VIAVI Solutions
Cyber Security Is a Minimum, Not a Plus
This article first appeared in the Railway-News magazine, Issue 2 2023.
In this article, Eric-Vittorio Li Destri, the Railway & MCx Cyber Security Product Line Manager at VIAVI Solutions, explains the new EU NIS2 and Cyber Resilience Act regulations and why railway operational technology is so vulnerable to attack.
EU cyber security regulation, as everywhere in the world, is currently evolving.
A big bang event, larger than GDPR, will take place in the next 18 months across Europe. Member States will need to integrate the EU (Network and Information Systems) NIS2 Directive and also comply with the new Cyber Resilience Act (CRA).
These new cyber security regulations cover a wide range of industries and sectors, including railway, both from an IT and an OT (operational technology) perspective.
EU NIS2 Regulation
Before we examine railway OT and its potential cybervulnerabilities, let’s first clarify the new regulations and what they mean for the railway industry, especially regarding telecoms and signalling systems.
NIS2 was published on 28 November 2022, giving EU Member States 21 months to incorporate it into their respective national cyber security laws (i.e. by August 2024). Outside the EU, other countries such as the UK and USA are generally expected to follow this approach.
Centred on three pillars – capabilities, risk management and reporting, and co-operation and information exchange – the NIS2 Directive seeks to enhance cyber security by:
- Defining a minimum set of measures
- Ensuring there is a risk-based approach to managing cyber security
- Enforcing management accountability
- Reporting and sharing information on significant incidents
The penalty for failure to comply is significant – from EUR 10m for small companies, to up to 1.4% (and even 2%) of annual group turnover worldwide, if the requirements are not fulfilled. And it’s not just the company which can be fined, so can its board!
