Rail Industry Codes of Practice for Cyber Security

Ravinn were engaged by the Rail Industry Safety and Standards Board (RISSB) to develop a Cyber Security Code of Practice for Australian Rail, a key part of the Australian rail industry framework for cyber security and building on the AS7770 Rail Cyber Security Standard published in 2018.

The intent of this Code of Practice was to provide useful and relevant practices for implementing cyber security in rolling stock and train control systems. Particular challenges facing the rail industry include:

  • increased connectivity within both rolling stock and train control systems
  • a high degree of integration between IT and OT
  • distributed architecture
  • long lifecycles of equipment and certification processes. Once a component of the system is certified, it might be obsolete from a cyber security perspective considering the rapidly evolving threat landscape
  • diversity of supply chain and technology
  • interoperability across the diverse RTOs and RIMs operating in Australia
  • rail as an industry is typically very safety orientated, and integrating cyber security with safety is difficult

The Code of Practice was developed by bringing together subject matter experts in cyber security, rolling stock and train control systems from across the Australian and New Zealand rail industry. As project lead, Ravinn led a number of workshops to develop each stage, bringing together the shared expertise to build the Code of Practice to a stage where it was ready to go out for public consultation. Following feedback and input from across the global rail and cyber security industry, the finishing touches were put together and endorsed by the development group, ready for publication.

Ravinn were delighted to play a role in this key aspect of the Australian rail industry’s proactive approach to cyber security and play a part in defending critical infrastructure from cyber threats.