
Fleet Cyber Security


In March 2025, Rail Partners, the Rail Delivery Group (RDG) and the Rail Safety and Standards Board (RSSB) hosted the Fleet Cyber Security Conference, at Thinktank Birmingham Science Museum. The event brought together fleet operators and owners and their supply chain to share cyber security best practice and real-world case studies. The conference discussed practical measures the rail industry is using to reduce cybersecurity risks to rolling stock fleets.

It was a follow-up to its Fleet Software Integration and Cyber Security event in February 2024, covered in Issue 208 (May-June 2024). Last year’s event highlighted the issue, outlined some of the tools and techniques available to operators, and explained the difference between Information Technology (IT) systems (generally fairly standard suites of applications on relatively standard hardware) and Operational Technology (OT) systems (generally bespoke software and hardware systems controlling the rolling stock). Speakers also explained that it is sensible to have what is known as a demilitarised zone between IT and OT, with no direct connection between them.
This year, there was more focus on both dealing with cyber threats, and the development of standards and processes to support operators working with increasingly complex connected systems. The fact that the general public now has access to on-train systems through Wi-Fi was also highlighted as a risk that could be exploited by so-called bad actors.

Evolving risk

Nicole Jennings, chief delivery officer at RDG previewed the forthcoming Rail Cyber Security Strategy, emphasising that managing cyber security is vital, given the fact that rail systems are increasingly digital and interconnected. Cyber security is a risk that is consistently evolving, so rail operators cannot eliminate the risk but can mitigate the impact using a consistent and systematic approach to information security. The Strategy is due to be launched in Summer 2025.

Nicole said that the Strategy will help operators to understand cyber risks and the impact of cyber incidents; protect railway assets by safeguarding the confidentiality, integrity and availability of digital systems; and detect abnormal behaviours in people, assets, and/or systems and respond in a way that reduces the impact of cyber security incidents.

There will be five objectives:

  • Everyone should understand cyber risks, their role in mitigating them, and how to recognise and respond to threats.
  • Everyone has a clear picture of exposure, together with their role in identifying weaknesses and assessing potential impacts.
  • Security measures are applied uniformly across cyberspace, physical locations, and organisations.
  • Security is embedded from design to decommissioning, with continuous adaptation to emerging risks.
  • Strong monitoring and detection processes are in place to help in acting quickly to minimise damage.
Credit: RSSB

Security and safety

These five points are quite similar to the process that a railway would carry out to identify and manage hazards and risks, as became apparent when James Walker, head of digital safety at ORR, and Darren Fitzgerald, principal electrical and systems rolling stock engineer at RSSB, spoke.

James identified the links between security and safety in a useful diagram.

Although described separately in English, Rail Engineer notes that ‘security’ and ‘safety’ are the same word in many languages. It was no surprise that ORR expects duty holders to manage the risks arising from software and cyber security failures such as overcrowding, disruption, and signalling system failures. This means that duty holders should manage their software-based system so that software design, operation, maintenance, and cyber security risk is managed in the same way as any other risk as part of their safety management systems.

The approach should be managing security risk, protecting against cyber-attack, detecting cyber events, and minimising the impact of such events. Safety and security specialists should therefore work together to identify and mitigate risks.

James outlined the findings of some ORR inspections. He commended some good practice, such as dedicated cyber/information security teams and good support for cyber security throughout the organisation. In contrast, he said, there were many areas for improvement, such as coordination of the approach to managing safety and security, a lack of cooperation between safety and security teams, and supply chain and change management assurance issues.

Darren Fitzgerald outlined applicable standards, describing how the Purdue Enterprise Reference Architecture (PERA) model can be applied to on-train networked systems.

He also outlined the likely scope of the forthcoming IEC 63452 proposed standard on Railway Applications – Cybersecurity which will cover the areas listed in Table 1. It is likely to be published in March 2026.

Table 1

Darren also introduced Technical Note 2312 Rolling Stock – Cyber Security Essentials. It covers security compliance, physical security and other measures, management of change including control and configuration of assets and systems, system interfaces, and an appendix listing standards with potential cyber security implications. Finally, forthcoming RSSB developments include an update to RIS-2700-RST Verification of Conformity of Engineering Change to Rail Vehicles I with appendices on software and cyber security. There will also be a training course – An introduction to rolling stock digital systems – which will include an overview of system models, a high-level introduction to software, and how to understand cyber security in a basic format.

Northern’s experience

George Copeland and Marc Silverwood described Northern Trains’ progress with cyber security over approximately the last 10 years, from being a railway with no on-board OT systems to today, where Northern has more than 360 ‘digital’ trains, over 650,000 Wi-Fi users, and more than 36,000 digital assets across its fleet.

In 2021, one of Northern’s suppliers suffered a cyber-attack which took Northern’s on-train systems offline. However, after a team effort they were only offline for an hour. This experience led Northern’s board to establish an on-board systems team of approximately 10 engineers, and it has clearly established roles and responsibilities defined for cyber throughout the organisation and with key suppliers. Some activities involved protection against attacks via, for example, on-train Wi-Fi, while other tasks included physical security of on-train equipment – e.g., equipment cupboards secured by non-generic keys.

