"Cyber Threats are Possible. We Can't Ignore Them," Says ZSSK CARGO Vice Chairman Hambálek

photo: RAILTARGET/Matej Hambálek
09 / 07 / 2024

We spoke with Matej Hambálek about the hot topic of cybersecurity in railways and the steps ZSSK CARGO is currently taking in this area. This discussion comes as an interdepartmental consultation is underway regarding the proposed amendment to the Cybersecurity Act, which is scheduled to take effect on January 1, 2025.

You have been the Vice Chairman of the Board of ZSSK CARGO since November 15, 2023, but you have spent your entire career in transportation, both rail and air. You have also served at the Ministry of Transport. You previously worked at ZSSK CARGO from 2012 to 2016. How do you perceive the changes in railways and ZSSK CARGO since then?

A lot has changed. Despite the conservative nature of the railway sector, it has also been impacted by digitalization. It includes the installation of GPS locators on wagons and the development of systems and applications that manage our company's operations. However, what has clearly changed is the risk of cyber threats. It is a topic I have now taken under my wing.

We can follow up on this. In 2022, a directive on measures to ensure a high common level of cybersecurity across the European Union (known as NIS2) was issued, which should also affect your company as the largest Slovak carrier. How are you preparing for the potential new obligations associated with this?

Not everything that comes to us from Brussels is seen as good. However, we must take cyber threats seriously. We have implemented the previous NIS1 directive and are currently conducting a detailed internal analysis of the possible impacts. We are working on implementing additional measures. I have personally contacted all our relevant departments, including IT and the cybersecurity manager, representatives from commerce and operations, and the HR department. I consider my coordination as Vice Chairman of the Board indispensable in addressing this issue, which affects the entire company. I have also sought cooperation from the National Security Office.

When we talk about threats, is it even possible for someone to cyberattack the systems of a national carrier? How seriously do you take the potential threat?

At CARGO Slovakia, we perceive cyber threats as potentially possible and, therefore, cannot ignore them. The transition to digital solutions has brought many operational benefits, efficiencies, and risks. We cannot pretend that Slovakia is not affected because we are a small country. Even the railway sector in smaller EU countries has faced attacks in the past. It doesn't necessarily have to directly threaten security or control systems, but it can still cause significant damage.

Can you provide examples of similar attacks from the past?

One example is the cyberattack in Ukraine in 2017, which disrupted timetable systems, halted railway operations and caused chaos in both freight and passenger transport. Another warning example is the disruption of train control in Poland, where an attack caused signal failures and train delays. Even an email attack can suffice. Take the attack on Czech Railways in 2020, which, although it did not directly threaten transport, had evident impacts.

Why do you consider email attacks a problem?

We must realize that we increasingly handle things online, either through emails or our systems. From a security perspective, we separate these two communication channels into emails and information systems, primarily focusing on workflow. Email is considered an operational communication tool, but it is open and often exploited by fraudulent messages, which we have all encountered in our personal lives. We know of a past case in the transportation segment where an email was sent from an almost identical address to the CEO's, requesting immediate payment of an invoice to a changed supplier account number. In this case, no actual payment was made, but it illustrates how easily email can be exploited. Continuous training of internal employees against increasingly sophisticated external attacks is important and necessary. We must recognize that we no longer work only with paper but rather in a hybrid, mixed form. If we have data only in electronic form, we could lose it in a cyberattack and might not be able to recover it, or only with great difficulty and expense. I aim to set everything up so robustly that any impact from threats will cause minimal damage.

How should your systems be set up to withstand cyberattacks? Some experts say it is practically impossible to secure everything to prevent an attack.

Yes, you are right. It is never possible to set up a system to be 100% secure. As systems evolve, so does the nature of threats. However, it is still essential to talk about a strong cybersecurity defense strategy, which means not only securing the ICT systems themselves but also implementing organizational measures and retraining employees, which is often overlooked. One of the most critical elements is that one of the biggest cyber risks is the internal employee, who can cause a security incident, either knowingly or, more often, unknowingly.

How will you and your colleagues set up the cybersecurity system?

From my perspective, it is crucial to know what we need to protect, where our weaknesses are, where we store data, how we work with it, how to ensure data and information security and protection, and, last but not least, to have processes in place that ensure that after a potential attack, we can quickly restore operation of our infrastructure with minimal damage and data loss. This issue concerns the entire company, so a global perspective is appropriate, requiring a proactive and multi-level cybersecurity strategy. As I mentioned, we currently have the NIS1 directive implemented and conduct repeated cybersecurity audits through certified auditors. It is also another important tool we use in setting up and identifying potential threats.

The transposition period for the NIS2 directive is October 17, 2024. The Slovak National Security Office, as the central government body responsible for cybersecurity, published a draft amendment to the Cybersecurity Act for interdepartmental consultation at the end of May 2024. How do you perceive the potential amendment proposal?

We are already studying the draft amendment to the Cybersecurity Act, but since we are considering submitting comments, I will not comment on our position on the law at this time. However, I must say that I find the Slovak proposal more logical and less complicated than the Czech proposal, which we also followed during its preparation.