Join Christoffer Neesen, Senior Manager of OT Security at Deutsche Bahn, as he delves into the critical issue of managing the intersection of rail operations and cybersecurity in the age of digitalization. Neesen highlights the importance of organizational change when implementing effective cybersecurity practices within the railway industry and emphasizes the need for a holistic approach.
About our guest:
Christoffer Neesen is the Senior Manager of OT Security at Deutsche Bahn. With over three years of experience in this role, Christoffer is responsible for leading Deutsche Bahn's operational technology (OT) security program. Based in Berlin, Germany, he brings a wealth of knowledge and expertise in operational rail technologies and cybersecurity. Christoffer's professional journey includes holding various information security and product roles with TÜV Rheinland InterTraffic GmbH and Bombardier Transportation.
Roark Pollock: Hi, I'm Roark Pollock. And this is the first season of the Secure Tracks podcast, where we host rail industry leaders to talk about operational rail technologies and cybersecurity. In this episode, we're hosting a guest from one of the biggest rail operators in Europe. We'll discuss some of the challenges associated with operational rail tech cybersecurity. Today's conversation should be exciting. We have Christoffer Neesen from Deutsche Bahn. But one disclaimer here, Christoffer's views and opinions in this podcast are his own and do not represent the views and opinions of Deutsche Bahn. Christoffer is the Senior Manager of OT Security at Deutsche Bahn and based in Berlin, Germany. Christoffer has been in the cybersecurity role for Deutsche Bahn for the last three years and is leading the company's OT security program. Before Deutsche Bahn, Christoffer held a variety of information security and product roles with TÜV Rheinland InterTraffic GmbH and Bombardier Transportation. Further, Christoffer has degrees in industrial engineering business and a master's degree in information security from the University of London. Christoffer, welcome to the show. And thank you for joining us today.
Christoffer Neesen: Thank you.
Roark: All right. Well, welcome to the show, Christoffer. One of the things I usually like to do is ask people how they got into cybersecurity, because a lot of us came into the industry in roundabout ways. You are perhaps one of the very few guests that we've had, or that we've talked to, who actually has a formal education in information security. So maybe, instead of trying to explain information security, which is pretty obvious at this point, I'd like to talk a little bit about how you got into the rail industry, and cybersecurity specifically in the rail industry.
Christoffer: Yeah, sure. Well, that was quite a funny story. My first job was in the consulting area for supply chain management. And after a year, I decided it was not the way I wanted to go. So I was looking for a job and found one for a trainee program with Bombardier back then, for supply chain management, for procurement. So I went there, I went through the application. And then they told me, "I'm sorry, the job is gone. Well, we have a different one in project management." So I went with the one in project management and started my rail career at Bombardier.
Roark: Yep. Yeah. Okay, excellent. That was pretty easy, then. You didn't take nearly as long to figure out what you wanted to do. Yeah.
Christoffer: Life as it happens.
Roark: Yeah. That's exactly how it happens. Yeah. Taking a roundabout way. So let's jump into our first topic of conversation. I thought what we could talk about is the different challenges that you see in securing operational rail tech environments. And we all know that these rail operations are being digitized at a fast pace, interconnected with other corporate network systems. And, you know, basically the buzzword, I think, especially that marketing people like to talk about, is IT-OT convergence. But from your perspective, in the trenches, what's the reality? And can you give us some examples that, you know, show or demonstrate how some of the rail operational systems are actually being interconnected?
Christoffer: Yeah, we see that this topic, convergence, is happening very quickly and strongly. I mean, you know, systems used to be isolated. So OT would run in island mode, I would say, and now you see they're getting more intelligent. So, if we look at machinery, we are looking at topics like predictive maintenance, condition-based maintenance. So you're making connectivity to machines that were isolated before to get operational data. So the motivation, the primary motivation, is getting operational excellence, so benefiting from that, and that right away brings along the question of cybersecurity. So we have a lot of topics with IoT and cloud connectivity happening, and that is in the machine park. And if you look at the trains, we see a lot of diagnostic platforms. So the big system integrators have diagnostic platforms where they have access to their data. And, yep, they offer it like an additional benefit, for a fee, for the operators.
Roark: Right, right. And it makes sense. I mean, it's mostly for the benefit of the operations organization or the maintenance organizations, bringing in better efficiencies, etc.
