Digitalization can contribute to making rail transport safer, more efficient and more convenient for both passengers and freight, but it also exposes rail systems to cybersecurity risks. (…) Indeed, one must be aware that cyber threats are as versatile and dynamic as the digital world and its applications.
UNIFE (The European Rail Industry) on the impact of digitalization on rail transport, as an example
Securing mobility for the future
So what are we at Siemens Mobility doing to protect our modern, connected transportation systems?
Our customers are the owners and operators of infrastructures that are regarded as critical to our communities: traffic systems, rail networks, entire intermodal travel ecosystems. They face new threats, new laws and new requirements in cybersecurity, making it time to act and respond in a structured way.
As a leader in the digitalization of public transport, Siemens Mobility is your trusted partner when it comes to cybersecurity, with trained staff, secure products and solutions, as well as certified security processes across the product lifecycle.
The result: a world in which operators and passengers alike experience and benefit from secure modern technologies.
The global trends driving cybersecurity
Teaming up for security
In February 2018, Siemens teamed up with the Munich Security Conference and other global partners to present the Charter of Trust. The initiative defined 10 principles fundamental to a secure digital world. This is how Siemens Mobility approaches these principles.
The 10 principles
We believe cybersecurity is everyone’s task – that is why we have established clear measures and targets as well as the right mindset throughout our organization. Within Siemens Mobility, we have set up an efficient cybersecurity management system which – like a quality management system – covers responsibilities, procedures, activities, tools and other content in milestones.
Building on our achievements in “Security by Design”, we are now gradually shifting our focus to “Security by Default” – the next level of security for products, solutions and services. With this paradigm shift in security, we can progress further on minimizing the attack surface and increasing the protection of our customers’ assets.
Our customers are at the center of all we do – and we know that they have to frequently work with national cybersecurity agencies as well as cyber response teams. That is why we support our customers with expertise in securely designing, constructing and operating mobility systems that meet the requirements of all stakeholders.
Adapting cybersecurity to meet new threats requires constant innovation and co-creation. We have initiated co-creation measures within the industry to align risk assessment processes, define security zones and conduits for generic signaling architecture, and develop reference protection profiles for mobility systems and sub-systems.
Siemens Mobility is driving awareness and education of cybersecurity both internally and externally. Regular cybersecurity awareness training is mandatory for every Siemens Mobility employee. Specific target groups receive additional job-related product and solution security training.
For our customers and suppliers, Siemens Mobility offers domain-specific security training on four levels ranging from awareness and base skills to special skills and role-specific learning.
Mature and managed processes provide the foundation you need for reliable results when it comes to cyber risk management – and certification plays a key role in the management of these processes. Siemens Mobility is thus advancing the organization towards third-party certification of development and integration projects along holistic security standards as well as cyber certification of IT/OT systems.
When cyber-attacks occur, an immediate and coordinated response is required from the industry.
Siemens does its part in this by being an active partner of a group of computer emergency response team (CERT) organizations called FIRST. We also partner with several universities, research institutes and Information Sharing and Analysis Centers (ISACs) to improve transparency and response in the mobility sector.
Siemens also has a dedicated team of security experts that manages the receipt, investigation, internal coordination, and public reporting of security issues related to Siemens products, solutions, or services. Called ProductCERT, the team is the primary contact for security researchers and offers security advisories for standard products. Solution-specific vulnerability advisories are also offered on a contractual basis.
Industry regulation and standardization are only successful if they are based on multilateral cooperation. Siemens Mobility supports the use of international industrial security standards in the railway domain and is supporting the CEN/CENELEC Working Group 26 on its way to a Technical Standard TS50701 (Cybersecurity in the Railway System).
The Charter of Trust is an important nucleus for further joint initiatives to promptly implement the above 10 principles. Siemens Mobility supports the UNIFE Cybersecurity Working Group, which serves as a platform for members to discuss and identify opportunities for cooperation on cybersecurity issues in the European rail sector.
A strong alliance
We take our responsibility for cybersecurity well beyond the boundaries of our own organization, because approaches to cyber threats do not end there. To make the digital world more secure, we have joined forces with leading companies from around the globe to form the Charter of Trust. This cooperation is already showing the first signs of success and has ambitious goals for the future. Stay updated on this global cybersecurity initiative by following our activities here.