Cybersecurity in railway - alternatives of independent assessors’ involvement in cybersecurity assurance

Cybersecurity and related security management become important issues in railway projects and operations when implementing new digitalised technology. The railway industry is facing an increasing degree of digitalisation like else in society. CENELEC issued the CLC/TS 50701 in 2021 that may become the most important basis for the railway actors to manage railway cybersecurity in context of the RAMS lifecycle processes. By connecting cybersecurity to the railway application lifecycles, CLC/TS 50701 supports the identification of system requirements related to cybersecurity, and preparation of the associated documentation for security assurance and system acceptance. Like the role of an independent safety assessor acting in the safety domain of railway, the authors believe in, and suggest an independent cybersecurity assessor to be involved in system assurance and acceptance with regards to cybersecurity. This paper presents alternatives to such involvement of an assessor and discusses the possible advantages and disadvantages of alternatives based on a set of parameters and criteria. Recommendations with respect to involvement are fully based on qualitative evaluations of the mentioned criteria. Preliminary results are derived from discussions among SINTEF researchers, as well as discussions with actors from the railway industry. The alternatives have been balanced and validated against findings in the literature, that also covered approaches seen in other industrial domains.