISO 31000:2018 “Risk management – Principles and guidelines” and ISO-IEC
27005:2018 “Information security risk management”.

2.1 RISK MANAGEMENT STEPS

ISO 27005:2015 defines a risk management process which integrates all the key activities necessary to deploy a risk
management methodology.

Figure 1: Risk management

The first step of launching a risk management process is establishing the context, both external and internal. It
involves setting the basic criteria necessary for information security risk management (approach, risk evaluation
criteria, impact criteria and risk acceptance criteria), defining the scope and boundaries (ensuring that all relevant
assets are taken into account in the risk assessment), and establishing an appropriate organisation to manage
information security risk.

The second step is launching a risk assessment, i.e., quantifying or qualitatively describing risks and enabling
managers to prioritise them according to their perceived seriousness or other established criteria. The risk
assessment consists of three distinct tasks:

• Risk identification, to determine what could happen to cause a potential loss and to gain insight into how,
where, and why the loss could occur.
• Risk analysis, to understand the nature of the risk and to determine the level of risk. A risk analysis
methodology may be qualitative, quantitative, or a combination of both depending on the circumstances.
• Risk evaluation, to compare the level of risks against risk evaluation criteria and risk acceptance criteria.
The purpose is to produce a list of risks prioritised according to risk evaluation criteria in relation to the
incident scenarios that lead to those risks.

The third step is the risk treatment, which consists of defining a list of controls to reduce, retain, avoid, or share the
risks. A risk treatment plan can then be defined; the risk treatment plan is elaborated in chapter 5 of this document.

The fourth step is risk acceptance, i.e., the decision to accept the risks and responsibilities for the decision. Finally,
a list of accepted risks with justification for those that do not meet the organisation’s normal risk acceptance criteria is
established.

The fifth step is the risk communication. Information about risks should be exchanged and/or shared between the
decision-maker and other stakeholders.

The final step is risk monitoring and review. It consists of monitoring and reviewing the risks and the various
factors (i.e., value of assets, impacts, threats, vulnerabilities, likelihood of occurrence) in order to identify any
changes in the context of the organisation at an early stage and to maintain an overview of all risks.

2.2 RISK MANAGEMENT APPROACHES FOR THE RAILWAY SECTOR

Workshops with relevant European railway sector stakeholders were conducted to identify the most common risk
management methods currently used by RUs and IMs. During these workshops, stakeholders indicated their chosen
methods. These methods are complemented or combined with other approaches to reach the desired level of
sophistication and to cover both IT and OT requirements for risk management. Their approaches are also linked to the
overall enterprise risk method used by the organisation and have to offer an adequate level of compliance with both EU
and national cybersecurity requirements. For RUs and IMs operating in multiple EU Member States (MS), national
requirements under the NIS Directive may not be fully harmonised, so these organisations face additional challenges in
compliance. For all EU RUs and IMs to meet the cybersecurity requirements of their national competent authorities,
support is needed from the railway industry. RUs and IMs rely on their suppliers, both for more accurate threat and
vulnerability analyses, but especially for implementing cybersecurity requirements.

Existing approaches are multiple and vary across railway companies, and they may differ in scope and level of
detail of analysis. For the risk management of railway IT systems, the most cited approaches were the requirements
of the NIS Directive at a national level, the ISO 2700x family of standards, and the NIST cybersecurity framework. For
OT systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail
project X2Rail-3, or the ones from the CYRail project. Those standards or approaches are often used in a
complementary way to adequately address both IT and OT systems. While IT systems are normally evaluated with
broader and more generic methods (such as ISO 2700x or the NIS Directive), OT systems need specific methods and
frameworks that have been designed for industrial train systems. For instance, the ISA/IEC 62443 standards are the
most cited frameworks used for specific OT assets and risk identification, while many contributors to this report
stated they intend to use the recently released CLC/TS 50701 in the future.


Stakeholders that participated in this study indicated that they use a combination of the abovementioned international
and European approaches to tackle risk management, which they then complement with national frameworks and
methodologies. Examples include the Dutch A&K analysis [1], the German BSI Risk Management Standard 200-3 [2]
and the French EBIOS Risk Manager method [3]. Moreover, other stakeholders designed their own modified versions
of methodologies based on existing frameworks.

Differences in the completeness of standards can also be addressed by building a bridge between the high-level
company risk assessment and the lower-level application or asset risk assessment. The generic frameworks and
standards can be used at the high level and the more technical or precise ones at the application and asset level.
The risks and measures issued at the end of each process are consolidated in a global risk mapping and risk
treatment plan.

A multitude of different approaches and methods have been recommended by national and international authorities
regarding cyber risk management. The following paragraphs analyse a sample of European and international good
practices.

ISO 27001, 27002 and 27005 standards. The ISO 2700x family are among the most used and cited standards for
information security. ISO 27001 is the standard dedicated to establishing, implementing, maintaining and continually
improving an information security management system within the context of the organisation. ISO 27001 and 27002
contain a list of requirements to consider when implementing a risk treatment plan and will be studied in more detail
in chapter 5 of the present document. ISO 27005 is focused on risk management. It is the one selected in the present
document as a reference for defining the risk management principles presented above. According to CLC/TS 50701
(see below), the ISO 27000 series can be applied to the business part of railway infrastructure, which primarily
includes IT systems.

NIS Directive Cooperation Group guidelines. In 2018, the NIS Cooperation Group [4] issued a “reference document”
which provides a summary of the Group’s main findings on cybersecurity measures for OESs (NIS Cooperation
Group, 2018). The reference document primarily covers the risk treatment phase of risk management. It does not
establish a new standard nor duplicate existing ones (e.g., ISO) but provides MS with a clear and structured picture of
their current and often common approaches to the security measures of OESs. Beyond OESs, this reference
document may be considered useful by other public or private actors looking to improve their cybersecurity. As it
focuses on security measures, it will be studied in more detail in chapter 5.

ISA/IEC 62443 standards. The ISA/IEC 62443 series of standards provides a framework to address and mitigate
security vulnerabilities in industrial automation and control systems (IACS). They describe both technical and
process-related aspects of industrial cybersecurity and provide a risk management approach, especially for OT
systems, which can be applied to OT used in the railway sector. In particular, the ISA/IEC 62443-3-2 standard, “Security
Risk Assessment, System Partitioning and Security Levels”, defines a set of engineering measures to guide
organisations through the process of assessing the risk of a particular IACS and identifying and applying security
countermeasures to reduce that risk to tolerable levels. A key concept is the application of IACS security zones and
conduits, which were introduced in ISA/IEC 62443-1-1, Concepts and Models. The standard provides a basis for
specifying security countermeasures by aligning the identified target security level with the required security level
capabilities set forth in ISA/IEC 62443-3-3, System Security Requirements and Security Levels.

[1] The method Afhankelijkheids- en Kwetsbaarheidsanalyse (A&K analysis) was developed in draft form by the Dutch public company RCC. The Dutch
Ministry of Internal Affairs completed its development in 1996 and published a handbook describing the method. The method has not been updated
since that time. The A&K analysis has been the unique and preferred method for risk analysis by Dutch government bodies since 1994. In addition to the
Dutch government, Dutch companies often use A&K analysis.
https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_dutch_ak_analysis.html
[2] With the BSI Standard 200-3, the BSI provides an easy-to-apply and recognised procedure which allows organisations adequate and targeted control
of their information security risks. The procedure is based on the elementary threats described in the IT-Grundschutz Compendium, on the basis of
which the IT-Grundschutz modules were drawn up.
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi-standard-2003_en_pdf.html;jsessionid=A26D9630FC3E530CDEECEACC00297837.internet461?nn=128620
[3] EBIOS Risk Manager (EBIOS RM) is the method for assessing and treating digital risks, published by the National Cybersecurity Agency of France
(ANSSI) with the support of Club EBIOS. It provides a toolbox that can be adapted, the use of which varies according to the objective of the project.
EBIOS Risk Manager is compatible with the reference standards in effect, in terms of risk management as well as in terms of cybersecurity.
https://www.ssi.gouv.fr/en/guide/ebios-risk-manager-the-method/
[4] The NIS Cooperation Group, composed of representatives of Member States, the Commission and ENISA, has been established under
the NIS Directive. It facilitates strategic cooperation between the Member States regarding the security of network and information systems.
https://digital-strategy.ec.europa.eu/en/policies/nis-cooperation-group

CLC/TS 50701. Building on ISA/IEC 62443, the Technical Specification CLC/TS 50701 was issued (CLC/TS 50701, 2021).
This European Technical Specification applies ISA/IEC 62443 to the railway sector. It applies to the communications,
signalling, processing, rolling stock and fixed installations domains. It provides references to models and concepts
from which requirements and recommendations can be derived and which are suitable to ensure that the residual risk
from security threats is identified, supervised, and managed to an acceptable level by the railway system duty holder.
CLC/TS 50701 can be used to define a list of OT components for the railway sector, and to build a list of OT-specific
security measures.

Shift2Rail Risk Assessment Methods (projects X2Rail-1 and X2Rail-3). Shift2Rail proposes a risk assessment
based on IEC 62443-3-2 (X2Rail-1, 2019; X2Rail-3, 2020). It proposes a common railway framework, which includes:

• Attacker landscape dedicated to railway
• Threat landscape dedicated to railway, based on ISO 27005, ENISA’s 2016 Threat Taxonomy and the BSI Threats
Catalogue
• Impact matrix
• Approach for high-level risk assessment and estimation of the security level targets based on the STRIDE
threat classification
• Process for detailed risk assessment.

Based on this common approach, Shift2Rail performed a risk assessment of a generic railway signalling system compliant with IEC 62443 and proposed target security levels for the different identified zones. X2Rail-3 proposed a simplified risk assessment approach in 2020 (X2Rail-3, 2020), which consists of the following workflow:

1. Description of the zone under assessment
2. Division of the assessment into six STRIDE threat domains5
3. Estimation of likelihood and impact
4. Risk computation
5. Security level mapping to risk level
6. Foundational Requirements6 security level mapping to six STRIDE threat domains security levels

CYRail recommendations on cybersecurity of rail signalling and communication systems. The EU-funded
project CYRail7 issued a guide published in September 2018 (Cyrail, 2018). This guide provides an analysis of
threats targeting railway infrastructures, in addition to the development of attack detection and alerting techniques,
mitigation plans and Protection Profiles for railway control and signalling applications to ensure security by design of
new rail infrastructures. It relies on the IEC62443 standard. The security assessment consists of the following 5
steps:

• Identification of the system under consideration (SUC)
• Performing a high-level cybersecurity risk assessment to identify the worst-case risks
• Partition of the SUC into zones and conduits and definition of the vulnerabilities
• Realisation of detailed risk assessment in each zone and conduit in 10 steps (identify threats, identify vulnerabilities, determine consequence and impact, determine unmitigated likelihood, calculate unmitigated

5 The STRIDE model is a threat model developed by Microsoft to identify computer security threats, as the first step in a proactive security analysis process. The next steps in the process are identifying the vulnerabilities in the implementation and then taking measures to close security gaps. The STRIDE model defines a threat as any potential occurrence, malicious or otherwise, that can have an undesirable effect on the system resources. STRIDE stands for 6 main threats: Spoofing of user identity, Tampering with data, Repudiation, Information disclosure (privacy breach), Denial of Service (DoS) and Elevation of privilege. A vulnerability is an unfortunate characteristic that makes it possible for a threat to occur. An attack is an action taken by a malicious intruder to exploit certain vulnerabilities to enact the threat. STRIDE was created to be applied to a specific system or during the development of a product; therefore, it is less relevant at a company level, as it does not encompass the whole risk management process. Nevertheless, it can be used within a more global methodology when defining the threats. https://docs.microsoft.com/en-us/archive/msdn-magazine/2006/november/uncover-security-design-flaws-using-the-stride-approach
6 According to IEC62443, security capabilities are organised according to seven Foundational Requirements (FR1 – Identification and Authentication Control, FR2 – Use Control, FR3 – System Integrity, FR4 – Data Confidentiality, FR5 – Restricted Data Flow, FR6 – Timely Response to Events, and FR7 – Resource Availability).
7 https://cyrail.eu/about-cyrail-project-1


cyber security risk, determine security level target, identify and evaluate existing countermeasures, re-evaluate likelihood and impact, calculate residual risk, document and communicate results)
• Documentation of the process

This guide is useful to conduct risk analysis within the railway sector, particularly on control and signalling
applications, using the IEC62443 standard.

EULYNX, RCA, and OCORA approach. EULYNX is a European initiative led by 13 IMs to standardise interfaces
and elements of signalling systems. EULYNX Reference Architecture defines the complete EULYNX system,
describing the overall architecture, cross-cutting architectural concepts, and all generic functions of the system.
Baseline Set 3 was completed in 20208.

RCA stands for Reference Control, Command & Signalling (CCS) Architecture. It is an initiative led by members of
the ERTMS Users Group (EUG) and EULYNX to define a harmonised architecture for the future railway CCS, with
the main goal of substantially increasing the performance/total cost of ownership (TCO) ratio of CCS. The RCA
Baseline Set 0 Release 1 was updated with the Cyber Security guidelines created by OCORA, RCA and EULYNX. It
defines a risk assessment process taking IEC 62443 and CLC/TS 50701 as security standards and gives an example
on how to apply it to trackside CCS. The following process is defined:

• Definition of system under consideration
• Initial zoning concept based on risk assessment
• Definition of attacker types
• Evaluation of the attackers' strength and motivation
• Supplementation of threats
• Sorting of threats into foundational requirements
• Definition of the initial security level per threat
• Entering the foundational requirement value into the vector of the preliminary zone
• Application of reduction factors to determine the final security level
• Application of the measures according to IEC62443

The focus of RCA is on the architecture of the CCS trackside. There is a similar initiative, named OCORA, which
addresses the architecture of the CCS on-board side9. It is a joint initiative by 5 European railway companies10 which
has been set up to define the architecture and interfaces for the next generation of on-board European Train Control
System (ETCS) systems.

UIC Guidelines for Cyber-Security in Railways. In 2018, the UIC ARGUS WG decided to produce an enforced document to provide specific guidance to the ‘Railway’ (UIC, 2018). This guidance document is designed to support the rail industry in reducing its vulnerability to cyber-attacks and to ensure the availability, integrity and confidentiality of railway systems and data at all times. The document has a particular but not exclusive focus on signalling and telecommunication within railways. The document is based on the ISO 27001 and 27002 standards and offers guidance specific to railways. It also describes common risk management steps such as: establishment of the security context, asset identification (primary and supporting), impact analysis (supported by operational impact scenarios), threat identification, selection of applicable threat scenarios, estimation of the risk level for each applicable threat scenario based on the likelihood and the impact of that threat scenario, selection of risk treatment options, and selection of a list of additional controls.

8 https://www.eulynx.eu/index.php/documents/published-documents/open-availability/baseline-set-3/257-20200623-eulynx-documentation-plan-eu-doc-11-v3-4-0-a/file
9 https://github.com/OCORA-Public
10 Deutsche Bahn (DB), Société nationale des chemins de fer français (SNCF), Nederlandse Spoorwegen (NS), Österreichische Bundesbahnen (ÖBB) and Schweizerische Bundesbahnen (SBB).


3. RAILWAY ASSETS AND SERVICES

For RUs and IMs to manage cyber risks, it is crucial that they identify their railway assets and services that need to
be protected. The railway sector is composed of multiple stakeholders who are responsible for their own
infrastructure, assets and services, but they are strongly interconnected and interact with one another to deliver
services. These interactions complicate risk assessment, because interdependencies between external stakeholders
or suppliers must be considered in the analysis. The list resulting from this identification of assets and services should
contain services the stakeholders have to deliver, and assets, such as devices, physical infrastructure, people and
data needed to support these services.

In addition, stakeholders may develop indicators to assess cyber risk impact on the availability, integrity and
confidentiality of these assets and services (e.g., number of users affected, economic impact, environmental impact,
recovery time objectives, etc.).

Eight essential high-level railway services have been considered during the 2020 ENISA study (ENISA, 2020):
• Operating traffic on the network
• Ensuring the safety and security of passengers and/or goods
• Maintaining railway infrastructure and/or trains
• Managing invoicing and finance (billing)
• Planning operations and booking resources
• Information for passengers and customers about operations
• Carrying goods and/or passengers
• Selling and distributing tickets.

Railway stakeholders can use various taxonomies as the basis to identify their key cyber-related assets and services and adapt them to their own operational environment. Based on the desk research and information collected during the workshops, the key point is to maintain an asset inventory for cyber-related assets. Assets should be identified and registered in the asset inventory based on the system they relate to, the service they support and the information they handle. As mentioned, interdependencies between systems and third-party hardware and software, vendors, or other stakeholders must be considered. They should be identified in the specifications of technical interface (and/or data exchange) requirements. Finally, the department/division responsible for cybersecurity should be included in procurement contract review and implementation to ensure cybersecurity is addressed.

The identification of all interdependencies of the systems can be a real challenge. This is the case for external dependencies, but also for internal dependencies. Specifically, IT and OT interdependencies are complex because their boundaries are increasingly blurred, and OT and IT have different levels of maturity in terms of cybersecurity. Maintaining an exhaustive inventory is complex as systems evolve fast, and the digitalisation of all processes adds more and more systems that must be considered. This is exacerbated by the fact that the people responsible for the inventory often lack knowledge of all the assets and rely on the systems engineers or security experts of the asset owner to maintain the inventory. Third-party-managed systems are also complicated to integrate in internal inventories due to this mix of responsibilities. To support this inventory, automated tools for asset management (identification, logging and monitoring) can be deployed, but the deployment of such tools requires strong interactions with systems that do not always support such interactions. For asset identification, IT/OT asset discovery tools can be deployed, but care needs to be taken during their configuration so as not to affect the performance of systems.
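A minimal asset-inventory model, added here as an illustration and not part of the ENISA report: each asset is registered with the system it belongs to, the services it supports, the information it handles, who operates it and which assets it depends on, so that the interdependency questions raised above (which services a supplier-managed asset exposes, where IT and OT meet) can be answered from the inventory itself. All asset, service and supplier names are constructed.

```python
"""Added example: a small cyber-asset inventory with dependency queries.
Not code from the ENISA report; asset, supplier and service names are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    system: str                                   # e.g. "Signalling"
    kind: str                                     # "IT", "OT", "Network" or "Supply chain"
    services: set = field(default_factory=set)    # services the asset supports
    information: set = field(default_factory=set) # data the asset handles
    operator: str = "internal"                    # who manages the asset
    depends_on: set = field(default_factory=set)  # names of upstream assets


class AssetInventory:
    def __init__(self):
        self.assets = {}

    def add(self, asset):
        self.assets[asset.name] = asset

    def validate(self):
        """Dependency references pointing at assets that were never registered;
        an empty list means every interdependency is itself inventoried."""
        return sorted((a.name, dep) for a in self.assets.values()
                      for dep in a.depends_on if dep not in self.assets)

    def dependents_of(self, name):
        """All assets that transitively depend on `name` (walk the reversed
        dependency graph)."""
        found, queue = set(), [name]
        while queue:
            current = queue.pop()
            for a in self.assets.values():
                if current in a.depends_on and a.name not in found:
                    found.add(a.name)
                    queue.append(a.name)
        return found

    def services_exposed_to(self, name):
        """Services that rely, directly or indirectly, on asset `name`."""
        impacted = self.dependents_of(name) | {name}
        return set().union(*(self.assets[n].services for n in impacted))

    def it_ot_boundaries(self):
        """Dependency edges that cross between an IT and an OT asset: the
        interfaces whose technical requirements the text says to specify."""
        edges = []
        for a in self.assets.values():
            for dep in a.depends_on:
                d = self.assets.get(dep)
                if d and {a.kind, d.kind} == {"IT", "OT"}:
                    edges.append((dep, a.name))
        return sorted(edges)

    def third_party_managed(self):
        """Assets whose operator is not the organisation itself."""
        return sorted(a.name for a in self.assets.values()
                      if a.operator != "internal")


def build_sample_inventory():
    """Constructed sample covering telecom, OT, IT and a cloud supplier."""
    inv = AssetInventory()
    inv.add(Asset("gsm-r-core", "Telecom", "Network",
                  services={"Operating traffic"}, operator="TelcoVendor-X"))
    inv.add(Asset("interlocking-A", "Signalling", "OT",
                  services={"Operating traffic", "Safety of passengers"},
                  information={"route commands"}, depends_on={"gsm-r-core"}))
    inv.add(Asset("tms-server", "Traffic management", "IT",
                  services={"Operating traffic", "Planning operations"},
                  information={"timetable"}, depends_on={"interlocking-A"}))
    inv.add(Asset("booking-db", "Booking", "IT",
                  services={"Selling tickets"},
                  information={"client personal data"},
                  operator="CloudProvider-Y"))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("unresolved dependencies:", inv.validate())
    print("services exposed via gsm-r-core:", inv.services_exposed_to("gsm-r-core"))
    print("IT/OT boundaries:", inv.it_ot_boundaries())
    print("third-party managed:", inv.third_party_managed())
```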


3.1 TAXONOMY
To help RUs and IMs choose which assets and services to include in their risk assessment, a comprehensive list has
been compiled. It is based on the systems’ list described in the ENISA Report - Railway Cybersecurity of 202011.
It has been constructed from existing literature, validated during interviews with railway stakeholders in 2020, and
enriched based on the feedback received during the 2021 workshops. It gives a robust and high-level overview of
railway assets, with relevant categories.

Other, more detailed taxonomies exist in the sector and have been reviewed in order to complement this list and align it (especially the names and associated descriptions) with other asset taxonomy approaches, such as the X2Rail Deliverables12, the RCA-OCORA-Eulynx Security Guideline13 and TS50701. Indeed, RCA, OCORA and Eulynx have created comprehensive asset architecture models specific to OT systems (on-board and trackside systems). They present assets at a more detailed level – up to the component level – and can be used for the risk assessment of a particular system, where such detail is required.

This list has been broken down into 5 areas: the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used.

Fourteen service categories, together with sub-categories, are defined and depicted in Figure 2. For each service listed in (ENISA, 2020), assets have been identified. These are based on the list of systems in (ENISA, 2020), desk research and CLC/TS50701, complemented with additions such as supply chain or freight assets. Supply chain assets refer to the assets provided by suppliers; as the present list may not be exhaustive, supplier threats can additionally be covered by defining a list of suppliers and applying specific measures to them. Freight assets are especially relevant as railways account for a significant amount of EU freight transport. They can be targeted by specific attacks that are more focused on financial gain rather than disruption or passenger safety.

In addition, each asset has been characterised according to the kind of resources the asset uses:
• IT systems: refers to all components, devices and software used to store and process the information and realise IT operations.
• OT systems: refers to all components, devices and software used to conduct physical railway operations.
• Network and communications systems: refers to all components and devices used to physically convey information fluxes.
• Supply chain: refers to the assets provided by suppliers.

Four device categories have been identified, namely:
• Telecom
• IT & OT infrastructure
• Infrastructures and trackside
• On-board

These categories indicate the systems to which the assets belong and are used to define the operation in which the asset is used: passenger comfort, signalling, corporate operations, etc. (see Figure 3).

Moreover, physical equipment can be found either on infrastructure and trackside (buildings, tracks, etc.), or on-board (trains, wagons, lighting, etc.) (see Figure 4).

Finally, the different categories of people that use these systems (clients or employees) and the different categories of data used by those systems are listed (see Figure 5).

These taxonomies can be used for developing an initial ontology-knowledge representation for the railway domain.
For detailed descriptions of these five areas of assets, please consult Annex A.

11 See https://www.enisa.europa.eu/publications/railway-cybersecurity
12 See X2R3-T8_3-D-SMD-004-06_-_Deliverable_D8.2-3c_Protection_profile___On-board_components and X2R3-T8_3-D-SMD-009-06_-_Deliverable_D8.2-3b_Protection_Profile_-_Trackside
13 See RCA Gamma published (eulynx.eu)


Figure 2: Railway Service categories


Figure 3: Railway devices


Figure 4: Railway Physical Equipment

Figure 5: People and Data


4. CYBER-RELATED THREATS

In the railway sector, compromised OT systems can affect passengers’ safety, cause a train accident, or interrupt
traffic. OT systems are usually more vulnerable than IT systems, in part due to a lack of cybersecurity awareness in
OT personnel, in part because they were not designed with cybersecurity in mind (long lifecycles of 30 years,
presence of legacy systems) and because they are less controlled and decentralised compared to IT systems. While
in the past they remained less exposed, often isolated from internet and other IT networks, they are now more and
more interconnected with classic IT systems, which makes them even more vulnerable and exposed to cyber threats.

RUs and IMs need to identify which cyber threats are applicable to their assets and services. One of the common
questions is whether threats, such as disasters, physical attacks, or outages, should be included or considered as not
being specific to the “cyber” ecosystem. Most stakeholders include them, as they can affect information security. If
they are not included, they should be considered in other risk management or business continuity management
processes of the company, and this must be agreed on when the threat taxonomy is being developed.

Another challenge faced by the railway sector is assessing the likelihood of a threat scenario. One would need to consider the level of capability required for an attack, the level of exposure of the targeted asset, and the intent of an attacker, all of which RUs and IMs may find difficult to assess accurately.

Several methods are proposed by the different cyber risk management frameworks. For example, X2Rail-314 proposes to rely on the Common Vulnerability Scoring System (CVSS). They have selected four CVSS exploitability metrics: Attack Vector (system exposure), Attack Complexity, Privileges Required and User Interaction. Levels for these metrics have been defined, and the resulting likelihood is calculated mathematically from them. Other methods are less quantitative but also simpler to apply, such as ISO27005, which combines the likelihood of occurrence of the threat (low, medium, high), the ease of exposure (low, medium, high) and the value of the asset (from 0 to 4) to calculate the likelihood of an incident scenario15. It is also very difficult to maintain this information because it changes over time as the threat landscape evolves.
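The two likelihood approaches contrasted above, as an added example in Python (not code from the report or from X2Rail-3): the CVSS v3.1 exploitability sub-score computed from the four metrics X2Rail-3 selects, and the ISO/IEC 27005:2011 Annex E.2 matrix that combines asset value, threat likelihood and what the standard calls ease of exploitation (the "ease of exposure" above). The CVSS weights and the 8.22 constant are the published CVSS v3.1 values; the Low/Medium/High banding of the CVSS score and the chaining of the two methods are assumptions made here, and the scenario inputs are constructed.

```python
"""Added example: likelihood estimation by CVSS exploitability metrics and by
the ISO/IEC 27005:2011 Annex E.2 risk matrix. Not code from the ENISA report
or from X2Rail-3; the banding thresholds and the scenario inputs are
assumptions constructed for illustration."""

# CVSS v3.1 exploitability metric weights (Scope: Unchanged).
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
PRIVILEGES_REQUIRED = {"N": 0.85, "L": 0.62, "H": 0.27}
USER_INTERACTION = {"N": 0.85, "R": 0.62}


def exploitability(av, ac, pr, ui):
    """CVSS v3.1 exploitability sub-score, 8.22 * AV * AC * PR * UI,
    rounded to one decimal; ranges from about 0.1 to 3.9."""
    return round(8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
                 * PRIVILEGES_REQUIRED[pr] * USER_INTERACTION[ui], 1)


def likelihood_band(score):
    """Assumed banding of the exploitability score into the three levels the
    ISO 27005 matrix expects (thresholds chosen here, not X2Rail-3's)."""
    if score >= 2.5:
        return "H"
    if score >= 1.0:
        return "M"
    return "L"


# ISO/IEC 27005:2011 Annex E.2, Example 1: level indices 0..2 for L/M/H.
LEVEL = {"L": 0, "M": 1, "H": 2}


def iso27005_risk(asset_value, threat_likelihood, ease_of_exploitation):
    """Risk measure 0-8 from the Annex E.2 matrix, which is equivalent to
    adding the asset value (0-4) to the two level indices (0-2 each)."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be in 0..4")
    return asset_value + LEVEL[threat_likelihood] + LEVEL[ease_of_exploitation]


def score_scenario(name, asset_value, threat_likelihood, av, ac, pr, ui):
    """Chain the two methods (a combination made here, not by either
    standard): the CVSS exploitability supplies the ease-of-exploitation
    level that Annex E otherwise asks the assessor to judge by hand."""
    expl = exploitability(av, ac, pr, ui)
    ease = likelihood_band(expl)
    return {"scenario": name, "exploitability": expl, "ease": ease,
            "risk": iso27005_risk(asset_value, threat_likelihood, ease)}


# Constructed inputs loosely mirroring two of the report's scenarios:
# a supplier database reachable from the internet without authentication,
# and signalling equipment reachable only by physical access with high
# skill and privileges required.
SCENARIOS = [
    ("exposed supplier database", 3, "H", "N", "L", "N", "N"),
    ("signalling via depot access", 4, "L", "P", "H", "H", "N"),
]


def score_all():
    """Score every constructed scenario with both methods."""
    return [score_scenario(*s) for s in SCENARIOS]


if __name__ == "__main__":
    for result in score_all():
        print(result)
```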

Finally, the railway sector faces challenges associated with supply chains. Security risks related to suppliers (e.g., remote access to the railway networks/systems) are less covered because of the heterogeneous and broad nature of the supplier landscape, but also because stakeholders do not have much control over the cybersecurity level of their suppliers and the cyber risks they may introduce. This area can be strengthened by making an inventory of all the suppliers, categorising them in terms of criticality (e.g., do they have access to a critical system, is there a strong interconnection between systems, do they manipulate sensitive data, etc.) and assessing the cybersecurity maturity of the most critical suppliers as a starting point.

4.1 TAXONOMY
RUs and IMs should decide on a list of threats to be used to perform their cyber risk analysis. There are several
threat taxonomies available, without a consolidated version being available. For a detailed mapping of railway threat
taxonomies, one can consult “Appendix to D8.2 Security Assessment: A mapping of threat landscapes” (X2Rail-1,
2019). This document maps various approaches to the proposed threat landscape by X2Rail-1 WP 8, which is based
upon the ISO 27005 threat landscape with some improvements for railways. The ISO 27005:2011 16, ENISA Threat
Taxonomy17 and BSI Threats Catalogues are mapped to the threats considered under the X2Rail-1 WP 8 Threat
landscape.

14 See X2Rail-3 Deliverable D8.1 Guidelines for railway cybersecurity
15 See ISO 27005, annex E, E.2 Detailed information security risk assessment
16 See ISO 27005, annex E, E.2 Detailed information security risk assessment
17 https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view


Figure 6: Threat taxonomy


To assist in this process, this report provides a comprehensive and tailored list of threats based on the 2016 ENISA
Threat Taxonomy18, as this is a more extensive list. It can be used as the basis to identify threats that apply in the
context of the company and to assess railway cyber threats. It has been simplified to better apply to railways, and to
ensure stakeholders can effectively use it. The resulting list of categories was reviewed and validated with experts
during dedicated workshops. The main categories are as follows:

• Disaster (natural, environmental)
• Unintentional damage / loss of information or IT assets
• Physical attack (deliberate / intentional)
• Failures / Malfunction
• Outages
• Malicious activity / Abuse

Each threat belongs to a category and is applicable to one or more railway assets. This taxonomy has been
represented graphically in Figure 6 and the threats are described in more detail in Annex B.

For an updated view of the current threat landscape, i.e. the current top threats, readers can consult the latest ENISA
Threat landscape report19. For a more detailed analysis of adversary tactics, the MITRE ATT&CK® knowledge base20
and the Common Attack Pattern Enumeration and Classification (CAPEC)21 can also be used.

4.2 CYBER RISK SCENARIOS
This section describes examples of cyber risk scenarios which can assist railway stakeholders when performing a risk
analysis. They show how the asset and threat taxonomies can be used together and were based on the known
incidents of the sector and the feedback received during the workshops. Each scenario is associated with a list of
security measures, detailed later in chapter 28, which will mitigate the risk of this scenario occurring, and are derived
from best practices. The following scenarios are described:

• Scenario 1: Compromising a signalling system or automatic train control system, leading to a train accident
• Scenario 2: Sabotage of the traffic supervising systems, leading to train traffic stop
• Scenario 3: Ransomware attack, leading to a disruption of activity
• Scenario 4: Theft of clients’ personal data from the booking management system
• Scenario 5: Leak of sensitive data due to unsecure, exposed database
• Scenario 6: Distributed Denial of Service (DDoS) attack, blocking travellers from buying tickets
• Scenario 7: Disastrous event destroying the datacentre facility, leading to disruption of IT services

18 See https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view
19 https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends
20 https://attack.mitre.org/
21 https://capec.mitre.org/


4.2.1 Scenario 1 – Compromising a signalling system or automatic train control system, leading to a train accident

Figure 7: Compromising a signalling system or automatic train control system, leading to a train accident

This scenario requires high motivation of the attacker and in-depth knowledge of railway systems and networks. It is
considered a low likelihood scenario. It has been included as the potential impact can be very high and this is one of
the primary concerns of railway stakeholders when considering cyber risks. A similar incident took place in the city of
Lodz, Poland in 2008 when an attacker managed to hack into a tram system.

Attack details

• An attacker gathers information (type of requests, IP address, etc.),
  o either by trespassing on railway undertaking train facilities (e.g., depots, maintenance centres, etc.),
  o or from a malicious employee,
  o or by using phishing to steal information from an employee;
• An attacker builds a device or software to command and control junctions and trains according to the gathered information;
• An attacker uses the device to control the junctions and the trains;
• An attacker provides false information to the system, leading to a major disruption or even a train accident.

Impacts:
• Train casualties
• Human casualties
• Disruption of activity
• Loss of reputation

Stakeholders:
• Railway undertaking
• Infrastructure manager

Assets affected:
• Automatic train control system
• Interlocking systems
• Tracks, trains
• Passengers

Security Measures

High level security measures:
• NIS - PR.10 Physical and environmental security
• NIS - GV.6 Human resource security
• NIS - PR.4 Cryptography
• NIS - PR.8 Access right
• NIS - DF.3 Logs correlation and analysis
• NIS - DF.1 Detection

Examples of specific measures:
• NIST - PR.AT Awareness & Trainings (1, 2, 3, 4, 5)
• CLC/TS50701 SR 1.2 - Software process and device identification and authentication


4.2.2 Scenario 2 – Sabotage of the traffic supervising systems, leading to train traffic stop

Figure 8: Sabotage of the traffic supervising systems, leading to train traffic stop

This scenario is a targeted attack using a specific Industrial Control System (ICS) malware to disrupt the traffic
supervising systems, thus leading to an urgent stop of train traffic. Such an incident has not yet occurred in the
railway sector. This scenario could also be applied to freight docking systems, and thus disturb or interrupt freight
activity.

Attack details

• An attacker introduces ICS malware through phishing emails sent to employees or through removable devices used on OT systems;
• The ICS malware propagates, takes over the system and gains remote access;
• The malware allows the attackers to easily communicate with the traffic supervising systems and remotely manipulate the system’s memory to inject shellcode, eventually injecting a payload that disrupts the traffic supervising systems;
• The traffic supervising systems stop, preventing supervision and leading to an urgent stop of train traffic.

Impacts:
• Temporary speed restriction
• Disruption of activity
• Loss of reputation

Stakeholders:
• Railway undertaking
• Infrastructure manager

Assets affected:
• Remote monitoring
• Interlocking
• Train control
• Automatic train protection
• Freight docking

Security Measures

High level security measures:
• NIS - GV.6 Human resource security
• NIS - PR.9 IT security maintenance procedure
• NIS - GV.5 Security Audit
• NIS - DF.1 Detection
• NIS - DF.3 Logs correlation and analysis

Examples of specific measures:
• NIST - PR.AT Awareness & Trainings (1, 2, 3, 4, 5)
• CLC/TS50701 - SR 3.2 - Malicious code protection
• CLC/TS50701 - SR 3.3 - Security functionality verification
• CLC/TS50701 - SR 3.4 - Software and information integrity


4.2.3 Scenario 3 – Ransomware attack, leading to a disruption of activities

Figure 9: Ransomware attack, leading to a disruption of activities

In 2021, ransomware attacks are considered the top threat scenario and are targeting the transport sector. In this case, the attacker infiltrates the information system, exploits a vulnerability, and deploys ransomware on a large number of assets. A similar incident happened in May 2017 when Germany’s Deutsche Bahn rail infrastructure was infected with the WannaCry ransomware22, leading to messages appearing on station information screens.

Attack details

• An attacker infiltrates the information system by phishing or stealing credentials;
• They scan the network for vulnerabilities, to exploit them and gather information;
• They discover vulnerabilities on systems (e.g. due to inadequate patch management);
• They deploy ransomware that encrypts the data on all vulnerable systems;
• The infected systems and devices cannot be used anymore;
• They demand a ransom in bitcoin within a limited time in exchange for the data to be decrypted;
• They further extort employees and customers by threatening to expose personal or confidential data.

Impacts:
• Disruption of activity
• Loss of data and information
• Loss of reputation
• Financial loss

Stakeholders:
• Railway undertaking
• Infrastructure manager

Assets affected:
• IT systems in services and devices
• Data, information and knowledge

Security Measures

High level security measures:
• NIS - PR.9 IT security maintenance procedure
• NIS - PR.2 System segregation
• NIS - PR.3 Traffic filtering
• NIS - GV.6 Human resource security
• NIS - DF.1 Detection
• NIS - DF.3 Logs correlation and analysis

Examples of specific measures:
• CLC/TS50701 - SR 3.2 Malicious code protection
• CLC/TS50701 - SR 3.4 - Software and information integrity
• CLC/TS50701 - SR 5.2 Zone boundary protection
• CLC/TS50701 - SR 5.1 Network segmentation
• NIST - PR.AT Awareness & Trainings (1, 2, 3, 4, 5)

22 See https://www.railtech.com/digitalisation/2017/12/11/wannacry-virus-was-wake-up-call-for-railway-industry/


4.2.4 Scenario 4 – Theft of clients’ personal data from the booking management system

Figure 10: Theft of clients’ personal data from the booking management system

This scenario is a targeted attack, where the attacker steals the identity of an administrator and is therefore able to connect to a cloud-based booking management system and exfiltrate customer data. A similar incident happened in November 2017, with Rail Europe North America (RENA) suffering a 3-month-long data breach23, and in January 2019, when China Railway’s official online booking platform suffered a massive data breach, with information later being sold on the dark web24.

Attack details

• Attackers identify and retrieve authentication data (credentials) to get access to useful systems:
  o by gathering information on railway systems through social engineering;
  o by identifying the targeted systems used for booking management and fetching the identity of the people using them;
  o once systems and their operators/users are identified, attackers launch phishing attacks to retrieve credentials to access those systems;
• The attacker accesses the system directly using the administrator credentials;
• They get unauthorised access to customer data and retrieve it;
• They leak the data or sell it.

Impacts:
• Tarnished reputation
• Regulatory sanction (GDPR)

Stakeholders:
• Railway undertaking

Assets affected:
• Booking management
• Clients’ personal information
• Passengers

Security Measures

High level security measures:
• NIS - GV.5 Security Audit
• NIS - PR.2 System segregation
• NIS - PR.3 Traffic filtering
• NIS - PR.7 Authentication and identification
• NIS - PR.8 Access rights

Examples of specific measures:
• NIST - PR.AT Awareness & Trainings (1, 2, 3, 4, 5)
• CLC/TS50701 - SR 1.1 Human user identification and authentication
• CLC/TS50701 SR 4.1 - Information confidentiality
• CLC/TS50701 - SR 5.1 Network segmentation
• CLC/TS50701 - SR 5.2 Zone boundary protection

23 See https://d3security.com/blog/data-breach-of-the-month-rail-europe-north-america/
24 See https://cyware.com/news/cyber-incidents-affecting-railways-a-threat-to-customer-data-a8d25ccc


4.2.5 Scenario 5 – Leak of sensitive data due to unsecure, exposed database

Figure 11: Leak of sensitive data due to unsecure, exposed database

This scenario is also related to data leakage, but the starting point here is a supplier with a low cybersecurity level.
The attacker uses this third-party weakness to exfiltrate sensitive data. A similar incident happened in February 2020
with a database of C3UK25, which offered Wi-Fi services to passengers in train stations. The database contained 146
million records, including personal contact details and dates of birth, and was exposed online without a password26.

Attack details

• A supplier providing services stores sensitive data (e.g., a marketing company that manages a marketing campaign, data from an open Wi-Fi service available at a train station) in an unprotected database, exposed on the internet, without a password and without encrypting the information;
• Hackers connect to the database and exfiltrate the information;
• The database contains personal information, such as email addresses, dates of birth, names, reasons to travel and travel arrangements;
• Hackers use the information for extortion attacks targeting employees and customers.

Impacts:
• Loss of users' data
• Regulatory sanction (GDPR)
• Tarnished reputation

Stakeholders:
• Railway undertaking

Assets affected:
• Data, information and knowledge (sensitive data: personal, email, telephone, commercial and financial, train/traffic, supply chain data, freight data, IT infrastructure with audit/logs, other IT systems data)
• People (passengers; employees - executives, drivers and all others)

Security Measures

High level security measures:
- NIS - GV.5 Security Audit
- NIS - GOV.7 Ecosystem mapping
- NIS - GOV.8 Ecosystem relations

Examples of specific measures:
- NIST - ID.SC Supply Chain Risk (1, 2, 3, 4, 5)
- ISO27002 - A.15 Supplier relationships
- CLC/TS50701 - SR 4.1 Information confidentiality

25. Wi-Fi for transport service provider
26. See https://www.bbc.com/news/technology-51682280
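The three exposure conditions of this scenario (datastore reachable from the internet, no authentication, no encryption) are exactly what a supplier assurance review checks before sensitive data is entrusted to a third party. The following Python audit is an added example and is not part of the ENISA report: the configuration keys are modelled on MongoDB-style settings (net.bindIp, net.tls.mode, security.authorization, security.enableEncryption), both configurations are constructed, and the risk levels are an assumed mapping chosen for this example, not one the report defines.

```python
"""Exposure audit for a supplier-operated datastore (added example, not from
the ENISA report).

The scenario describes a third-party database reachable from the internet
with no password and no encryption.  This check takes a service
configuration (modelled on MongoDB-style keys: net.bindIp, net.tls.mode,
security.authorization, security.enableEncryption) and reports the exposure
conditions a supplier-assurance review looks for.  The two configurations at
the bottom are constructed for illustration.
"""
import ipaddress

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def is_publicly_bound(bind_ip):
    """True if any comma-separated bind address could be reached from outside.

    Wildcards and any non-private, non-loopback IP count as public; bare
    hostnames other than "localhost" are assumed public, because they are
    resolved at runtime and the safe assumption is exposure.
    """
    for addr in (a.strip() for a in bind_ip.split(",")):
        if addr in WILDCARD_BINDS:
            return True
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            if addr.lower() != "localhost":
                return True
            continue
        if not (ip.is_private or ip.is_loopback or ip.is_link_local):
            return True
    return False


def audit_datastore(cfg):
    """Return the list of exposure findings for one datastore configuration."""
    net = cfg.get("net", {})
    sec = cfg.get("security", {})
    findings = []
    if is_publicly_bound(net.get("bindIp", "127.0.0.1")):
        findings.append("EXPOSED_LISTENER")          # reachable from the internet
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("NO_AUTHENTICATION")         # anyone who connects can read everything
    if net.get("tls", {}).get("mode", "disabled") != "requireTLS":
        findings.append("NO_TRANSPORT_ENCRYPTION")   # credentials and records in clear on the wire
    if not sec.get("enableEncryption", False):
        findings.append("NO_ENCRYPTION_AT_REST")     # a copied disk or backup is readable as-is
    return findings


def risk_level(findings):
    """Collapse findings into the level a risk register would record (assumed scale)."""
    if "EXPOSED_LISTENER" in findings and "NO_AUTHENTICATION" in findings:
        return "critical"   # the scenario's pattern: open to the internet and unauthenticated
    if "EXPOSED_LISTENER" in findings or "NO_AUTHENTICATION" in findings:
        return "high"
    if findings:
        return "medium"
    return "acceptable"


# Constructed supplier configuration "as found" (not a real system):
# listens on every interface, no authentication, no TLS, no encryption at rest.
WEAK_CONFIG = {
    "net": {"bindIp": "0.0.0.0", "port": 27017},
    "security": {},
}

# Constructed hardened configuration: loopback plus one private interface,
# authentication enabled, TLS required on the wire, encryption at rest.
HARDENED_CONFIG = {
    "net": {"bindIp": "127.0.0.1,10.20.30.40", "port": 27017,
            "tls": {"mode": "requireTLS"}},
    "security": {"authorization": "enabled", "enableEncryption": True},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_datastore(cfg)
        print(f"{name}: {risk_level(found)} {found}")
```

The bind-address test deliberately treats an unresolvable hostname as exposed: a review that cannot prove a listener is private should record it as public and ask the supplier for evidence, which is the conservative reading the scenario argues for.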


4.2.6 Scenario 6 – DDoS attack, blocking travellers from buying tickets

Figure 12: DDoS attack, blocking travellers from buying tickets

This scenario is a targeted attack, where the prerequisite for the attacker is to have built a botnet (a set of
compromised devices controlled by a hacker to perform their attacks). The attacker can then use the botnet to flood
devices with requests and make them unavailable. Another possibility to consider for a DDoS scenario is a non-targeted
attack, where the flood is aimed at an Internet Service Provider (ISP), thus affecting railway services that use this ISP.

Attack details

- An attacker has previously infected a number of computers, creating a botnet (a set of compromised devices controlled by a hacker to perform their attacks);
- The botnet is used to launch a DDoS attack on the railway networks: the networks and servers exposed to the internet are flooded with requests and connection attempts and thus shut down, unable to sustain the flow;
- All services and actions that need the internet-exposed devices are now unavailable: ticket-vending machines, sites or applications, and commercial websites. Passengers are unable to book tickets.

Impacts:
- Tarnished reputation
- Loss of revenue
- Disruption of activities
- Administrative and resource burden

Stakeholders:
- Railway undertaking

Assets affected:
- Booking management
- Automatic fare collection

Security Measures

High level security measures:
- NIS - DF.1 Detection
- NIS - DF.3 Logs correlation and analysis
- NIS - RS.1 Business continuity management
- NIS - RS.2 Disaster recovery management

Examples of specific measures:
- ISO27002 - A.17.1 Information security continuity
- ISO27002 - A.17.2 Redundancies
- CLC/TS50701 - SR 7.1 Denial of service protection
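Detection (NIS DF.1) and log correlation (DF.3) for this scenario come down to counting requests per source and in aggregate over a sliding time window: a loud bot is caught by the per-source limit, while a distributed flood in which no single bot is loud is caught only by the aggregate limit. The following Python detector is an added example, not code from the report; the access-log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Volumetric flood detection over web access-log lines (added example, not
from the ENISA report).

Lines are expected in Common Log Format.  Two sliding windows are kept: one
per source address and one for all traffic together, so that both a single
noisy source and a distributed flood of quiet sources are reported.  The
sample log at the bottom is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, source_ip) for a CLF line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def detect_flood(lines, window=timedelta(seconds=10), per_source_limit=20, total_limit=60):
    """Sliding-window request counting per source and in aggregate.

    Returns the flagged source IPs (sorted), the moment each first crossed
    the per-source limit, and whether the aggregate limit was crossed.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    per_source = defaultdict(deque)
    everyone = deque()
    flagged = {}
    aggregate_alarm = False
    for ts, ip in events:
        dq = per_source[ip]
        dq.append(ts)
        while ts - dq[0] > window:          # drop requests older than the window
            dq.popleft()
        if len(dq) > per_source_limit and ip not in flagged:
            flagged[ip] = ts                 # first moment this source crossed the limit
        everyone.append(ts)
        while ts - everyone[0] > window:
            everyone.popleft()
        if len(everyone) > total_limit:      # many quiet sources add up to one flood
            aggregate_alarm = True
    return {"flooders": sorted(flagged), "first_seen": flagged, "aggregate_alarm": aggregate_alarm}


def _line(ip, ts, path="/booking/search"):
    """Format one constructed CLF line for a successful GET."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def sample_log(with_botnet=True):
    """Constructed traffic: three ordinary clients, optionally three botnet members."""
    base = datetime(2021, 11, 15, 8, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):                                   # one request every 7 s per client
        for k, ip in enumerate(("203.0.113.5", "203.0.113.6", "198.51.100.9")):
            lines.append(_line(ip, base + timedelta(seconds=7 * i + k)))
    if with_botnet:
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            for n in range(30):                          # 30 requests in 5 s from each bot
                lines.append(_line(ip, base + timedelta(seconds=20 + n // 6)))
    return lines


if __name__ == "__main__":
    print(detect_flood(sample_log()))
    print(detect_flood(sample_log(with_botnet=False)))
```

The two limits are independent on purpose: tuning the per-source limit down to catch small bots would also catch legitimate bursts from a shared NAT address, whereas the aggregate limit is what the business continuity threshold (how many requests the booking front end can sustain) actually maps to.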


4.2.7 Scenario 7 – Disastrous event destroying the datacentre, leading to disruption of IT services

Figure 13: Disastrous event destroying the datacentre, leading to disruption of IT services

This scenario is the consequence of a disastrous event which leads to disruption of activity. The event (natural
disaster, fire, etc.) affects the datacentre and destroys part of it, leading to the physical destruction of IT systems and
thus a disruption of the activities that rely on these services. Depending on the redundancy strategy of the company (geo-
redundancy, cloud, external back-ups, etc.), the disruption can last more or less time. A similar incident happened in
March 2021 when OVH [27] had a fire in one of its datacentres, making millions of websites unavailable for days [28].

Attack details

- A disastrous event affects the datacentre and destroys part of it; it can be either a natural disaster (earthquake, flooding, storm, etc.) or a fire due to a physical malfunction;
- The railway servers supporting the IT systems are physically destroyed;
- The main IT systems are unavailable, leading to a disruption of all IT-supported services: corporate and support, sales and customer relations, timetable construction systems, asset management;
- The back-ups stored in the datacentre are physically destroyed as well; data are thus lost, prolonging the disruption.

Impacts:
- Loss of information
- Disruption of activities
- Loss of revenue

Stakeholders:
- Railway undertaking
- Infrastructure manager

Assets affected:
- IT systems in services and devices
- Data, information and knowledge

Security Measures

High level security measures:
- NIS - RS.1 Business continuity management
- NIS - RS.2 Disaster recovery management
- NIS - PR.10 Physical and environmental security

Examples of specific measures:
- ISO27002 - A.17.1 Information security continuity
- ISO27002 - A.17.2 Redundancies
- NIST - RC.RP Recovery Planning (1)
- CLC/TS50701 - SR 7.3 Control system backup
- CLC/TS50701 - SR 7.4 Control system recovery and reconstitution
- CLC/TS50701 - SR 7.5 Emergency power

27. French hosting and cloud company
28. See https://www.reuters.com/article/us-france-ovh-fire-idUSKBN2B20NU


5. CYBERSECURITY MEASURES

Once risks have been identified and prioritised according to risk evaluation criteria in relation to the incident scenarios
that lead to those risks, they should be treated via a risk treatment plan. Four options are usually proposed regarding
risk treatment [29]: risk modification, risk retention, risk avoidance and risk sharing.

- Risk modification is modifying the level of risk by introducing, removing, or altering controls so that the residual risk can be reassessed as being acceptable. [30]
- Risk retention is accepting the risk without further action, if the level of risk meets the risk acceptance criteria. [31]
- Risk avoidance is avoiding the activity or condition that increases the particular risk. [32]
- Risk sharing is sharing the risk with another party that can most effectively manage the particular risk. [33]

As described in the ISO 27005 standard, these options must be selected based on the outcome of the risk
assessment, the expected cost for implementing these options and the expected benefits from these options. At the
end of the process, no risk exceeding the risk acceptance criteria should be left. In order to reduce the identified risks
to acceptable levels, appropriate security measures should be identified and prioritised. Security measures can be
defined internally, using best practices and building a remediation plan tailored to the information system. However, a
common practice is to use already-defined security measures published in security frameworks. These security
frameworks often contain a list of controls or security requirements.

NIS Directive cybersecurity measures. The NIS Cooperation Group issued a list of security measures directed to
OESs in a Reference document on security measures for Operators of Essential Services. The purpose of this list is
“to provide Member States with a clear and structured picture of Member States’ current and often common
approaches to the security measures of OES” [34]. The document examines a high number of domains where
cybersecurity measures should be applied. For each domain, it gives a set of broad measures alongside their
definitions (Figure 14).

These domains and measures could be used as the first basis for the risk treatment plan and complemented with
measures from the CLC/TS 50701 regarding the OT cybersecurity and ISO/IEC 27002 security measures for IT
cybersecurity.

Indeed, during the workshops, it was discovered that RUs and IMs often choose a two-step approach, by selecting a
general framework for IT cyber risk treatment and complementing it with a more detailed, industry-driven one for the
OT cyber risk treatment. ISA/IEC 62443 and CLC/TS 50701 are among the main references used for OT
cybersecurity. For IT risk frameworks, NISD national security requirements, the ISO 27002 framework and the NIST
Cybersecurity Framework are among the most commonly used. Other less common frameworks have also been
cited, such as the SANS Top 20 Critical Security Controls [35] or the Forrester Information Security Model [36].

29. See for instance ISO 27005, chapter 9 Information security risk treatment
30. See ISO 27005, chapter 9.2 Risk modification
31. See ISO 27005, chapter 9.3 Risk retention
32. See ISO 27005, chapter 9.5 Risk avoidance
33. See ISO 27005, chapter 9.5 Risk sharing
34. Reference document on security measures for Operators of Essential Services, p.5
35. A list of 20 actions for cyber defence, close to the NIST 23 categories, published by the SANS Institute, an organisation that provides information, resources, and training regarding cybersecurity.
36. A security model broken down into 123 security components (controls) divided into 25 functions and 4 domains has been cited. It is published by the market research company Forrester.


Figure 14: Domains of security measures for OESs (NIS Cooperation Group, 2018)

The ISO/IEC 27002 standard and Annex A of ISO/IEC 27001 describe requirements for information security management
and a set of security controls [37]. These controls are organised in 12 categories [38]:

- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Operations security
- Communications security
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance

Similar to the NIS Directive security measures, ISO 27002 could be used as a basis for the risk treatment plan, and
complemented with additional national security requirements, while OT systems could be complemented with
CLC/TS 50701. Some measures from the NIST framework could also be used as they can be described in more
detail.

The NIST Cybersecurity Framework is accompanied by an exhaustive list of requirements. They are classified
according to five functions (Identify, Protect, Detect, Respond, Recover) and 23 categories. Each of these categories
contains a list of precise security requirements (over 900 in total). Those controls are also mapped against the ISA
62443 series and ISO/IEC 27001:2013. The framework is quite detailed and focuses primarily on IT security. The
NIST Cybersecurity Framework can be used as is and complemented by CLC/TS 50701 for OT railway system
requirements, or it can be used to complete other generic frameworks or standards, such as ISO 27001 or the
NIS Directive security requirements.

CLC/TS 50701 is based on or derived from IEC 62443 series standards. The purpose of the TS “is that, when a
railway system is compliant to this TS, it can be demonstrated that this system is at the state of the art in terms of
cybersecurity, that it fulfils its targeted Security Level and that its security is maintained during its operation and
maintenance.” It is best suited for industrial systems and designed specifically for the railway sector, as it applies to
the Communications, Signalling and Processing domain, the Rolling Stock domain and to the Fixed Installations
domain. It contains a list of security requirements for the OT components and services of the railway sector and thus
should be completed with a more generic approach, such as ISO 27001, the NIST Cybersecurity Framework or
the NIS Directive.

37. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_iso27001.html
38. ISO/IEC 27001 Standard - Information technology - Security techniques - Information security management systems – Requirements, p9

5.1 APPLYING CYBERSECURITY MEASURES
To help stakeholders implement the security measures, workshops were conducted with relevant experts and
institutions to discuss challenges, priorities, and best practices. The purpose was to gather concrete feedback on the
risk treatment plans.

Defining the list of measures that will be used was described as the top priority by the attendees of the workshops. To
do so, operators draw up a list of cybersecurity measures from known references. The maturity of assets is assessed against
those measures, and measures that are not met are included in the list of security measures that must be applied to
these assets. This list of security measures can also be used as a common basis for manufacturers to implement
minimum cybersecurity requirements by design, or for security requirements to be included in contract specifications.

To define the set of measures that will be used, organisations also assess the level of compliance with national
cybersecurity requirements (primarily according to the NIS Directive, but also against other requirements stemming
from laws on national security, transport security or critical infrastructure protection).

During the workshops, stakeholders highlighted the importance of awareness raising and training sessions
(especially against top threats, such as ransomware and phishing) and of email security to prevent phishing. On the latter,
the protection of endpoints and network segregation are also top priorities to reduce the risk of propagation of such
attacks. As for OT security, the emphasis is placed mainly on network segregation and access control for critical
systems. Adaptation of legacy systems is also a concern and should be considered a priority, but it is also a big
challenge, considering the complexity of updating systems with long lifecycles. Additionally, particular emphasis is
placed on incident response.

Finally, applied security measures are often challenged by external audits or penetration testing. Some organisations
use third parties to conduct such assessments. The systems tested can belong to both the IT and OT domains. In
addition to technical audits, governance audits can also be conducted, such as an ISO-compliance audit.
Furthermore, business continuity and recovery and incident response plans can also be tested with crisis exercises.

A challenge cited by multiple RUs and IMs is the management of relationships with third parties and ensuring that the
products and services supplied meet cybersecurity requirements. Often, compliance with NIS Directive security
requirements does not apply to third parties. To engage more with the industry and to encourage the implementation
of cybersecurity measures, one solution could be to design a baseline at EU level to make the manufacturers and
providers align their systems’ compliance. Common baseline requirements should be reflected in tenders to allow for
competing solutions achieving similar security capabilities across Europe. However, when considering minimum
baseline requirements, there are risks involved, such as the minimum baseline not changing while the threat
landscape changes, or that these minimum-security requirements do not meet the risks of the organisation. The use
of EU certification schemes for IT or OT cybersecurity (should these become available) could be also a way to assess
whether such requirements are met by the industry.

Another challenge that was identified is continuity, i.e., ensuring that the security level remains adequate and that the
risks are continuously monitored. To do so, regular reviews and compliance assessments are needed. Maintaining an
up-to-date threat landscape for the railway sector is equally important. An additional challenge is the separation
between IT and OT, as it is often difficult to differentiate what is strictly OT from what is IT. In this case, it is difficult to
know which controls to apply.

5.2 CYBERSECURITY MEASURES
To help stakeholders define cybersecurity measures, a list of controls from the NIS Directive has been mapped
against various references (ISO27001, NIST CSF and CLC/TS 50701 [39]). It is up to the stakeholders to choose
whether they will only select some measures from this list, use it as a basis for building their own list, or use it in its
entirety. Stakeholders should also remember that they may have to comply with national guidelines and specific
national sectorial regulations. They should also verify which references apply to them and, if needed, complete the
present list with the missing requirements.

39. The security measures of CLC/TS 50701 match the measures described in IEC 62443-3-3:2013.

The mapping was done in two phases: first, the references were reviewed and the most relevant measures were put
in front of the NIS Directive measures, keeping these measures as the starting point of the review. Then, the reverse
operation was carried out: the measures from the references that had been removed in the first phase were added to
the most relevant NIS Directive measures. This ensures that all NIS Directive measures have been covered; and that
all the other referenced measures are integrated into the mapping.
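Both the two-phase mapping just described and the maturity gap assessment of section 5.1 (the measures an asset does not meet are the ones to apply to it) can be carried out mechanically once the analyst's relevance judgements are recorded. The following Python is an added example, not the report's own mapping; the NIS Directive, ISO/IEC 27002, NIST CSF and CLC/TS 50701 identifiers are a small constructed subset, and the phase-2 choice of "most relevant NIS measure" for each leftover reference is an input supplied by the analyst, because it is a judgement the code cannot infer.

```python
"""Two-phase control mapping and gap assessment (added example, not from
the ENISA report).

Phase 1 starts from the NIS Directive measures and attaches the most
relevant reference measures.  Phase 2 takes every reference measure left
unmapped and attaches it to the NIS measure the analyst judged most
relevant, so that both sides end up fully covered.  The resulting mapping
then drives a maturity gap assessment: an asset meets a NIS measure when
every reference measure mapped to it is in place.  All identifiers are a
constructed subset; the phase-2 relevance choices are analyst input.
"""
from itertools import chain

# Constructed subset of NIS Directive measures (id -> title).
NIS_MEASURES = {
    "PR.3": "Traffic filtering",
    "PR.7": "Authentication and identification",
    "PR.8": "Access rights",
    "DF.1": "Detection",
}

# Constructed subset of reference measures from the frameworks the report cites.
REFERENCE_MEASURES = {
    "ISO27002:A.9.1": "Business requirements of access control",
    "ISO27002:A.9.2": "User access management",
    "NIST:PR.AC": "Identity Management, Authentication and Access Control",
    "CLC:SR 1.1": "Human user identification and authentication",
    "CLC:SR 5.2": "Zone boundary protection",
    "CLC:SR 7.1": "Denial of service protection",
}

# Phase 1 result, reviewed from the NIS side.  DF.1 received nothing and
# CLC SR 7.1 was never selected; the reverse pass has to repair both.
PHASE1 = {
    "PR.3": ["CLC:SR 5.2"],
    "PR.7": ["ISO27002:A.9.1", "NIST:PR.AC", "CLC:SR 1.1", "CLC:SR 5.2"],
    "PR.8": ["ISO27002:A.9.1", "ISO27002:A.9.2", "NIST:PR.AC", "CLC:SR 1.1"],
    "DF.1": [],
}


def unmapped_references(mapping, references):
    """Reference measures that no NIS measure points to yet."""
    used = set(chain.from_iterable(mapping.values()))
    return sorted(set(references) - used)


def phase2(mapping, references, relevance):
    """Attach each leftover reference measure to the NIS measure chosen in `relevance`.

    `relevance` is the analyst's judgement (reference id -> NIS id).  A
    leftover with no judgement raises, because silently dropping it would
    defeat the purpose of the reverse pass.  The input mapping is not mutated.
    """
    result = {nis: list(refs) for nis, refs in mapping.items()}
    for ref in unmapped_references(mapping, references):
        if ref not in relevance:
            raise ValueError(f"no NIS measure chosen for leftover reference {ref}")
        result[relevance[ref]].append(ref)
    return result


def coverage_gaps(mapping, nis, references):
    """(NIS measures with no reference attached, reference measures not integrated)."""
    uncovered_nis = sorted(m for m in nis if not mapping.get(m))
    return uncovered_nis, unmapped_references(mapping, references)


def gap_assessment(mapping, implemented):
    """Per NIS measure, the mapped reference measures an asset does not yet meet.

    Only measures with at least one missing reference are returned: this is
    the list of security measures that must still be applied to the asset.
    """
    gaps = {}
    for nis, refs in mapping.items():
        missing = [r for r in refs if r not in implemented]
        if missing:
            gaps[nis] = missing
    return gaps


if __name__ == "__main__":
    full = phase2(PHASE1, REFERENCE_MEASURES, relevance={"CLC:SR 7.1": "DF.1"})
    print("coverage gaps after phase 2:", coverage_gaps(full, NIS_MEASURES, REFERENCE_MEASURES))
    asset_in_place = {"ISO27002:A.9.1", "NIST:PR.AC", "CLC:SR 1.1"}   # constructed asset maturity
    print("measures still to apply:", gap_assessment(full, asset_in_place))
```

Running coverage_gaps before and after phase 2 is the check the report's procedure implies: the first call shows what phase 1 left out on each side, the second must return two empty lists before the mapping is used for gap assessments.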

An example of a security measure is included below. It includes measures under the NIS Directive domain: Protection
and the category of “Identity and Access Management”. The two measures of this category “Authentication and
identification”, and “Access rights” are described according to the NIS Directive guidelines. They are then associated
with relevant measures that can be found in ISO/IEC 27002, the NIST cybersecurity framework and CLC/TS50701.

A detailed list of security measures can be found in Annex C.

Table 1: Domain: Protection - Category: Identity and Access Management


Measure: NIS - PR.7 Authentication and identification
Description: For identification, the operator sets up unique accounts for users or for automated processes that need to access resources of its Critical Information System (CIS). Unused or no-longer-needed accounts should be deactivated. A regular review process should be established.
ISO/IEC 27002: A.9.1 Business requirements of access control; A.9.3 User responsibilities; A.9.4 System and application access control; A.9.4.2 Secure log-on procedures; A.9.4.3 Password management system
NIST CSF: PR.AC Identity Management, Authentication and Access Control (1, 4, 6, 7); PR.DS Data Security (5)
CLC/TS50701: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.3 - Account management; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.6 - Wireless access management; SR 1.7 - Strength of password-based authentication; SR 1.8 - Public key infrastructure (PKI) certificates; SR 1.9 - Strength of public key authentication; SR 1.10 - Authenticator feedback; SR 1.11 - Unsuccessful login attempts; SR 1.12 - System use notification; SR 1.13 - Access via untrusted networks; SR 2.1 - Authorisation enforcement; SR 2.2 - Wireless use control; SR 2.3 - Use control for portable and mobile devices; SR 2.4 - Mobile code; SR 2.5 - Session lock; SR 2.6 - Remote session termination; SR 2.7 - Concurrent session control; SR 5.2 - Zone boundary protection

Measure: NIS - PR.8 Access rights
Description: Among the rules defined in its systems security policy, the operator grants access rights to a user or an automated process only when that access is strictly necessary for the user to carry out their mission or for the automated process to carry out its technical operations.
ISO/IEC 27002: A.9.1 Business requirements of access control; A.9.2 User access management; A.9.4.4 Use of privileged utility programs; A.9.4.5 Access control to program source code
NIST CSF: ID.AM Assets management (5, 6); PR.AC Identity Management, Authentication and Access Control (1, 4, 6, 7); PR.DS Data Security (5); PR.PT Protective Technology (3)
CLC/TS50701: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.3 - Account management; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.6 - Wireless access management; SR 1.7 - Strength of password-based authentication; SR 1.8 - Public key infrastructure (PKI) certificates; SR 1.9 - Strength of public key authentication; SR 1.10 - Authenticator feedback; SR 2.1 - Authorisation enforcement
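The regular review that PR.7 calls for (unique accounts, deactivation of unused or no-longer-needed accounts) and the strictly-necessary test of PR.8 can be run over an export of the account inventory. The following Python account review is an added example and not part of the report; the inventory, its field names (owners, owner_active, last_used, rights, required_rights) and the 90-day dormancy threshold are constructed assumptions for this example, not a vendor's export format or a threshold the report sets.

```python
"""Periodic account review against NIS measures PR.7 and PR.8 (added example,
not from the ENISA report).

PR.7: unique accounts per user or automated process, deactivation of unused
or no-longer-needed accounts, regular review.  PR.8: rights granted only
when strictly necessary for the user's mission or the process's technical
operations.  The inventory records below are constructed; field names and
the 90-day dormancy threshold are this example's own assumptions.
"""
from datetime import date, timedelta

DORMANCY_LIMIT = timedelta(days=90)   # assumed review policy threshold


def review_account(acct, as_of, dormancy=DORMANCY_LIMIT):
    """Return the list of findings for one account record (empty if it passes)."""
    findings = []
    if len(acct["owners"]) != 1:
        findings.append("SHARED_OR_UNOWNED")        # PR.7: one identity per account
    if acct["enabled"] and not acct["owner_active"]:
        findings.append("ORPHANED")                 # PR.7: no-longer-needed account still live
    if acct["enabled"] and (acct["last_used"] is None or as_of - acct["last_used"] > dormancy):
        findings.append("DORMANT")                  # PR.7: unused account to deactivate
    excess = sorted(set(acct["rights"]) - set(acct["required_rights"]))
    if excess:
        findings.append("EXCESS_RIGHTS:" + ",".join(excess))   # PR.8: strictly necessary only
    return findings


def review_inventory(accounts, as_of):
    """Map account id -> findings, omitting accounts that pass the review."""
    report = {}
    for acct in accounts:
        found = review_account(acct, as_of)
        if found:
            report[acct["id"]] = found
    return report


def deactivation_candidates(report):
    """Accounts the review recommends disabling (orphaned or dormant)."""
    return sorted(a for a, f in report.items() if "ORPHANED" in f or "DORMANT" in f)


REVIEW_DATE = date(2021, 11, 15)

# Constructed inventory for a timetable-construction system.
INVENTORY = [
    {"id": "j.dupont", "owners": ["Jeanne Dupont"], "owner_active": True, "enabled": True,
     "last_used": REVIEW_DATE - timedelta(days=3),
     "rights": {"timetable:read", "timetable:write"},
     "required_rights": {"timetable:read", "timetable:write"}},
    {"id": "ops-shared", "owners": ["A. Rossi", "B. Keller", "C. Novak"], "owner_active": True,
     "enabled": True, "last_used": REVIEW_DATE - timedelta(days=1),
     "rights": {"timetable:read"}, "required_rights": {"timetable:read"}},
    {"id": "m.leaver", "owners": ["Marc Leaver"], "owner_active": False, "enabled": True,
     "last_used": REVIEW_DATE - timedelta(days=120),
     "rights": {"timetable:read"}, "required_rights": {"timetable:read"}},
    {"id": "svc-export", "owners": ["nightly export job"], "owner_active": True, "enabled": True,
     "last_used": REVIEW_DATE - timedelta(days=1),
     "rights": {"timetable:read", "admin:all"}, "required_rights": {"timetable:read"}},
    {"id": "old-contractor", "owners": ["Contractor X"], "owner_active": True, "enabled": False,
     "last_used": None, "rights": set(), "required_rights": set()},
]

if __name__ == "__main__":
    report = review_inventory(INVENTORY, REVIEW_DATE)
    for account_id, found in report.items():
        print(account_id, found)
    print("deactivate:", deactivation_candidates(report))
```

The review date is an explicit parameter rather than today's date so that a review can be re-run and reproduced for an audit; the required_rights field is the link back to the mission or technical operation that PR.8 asks the operator to justify each right against.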


6. CONCLUSIONS

European RUs and IMs use a combination of good practices, approaches, and standards to perform cyber risk
management for their organisations. This report gathers insights on these current practices in a single document and
can assist railway undertakings and infrastructure managers in their efforts to apply them. It provides examples of
reference material, such as available taxonomies of assets and threats, comprehensive threat scenarios derived
from real incidents, and cyber risk mitigation measures derived from guidelines and standards.

The report also highlights the challenges faced when applying such approaches. Most importantly, there is a lack of a
single cyber risk management approach for railway organisations to cover both IT and OT in a unified manner.

IT vs OT risk management approaches. The differentiation between IT and OT in the railway sector is increasingly
difficult and having discrete approaches and taxonomies for cyber risk management makes the issue more challenging.
In many cases, it can be a complex process to identify which approach is better suited, whether a device can be
considered IT or OT or which security measures and which standard should be applied. Having a more structured and
unified approach with respect to cyber risk management would help the sector to harmonise, thus facilitating risk
discussions between the different entities of the railway ecosystem. It can also enable more collaboration with the
supply industry of the sector.

More harmonization and alignment of good practices. Future work could include further alignment of the sector-
specific taxonomies and more guidance on the application of good practices. Wherever possible, further
standardisation could be pursued, as this is also a request stemming from the railway supply industry, which
advocates for more certification schemes at EU level. Significant sectoral challenges remain, including the cyber risk
management of supply chains. This could be remedied with a regulatory approach encompassing the entire railway
ecosystem under the same cyber risk management requirements. At present, key elements of the railway supply
chain, both IT and OT, do not fall under the same European regulatory framework.

Keeping railway systems and cyber risk assessments up-to-date. Another significant issue specific to the sector
is the plethora of legacy systems which add an additional degree of difficulty when managing cyber risk. At present, it
is not possible to provide relevant recommendations to address the cybersecurity of legacy systems in the railway
sector. It would be necessary to involve the railway industry in such an exercise. Additionally, even for newly
developed systems, there is the need to ensure that the results of risk assessments remain current, that risks are
continuously monitored, and that the security level remains adequate. Maintaining an up-to-date threat landscape for
the railway sector could be a step towards this direction.


7. BIBLIOGRAPHY

CLC/TS 50701 Railway applications – Cybersecurity, 2021. https://www.en-standard.eu/clc/ts-50701-2021-railway-applications-cybersecurity/

Cyrail, 2018. CYRail Recommendations on cybersecurity of rail signalling and communication systems. September 2018. https://cyrail.eu/IMG/pdf/final_recommendations_cyrail.pdf

ENISA, 2016. ENISA Threat Taxonomy v 2016. https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/

ENISA, 2020. Railway Cybersecurity - Security measures in the Railway Transport Sector. November 2020. https://www.enisa.europa.eu/publications/railway-cybersecurity

ENISA, 2021. Minimum Security Measures for Operators of Essentials Services (tool). https://www.enisa.europa.eu/topics/nis-directive/minimum-security-measures-for-operators-of-essentials-services

IEC 62443-2-1:2010, Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program.

IEC 62443-3-3:2013, Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels.

ISO 31000:2018, Risk management – Principles and guidelines.

ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems – Requirements.

ISO/IEC 27002:2013, Information technology - Security techniques - Code of practice for information security controls.

ISO/IEC 27005:2018, Information technology - Security techniques - Information security risk management.

ISO-IEC 62443 series. https://www.isa.org/intech-home/2018/september-october/departments/new-standard-specifies-security-capabilities-for-c

NIS Cooperation Group, 2018. Reference document on security measures for Operators of Essential Services. CG Publication 01/2018, February 2018. https://digital-strategy.ec.europa.eu/en/policies/nis-cooperation-group

NIST Cybersecurity Framework, 2018. Cybersecurity Framework Version 1.1, April 2018. https://www.nist.gov/cyberframework

RCA OCORA Eulynx – CS Guideline, 2020. https://www.eulynx.eu/index.php/documents/rca/251-rca-publications

Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools. https://www.enisa.europa.eu/publications/risk-management-principles-and-inventories-for-risk-management-risk-assessment-methods-and-tools

UIC, 2018. Guidelines for cyber-security in railway, UIC-ETF, ISBN 978-2-7461-2732-6. https://www.shop-etf.com/en/guidelines-for-cyber-security-in-railways

X2Rail-1 Start-up activities for Advanced Signalling and Automation Systems (2016 - 2018). https://projects.shift2rail.org/s2r_ip2_n.aspx?p=X2RAIL-1

X2Rail-1, 2019. Deliverable D8.2 - Security Assessment, rev.2. https://projects.shift2rail.org/s2r_ip2_n.aspx?p=X2RAIL-1

X2Rail-3, Advanced Signalling, Automation and Communication System (IP2 and IP5) – Prototyping the future by means of capacity increase, autonomy and flexible communication (2018 - 2020). https://projects.shift2rail.org/s2r_ip2_n.aspx?p=X2RAIL-3

X2Rail-3, 2020. Deliverable D8.1 - Guidelines for railway cybersecurity part 1 – Simplified Risk Assessment. December 2020. https://projects.shift2rail.org/s2r_ip2_n.aspx?p=X2RAIL-3


A ANNEX: ASSET DESCRIPTIONS

Table 1: Assets per device category

Assets | Description | Attribute | Reference [40]

Telecom
Radio transmission network | Radio network used for all railway processes: communication with trains, signalling, safety and security operations, logistics management, etc. | Network and communication systems | ENISA, 2020
Wired and wireless transmission network | Wired and wireless systems used for network communications in LAN or Internet connection. | Network and communication systems | ENISA, 2020
Operational telephone intercom | Telephone-related devices such as loudspeaker systems, walkie-talkies, etc. | Network and communication systems | ENISA, 2020
Mobile telephone devices (GSM) | GSM/GSM-R phone devices. | Network and communication systems | ENISA, 2020

IT & OT Infrastructure
Computer & server | Computers and servers used as support goods by all IT & OT systems. | IT systems | ENISA, 2020

Infrastructures and trackside
Automatic ticket distribution and verification infrastructures | Devices and equipment to distribute and control the tickets. | IT systems | -
CCTV (video surveillance) | Devices used for video surveillance of assets and people at risk. | OT systems | CLC/TS 50701
Fixed infrastructure detectors | Detectors such as track vacancy detectors, hot box detectors, avalanche detectors and fire detectors. | OT systems | CLC/TS 50701
Wayside equipment | Source and destination for information about approaching trains and their crews. | OT systems | -
Station signalling (automatic train protection, interlocking, radio block centre) | Equipment for station signalling regarding interlocking (safe setting of routes for trains by controlling signals, points, and the track vacancy), automatic train protection (ATP) or radio block centre (controls the movement authorities for the trains in an ETCS Level 2/3 system). | OT systems | CLC/TS 50701
Fixed communication tools (GSM-R, MSC/BSC) | Fixed devices to communicate with railway personnel and passengers. | Network and communication systems | CLC/TS 50701
Radio transmission relays | Relay antennas for radio communication. | Network and communication systems | CLC/TS 50701
Wired and wireless transmission internal network infrastructures | Equipment to support network communications. | Network and communication systems | CLC/TS 50701
Public Wi-Fi and internet accesses | Equipment to support public Wi-Fi and internet access. | Network and communication systems | CLC/TS 50701

On-Board
On-board detectors | Various on-board detectors such as ATP, fire detectors, alarms, anti-intrusion tools, diagnostics tools and energy metering. | OT systems | CLC/TS 50701
Driver tools | On-board physical infrastructures related to driver tools: traction, braking, driver machine interface, train control management tools. Traction is the system responsible for train movement. The driver machine interface includes all the technological objects used to manage communications between the train and the driver (e.g., screens, buttons, handles, etc.). | OT systems | CLC/TS 50701
Radio transmission relays | On-board equipment that communicates with the networks and allows the train to communicate with corporate IT systems. | Network and communication systems | CLC/TS 50701
Wired and wireless transmission internal network infrastructures | On-board equipment used for wired or wireless transmission on the internal network (Mobile Communication Gateway, cab radio). | Network and communication systems | CLC/TS 50701
Public Wi-Fi and internet accesses | On-board equipment giving the users access to the internet (through Wi-Fi, for example). | Network and communication systems | CLC/TS 50701
On-board CCTV | Equipment supporting CCTV on the train (cameras, recording systems), used for video surveillance of assets and people at risk. | IT systems | CLC/TS 50701

40. When a reference to a document is not given, the element was added based on the consultation with experts (workshops).

Table 2: Assets per service category

Assets | Description | Attribute | References [41]

Timetable construction
Commercial offer construction | Systems which allow commercial offers to be created for customers, including timetables for each train line (track usage for railway undertakers and commercial offers of train tickets for passengers or freight). | IT systems | ENISA, 2020
Staff planning | Systems which allow the preparation of resource rosters (assets and staff), providing the staff planning for all people working in railway (drivers, controllers, railway workers, station employees, maintenance workers, etc.). | IT systems | ENISA, 2020
Resources booking | Systems which allow resource booking (locomotive, wagon, etc.). | IT systems | ENISA, 2020

Sales, distribution, and customer relations
Marketing | Systems that allow the management of customer relations (e.g., claims, loyalty cards, marketing campaigns). | IT systems | ENISA, 2020
Booking management | Systems enabling customers to buy tickets or book a train seat, including commercial websites and applications. | IT systems | ENISA, 2020
Automatic fare collection | Systems enabling the automatic collection of customers' fares. | IT systems | ENISA, 2020

Network allocation systems
Operation planning construction | Systems enabling RUs to construct and plan operations and to inform the IMs of any special characteristics of trains or loads (e.g., dangerous goods, oversize). | IT systems | ENISA, 2020
Operation billing | Systems enabling IMs to apply costing policies to the RU for the use of the infrastructure. | IT systems | ENISA, 2020
Corridors booking | Systems enabling RUs to book infrastructure (corridors) to operate their trains on the network. | IT systems | ENISA, 2020

Assets management
Asset inventory | Systems enabling RUs and IMs to inventory their assets. | IT systems | ENISA, 2020
Logistics | Systems enabling RUs and IMs to manage their asset logistics. | IT systems | ENISA, 2020
Asset procurement | Systems enabling RUs and IMs to account for their assets (infrastructure, or trains for example), and to procure new assets. | IT systems | ENISA, 2020

Signalling
Remote monitoring | Systems used to direct railway traffic and oversee the monitoring of train locations on tracks. | OT systems | ENISA, 2020
Key management | Systems used to direct railway traffic and secure communication between trains. | OT systems | ENISA, 2020
Juridical recorder unit | Systems used to direct railway traffic and record events on trains complying with the ERTMS/ETCS standard. | OT systems | ENISA, 2020
Temporary speed restriction | Systems used to direct railway traffic and reduce the speed of rail traffic to ensure safe passage on unsafe sections of tracks. | OT systems | ENISA, 2020
Interlocking | Systems used to direct railway traffic and prevent conflict in signalling movements through an arrangement of tracks. It includes wayside systems that give information on approaching trains and their crews. | OT systems | ENISA, 2020
Automatic train protection | Systems which activate emergency brakes if train speed is faster than allowed. | OT systems | ENISA, 2020

41. When a reference to a document is not given, the element was added based on the consultation with experts (workshops).

Command-Control

Master system to control all train elements (speed, doors,


Train control OT systems ENISA, 2020
etc.).
Automatic train System responsible for speed control in response to external
OT systems ENISA, 2020
control inputs.
Automatic train Systems used to enable movement of trains and manage
OT systems ENISA, 2020
supervision traffic loads.
Energy traction System overseeing the supply of the electrified rail network. OT systems ENISA, 2020
Systems and services related to freight docking: loading and
Freight docking OT systems -
unloading of goods, cranes, and platforms management.

Auxiliary

Energy System overseeing the management of power delivery. OT systems ENISA, 2020
Heating, ventilating
and air System overseeing the management of heating, ventilation,
OT systems ENISA, 2020
conditioning and air conditioning.
(HVAC)
Lighting System overseeing the management of lighting. OT systems ENISA, 2020
Water System overseeing the management of water. OT systems -
Escalator and System overseeing the management of escalators and
OT systems -
elevator elevators.

37
RAILWAY CYBERSECURITY
November 2021

Assets Description Attribute References41

Development

Bidding
Bidding systems for the RU or IM to answer invitations to
management IT systems ENISA, 2020
tender for train operations or infrastructure management.
systems
Research and
engineering Centralise and coordinate research and engineering. IT systems ENISA, 2020
systems

Passenger services

Passenger System overseeing the passenger announcement


IT systems ENISA, 2020
announcement management.
Passenger System managing the passenger's general information about
IT systems ENISA, 2020
information their trip: track number, time of arrival, delay, etc.
Passenger System overseeing the management of passenger
IT systems ENISA, 2020
entertainment entertainment (internet access...).

Telecom

Network and
Operational time System which synchronises the clocks of the different IT
communication ENISA, 2020
distribution system equipment (servers, workstations, etc.).
systems

Security

System allowing the control of physical access within


Access control OT systems ENISA, 2020
buildings.
CCTV Video-surveillance systems. OT systems ENISA, 2020
Network Network intrusion detection systems to detect abnormal
IT systems ENISA, 2020
monitoring activities.
Devices and software allowing cybersecurity activities:
Cybersecurity surveillance (SOC), firewalls, Endpoint Detection and IT systems ENISA, 2020
Response systems.

Safety

Systems managing fire detection within buildings, stations, or


Fire detection OT systems ENISA, 2020
datacentres.
Emergency
System managing operational communication and sending
telephony and OT systems ENISA, 2020
alerts in case of emergency.
alerting
Operations safety Systems that keep operations safe and secure. OT systems ENISA, 2020

Maintenance

Systems enabling RUs and IMs to create an inventory of their


Asset inventory IT systems ENISA, 2020
assets related to maintenance (parts, equipment, etc.).
System overseeing direct diagnosis or tele-diagnosis with
Diagnosis IT systems ENISA, 2020
GSM communication from the train.
Maintenance System scheduling and operating maintenance activities on
IT systems ENISA, 2020
scheduling track and trains.
Service
Systems enabling the provision of maintenance equipment. IT systems -
provisioning

Corporate & Support

IT ticketing IT ticketing systems to create and attribute tickets detailing IT


IT systems ENISA, 2020
systems users’ technical or help requests.
Resource System overseeing the management of allocation of
IT systems ENISA, 2020
allocation systems resources used by RUs and IMs to perform usual business.

38
RAILWAY CYBERSECURITY
November 2021

Assets Description Attribute References41

Documentation
systems / System overseeing the management of documents (shared
IT systems ENISA, 2020
Document folders, SharePoint, OneDrive, etc.).
management
Alert escalation
Process and system used in case of crisis, in order to escalate
and crisis IT systems ENISA, 2020
and manage the situation.
management
Administrative
Administration of the telephone systems used by employees. IT systems ENISA, 2020
telephone systems
Administrative time Network Time Protocol (NTP) systems that provide time
IT systems ENISA, 2020
distribution management for all systems.
Finance Manages all financial aspects (accounting, consolidation).. IT systems ENISA, 2020
System for employee management: recruitment, pay, training,
HR IT systems ENISA, 2020
evaluation, etc.
IT-related
(equipment,
Vendor systems for IT services and equipment. Supply chain -
services) system
supply

Table 3: Assets per physical equipment category (description)

Assets | Description | Reference (42)

On-Board
Doors | Sub-system that controls the train doors. | CLC/TS 50701
On-board lighting | On-board physical infrastructures related to lighting. Includes the electronics dedicated to ensuring correct illumination of railway cars both internally and externally; a special case of external lighting is the headlights. | CLC/TS 50701
Heating, ventilating and air conditioning (HVAC) | On-board physical infrastructures related to heating, ventilating and air conditioning. This system provides crew and passengers with ambient comfort conditions. | CLC/TS 50701
Train | Physical equipment of trains including embedded devices and their software. | -
Freight locomotives | On-board physical infrastructures related to freight locomotives. | -
Special wagons (container transport, oil transport, refrigerated) | On-board physical infrastructures related to special wagons. | -
On-board system supply | On-board physical infrastructures related to the system supply. | -

Infrastructure and trackside
Energy systems supply | Infrastructures that support providing energy to all facilities. | -
Tracks | All physical equipment and infrastructures related to tracks. | -
Catenary | Supply of electric energy to trains. | -
Train assembly facility | Facilities where trains are assembled. | -
Stations - buildings | All buildings used for train stations. | CLC/TS 50701
Other buildings (administrative, facilities, …) | All buildings used for corporate, IT or OT purposes. | -
Electrical substations | Physical infrastructures that support electrical substations. | CLC/TS 50701
Level crossing | Physical infrastructures supporting level crossings. Protects the crossing area of rail and road traffic. | CLC/TS 50701
Tunnels and bridges | Physical infrastructures related to bridges or tunnels. "Tunnels" includes the electronics installed in railway tunnels to support tunnel-specific infrastructure functions (e.g., ventilation, alarm systems, fire and smoke detectors, fire extinguishers, etc.). "Bridges" includes the electronics installed in railway bridges to support bridge-specific infrastructure functions (e.g., monitoring systems, lift control, etc.). | -
Escalators and elevators | Physical infrastructures related to escalators or elevators that allow passengers and employees to move in buildings and infrastructures. | ENISA, 2020
Lighting | Physical infrastructures related to lighting. | ENISA, 2020
Water control | Physical infrastructures related to water control (wells, etc.). | -
Fire management | Physical infrastructures related to fire management (fire extinguishers, etc.). | -
Freight docking platform | Physical infrastructures related to freight docking platforms, allowing loading and unloading of goods. | -
Goods storage facilities | Physical infrastructures related to goods storage (such as containers). | -
Heating, ventilating and air conditioning (HVAC) | Heating and ventilating equipment, providing crew and passengers with ambient comfort conditions. | CLC/TS 50701

(42) When a reference to a document is not given, the element was added based on the consultation with experts (workshops).
Table 4: People and data (description)

Assets | Description

Data, Information and Knowledge
Email | Data used by email systems.
Telephone | Data used by telephone systems.
Clients’ personal information | Name, address, credit card information, usage, etc.
Employee personal information | Name, address, salary, etc.
Asset inventory data | Asset-related data.
Support tickets | Tickets sent to support to detail users’ requests.
Commercial, financial, administration data | Data related to the commercial, financial or administrative information and activities.
CCTV data | Video tapes, recordings, etc.
IT infrastructure data | Architecture figures, flow matrix, etc.
Research and engineering data | Data related to research and engineering activities.
Maintenance data | Train status, maintenance operations, etc.
Train or traffic data | Train location, train course, etc.
Audit (audit trail, logs) | Audit reports, audit trail, logs.
Systems maintenance data | Backups, configurations, audit, log, install images, licenses, certificates, etc.
Supply chain data/knowledge (providers, contracts, service management records) | Providers, data, contracts, service management records.
IT systems data (for critical systems not mentioned) | Data used in IT systems: IP mapping tables, credentials, etc.
OT systems data | Data used for control of the systems (e.g., signalling systems data to and from train, to and from trackside elements).
Freight information | Asset-related data.

People
Passengers | People using train services.
Drivers | Employees driving trains.
Controllers | Employees in charge of controlling passengers’ tickets.
Railway workers | Employees in charge of the railway.
Station employees | Employees in charge of managing the stations.
Maintenance workers | Employees in charge of the maintenance (train or tracks).
HR | Employees in charge of HR.
Executives | Company’s executive staff.
Marketing, communication, finance teams | Employees in charge of marketing, communication, or finance.
Administrator teams | Employees in charge of administrating the systems.
IT teams | Employees in charge of IT.
B ANNEX: THREATS DESCRIPTION

Table 5: Threat categories and descriptions

Threats | Description

Disaster (natural, environmental)
Natural: earthquakes, floods, landslides, tsunamis, heavy rains, heavy snowfalls, heavy winds, solar eruptions, thunder strokes, pollution, dust, corrosion, water, explosion, animal damage (rats, squirrels, etc.) | Disastrous events caused by natural or environmental elements.

Unintentional damage / loss of information or systems
Information leakage/sharing due to human error | Confidential data shared involuntarily by a member of the organisation via the information system (emails, social networks, etc.).
Erroneous use or administration of devices and systems | Error in the use or administration of the organisation’s assets leading to information leakage, damage to such assets or physical harm.
Using information from an unreliable source | Using information in the organisation’s processes and systems from a non-verified, non-official source, or an official but corrupted source.
Unintentional change of data in an information system | Harmful modification of data, mistakenly done by a member of the organisation.
Inadequate design and planning or improper adaptation | Error in the design of a system or its planning or delivery, leading to system unavailability.
Damage caused by a third party (supplier or partner) | Unintentional damage caused by a supplier or a partner.
Damages resulting from penetration testing | Unintentional damage caused by an IT team during a penetration test of an information system.
Loss of (integrity of) sensitive information | Loss of sensitive information, or unwanted modification of sensitive information, leading to the unavailability of the necessary data.
Destruction of records | Loss of recorded information in IT systems (backups) or OT systems (train system records or similar).

Physical attack (deliberate / intentional)
Fraud by passengers | Every type of fraud committed by a passenger, aiming at diverting the organisation’s resources, particularly fraud regarding tickets or subscriptions.
Sabotage / Vandalism | All types of acts aiming at physically destroying or harming the organisation’s properties.
Theft (devices, storage media and documents) | Theft of physically available resources.
Information leakage / sharing from document / equipment | Information publicly and physically leaked or shared by a member of the organisation, whether voluntarily or not (via the passenger announcement system, for instance).
Unauthorised physical access / Unauthorised entry to premises | Access to the organisation's premises by a non-authorised person.
Coercion, extortion, or corruption | All types of pressure directed toward members of the organisation or stakeholders to gain an advantage over the organisation.
Damage from warfare / Terrorist attack / Activist attack | All damages originating from a large organisation (country, terrorist group or other similar organisation) or damages that are ideologically motivated.

Failures / Malfunction
Failure / malfunction of devices or systems | Natural dysfunction or dysfunction stemming from a misconfiguration on a device or a system.
Failure / malfunction / disruption of communication links | Natural dysfunction or dysfunction stemming from a misconfiguration on the communication networks.
Failure / malfunction / disruption of service providers (supply chain) | Natural dysfunction or dysfunction stemming from a misconfiguration on the services provided by the suppliers.

Outages
Loss of resources | Unavailability of provided resources (maintenance parts, etc.).
Loss of electricity | Unavailability of electricity.
Loss of cooling | Unavailability of cooling.
Loss of oil or gas | Unavailability of oil or gas.
Absence of personnel (strike, pandemic, etc.) | Absence of key personnel (strike, pandemic, etc.).
Low competency or maturity of personnel | Personnel lacking the competency to correctly and efficiently complete tasks, causing unavailability of assets or services.
Internet outage | Unavailability of the services provided by the global internet suppliers.
Mobile communication outage | Unavailability of mobile (GSM) communication services.
Network outage | Unavailability of the organisation’s network communication due to network dysfunction (natural or not).

Malicious Activity / Abuse
Identity theft (identity fraud / account) | Theft of a system’s legitimate user's identity: account theft, theft of authentication means (login, password, email, etc.).
Unsolicited e-mail | Phishing or spear-phishing email to retrieve a stakeholder’s credentials, or e-mail designed to retrieve sensitive information via social engineering.
Denial of service | Cyber-attack that aims at making a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
Malicious code / software / activity | Piece of code or software that infects a host (computers, servers, etc.) to harm an information system in various ways. This includes ransomware, trojan horses, viruses, worms, etc.
Social engineering | Psychological manipulation of people into performing actions on the information systems or divulging confidential information.
Generation and use of rogue certificates | Legitimate certificates that have been compromised or forged to trick a system into thinking the certificate’s user is legitimate and can access the protected resources.
Manipulation of hardware and software | Malicious changes in hardware or software configuration or code to cause harm to the information system.
Manipulation of information | Malicious breach of data integrity or transmission of false information.
Fraud by authorised personnel | Every type of fraud committed by authorised personnel aiming at diverting the organisation’s resources.
Unauthorised use or administration of devices and systems | Unauthorised use or administration of the organisation’s assets leading to information leakage, damage to such assets or physical harm.
Unauthorised use of software | Unauthorised use of legitimate software leading to information leakage, damage to such assets or physical harm.
Network intrusion | Unauthorised access to a network, giving access to network resources.
Unauthorised installation of software | Installation of software not allowed on a computer or server. This can create vulnerabilities that are not under the control of the company.
Compromising confidential information (data breaches) | Intentional confidential data leakage from authorised or unauthorised access.
Targeted attacks (APTs etc.) | An attacker gains unauthorised access to a computer network and resources, remaining undetected for an extended period.
Brute force | Access to a protected resource using crafted passwords or passphrases with many trials to find the associated access credentials.
Abuse of authorisations | Legitimate users who use their authorisations for fraud or stealing sensitive data.
Interception of information | Physical interception of information (eavesdropping).
Network reconnaissance, network traffic manipulation and information gathering | Interception and identification of information about networks to identify security weaknesses.
Man in the middle / Session hijacking | Interception of information between two endpoints in information systems (computers, servers, etc.).
C ANNEX: SECURITY MEASURES


Table 6: Governance

Columns: ID | Security measure | Description | ISO/IEC 27002 measures | NIST CSF measures | CLC/TS 50701 measures

Information System Security Governance & Risk Management

NIS - GV.1 | Security risk analysis
  Description: The operator conducts and regularly updates a risk analysis, identifying its Critical Information Systems (CIS) underpinning the provision of the essential services of OESs, and identifies the main risks to these CIS.
  ISO/IEC 27002 measures: 6.1 Actions to address risks and opportunities; 8 Operation; 9.3 Management review; 10 Improvement; A.8.1 Responsibility for assets; A.12.6.1 Management of technical vulnerabilities; A.18.2.1 Independent review of information security
  NIST CSF measures: ID.GV Governance (4); ID.RA Risk Assessment (1, 3, 4, 5, 6); ID.RM Risk Management Strategy (1, 2, 3); RS.IM Improvements (1, 2); ID.SC Supply Chain Risk Management (1); PR.IP Information Protection Processes and Procedures (12); ID.AM Asset Management (1, 2, 4, 5); DE.CM Security Continuous Monitoring (8); RS.MI Mitigation (3); RS.AN Analysis (5)
  CLC/TS 50701 measures: SR 7.8 - Control system component inventory; see sections 6 and 7 of CLC/TS 50701 and IEC 62443-2-1 (section 4.2)

NIS - GV.2 | Security policy
  Description: The operator establishes, maintains and implements an information system security policy (ISSP) approved by senior management, guaranteeing high-level endorsement of the policy.
  ISO/IEC 27002 measures: 4.3 Determining the scope of the information security management system; 4.4 Information security management system; 5.1 Leadership and commitment; 5.2 Policy; 5.3 Organisational roles, responsibilities and authorities; 6.2 Information security objectives and planning to achieve them; 9.3 Management review; A.5.1 Management direction for information security; A.6.1 Internal organisation; A.7.2.1 Management responsibilities; A.18.1.1 Identification of applicable legislation and contractual requirements; A.18.1.2 Intellectual property rights; A.18.2.2 Compliance with security policies and standards
  NIST CSF measures: ID.BE Business Environment (1, 2, 3, 4); ID.GV Governance (1, 2, 3, 4); PR.AT Awareness & Training (2, 3, 4, 5); DE.DP Detection Processes (1); ID.AM Asset Management (6)
  CLC/TS 50701 measures: See IEC 62443-2-1 (section 4.3.2)

NIS - GV.3 | Security accreditation
  Description: Building on the risk analysis and according to an accreditation process referred to in the ISSP, the operator accredits the CIS identified in its information system risk analysis, including, inter alia, the inventory and architecture of the administration components of the CIS.
  ISO/IEC 27002 measures: 6.1 Actions to address risks and opportunities; 8 Operation; 9.2 Internal audit; 10.1 Nonconformity and corrective action; A.12.1.1 Documented operating procedures; A.12.7.1 Information systems audit controls
  NIST CSF measures: ID.RA Risk Assessment (1, 3, 4, 6); ID.RM Risk Management Strategy (1, 2, 3); RS.IM Improvements (1, 2); ID.SC Supply Chain Risk Management (1); PR.IP Information Protection Processes and Procedures (7, 12); PR.PT Protective Technology (1); ID.AM Asset Management (1, 2, 4, 5); DE.CM Security Continuous Monitoring (8); RS.MI Mitigation (3)
  CLC/TS 50701 measures: SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failure; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation

NIS - GV.4 | Security indicators
  Description: For each CIS and according to a number of indicators and assessment methods, the operator evaluates its compliance with its ISSP. Indicators may relate to the risk management organisation’s performance, the maintaining of resources in secure conditions, users’ access rights, authenticating access to resources, and resource administration.
  ISO/IEC 27002 measures: 6.2 Information security objectives and planning to achieve them; 7.1 Resources; 7.2 Competence; 9 Performance evaluation; A.12.1.3 Capacity management
  NIST CSF measures: ID.AM Asset Management (5); ID.RM Risk Management Strategy (2, 3); PR.IP Information Protection Processes and Procedures (7, 8); PR.DS Data Security (4); ID.BE Business Environment (5)
  CLC/TS 50701 measures: SR 3.4 - Software and information integrity; SR 4.1 - Information confidentiality

NIS - GV.5 | Security audit
  Description: The operator establishes and updates a policy and procedures for performing information system security assessments and audits of critical assets and CIS, taking into account the regularly updated risk analysis.
  ISO/IEC 27002 measures: 6 Planning; 8 Operation; 9.2 Internal audit; 9.3 Management review; 10 Improvement; A.5.1 Management direction for information security; A.12.1 Operational procedures and responsibilities; A.12.7 Information systems audit considerations; A.18.2 Information security reviews
  NIST CSF measures: ID.GV Governance (3, 4); ID.RA Risk Assessment (1, 3, 4, 5, 6); ID.RM Risk Management Strategy (2, 3); DE.CM Security Continuous Monitoring (8); DE.DP Detection Processes (5); ID.SC Supply Chain Risk Management (4); PR.AC Identity Management, Authentication and Access Control (1); PR.PT Protective Technology (1); PR.IP Information Protection Processes and Procedures (7, 12); RS.IM Improvements (1, 2); RC.IM Improvements (1, 2)
  CLC/TS 50701 measures: SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failure; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation

NIS - GV.6 | Human resource security
  Description: The established information system security policy has a CIS security awareness raising programme for all staff and a security training programme for employees with CIS-related responsibilities.
  ISO/IEC 27002 measures: 4.1 Understanding the organisation and its context; 4.2 Understanding the needs and expectations of interested parties; 5.3 Organisational roles, responsibilities, and authorities; 6.2 Information security objectives and planning to achieve them; 7 Support; 9.1 Monitoring, measurement, analysis and evaluation; A.6.1.1 Information security roles and responsibilities; A.6.1.2 Segregation of duties; A.7.1 Prior to employment (screening and terms & conditions); A.7.2 During employment; A.7.3 Termination and change of employment; A.9.3 User responsibilities
  NIST CSF measures: ID.AM Asset Management (6); ID.GV Governance (2, 3); RS.CO Communications (1); PR.IP Information Protection Processes and Procedures (7, 11, 12); DE.DP Detection Processes (1); PR.AT Awareness & Training (1, 2, 3, 4, 5)
  CLC/TS 50701 measures: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.9 - Strength of public key authentication; SR 2.1 - Authorisation enforcement; SR 5.2 - Zone boundary protection

Ecosystem Management

NIS - GV.7 | Ecosystem mapping
  Description: The operator establishes a mapping of its ecosystem, including internal and external stakeholders. This mapping may include suppliers, in particular those with access to or managing the operator’s critical assets.
  ISO/IEC 27002 measures: 4.1 Understanding the organisation and its context; 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the information security management system; 5.2 Policy; 5.3 Organisational roles, responsibilities and authorities; 8.1 Operational planning and control; A.8 Asset management; A.8.2 Information classification; A.15 Supplier relationships
  NIST CSF measures: ID.AM Asset Management (3, 4, 6); ID.BE Business Environment (1, 2, 4); ID.AM Asset Management (6)
  CLC/TS 50701 measures: SR 5.3 - General purpose person-to-person communication restrictions

NIS - GV.8 | Ecosystem relations
  Description: The operator establishes a policy for its relations with its ecosystem in order to mitigate the potential risks identified. This includes but is not limited to interfaces shared between the CIS and third parties.
  ISO/IEC 27002 measures: 4.2 Understanding the needs and expectations of interested parties; 5.2 Policy; 7.4 Communication; 7.5 Documented information; 8.1 Operational planning and control; 9.3 Management review; A.5.1 Management direction for information security; A.7.1 Prior to employment; A.7.2 During employment; A.7.3 Termination and change of employment; A.12.7 Information systems audit considerations; A.13.2 Information transfer; A.14.2 Security in development and support processes; A.15 Supplier relationships; A.18.1 Compliance with legal and contractual requirements
  NIST CSF measures: RS.CO Communications (4, 5); ID.RM Risk Management Strategy (1); ID.GV Governance (2); ID.SC Supply Chain Risk Management (1, 2, 3, 4, 5); RC.CO Communications (3)
  CLC/TS 50701 measures: SR 1.13 - Access via untrusted networks; SR 2.6 - Remote session termination; SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failure; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation; SR 3.1 - Communication integrity; SR 3.5 - Input validation; SR 3.8 - Session integrity; SR 4 - Data confidentiality; SR 5.1 - Network segmentation; SR 5.2 - Zone boundary protection; SR 5.3 - General purpose person-to-person communication restrictions; SR 6.1 - Audit log accessibility; SR 6.2 - Continuous monitoring; SR 7.1 - Denial of service protection; SR 7.6 - Network and security configuration settings
Table 7: Protection

Security
ID Description ISO/IEC 27002 measures NIST CSF measures CLC/TS50701 measures
Measures

IT Security Architecture
SR 1.13 - Access via untrusted networks
SR 2.2 - Wireless use control
SR 2.3 - Use control for portable and
mobile devices
SR 2.4 - Mobile code
4.3 Determining the scope of the
SR 2.6 - Remote session termination
information security management
SR 3.1 - Communication integrity
system
SR 3.3 - Security functionality verification
A.6.2 Mobile devices and teleworking
SR 3.4 - Software and information integrity
A.8.1 Responsibility for assets
SR 3.5 - Input validation
A.8.3 Media handling
SR 3.8 - Session integrity
The operator only installs services and A.12.1 Operational procedures and PR.IP Information Protection
SR 4.1 - Information confidentiality
Systems functionalities or connects equipment responsibilities Processes and Procedures (1, 2, 3)
NIS - PR.1 SR 4.2 - Information persistence
configuration which are essential for the functioning and A.12.5 Control of operational software DE.AE Anomalies and Events (1)
SR 4.3 - Use of cryptography
the security of its CIS. A.12.6 Technical vulnerability PR.PT Protective Technology (3)
SR 5.1 - Network segmentation
management
SR 5.2 - Zone boundary protection
A.13.1 Network security management
SR 5.3 - General purpose person-to-
A.14.1 Security requirements of
person communication restrictions
information systems
SR 7.1 - Denial of service protection
A.14.2 Security in development and
SR 7.2 - Resource management
support processes
SR 7.6 - Network and security
configuration settings
SR 7.7 - Least functionality
SR 7.8 - Control system component
inventory
SR 1.13 - Access via untrusted networks
SR 2.6 - Remote session termination
SR 3.1 - Communication integrity
SR 3.5 - Input validation
SR 3.8 - Session integrity
SR 4.1 - Information confidentiality
PR.DS Data Security (5, 7)
SR 4.2 - Information persistence
The operator segregates its systems in A.12.1 Operational procedures and PR.PT Protective Technology (3, 4)
System SR 4.3 - Use of cryptography
NIS - PR.2 order to limit the propagation of IT security responsibilities PR.AC Identity Management,
segregation SR 5.1 - Network segmentation
incidents within its systems or subsystems. A.13.1 Network security management Authentication and Access Control
SR 5.2 - Zone boundary protection
(5, 6)
SR 5.3 - General purpose person-to-
person communication restrictions
SR 5.4 - Application partitioning
SR 7.1 - Denial of service protection
SR 7.6 - Network and security
configuration settings

48
RAILWAY CYBERSECURITY
November 2021

Security
ID Description ISO/IEC 27002 measures NIST CSF measures CLC/TS50701 measures
Measures
SR 1.13 - Access via untrusted networks
SR 2.6 - Remote session termination
SR 3.1 - Communication integrity
SR 3.5 - Input validation
SR 3.8 - Session integrity
PR.DS Data Security (2)
SR 4.1 - Information confidentiality
The operator filters traffic flows circulating PR.PT Protective Technology (4)
SR 4.2 - Information persistence
in its CIS. The operator therefore forbids 8.1 Operational planning and control PR.AC Identity Management,
Traffic SR 4.3 - Use of cryptography
NIS - PR.3 traffic flows that are not needed for the A.13.1 Network security management Authentication and Access Control
filtering SR 5.1 - Network segmentation
functioning of its systems and that are A.13.2 Information transfer (3, 5)
SR 5.2 - Zone boundary protection
likely to facilitate an attack. DE.CM Security Continuous
SR 5.3 - General purpose person-to-
Monitoring (6, 7)
person communication restrictions
SR 7.1 - Denial of service protection
SR 7.6 - Network and security
configuration
settings
NIS - PR.4 | Cryptography
Description: In its ISSP, the operator establishes and implements a policy and procedures related to cryptography, in view of ensuring adequate and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information in its CIS.
ISO/IEC 27002: A.10.1 Cryptographic controls; A.18.1 Compliance with legal and contractual requirements
NIST CSF: ID.GV Governance (3); PR.DS Data Security (1, 2, 5, 6, 8); PR.PT Protective Technology (4)
CLC/TS 50701: SR 4.3 - Use of cryptography; SR 5.2 - Zone boundary protection

IT Security Administration

NIS - PR.5 | Administration accounts
Description: The operator sets up specific accounts for administration, to be used only by employees carrying out administrative operations (installation, configuration, management, maintenance, etc.) on its CIS. These accounts are kept on an up-to-date list.
ISO/IEC 27002: A.9.2 User access management; A.12.4.3 Administrator and operator logs
NIST CSF: PR.AC Identity Management, Authentication and Access Control (1, 4, 7); PR.AT Awareness and Training (2, 4)
CLC/TS 50701: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.3 - Account management; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.6 - Wireless access management; SR 1.7 - Strength of password-based authentication; SR 1.8 - Public key infrastructure (PKI) certificates; SR 1.9 - Strength of public key authentication; SR 2.1 - Authorisation enforcement

NIS - PR.6 | Administration information systems
Description: Hardware and software resources used for administration purposes are managed and configured by the operator or, where appropriate, by the service provider that the operator has authorised to carry out administration operations.
ISO/IEC 27002: A.9.3.1 Use of secret authentication information; A.9.4 System and application access control; A.12.1.4 Separation of development, testing and operational environments; A.12.4.3 Administrator and operator logs
NIST CSF: PR.AC Identity Management, Authentication and Access Control (1, 3, 4, 6, 7); PR.DS Data Security (5, 6, 7); PR.AT Awareness and Training (2, 3, 4); PR.PT Protective Technology (4)
CLC/TS 50701: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.3 - Account management; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.6 - Wireless access management; SR 1.7 - Strength of password-based authentication; SR 1.8 - Public key infrastructure (PKI) certificates; SR 1.9 - Strength of public key authentication; SR 1.10 - Authenticator feedback; SR 2.1 - Authorisation enforcement; SR 5.2 - Zone boundary protection (deny by default, allow by exception); SR 6.1 - Audit log accessibility
Identity and access management

NIS - PR.7 | Authentication and identification
Description: For identification, the operator sets up unique accounts for users or for automated processes that need to access CIS resources. Unused or no longer needed accounts are to be deactivated. A regular review process should be established.
ISO/IEC 27002: A.9.1 Business requirements of access control; A.9.3 User responsibilities; A.9.4 System and application access control; A.9.4.2 Secure log-on procedures; A.9.4.3 Password management system
NIST CSF: PR.AC Identity Management, Authentication and Access Control (1, 4, 6, 7); PR.DS Data Security (5)
CLC/TS 50701: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.3 - Account management; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.6 - Wireless access management; SR 1.7 - Strength of password-based authentication; SR 1.8 - Public key infrastructure (PKI) certificates; SR 1.9 - Strength of public key authentication; SR 1.10 - Authenticator feedback; SR 1.11 - Unsuccessful login attempts; SR 1.12 - System use notification; SR 1.13 - Access via untrusted networks; SR 2.1 - Authorisation enforcement; SR 2.2 - Wireless use control; SR 2.3 - Use control for portable and mobile devices; SR 2.4 - Mobile code; SR 2.5 - Session lock; SR 2.6 - Remote session termination; SR 2.7 - Concurrent session control; SR 5.2 - Zone boundary protection
NIS - PR.8 | Access rights
Description: Among the rules defined in its ISSP, the operator grants access rights to a user or an automated process only when that access is strictly necessary for the user to carry out their mission or for the automated process to carry out its technical operations.
ISO/IEC 27002: A.9.1 Business requirements of access control; A.9.2 User access management; A.9.4.4 Use of privileged utility programs; A.9.4.5 Access control to program source code
NIST CSF: ID.AM Asset Management (5, 6); PR.AC Identity Management, Authentication and Access Control (1, 4, 6, 7); PR.DS Data Security (5); PR.PT Protective Technology (3)
CLC/TS 50701: SR 1.1 - Human user identification and authentication; SR 1.2 - Software process and device identification and authentication; SR 1.3 - Account management; SR 1.4 - Identifier management; SR 1.5 - Authenticator management; SR 1.6 - Wireless access management; SR 1.7 - Strength of password-based authentication; SR 1.8 - Public key infrastructure (PKI) certificates; SR 1.9 - Strength of public key authentication; SR 1.10 - Authenticator feedback; SR 2.1 - Authorisation enforcement

IT Security Maintenance

NIS - PR.9 | IT security maintenance procedure
Description: The operator develops and implements a procedure for security maintenance in accordance with its ISSP. To this end, the procedure defines the conditions enabling the minimum security level to be maintained for CIS resources.
ISO/IEC 27002: 6.2 Information security objectives and planning to achieve them; 7.5.3 Control of documented information; 8.1 Operational planning and control; 10.1 Nonconformity and corrective action; A.8.2 Information classification; A.11.2 Equipment; A.12.1.2 Change management; A.12.6.1 Management of technical vulnerabilities; A.13.1 Network security management; A.14.1 Security requirements of information systems; A.14.2 Security in development and support processes; A.14.3 Test data; A.15.2 Supplier service delivery management
NIST CSF: PR.MA Maintenance (1, 2); PR.IP Information Protection Processes and Procedures (1, 2, 3, 4, 7); PR.DS Data Security (3, 4); ID.SC Supply Chain Risk Management (4)
CLC/TS 50701: SR 3.1 - Communication integrity; SR 3.3 - Security functionality verification; SR 3.4 - Software and information integrity; SR 3.8 - Session integrity; SR 6.1 - Audit log accessibility; SR 7.6 - Network and security configuration settings

Physical and environmental security

NIS - PR.10 | Physical and environmental security
Description: The operator prevents unauthorised physical access to, damage to and interference with the organisation's information and information processing facilities.
ISO/IEC 27002: A.6.2 Mobile devices and teleworking; A.8.1 Responsibility for assets; A.11 Physical and environmental security
NIST CSF: ID.AM Asset Management (1, 4); DE.CM Security Continuous Monitoring (2, 3, 6); PR.IP Information Protection Processes and Procedures (5, 6); PR.AC Identity Management, Authentication and Access Control (2, 3); PR.DS Data Security (3); PR.PT Protective Technology (2, 5)
CLC/TS 50701: SR 1.13 - Access via untrusted networks; SR 2.6 - Remote session termination; SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failures; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation; SR 4.2 - Information persistence; SR 5.1 - Network segmentation; SR 5.2 - Zone boundary protection; SR 7.5 - Emergency power; SR 7.8 - Control system component inventory

Table 8: Defence

Columns: ID | Security measure | Description | ISO/IEC 27002 measures (entries without the "A." prefix are ISO/IEC 27001 management-system clauses; "A.x" entries are Annex A controls, detailed in ISO/IEC 27002:2013) | NIST CSF measures (subcategory numbers in brackets) | CLC/TS 50701 measures (SR numbering as in IEC 62443-3-3)

Detection

NIS - DF.1 | Detection
Description: The operator sets up a security incident detection system of the "analysis probe for files and protocols" type. These probes analyse the data flows transiting through them to seek out events likely to affect the security of the CIS.
ISO/IEC 27002: 9.1 Monitoring, measurement, analysis and evaluation; A.12.2 Protection from malware; A.12.4 Logging and monitoring; A.12.6.1 Management of technical vulnerabilities; A.15.2.1 Monitoring and review of supplier services
NIST CSF: PR.DS Data Security (6, 8); DE.AE Anomalies and Events (1, 5); DE.CM Security Continuous Monitoring (1, 2, 3, 4, 5, 6, 7); DE.DP Detection Processes (1, 2, 3); PR.PT Protective Technology (1)
CLC/TS 50701: SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failures; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation; SR 3.1 - Communication integrity; SR 3.2 - Malicious code protection; SR 3.3 - Security functionality verification; SR 3.4 - Software and information integrity; SR 3.8 - Session integrity; SR 3.9 - Protection of audit information; SR 5.1 - Network segmentation; SR 5.2 - Zone boundary protection; SR 5.4 - Application partitioning; FR 6 - Timely response to events
NIS - DF.2 | Logging
Description: The operator sets up a logging system on each CIS to record events relating, at least, to user authentication, management of accounts and access rights, modifications to security rules, and the functioning of the CIS.
ISO/IEC 27002: 9.1 Monitoring, measurement, analysis and evaluation; A.12.4 Logging and monitoring; A.14.1.2 Securing application services on public networks; A.15.2.1 Monitoring and review of supplier services; A.18.1.3 Protection of records
NIST CSF: ID.RA Risk Assessment (1); ID.SC Supply Chain Risk Management (1); PR.MA Maintenance (1, 2); DE.CM Security Continuous Monitoring (1, 2, 3, 6, 7); DE.AE Anomalies and Events (3); RS.MI Mitigation (3); PR.PT Protective Technology (1)
CLC/TS 50701: SR 1.12 - System use notification; SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failures; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation; SR 3.9 - Protection of audit information; FR 6 - Timely response to events; SR 6.2 - Continuous monitoring; SR 7.8 - Control system component inventory
NIS - DF.3 | Log correlation and analysis
Description: The operator creates a log correlation and analysis system that mines the events recorded by the logging system installed on each of the CIS to detect events that affect CIS security.
ISO/IEC 27002: 9.1 Monitoring, measurement, analysis and evaluation; 9.3 Management review; A.16.1.4 Assessment of and decision on information security events; A.16.1.7 Collection of evidence
NIST CSF: ID.RA Risk Assessment (4, 5); PR.PT Protective Technology (1); DE.AE Anomalies and Events (2, 3, 4); DE.DP Detection Processes (3, 4, 5); PR.IP Information Protection Processes and Procedures (7); RS.AN Analysis (1, 5)
CLC/TS 50701: SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failures; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation; SR 3.9 - Protection of audit information; FR 6 - Timely response to events
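DF.2 names the event classes a CIS must log and DF.3 requires them to be correlated. The Python below is an added example, not code from the ENISA report or from any operator: it runs three correlation rules over constructed log lines in a key=value format, namely a burst of failed logins from one source followed by a success, an account or access-rights change made by an account that is not on the PR.5 administration list, and a CIS whose log source has gone silent (the audit-processing failure that SR 2.10 asks the operator to respond to). The host names, account names, addresses, thresholds and the log format itself are assumptions made for the example.

```python
# Added example, not from the ENISA report: correlation rules over the event
# classes that DF.2 requires to be logged and DF.3 to be analysed. The key=value
# log format, hosts, accounts, addresses and thresholds are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Administration accounts on the up-to-date list required by PR.5 (constructed).
ADMIN_ACCOUNTS = {"adm-eng01", "adm-ops02"}
BRUTE_FORCE_THRESHOLD = 5                  # failed logins from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window
SILENCE_WINDOW = timedelta(minutes=30)     # a CIS quiet for longer is suspect

# Constructed log lines: one record per line, ISO 8601 UTC timestamp first,
# then key=value fields. Events on ixl-01 show a password-guessing burst that
# succeeds and is followed by the compromised account adding itself to wheel.
SAMPLE_LOG = """\
2021-11-03T09:50:00Z host=ptd-03 event=system.heartbeat
2021-11-03T10:15:02Z host=ixl-01 event=auth.failure user=eng01 src=10.20.4.12
2021-11-03T10:15:09Z host=ixl-01 event=auth.failure user=eng01 src=10.20.4.12
2021-11-03T10:15:15Z host=ixl-01 event=auth.failure user=admin src=10.20.4.12
2021-11-03T10:15:21Z host=ixl-01 event=auth.failure user=root src=10.20.4.12
2021-11-03T10:15:28Z host=ixl-01 event=auth.failure user=eng01 src=10.20.4.12
2021-11-03T10:15:40Z host=ixl-01 event=auth.success user=eng01 src=10.20.4.12
2021-11-03T10:16:05Z host=rbc-02 event=auth.success user=adm-ops02 src=10.10.5.3
2021-11-03T10:18:30Z host=ixl-01 event=account.group-add user=eng01 target=eng01 group=wheel
2021-11-03T10:20:00Z host=fw-zone-a event=secrule.modify user=adm-eng01 rule=allow-signalling-to-scada-tcp-102
2021-11-03T10:40:00Z host=rbc-02 event=system.heartbeat
"""


def parse(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def correlate(log_text):
    """Return [(alert kind, record or detail dict)] in timestamp order."""
    records = sorted(map(parse, log_text.splitlines()), key=lambda r: r["ts"])
    alerts = []
    recent_failures = defaultdict(deque)  # (host, src) -> failure times in window
    last_seen = {}                        # host -> timestamp of its latest event
    for rec in records:
        host, event, user = rec["host"], rec["event"], rec.get("user")
        last_seen[host] = rec["ts"]
        if event in ("auth.failure", "auth.success"):
            window = recent_failures[(host, rec.get("src"))]
            while window and rec["ts"] - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()          # forget failures outside the window
            if event == "auth.failure":
                window.append(rec["ts"])
            else:
                if len(window) >= BRUTE_FORCE_THRESHOLD:
                    alerts.append(("brute-force-success", rec))
                window.clear()
        elif event in ("account.create", "account.group-add", "access.grant"):
            if user not in ADMIN_ACCOUNTS:  # PR.5: only administration accounts
                alerts.append(("account-change-by-non-admin", rec))
        elif event == "secrule.modify":
            if user not in ADMIN_ACCOUNTS:
                alerts.append(("secrule-change-by-non-admin", rec))
    if last_seen:
        newest = max(last_seen.values())
        for host, ts in sorted(last_seen.items()):
            if newest - ts > SILENCE_WINDOW:  # SR 2.10: audit source stopped
                alerts.append(("logging-silence",
                               {"host": host, "last_seen": ts.isoformat()}))
    return alerts


if __name__ == "__main__":
    for kind, detail in correlate(SAMPLE_LOG):
        print(kind, detail)
```

On the sample log this yields three alerts: the successful login on ixl-01 after five failures from 10.20.4.12, the group change made by eng01 rather than an administration account, and ptd-03, whose last record is 50 minutes older than the newest event. The firewall rule change by adm-eng01 produces nothing, because it was made by a listed administration account; whether it was also an authorised change is a question for the PR.9 change-management record, not for this correlation.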

Computer Security Incident Management

NIS - DF.4 | Information system security incident response
Description: The operator creates, keeps up to date and implements a procedure for handling, responding to and analysing incidents that affect the functioning or the security of its CIS, in accordance with its ISSP.
ISO/IEC 27002: A.16.1 Management of information security incidents and improvements; A.16.1.7 Collection of evidence
NIST CSF: ID.RA Risk Assessment (3, 4, 5, 6); ID.SC Supply Chain Risk Management (5); PR.IP Information Protection Processes and Procedures (9, 10); RS.AN Analysis (1, 2, 3, 4, 5); RS.MI Mitigation (1, 2, 3); RS.IM Improvements (1, 2); RS.CO Communications (1, 3, 4, 5); RS.RP Response Planning (1); RC.RP Recovery Planning (1); RC.CO Communications (2)
CLC/TS 50701: SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failures; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation; SR 3.9 - Protection of audit information; SR 5.1 - Network segmentation; SR 5.2 - Zone boundary protection; SR 5.4 - Application partitioning; FR 6 - Timely response to events
NIS - DF.5 | Incident reporting
Description: The operator creates, keeps up to date and implements procedures for incident reporting.
ISO/IEC 27002: 7.5 Documented information; A.12.1 Operational procedures and responsibilities; A.16.1 Management of information security incidents and improvements
NIST CSF: RS.CO Communications (2, 3, 4, 5); DE.DP Detection Processes (4)
CLC/TS 50701: SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failures; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation; SR 3.9 - Protection of audit information; FR 6 - Timely response to events
NIS - DF.6 | Communication with competent authorities and CSIRTs
Description: The operator implements a service that enables it to take note, without delay, of information sent out by its national competent authority concerning incidents, vulnerabilities, threats and relevant mappings (up-to-date inventory of CIS, interconnections of CIS with third-party networks, etc.).
ISO/IEC 27002: 7.4 Communication; 7.5 Documented information; A.6.1 Internal organisation; A.8.2.2 Labelling of information
NIST CSF: RS.CO Communications (2, 3, 4, 5); DE.DP Detection Processes (4); ID.RA Risk Assessment (2)
CLC/TS 50701: SR 2.8 - Auditable events; SR 2.9 - Audit storage capacity; SR 2.10 - Response to audit processing failures; SR 2.11 - Timestamps; SR 2.12 - Non-repudiation; SR 3.9 - Protection of audit information; FR 6 - Timely response to events

Table 8: Resilience

Columns: ID | Security measure | Description | ISO/IEC 27002 measures | NIST CSF measures | CLC/TS 50701 measures

Continuity of operations

NIS - RS.1 | Business continuity management
Description: In accordance with its ISSP, the operator defines objectives and strategic guidelines regarding business continuity management in case of an IT security incident.
ISO/IEC 27002: 9.3 Management review; 10.2 Continual improvement; A.5.1.2 Review of the policies for information security; A.11.2.4 Equipment maintenance; A.17.1 Information security continuity; A.17.2 Redundancies
NIST CSF: ID.RM Risk Management Strategy (1, 2, 3); PR.IP Information Protection Processes and Procedures (4, 7, 9, 10); RS.IM Improvements (2); RC.IM Improvements (1, 2); RC.RP Recovery Planning (1); RC.CO Communications (1, 2, 3); PR.PT Protective Technology (5)
CLC/TS 50701: SR 2.8 - Auditable events; SR 3.1 - Communication integrity; SR 3.3 - Security functionality verification; SR 3.6 - Deterministic output; SR 3.7 - Error handling; SR 4.1 - Information confidentiality; SR 4.2 - Information persistence; SR 5.2 - Zone boundary protection; SR 6.1 - Audit log accessibility; SR 7.1 - Denial of service protection; SR 7.2 - Resource management; SR 7.3 - Control system backup; SR 7.4 - Control system recovery and reconstitution; SR 7.5 - Emergency power
NIS - RS.2 | Disaster recovery management
Description: In accordance with its ISSP, the operator defines objectives and strategic guidelines regarding disaster recovery management in case of a severe IT security incident.
ISO/IEC 27002: A.17.2 Redundancies
NIST CSF: ID.BE Business Environment (5); PR.PT Protective Technology (5); PR.IP Information Protection Processes and Procedures (9, 10); PR.DS Data Security (4); RC.IM Improvements (1, 2); RC.RP Recovery Planning (1)
CLC/TS 50701: SR 5.2 - Zone boundary protection; SR 7.1 - Denial of service protection; SR 7.2 - Resource management; SR 7.3 - Control system backup; SR 7.4 - Control system recovery and reconstitution; SR 7.5 - Emergency power
Crisis management

NIS - RS.3 | Crisis management organisation
Description: The operator defines in its ISSP the organisation for crisis management in case of IT security incidents, so as to ensure the continuity of the organisation's activities.
ISO/IEC 27002: 5.3 Organisational roles, responsibilities and authorities; A.6.1.1 Information security roles and responsibilities; A.11.2.4 Equipment maintenance; A.17.1 Information security continuity
NIST CSF: ID.BE Business Environment (5); PR.DS Data Security (4); PR.IP Information Protection Processes and Procedures (10)
CLC/TS 50701: SR 3.3 - Security functionality verification; SR 7.1 - Denial of service protection; SR 7.2 - Resource management; SR 7.3 - Control system backup; SR 7.4 - Control system recovery and reconstitution
NIS - RS.4 | Crisis management process
Description: The operator defines in its ISSP the processes for crisis management that the crisis management organisation will implement in case of IT security incidents, so as to ensure the continuity of the organisation's activities.
ISO/IEC 27002: 7.4 Communication; 9.3 Management review; 10.2 Continual improvement; A.5.1.2 Review of the policies for information security; A.6.1.3 Contact with authorities; A.11.2.4 Equipment maintenance; A.17.1 Information security continuity
NIST CSF: RC.CO Communications (1, 2, 3); RC.RP Recovery Planning (1); RS.IM Improvements (1, 2); ID.SC Supply Chain Risk Management (5); PR.IP Information Protection Processes and Procedures (4, 9, 10); PR.PT Protective Technology (5)
CLC/TS 50701: SR 2.8 - Auditable events; SR 3.3 - Security functionality verification; SR 6.1 - Audit log accessibility; SR 7.1 - Denial of service protection; SR 7.2 - Resource management; SR 7.3 - Control system backup; SR 7.4 - Control system recovery and reconstitution

TP-01-21-425-EN-N

ABOUT ENISA
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to
achieving a high common level of cybersecurity across Europe. Established in 2004 and
strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity
contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and
processes with cybersecurity certification schemes, cooperates with Member States and EU
bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge
sharing, capacity building and awareness raising, the Agency works together with its key
stakeholders to strengthen trust in the connected economy, to boost resilience of the
Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure.
More information about ENISA and its work can be found here: www.enisa.europa.eu.

ISBN 978-92-9204-545-6
doi: 10.2824/92259