Christoffer: Yeah, exactly. And it raises a lot of questions, because now, if you look at the Purdue Model, you are making links between the highest level and the lowest level. And of course, it's in a surrounding which is 20 years behind that of IT security. So, of course, to get to a maturity level, yeah, it takes a lot of effort.
Roark: Right? Yeah, one of the things that I hear, and, you know, I'll be transparent, I hear this from the vendor community quite a bit, is that these operational rail systems tend to be very unique to the rail industry, and that cybersecurity for these unique systems requires some really unique features and capabilities. And I don't know if you run into this, or you see this as much from your side, but do you have any examples that you can share about how, you know, the rail tech systems are, in fact, unique to the rail industry, and the impact that may have on the cybersecurity systems in place?
Christoffer: Well, first of all, it's a strongly regulated area. We have to deal with regulation, legislation and supervisory authorities, right? So that's one issue which we have to tackle, especially if you look at topics like patch management, patch management cycles. And that also brings us to the topic of very long lifecycles. So if you look at the classical rail development lifecycle, from RAMS, you have, you know, requirements breakdown, risk assessment, integration testing, but then comes the operational phase, and the operational phase is 30-40 years. So you have three to five years of development and system integration, then comes a long time, and that you have to handle now. It used to be different, because with safety, you said, okay, I have a safe system, I make no change. So I do the appropriate maintenance and keep the system running, so oiling, changing parts, etc., and tightening the screws, the bolts and nuts. And now it's like, whoa, we have this whole long time, and we need to, you know, maintain the cybersecurity in this system. And that is a completely new way of thinking for the engineers, for the operators, and of course, for the regulation. Next station.
Roark: Right, right. Yeah, it's a good point. When you and I talked before, one of the things that we talked about, and this may be a bit out of left field, but pardon the Americanism, that's a baseball thing, by the way. But what's your take on the whole conversation recently around AI? Especially the popularity of tools like ChatGPT that people are talking about? I mean, do you see this movement as something that helps security teams in the rail industry? Or do you think this is just yet another threat vector?
Christoffer: Yeah, so I mean, if you got a dollar every time you heard "ChatGPT," you wouldn't have to work anymore, right? Yeah, definitely. Well, I mean, looking at, you know, large language models, it's fascinating what it can do. The magic box, people put their emotions into it, and everybody can use it. So I think, from my point of view, it's important to see where the technology can go. What will it bring in the future? So not to see it as an immediate threat, per se, but as a warning, to see what we must prepare for. Because it's like an ongoing game between attackers and defenders. So it's good to see what threat is coming and how we can react to that. That is the point. And from that point of view, I think it's good that it happens now. Because, like you say, you always overestimate the change within the next 10 years and underestimate the change in the next two years. So this is the disruption, for sure, and it's getting larger and larger, and new ideas will come up, and it will be used for good and for bad.
Roark: Gotcha. Now, are your teams using perhaps ChatGPT or any of the other similar tools in daily work today, or experimenting with some of the different tools?
Christoffer: No, no ChatGPT, not as far as I know. A lot of companies have prohibited it, in the banking industry or government agencies, and that is fair, because it learns from anything you feed into it. If we keep inside what is my intellectual property and, yeah, your information. So what we would rather use is something like optical recognition. Like if you have projects looking at graffiti detection on the train, that way the maintenance team already knows, oh, there's graffiti on the train, we have to get a cleaning team out there, because there's always a penalty on that. From the city that gives us the contract, or the state that gives us the contract for the operational services. So that's why they always look at that, that there's no graffiti on the trains, and keep track.
Roark: Interesting. Yeah. That's something I never thought about, just checking for graffiti on the trains. Right. Quick question. So how do you think, you know, as you're looking at OT security, or the security of rail tech operational systems today, how would you compare where we are today, and the job that the industry is doing in the operational areas, compared to where we are in IT cybersecurity, given that we have such a much longer history of thinking about IT cybersecurity?
Christoffer: Well, as you said, IT security is already established, it's known. With OT security, you know, sometimes you get the reply: is it a typo? Did you actually mean IT, not OT? And it's like, no, it's a fresh topic, a technology. And you need a lot of awareness. Awareness is key, because the people are key. In this case, you can only put so much technology into security, up to a certain point, but the users, the people that operate the trains and machinery, they are key, and we have to make their life, their daily work, easier. That integrates, and that makes OT security a success.
