Cybersecurity challenges for the railway sector



From Heraclitus, who believed that "War is father of all, and king of all", to the Network and Information Security Directive (NIS 2), the Critical Entities Resilience Directive (CER) and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), conflict has shaped how critical infrastructure, railways included, is expected to defend itself.

In the European Union, we have two major developments:

- the Network and Information Security Directive (NIS 2), which replaces and repeals the NIS Directive (Directive (EU) 2016/1148). NIS 2 strengthens cybersecurity risk management requirements and introduces incident reporting obligations across sectors such as energy, transport, health and digital infrastructure.

In Annex I (Sectors of High Criticality), under the rail subsector of transport, we find that "Infrastructure managers, responsible in particular for establishing, managing and maintaining railway infrastructure, including traffic management and control-command and signalling", "Railway undertakings, including operators of service facilities" and "Operators of service facility, any public or private entity responsible for managing one or more service facilities or supplying one or more services to railway undertakings" are in the scope of the NIS 2 Directive.

- the Critical Entities Resilience Directive (CER). Its 11 sectors are: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for society and the economy. "Infrastructure managers", "Railway undertakings" and "operators of service facilities" are in the scope of the Critical Entities Resilience Directive (CER).

There are also specific actions applicable to rail, such as increasing the resilience of the European Railway Traffic Management System (ERTMS), and the further introduction of the telematics applications for freight and passenger services (TAF/TAP) for data and message exchange, within the revision of the Technical Specifications for Interoperability (TSIs) due by 2022.

UNIFE (in French, the Union des Industries Ferroviaires Européennes, or the European Rail Supply Industry Association), is the association representing the rail supply industry at the European Union (EU) and international levels. UNIFE’s members include more than 100 companies – from SMEs to large industrial players – active in the design, engineering and manufacture of rolling stock (i.e., trains, metros, trams, freight wagons) as well as rail signalling and infrastructure equipment.

In the "UNIFE Position Paper on Cybersecurity in Railways", we read that the European rail supply industry recognises that mitigating cyber threats is vital to maintaining safe, reliable railway and urban rail public transport. This is no small feat given the complex interdependencies of these systems and their legacy infrastructure elements. Cybersecurity is a key requirement to enable these mobility systems to effectively deploy and fully leverage a connected, digital environment.

Ensuring the integrity of both mainline and urban rail transport systems and maintaining operational continuity standards is an objective which is shared by the whole sector. Cybersecurity threats are usually cross-border, and a cyber-attack on the critical infrastructure of one country can easily affect the whole EU.


In the USA, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

CIRCIA includes a number of requirements related to the reporting and sharing of covered cyber incidents, including the following:

- Cyber Incident Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.

- Federal Incident Report Sharing: Any federal entity receiving a report on a cyber incident after the effective date of the final rule must share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours.

- Cyber Incident Reporting Council: DHS must establish and chair an intergovernmental Cyber Incident Reporting Council (Council) to coordinate, deconflict, and harmonize federal incident reporting requirements.

CIRCIA additionally authorizes or requires a number of initiatives related to combatting ransomware, including the following:

- Ransom Payment Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payment as a result of a ransomware attack. CISA must share such reports with federal agencies, as above.

- Ransomware Vulnerability Warning Pilot Program: CISA must establish a pilot to identify systems with vulnerabilities to ransomware attacks and may notify the owners of those systems.

- Joint Ransomware Task Force: CISA has announced the launch of the Joint Ransomware Task Force in accordance with the statute to build on the important work that has already begun to coordinate an ongoing nationwide campaign against ransomware attacks. CISA will continue working closely with the Federal Bureau of Investigation and the National Cyber Director to build the task force.

On October 18, 2022, the U.S. Transportation Security Administration (TSA) rolled out its third Security Directive (SD) for U.S. passenger and freight railroads. It builds upon two previous Security Directives published in 2021: SD 1580-2021-01 “Enhancing Rail Cybersecurity” and SD 1582-2021-01 “Enhancing Public Transportation and Passenger Railroad Cybersecurity.”

Developed with extensive input from industry stakeholders and federal partners, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Transportation’s Federal Railroad Administration (FRA), this "Enhancing Rail Cybersecurity – SD 1580/82-2022-01" strengthens cybersecurity requirements and focuses on performance-based measures to achieve critical cybersecurity outcomes.

The security directive requires that TSA-specified passenger and freight railroad carriers take action to prevent disruption and degradation to their infrastructure to achieve the following critical security outcomes:

1. Develop network segmentation policies and controls to ensure that the Operational Technology system can continue to safely operate in the event that an Information Technology system has been compromised, and vice versa;

2. Create access control measures to secure and prevent unauthorized access to critical cyber systems;

3. Build continuous monitoring and detection policies and procedures to detect cybersecurity threats and correct anomalies that affect critical cyber system operations; and

4. Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.

Passenger and freight railroad carriers are required to:

1. Establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the passenger and freight rail carriers are utilizing to achieve the security outcomes set forth in the security directive.

2. Establish a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.


Russia’s invasion of Ukraine has changed the cybersecurity landscape and has created new cybersecurity threats across the world. The US Cybersecurity & Infrastructure Security Agency (CISA) has warned all organisations that it’s time to put “shields up.” In the UK, the National Cyber Security Centre (NCSC) has cautioned British organisations about the heightened risk of attacks, asking them to strengthen their defences.

According to the European External Action Service (EEAS) which is the European Union’s diplomatic service: "This war will force us to increase our defence spending. We need to spend more but above all to spend better, i.e. jointly. Some member states, such as Germany, have already taken important new measures in this area with €100 billion additional defence spending in 2022 and an increase of the defence budget to above 2 % of GDP from 2024. This must be the case everywhere where defence spending is still too low."

According to Heraclitus, "War is father of all, and king of all". It sounds true for railway cybersecurity too: many "nice to have" projects have become "must have".


Our training programs

Cyber Risk GmbH offers training programs in some difficult areas, such as the new NIS 2 Directive of the European Union, which changes the compliance requirements of many entities in the railway sector, and programs that help the Board of Directors and the CEO understand cybersecurity challenges.

The Board of Directors and the CEO of entities in the railway sector must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.


You may visit:

Cybersecurity Training for the Railway Sector.

The NIS 2 Directive as it applies in the Railway Sector.

Cybersecurity Training for the Board of Directors in the Railway Sector.

