The integrated management of safety tasks and cyber security is a key requirement in ensuring safe rail operations. As part of an integrated Safety and Quality approach, cyber security does not just perform a strategic and control function. SBB also monitors network traffic around the clock to ensure effective protection against attacks from cyberspace.  

The growing threat level makes public transport in Switzerland part of critical national infrastructure. Such infrastructure must meet requirements in terms of punctuality and reliability, but also expectations regarding IT security. New technologies, digitalisation and automation are essential to ensure Switzerland remains connected and well-supplied. Without secure IT infrastructure, no train can run on the tracks safely nowadays.

Cybercrime – a global billion-dollar business – is constantly evolving and SBB, its customers and partners are not protected against it. In addition to state actors, professional private organisations of hackers are also trying to profit from attacks on companies. SBB’s cyber security strategy aims to ensure its IT infrastructure is adequately protected against cyberattacks. This stops cyberattacks from bringing the rail system to a standstill for days or even weeks.

Risk management on multiple levels

SBB creates trustworthy, resilient digital applications for systems, installations and vehicles. It also operates its own Cyber Defence Center, which monitors network traffic around the clock and initiates the countermeasures required in the event of an incident.  

SBB assesses and manages its information security risks as part of the Information Security Management System (ISMS) for its digital solutions. This is certified under the ISO 27001 standard for business applications.

SBB is committed to making its contribution to Switzerland’s technological and social development and participates in cybersecurity initiatives and the training and development of cybersecurity specialists. Dialogue and cooperation with other companies, partners and the research sector is an integral part of this approach.

Certified ISMS management system for the protection of IT infrastructure.

SBB AG operates an information security management system (ISMS) in accordance with the requirements of the international standard ISO/IEC 27001:2013.

Information security is part of SBB’s daily activities to ensure business-critical IT systems and the required data are adequately protected based on the risk situation.

An Information Security Management System (ISMS) enables the systematic management and control of information security. ISMS helps to ensure regulatory and contractual compliance requirements are met and documents and measures the quality of information security across all SBB assets. ISMS aims to continuously improve the security levels in the areas which are certified. ISMS supports the security objectives defined for SBB’s values in terms of confidentiality, integrity and availability.

The ISO 27001 certificate focuses on SBB’s Digital Zone with the following scope of certification: ‘planning, development and operation of digital solutions in the area of business applications for SBB Information Technology’

The ISMS is managed within Safety and Quality and controlled and developed by the Information Security team for SBB as a whole.