Roark: Yeah, yeah, I agree with that. There are many more people involved in OT cybersecurity than in general IT cybersecurity, which makes for an easier job, I'm sure, from your standpoint. You know, how do you think about the people, not necessarily people within Deutsche Bahn or any rail operator, but the broader community? How do you view the relationships that the rail operators have today with the integrators, the rail integrators, the cybersecurity vendor community? Do you feel like the integrators and the vendors are working closely with the operators today to really address some of your security concerns and challenges? Or are there things that we all need to work on?
Christoffer: What we see is collaborations forming, so system integrators, train manufacturers are looking to collaborate to get that knowledge into their portfolio, you know, and to be able to offer it to operators. Within the operator, that always differs depending on how the system is in their country, because I can speak, for example, for Germany. We are in competition, so we have to win public tenders. And in those tenders, the state defines what they want. So if they don't say, oh, we want, you know, we want Wi-Fi, we want this and that, then, of course, nobody will offer it. So it starts more state-driven, with what they expect and want. And that can be different from nation to nation.
Roark: So do they set a minimum baseline that you have to adhere to, and then you can go above and beyond that, or just stick to that minimum baseline, right?
Christoffer: You have the minimum baseline. And then if you have a certain size, at least in Germany, if you're critical infrastructure, then you have to reach a higher baseline, because you fall into it from a regulation and legislation perspective.
Roark: So different operators have different requirements based on the scale of their operational environments.
Christoffer: Correct. If you're a very small one, you only have five trains, you have a lower baseline.
Roark: Right? You probably have a lot less automation as well, I would assume. Yeah. Yeah, that makes sense. Okay, got it. Got it. So, you know, as you think about where we are today, I'm sure that, given the fact that you're in charge of the OT security program there at Deutsche Bahn, you're constantly thinking about what's coming down the road. Or down the tracks, in this case, pun intended. But as you look forward, you know, let's say three to five years down the tracks, what are you most concerned about? Or maybe, what do you think are going to be the most difficult challenges that you have to deal with, or that operators, in general, have to deal with?
Christoffer: I think they really have to deal with the organizational change, because there are a lot of standardization works out there, guidance documents, but nobody really asks the question: how do you integrate it into your organization? And that is something which no one can answer, you know, generically for everybody. So, for that you need the people, you need your colleagues that understand, you know, what OT security is and what the goal is. You need management, you need management backing, because cybersecurity is always seen as a cost factor, you know, what do we get for it? I always say it's a bit like, you know, house insurance. You know, everybody has it, everybody hopes it never happens. But it costs money. You know? That's how security is.
Roark: Right? Yeah, that's exactly right. Do you see these programs, I mean, I'm assuming they take a lot of top-down commitment to really happen, that they can't necessarily be driven from the bottom up without that top-level executive commitment?
Christoffer: Right? Absolutely. You need top-level executive commitment here. And that is top-down. And depending on the size of the enterprise, it's like a huge tanker, and, you know, to steer a huge tanker, in comparison to a small little sports boat, it just takes some time. And yeah, maybe, to see the landscape is so different. Even within an enterprise, you have machinery which is older, which is more modern. The variety is what makes it more complex.
Roark: Yeah, you've got different organizations involved. Each organization has to learn a little bit about the other domain. So it gets very complicated.
Christoffer: Right? So it's winning the people, so that they understand that OT security helps them and doesn't hinder them. Like, "Oh, don't call the security people. They're just gonna, you know, shut everything down." Like, no, we'll help you. And that's the point. That is the most work; you have to do it in the beginning, to rise in maturity. I think that is a challenge. And also a challenge, of course, is the changing threat landscape. We've seen with the Ukraine conflict, and war, that the threat landscape, which was before unimaginable here in Europe, has changed, like, within weeks, with what is happening. So that is also something which we have noticed, that you have to be more adaptive and think the impossible.
Roark: Yeah, very much so. I would say it's not even just in Europe. I think unrest anywhere in the world can create cyber issues. It doesn't matter if it's on your doorstep or on the other side of the planet. Cyber doesn't really have any borders.
