Aventra Vehicle Digital Risk Assessment


We worked in partnership with Roke Manor Research Ltd, a leading UK cyber security and communications specialist, on a digital resilience project for Bombardier (now Alstom, a global rolling stock manufacturer), to help in-house teams assess the exposure of the Aventra platform to a range of possible cyber security threats.

The Aventra was introduced to the UK rail network in 2017 and has since become an increasingly familiar to commuters as it joins fleets serving the south, west and midlands regions.



To provide confidence that the vehicle will meet the highest standards of security against current and emerging threats, the client commissioned the Ricardo-Roke team to produce a full appraisal of the platform's digital risk profile.

The project represented one of the first examples of a major train manufacturer seeking to integrate cyber security assessments into early design and testing processes.



Upon completion, Ricardo-Roke provided a detailed, high-level risk-based assessment that highlighted the security risk of components, sub-systems and the Aventra platform, along with recommendations that could be incorporated directly into existing risk management practices.

Our assessments also provided confidence to project teams that the Aventra platform was capable of compliance with the Directive on the Security of Network and Information Systems (NIS-D).


What is the NIS-D and does it affect you?

The Directive on the Security of Network and Information Systems (NIS-D) was adopted by the European Union in 2016.

The intention is to ensure common standards of security across all member states and the Directive sets out a range of security requirements that now apply to operators of essential services - including national railways and their supply chains.

Relevant organisations that fail to comply with the Directive risk incurring strict financial penalties - which can be up to 4% of turnover - and being subjected to increased supervision by their designated National Competent Authorities.

Ensuring full compliance with NIS-D is a complex challenge for organisations unfamiliar with its scope, its requirements and even the extent of materials and information they must be able to provide about their networks and information infrastructure.


Bombardier (now Alstom)

Key Services

Cyber security

Start and end dates

04/2017 - 12/2019


United Kingdom, Derby

Digital resilience
Learn more

Contact our experts

Related case studies

View all case studies

Elizabeth line - Crossrail

Read case study

Metrolinx safety assessment

Read case study

Sydney Metro Shadow Operator

Read case study