SECUR-ED Cyber-security roadmap for PTOs



Document identification

Related SECUR-ED SP / WP: SP3 / WP35
Related SECUR-ED Deliverable:
Reference: SCR-WP35-T-THA
Dissemination Level: PUBLIC
Lead Participant: THALES
Lead Author(s): João Lima (INO), Thieyacine Fall (THA), Nelson Escravana (INO)
Contributors: INOV
Reviewers: INOV, THALES, RATP

This document is issued in the frame and for the purpose of the SECUR-ED project. This project has received funding from the European Union's Seventh Framework Programme (FP7/ ) under grant agreement n

This document and its contents are the property of SECUR-ED Partners. All rights relevant to this document are determined by the applicable laws. Access to this document does not grant any right or license on the document or its contents. This document or its contents are not to be used or treated in any manner inconsistent with the rights or interests of SECUR-ED Partners or to their detriment, and are not to be disclosed externally without prior written consent from SECUR-ED Partners. Each SECUR-ED Partner may use this document in conformity with the SECUR-ED Consortium Agreement provisions.

Document name: SECUR-ED Cyber-security roadmap for PTOs Page 1 of 107

History

Version | Status | Date | Author | Main Changes
1.0 | Draft | 14/04/2014 | THALES | First internal draft
1.1 to 1.8 | Draft | 31/08/2014 | THALES, INOV | Completion of the various sections
1.9 | Under review | 11/09/2014 | THALES, INOV | Version under review
2.0 | Under review | 14/10/2014 | THALES | RATP comments taken into account
3.0 | Issued | 20/10/2014 | THALES | Final version

Contact

THALES: Thieyacine Fall
INOV: João Lima, Nelson Escravana

TABLE OF CONTENTS

History ... 2
Contact ... 3
TABLE OF CONTENTS
1 Abstract & Summary
2 Concepts & definitions
  2.1 Safety versus Security versus Cybersecurity
  2.2 Most disruptive concepts/technologies in years to come
    Industrial Internet of Things
    Industry 4.0
    Predictive Maintenance and Big Data
    Intelligent Transport Systems (ITS)
    Automatic Train Control
3 Risk management and cybersecurity for a PTO
  3.1 Enterprise Risk Management overview
  3.2 Urban transport Risk Management overview
    Safety risk management
    Security (people and assets) risk management
    Internal control (internal fraud) management
    Information security/cybersecurity risk management
    Interactions between risk management approaches
Architecture framework (IT-related) and assets within a PTO
  On-board, wayside, station and OCC control networks
    On-board control network
    Wayside control network
    Station control network
    OCC control network
  Energy distribution automation systems
  Train control and automatic operation systems
    Computer-based Train Control (CBTC)
  Passenger information systems (PIS)
  Ticketing systems
  Surveillance systems (Video systems, Intrusion Detection, Physical access control)
  Bus Transport Technology
Security standards, best practices and recommendations applicable for a PTO
  Energy distribution and automation control (EDAC) systems
    EDAC system communication security ... 43
    5.1.2 Substation intelligent electronic devices security
    EDAC security management system
  Industrial automation and control systems (IACS)
    IACS availability
    IACS security management system
    Security certification
  Government/International agencies recommendations
  Information technology systems
    ISO standards
    NIST standards
    German BSI IT-Grundschutz
    Open Security Architecture (OSA)
  Security Management, Governance and Business alignment
  European regulation
    Personal information protection aspects
    Cyber-attack protection aspects
Impact on PTO organisations
Future procurement and outsourcing
  Procurement recommendations and guidelines
  IT Outsourcing and Cloud deployment
Implementation approach and first affordable measures
  ISMS implementation
    ISMS functions
    ISMS process
    Preliminary PTO ISMS implementation approach
  Essential Security measures
    Essential rules and recommendations
    Essential security controls
  Defence-in-depth and legacy system protection
    Legacy systems protection
    Defence-in-depth architectures
  Advanced and targeted-attack protection measures
Further directions
  Organisational requirements
  Standardization/Certification and regulation
    Standardization/Certification
    EU Regulation
  Development of cybersecurity technologies
  Cybersecurity supervision
References ... 89
  11.1 List of acronyms
  Referenced documents
  Referenced Standards listing
    ISO
    IEC
    IEEE
    NIST
    Additional standards

1 Abstract & Summary

As more and more Europeans live in urban areas, urban mass transportation has become the de-facto preferred, and often the only possible, transport mode for a significant part of daily commuters. The sensitive role public transport operators (PTOs) play in society, in terms of the consequences that a service disruption would have, makes security in mass transportation a key objective. As a matter of fact, the mission statements of a public urban transport operator can be summarised as follows:

- Provide passengers a reliable, fast and convenient transport with customer care;
- Protect passengers, personnel and assets from hazards and threats.

Similar to many Critical Infrastructures (CIs), urban public transport usually requires several forms of industrial control systems (ICS) to manage dynamic physical processes. In the past these were highly isolated with no outside connections (air-gapped networks), and were implemented with proprietary control and communication technologies. Although, in the recent past, the emergence of highly sophisticated attacks has repeatedly demonstrated that air-gapped systems can be circumvented, some PTOs still rely on isolation as their way to protect themselves.

With the development and dissemination of new concepts (such as Industry 4.0, predictive maintenance and big data, Automated Train Control systems) and modern ICT technology, new systems and technologies are being introduced into PTO infrastructures, and often connected with legacy systems, to increase PTOs' efficiency and effectiveness in transporting passengers in an increasingly competitive environment. This has increased the dependency on information systems and technology to assist and optimize operations, which in turn makes it urgent to address the protection of the PTO's cyber infrastructure.
Protecting the information-processing infrastructure of PTOs is, however, especially challenging if one considers the wide range of threats that may target it, and the coexistence of long-lifecycle technologies (like most ICS) with rapidly changing new technologies. These threats may range from malware infections aiming to disrupt the operation of the public transportation network, all the way to highly targeted terrorist attacks aiming to inflict mass casualties. Moreover, the strategy commonly used by PTOs to handle cybersecurity (as is commonplace in many organisations) tends to keep physical/infrastructural security apart from information/cybersecurity. While this might not have been critical in the past, it will have a significant impact on PTOs in the future, in particular when a cybersecurity incident crosses over into safety or security (of passengers and assets).

Even though some of these concerns have been known for some time, there is a general lack of guidance, in terms of high-level roadmaps, that can assist public transport operators in implementing suitable cybersecurity controls. This document will present:

- How cybersecurity fits in the overall risk management strategy of a PTO;
- A comprehensive framework of assets, architectures and technologies used by a PTO, taking into account the different types of transport operated by PTOs as well as the cases where the transport operator is not the infrastructure owner/operator (4th railway package from the EU Commission);
- A set of security standards and regulations that may be applicable to a PTO;
- How cybersecurity will impact PTO organisations;
- A set of baseline security requirements for future procurement;
- An implementation approach and first affordable security measures;
- Further directions towards standardization and eventually regulation.

The aim of this document is to develop cybersecurity awareness and to provide a central reference for any PTO, independently of its nature or size.

2 Concepts & definitions

To ease the reader's understanding of this document, some concepts used throughout it should be introduced from the beginning. The first relates to cybersecurity and its use within the context of public transportation. The other concerns the rapid pace of technological development and its implications in terms of risk exposure for any PTO; it is essentially a description of the most disruptive technologies that will impact PTOs in years to come.

2.1 Safety versus Security versus Cybersecurity

According to the definition provided in [1], safety is defined as the state of being free of risk or danger (natural or accidental), in the sense that the entity in charge of that infrastructure/system is in control of the recognized hazards, and the risk of harm or damage has been reduced as low as reasonably practicable. Additionally, the term safety, when used as an attribute, encompasses all measures, actions or systems aiming at ensuring the state of safety. More generally, safety might be seen as the protection against all non-intentional threats. In an urban transport network, the safety function is of special relevance in the systems that control and operate the infrastructure components and vehicles. In those cases, the safety function is in charge of ensuring that these systems operate as they were designed to.

Security comes out as a natural extension of safety, complementing the protection safety provides against non-intentional threats with specific protections against intentional threats. According to the definition presented in the same guide [1], security is the set of means/actions through which safety is ensured, in particular against intentional threats, encompassing all measures, actions or systems aiming at preventing intentional threats from compromising safety. Reference [2] provides a good overview of the main differences between safety and security.
Cybersecurity is one of the components of the overall security function. To better define cybersecurity, one first needs to define what is meant by cyberspace. Using the definitions from ISO (Information technology Security techniques Guidelines for cybersecurity), cyberspace is defined as the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form. Cybersecurity is then defined as the preservation of confidentiality, integrity and availability of information in the cyberspace. In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. Cybersecurity is related to several other security domains, which are depicted in Figure 1:

- Information Security is the security domain most commonly associated with the protection of the virtual world against attacks. It is concerned with the protection of confidentiality, integrity, and availability of information in general, to serve the needs of the applicable information user;

- Network Security is concerned with the design, implementation, and operation of networks for achieving the purposes of information security on networks within organisations, between organisations, and between organisations and users;
- Internet Security is concerned with protecting internet-related services and related ICT systems and networks as an extension of network security in organisations and at home, to achieve the purpose of security. Internet Security also ensures the availability and reliability of Internet services;

Figure 1 - Relationship between Cybersecurity and other Security Domains [3]

- Information and Communication Technology (ICT) Security might be seen as an extension of Internet Security that also considers computer systems not connected to the Internet. At the same time, the use of the term ICT security usually excludes all questions of illegal content, unless they directly damage the system in question, and includes supply chain security, to consider the risks associated with the suppliers of those systems;
- Critical Information Infrastructure Protection (CIIP) is concerned with protecting the systems that are provided or operated by critical infrastructure providers, such as energy, telecommunication, and water departments. CIIP ensures that those systems and networks are protected and resilient against information security risks, network security risks, internet security risks, as well as cybersecurity risks;
- Cybercrime is used to define a criminal activity where services or applications in the cyberspace are used for or are the target of a crime, or where the cyberspace is the source, tool, target, or place of a crime;

- Finally, cybersafety is defined as the condition of being protected against physical, social, spiritual, financial, political, emotional, occupational, psychological, educational or other types of consequences of failure, damage, error, accidents, harm or any other event in the cyberspace which could be considered undesirable. The relation between cybersecurity and cybersafety might be considered as an extension of the relation between security and safety, when considering the cyberspace as the environment.

The interested reader might refer to [3] for a more complete analysis of each of these security domains, as well as some variations of the definitions provided.

When considering PTOs, cybersecurity becomes an important stake whenever an impact on one of its subdomains has consequences on people and assets (and consequently on security and safety). Confidentiality is usually not a concern. For example, since information systems are used to provide safety mechanisms such as rail signalling systems or energy automation, as well as security mechanisms such as video surveillance, physical access control or physical intrusion detection, tampering with and/or preventing access to those systems may have a significant impact on safety and/or security.

2.2 Most disruptive concepts/technologies in years to come

2.2.1 Industrial Internet of Things

The Industrial Internet of Things is a vision of how the Internet of Things will change industry; it enables complex device/system/service communications, the development of smart objects [4]-[5] and predictive maintenance using big data analytics. It is already applied to intelligent vehicle systems [6]-[7].
Obviously, this vision will only be realized through a dramatic increase in network bandwidth, itself supported by a large development of the Next Generation Network Infrastructure (NGNI), including the use of optical fibre, wired/wireless integration, 4G and 5G mobile networks, and the ability to define, provision and manage networks, and the applications and services that run on them, in a flexible and scalable manner (Software-Defined Networking (SDN) [8]). The most prominent application areas of interest for a PTO will be:

- Industrial applications (process control extended to predictive maintenance);
- Energy management;
- Infrastructure management;
- Building automation;
- Transport systems.

The Industrial Internet of Things is the technological basis for the Industry 4.0 concept (see below) as well as for intelligent transport systems. Some railway PTOs are already using infrared thermometers, microphones and ultrasound scanners alongside their tracks in order to send readings to the railroad's data centres, where pattern-matching software identifies equipment at risk of failure [9]. Other railway PTOs are using Big Data for predictive maintenance purposes [10].

2.2.2 Industry 4.0

Industry 4.0, promoted from the beginning by the German government, is essentially a concept to greatly improve automation across industries and achieve the goal of a smart/intelligent factory (introducing methods of self-optimization, self-configuration, self-diagnosis, cognition and intelligent support). As of today, this concept makes business management easier and more efficient through the centralization of all functions:

- Management and optimization of the energy of all sites (industrial installations and/or computers);
- Management and control of processes (machines, pumps, ventilation, etc.);
- Management and control of buildings (air conditioning, elevators, lights, shutters, etc.);
- Management of security (CCTV, fire alarm, physical access control, etc.).

2.2.3 Predictive Maintenance and Big Data

The relationship between the concepts of "Big Data" and "control-command" appears mainly in the field of predictive maintenance [11]. Unplanned downtime is the main reason why predictive analytics and "Big Data" have received particular interest. Predictive analysis enables predictive maintenance of motors, terminal equipment and sensors. The rise and relevance of new data from equipment, and the use of such data (predictive analytics), will predict and anticipate failures of a system or piece of equipment. Predictive preventive maintenance can optimize maintenance planning and reduce the consequential costs of faulty equipment (annual losses due to downtime of plant production equipment are estimated at 5% worldwide). This type of maintenance will also reduce the cost of random preventive maintenance or reactive maintenance (crisis). The tools to identify and acquire useful data to create a predictive maintenance plan include control (monitoring) and diagnostic techniques such as vibration analysis, motor circuit analysis, oil analysis, or even ultrasonic analysis.
The latest advances in predictive analytics and "Big Data" for processing and correlating data sources in large quantities are used to understand how changes in the behaviour of equipment or an asset can result in its failure.

2.2.4 Intelligent Transport Systems (ITS)

Intelligent Transport Systems (ITS) [12] are systems in which information and communication technologies are applied in the field of road transport, including infrastructure, vehicles and users, and in traffic management and mobility management, as well as for interfaces with other modes of transport. Such systems have recently led some states in the U.S. to legalize autonomous driverless vehicles despite potential safety issues.

ITS [13] include telematics and all types of communications in vehicles, between vehicles (e.g. car-to-car), and between vehicles and fixed locations (e.g. car-to-infrastructure). They also include the use of information and communication technologies (ICT) such as navigation systems. The latest developments [14] include:

- Vehicle-to-vehicle communications;
- Vehicle-to-roadside communications;
- Vehicle ad-hoc networks;
- Autonomous vehicle guidance.

Very limited adaptation to bus technologies has been studied [15], and several operators [16] as well as solution providers [17] already offer new services.

2.2.5 Automatic Train Control

Automatic Train Control (ATC) [18] is an integrated system that guarantees the secure movement of trains. ATC integrates various subsystems positioned on-board and wayside:

- Automatic Train Operation (ATO), which performs the on-board, non-vital functions normally performed by the train driver, including ensuring a smooth acceleration of the train to the running speed, speed regulation and smoothly stopping the train at the proper position at station platforms or in front of stop signals. ATO subsystems are primarily located on-board and represent one of the principal components of a driverless system. Additionally, ATO subsystems report vehicle health status to the ATS;
- Automatic Train Protection (ATP), which is responsible for the safe operation of a signalling system. It imposes speed limits on trains, both to maintain a safe operating distance between them and to comply with safety and speed requirements. The ATP system is designed to be a fail-safe (vital) system;
- Automatic Train Supervision (ATS), which controls trains automatically in accordance with the railway timetable and generally involves a centralized traffic control system.
According to the International Association of Public Transport (UITP) [19], there are five Grades of Automation (GoA) of trains:

- GoA 0 is on-sight train operation, similar to a tram running in street traffic;
- GoA 1 is manual train operation, where a train driver controls starting and stopping, operation of doors and handling of emergencies or sudden diversions;
- GoA 2 is semi-automatic train operation (STO), where starting and stopping are automated but a driver in the cab starts the train, operates the doors, drives the train if needed, and handles emergencies. Many ATO systems are GoA 2;
- GoA 3 is driverless train operation (DTO), where starting and stopping are automated but a train attendant operates the doors and drives the train in case of emergencies;
- GoA 4 is unattended train operation (UTO), where starting and stopping, operation of doors and handling of emergencies are fully automated without any on-train staff.

A "driverless" train is defined as meeting GoA 4. Most modern infrastructures in Europe already use ATC systems. U.S. authorities have already devised a roadmap or strategy to secure such systems [20]. European authorities

either at the national level or at the European Commission level are starting to address the topic [20]. According to [19], as of 2011, driverless trains were already present in 25 cities around the world. Since then, they have become the preferred choice for new lines and systems in Europe and around the world.

3 Risk management and cybersecurity for a PTO

3.1 Enterprise Risk Management overview

Beyond the use of ISO 73 (Risk management Vocabulary) and ISO (Risk management Principles and guidelines) for a strict definition of risk and of the overall risk management process, risk typology and categorization at the enterprise level have only been issued by international audit or financial control bodies (Committee of Sponsoring Organisations of the Treadway Commission (COSO), International Accounting Standards Board (IASB), Basel Committee on Banking Supervision (BCBS)) and actuarial bodies (International Actuarial Association, Casualty Actuarial Society). Even though there might be an overall consensus on how to categorize enterprise risks [21] (Strategic risks, Operational risks, Financial risks, Hazard risks), only the financial services (BCBS) and the insurance industry, supported by the EU Commission, have defined them in more depth.

Pillar I of Basel II [22]-[23] has defined:

- Market risk;
- Credit risk;
- Operational risk.

Some of the risks that are not covered by Pillar I were considered for the first time within Basel II [22]-[24]:

- Concentration risk;
- Liquidity risk;
- Reputation risk;
- Strategic risk;
- Business cycle risk.

The insurance industry has also defined risks [25], supported by the EU Commission [26]:

- Underwriting risk (life and non-life);
- Health underwriting risk;
- Market risk;
- Credit risk;
- Operational risk.

Following ISO (risk is the effect of uncertainty on objectives), strategic risk is a possible source of profit/loss that might arise from the pursuit of a successful/unsuccessful strategic business plan. For example, strategic risk might arise from making great/poor business decisions, from the substandard execution of decisions, from perfect/inadequate resource allocation, or from a success/failure to respond well to changes in the business environment.
According to the COSO Enterprise Risk Management (ERM) model, strategic risks are internal risks, in which reputation risks are included. ERM has been driven essentially by economic value analysis, especially for market or credit risks (economic loss/gain type of

events). It is understood that operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. The nature of an operational risk or the risk source (an item or activity having a potential for a consequence) can provide a categorization of risks. It means that loss events, whether human, financial, environmental or even societal, can provide such a categorization. The official Basel II framework has defined event types with some examples for each category:

1. Internal fraud: misappropriation of assets, tax evasion, intentional mismarking of positions, bribery;
2. External fraud: theft of information, hacking damage, third-party theft and forgery;
3. Employment practices and workplace safety: discrimination, workers' compensation, employee health and safety;
4. Clients, products & business practice: market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning;
5. Damage to physical assets: natural disasters, terrorism, vandalism;
6. Business disruption & system failures: utility disruptions, software failures, hardware failures;
7. Execution, delivery & process management: data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets.

3.2 Urban transport Risk Management overview

By inference, the risks borne by urban transport operators should be:

- Reputation risk;
- Strategic risk;
- Financial risk (Credit risk);
- Operational risk.

Financial risk (Credit risk) has been added due to the large infrastructure investments (railway/tramway infrastructure or subway cars/buses) made by urban transport operators (the 4th railway package, which sets out a framework and requirements for railways in the EU to allow open-access operations on railway lines by companies other than those that own the rail infrastructure, has even amplified that risk).
For any Public Transport Operator (PTO), realistic event types for an operational risk framework should be:

1. Internal fraud: misappropriation of the operator's assets, corruption of the operator's employees;
2. External fraud: theft of (electronic) tickets, third-party theft and forgery, use of transportation without tickets;
3. Employment practices and workplace safety: discrimination, workers' compensation, employee health and safety;
4. Business practice: improper use of transportation assets;
5. Damage to physical assets and people (injury or death): natural disasters, terrorism, vandalism (anti-social behaviour), criminal activity (theft of metal), sanitary disaster;

6. Business disruption & system failures: train and/or bus failures, utility disruptions, access (bus and/or train station) disruptions, software failures, hardware failures;
7. Execution, delivery & process management: data entry errors, accounting errors, ticketing errors, passenger information errors, failed mandatory reporting, negligent loss of the operator's assets, leak of confidential passenger information (including payment card information).

The operational risks which carry the most impacts and consequences are:

- Safety;
- Security.

From an organisational perspective, every medium and large PTO has a Safety and Security department or direction. Every medium and large PTO will also have an internal audit/control department or direction in charge of controlling the efficiency and effectiveness of operations (including fraud management). Any medium and large PTO will also have an IT department, or direction, to manage IT operations, covering at least corporate management operations (Human resources, Finances, Marketing, Strategic planning) and some business operations such as Ticketing, Passenger Information systems or Customer Relationship Management systems. A bus-only and/or small PTO may not have such a complex organisation, even though from an IT perspective a few PCs and servers might be managed for a handful of users who concentrate all corporate management and business operations functions. The following paragraphs describe the main types of risk assessment/management methodologies that might be of use for a medium and/or large PTO.

3.2.1 Safety risk management

Functional safety is defined generically by IEC (Functional safety of electrical/electronic/programmable electronic safety-related systems). This standard defines the risk assessment approach (safety risk analysis, scale of likelihood, and scale of consequences), which leads to the definition of safety functions for a given process and of a Safety Integrity Level (SIL) for each safety function.
Safety risk analysis can use different methodologies to identify risks. Methodologies are either qualitative or quantitative:

- Hazard and Operability Analysis (HAZOP): IEC (Hazard and operability studies (HAZOP studies) - Application guide);
- Failure Mode and Effects Analysis (FMEA): IEC (Analysis techniques for system reliability Procedure for failure mode and effects analysis (FMEA));
- Fault Tree Analysis (FTA): IEC (Fault tree analysis (FTA));
- Formal design review: IEC (Design review).

A safety function responds either to a random failure (its occurrence is unpredictable, but predictable in a probabilistic or statistical sense; such failures arise from physical causes and only apply to the simple hardware components within a system) or to a systematic failure (repeatable and predictable, arising from human error such as misconceptions or mistakes).

The SIL is based on a number of quantitative (probabilistic) factors in combination with the degree of assurance targeted for the system's life-cycle management. Each SIL corresponds to an average probability of failure on demand or a probability of dangerous failure per hour. Safety measures and components are usually specific to the business function/process and the overall architecture/infrastructure. The Automatic Train Control (ATC) system and its affiliated technology CBTC (Communication-Based Train Control) implement safety functions for train systems. Even though metros, trams and other light rail systems are subject in many Member States to local or regional safety rules, a common (safety) risk assessment and management process, such as the one defined in EU regulation 1078/2012 [27], can be shared among the following organisational/operational entities:

- Infrastructure management (tracks);
- Railway stations (OCCs);
- Rail/tram/bus vehicles (rolling stock).

Additionally, trams and buses are often also subject to road safety legislation.

Figure 2 - Safety monitoring process framework

(Rail) safety is usually monitored and supervised by external public bodies or authorities [28]. The Modular Urban Transport Safety and Security Analysis project (MODSafe) [29], a recent European project devoted to the safety lifecycle of urban-guided transport systems, presented:

- A risk analysis methodology with some input from the standard EN (Railway applications The specification and demonstration of reliability, availability, maintainability and safety (RAMS)) and notions of safety requirements (SILs), measures and functions taken essentially from the standards IEC (Railway applications Urban guided transport management and command/control systems) and IEC (Railway applications Automated urban-guided transport (AUGT) Safety requirements);
- A safety functional model and a safety object model in order to build safety systems (centred essentially on Urban Guided Transport Management and Command/Control Systems, IEC 62290).

3.2.2 Security (people and assets) risk management

Since very specific criminal laws apply to public transportation in most European countries and large cities, a dedicated transport police force (which may consist of officers employed directly by the local public transport operator, or of a specialised unit of a local police force) is required by most urban transport operators. This police force is usually in charge of handling external fraud (in particular the use of transportation without a ticket), as well as any crime specified by law on public transportation (preventing and investigating crimes committed against the PTO, by or against passengers or other customers of the PTO, or on the PTO's property). Its natural jurisdiction includes:
- A track;
- A network;
- A station;
- A maintenance depot;
- A railway vehicle.

In some cities and countries, specific anti-terrorism laws apply to public transportation. In some countries and large cities, the loss or compromise of transport infrastructure could have a major detrimental impact on the availability or integrity of essential services, leading to severe economic or social consequences or to loss of life. As such, urban transport infrastructure/operations can be considered as critical national infrastructure, for which specific laws and controls apply, supported by Directive 2008/114/EC [30]. The legal framework for security in public transport is described for several countries in [31]* and [32].

Crime risk assessment refers not only to the prevention of recidivism [33] on the side of the judiciary system, but also to assessing vulnerabilities, exposures and threats, and to setting tasks for the law enforcement forces to respond to and prevent crime in the field [34]. Reducing crime can be achieved through design and situational interventions, such as improved street lighting, CCTV, improved availability of public transport, and better visibility of crime-prone areas.
Crime and terrorism risk assessment methodologies are at an early stage and are essentially based on actuarial/statistical models [35]-[36]. A thorough description of crime and terrorist threats in urban rail guided transport systems can be found in [37]. The public transport security concept is further described in [38]*. Risk terrain modelling [39]-[40], an approach to spatial risk analysis that uses a geographic information system to attribute characteristics of the real world (crime-prone areas, sports events, city demonstrations, etc.) to places on a digitised map, is starting to be applied to policing operations. This will allow a dedicated transport police force to be dispatched and deployed efficiently along the rail/tram/bus network.

Physical security measures embedded in crime risk assessments will mitigate the potential damage and injuries that can be inflicted should an incident occur. CCTV, even though it cannot replace police staff, allows a reduction in their number or their redeployment to other security activities. CCTV can help clarify whether a security alert is real, is often vital in post-incident investigations, and can be used in court. Future

development of such technology will soon include intelligent image analysis, which will allow [41]-[43]:
- Crowd and person monitoring;
- Tracking and recognition of moving objects;
- Activity/behaviour recognition;
- Learning camera topology;
- Learning semantic scene models;
- Automated extraction of evidence from CCTV footage.

Whenever CCTV is not in use, and potential criminals become aware of that fact, there might be an increase in crimes of opportunity, and planned terrorist acts are clearly favoured. Physical perimeters (doors, windows, gates), physical access control and intruder alarms keep access points to a minimum and make sure the boundary between public and private areas in a metro/tram/bus station or vehicle is secure. Lighting can also deter intrusion.

Terrorism risk assessment [44] leads to very specific systems/operations being implemented, such as [45]:
- Explosives and ballistics protection;
- Secure destruction of sensitive systems;
- Lighting;
- Hostile vehicle mitigation;
- Explosives and weapons detection;
- CBR detection technology.

Future physical security systems will depend on IT systems and common networking protocols to support their operation. The additional flexibility in deployment, the ability to use centralised security control rooms for OCCs, ATCs and physical security monitoring, and the potential cost savings will expose PTOs to risks they did not previously need to consider.

3.2.3 Internal control (internal fraud) management

Internal control involves everything that controls risks to an organisation. Nevertheless, its focus for a transport company will essentially be to achieve:
- The organisation's objectives in operational effectiveness and efficiency (mainly project, maintenance and operations management);
- Detection and prevention of (internal and external) fraud;
- Reliable financial reporting;
- Compliance with laws, regulations and policies.
Railway operations and maintenance management focuses on the core business of a PTO and encompasses the following functions:
- Train/metro/tramway/bus service operations;
- Station operations;
- Customer service;

- Ticketing and fare collection;
- Marketing;
- Web-site management;
- Solution development and implementation;
- Operations Control Centre;
- Passenger information management;
- Security management;
- Asset management planning and deployment;
- Rolling stock maintenance, including overhauls and refurbishments;
- Station and depot facility management;
- Track and structures;
- Signalling and traction power maintenance;
- Etc.

Best practices are usually not shared, but some institutions [46]-[47] have published several documents on the topic and provided benchmarking. Best practices for IT operations management refer to the following frameworks:
- IT Infrastructure Library (ITIL) v3 [48];
- Control Objectives for Information and related Technology (COBIT) 5 [49].

ITIL v3 [48] focuses on IT service management and describes the processes, procedures, tasks and checklists needed to elaborate:
- Service strategy;
- Service design;
- Service transition;
- Service operation;
- Continual service improvement.

ISO 20000 (Information technology - Service management) is a reflection of ITIL [48] but also draws on other sources such as COBIT [49]. COBIT 5 [49] integrates previous frameworks from the Information Systems Audit and Control Association (ISACA) (Val IT, Risk IT) and compares well with ITIL, ISO 20000, the ISO series (Information technology - Security techniques - Information security management systems), PRINCE2 and ISO (Corporate governance of information technology) (the latter imposes de facto a model for corporate governance of IT). Its ambition is to become the de facto reference for anything from IT strategy to IT processes, as well as IT risk management (including information security management). The IT risk management framework is contained within the "Assess and Manage IT Risks" part of COBIT 5; the IT controls from COBIT define the risk assessment framework.

Several risk assessment methodologies can also be applied, such as:
- Factor Analysis for Information Risk (FAIR) [50];
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) [51].

Even though no best practices acknowledged by European institutions have been published for fraud management, Canadian and U.S. accountants have published a document describing an approach [52] that can be applied to every enterprise. Briefly, this step-by-step approach is defined by:
- Fraud risk governance;
- Fraud risk assessment;
- Fraud prevention;
- Fraud detection;
- Fraud investigation and corrective action.

3.2.4 Information security/cybersecurity risk management

Risk assessment/management methodologies have already been reviewed in [53]*. Most of them follow ISO (Information technology - Security techniques - Information security risk management) and the earlier revisions of NIST SP (Guide for Conducting Risk Assessments), the latest revision being more complex. Simplified risk assessment methodologies, such as the Facilitated Risk Analysis Process (FRAP) [54], can also be applied by small PTOs. For overall security management methodologies, one can refer to ISO (Information technology - Security techniques - Information security management systems - Requirements) and IEC (Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program). Some countries have even defined a framework allowing critical national operators to assess the Business Impact Levels of compromises of the confidentiality, integrity or availability of information and ICT (Information and Communication Technology) systems [55].

3.2.5 Interactions between risk management approaches

Even though IEC does not cover security, it recognises that intentional (human) malicious actions have to be taken into account in the risk analysis, and it mentions IEC (Industrial communication networks - Network and system security) as the standard to deal with them.
However, IEC does not give any example of a security vulnerability that might affect safety. Interactions between safety and security are detailed in the MODSafe project [31]*; additionally, security breaches resulting in safety hazards are described there. Cyber-attacks are mentioned once, as an unconventional type of terrorist attack, with no further details. The

same applies to the Cluster of User Networks in Transport and Energy Relating to Anti-terrorist Activities (COUNTERACT) project, in which cyber-attacks are also mentioned only once. Cyber threats are introduced among crime and terrorist threats in [56]* with a few generic scenarios. Recent work from the Security and Safety Modelling (SESAMO) project [57]-[58] has attempted to specify safety and cybersecurity mechanisms and to develop risk assessment techniques; however, it has not included (physical) security.

A cyber-attack can potentially be combined with a terrorist attack, to weaken the security measures put in place or to increase the effect and impact on the target. A cyber-attack can also have a direct impact on safety, as stated before. The potential non-linear interactions are between:
- Security and safety;
- Cybersecurity and security;
- Cybersecurity and safety.

Even though the risks can be categorised separately, the measures and/or mechanisms that cover them cannot. Dependencies between cybersecurity and safety mechanisms are studied in the SESAMO project, while contradictions between safety measures and security requirements are described in the MODSafe project. The interactions between risks are summarised in Figure 3: each set of requirements (safety risks, cybersecurity risks, security risks) has its own set of measures (safety measures, cybersecurity measures, security measures); measures corresponding to a specific set of requirements might affect the other requirements, and measures might also affect each other.

Figure 3 - Non-linear interactions between safety, security and cybersecurity

At a minimum, the three risk assessments need to be confronted with one another.

4 Architecture framework (IT-related) and assets within a PTO

Urban mass transport infrastructures have traditionally used automated systems based on Programmable Logic Controllers (PLC), as part of SCADA systems or similar. In recent years mass transportation systems have been fitted with a significant amount of state-of-the-art ICT technology, to support and streamline their functioning as well as to improve the service provided to their customers. More recent trends, like the Industry 4.0, Predictive Maintenance and Big Data, and ATC system concepts, point towards an ever increasing degree of integration between the existing systems, and also towards the introduction of more complex and more intelligent control, management and operation systems. Additionally, it is important to consider the separation between the infrastructure manager and the transport operator, as proposed in the sequence of the 4th railway package of the European Union.

Taking these concerns into account, it is necessary to establish an architecture framework to outline the technologies used in transport infrastructures, as well as their integration and interdependencies. The ICT systems and technology used in mass transport infrastructures, more specifically in rail mass transport infrastructure, might be separated into 5 distinct system domains that are related to and inter-dependent with each other, as depicted in Figure 4:

Figure 4 - Mass Transport Infrastructure system domains

- On-board systems: the goal of these systems is twofold: on the one hand, to operate and manage the operation of vehicles, controlling most electromechanical components of the vehicle and maintaining a close collaboration with systems in some of the other logical divisions, and on the other hand, to provide information to passengers;
- Wayside systems: a line on a transport network is usually divided into several zones, each zone being managed with a significant degree of independence from the other zones. The wayside systems exist to fit this purpose: they interact with the vehicles

to coordinate their operation, they interact with the adjacent zones to hand over the vehicles, and finally they interact with the control centre systems to provide awareness of the network state and to adapt the zone operation to the operator's requirements. Moreover, they are responsible for managing all the electromechanical devices in their domain, like interlocking and energy control systems, adapting their state in accordance with current needs;
- Station systems: similarly to the on-board systems, station systems manage the operation of the station infrastructure, ranging from the control of lifts/escalators and platform doors to the management and presentation of information to passengers;
- Operations control centre systems: the operations control centre is the place from where the operator typically manages its transport network. Therefore, the OCC systems interact with some of the systems in the other logical divisions, on the one hand to keep an up-to-date view of the transport network's state and, on the other hand, to coordinate the reaction and response to unexpected events;
- Business Support Systems: these systems are used to support the PTO's business, assisting it in efficiently operating the transport infrastructure.

The next sections describe the main functions supported by the systems in each of these domains, as well as the standards and industry recommendations upon which they are designed.

4.1 On-board, wayside, station and OCC control networks

A modern rail transport network is extensively fitted with electromechanical components that support and physically operate the transport infrastructure. These electromechanical components might be found across most of the previously defined system domains. Figure 5 below, extracted from MODSafe D5.1 [59], gives an overview of these components. Some of the components might be further subdivided, in the sense that they are themselves a composition of several other components.
The referenced MODSafe deliverable might be used for a more complete reference on those subdivisions. The subsystems and electromechanical components usually assume a networked architecture, although the type and topology of that network vary between system domains. These communication networks have the purpose of enabling their components to communicate and to be externally controlled.

4.1.1 On-board control network

In the case of the on-board control systems, the network usually assumes one of the configurations defined in IEEE (Standard for communications protocol aboard passenger trains). Specifically, this standard defines 3 types of on-board network: Type L (general-purpose control network based on ANSI/CEA (Control Network Protocol Specification) and ANSI/CEA (Free-topology twisted-pair channel specification)) and Type T (railway control network based on IEC :2007), which are specially suited for control applications with low latency and low bandwidth requirements, as well as Type E (IP Ethernet network based on IEEE (IEEE Standard for Ethernet)), which

provides high bandwidth and performance and makes it possible to integrate the lower-level control networks with external systems. The on-board networks are commonly used for both safety-related and non-safety-related purposes and applications. For these networks to be usable in both situations, they must be provided with additional safeguards for the safety-related communications.

Figure 5 - Control network components (MODSafe Project) [59]

EN 50159:2010 (Railway applications - Communication, signalling and processing systems - Safety-related communication in transmission systems) systematically defines the threats these networks are subject to, and proposes a set of defences to protect them from these threats. Additionally, the on-board control network may be fitted with an event recorder, to register the actions and statuses of on-board controllers, actuators and components. IEEE (R2005) (IEEE Standard for Rail Transit Vehicle Event Recorders) provides a description of the components and respective events that might be monitored, as well as the performance and crashworthiness requirements of such devices. Trains are usually provided with a control and monitoring HMI, which may be used by the vehicle driver/operator to monitor the actual status of the vehicle as well as to interact with it.

4.1.2 Wayside control network

The ISA 95 standards, later adopted as the IEC (Enterprise Control Systems Integration) standards, aim at defining a standard interface between control systems and enterprise

systems, both in terms of the functions to be exchanged between the two domains and in terms of the information flows, by providing several models to analyse and describe the interface between both types of systems. One of those models is the Functional Hierarchy Model (Figure 6), specified in IEC (Enterprise Control Systems Integration - Part 1: Models and Terminology), which defines the functional levels upon which the assets of an organisation are organised, ranging from the process control level (Level 1), where the sensing and manipulation of the physical process actually occurs, to the business planning and logistics level (Level 4), where the business-related activities needed to manage the organisation in the medium/long term are carried out.

Figure 6 - Functional Hierarchy Model

The SCADA systems used in a mass transport infrastructure assume a functional organisation identical to the one provided in ISA 95. Figure 7 presents an example of such a scenario, where a Rail Control Centre/OCC (Site Level) manages the operation of a set of Rail Sections/Wayside Sections (Area Level) composing a Line. Each Rail Section contains a set of production systems (Work Centre Level) that control the physical systems of the infrastructure. A mass transport infrastructure might be composed of more than one Line, each of these lines being operated independently while being managed under the Enterprise level provided in the ISA 95 standard.

A typical SCADA network is composed of the following elements:
- Programmable logic controllers (PLC): the objective of the PLCs is both to convert the signals from the physical sensors and actuators into digital signals suitable to be interpreted and analysed by a control server, and to command those devices, by converting the signals received from the control server into analogue signals the devices are able to interpret. These devices are usually programmable to support more advanced control capabilities.
One of the usual applications of PLCs in railways

is to control the traction electrification substations. This system will be further addressed in a following section;
- Remote terminal units (RTU): the objective of the RTUs is similar to that of the PLCs; however, they are commonly considered more sophisticated, in the sense that they are able to control the execution of physical processes autonomously, without the direct intervention of any control server. In the context of railways, RTUs may be used in the train-to-wayside control operations. The operation of these systems is also further addressed in one of the subsequent sections;

Figure 7 - Rail SCADA example architecture (NIST SP 800-82)

- Control server: this server is used to interact with and manage both PLCs and RTUs. In the case of PLCs it is commonly used to issue the commands they execute, while in the case of RTUs it might interact only when some higher-level process condition is reached, or as a fallback when the RTUs fail;
- Human machine interface (HMI) station: the HMI station is used by the system operator to monitor the status of the running processes, by displaying the information obtained from the PLCs and RTUs in a structured way, as well as to issue commands to be sent to these components;
- Data historian: this system is used to maintain a log of the statuses obtained from the PLCs and RTUs, the commands they sent autonomously, the commands they executed as instructed by the control server, and the commands ordered by the system operator via the HMI station.
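The EN 50159 defences mentioned for the on-board control network in section 4.1.1 apply equally to the train-to-wayside links that the RTUs above take part in. As an added example, not code from the SECUR-ED document or from any of the projects it cites, the following Python receiver applies those defences to a constructed movement-authority message: source and destination identifiers, a sequence number, a time stamp checked against a time-out, and a keyed safety code. The frame layout, identifiers, key, time-out and payloads are all constructed for this example; EN 50159 leaves the concrete safety code and its parameters to the system designer. A keyed MAC is used deliberately, because a plain CRC-style safety code detects random corruption but not a deliberately forged (masqueraded) message.

```python
"""Minimal EN 50159-style protection of safety-related messages (added example)."""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">HHIQ")   # src_id, dst_id, seq, timestamp_ms (constructed layout)
TAG_LEN = 16                      # truncated HMAC-SHA256 tag appended to each frame


class SafetyLinkError(Exception):
    """Raised with the EN 50159 threat the failed check corresponds to:
    corruption, identifier (insertion/masquerade), delay, repetition,
    resequencing or deletion."""


def seal(key, src_id, dst_id, seq, ts_ms, payload):
    """Sender side: header + payload + safety code computed over both."""
    header = HEADER.pack(src_id, dst_id, seq, ts_ms)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    def __init__(self, key, my_id, peer_id, max_age_ms):
        self.key, self.my_id, self.peer_id = key, my_id, peer_id
        self.max_age_ms = max_age_ms
        self.last_seq = None          # sequence number of the last accepted frame

    def accept(self, frame, now_ms):
        """Return the payload if every check passes, otherwise raise SafetyLinkError."""
        if len(frame) < HEADER.size + TAG_LEN:
            raise SafetyLinkError("corruption")
        header = frame[:HEADER.size]
        body, tag = frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        # Safety code first: a keyed MAC rejects random bit errors and forged
        # frames alike (the receiver cannot tell the two apart, by design).
        want = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            raise SafetyLinkError("corruption")
        src_id, dst_id, seq, ts_ms = HEADER.unpack(header)
        if src_id != self.peer_id or dst_id != self.my_id:
            raise SafetyLinkError("identifier")
        if now_ms - ts_ms > self.max_age_ms or ts_ms - now_ms > self.max_age_ms:
            raise SafetyLinkError("delay")          # too old, or clock far ahead
        if self.last_seq is not None:
            if seq == self.last_seq:
                raise SafetyLinkError("repetition")
            if seq < self.last_seq:
                raise SafetyLinkError("resequencing")
            if seq != self.last_seq + 1:
                raise SafetyLinkError("deletion")   # a message in between was lost
        self.last_seq = seq
        return body


def demo():
    """Replay one constructed exchange and record which threat each check catches."""
    key = b"\x11" * 32                                 # constructed demo key
    WAYSIDE, TRAIN, ROGUE = 0x0101, 0x2002, 0x0303     # constructed identifiers
    rx = Receiver(key, my_id=TRAIN, peer_id=WAYSIDE, max_age_ms=500)
    out = {}

    def attempt(frame, now_ms):
        try:
            return rx.accept(frame, now_ms)
        except SafetyLinkError as err:
            return str(err)

    f1 = seal(key, WAYSIDE, TRAIN, 1, 1000, b"MA:EOA=2450m")
    f2 = seal(key, WAYSIDE, TRAIN, 2, 1300, b"MA:EOA=2600m")
    f4 = seal(key, WAYSIDE, TRAIN, 4, 1400, b"MA:EOA=2700m")
    out["valid"] = attempt(f1, 1100)                          # accepted, payload returned
    out["repetition"] = attempt(f1, 1200)                     # same frame replayed
    out["tampered"] = attempt(f2[:HEADER.size] + b"MA:EOA=9999m" + f2[-TAG_LEN:], 1350)
    out["wrong_key"] = attempt(seal(b"\x22" * 32, WAYSIDE, TRAIN, 2, 1300, b"MA:EOA=9999m"), 1350)
    out["wrong_source"] = attempt(seal(key, ROGUE, TRAIN, 2, 1300, b"MA:EOA=2600m"), 1350)
    out["delay"] = attempt(f2, 2500)                          # 1200 ms old, limit is 500 ms
    out["valid2"] = attempt(f2, 1350)
    out["deletion"] = attempt(f4, 1450)                       # seq 3 never arrived
    out["resequencing"] = attempt(f1, 1400)                   # older seq after a newer one
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} -> {result}")
```

The receiver keeps no state for rejected frames, so a burst of forged or replayed traffic cannot move the accepted sequence window; the time-out check is what turns a silent link into a detectable failure, which is the property the safety function (not this code) then has to act on.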

4.1.3 Station control network

The increase in complexity of train systems has been accompanied by an increase in complexity of stations and of the systems used inside them. Thus, stations usually feature a complex SCADA system to monitor and control the diversity of systems installed in them. GB (Code for Design of Subway) provides a thorough description of the systems installed and used in a metro station, together with their interfaces and requirements. The architecture of a station SCADA system might differ from the architectures typically found in wayside SCADA systems, in the sense that, even though they are usually remotely manageable from the OCC, the control server and data historian are usually housed in a control room inside the station. In some cases, the operation of the station SCADA system might even be controlled from a station OCC.

4.1.4 OCC control network

Some of the transport network monitoring, control and management operations are often performed centrally, in an OCC. Depending on the technological development level of the network, the OCC might be the single place where some of the systems are managed. One example is lines with CBTC installations where there is no driver or staff operator on-board. This subject will be further addressed in section 4.3.

Figure 8 - OCC control network systems

Additionally, the OCC controls and monitors the hierarchy of SCADA systems deployed across the transport infrastructure, orchestrating them according to the current transport demand and network operation status. Figure 8 outlines some of the systems with interfaces in the OCC control network, divided between the systems that support communication, control, SCADA and power supply functions. Considering the functional hierarchy model provided in Figure 6, the OCC control network might be considered as operating at levels 3 and 4, given its operations management and business planning roles.

4.2 Energy distribution automation systems

In most modern rail transport systems the vehicles are electrically powered, and thus a power distribution network must be in place to support this function. As described in the previous section, in a typical rail PTO each rail section features a system responsible for managing the electrification of that section according to the current demand of that zone.

Figure 9 - Substation automation system architecture (IEC )

IEC (Communication networks and systems in substations) describes the systems and typical configurations found in these electrical substations. In a typical configuration, as depicted in Figure 9, a substation automation system (SAS) is divided into three levels that communicate both horizontally and vertically. At the process level, a set of sensors and actuators is deployed across the electrical substation switchgear; these are controlled and monitored by a set of controllers at the bay level. These controllers may assume either a control or a protection role, monitoring each other's actions to ensure that certain threshold levels are not surpassed. Finally, at the station level, the station host and the HMI workstation are used to monitor and interact with the controllers at the bay level, to adjust the state of the electrical substation as needed. The communication between the components of a SAS is usually performed using a standardised protocol, the most common examples being the Distributed Network Protocol (DNP) (standardised as IEEE 1815:2012 (IEEE Standard for Electric Power Systems Communications - Distributed Network Protocol (DNP3))), IEC and the

IEC (Tele-control equipment and systems - Transmission protocols). A detailed description of these protocols, as well as of how they are used in practice, is provided in [60]. A SAS may be seen as an instantiation of a SCADA system with stricter requirements in terms of infrastructure protection. Given the impact a malfunction might have on the electrical substation itself, as well as on the equipment it supplies with energy, this protection is essential.

4.3 Train control and automatic operation systems

With the evolution of technology and transport infrastructures there is an increasing need to automate the functioning of transport vehicles, to reduce operational delays, to increase safety, and to enable the real-time adaptation of the transport offer to the demand.

4.3.1 Computer-based Train Control (CBTC)

Communications-based train control (CBTC) systems, or urban guided transport management systems (UGTMS), were developed to support the automation requirements of transport networks, being specifically aimed at urban transport systems like metros and trams. CBTC supports a wide range of automation levels, starting from a level where the system only plays a supervisory role, with the operation being performed manually (GoA 1, non-automated train operation), up to a level where there is no operating staff on-board (GoA 4, unattended train operation).

Table 1 - UGTMS GoA level functions

Table 1 provides a description of the functions supported by the system at each of the GoA levels, as defined in IEC (Railway applications - Urban guided transport management and command/control systems - Part 1: System principles and fundamental concepts).
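Returning to the substation protocols of section 4.2: DNP3 (IEEE 1815) protects each link-layer frame with CRC-16/DNP, computed over the 8-byte header and over every 16-byte block of user data. The Python below is an added example, not code from the SECUR-ED document or from IEEE 1815, that builds and parses such frames on constructed input; the addresses, control byte and payload are made up. The point for a PTO is the last case in the demo: the CRC rejects a flipped bit, but a frame rebuilt with fresh CRCs by anyone able to write to the link is accepted, so the integrity and authenticity of substation traffic have to come from elsewhere (the Secure Authentication part of IEEE 1815, or protection of the network path itself), not from the framing.

```python
"""DNP3 (IEEE 1815) link-layer framing with CRC-16/DNP (added example)."""

START = b"\x05\x64"   # DNP3 link frame start bytes


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected form 0xA6BC), init 0,
    reflected input and output, final XOR 0xFFFF. Check value for b"123456789" is 0xEA82."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Assemble one link frame. LEN counts CTRL, DEST, SRC and user data; CRCs are excluded."""
    if len(user_data) > 250:
        raise ValueError("user data limited to 250 bytes per frame")
    header = (START + bytes([5 + len(user_data), ctrl])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):          # each 16-byte block gets its own CRC
        block = user_data[i:i + 16]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate the start bytes and every CRC, then return the decoded header fields."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link frame")
    header = frame[:8]
    if crc_dnp(header) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    length, ctrl = header[2], header[3]
    if length < 5:
        raise ValueError("invalid LEN")
    user = bytearray()
    pos = 10
    while len(user) < length - 5:
        take = min(16, length - 5 - len(user))
        block = frame[pos:pos + take]
        want = frame[pos + take:pos + take + 2]
        if len(block) != take or len(want) != 2 or crc_dnp(block) != int.from_bytes(want, "little"):
            raise ValueError("data block CRC mismatch or truncated frame")
        user += block
        pos += take + 2
    if pos != len(frame):
        raise ValueError("trailing bytes after last CRC")
    return {
        "dir_from_master": bool(ctrl & 0x80),   # DIR bit
        "primary": bool(ctrl & 0x40),            # PRM bit
        "function": ctrl & 0x0F,                 # link-layer function code
        "dst": int.from_bytes(header[4:6], "little"),
        "src": int.from_bytes(header[6:8], "little"),
        "user_data": bytes(user),
    }


def demo() -> dict:
    """A constructed master-to-outstation frame, a bit-flipped copy, and a rebuilt one."""
    # Constructed user data: transport header 0xC0 followed by 20 application
    # bytes, long enough to span two CRC-protected 16-byte blocks.
    payload = b"\xC0" + bytes(range(20))
    genuine = build_frame(ctrl=0xC4, dst=10, src=1, user_data=payload)   # DIR=1 PRM=1 func=4
    out = {"frame_len": len(genuine), "genuine": parse_frame(genuine)}
    flipped = bytearray(genuine)
    flipped[12] ^= 0x01                         # one bit inside the first data block
    try:
        parse_frame(bytes(flipped))
        out["bit_flip"] = "accepted"
    except ValueError as err:
        out["bit_flip"] = str(err)
    # Anyone able to write to the link can rebuild a frame with fresh CRCs;
    # the parser has no way to tell it from the genuine one.
    rebuilt = build_frame(ctrl=0xC4, dst=10, src=1, user_data=b"\xC0" + b"\xFF" * 20)
    out["rebuilt"] = parse_frame(rebuilt)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A monitoring sensor on a SAS network can use the same parser to flag header CRC failures (line noise or a misbehaving device) separately from frames that are well formed but come from an unexpected source address, which is the case the CRC cannot help with.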

A typical architecture of a CBTC system, as described by IEEE (IEEE Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements), is provided in Figure 10 below. The systems that interact in a CBTC system are spread across three of the system domains previously defined, namely on-board, wayside and the OCC. The on-board CBTC equipment interacts with the train subsystems to operate the train in accordance with the movement authorities it receives from the wayside. Depending on the GoA level, the vehicle may be fitted with a train operator control HMI, which enables the operator to control the functions provided at that level. The CBTC wayside equipment controls the interlocking and the additional zone equipment, to make them match the configuration needed at each moment, and interacts with the neighbouring zones' CBTC wayside equipment to manage the handover of transiting vehicles.

Figure 10 - CBTC Reference Architecture (IEEE )

The Automatic Train Supervision (ATS) system in the OCC controls the CBTC system. The role of the ATS system is to support network management, making it possible to override most automatic actions taken by the wayside and on-board systems.
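To make the relationship between the on-board equipment and the movement authority concrete, the following is an added example, not code from the SECUR-ED document, IEEE or IEC, of the on-board ATP supervision logic in Python: a braking curve derived from a guaranteed emergency-brake deceleration and a reaction time, checks against the end of authority and the speed limit, and the fail-safe reaction when the authority is missing or has not been refreshed, which is how the loss of the permanent train-to-wayside communication that CBTC depends on becomes a safe stop rather than an uncontrolled train. All numeric parameters are assumed for illustration and are not taken from any product or standard.

```python
"""ATP supervision of a movement authority (added example, constructed values)."""
import math
from dataclasses import dataclass
from typing import Optional, Tuple

A_BRAKE = 1.0        # guaranteed emergency-brake deceleration, m/s^2 (assumed)
T_REACT = 1.5        # brake build-up / reaction time, s (assumed)
MARGIN_M = 10.0      # safety margin kept in front of the end of authority (assumed)
MA_TIMEOUT_S = 3.0   # authority considered stale after this much silence (assumed)


@dataclass(frozen=True)
class MovementAuthority:
    eoa_m: float            # track position the train front must not pass
    speed_limit_mps: float  # ceiling speed inside the authority
    issued_at_s: float      # wayside clock value when the authority was granted


@dataclass(frozen=True)
class TrainState:
    front_m: float          # position of the train front on the same track axis
    speed_mps: float
    now_s: float            # on-board clock, assumed synchronised with wayside


def stopping_distance_m(speed_mps: float) -> float:
    """Distance run during the reaction time plus the braking distance v^2 / (2a)."""
    return speed_mps * T_REACT + speed_mps ** 2 / (2 * A_BRAKE)


def ceiling_speed_mps(distance_to_eoa_m: float, speed_limit_mps: float) -> float:
    """Highest speed from which the train still stops MARGIN_M short of the EOA.
    Solves v*T + v^2/(2a) = d for v (positive root), capped by the speed limit."""
    d = distance_to_eoa_m - MARGIN_M
    if d <= 0:
        return 0.0
    v = -A_BRAKE * T_REACT + math.sqrt((A_BRAKE * T_REACT) ** 2 + 2 * A_BRAKE * d)
    return min(v, speed_limit_mps)


def atp_supervise(train: TrainState, ma: Optional[MovementAuthority]) -> Tuple[str, str]:
    """Return ("PERMIT" or "EMERGENCY_BRAKE", reason). Any doubt resolves to braking."""
    if ma is None or train.now_s - ma.issued_at_s > MA_TIMEOUT_S:
        return "EMERGENCY_BRAKE", "movement authority missing or stale"
    remaining = ma.eoa_m - train.front_m
    if remaining <= 0:
        return "EMERGENCY_BRAKE", "end of authority passed"
    if train.speed_mps > ma.speed_limit_mps:
        return "EMERGENCY_BRAKE", "overspeed"
    if train.speed_mps > ceiling_speed_mps(remaining, ma.speed_limit_mps):
        return "EMERGENCY_BRAKE", "cannot stop before end of authority"
    return "PERMIT", "within authority"


if __name__ == "__main__":
    ma = MovementAuthority(eoa_m=1300.0, speed_limit_mps=25.0, issued_at_s=100.0)
    for front in (1000.0, 1100.0, 1250.0):
        state = TrainState(front_m=front, speed_mps=20.0, now_s=101.0)
        print(front, ceiling_speed_mps(ma.eoa_m - front, ma.speed_limit_mps), atp_supervise(state, ma))
    print("stale:", atp_supervise(TrainState(1000.0, 20.0, 104.0), ma))
```

The staleness check is the part that matters most for the cybersecurity discussion later in this document: an attacker who can only disrupt the radio link cannot extend an authority, because the on-board side treats silence exactly like a refusal.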

The operation of a CBTC system is built around three functions:
- Automatic train protection (ATP): this function aims at ensuring fail-safe protection against collisions and overspeed, as well as against additional conditions that might endanger the trains;
- Automatic train operation (ATO): the ATO functions are used at the higher GoA levels and aim at automating the functions otherwise managed by the train operator, like controlling the opening and closing of the vehicle doors and managing the actual movement of the train;
- Automatic train supervision (ATS): this function, as described earlier, aims at providing a high-level view of the automated network, as well as providing override capabilities over the automatic actions taken by some CBTC functionalities.

The safe operation of a CBTC network requires permanent communication from the on-board systems to the wayside and from the wayside to the on-board systems. Figure 11 depicts some of the components with which the CBTC system interacts in each of the system domains involved in its operation.

Figure 11 - Urban Guided Train Management System (UGTMS) system interfaces (IEC )

The European Railway Traffic Management System (ERTMS) is another example of a train control and operation automation system; it results from an initiative of the European Union to increase the interoperability between the long-distance rail transport networks of its

Member States, while at the same time making the operation of the rail transport infrastructure safer by providing additional protection features. It is similar in objective to CBTC, but suited to long-distance railways, and it is not intended (at least at the current development level) to support driverless and unattended train operation. It is also much more focused on international compatibility and train movement control than CBTC; other aspects related to train automation are not covered by ERTMS.

4.4 Passenger information systems (PIS)

The PIS is the system used to interact with passengers, to present information relevant to their travel, to distribute content, as well as to manage and provide direct communication functionalities in case of emergency. This system is spread across three system domains (on-board, station and OCC), and the high-level interfaces between them are depicted in Figure 12.

Figure 12 - PIS internal and external interfaces (Adapted from [61])

MODURBAN D47 [61] provides an extensive analysis of the functionalities for each of the system domains, as well as the detailed interfaces between each domain, to which the interested reader might refer. Additionally, IEEE 1477 (IEEE Standard for Passenger Information System for Rail Transit Vehicles) describes the system interfaces with the various components of rail vehicles, as well as the set of equipment that must be installed on-board and the requirements it must comply with.

4.5 Ticketing systems

Ticketing systems fulfil one significant role in a transport network: receiving from passengers the payment for the use of the transport infrastructure. The correct operation of these systems is important for the PTOs, given that if the systems are not working properly the result may be significant financial losses. Figure 13 presents the typical architecture of a ticketing system. For passengers to be able to access some of the components of the transport network they must have an access token, usually called a ticket medium, which may be charged at a pay shop or at a vending and recharging machine. When a passenger wants to make use of the transport network, he presents his ticket at an access validator, which executes a debit transaction. Later on, the computer associated with the validator interacts with the back-end system to validate the transactions and, if needed, to clear the payment. The amount of time between the ticket presentation and the back-end validation may depend on the type of system, as well as on the type of connection with the back-end systems.

Figure 13 - Ticketing system reference architecture

There is plenty of diversity in the ticketing systems on the market, specifically as far as the ticket medium and the validator interaction are concerned. Despite that diversity, most of them are compliant, to some extent, with two standards: ISO (Identification cards - Contactless integrated circuit(s) cards - Proximity cards), which defines the physical characteristics of proximity cards and the protocols used to interact with them, and ISO 7816

(Identification cards -- Integrated circuit(s) cards with contacts), which describes the application protocol. Additionally, in some cases the ticketing systems of a PTO are integrated with those of other operators, either to allow the ticketing medium of one operator to pay for the transport services of other operators, or to have a common ticketing medium that can be used across operators. ISO (Road transport and traffic telematics -- Electronic fee collection (EFC) -- Interface specification for clearing between operators) provides support for the first case, while ISO (Public transport -- Interoperable fare management system) provides support for the latter.

4.6 Surveillance systems (Video systems, Intrusion Detection, Physical access control)

Surveillance systems (SS) play a significant role in the operation of a public transport operator. Given the impracticality of deploying security personnel to monitor the whole extent of the transport infrastructure, or even of allocating staff to constantly watch the video feeds received from the video surveillance systems, it is fundamental for operators to be able to detect any anomalous situation in a timely and automated way, and to activate the resources needed to handle it. The surveillance system components are thus distributed across the transport infrastructure, deployed in three main divisions (on-board, wayside and OCC), as depicted in Figure 14 and Figure 15 below.

Figure 14 - On-board SS [62]

On-board, the main role of the surveillance system is to ensure the safety of the passengers. Depending on the level of automation of the network, the surveillance system might be monitored on-board, if there is an operator on-board, or might send the video feeds to the OCC or to a dedicated Security Operations Control Centre (S-OCC), where the surveillance system, using intelligent video capabilities, analyses the received images and warns the security operator if needed.

On the wayside, however, the role of the surveillance system is more extensive. Here, wayside means the stations, platforms and trackside, as well as electrical substations, depots and maintenance sites. In this perspective, the surveillance system is used not only to ensure the safe operation of the vehicles, but also to ensure that unauthorised personnel do not access the wayside facilities. To that effect, the surveillance system interfaces with additional systems, such as the access control system, to obtain additional signals that may enable it to reason about whether the situation at each location is normal.

Figure 15 - Wayside SS [62]
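As an added illustration of the reasoning described above (this is example code written for this section, not part of the SECUR-ED deliverable or of MODURBAN), the following Python joins two of the signals a wayside surveillance system can receive from the access control system, badge reads and door contacts, and raises an alert for the S-OCC operator when a door at a restricted site opens without a recent authorised badge read, or when badge reads are repeatedly denied at one site. The log line format, the site names, the time windows and the sample events are all constructed for the example.

```python
"""Correlating access-control signals with door sensors at wayside sites.

Added example: a minimal rule engine that reasons about the "normality" of the
situation at a wayside location (substation, depot) from two signal sources,
badge reads from the access control system and door contact sensors.  The
event format, site names and time windows are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime   # event timestamp (naive, local time in this example)
    site: str      # wayside location, e.g. "substation-A"
    kind: str      # "badge" or "door"
    detail: str    # badge: "granted:<id>" / "denied:<id>"; door: "open" / "close"


def parse_event(line: str) -> Event:
    """Parse one constructed log line: '<ISO-8601 ts> <site> <kind> <detail>'."""
    ts, site, kind, detail = line.split(" ", 3)
    if kind not in ("badge", "door"):
        raise ValueError(f"unknown event kind: {kind}")
    return Event(datetime.fromisoformat(ts), site, kind, detail)


def find_unauthorised_entries(events: List[Event],
                              window: timedelta = timedelta(seconds=30)) -> List[str]:
    """One alert per door opening not explained by an access grant at the same
    site within `window` before it.  A granted badge read 'arms' the site for
    `window`; a door 'open' while armed is normal, otherwise it is reported so
    the operator can pull the video feed for that site."""
    events = sorted(events, key=lambda e: e.ts)
    armed_until: Dict[str, datetime] = {}   # site -> instant until which an opening is expected
    alerts = []
    for e in events:
        if e.kind == "badge" and e.detail.startswith("granted:"):
            armed_until[e.site] = e.ts + window
        elif e.kind == "door" and e.detail == "open":
            if e.ts <= armed_until.get(e.site, datetime.min):
                continue   # opening explained by a recent grant
            alerts.append(f"{e.ts.isoformat()} {e.site}: door opened without an authorised badge read")
    return alerts


def find_repeated_denials(events: List[Event], threshold: int = 3,
                          window: timedelta = timedelta(seconds=60)) -> List[str]:
    """One alert per site when `threshold` denied badge reads fall within `window`."""
    events = sorted(events, key=lambda e: e.ts)
    recent: Dict[str, List[datetime]] = {}   # site -> timestamps of recent denials
    alerts = []
    for e in events:
        if e.kind != "badge" or not e.detail.startswith("denied:"):
            continue
        ts_list = [t for t in recent.get(e.site, []) if e.ts - t <= window]
        ts_list.append(e.ts)
        recent[e.site] = ts_list
        if len(ts_list) == threshold:   # fire once, when the threshold is first reached
            alerts.append(f"{e.ts.isoformat()} {e.site}: {threshold} denied badge reads "
                          f"within {int(window.total_seconds())}s")
    return alerts


# Constructed sample: a normal maintenance entry at substation-A and, at night,
# three refused badge reads at depot-B followed by the door opening anyway.
SAMPLE_LOG = """\
2014-09-11T08:00:00 substation-A badge granted:M1234
2014-09-11T08:00:12 substation-A door open
2014-09-11T08:05:40 substation-A door close
2014-09-11T22:13:10 depot-B badge denied:U9999
2014-09-11T22:13:25 depot-B badge denied:U9999
2014-09-11T22:13:41 depot-B badge denied:U9999
2014-09-11T22:14:03 depot-B door open
2014-09-11T22:16:00 depot-B door close
"""


def run_sample() -> Dict[str, List[str]]:
    """Run both rules over the constructed log and return the alerts per rule."""
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    return {"unauthorised_entry": find_unauthorised_entries(events),
            "repeated_denials": find_repeated_denials(events)}


if __name__ == "__main__":
    for rule, alerts in run_sample().items():
        for alert in alerts:
            print(rule, "->", alert)
```

The substation-A opening is silent because it follows a grant within the window; depot-B yields two alerts, one for the denials and one for the door opening, which is the kind of signal that lets the operator prioritise which camera feed to look at rather than watching all of them.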

Additionally, the surveillance system may also interact with the passenger information system, either to enable the operator to communicate with the passengers on-board using pre-recorded or on-demand messages, or to execute predefined actions, without operator intervention, when a given condition is met. MODURBAN D116 [62] describes some basic requirements and system interfaces for surveillance systems, to which the interested reader may refer. Moreover, SECUR-ED D33.1 [63] presents an analysis of the current capabilities of video analytics, as well as some of the operational restrictions under which these capabilities are possible.

4.7 Bus Transport Technology

Most of the system types described in this document so far are aimed at urban rail transport, and are usually neither used in nor applicable to urban bus transport. The typical IT architecture of a bus transport infrastructure is simpler than that of an urban rail transport operator. It might be divided into two system domains:

- On-board systems: these systems interact with the devices on-board, with the objective of obtaining diagnostic data for the operations control centre, as well as presenting information and additional services related to passenger operation;
- Back-office/OCC systems: these systems are used to manage, rather than directly control as happens in rail transport, the operation of the transport network. They interact with the on-board systems to receive diagnostics and operation data, to provide the vehicle driver with route and dispatching information, and finally to manage the information presented to passengers both inside the vehicles and at bus stops.
The communication between the vehicles and the back-office systems is usually performed in one of two ways: either through a long-range public communication network, enabling periodic communication between systems, or through a short-range communication network, usually deployed in large bus hubs and depots, to exchange ticketing data and the historical data stored in vehicles regarding services provided since the last synchronisation. Figure 16 depicts a typical IT architecture of an urban bus transport network [64], obtained from the European Bus System of the Future (EBSF) project [65]. This project aimed at designing an integrated system suitable for use in the next generation of bus transport systems in Europe.

Figure 16 - Bus technology IT architecture [64]

The vehicle controllers and sensors are connected on a CAN network, usually in compliance with the SAE J1939 (Recommended Practice for a Serial Control and Communications Vehicle Network) standard. This family of standards defines a network upon which the diverse components are interconnected, as well as network- and application-level protocols. The data obtained from the vehicle control network through the Fleet Management System (FMS) [66] is presented to the driver on an on-board diagnostics console, and sent to the remote diagnostics and maintenance system in the back-office. Another system of great importance is the Automated Vehicle Management System (AVMS), which supports planning, operations, monitoring, control and maintenance functions. The STADIUM (Smart Transport Applications Designed for large events with Impacts on Urban Mobility) project presents a more detailed analysis of the operation of the AVMS and of its interfaces with other systems (e.g., the on-board passenger information (PI) system) [67]. The previously described systems are usually interconnected through an IP network, as depicted in Figure 16. Annex A of EN (Public transport -- Road vehicle scheduling and control systems -- Part 1: WORLDFIP definition and application rules for on-board data transmission) presents an analysis of the requirements of such a network, as well as a more complete analysis of the systems usually found on-board urban buses.
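As an added example of the vehicle network named above (this is illustrative code written for this section, not code from the SECUR-ED deliverable, the EBSF project or the FMS standard), the following Python decodes the 29-bit extended CAN identifier that SAE J1939 uses and then audits a handful of frames against an allow-list of source addresses the fleet integrator expects on the bus. The sample frames and the allow-list are constructed; the address-to-function mapping in the allow-list follows the J1939 preferred-address assignments as used here and should be replaced by the vehicle's actual configuration.

```python
"""Decoding SAE J1939 CAN identifiers and spotting unexpected senders.

Added example: splits a J1939 29-bit identifier into priority, Parameter
Group Number (PGN), destination and source address, then reports frames
whose source address is not on a constructed allow-list.  Useful as the
first step of monitoring a bus vehicle network for devices that should not
be talking on it (for instance a diagnostic tool address in revenue service).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class J1939Id:
    priority: int      # 3 bits, 0 = highest priority
    pgn: int           # 18-bit Parameter Group Number
    destination: int   # destination address for PDU1 frames, 0xFF (global) for PDU2
    source: int        # 8-bit source address of the sending ECU


def decode_j1939_id(can_id: int) -> J1939Id:
    """Split a 29-bit CAN identifier into the J1939 fields.

    Layout, most significant bit first: 3-bit priority, 1-bit extended data
    page (EDP), 1-bit data page (DP), 8-bit PDU Format (PF), 8-bit PDU
    Specific (PS), 8-bit source address.  PF < 240 marks a PDU1 (destination
    specific) frame, where PS is the destination address and is not part of
    the PGN; PF >= 240 marks a PDU2 (broadcast) frame, where PS is a group
    extension and is part of the PGN.
    """
    if not 0 <= can_id < (1 << 29):
        raise ValueError("J1939 uses 29-bit extended identifiers")
    priority = (can_id >> 26) & 0x7
    edp = (can_id >> 25) & 0x1
    dp = (can_id >> 24) & 0x1
    pf = (can_id >> 16) & 0xFF
    ps = (can_id >> 8) & 0xFF
    source = can_id & 0xFF
    if pf < 240:   # PDU1
        pgn = (edp << 17) | (dp << 16) | (pf << 8)
        destination = ps
    else:          # PDU2
        pgn = (edp << 17) | (dp << 16) | (pf << 8) | ps
        destination = 0xFF
    return J1939Id(priority, pgn, destination, source)


# Constructed allow-list: source addresses expected on this vehicle's bus.
# Address 249 (0xF9) is reserved by J1939 for an off-board diagnostic tool
# and is deliberately left out, since it should not be present in service.
EXPECTED_SOURCES: Dict[int, str] = {
    0x00: "engine #1",
    0x0B: "brakes - system controller",
    0x17: "instrument cluster #1",
    0x21: "body controller",
}


def audit_frames(can_ids: List[int],
                 expected: Dict[int, str] = EXPECTED_SOURCES) -> List[Tuple[int, J1939Id, str]]:
    """Decode each identifier and report those sent from a non-allow-listed address."""
    findings = []
    for cid in can_ids:
        d = decode_j1939_id(cid)
        if d.source not in expected:
            findings.append((cid, d, f"unexpected source address 0x{d.source:02X} sending PGN {d.pgn}"))
    return findings


# Constructed sample traffic: engine speed (PGN 61444) and cruise control /
# vehicle speed (PGN 65265) from the engine, then a request (PGN 59904)
# addressed to the engine from source 0xF9, the diagnostic-tool address.
SAMPLE_FRAMES = [0x0CF00400, 0x18FEF100, 0x18EA00F9]


def run_sample() -> List[Tuple[int, J1939Id, str]]:
    return audit_frames(SAMPLE_FRAMES)


if __name__ == "__main__":
    for cid, decoded, note in run_sample():
        print(f"0x{cid:08X}: {decoded} -> {note}")
```

Only the third frame is reported: its PGN is an ordinary request, but the source address is one that no on-board ECU should use, which is exactly the kind of signal a back-office diagnostics system can forward to the operator.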

5 Security standards, best practices and recommendations applicable for a PTO

To provide a systematic way to address information security, industry associations and standardisation bodies have developed a set of standards. These systematic views have the advantage of providing a common language between different market operators, as well as standardised strategies to validate the efforts of each entity towards cybersecurity. It is thus of significant importance for PTOs to be familiar with the security-related standards, best practices and industry-accepted recommendations existing in each of the technological domains they work with, given that these references may be of significant importance when defining, implementing and improving their cybersecurity programmes.

The analysis of the existing standards, best practices and recommendations builds on the architectural framework described in the previous section, serving as a reference to improve the security of those systems by pinpointing the standards that might be used to address the specificities of each system domain. This analysis will focus on three main system classes, which aggregate the system types described in the previous section:

- Energy distribution and automation control (EDAC) systems: the standards and recommendations presented for this system class seek to protect the systems that handle the distribution, automation and control of energy throughout the transport network, namely the systems described in sections 4.1 and 0 of the architecture framework;
- Industrial automation and control systems (IACS): the systems that handle the control and automation of the transport infrastructure, namely the automated control of and interaction with the station, wayside and on-board systems, are the ones targeted by the standards and recommendations presented in this system class. These systems are described in sections 4.1, 4.3 and 4.7 of the architecture framework;
- Information technology (IT) systems: the standards and best practices applicable to general IT systems are presented in this system class. Even though these recommendations might be generally applicable to most system types from the architecture framework, they are especially applicable to the systems presented in sections 4.4, 4.6 and 4.7 of the architecture framework.

It must be noted, however, that some of the security standards, best practices and recommendations described in this section overlap each other. The choice of the standards and recommendations to be used by each operator needs to be made on a case-by-case basis, taking into consideration the dimension, nature and environment of the transport infrastructure, and the relevant organisational aspects of each of the stakeholders.

5.1 Energy distribution and automation control (EDAC) systems

As previously described in section 0, energy distribution and automation control systems play a significantly important role in a transport infrastructure: without energy the infrastructure would not be able to operate, and a malfunction or unintended action may cause significant damage to these systems or to the ones powered by them.

5.1.1 EDAC system communication security

Network communication in EDAC systems is performed using three standardised protocols: DNP, IEC and IEC. Despite being industrially accepted and widely deployed, these protocols were not developed with security in mind. An exception must be made, however, for DNP v3.0, which introduced a mechanism to support secure authentication between the communicating parties. Nonetheless, apart from this specific feature, these protocols do not address communications security in a systematic way. IEEE (Recommended Practice for Data Communications Between Remote Terminal Units and Intelligent Electronic Devices in a Substation), although its main subject is not EDAC communication security, proposes several security mechanisms suitable to be added to the EDAC communication protocols to increase their protection level. IEC (Power systems management and associated information exchange -- Data and communications security) is the result of a much broader initiative to systematically improve the security of EDAC communication protocols, by proposing a layer that builds on top of the existing protocols with the purpose of adding a set of security properties. This standard is divided into 10 parts, and its relation with the existing EDAC communication protocols is depicted in Figure 17.

Figure 17 - IEC parts and EDAC communication protocol relation

Substation intelligent electronic devices security

The security of intelligent electronic devices used in substations, operating at the bay level as described in section 0, is the subject of the IEEE (Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities) standard. This standard defines the security capabilities that should be considered when procuring, installing or commissioning these devices, as well as the requirements that must be met by those security capabilities, to support the implementation of an EDAC security management system.
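To make the "secure authentication between the communicating parties" mentioned for DNP v3.0 in subsection 5.1.1 concrete, the following Python is an added example (written for this section, not code from the SECUR-ED deliverable, and not the IEEE 1815 Secure Authentication wire format) of the principle behind it: before executing a critical command, the outstation issues a random challenge, and the master proves possession of a shared session key by returning an HMAC over the challenge sequence number, the nonce and the command. The outstation compares in constant time and accepts each challenge answer only once, so a recorded reply cannot be replayed. The session key, command bytes and field sizes are constructed for the example; real deployments also need session key update and key management, which the model leaves out.

```python
"""Challenge-response authentication of critical commands on a master/outstation link.

Added example modelling the idea behind DNP3 secure authentication: a command is
held until the master answers a fresh challenge with a MAC under the shared
session key.  Not the real protocol encoding; key, messages and sizes are
constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def compute_mac(key: bytes, csq: int, nonce: bytes, command: bytes) -> bytes:
    """HMAC-SHA256 binding the challenge sequence number, nonce and command together."""
    return hmac.new(key, csq.to_bytes(4, "big") + nonce + command, hashlib.sha256).digest()


class Outstation:
    """Field device side: challenges critical commands and verifies the reply."""

    def __init__(self, session_key: bytes):
        self._key = session_key
        self._csq = 0                                        # challenge sequence number
        self._pending: Optional[Tuple[int, bytes, bytes]] = None  # (csq, nonce, command)
        self.executed: List[bytes] = []                      # commands accepted so far

    def challenge(self, command: bytes) -> Tuple[int, bytes]:
        """Hold `command` and return (csq, nonce) for the master to authenticate."""
        self._csq += 1
        nonce = os.urandom(16)
        self._pending = (self._csq, nonce, command)
        return self._csq, nonce

    def reply(self, csq: int, mac: bytes) -> bool:
        """Verify the master's MAC for the pending challenge; execute on success."""
        if self._pending is None or csq != self._pending[0]:
            return False                 # nothing outstanding, or stale sequence number
        _, nonce, command = self._pending
        self._pending = None             # a challenge can be answered only once
        if not hmac.compare_digest(mac, compute_mac(self._key, csq, nonce, command)):
            return False                 # wrong key or tampered command
        self.executed.append(command)
        return True


class Master:
    """Control centre side: answers challenges with a MAC under the session key."""

    def __init__(self, session_key: bytes):
        self._key = session_key

    def answer(self, csq: int, nonce: bytes, command: bytes) -> Tuple[int, bytes]:
        return csq, compute_mac(self._key, csq, nonce, command)


def demo() -> Dict[str, object]:
    """Run one genuine exchange, a replay of its reply and a reply under the wrong key."""
    key = os.urandom(32)                 # constructed session key, shared out of band
    outstation, master = Outstation(key), Master(key)
    cmd = b"OPERATE breaker-12 TRIP"    # constructed critical command

    csq, nonce = outstation.challenge(cmd)
    genuine = outstation.reply(*master.answer(csq, nonce, cmd))

    replay = outstation.reply(csq, master.answer(csq, nonce, cmd)[1])   # same reply again

    csq2, nonce2 = outstation.challenge(cmd)
    other = Master(os.urandom(32))       # a party that does not hold the session key
    wrong_key = outstation.reply(*other.answer(csq2, nonce2, cmd))

    return {"genuine": genuine, "replay": replay, "wrong_key": wrong_key,
            "executed": len(outstation.executed)}


if __name__ == "__main__":
    print(demo())
```

The single accepted command in the result is the point: without the session key, or with a reused reply, the outstation does not act, which is the property the original protocols listed above lack when no authentication layer is added.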

5.1.3 EDAC security management system

In addition to the standards referred to in the previous subsections, which have a very narrow scope, typically aiming at the protection of a given aspect of EDAC system security, there are several standards that aim at the implementation of a security management system considering the EDAC system as a whole.

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard series supports the implementation, maintenance and validation of an EDAC security management system by taking into consideration each security-relevant function. This standard is divided into 8 parts, with two additional parts to be introduced in the future, as listed in Table 2. Each of the NERC CIP standards specifies the entities to which it is applicable, the requirements that should be met by each applicable entity, the measures that should be provided in the implementation of each requirement, and the compliance activities carried out to ensure the requirements are being met.

Table 2 - NERC CIP Standard parts

Part                Title
CIP-002             Critical cyber asset identification
CIP-003             Security management controls
CIP-004             Personnel and training
CIP-005             Electronic security perimeters
CIP-006             Physical security
CIP-007             Systems security management
CIP-008             Incident reporting and response planning
CIP-009             Recovery plans for critical cyber assets
CIP-010 (Future)    Configuration change management and vulnerability assessments
CIP-011 (Future)    Information protection

Another standard providing support for the definition of an EDAC security management system is ISO (Information technology -- Security techniques -- Information security management guidelines based on ISO/IEC for process control systems specific to the energy utility industry). This standard is aligned with, and based on the same principles as, the ISO (Information technology -- Security techniques -- Code of practice for information security controls) standard (Section 5.3). However, it was specifically extended to the domain of EDAC systems, to provide an information security management system that covers from the bay level up to the process level.

5.2 Industrial automation and control systems (IACS)

Considering the central role and widespread usage of industrial automation and control systems in transport networks, it is of utmost importance to increase the protection of those systems both against intentional attacks and against accidental actions that, even though they do not directly constitute an attack, may significantly endanger their normal operation.

IACS availability

IACS are generally real-time systems whose availability must be ensured at all times. There are several strategies to address this issue. IEEE 802.1D (IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Bridges) addresses the interconnection of local-area networks (LAN) and metropolitan-area networks (MAN) according to the IEEE 802 standards, and defines two protocols: the Spanning Tree Protocol (STP) and the Rapid Spanning Tree Protocol (RSTP). These protocols are used to ensure a loop-free network topology and, as far as availability is concerned, allow a network to be provided with redundant links, which are used to reorganise the network in case a link in use fails. However, these protocols, commonly used in LANs, have a reconfiguration time usually greater than 1 s, making them less suitable for IACS applications. Additionally, IEC (Industrial communication networks -- High availability automation networks) also defines several redundancy protocols, specifically with industrial control networks in mind. IEC is divided into seven parts, where each part defines one or more availability protocols.

Two parts worth noting are IEC (Industrial communication networks -- High availability automation networks -- Part 2: Media Redundancy Protocol (MRP)) and IEC (Industrial communication networks -- High availability automation networks -- Part 3: Parallel Redundancy Protocol (PRP) and High-availability Seamless Redundancy (HSR)), which propose protocols especially suitable for the IACS used in transport networks.

MRP (IEC ) makes use of some of the principles of STP and RSTP, by providing a reconfiguration protocol based on the existence of spare, unused links on the network. However, rather than relying on all the nodes to perform failure detection and autonomously re-run the reconfiguration protocol, this protocol is based on a central manager, which centralises these operations. With the standard settings, MRP is able to guarantee a typical reconfiguration time of 500 ms, 200 ms or 30 ms in rings composed of up to 50 switches, and a typical reconfiguration time of 10 ms in rings composed of up to 14 switches. This protocol is extensively used in IACS, being widely supported by manufacturers.

PRP (IEC ) uses two separate networks, where copies of the same data frame are sent through each of the two networks. The end nodes are dedicated switches (Double Attached Nodes (DANs)), while other switches (Single Attached Nodes (SANs)) in the network remain unaware of the operation of the protocol. An important characteristic of a PRP implementation is that the two networks can have identical or different topologies and/or different performance characteristics.

HSR (IEC ) is based on the same principles as PRP, in the sense that the data is sent across two separate networks; however, HSR networks are restricted to a ring topology. Unlike PRP, HSR uses DANs that are connected to each other without the requirement of

dedicated Ethernet switches. It is important to note that the available network bandwidth is halved, because two frames, instead of one, are transmitted over the ring. Both HSR and PRP are able to deliver 0 ms typical reconfiguration times, being thus especially suitable for use in time-critical IACS. This performance comes, however, at the cost of having to deploy and maintain two parallel networks, with dedicated and generally expensive hardware.

Table 3 - Redundancy protocol comparison

Table 3 outlines the redundancy protocols defined in each of the analysed standards and the typical operational properties of these protocols, namely as far as reconfiguration time is concerned.

IACS security management system

The definition of a standardised way to address the security of the industrial automation and control systems deployed in an organisation, as a whole, is also the subject of some standards, the most relevant examples of which, described next, are the ISA 99 and NIST SP standards.

ISA 99/IEC

The ISA 99 committee prepared a set of technical recommendations, later adapted as the IEC standard, to provide end-to-end security for IACS. This standard is aligned with the architectural principles standardised in ISA 95, already described in Section. The standards proposed are divided into 4 layers (general, policies and procedures, system, and component), each of which is subdivided into several parts, as depicted in Figure 18:

- IEC and IEC define the terminology, concepts and models upon which the standard series is built;
- IEC specifies a set of security compliance metrics, intended to be measurable, context-specific and automatable, to assess the effectiveness of the IACS security management system;

- IEC (to appear) aims at describing the common security life cycle that is used throughout the IEC series;
- IEC and IEC support the establishment and operation of an IACS security management system, being mainly focused on the asset owner. This standard is aligned with ISO principles, enabling the integration of the IACS security management system with a higher-level information security management system;
- IEC addresses patch management in IACS, applying some well-established practices to IACS;
- IEC focuses on the certification of IACS supplier security policies and practices. This standard will be further addressed in Section 8;

Figure 18 - ISA 99/IEC standards

- IEC provides guidance on the implementation of security controls in IACS, by applying existing tools, technologies and controls described in other existing control frameworks;
- IEC establishes requirements for conducting a security risk assessment, including defining the zones and conduits of the IACS, providing a breakdown of the system's logical architecture, and giving guidance on the definition of the target Security Assurance Levels (SALs) to be achieved by the systems in question;
- IEC provides detailed technical system requirements (SRs) associated with the seven foundational requirements (FRs) described in IEC, including defining the requirements for system capability security levels, SL-C;

- IEC (to appear) defines the security product development lifecycle, specifying the requirements of each development phase, to enable the provisioning of security early in the system's life;
- IEC (to appear) aims at specifying the security requirements at the IACS component level, as well as defining the technical controls that expand the system-level requirements to the individual components.

Several certifications and formal validation strategies have been proposed in alignment with the ISA 99 standards. These certification and validation strategies will be further addressed in Section.

NIST SP

NIST SP (Guide to Industrial Control Systems (ICS) Security) was developed to assist operators in implementing an IACS security management system based on the principles defined for information security management systems in other NIST standards. The document provides an overview of IACS and typical system topologies, identifies the typical threats and vulnerabilities of those systems, and provides recommended security countermeasures to mitigate the associated risks. In addition to defining a set of security controls specifically applicable to IACS, this standard builds on top of the NIST SP (Security and Privacy Controls for Federal Information Systems and Organisations) security control catalogue and implementation guide, further described in Section 5.3. A new revision of this standard is being prepared, to introduce:

- Updates to IACS threats and vulnerabilities;
- Updates to IACS risk management, recommended practices and architectures;
- Updates to security capabilities and technologies for IACS;
- Alignment with NIST SP, Revision 4 security controls, including the provision of tailored security control baselines for low, moderate and high impact IACS.

Security certification

It is a very common procedure in IACS to perform a safety certification of the systems and components, and in that way ensure that there is a very low probability of that system or device acting in an unexpected and unsafe way. The safety certification of the systems used in mass transport is usually based on the IEC standard or on its specific adaptation for railway systems, IEC. Generally speaking, the certification of a component or system against these standards leads to the attribution of a safety integrity level (SIL), which frames the expected failure rate for that system. Even though products certified according to these standards are expected to act in a controlled and well-behaved manner, which would likely reduce the number of intrinsic vulnerabilities and the size of the attack surface, they explicitly offer no guarantee when considering a malicious attack. Thus, several techniques have been proposed to address the security certification of systems and components.

Common Criteria (CC)

One of these proposals makes use of techniques already existing in general software security certification, namely the Common Criteria (CC), defined in ISO (Information technology -- Security techniques -- Evaluation criteria for IT security). The Common Criteria is a formal security assurance framework, based on the definition of a formal specification, a Protection Profile (PP), of the system to certify. The PP outlines the target of evaluation, the Security Target (ST), by defining the system, its interfaces and its expected behaviour, and establishes a set of Security Functional Requirements (SFRs) to be fulfilled to attain a given target Evaluation Assurance Level (EAL). The EAL framework provides an approach similar to the one provided by SIL in safety certification. There are 7 EAL levels, ranging from EAL 1, where the ST is only functionally tested, to EAL 7, where the ST is formally evaluated from the design stage up to testing. Based on the PP definition, the product is subjected to a security evaluation by an accredited institution, which results in the definition of the set of Security Assurance Requirements (SARs) used to certify that product, and in the EAL attained as a result of the evaluation process. There are two known PPs, proposed by NIST, defined with IACS in mind:

- The System Protection Profile - Industrial Control Systems [68] addresses the certification of the IACS as a whole, by specifying the security requirements and controls that should be implemented throughout the infrastructure, as well as the assurance requirements that must be met by the target IACS. This PP was designed to aim at EAL 3;
- The Field Device Protection Profile for SCADA Systems in Medium Robustness Environments [69] addresses the certification of the field components of an IACS. This protection profile is more narrowly scoped than the previous one, aiming only at a specific part of the IACS and featuring, thus, more stringent security requirements and a larger number of required controls. This PP aims at achieving EAL.

ISA 99 certifications

Another approach to ensuring the security of IACS has been the development of certifications against ISA 99/IEC 62443, given the broad coverage of these standards regarding IACS security. Several certification programmes have been developed by two main certification entities: ISASecure and Wurldtech. ISASecure is responsible for three certification programmes, which we briefly describe next:

Figure 19 - EDSA certification levels

- Embedded Device Security Assurance (EDSA): this certification focuses on the security of embedded devices and addresses device characteristics and supplier development practices for those devices. This certification is composed of a matrix, specifying the functions to be certified and the requirements for each of these functions across three certification levels (Figure 19):
  o The Communication Robustness Testing (CRT) is concerned with the robustness of the communication protocol implementation, including resistance to several attacks such as SYN floods and invalid packets;
  o The Functional Security Assessment (FSA) specifies a set of security controls, aligned with NIST SP800-53, which should be included according to the intended level of certification;
  o Finally, the Software Development Security Assessment (SDSA) specifies a set of requirements in accordance with IEC 61508, ISO 15408, the Microsoft SDLC and the Comprehensive, Lightweight Application Security Process (CLASP) from OWASP, which addresses the introduction of security across an organisation's application development process;
- Security Development Lifecycle Assurance (SDLA): this certification is based on the assessment of the product supplier's development lifecycle processes for industrial automation control systems. An SDLA certification is granted to a specific version of a named, documented development lifecycle process, under version control, that is used by a named development organisation or organisations. The successful certification of a security development lifecycle leads to the attribution of an assurance level ranging from 1 to 4, designed in a similar fashion to the SAL defined in IEC;
- System Security Assurance (SSA): this certification addresses the security of the IACS as a whole, provided that the system meets the following criteria:
  o It consists of an integrated set of components and includes more than one device;
  o It is available from, and supported as a whole by, a single supplier, although it may include hardware and software components from several manufacturers;
  o The supplier has assigned a unique product identifier to the control system, which the supplier uses in the marketplace to refer to the integrated set of components as a whole;
  o The system product is under configuration control and version management.

This certification is divided into several assurance functions, as depicted in Figure 20. Additionally, it may leverage prior certification efforts aligned with the previously described certifications, given that, on the one hand, the SDLA function is the base of the SDLA certification (which might be pursued in parallel), and, on the other hand, the FSA and SRT are components of the EDSA certification, making it possible to reuse the assessment results of those functions for the system's devices already certified.

Figure 20 - SSA certification activities

Similarly, Wurldtech has developed two certification programmes addressing IACS security certification:

- Achilles Communications Certification: this certification addresses the robustness of the network communication of IACS, supporting certification from the device level up to the whole-system level. It supports most of the commonly used IACS communication protocols, such as DNP3, Modbus TCP/IP and Fieldbus, and the certification makes use of a communications-testing platform developed by Wurldtech. Additionally, it is aligned with the CRT part of the ISASecure EDSA certification, with certified products being assigned a level of 1 or 2;
- Achilles Practices Certification: this certification establishes a set of security requirements that IACS manufacturers should comply with, based on IEC. This certification contains 272 security benchmarks across 4 process category areas and 35 key process areas, which are used to assess the people, processes and technologies implemented. The 4 process category areas are organisation, system capability, commissioning and acceptance testing, and maintenance and support. This certification uses a non-standard assurance level, attributing to the certified entities a level of Bronze, Silver or Gold according to the requirements accomplished.
The certification programmes offered by ISASecure and Wurldtech have experienced different levels of industry acceptance, for various reasons:

- In the first place, the cost of carrying out some of the certification activities may be too high for some organisations. As an example, the FSA and SDLA functions of the

52 ISASecure SSA certification and the Achilles Practices certification can reach values up to 100K ; Additionally, some certification processes are not well defined, reducing the comparability and even the trust on the result of that certification. An example of such a certification is the Achilles Practices certification, where the certification process is not explicitly described; The Achilles Communications certification has had significant success, in part due to its relative simplicity, and to the provisions of a testing environment easily usable. As a result, more than 15 companies have already been certified, and more than 180 devices have been certified; Most national and international information security agencies have not endorsed these certifications, due to their lack of rigorous measures like the ones provided by CC. This is the case of ENISA, BSI and ANSSI; Finally, most of these certifications do not take in consideration the risk of the specific system or application, like in the model proposed in ISO (Information technology Security techniques Application security). This standard defines application security as context dependent process, which results from an analysis of application-specific risks, and their integration in the overall organisation risk management approach, which leads to the definition of an application target level of trust (LoT). Based on the LoT definition, are selected the adequate controls to bring the security of the application up to the level defined. 
This approach is similar to the one provided in safety certification, by defining the acceptable expected failure rate and keeping it as low as reasonably practicable (ALARP), offering a more cost- and risk-effective approach to product security validation.

Government/International agencies recommendations

Even though they do not have the nature of a standard, and are thus neither mandatory nor subject to enforcement, several governmental and international agencies and institutions have created recommendations and best practices suitable for use by transport operators.

The European Union Agency for Network and Information Security (ENISA), which is in charge of improving the state of network and information security across the Union, has produced several recommendations and best practice documents in the domain of critical infrastructure protection:

- In [70], ENISA provides an extensive analysis of the standards and recommendations in use across several of its constituent countries. The interested reader may use this document to find a more in-depth description of the relevant standards on IACS security than the one provided in the current document;
- In [71], a good practice guide is presented for Computer Emergency Response Teams (CERTs) handling incident management and response processes in IACS, with a focus on the definition of the CERT mandate and constituency, as well as on the operational and organisational capabilities these teams should be provided with;
- In [72], ENISA outlines a set of recommendations related to the patching of IACS, more specifically of SCADA systems, aiming at reducing the window of exposure to vulnerabilities. This document addresses the challenges usually faced in a patch management process and provides recommendations on how to overcome them.

The Centre for the Protection of National Infrastructure (CPNI) is the United Kingdom's government agency responsible for improving national infrastructure security. This agency provides an extensive catalogue of recommendations and best practices [76], addressing many of the technical and managerial domains involved in IACS. Additionally, it provides a multi-part SCADA security guide [77], describing a set of security measures IACS operators should implement, as well as information on how to implement and put those measures into practice.

The French National Agency for Information Systems Security (Agence nationale de la sécurité des systèmes d'information, ANSSI) also addresses the protection of industrial control systems against cyber-attacks. The recommendations and guidelines provided are divided into a three-part guide:

- The first part, Maîtriser la SSI pour les systèmes industriels (Controlling information systems security for industrial systems) [73], describes the context surrounding industrial control systems and a possible methodology to integrate information security into those systems. This guide also describes some of the most common vulnerabilities found in real-world environments, as well as a preliminary list of good practices;
- The second part, Méthode de classification et mesures principales (Classification method and main measures) [74], specifies a method to classify the criticality of industrial control systems, assigning each system to one of three classes according to its operational relevance, disruption susceptibility and impact. Additionally, it provides a set of security measures, based on the preliminary list of good practices from the first part, which specify the different implementation requirements for each of the system class levels;
- Finally, the third part, Mesures détaillées (Detailed measures) [75], presents a more in-depth analysis of the constraints and vulnerabilities industrial control systems are subjected to. It builds on the security measures proposed in the second part to propose a more complete set of security measures, grouped into organisational and technical security measures, as well as guidance on how to apply them to each system class level.

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) of the German government, similarly to its counterparts described above, is the agency responsible for computer, communications and information security in Germany. The BSI has proposed two best practice and recommendation guides related to critical infrastructure and IACS protection that are worth mentioning. In [78], a baseline security concept is proposed, providing a baseline for the protection requirements and the security procedures and processes that should be implemented by companies defined as part of the national critical infrastructure. Additionally, BSI proposes a CIP security implementation plan [79] that builds on the baseline security concept, extends it, and provides guidance on how to implement and how to extend the proposed solutions.

5.3 Information technology systems

In addition to the standards specifically tailored to address particular aspects of critical infrastructure security, like the ones described in the previous sections, there are several standards designed to provide a systematic approach to the security of general IT systems. These standards are of no less relevance to PTO organisations than the ones described earlier, given the dependence on this kind of system, as well as their susceptibility as a cyber-attack target.

ISO standards

Several standards have been proposed by ISO with the objective of assisting the implementation and improvement of information security. One of the most widely known and most used initiatives is the ISO (Information security management systems) standard family, built with the purpose of supporting the implementation, maintenance and improvement of Information Security Management Systems (ISMS). The lifecycle of an ISMS is supported by 5 foundational standards, described next:

- ISO outlines the requirements for the establishment, implementation, maintenance and continuous improvement of an ISMS. The standard uses an information security risk-based approach, to align the implementation of the security controls with the specific risks each organisation is subjected to. This standard addresses the activities necessary to define the context of the organisation, ensure leadership commitment and plan the implementation, as well as to support, operate, evaluate the performance of, and improve the ISMS. Annex A specifies the 114 controls, divided into 14 control groups, that are suitable for addressing the risks identified;
- ISO further defines the security controls outlined in ISO Annex A, by providing, for each security control, implementation guidance and additional relevant information;
- ISO (Information technology Security techniques Information security management system implementation guidance) provides guidance on the implementation of an ISMS, focusing on the critical aspects of a successful design and implementation. Additionally, it provides an end-to-end description of the ISMS specification and design process, the process of obtaining management approval for its implementation, and the description of an ISMS implementation process;
- ISO (Information technology Security techniques Information security management Measurement) supports the definition of measures and metrics to assess the performance of the overall ISMS, as well as of the implemented security controls and control groups;
- ISO 27005, already addressed in Section 3.2.4, further defines the information security risk management processes required by ISO 27001, to support the implementation of an ISMS based on a risk management approach.

Based on the foundations provided by these standards, several other standards in the ISO family address specific aspects of an ISMS:

- ISO (Information technology Security techniques Governance of information security) provides guidance on the governance of information security, by which management can evaluate, direct, monitor and communicate the information security related activities within the organisation;
- ISO (Information technology Security techniques Network security) addresses the specificities of network security, by analysing the security risks associated with networks and providing controls to support network technical security architectures;
- ISO 27034, already analysed in Section , provides an application security management framework, designed to address the application-specific security risks throughout the application lifecycle;
- ISO (Information technology Security techniques Information security incident management) proposes an information security incident management framework, providing a structured approach to detect, report, assess and respond to information security incidents, as well as to detect, assess, manage and mitigate information security vulnerabilities.

Additionally, ISO (Societal security Business continuity management systems Requirements) is usually used in conjunction with the standards from the ISO family, given their complementary nature. This standard defines a consistent framework to plan, establish, implement, operate, monitor, review, maintain, document and continually improve a business continuity management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to, and recover from disruptive incidents when they arise.

NIST standards

NIST has also proposed several standards concerning IT security from end to end.
The range of subjects addressed is extensive, and thus only a few standards, considered relevant for PTO organisations, are outlined in this document. For a more complete reference, the interested reader may refer to the complete NIST Special Publications (SP) database in [80].

- NIST SP (Managing Information Security Risk: Organisation, Mission, and Information System View) defines a risk management framework based on a 4-step cyclic process, as depicted in Figure 21.

Figure 21 - NIST SP Risk Management Process

This risk management framework uses a multi-layered perspective, composed of the Organisation, Mission/Business Process and Information System layers. The risk management process is carried out seamlessly across the three layers, with the overall objective of continuously improving the organisation's risk-related activities and of effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organisation. The information security management system proposed by NIST is built around this risk management framework. It should, however, be noted that this risk management framework is significantly more complex, and consequently more costly, when compared for example with ISO. To support and ease the implementation of the risk management framework, NIST SP Rev.1 (Guide for Applying the Risk Management Framework to Federal Information Systems) might be used;
- NIST SP Rev. 1, already addressed in Section 3.2.4, provides guidance on the execution of risk assessments, specifically on their preparation, execution and maintenance, as well as on the communication of their results;
- NIST SP Rev. 4 defines a process for selecting and tailoring security controls, to protect the assets from the risks identified in the risk assessment process. This standard also features extensive security and privacy control catalogues. The security controls catalogue features 240 security controls across 18 security control families, while the privacy controls catalogue features 26 privacy controls across 8 privacy control families. Each control provides additional information about its nature and how it can be enhanced with further sub-components, as well as guidance regarding its implementation and supporting references. Finally, priority and baseline allocation levels are specified, where the latter define the enhancements that should be implemented according to the priority of the control;
- NIST SP A Rev. 1 (Guide for Assessing the Security Controls in Federal Information Systems and Organisations) complements NIST SP Rev.4, by providing a straightforward, cost-effective and repeatable security control assessment process to validate the effectiveness of the implemented controls, and thus ensure they are addressing the threats and protecting the systems they were chosen for. As it is aligned with the controls defined in SP800-53, it features a control assessment procedure catalogue where, for each control, the minimum assessment objectives that should be validated are specified;
- NIST SP Rev. 2 (Computer Security Incident Handling Guide) is concerned with the response to computer security incidents. It provides guidance on the establishment and organisation of computer security incident response capabilities, as well as on the handling, coordination and information sharing regarding incidents.

German BSI IT-Grundschutz

The German BSI developed an information security management framework, named IT-Grundschutz (IT Baseline Protection, in English), with a structure and methodology quite different from the previously described frameworks. One of the main differences of this framework is that it does not require a full-fledged risk assessment, which is a basic pre-requisite of most existing frameworks and which the BSI considers to be significantly expensive and time-consuming. Instead, this framework uses a lightweight risk management approach, based on a catalogue (the IT-Grundschutz Catalogues [81]) of standard modules that represent each typical entity in an IT environment, on the definition of the typical threats these entities are vulnerable to, and on the adequate safeguards to mitigate those threats. The IT organisation is divided into five layers, according to Figure 22, and each standard module addresses some aspect of some of these five layers.

Figure 22 - IT-Grundschutz layers

The IT-Grundschutz methodology (BSI standard [82]) is composed of four steps:

- IT structure analysis: this step is concerned with gathering information about the information technology assets in the area under consideration, by documenting the applications, IT systems, IT rooms and corresponding dependencies. This information gathering step should be limited to the most important systems and components, to maintain the clarity of the obtained results;

- Assessment of protection requirements: the objective of this stage is to ascertain how much effort needs to go into protecting IT applications, IT systems, communications connections and rooms against impairment of confidentiality, integrity and availability, by considering the sensitivity and business criticality of the systems to protect. By establishing the protection requirements at an adequate level, and not trying to provide all guarantees to every system, the methodology aims at maintaining the lowest possible cost;
- Modelling: in this step, the IT structure and protection requirements are matched with the standard modules of the IT-Grundschutz catalogue, thus representing the convergence between the real environment to be protected and the standardised view supported by IT-Grundschutz;
- Basic security check: based on the results of the modelling stage, a basic security check is performed to assess, against the security safeguards to be implemented, which ones have already been implemented and which ones still need to be implemented.

One of the key aspects of the IT-Grundschutz methodology is its extensive catalogue. This catalogue features three main divisions: standard modules, threats, and safeguards. Each standard module addresses some entity in the IT environment. The standard module catalogue is organised according to the IT-Grundschutz layers depicted in Figure 22. For each standard module, a description of that module is provided, together with the definition of the threat scenarios that apply to it, a set of recommendations regarding its protection, and the set of safeguards that might be applied to it. The suggested safeguards are divided among the system lifecycle steps, namely Planning and Design, Purchasing, Implementation, Operation, Disposal, and Contingency Planning. The standard module catalogue features 79 standard modules spread across the 5 layers.
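The four methodology steps above, carried through on a small inventory, as an added worked example that is not part of the SECUR-ED document and is neither BSI's tool nor an excerpt of the IT-Grundschutz Catalogues. The asset names, the module and safeguard identifiers (M-APP, S-APP-1, ...) and the level at which each safeguard becomes expected are all constructed for illustration. The example also assumes something the section does not state: that a protection requirement propagates along dependencies by a maximum rule, so a server hosting a "high" application is treated as "high" even if assessed "normal" on its own.

```python
"""Toy IT-Grundschutz-style gap analysis (constructed example, not BSI's tool).

Mirrors the four methodology steps: (1) IT structure analysis, (2) assessment of
protection requirements, (3) modelling against standard modules, (4) basic security check.
"""
from dataclasses import dataclass, field

# Protection requirement categories, ordered from lowest to highest (ordering is ours).
LEVELS = {"normal": 0, "high": 1, "very high": 2}


@dataclass
class Asset:
    name: str
    kind: str                    # "application", "it_system" or "room"
    requirement: str             # requirement assessed for the asset on its own
    depends_on: list = field(default_factory=list)   # names of assets this one runs in/on


@dataclass
class Safeguard:
    sid: str                     # constructed identifier, not a real catalogue number
    title: str
    lifecycle: str               # Planning and Design, Implementation, Operation, ...
    from_level: str              # lowest requirement at which it is expected (assumption)


@dataclass
class Module:
    mid: str                     # constructed identifier
    kind: str                    # asset kind the module describes
    safeguards: list


# Step 1: IT structure analysis (constructed PTO-like inventory with dependencies).
ASSETS = [
    Asset("ticketing-app", "application", "high", depends_on=["app-server-1"]),
    Asset("timetable-web", "application", "normal", depends_on=["app-server-1"]),
    Asset("app-server-1", "it_system", "normal", depends_on=["server-room-A"]),
    Asset("server-room-A", "room", "normal"),
]

# Catalogue excerpt (constructed; the real catalogue has 79 modules and 1245 safeguards).
CATALOGUE = [
    Module("M-APP", "application", [
        Safeguard("S-APP-1", "Role-based access control", "Implementation", "normal"),
        Safeguard("S-APP-2", "Transport encryption for client traffic", "Operation", "high"),
    ]),
    Module("M-SRV", "it_system", [
        Safeguard("S-SRV-1", "Patch management process", "Operation", "normal"),
        Safeguard("S-SRV-2", "Host-based integrity monitoring", "Operation", "high"),
    ]),
    Module("M-ROOM", "room", [
        Safeguard("S-ROOM-1", "Physical access control to server room", "Operation", "normal"),
        Safeguard("S-ROOM-2", "Redundant power supply", "Planning and Design", "very high"),
    ]),
]


def effective_requirements(assets):
    """Step 2: each asset inherits the highest requirement of everything that
    depends on it (maximum rule, our assumption). Returns {asset name: level name}."""
    by_name = {a.name: a for a in assets}
    dependents = {a.name: [] for a in assets}
    for a in assets:
        for dep in a.depends_on:
            dependents[dep].append(a.name)
    memo = {}

    def eff(name):
        if name not in memo:
            level = LEVELS[by_name[name].requirement]
            for d in dependents[name]:
                level = max(level, eff(d))
            memo[name] = level
        return memo[name]

    names = {v: k for k, v in LEVELS.items()}
    return {a.name: names[eff(a.name)] for a in assets}


def model(assets, catalogue):
    """Step 3: map each asset to the catalogue modules describing its kind."""
    return {a.name: [m for m in catalogue if m.kind == a.kind] for a in assets}


def basic_security_check(assets, catalogue, implemented):
    """Step 4: safeguards expected at the asset's effective level but not recorded
    as implemented. `implemented` holds (asset name, safeguard id) pairs gathered
    in interviews. Returns sorted (asset name, safeguard id, title) gaps."""
    reqs = effective_requirements(assets)
    gaps = []
    for asset_name, modules in model(assets, catalogue).items():
        level = LEVELS[reqs[asset_name]]
        for m in modules:
            for s in m.safeguards:
                if LEVELS[s.from_level] <= level and (asset_name, s.sid) not in implemented:
                    gaps.append((asset_name, s.sid, s.title))
    return sorted(gaps)


# Constructed interview result: what the operator reports as already in place.
IMPLEMENTED = {
    ("ticketing-app", "S-APP-1"), ("timetable-web", "S-APP-1"),
    ("app-server-1", "S-SRV-1"), ("server-room-A", "S-ROOM-1"),
}

if __name__ == "__main__":
    for name, level in effective_requirements(ASSETS).items():
        print(f"{name:15} effective requirement: {level}")
    for asset, sid, title in basic_security_check(ASSETS, CATALOGUE, IMPLEMENTED):
        print(f"GAP {asset:15} {sid:9} {title}")
```

The point the run makes is the one the section attributes to the methodology: the server and the room are assessed "normal" on their own, but because the ticketing application depends on them they are checked at "high", so the two reported gaps (integrity monitoring on the server, transport encryption for the ticketing clients) appear without any full risk assessment, while the "very high" power redundancy safeguard is correctly not demanded.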
The threats described in the threat scenario catalogue are divided into 5 threat families: Basic Threats, Force Majeure, Organisational Shortcomings, Human Error, Technical Failure, and Deliberate Acts. For each of the 554 threat scenarios across these families, a brief description is presented, as well as a practical example of that threat. Finally, the safeguards described in the safeguard catalogue are divided into 6 safeguard categories: Infrastructure, Organisation, Personnel, Hardware and Software, Communication, and Contingency Planning. For each of the 1245 safeguards, the person in charge of the initiation and implementation of the safeguard is identified, together with the description of the safeguard and the relevant review questions to ensure its correct implementation.

The IT-Grundschutz methodology is supported by a tool specially designed for that purpose, which supports the definition, administration and update of the IT environment, and provides a reporting system to support a structured evaluation of the security management system implementation.

Additionally, BSI offers certification in accordance with ISO on the basis of IT-Grundschutz. This certification can be used to demonstrate that the essential requirements of ISO have been implemented in a set of IT assets by applying the IT-Grundschutz methodology and, if required, a supplementary risk analysis (BSI standard [83]). Moreover, the BSI offers two preliminary stages for this certification, which serve as a migration path towards actual certification, where the number of safeguards to be implemented differs across levels. Each safeguard included in an IT-Grundschutz module is assigned to one of these three levels, so it can easily be seen which concrete security recommendations from the IT-Grundschutz Catalogues have to be implemented.

Open Security Architecture (OSA)

The Open Security Architecture (OSA) is an open-source, community effort to provide a security framework for information technology services. OSA is similar in approach to the IT-Grundschutz described in the previous section, in the sense that it tries to provide an introduction to security management without requiring a high initial effort. However, instead of using standard modules to describe the systems existing in an IT environment, as happens in IT-Grundschutz, OSA is based on the description of common use-cases, called security patterns, which describe typical interaction scenarios in IT environments. The definition of a security pattern takes into consideration the systems that intervene in that use-case, as well as the actors [84] that play some part in it. The security controls to be implemented are defined relative to each of the actors of the security pattern, i.e. the controls necessary to ensure that each actor is protected from the threats he is subjected to in the security pattern.

In addition to the security pattern library [85], a security control library [86] is provided, aligned with NIST SP rev.2 (an outdated version of the NIST SP rev.4 described previously), which also establishes a mapping with the security controls provided in ISO 27002, COBIT 4.1 and PCI-DSS v.

Security Management, Governance and Business alignment

Management, governance and business alignment of information and cybersecurity is a task of great importance: not only should security address, with the highest priority, the risks that effectively pose a threat to the business, responding to the business needs, but it must also ensure that the security programme is implemented in a cost-effective and cost-sensitive way, and guarantee adequate planning for security investment. There are several business governance and management frameworks that address these questions, some examples of which are presented in the following subsections.

British BSI PAS 555

The British BSI developed PAS 555:2013 (Cyber Security Risk Governance and Management Specification) to address the governance of cybersecurity programmes. PAS 555 supplies a holistic framework for effective cybersecurity management which not only considers the technical aspects, but also the related physical, cultural and behavioural aspects of an organisation's approach to addressing cyber threats, including effective leadership and governance. The objective of PAS 555 is to provide tools to enable organisations to:

- Focus investment in the most appropriate way, minimising potential losses and improving operational effectiveness and efficiency;

- Develop organisational resilience by improving loss prevention and incident management;
- Identify and mitigate cybersecurity risk throughout the organisation.

This standard might be viewed as an extension of ISO 27014, providing a governance framework that not only considers information security risks, but also integrates with a wider spectrum of risk and organisational management frameworks like ISO 20000, ISO and ISO.

COBIT 5 for Information Security

The COBIT 5 (Control Objectives for Information and Related Technology, version 5) [49] framework is one of the most widely known IT management and governance frameworks. It addresses the alignment between business and IT by establishing a set of metrics and maturity models to measure their achievements, and by identifying and implementing controls and assigning responsibilities to business and IT process owners and actors. COBIT 5 for Information Security defines an extension to COBIT 5, with the objective of providing the same kind of framework for the management and control of security processes and activities as is provided for the overall business context, and of explaining each of the main framework components from a security perspective.

Sherwood Applied Business Security Architecture (SABSA)

The Sherwood Applied Business Security Architecture (SABSA) [87] defines an enterprise security architecture and service management framework, based on the principles of a widely known enterprise architecture framework, the Zachman Framework [88]. At a high level of abstraction, the Zachman Framework defines a view of an enterprise by creating a two-dimensional matrix where each cell is defined by the intersection of a communication question (What, Why, How, Who, Where and When) and a model perspective (Scope, Business, System, Technology, Tool and Operation). The Zachman Framework does not aim at providing a methodology to describe enterprise architectures, but rather an ontology to describe all the aspects of an organisation. In contrast to the Zachman Framework, the SABSA framework aims at providing a security architecture and a service management framework, with a matrix describing each of them, as well as a methodology and a set of processes to instantiate these frameworks. The SABSA framework can also be integrated with The Open Group Architecture Framework (TOGAF) [89], enabling organisations already using that framework to use both frameworks in conjunction and thus align critical business goals with IT security decisions.

ISF Standard of Good Practice for Information Security

The Standard of Good Practice for Information Security [90] results from an effort by the Information Security Forum (ISF) to deliver a guide on the information security arrangements that need to be made to keep the business risks associated with information systems within acceptable limits, presenting good practice in practical, clear statements. This standard is updated annually to introduce improvements in the good practices and topics provided, as well as to better align with additional industry standards. The ISF Standard of Good Practice for Information Security is aligned with the ISO family and with COBIT.

The topics covered in the standard, starting from the 2011 version of the standard, are organised according to two perspectives: a security assurance perspective, focusing on the activities that should be carried out at each step of the security assurance lifecycle, and an environment-specific perspective, which defines the relevant topics to be addressed for each environment. The security assurance perspective is divided into 4 categories: Security Governance, Security Requirements, Control Framework, and Security Monitoring and Improvement. Each of these categories is further divided into several areas, for a total of 118 topics. In its turn, the environment-specific perspective is divided into 5 categories: Security Management, Critical Business Applications, Computer Installations, Networks, Systems Development, and End-User Environment.

6 European regulation

One of the first steps towards the definition of a cybersecurity programme is to frame it in the context of the existing legislation. The applicable legislation might have a significant impact on the definition of the cybersecurity programme, by influencing the way in which some actions might be carried out, or by establishing requirements on how certain types of information might be handled. In the context of PTOs that impact is twofold, given that a PTO is considered a critical infrastructure by nature while, at the same time, handling personal and commercial information as a result of the commercial exploitation of the infrastructure.

This section highlights some of the key aspects found in European-level legislation that must be considered when implementing a cybersecurity programme. Each member state may have additional legislation that should be taken into consideration. For a more complete analysis of European legislation in the security and privacy realms, as well as its transposition in each of the SECUR-ED demonstration city member states, the reader may refer to D (State of the Art on Security and Privacy Policies - Legislation) [32], where a thorough analysis, as well as an assessment of the implications for the functioning of PTOs, is presented.

The European Union has long sought to harmonise and standardise procedures and practices across the Union by means of directives and regulations, while still preserving the sovereignty of each member state to decide how, and to what extent, to apply those directives. Both the security and privacy of electronic communications, and more specifically of critical infrastructures, have been targets of this standardisation strategy. While not providing an in-depth analysis of the existing legal instruments on these subjects, the major aspects that should be taken into consideration when implementing a cybersecurity programme are outlined below.

Personal information protection aspects

One of the first EU Directives in the domain of privacy and protection of personal data is Directive 95/46/EC [91]. Considering the fact that PTOs handle personal data, either as data controllers or processors, the safeguards specified in this and related Directives apply. Thus, according to what is stipulated, PTOs must ensure that:

- There are appropriate technical and organisational measures to protect (...) against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. The protection measures should ensure a level of security appropriate to the risks the protected information is subjected to, also considering the cost of implementing such measures (Art. 17(1));
- When personal data is not directly processed by the data controller, it must ensure the processor provides sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures (Art. 17(2)).

Additionally, and even though it is not legally required, payment cardholder information is further protected by compliance with the Payment Card Industry Data Security Standard (PCI DSS) v3.0 [92], which provides requirements and security assessment procedures enabling a more stringent protection of personal and private information related to payment operations.

Cyber-attack protection aspects

In addition to the protection of personal data and privacy alone, there are also concerns about the protection of the IT infrastructure as a whole against cyber-attacks. Directive 2008/114/EC [93], regarding the designation of European critical infrastructures and the assessment of security improvement, defines several requirements that critical infrastructure operators should implement and that apply to cybersecurity, even though they are not specifically directed at it. One such requirement is the definition of an operator security plan (OSP), which should identify the critical infrastructure assets of the ECI and which security solutions exist or are being implemented for their protection (Art. 5(1)). The operator security plan should include:

- An identification of the important assets of the infrastructure;
- A risk analysis considering the major threat scenarios involving these assets, their vulnerabilities, and the potential impact of their exploitation;
- The definition and prioritisation of the security measures to address the identified risks, with a distinction between the indispensable and permanent security measures to be employed at all times, and additional measures, to be implemented in accordance with the risk and threat levels.

Additionally, Directive 2008/114/EC [93] requires the appointment of a Security Liaison Officer, as the point of contact between the critical infrastructure operator and the relevant authorities of the member state (Art. 6(1)).

In 2008, the European Commission issued SEC(2008)2702, a Proposal for a Council decision on a Critical Infrastructure Warning Information Network (CIWIN) [94]. The CIWIN portal aims at assisting information exchange on shared threats, vulnerabilities and appropriate measures and strategies to mitigate risk in support of Critical Infrastructure Protection (CIP). The CIWIN portal has been up and running since mid-January 2013, but its usage is not mandatory.

More recently, in the Proposal for a Directive 2013/0027(COD) [95], with the respective amendments approved in the European Parliament Legislative Resolution A7-0103/2014 [96], the European Union seeks to define a set of measures to ensure a high common level of network and information security, with a special emphasis on critical infrastructure. It is proposed to require market operators (including PTOs) to:

- Notify the national competent authorities of incidents having a significant impact on the core services they provide (Art. 14(2)). The competent authority may inform the public, or require the PTO to do so, where it determines that disclosure of the incident is in the public interest (Art. 14(4));
- Take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations (Art. 14(1));
- Take measures to prevent and minimise the impact of incidents affecting their network and information systems on the core services they provide, and thus ensure the continuity of the services underpinned by those networks and information systems (Art. 14(1));
- Be able to provide the information needed to assess the security of their networks and information systems, including documented security policies (Art. 15(2a));
- Be subject to a security audit carried out by a qualified independent body or national authority, and make the results thereof available to the competent authority (Art. 15(2b)).

This proposal also encourages the use of European or international interoperable standards and/or specifications relevant to network and information security as a means to harmonise the implementation of organisational measures to manage risks (Art. 16(1)).

Table 4 summarises the current European-wide regulation that a PTO should consider when setting up a cybersecurity programme.

Table 4 - European security and privacy regulation requirements relevant for PTOs

Data protection
  Directives: Directive 95/46/EC [91]; Proposal for a Directive 2013/0027(COD) [95]
  Required measures: Access control; Secure storage; Secure communications

Policies
  Directives: Proposal for a Directive 2013/0027(COD) [95]
  Required measures: Security Policy; Continuity Planning

Planning Documentation and Risk management requirements
  Directives: Directive 2008/114/EC [93]; Proposal for a Directive 2013/0027(COD) [95]
  Required measures: Security programme documentation; Risk management process

Communication
  Directives: Proposal for a Directive 2013/0027(COD) [95]; Directive 2008/114/EC [93]
  Required measures: Management of mandatory disclosure of incident information; Liaison office with proper authorities

Auditability
  Directives: Proposal for a Directive 2013/0027(COD) [95]
  Required measures: Ability to provide information to external security auditors

7 Impact on PTO organisations

For many PTO organisations, cybersecurity requirements are not addressed in requests for proposals for new projects or legacy systems, even though urban public transportation will soon experience a major transformation, due essentially to new regulations at the European level and the massive use of Ethernet and IP based technologies (Industry 4.0, Intelligent Vehicle, Automatic Train Control systems, predictive maintenance systems, intelligent imaging systems). Both the lack of cybersecurity knowledge (competencies) and awareness, and cost reduction pressure, in particular for infrastructures, have prevented organisations from transforming themselves to cope with cybersecurity requirements, implementation and operations. The clear separation between the safety department, the security department and the IT department within a PTO has not facilitated an organisation-wide discussion about cybersecurity and the implementation of a holistic approach to it, even though resiliency has become a unifying concept.

Any current PTO organisation includes:

- Corporate functions such as HR, Finance and Legal departments;
- A railway/tramway safety department, in order to design (establish requirements), operate, maintain and monitor railway/tramway safety systems;
- A security department, in order to design (establish requirements), operate and maintain security systems (such as CCTV systems and incident management systems) as well as to deploy security forces in the field;
- A transport department, in order to operate and maintain metros, railways, tramways and buses (including infrastructure) as well as to collect fares;
- A transport engineering department, in order to establish requirements for metro stations, railways, tramways and buses (including infrastructure). Industrial systems are usually designed, built and maintained by integrators and product suppliers. Industrial systems can include safety systems;
- An IT department, in order to design (establish requirements), operate and maintain IT networks and Management Information Systems (including ticketing systems, HR management systems, financial management systems, customer relationship management systems, passenger information systems, etc.). IT security experts usually belong to this department;
- An Internal Control/Audit department;
- For large cities, some PTOs have developed a dedicated department in order to manage (operate and maintain) large metro stations.

Figure 23 - Model sample of a PTO organisation (figure: Internal Control/Audit Department, Large Metro station Department, Transport (Operations) Department, Safety Department, Transport Engineering Department, IT Department with IT Security Expertise, Security Department, HR Department, Finances Department)

Historically, cybersecurity started in the IT department. Information security standards and an information security policy were first developed and then implemented. Information security solutions were developed, and new, dedicated software and hardware equipment were added. Recent breaches (attacks on industrial PLCs (STUXNET in 2010 [97], Dragonfly in 2014 [98]) and the Haifa tunnel attack (CCTV) in 2013 [99]) have drawn attention and highlighted a lack of skilled resources to address the cybersecurity of industrial systems, security systems and safety systems. Other recent breaches, such as the Target breach [100], have shown that protecting customer data (in particular credit card data) has become very important and that enterprise risk management (at board level) should encompass cybersecurity risks.

A dramatic increase in information security breaches has also forced a few large PTO organisations to start investing in an information SOC (Security Operations Centre) for management information systems. A SOC encompasses 3 out of the 5 core functions of the NIST Framework for Improving Critical Infrastructure Cybersecurity [101], described in Section 9.1.1:

- Detect;
- Respond;
- Recover.

Nonetheless, information SOCs for industrial systems and other embedded systems are not yet mature. Even though cybersecurity specialists from the IT department can potentially help the security department, they lack the skills to help the railway/tramway safety department or the transport engineering department (industrial and energy automation systems). Recruiting cybersecurity specialists for the railway/tramway safety department and the transport engineering department, and training them to become familiar with industrial systems and railway/tramway safety systems, becomes a priority. From an organisational maturity level perspective (see the matrix below (Table 5) and [102]), this also means moving maturity from level 1 to level 2.

Table 5 - Organisational maturity levels

| Level | People |
|---|---|
| Level 1 - Performed | Success depends on individual heroics. Fire fighting is a way of life. Relationships between disciplines (security, safety, cybersecurity) are uncoordinated, perhaps even adversarial. |
| Level 2 - Managed | Success depends on individuals and management support. Commitments are understood and managed. People are trained (awareness). |
| Level 3 - Established | Groups or departments work together, sometimes as an integrated team with expertise from security, safety and cybersecurity. Training is planned and provided according to roles and skills. |
| Level 4 - Predictable | A strong sense of teamwork exists within each project which relates to security, safety and cybersecurity. |
| Level 5 - Optimizing | A strong sense of teamwork exists across the organisation. Everyone is involved in process improvement. |

Maturity level 3 will be achieved by fostering workshops between departments about cybersecurity, providing at the operational level a global overview of the risks managed (ISO 31000/ISO 27005) and preparing organisations to manage cybersecurity incidents. Maturity level 4 will be achieved when risk/incident management processes become predictable. Maturity level 5 will be achieved when continuous improvement of risk/incident management processes is put in place.

Figure 24 - Model sample of a PTO organisation with a cybersecurity maturity level 2 (figure: the same departments as in Figure 23, with Cyber Security Expertise shown in two places)

8 Future procurement and outsourcing

The procurement and outsourcing of new technological products and solutions are two key processes where cybersecurity should be taken into consideration, given the impact they may have on the future of the operational and security environment of PTO organisations, and also the opportunity they provide to influence the security of the overall architecture from the early stages of the lifecycle of new systems.

One of the facts that make procurement and outsourcing security-critical processes is the growing trend towards ever increasing integration between the IT systems used in PTO organisations. With this increasing integration, systems that were usually disconnected from the outside world are integrated with more external-facing systems, which increases their exposure, and eventually their vulnerability, to attacks. Additionally, the adoption and usage of vendor-operated cloud infrastructures to replace otherwise physical, PTO-owned IT infrastructures, which, even though not yet common in PTO organisations, is a recognised trend in general IT organisations, would require PTOs to establish more stringent security requirements on the vendors of such solutions.

8.1 Procurement recommendations and guidelines

To introduce security into new systems from the early design stages, and to enable its maintenance throughout the system's lifecycle, PTO organisations must establish security requirements in the procurement processes of new systems, ensure these requirements are fulfilled in the systems acquired, and manage the risks associated with the systems' supply chain.

The IEC standard draft (Security for Industrial Automation and Control Systems - Certification of IACS supplier security policies and practices, to appear), based on a set of best practices gathered by the International Instrument Users' Association (WIB), aims at establishing requirements that solution vendors should comply with when supplying control systems. These recommendations are divided into 135 process areas, covering most aspects of security engineering, and are grouped into four logical categories: Organisational, Systems Capability, Systems Acceptance Testing and Commissioning, and Maintenance and Support. For each of the process areas, a set of base practice objectives is provided, which define the base requirements and recommended enhancements to be fulfilled by suppliers. This guidance is provided in a procurement language format, which might be included in the purchaser's procurement documents.

The Department of Homeland Security (DHS) of the United States Federal government developed the Cyber Security Procurement Language for Control Systems [103], with a purpose similar to that of the IEC standard. However, in addition to providing guidance on the requirements that should be established in the system's procurement process, it also provides recommendations regarding the Factory Acceptance Tests (FAT), Site Acceptance Tests (SAT) and Maintenance Procedures that should be supported or carried out by the solution supplier, as well as on the dependencies between each topic. The topics provided are divided into 12 categories: System Hardening, Perimeter Protection, Account Management, Coding Practices, Flaw Remediation, Malware Detection and Protection, Host Name Resolutions, End Devices, Remote Access, Physical Security, Network Partitioning, and Wireless Technologies.

In addition to including security requirements in the procurement processes for new products and services, PTO organisations should also consider the risks associated with introducing additional links or dependencies in their supply chains. NIST SP Draft 2 (Supply Chain Risk Management Practices for Federal Information Systems and Organisations, Draft 2) addresses this issue by providing guidance on supply chain risk management, integrating it with the risk management framework provided in NIST SP, as well as by defining a set of security controls specifically tailored to deal with supply chain risks, built on the security controls described in NIST SP Rev.

IT Outsourcing and Cloud deployment

The opportunities offered by the adoption of cloud infrastructures bring along a set of security issues, which PTO organisations should be able to address if they ever consider exploring these opportunities. The reduction in control over the infrastructure, together with the enlargement of the IT environment boundaries, requires PTO organisations to implement additional safeguards to protect against the specific issues found in these environments.

The Cloud Security Alliance (CSA) provides two frameworks to deal with cloud security issues. The Cloud Control Matrix (CCM) [104] defines security controls to be implemented by cloud providers. The security controls are organised in 16 control domains, as depicted in Figure 25 below. For each security control, the architectural divisions (Physical, Network, Computing, Storage, Application, Data), the cloud service delivery model (IaaS, PaaS, SaaS) and the supplier relationship models (Service Provider, Customer) to which it applies are defined. A mapping is also defined between the controls provided and the security control frameworks of other standards, like ISO 27001, PCI DSS, COBIT, NERC CIP, NIST SP, etc.

Figure 25 - CCM control domains [104]

The Cloud Assessment Initiative Questionnaire (CAIQ) [105] is meant to be a companion to the CCM, and these documents should be used together. The question set is a simplified distillation of the issues, best practices, and control specifications from the CCM, intended to help organisations build the necessary assessment processes for engaging with cloud providers.

9 Implementation approach and first affordable measures

Whether we consider PTO organisations that already have well-established security practices, or PTO organisations which have not reached such a security development level, there is a set of security recommendations, in the form of security strategies, measures and controls, which might be considered absolutely essential to adequately increase the security of the PTO's cyber environment. The implementation of those recommendations should take into consideration the size and nature of the PTO organisation, to better suit them to the specific environment. Even though a set of security recommendations might be proposed out of the box, PTO organisations should consider their adoption in the context of an information security management system (ISMS), both to support their continuous improvement and to ensure that risks not directly addressed by any of the proposed recommendations are adequately treated.

Building on the knowledge from the standards, best practices and recommendations addressed in the previous chapters, the following sections provide an ISMS implementation approach, essential first affordable measures, guidance on the protection of legacy infrastructures and systems, and additional measures that might be relevant to increase the protection against more sophisticated attacks.

9.1 ISMS implementation

The implementation of an ISMS aims at providing a structured approach towards the security not only of the IT environment, but also of the organisation as a whole. Its first and foremost objective is, thus, to increase the level of security of the target organisation, and to do so in a continuous fashion, while considering the dynamic nature of information systems, both in terms of deployed systems and in terms of existing vulnerabilities and weaknesses that need to be consistently addressed.

ISMSs are risk-centric, in the sense that their operation is focused on the identification, characterisation and treatment of information security risks specific to the environment the ISMS is being used in. Additionally, an ISMS should work towards an organisational culture that promotes security, through adequate managerial commitment and support, constant awareness of the impact each user's actions have on the security of the overall organisation, and the adoption of self-protection measures to reduce the likelihood of being attacked.

In Sections 5.1.3, and 5.3 several standards aimed at defining an ISMS for several domains were described, of which NERC CIP, IEC 62443, ISO 27001 and NIST SP are examples. Rather than addressing any of these specific standards in this section, we provide an overview of the general information security functions and information security management process stages that are the basis for most of them, leaving the choice of which ISMS implementation to use open for each PTO organisation.

9.1.1 ISMS functions

An ISMS is designed to offer support to a set of security functions [101], which are depicted in Figure 26 below.

Figure 26 - Cybersecurity functions [101] (figure: the five cyber security functions Identify, Protect, Detect, Respond and Recover)

- Identify: The identification function is concerned with understanding the cyber organisation, both in terms of assets, protection requirements, and the security policy, processes and controls in practice, as well as maintaining that information in a structured, consistent and easily accessible way;
- Protect: This function is responsible for the development, implementation and maintenance of the relevant safeguards to limit and contain the occurrence of cyberattacks;
- Detect: Complementary to the protect function, the detection function has the objective of providing facilities and safeguards to detect, identify and provide details regarding the occurrence of a cybersecurity event;
- Respond: The response function is responsible for providing capabilities to react to detected cybersecurity events, and thus prevent their escalation into more serious consequences. It is connected with the Protection and Detection functions, in the sense that its action may consist in adapting or augmenting these functions;
- Recover: Finally, the recovery function provides the capacity to recover from cyber events or attacks that could not be prevented, restoring the affected systems/processes to a normal functioning state.

ISMS process

An ISMS should be understood as a continuous process, based on a constant analysis of the risks being faced by the organisation, and the planning, implementation and validation of the corrective actions to avoid, mitigate or transfer those risks. The typical information security management process features 4 process stages, as depicted in Figure 27. These process stages are described next.

Plan / Programme establishment

The planning stage has the objective of defining the ISMS to be implemented. The first step is usually to scope and define the boundaries of the programme, including the assets and technologies to be protected, and the protection needs of each system. The boundary definition should take into consideration applicable national and international legislation, as well as regulatory obligations that must be respected.

Figure 27 - Plan-do-check-act (PDCA) cycle (figure: the cycle Plan, Do, Check, Act)

Based on the definition of scope and boundaries, a security policy document is produced, defining the strategic direction and principles of action of the ISMS, as well as its alignment with the risk management strategy of the organisation, including the criteria used to evaluate the risks. Finally, in alignment and consonance with the risk management strategy of the organisation, the risks are assessed, analysed and evaluated, to select the suitable set of security controls to be applied to mitigate them.

Do / Programme implementation and operation

The implementation and operation stage is concerned with putting into practice the security controls selected during the risk assessment process, with respect to the organisational risk mitigation strategies and the protection levels required in each particular situation. To enable the assessment of the effectiveness of the implemented controls, the measures to be collected should also be defined, as well as how these measures should later be used to determine the effectiveness of each security control. In addition to the implementation of the security controls, the already existing controls should be operated and maintained, to maintain the level of protection already provided. The implementation of new controls, as well as the adaptation of the existing ones, should lead to the needed updates of the processes in place to detect and respond to security events.

Moreover, it should be ensured that an adequate level of training and awareness is being provided at all organisational layers, according to the roles and responsibilities of managers, employees and additional parties.

Check / Programme assessment and validation

The objective of the check stage is to assess the effectiveness and performance of the security controls in place, considering the previously defined parameters, and in light of the security events detected throughout the organisation or the results of security testing exercises. The effectiveness assessment should ensure that the security objectives are being accomplished and that these results are aligned with the strategy and security policy defined. Similarly, the risk assessment should be periodically validated, taking into consideration changes in the organisational structure, existing threats, new technologies and systems deployed, additional regulatory and legal requirements, etc. Finally, it should consider adaptations of the security objectives, policy and strategy as a consequence of the security events that occurred, both those that had no impact and those that had some kind of impact.

Act / Programme correction and improvement

Finally, the act stage should, based on the input obtained from the previous stage, proceed to implement the needed adaptations of the ISMS, with the objective of mitigating any identified situation. It should also ensure that lessons learnt from the current cycle are reused in the following cycles, and that the adaptations made are communicated to the relevant parties and the detection and prevention processes adapted accordingly.

Preliminary PTO ISMS implementation approach

Taking into consideration the ISMS functions and process stages that must be implemented to operationalise an ISMS, and also the industry standards, best practices and recommendations presented in Chapter 5, it is possible to define a preliminary approach to the implementation of such a programme. The implementation approach, depicted in Figure 28, defines the absolutely essential steps that must be included in each of the ISMS process stages, taking into consideration the specificities and special needs of PTOs. This should thus be used as a discussion starting point, towards the implementation of an ISMS that perfectly suits the environment and operational constraints of each particular PTO.

Figure 28 - PTO's ISMS preliminary implementation approach

9.1 Essential Security measures

The selection of the most adequate security measures to be implemented in each PTO organisation is only possible through the implementation of an ISMS, as described in the previous section, or, at least, through the realisation of a risk assessment (or some approximation to it). However, there are some well-known rules, recommendations and security controls deemed essential, which, even though they might not provide the best possible options for each target organisation, provide a significant protection level against the most common attacks at an affordable cost.

Essential rules and recommendations

The United Kingdom's CPNI, jointly with the Government Communications Headquarters agency (GCHQ) and the Department for Business, Innovation and Skills (BIS), presented the 10 essential steps towards cybersecurity [106]. These steps were defined as those essential to mitigate a significant percentage of attacks. For each essential step, additional guidance is provided regarding the risk it addresses as well as which tools might be used to address each risk. This guide is more suitable to be used by a PTO with a low security development level, given the simplicity and introductory nature of the proposed measures.


More information


FORUM ON TAX ADMINISTRATION: SME COMPLIANCE SUB-GROUP. Information note FORUM ON TAX ADMINISTRATION: SME COMPLIANCE SUB-GROUP Information note Right from the Start: Influencing the Compliance Environment for Small and Medium Enterprises January 2012 TABLE OF CONTENTS FOREWORD...

More information

Good Practice Guide for Incident Management

Good Practice Guide for Incident Management Good Practice Guide for Incident Management TABLE OF CONTENTS Table of Contents 1 Management Summary 4 2 Legal Notice 5 3 Acknowledgements 6 4 Introduction 8 4.1 Background 8 4.2 What this guide is about

More information

The Industrial Internet@Work. Marco Annunziata & Peter C. Evans

The Industrial Internet@Work. Marco Annunziata & Peter C. Evans The Industrial Internet@Work Marco Annunziata & Peter C. Evans Table of Contents Executive Summary The Industrial Internet Towards No Unplanned Downtime 3 Introduction A New Information and Collaboration

More information

Guidelines on the Application of the Supervisory Review Process under Pillar 2 (CP03 revised)

Guidelines on the Application of the Supervisory Review Process under Pillar 2 (CP03 revised) 25 January 2006 Guidelines on the Application of the Supervisory Review Process under Pillar 2 (CP03 revised) Table of contents Executive Summary...2 Chapter 1: Introduction...4 Chapter 2. Guidance for

More information