Christoffer: Right? It doesn't have any borders. And that's something which you really learn. People were very busy with the news, but you didn't see what was happening behind the news in the cybersecurity realm. I would say there were frontiers that you didn't know before that were, yeah, blurred. And I think that woke up a lot of people, governments, organizations, and now we have to see how we react to this. Because at the end of the day, safety is key; that is what we must uphold with cybersecurity. And we transport people. I mean, that's why we need to react and be prepared.
Roark: Right? I 100% agree. Yeah, absolutely. Let's change topics a little bit here and talk about, you mentioned earlier, the world of regulatory frameworks. I know that rail's not the only one; there's over a dozen critical infrastructure industries that are all going through different transformations at different speeds. Some people like to discuss it as Industry 4.0, or the fourth industrial revolution. How do you think the rail industry is doing relative to some of the other critical infrastructure industries as far as developing cybersecurity frameworks for the rail operational environments?
Christoffer: I would say we're on the way. I mean, when we started with the standardization group, where I'm also active, we looked at other industries and said, what are the other people doing? I mean, we have the automotive industry; they have connectivity. And what is the avionics industry doing? There's the idea of also having Internet on board, and no plane comes down. So they must have gone through this type of, you know, regulation and conformity assessment. So you see there, in the automotive industry, it's ISO 21434, and in aviation it's DO-326A. It's very interesting, because they integrated security and safety, which in the rail industry is just beginning: oh, safety and security, how do we merge these? Or do we keep them separate? And how do you synchronize it? So that is the issue where we are currently. And that's why I say we're on the way, because, you know, railway takes a bit to, you know, get on track, get up to speed. And, yeah, we're looking right and left and also benefiting from other industries.
Roark: Yeah, that's interesting. I assume most of the transportation industries are kind of similar. You mentioned two of them. I'm assuming things like busing, transportation, maritime also have some of the same problems, or challenges.
Christoffer: Yeah, it's definitely learning from other industries, from other nations that have published guidelines. And also looking at the classical IEC 62443 for industrial security. That's the golden reference point which we have.
Roark: Right, yeah, you hit on an interesting question that I had. I know you're a member of the working group that is now developing the new cybersecurity standard that's being called IEC 63452, for those that are keeping track. But it seems like today most of the operators in the rail industry are already following or relying on 62443. So why is a new standard necessary, and what's going to be different with the new standard?
Christoffer: So, looking back one step: before, the TS 50701, which is now being turned into the IEC 63452 which you mentioned, was like a guidance document. It was a lot of guidance, because it was a technical specification. And now we're going in the direction of an international standard. So a document against which you can also have a compliance assessment, so performing the assessment. And the difference will be, first of all, conformity assessment. And it will be more precise, because a standard is short and precise in the requirements, and then can have a larger national guidance section. But it will be more brief. And it will also be, from my point of view, with a stronger focus on IEC 62443, but with rail additions. In my personal view, in the future we will even see a rail-specific profile, because IEC 62443 has now introduced profiles, so industry-specific profiles, which you can add to the IEC 62443 series. And that, I think, will also help, if we see that coming in the future, on top of IEC 62443.
Roark: Bit of a mouthful. I finally got 62443 down to where I can say it without thinking about it. Now you're introducing one that jumbles up the numbers. Yeah.
Christoffer: Yeah, it just adds to 62443, which is such a well-known industry standard. So the whole industry jumped on it, because they didn't have anything for rail in their hands. And it's well known, it's structured, and it's used especially for the development lifecycles, for the risk assessment. That's the reason why it's so dominant. And I believe it will remain dominant in the industry.
Roark: Right? And I know that the industry came out with TS 50701 just a few short years ago. What's going to be different with IEC 63452? Will it replace 50701? Is it going to be in addition to it? How do these fit together?
Christoffer: Well, there are some discussions about that, but one direction is: okay, where we're going to, then that's going to become obsolete; yesterday's one will be put aside, and then only the international standard will be continued. It's also important because of all the new European regulations which we have, the Cyber Resilience Act, at least here in Europe. They have large regulations, or more requirements. Now they say, if you do not have industry-specific cybersecurity standards which you follow, you must follow all these requirements. Of course, the industries are keen to have a cybersecurity standard. And that's also the reason why, for example, automotive is excepted from the Cyber Resilience Act, because they have their standard which they follow.
