First Transport Cybersecurity Conference

This inaugural event, which took place on 23 January 2019, brought together stakeholders from the aviation, maritime and railway industries to explore the issue of cybersecurity, its relevance for the transport sector in light of past incidents, and the synergies among the three transport modes.

The event was organised by the European Union Agency for Network and Information Security (ENISA), with the support of the European Commission (DG MOVE), EASA, the EU Agency for Railways (EuERA) and the European Maritime Safety Agency (EMSA), with the latter hosting the conference at their headquarters in Lisbon.

There were approximately 170 participants from all over Europe representing the three major transport modes. Collectively, they discussed the EU legal framework for cybersecurity and its relevance for the transport sector, and explored options for further cooperation. Maja Markovcic Kostelac, Executive Director of EMSA, and Per Haugaard, Director at DG MOVE, set the scene by stating that historically security had a physical sense, but that the introduction of IT systems has, over a period of time, moved the goal posts. Digital and autonomous transport systems continue to be developed, and consequently so does the need for a more robust response to the cyber threat. Therefore, there needs to be a cohesive and effective EU cybersecurity response.

Discussion Panel – agencies' perspective on cybersecurity in transport
The first discussion panel comprised representatives from DG CONNECT, EASA, EuERA, ENISA and EMSA. With aviation being the focus, safety in the industry has matured due to the many years of information exchange. However, regarding security/IT systems, improvement is still required in the sharing of information. A prime example is that such information sharing is quite often hindered by national security implications, especially when it relates to national information or conflict zones. Therefore, co-operation between stakeholders is key to a successful fight against cyber attacks. From the maritime perspective, the main opinion is that the speed of autonomous system development must be matched by equivalent cyber countermeasures.

Understanding the Threats
Each transport sector was given an opportunity to share the various cyber threats to its industry, and it was interesting to learn that there were many common areas of concern. Nederlandse Spoorwegen, who represented the railway industry, spoke about how the digitisation of both trains and railway networks has introduced many openings for cyber attack. Payment machines, passenger information, rail network computers and the safety control system are a few examples of systems that are vulnerable to attack. With this in mind, cyber risk control in the railway industry is still immature, and there is a great need for policy and oversight as threats are becoming more sophisticated and increasing the attack surface. Maritime Portugal advised that data and information have created a knowledge-driven society, opening up the risk of cyber attack. In July 2017, a prime example occurred when the maritime industry suffered a major cyber attack that targeted Maersk, affecting 47,000 computers and 4,000 servers. Additionally, there has been an increasing frequency of spoofing events affecting ECDIS (Electronic Chart Display & Information System), which is the maritime equivalent to an aircraft’s GPS. Such attacks bear a striking resemblance to incidents that are on the increase in the aviation sector.

Roles and Perspectives
An interesting presentation from Eurocontrol explained how it is not only IT and ATM systems that are vulnerable to a cyber attack. Many non-ATM systems are vulnerable, including general power, fire suppression and air conditioning, all of which could disable an office/building and cause maximum disruption. From an aircraft perspective, ground communication links, the supply chain, maintenance systems and on-board systems are all vulnerable. Regarding cyber protection, Eurocontrol outlined their support for the ‘no state/stakeholder will be left behind’ principle, advising that cybersecurity services are only effective if ALL stakeholders are able to adopt them. Network Rail from the UK outlined how the NIS (Network & Information Systems) Directive is not about hacking but instead focuses on the threats. Prior to the 2012 Olympics in London, Network Rail identified areas that could have been vulnerable to cyber attack. This resulted in the creation of their Cybersecurity Strategic Programme, developed and implemented during 2013-2018. However, for EU railway operators that run cross-border services (e.g. SNCF), problems can arise from multiple competent authorities implementing differing levels of cyber oversight.

Conclusions

  • Primarily the conference served as a fact-finding platform between the industries to understand one another’s cyber skills and threats.
  • Cyber attacks can have potentially serious consequences, resulting in loss of lives and harm to the economy.
  • The threat should be examined in a holistic manner by addressing not only internet-connected systems, but also the human element.
  • Non-regulatory actions are and should be pursued to address current cyber threats.
  • As transport is global and interconnected, a close co-operation with international partners and relevant international organisations should continue and be encouraged.
  • There should be a fostering of cross-fertilisation of ideas and experiences among the transport modes by organising meetings or workshops dedicated to cybersecurity, and bringing together experts from the different modes.
  • Development of cyber skills in the transport sector. DG MOVE will support the development of a cybersecurity ‘toolkit’ providing relevant and appropriate knowledge of good cybersecurity practices for transport staff.
  • Finally, all dialogue must continue, with the suggestion that a future conference should include representation from the road/haulage sector.

For further information, please contact Christopher.mason@eraa.org