Railway Cyber Security Threats and the NIS Directive

Author: Mike Hewitt

I recently attended a TechUK DCMS Workshop on Implementing the Network and Information Systems (NIS) Directive.

Whilst it’s understandable that GDPR has been getting a lot of airtime recently, it’s surprising that there hasn’t been as much on this other EU directive. It will arguably have a bigger effect, particularly for the rail industry, and require a much more comprehensive approach to information security. 

The NIS directive comes into force on 10th May, and all deemed 'Operators of Essential Services', such as UK operators in electricity, transport, water, and energy will have to comply from this date. EU Member states have until 9th May 2018 to transpose the directive into domestic legislation. The UK government is implementing the requirements through a UK-wide set of regulations – the Network and Information Systems Regulations 2018, which will come into effect on 10th May. 


The UK government states, ‘as our reliance on technology grows, the impact of failure in those systems and the opportunities for those who would seek to compromise our systems and data increase.’ These will need to be prepared to deal with the rising number of cyber threats, but the NIS directive will also cover other threats affecting IT, such as power failures, hardware failures environmental hazards.

The UK railway faces specific issues because of its operating environment, legacy infrastructure, and the application of new digital technology. In fact, whilst huge efforts are being made to safeguard the safety elements of these systems, many cyber incidents have already affected the rail industry. There is also great potential for future attacks that could result in a range of possible outcomes, from reputational damage through to disruption and even injury and loss of life due to systems being compromised.

Although the deadline for NIS Directive compliance is looming, there remains a relatively slow adoption of in engineering practices, which is surprising when the railway has high numbers of geographically dispersed assets and workforces that have different skills and levels of experience. 

The National Cyber Security Centre has outlined four key objectives to help meet the directive, they are: Managing Security Risk; Protecting against Cyber Attack; Detecting Cyber Security Events; and Minimising the Impact of Cyber Security Incidents. 

I and my colleagues will be working together to create a future series of blogs focused on each of these objectives. I do hope you’ll continue reading.


This blog was copied from an original post on LinkedIn, if you wish to take part in the discussion or share it please follow this link.