Roark: So the rail industry wants to come up with their own, so that they are not beholden to the Cyber Resilience Act on a point-by-point basis. All right. That's the first I've heard of that. Okay, that's interesting. Got it. And you mentioned that a lot of this work on the IEC standards, at least from my viewpoint across the pond, you know, the work being done on 63452, it seems like a lot of that work is being done in Europe. How is the organization working with operators and other organizations more globally, especially in the North America and Asia Pacific regions, to hopefully push this as more of a global standard that is widely adopted?
Christoffer: Yeah, well, all the experts are invited to participate. It is an international project team, PT, before it becomes an international standard. We have colleagues from China, from Japan, included, and there will also be a final review. So although we don't have continuous participation from the whole, you know, international community at every meeting, there will be review points where everybody can comment, and then the comments are taken into consideration by the committee.
Roark: So where does the process stand today? And are there still opportunities for operators to get involved in the development of the standard?
Christoffer: I think currently we're shortly before the first comment phase. So I think October, around that time, is supposed to be the comment phase.
Roark: So they're very close to having the first draft of 63452. Excellent. And do you know the timing of that? Or is there a publish time?
Christoffer: Yeah, there's a publish time, but don't nail me on that. I think it's 2025. It's supposed to be published then.
Roark: Okay. Got it. And are there other standards? I know that the IEC standards have been developing and getting a little bit more worldwide adoption. Are there other standards in other parts of the world that are relevant in the rail industry as well, that people have to really pay attention to?
Christoffer: Well, I know that APTA has published some standards. We've also seen Australian standards being published, which were interesting. I recall that the former working group looked at that, and also Singapore, the city-state of Singapore, has also published something on that; they're also very keen on cybersecurity, on OT security for railways. And even the Netherlands has issued some things. So yeah, there are activities. But of course, no international rail standard. That's what we're working at.
Roark: Right, and even 63452 is an optional framework for people to adopt, right?
Christoffer: Yeah, yeah. Currently, it is. It will be interesting when we see what happens with the safety world, because currently, in the safety case, there's a link to it. It says you have to look at security, which can possibly impact safety-related functions, right? And it says, look at ISO 27001 or IEC 62443 for inputs on how to handle that. Now it will be interesting to see if maybe, in the future, we'll say, okay, also look at IEC 63452.
Roark: That makes sense. Okay, I did not know that. That's excellent. All right. Let's move on to our third topic. We touched on this a little bit earlier. Let's talk about some of the organizational considerations, or maybe even culture changes, that cybersecurity in the operational environment really brings up. You know, one thing I guess is a big challenge, you already mentioned it, is that the rail tech systems, or rail OT systems, are owned by somebody else, namely the operations teams and maintenance teams. So I'm sure this causes more challenges than dealing with IT security. How do you address some of those challenges and start to try to overcome those concerns?
Christoffer: Right. So what we have is two organizational sides: one is the CIO area, where IT security has always been located, and then we have the CTO area, where we have the whole, you know, technological operational systems running. And so you have to bridge the gap, and you need the bridge makers, because you must decide for your organization: okay, will I put the OT security with the CIO people, that already have an understanding of cybersecurity, or do I put it separate, on the CTO area, that have an understanding of the technological systems, the OT systems, but not so much of cybersecurity? So you have to see how the CIO and CTO work together, do they like each other or not. It's about people; I end up saying it's always about people. And then looking at how you integrate that. Yeah, for us, I can say we've concentrated on the CIO area, and we have strong bridge makers into the CTO area. You need communicators that, you know, explain and take the people along the trip, the road, the track.
Roark: Right, right. Yeah, you touched on it. You know, I don't know many cybersecurity people that know much about rail, and probably, my guess is, most of the rail operations people aren't cyber experts either. How do you start to get these teams up to speed in each other's domain enough that they're able to communicate and work together? Do they have any common systems where they're working off of the same data sets, or are they all looking at different data?
