5th Annual Rail Cybersecurity Summit

Date


GMT
 

Location

Online Event


Schedule


Tuesday, February 18, 2020

- GMT
Keynote Panel: A look at Cyber Maturity in the Rail Sector
Darren Handley
Department for Transport, Policy Lead - Connected & Autonomous Vehicles
Darren Hepburn
Network Rail Telecoms, Chief Information Security Officer (CISO)
Craig Dunn
Hiscox, Head of Cyber Services
Eddy Thesee
Alstom, Vice President Cybersecurity
Simon Moorehead
Rail Delivery Group, Chief Information Officer
  • Which are the main maturity categories for cyber security in the rail sector? 
  • What is the current level of cyber security maturity in the different categories?
  • Which main improvements have been made in recent years?
  • What are the most needed actions to improve cyber security maturity in the near future?  
- GMT
Innovation, Standardisation and Cybersecurity by Design for Digital Railways - Overview from the European Commission
Carlos De-Grandis
European Commission - DG MOVE Rail Safety and Interoperability, Policy Officer, Rail Digitalisation

  • Digitalised railways are evolving towards connected and automated mobile assets linked to the infrastructure via radio communication systems
  • All transport modes are becoming connected systems (V2V & V2I): cybersecurity is critical across all transport modes and has strong direct implications for safety-critical applications
  • Strong EU governance is in place for cybersecurity at horizontal level (ENISA + DG CNECT) and sectoral level (MOVE + ERA)
  • Three main initiatives:
      o Rail ISAC (Information Sharing and Analysis Centre), led by railways (operators plus infrastructure managers)
      o Standardisation within CENELEC (industry-led)
      o Joint coordinated effort within the Shift2Rail Joint Undertaking to mainstream cybersecurity (by design) in the most critical rail systems

- GMT
Securing the Future of Rail – A Cyber Perspective
Darren Handley
Department for Transport, Policy Lead - Connected & Autonomous Vehicles

Dr Handley will talk about the government perspective on the need to ensure that current and future developments in the rail industry are secure by design and how this fits in with the current regulatory framework in the UK.

- GMT
An Approach to Security Management Systems in a Devolved Rail Environment
Darren Hepburn
Network Rail Telecoms, Chief Information Security Officer (CISO)

What the board want to know
  • Challenges around application of security
      o Accountabilities and responsibilities that sit across organisations
      o Regulations
      o Risk and Reporting
  • Approach to security management systems for railways
      o Governance
      o Security Risk Assessment & Assurance
      o Security Operations
      o Supply Chain, Culture and Competence

- GMT
Engaging the Supply Chain in Risk Management for Digital trains
Eddie Ekwo
Arriva UK Trains, Head of Technical Information Security, Group Information Security
  • How the sector is and should be managing the risks in the transition from legacy to digitised systems
  • Contingency planning 
  • Risk assessment and the evaluation of the integrity of assets
  • Industry buy-in and collaboration
- GMT
Ensuring Security in the Newly Interconnected Digital Arena
David Butler
Airbus, CNI Cyber lead UK
Sash Rigby
Modux, Technical director

Ensuring security, and even understanding the cyber risk, in the increasingly interconnected digital world is complex. A staged approach should be adopted, starting by understanding the overarching system from the people, process and technology angles. Essential to the technology stage is the ability to model information flows, and hence risk flows, in a dynamic, ever-changing system. This then enables credible attack paths to be identified and targeted penetration testing to be conducted. For this presentation, Airbus and its penetration testing provider, Modux, will provide an overview of the similarities between the aerospace and train industries in the UK before diving down into the emerging tools and techniques that can be adopted to identify and articulate cyber risk on new digital trains so that it can be addressed.

- GMT
Achieving IEC 62443-3-3 Security Level 3 for Rail Automation Systems
Markus Alexander Wischy Hernandez
Siemens Mobility, Head of R&D IT Security

The talk will focus on the strategy for achieving IEC 62443-3-3 Security Level 3 compliance for a country-wide, fully digitalized rail automation system. Topics are the current status of standardization, the required central security services and the outlook for the protocols required to achieve interoperability. Additionally, the application of this strategy in a large rail-automation infrastructure project is presented.

