Some 23,500 trains use the network infrastructure every day and, over a year, cover over a billion kilometers of track. IT plays a crucial role in ensuring seamless operational processes of this magnitude. This is not just for the purposes of correctly setting signals, level crossings, and switches, it also provides support in coordinating the entire train traffic across Germany.
In its role, DB Netz AG is a critical infrastructure company par excellence – it ensures that a unique critical infrastructure in Germany remains in continuous operation. As a critical infrastructure company, the benchmark for IT security is particularly high. Documentation and degree of fulfillment of security requirements are an important issue for the DB Netz AG business.
The new basis for management of information security means that DB Netz AG is switching from a reactive, manual approach to a planned, active one. They succeed in efficiently orchestrating the necessary information and cooperative obligations. Laborious, reactive, and recurring research tasks (e.g. for upcoming audits) are replaced by a systematic, industrial approach for information security. DB Netz AG is put in a position to establish structured IT security documentation as a requirement for the divisions in the group, as proof of compliance, and as a tool for comprehensive security management. The company gains a high degree of transparency at all times and also embeds the significance of IT security at management level. This enables IT security management to be controllable in the extensive and fast-moving business as well as in the framework conditions and regulations which are becoming more complex. It does away with silos and creates a company-wide vision.
Using modules from the ESARIS security architecture helps to provide a modern basis for the operational IT security management. The client achieves company-wide efficiency and transparency.
The critical infrastructure challenges faced by DB Netz AG are nothing new. But, in recent years, there has been a development in the number of standards, lists of requirements, work instructions, and security concepts, the establishment and fulfillment of which is checked by auditors. All of this content and the cooperative obligations are distributed throughout the entire company and its specialist units. Together this brings about huge costs for the company's small IT security team. In order to meet the critical infrastructure requirements, as well as comply with other security standards and certifications, the team decided to put its existing information security management system (ISMS) to the test. “We wanted to generate comprehensive transparency around necessary information and at the same time guarantee an efficient implementation of ISMS,” explains Dr. Eberhard von Faber at T-Systems. The security team wanted to set out a modern basis for the IT security management and embed it within the company. This is because a whole range of internal divisions needed to actively work on this over the long term. How can this work?
ESARIS (Enterprise Security Architecture for Reliable ICT Services) presented those in charge with a suitable security architecture for fundamentally reprocessing the IT security and placing it on a new footing. They turned to T-Systems/Deutsche Telekom Security for consulting services. ESARIS is a collection of measures, standards, and instructions for securing ICT services. ESARIS standardizes, harmonizes, and improves IT security. ESARIS has been primarily developed for IT service providers where highly distributed value creation is the order of the day. This is also the case for DB Netz AG. Many building blocks of the ESARIS security architecture can be used accordingly. T-Systems and Deutsche Telekom demonstrated this as part of a consulting project over several months in 2021. In cooperation with the experts, amongst other things, they analyzed the existing situation with regard to the tools used, sources of information, and available documentation. They reflected the results of the analysis in the available blueprints of the ESARIS security architecture. This proved that it was not only original IT security themes in the Enterprise IT that needed to be taken into account, but also the increasingly more important area of OT, or IIoT security. In conjunction with the security team, the consultants developed a company-specific security taxonomy based upon this. It gives a detailed representation of which themes and tasks need to be revised and how they are linked with one another. The taxonomy provides a permanent overview and serves as a control tool. This central tool allows those responsible for IT at DB Netz AG to efficiently orchestrate their IT security management. They gain a solid foundation and a plan for the next implementation steps. Central document management plays a further significant role, the cornerstones of which were discussed together. A collaboration model defines the cooperative obligations, helps to organize cooperation, and forms the basis for governance within the company.