Improving Cyber Risk Management through Collaboration, Communication and Co-Operation
During February 18th-19th Westlands Advisory attended the Cyber Senate on Rail Industry Cyber Security (https://www.cybersenate.com/new-events/railcybersecurity). The event was attended by executives and management from Train Operating Companies (TOC), Rolling Stock and Signalling Manufacturers, Cyber Security Engineers and Consultants, and Technology vendors. The presentations, panel discussions and debate during networking breaks covered issues ranging from implementation of standards to managing challenges such as third-party risk and developing defence in depth.
Innovation and change are coming to the rail industry. As infrastructure projects approach the end of lifecycles, a new era of rail travel is emerging that will be defined by digital technology, enabling improved services and better experiences. A digital rail network also brings security challenges that need to be addressed to ensure that the rail industry maintains its impressive safety record. Whilst security and safety are not inextricably linked, a security failure may have an adverse effect on rail industry safety, and this has resulted in a considerable amount of work to establish security standards and controls to improve cyber resilience.
However, it’s an unfortunate truism that security investment tends to be driven by either a significant event or due to regulation, and therefore gaining board support and finance to implement cyber security plans can be difficult. In addition, the rail industry is complex and used to long development cycles which means change can be slow.
Developing a cyber secure rail industry is a significant challenge which involves securing many complex systems, working across supply chains and borders. There is not a straight-forward solution to the cyber security threat, but there are measures that organisations can implement to reduce the risk and rail cyber security is starting to mature.
A wave of new standards and controls are in the process of being finalised (TS 50701 and IEC 62443-3-3) and there is a strong collaborative effort throughout the rail industry to improve resilience. Initiatives to improve skills and education, embed security processes as part of system design, and a willingness to work with industry to deploy the latest technologies are evidence of how approaches to security continue to evolve.
Although there has been significant progress the rail industry needs to keep improving and evolving. Implementing an effective Cyber Risk Management program, ensuring that new systems are Secure by Design, threat intelligence is shared, third party risk is reduced, and digital assets are identified and managed, are all industry priorities. They are also significant challenges that require industry-wide commitment, board level awareness and support, and a practical approach to cyber risk management.
WA developed a summary of the event in collaboration with the Cyber Senate. The paper is free for all event attendees. For Rail Operators, System Integrators and Cyber Security Technology vendors there is a £499 + VAT fee for the paper.