Rail Cyber Security
Cyber security is often associated with the protection of IT, servers and data, but we see this as only part of the wider picture.
True digital resilience looks at the interfaces between information networks, physical assets and the passengers and staff who use and maintain day-to-day services.
We help clients across the rail industry to understand the security implications of digitally-connected systems and then help them protect against incidents that could inflict significant costs and disruption.
Services include Digital Risk Assessments performed by teams of rail domain experts to appraise current security measures, and specialist support to help your organisation meet the requirements of standards and regulations such as IEC 62443 and the Directive on the Security of Network and Information Systems (NIS-D).
Projects
QTMP Cyber Security Consulting and Assessment Project
Cyber security uplift project for rail organisation
Rail cyber security training and consultancy
Bespoke advice and support
The Directive on the Security of Network and Information Systems (NIS-D), adopted by the European Union in 2016, sets out a range of security requirements that now apply to operators of essential services, including national railways and their supply chains.
Ensuring full compliance with NIS-D is a complex challenge for organisations unfamiliar with its scope, its full requirements, and even the extent of the materials and information they must be able to provide about their networks and information infrastructure.
We help rail organisations through every stage of the process. Through our unique Ricardo partnership we combine rail domain knowledge with a deep understanding of security practice in other critical infrastructure sectors to ensure every aspect of the directive is accounted for.
Following initial briefings to raise awareness among staff of NIS-D and its expectations, we work with your staff to develop project and document plans, determine requirements and emerging priorities, manage all liaison with regulators, and help prepare your final evidence for submission.
The ISA/IEC 62443 series of standards is the foundation of cyber security for critical infrastructure such as rail and mass transit systems and their supply chains.
These international standards provide a detailed framework for identifying, assessing and managing the risks to industrial automation and control systems (IACS), and also set out established methods for assessing the effectiveness of existing security measures.
Ricardo's experts will apply specialist rail domain experience to help you bring your organisation into alignment with current best practice. From an initial gap analysis through to a staged implementation plan to address weaknesses or strengthen resilience measures, we will support and train your teams through every stage of the process.
Digital resilience looks beyond IT processes and encompasses an organisation's processes, governance and physical assets, as well as its interactions with customers, staff and the outside world.
Applying an approach that combines any existing Cyber Security Management Plan, IEC 62443 (the global standard for the security of industrial control system networks) and global best practice from the rail industry, our teams of rail domain experts and cyber security specialists will perform a thorough assessment of your current risk status.
Most importantly, rather than following a generic industry approach, our digital risk assessments are designed to accommodate the unique characteristics of the rail industry - such as its open and accessible environments - and take into account the full range of potential threat sources, including those from non-malicious actors.
At the end of the process, you will be presented with a detailed, impact-led appraisal of the cyber risks faced across your operations, prepared with a rail 'mindset' and accompanied by guidance on proportionate mitigation measures and recommended next steps.
Our Lifecycle consultancy service ensures that digital resilience remains an integral component of any rail product or system.
At every stage of development, our experts will be available to provide advice on potential vulnerabilities and help develop proportionate responses.
Central to our approach is enabling managers and project teams to understand the ever-changing risks inherent in digitally connected systems. Through bespoke risk analysis, threat profiling exercises and direct interaction with both industry and international regulatory bodies, we ensure project teams are fully aware of their security responsibilities from design through to operation and maintenance.
When determining responses, we help project teams maintain a full-system viewpoint, looking not only at each individual project in isolation, but also its interfaces with physical assets and control systems, and its vulnerability to human interactions, whether malicious in nature or not.
Rail Cyber Security Resources
Railway cyber security: an imperative for operational resilience
Ricardo achieves certification to key international information security standard
Ricardo partners with railway AI technology specialists, Cordel Group
Opportunities and challenges in sharing digital twins
Meet the experts
Tony Gao
Global Independent Security Assessment (Cyber) Lead