Digital resilience

The Directive on the Security of Network and Information Systems (NIS-D) was adopted by the European Union in 2016.

Its intention is to ensure common standards of security across all Member States and sets out a range of security requirements that apply to operators of essential services - including national railways and their supply chains.

Relevant organisations that fail to comply with the Directive risk incurring strict financial penalties - which can be up to 4% of turnover - and could be subjected to increased supervision by their designated National Competent Authorities.

An expert route to full compliance

Ensuring full compliance with NIS-D is a complex challenge for organisations unfamiliar with its scope, its full requirements, and even the extent of materials and information they must be able to provide.

We support rail organisations through every stage of the process, combining rail domain knowledge with a deep understanding of security practices in other critical infrastructure.

We will help your staff develop project and document plans, determine requirements and emerging priorities, manage all liaison with regulators and help prepare final evidence for submission.

As digital technology plays an increasingly prominent role in day-to-day rail operations, so the industry must prove itself ever-more resilient to emerging threats.

Cyber security, with its focus on the protection of IT systems and infrastructure, is only part of the equation. Digital resilience looks beyond IT processes and encompasses an organisation's processes, governance and physical assets, as well as its interactions with customers, staff and the outside world.

In-depth, rail-focused risk assessments

Applying an approach that combines any existing Cyber Security Management Plan, IEC 62443 (global standard for the security of Industrial Control System networks) and global best practice from the rail industry, our teams of rail domain experts and cyber security specialists will perform a thorough assessment of your current risk status

Most importantly, rather than following a generic industry approach, our digital risk assessments are designed to accommodate the unique characteristics of the rail industry - such as its open and accessible environments - and take into account the full range of potential threat sources, including those from non-malicious actors.

At the end of the process, you will be presented with a detailed, impact-led appraisal of the cyber-risks faced across your operations, prepared with a rail 'mindset' and accompanied by guidance on proportionate mitigation measures and next-steps.

Our Lifecycle consultancy service ensures that Digital Resilience remains an integral component of any rail product or system.

At every stage of development, our experts will provide advice on potential vulnerabilities and help develop proportionate responses.

Bespoke advice and support

Central to our approach is enabling managers and projects teams to understand the ever-changing risks inherent in digitally connected systems.

Through bespoke risk analysis, threat profiling exercises and direct interaction with both industry and international regulatory bodies, we ensure project teams are fully aware of their security responsibilities from design through to operation and maintenance

In determining responses, we help project teams maintain a full-system viewpoint, looking not only at each individual project in isolation, but also its interfaces with physical assets and control systems, and its vulnerability to human interactions, whether malicious in nature or not.

Ricardo holds a long and proud record of delivering Independent Safety Assessment (ISA) services for railway clients across the world.

Whether certifying that new signalling products meet international standards, such as EN50126, or assessing entire rail systems, we have unparalleled international experience in this arena.

It is with this reputation for impartiality and evidence-based judgements that we offer an Independent Security Assessment service, offering clients the opportunity to place existing measures under the forensic scrutiny of our railway and security experts.

What are the benefits of an Independent Security Assessment?

Following the conclusion of our assessments, organisations gain a true understanding as to whether current measures are meeting recognised industry and international standards.

This information can then help you determine if current digital security measures remain sufficient to the ongoing threats you face.

The certification - issued by Ricardo - can also be used as evidence to internal and external stakeholders that your organisation maintains a serious and long-term commitment to the security of its systems and assets.