George and Marc emphasised the importance of change control, explaining that an apparently straightforward connection of one on-train system to another can cause unexpected cyber risks. Comment was made that the usual process of handover of new trains and/or other equipment to an operator at a point in time is not appropriate for cyber risks which are constantly evolving, and a more enduring commercial arrangement is needed to ensure an ongoing relationship to enable new threats to be dealt with. Northern explained its cyber security management process and its operator-supplier interface.

Cross-asset activities

Credit: RSSB

Apoorv Shrivastava from RSSB discussed the work of the industry-led Asset Integrity Group (AIG), which aims to bring cross-asset activities together as part of RSSB’s overall Rail Health and Safety Strategy, with a mission where “Asset integrity [is] at a level where it isn’t noticed”. He introduced RSSB’s very readable ‘Cyber security for railway asset managers’ publication.

Apoorv outlined some of the work sponsored by the AIG, including model risk assessments that others can adapt or use as a template for a similar process. He further emphasised the increasing reality that cyber security is just another specialism in overall asset management, as well as in safety/risk management. Good asset management involves asset knowledge, asset competence, and strategic influence. For complex assets, the skills/disciplines required are broad and include cyber competence.

RSSB is also facilitating a rolling stock Industry 100 (i100) project. i100 is an initiative from the National Cyber Security Centre to facilitate close collaboration with the best and most diverse minds in UK industry.

During a panel session, it was clear from the questions that the importance of having the right people specifying and assuring cyber security of systems is not always recognised. Moreover, there needs to be cooperation between all the actors involved with rolling stock – ROSCOs and TOCs, as well as train manufacturers and their suppliers.

Unusually, this seminar included a workshop session covering various stages of managing a cyber-attack, highlighting the importance of preparedness and expertise. Your writer has participated in many such tabletop exercises over the years, generally dealing with events such as collisions or derailments. The basic process for dealing with a derailment is similar to that for dealing with a cyber-attack, but the experts who need to be involved are different. However, unlike a derailment, not being able to immediately see what has happened further emphasises the importance of preparation and protection.

Manufacturer’s view

Bruno Corasolla from Hitachi Rail presented a manufacturer’s view. He further emphasised the importance of collaboration, with transparency and feedback loops across the supply chain, from funders through to software developers. He felt that standards such as IEC 62443 will help, together with ensuring compliance and sharing best practice (i.e., integrating cybersecurity measures into all stages of the supply chain).

Part of the challenge is that systems are increasingly complex, technology changes continuously, there can be resource constraints, and there are issues with diverse stages of maturity. Rail Engineer heard the solution to all this is commitment, collaboration, and more collaboration, while prioritising cyber.

Summing up

George Bearfield from Rock Rail, who gave the keynote at last year’s event, summed up the day, asking if cyber security really is that complicated, and what should be done. He said that the distinction between IT and OT is now well understood and stressed the importance of making assets secure by design (another parallel with safety), using the standards to help.

George acknowledged that cyber competence is improving. He said that it is important to understand system risks and vulnerabilities, and penetration testing can be a valuable tool. Indeed, for systems that have evolved with many changes, penetration testing can be useful as a penetration tester has to understand the system and data flows in order to carry out the tests. This is something that usually cannot be learned from the documentation.

While progress has been made, George concluded, the landscape keeps changing especially with the current unstable world political situation.

This was another valuable event organised by Rail Partners, RSSB, and RDG in collaboration. However, while Rail Partners has now shut down as a result of the planned industry changes, Rail Engineer understands that RSSB and Rail Delivery Group will work together to promote future events.

With thanks to David Gould at RDG and Mark Oakley at RSSB for their assistance.

Image credit: iStockphoto.com/BlackJack3d

Malcolm Dobell BTech CEng FIMechE
SPECIALIST AREAS Rolling stock, depots, systems integration, fleet operations. Malcolm Dobell worked for the whole of his 45-year career with London Underground. He entered the Apprentice Training Centre in Acton Works in 1969 as an engineering trainee, taking a thin sandwich course at Brunel University, graduating with an honours degree in 1973. He then worked as part of the team supervising the designs of all the various items of auxiliary equipment for new trains, which gave him experience in a broad range of disciplines. Later, he became project manager for the Jubilee Line’s first fleet of new trains (displaced when the extension came along), and then helped set up the train refurbishment programme of the 90s, before being appointed Professional Head of Rolling stock in 1997. Malcolm retired as Head of Train Systems Engineering in 2014 following a career during which he had a role in the design of all the passenger trains currently in service - even the oldest - and, particularly, bringing the upgraded Victoria line (rolling stock and signalling) into service. He is a non-executive director of CPC Systems, a systems engineering company that helps train operators improve their performance. A former IMechE Railway Division Chairman, he also helps to organise and judge the annual Railway Challenge and is the chair of trustees for a multi academy trust in Milton Keynes.