This topic would bring together various points:

  • Technical security systems and communication protocols
  • Standardization, also addressing the work currently being done within the Shift2Rail IT-Sec Working Group and the overall move of the sector to IEC 62443 compliance


- GMT
Cyber Challenge: An Infrastructure Managers Perspective
Vish Kalpura
Network Rail, Principal Engineer

  • Defining the “modern” Control Command and Signalling (CCS) System?
  • A case study: Commissioning of a digital traffic management system
  • Are the risks understood by the users?
  • Emerging Threats – Who (or what...) can disrupt our modern systems? What is the worst that can happen?
  • How is Network Rail addressing the technical integration challenges?
  • How worried should we be as an industry?
  • Challenges of the weakest link in a System of Systems approach

- GMT
Faster than Rail: Signaling Cybersecurity is Emerging
Amir Levintal
Cylus, CEO and Co Founder
  • Emerging cybersecurity risks for rail signaling and control systems
  • The challenge in protecting rail operations from cybersecurity attacks 
  • Attack surface
  • Use cases for signaling systems attacks
  • Approaches to address signaling cybersecurity


- GMT
A Safety and Systems Engineering Approach to Cyber Security

Railway engineers have been managing the system risk associated with electronic signalling, command and control systems for half a century. Through systems engineering the safety, integrity and availability of modern digital systems is better than ever before, but how do operators deal with emerging cyber security threats?

At Atkins, we use our extensive systems engineering and railway infrastructure knowledge to manage cyber security risk using the same tools and techniques. Matt Simpson, Atkins Director of Cyber Resilience, will talk through the safety and systems engineering approach to cyber security, how to upskill railway engineers to enable them to effectively identify and manage cyber security risk, and what it takes to transform your business into a cyber resilient organisation.

- GMT
Panel Session: NIS and GDPR: The Journey for the Digital Rail Sector
Mike Hewitt
Linbrooke Services, Head of Optical Networks and Innovation
Mohammed Zumla
Ofgem, Special Advisor – NIS Competent Authority
David Tapia Santamaría
CAF, Cybersecurity Engineer, Technology Division, R&D Department
Craig Dunn
Hiscox, Head of Cyber Services
  • NIS is ramping up across Europe. How is this helping or hindering organisations? Are positive impacts regional only at present?
  • How are organisations in the rail sector managing GDPR?
  • What lessons have we learned?
  • Setting out objectives - How can they be achieved?
  • What are our interpretations and what concrete examples of implementation are we seeing?
  • How can we define "Readiness" for our organisation when we operate across the EU and each member state has its own interpretation of compliance?
  • How will this impact my business?


 

- GMT
Panel: Information Sharing. Developing Trust and Sharing Threat Intelligence
Olivier De Visscher
European Railway Information Sharing and Analysis Center Chairman, Cybersecurity Critical infrastructure advisor
Jan Hohenauer
SBB AG, Deputy Chief Information Security Officer
Mike Hewitt
Linbrooke Services, Head of Optical Networks and Innovation
  • What are the challenges we face in obtaining and sharing intelligence and actionable information?
  • Are we sharing information beyond threat intelligence such as NIS directive best practices?
  • How is the rail sector currently sharing information?
  • What type of intelligence will enable us to make better decisions? (OT Security threat landscape sharing)
  • How much should we rely on central government?
  • How can we become more effective at accessing actionable intelligence from within the organisation and beyond?

Wednesday, February 19, 2020

- GMT
CENELEC TC 9X/WG 26 - Cybersecurity standard for EU Railways
Eddy Thesee
Alstom, Vice President Cybersecurity
  • Why a Cybersecurity standard in railways?
  • Scope of the Technical specification
  • Relation between Cybersecurity and safety
  • Status of the work
  • Conclusions
- GMT
How to implement Cyber Security in large Railway Projects (Case Study)
Jan Hohenauer
SBB AG, Deputy Chief Information Security Officer

SBB’s approach to integrating Cyber Security into large-scale railway projects such as the Gotthard Base Tunnel: what we learned and how we established Cyber Security during the construction project and beyond.

  • Digitalization challenges in an integrated railway system
  • Technical and Cultural Challenges of Operational Technology in projects
  • Pragmatic approaches to implement and preserve Cyber Security in an industrial environment

 

- GMT
Cyber Security as a Business Risk
Ian Maxwell
Office of Rail and Road, Head of Train Control Systems

  • Modern Computer Based Systems
      o What are the benefits
      o What risks/hazards do they introduce
  • The Three scourges of software management; cyber security; obsolescence
  • How big are the risks compared to “traditional” risks
  • Managing cyber risk – the three building blocks
      o Design; operation; disaster planning
  • Who is responsible when the system is shared by duty holders

- GMT
GB Mainline Rail Rolling Stock - Cyber Security Requirements & Assurance
Robert Orr
Context Information Security, Cyber Security Principal Consultant

- An awareness of the range of regulatory requirements and rail standards for cyber security

- Managing Cyber Security risks for rail rolling stock

- Embedding (cyber) Security by design

- Developing an effective assurance programme (Validation and Verification Plan)

- Developing a Security Assurance Case including claims, arguments and evidence

- Evaluating the effectiveness of Security outputs and outcomes (incl. independent qualified Security testing)