Christoffer: They're all looking at their own systems. So that's why you have to, yeah, make the connection and bridge it, and also adapt, how do we say, audience-targeted communication. So adapt your communication depending on who you want to reach. Because someone who is a machine operator, you know, if you ask them, okay, what VPN are you using, can you give me the version of it? Okay, VPN? I have a machine, what are you talking about? So you must make it very extended, in a manner that he can understand, she can understand, what you want from them and why it is important. And the same is on the other side, you know, if you have the security people, and then the workers come and say, hey, look, you know, this button doesn't work and the keyboard always crashes, and so I just connected something here, because now it works easier with a USB stick. And right now, it's talking to the people and giving them the awareness, not only of the topic but also the awareness of the other point of view. That is where you really have the big leverage, because if that works, then you're talking about solutions, technological solutions, process optimization, and then you really benefit. But the people are key.
Roark: Yeah. From a cybersecurity standpoint, does your organization do a lot of proactive outreach to the operations organizations, and even possibly formal training programs?
Christoffer: Yeah, so training, awareness, even on the workshop floor level, that is important. And also, yeah, reporting on each side, what is happening here, what is happening there, just to get this awareness. Because otherwise, you know, people start, "Oh yeah, we can connect the system," and we're like, "No, no, you don't connect anything here without, you know, speaking to us," you know?
Roark: Right, right. Got it, got it. All right. And how are you finding that those efforts are working? You know, are they where you would want them to be, or are you making good progress and still working?
Christoffer: Yeah, yeah. I mean, the operators' organizations are large, so of course there's always a lot of work to do. But it has improved within the last few years, that OT security is not mistaken anymore for a typo. It's, you know, "Oh, there is something," and also recognizing that, wow, we also have a lot of OT assets, even more than IT assets. So that was also a step, a long way to go, to get this acknowledgment from management and the people, that they understand it is important. And now we see the benefits coming, slowly but surely.
Roark: Right, understood. So you mentioned it before, you've got two different organizations: you have the CIO organization, where cyber resides, and you have the CTO organization, where the operations teams reside. Who pays for all this, from a budget standpoint?
Christoffer: That also will depend on how you implement it. At the end of the day, if you operate on the CIO side and then have an arrangement with the CTO side, or divide it, yeah, that's more like an accounting topic which we have to arrange, because you must see how you divide it equally and fairly between the entities, you know. Yeah.
Roark: Got it. I was just curious about the purse strings. You usually have a better ability to make things happen if you've got some of the budget. Yeah, it's always one addition.
Christoffer: The best way is always if there's regulation and it says you have to, right? Because, like, you're critical infrastructure, you have to do this and that, and that is changing continuously. Then there's no discussion about who pays it; you have to do it.
Roark: It's always a forcing function in the cyber world, either that or something bad happens, and typically either one drives a lot of quick response. All right, so Christoffer, let's kind of start wrapping things up a little bit here. As somebody that is day in and day out responsible for rail tech cybersecurity, if you think about the job that CISOs have to do at a rail operator, and we may have a number of other CISOs listening today, what kind of advice would you give those folks as they're thinking about diving further into security in their rail tech or OT environments?
Christoffer: Yeah, I would say you need to get the bridge makers. You need the CTO and the CIO area to work together; that is key. Talk to the people, talk to the people that operate your OT systems, get to know them, get to know their needs, because that is also a business need. I mean, at the end of the day, you have to uphold your business processes and be resilient. So you can never forget that it has a certain purpose, the OT security or the cybersecurity, and that's to uphold business and be competitive. And that's also what you can argue towards upper management to get their buy-in on this topic and their backing. And then, if you have that: awareness, awareness, awareness, people, people, people, because the OT is operated by people. It's not an app which runs on an automatic clock. It's people.
Roark: Right. You touched on an interesting topic. That may be a topic for another podcast appearance; we can talk about how to build a business case for some of these efforts in the operational environment. But you're spot on. It always comes back to supporting the business. Well, Christoffer, if somebody wanted to talk to you or get in contact with you, are there social media platforms that you're active on, or what's the best way to reach you?
Christoffer: Yeah, I'm on LinkedIn.
Roark: Okay. Okay. All right. Well, please note, Christoffer is on LinkedIn, and note the spelling of his first name. It's different and unique, it stands out, so he should be easy to find because of that. Well, Christoffer, I want to thank you very much for joining us today.
Christoffer: It's been a pleasure talking to you.
Roark: I also want to thank all of our listeners today. That is the end of our show today. So until next time, keep your tracks secure.
Christoffer: Thank you.