Mounting cybersecurity pressure is creating headaches in railway … – Help Net Security

Potential cyber threats have expanded with the integration of connected devices, the Internet of Things (IoT), and the convergence of IT and OT in railway operations.
In this Help Net Security interview, Dimitri van Zantvliet, Cybersecurity Director/CISO of Dutch Railways and co-chair of the Dutch and European Rail ISAC, talks about cyber attacks on railway systems, building a practical cybersecurity approach, and cyber legislation.
At the Dutch Railways (but this goes for our entire sector), our cyber jobs have evolved to focus more heavily on cybersecurity in the face of increased digital transformation, threat landscape, and cyber legislation. With the integration of connected devices, the IoT and IT-OT convergence throughout our operations, the attack surface for potential cyber threats has greatly expanded.
As such, our main responsibilities include implementing and maintaining robust security measures to protect our systems and networks from cyber-attacks. This includes regularly assessing and mitigating risks, implementing security protocols and controls, and ensuring compliance with railway sector regulations.
Additionally, our IT and operations teams work closely with our strategic and GRC teams to integrate security into the design and deployment of new technologies, as well as to develop incident response plans to address any security breaches that may occur. In summary, the increasing digital transformation in the railway industry has emphasized the need for a top-level, proactive and comprehensive approach to cybersecurity to protect the company’s assets and customers’ and employees’ data. Cybersecurity has become Chefsache!
Yes, 100%. We keep track of all incidents that are happening in the sector together with our (European) Railway ISAC, local NCSCs and ENISA. Cyber-attacks on the railway industry have been increasing in recent years, as this vital sector too becomes more reliant on digital systems and connected devices as you mentioned before. The types of attacks that we see include:
We educate and train employees on the importance of cybersecurity and the methods as described above. This includes regular security awareness training and simulated phishing campaigns to test employees’ susceptibility to social engineering attacks. Finally, we have implemented and are continuously working on a multi-layered and zero trust security approach that includes both traditional IT security controls such as firewalls and intrusion detection systems, as well as OT control system-specific security controls and new approaches like continuous cyberpolicy enforcement.
Well, there are several key steps that you can take in your first 100 days:
Don’t limit yourself and your teams to those bullet points but also work on compliance, incident response, and supply chain collaboration. Don’t be afraid to ask your colleague CISOs for advice; I will be happy to give some guidance too.
Yes, that’s always a challenge as these systems may still be in use but are no longer supported by the vendor. Some assets (like trains) have a lifecycle of 30 years. It depends a bit on the Purdue level this asset is working in, but some of the ways to address this issue include:
We closely follow what our friends on the other side of the pond are developing. Your president seems to have embraced cybersecurity and I recently had the privilege to meet with his Cyber Security Director Chris Inglis. Vital infrastructures will be specific targets for attacks so having legislation in place to speed up the resilience is perfect in my opinion. Having the possibility to fine organizations that purposely do not comply is necessary as well. We’re only as strong as the weakest supply chain link. In Europe we are similarly working on implementing the NIS directive and recently the Commission has issued the NIS2 and Critical Entities Resilience (CER) directives. I applaud these initiatives.
In general, I believe that requiring institutions, groups, and companies whose service interruptions might jeopardize the economy or public security to report cyber incidents is a positive step towards improving the security of our critical infrastructure. By mandating the reporting of incidents, organizations will be able to share information about threats, vulnerabilities, and best practices, which will help to improve the overall security of the sector.
I also believe that new cyber legislation is an important step in the right direction, but it’s just one piece of the puzzle. Organizations must take a holistic and proactive approach to cybersecurity to effectively protect their critical infrastructure from cyber threats. I am positive that if we have the right commitment to do this, the Railway Sector will become more resilient day after day!