- GMT
Cyber Security in Rail Operational Technology
Manpreet Mann
Bombardier Transportation Thailand Ltd, Product Director Networks and Cyber Security

Currently there is a lot of confusion around how to secure the OT for rail systems. What does it mean to be compliant with IEC 62443 vs ISO 2700x vs other standards? How should we go about ensuring true security for rail OT? It is all about how the infrastructure is created and what the system under consideration is. There is no one standard that can answer this question, and we must use multiple methods to determine vulnerabilities and ultimately the risk we carry day to day in our operations. In addition, the system has a design life of 30 years, so how do we operate and maintain it while maintaining security? Also, what external factors further shape the direction we must take? There are a lot of questions with multiple answers, none of which is entirely right or wrong, as it depends on the deployment and interaction of the rail systems. Some topics should be kept simple and some need to be complex. In this discussion we will take a point of view on a complete rail OT system and how to first detect its vulnerabilities and risk. Then we discuss how to operate and maintain it for the next 30 years and keep it secure.

 

- GMT
Cyber Security and Beyond. . . An Infrastructure Manager’s Perspective
Monish Sengupta
East West Railway, Head of Engineering
Douglas Young
East West Railway, Head of Asset Management & Information

Traditionally a railway performed as a loosely coupled system of systems. Increasing digitisation offers many benefits by bringing these systems into more tightly coupled, or even integrated, systems. However, the benefits do not come without risk. As future Infrastructure Managers, we will present our candid perspective on security on the modern railway.

- GMT
Cybersecurity and Safety on the Digital Railway – A Perfect Storm?
Nigel Stanley
TÜV Rheinland, Chief Technology Officer, Operational Technology, and Industrial Cybersecurity CoE
  • As we move to an increasingly digitised railway what are the safety implications?
  • How can safety be impacted by cybersecurity?
  • IT vs. OT in the railway industry – achieving a safe and secure balance
  • Building relationships between safety and cybersecurity engineers
- GMT
Code of Practice for Consumer IoT Security - 13 outcome-focused guidelines that can be applied to (almost) any sector
Jasper Pandza
Department for Digital, Culture, Media and Sport, Secure by Design, Cyber Security for the Internet of Things
  • The Code of Practice for Consumer IoT Security contains 13 outcome-based principles that can be applied to any sector. We are focussing on the top 3 most important / impactful to securing IoT and are currently looking at options to regulate these. In addition, we have transposed the 13 principles in the Code of Practice into global standards on IoT security. The top 3 principles are:

  • 1) No default passwords
  • 2) Implement a vulnerability disclosure policy
  • 3) Keep software updated
- GMT
Panel: Security by Design
David Tapia Santamaría
CAF, Cybersecurity Engineer, Technology Division, R&D Department
Jan Hohenauer
SBB AG, Deputy Chief Information Security Officer
Eddie Ekwo
Arriva UK Trains, Head of Technical Information Security, Group Information Security
  • How can we adopt a secure by design approach (what guidance can the sector rely upon?) given the challenges of new technology being introduced?
  • Not all railway systems are able to comply with cybersecurity standards, and that has an impact on rolling stock manufacturers. How are they addressing this challenge?
  • Are companies paying sufficient attention to securing their products, or to the variety and scale of cyber attacks?
  • Should security by design be regulated or would that deter innovation and investment?
  • Are we presently building new assets with security as a priority? 
  • Are we ensuring security first before usability? 
  • What is an acceptable level of security? Are new security features capable of evolving faster than the pace of new threats? Is that realistic?
  • How are we effectively testing products prior to sale?
- GMT
Panel: Supply Chain Cyber Security and 3rd Party Risk for the Rail Sector
Eddy Thesee
Alstom, Vice President Cybersecurity
Robert Orr
Context Information Security, Cyber Security Principal Consultant
  • What resources are required for us to maintain a clear picture of our supply chain?
  • Do we know the value of the information and assets our suppliers hold?
  • Do we have an understanding of who our suppliers are and how do we establish confidence in their cybersecurity maturity levels?
  • Are we getting any better at communicating our security needs?
  • Are we training procurement and clearly identifying specifications in our RFPs?
- GMT
Panel: Asset Inventory. Do you know what is on your network? Have we clearly defined asset registries?
Markus Alexander Wischy Hernandez
Siemens Mobility, Head of R&D IT Security
Douglas Young
East West Railway, Head of Asset Management & Information
  • How effectively are we tracking our assets?
  • Are our asset lists matching what is in the field? (Are we getting any better at identifying cyber assets associated with a critical asset?)
  • Are we appropriately educating technicians who are making changes to the system? Do they take into account the impact on cybersecurity and operations?
  • What can we do with an asset inventory?