Railway infrastructures are moving towards more intelligent, connected, user-centric and collaborative systems. While it brings many advantages for the industry and users, it also poses new opportunities for cyber-criminals and terrorists. CYRail delivered tailored...
Railway infrastructures are moving towards more intelligent, connected, user-centric and collaborative systems. While it brings many advantages for the industry and users, it also poses new opportunities for cyber-criminals and terrorists.
CYRail delivered tailored specifications and recommendations for secure modern rail systems design and operation. CYRail took advantage of developments in other industries (aeronautics, automotive, energy and IT) and brought them into the railway sector, taking similarities and specificities into account.
Within a comprehensive operational scenario, CYRail identified a set of vulnerabilities through iterative security assessments. Within a list of vulnerabilities identified, it was possible to select new technologies that allows to detect and mitigate threats to the railway operation and the safety of their users.
Countermeasures and resilience mechanisms were defined in ways that allows not only to upgrade existing networks but also deploying new installations, to ensure that railways systems can keep operating within security and safety parameters in any circumstance.
A recommendations brochure, that summarizes most of the project results, and other information can be obtained on www.cyrail.eu.
CYRail has reached the end of the project, and although some minor deviations have happened, CYRail Project and Consortiums members had successfully accomplished the main goals for the project reaching the planned milestones and associated deliverables.
CYRail project, after a productive end-users workshop were several Advisory Board members were present, was able to define a comprehensive operational scenario with different use cases. With the definition of a formal methodology for security assessment, CYRail performed a first cyber security assessment, within a set of assets identified on the Operational Scenario, producing a list of vulnerabilities.
On Top of this, WP4 developed tools for Threat Identification and Management which are expected to be integrated into AirBus Threat Management Tools. WP3 provided a refined risk assessment (this assessment methodology is being published as an article), considering the impact of WP5 and WP4 results. WP5 defined a set of Countermeasures and Mitigation strategies, along with resilience mechanisms which are considered on the WP6 protection profiles, which is one of the major project results, and that can contribute for certification authorities work on cybersecurity for railways, and public transport in general.
Projects results are being widely disseminated, and details of partners efforts can be seen on Deliverable D7.4.
We can safely say, that the project achieved the results and objectives as foreseen.
Security requirements, such as Protection Profile are usually specified based on general, expected security needs by the developers and government agencies that may usually result in generic requirements for a component only with limited security context.
In our case we will also develop a Protection Profile, but this is done on a well-founded understanding of the security needs of the users (operators), derived from a risk assessment, taking into account the specific use cases and scenarios. This means that we will be able to better address the actual needs.
Second we will develop this Protection Profile in a context of system accreditation, ISA-62443. This means that aspects such as integration and maintenance, which are essential for secure operation over time, will be addressed by the project.
Third, we will also take the aspects of secure design into consideration. Although this is the basis for security, it is something that is often neglected when specifying security requirements, independent if these are ISO/IEC 15408 or any other standard.
Finally, we believe that the project could provide valuable input into the European security initiative [COM-2017-477] by increasing the overall transparency of cyber security assurance and avoiding fragmentation of in the EU and related security requirements and evaluation criteria by relying on and integrating existing security standards for an important industry.
More info: http://cyrail.eu.