Politics

Politics Home | Getting cybersecurity on track: How to protect rail in the transition to Great British Railways

Published

on

Credit: Adobe



Martin Rhodes MP & Chris Parker MBE
| Fortinet

Advertisement

As Britain’s railways move into public control under GBR, digitisation is transforming how the network runs. But with more connected systems comes greater cyber risk. With 1.7 billion passenger journeys a year, government and industry must embed cyber resilience into procurement, skills, incident learning, and cross-sector collaboration from day one.

Britain’s railways are changing more rapidly than at any point in a generation. The creation of Great British Railways (GBR) moves the operation of trains from private train operating companies into the hands of the state as franchises expire.

Advertisement

Earlier this year, we saw the first GBR rolling stock down in Brighton. But behind the red white and blue paint, the operation of trains is changing too, with increasing digitisation of passenger information systems and operational technology.

A modern rail system is a good thing – but it brings new cyber challenges. Around the world, cyberattacks on rail infrastructure have caused serious disruption, such as in Germany, Israel and Denmark. In the UK, we need to guard against weaknesses as we transition to GBR, with over 1.7bn passenger journeys a year. Suddenly, the risk is owned by government, not private companies.

Analysis commissioned by the Department for Science Innovation and Technology found a hypothetical systemic cyber incident on the rail network could result in a total economic cost of approximately £1.8 billion for a week’s period of disruption. Meanwhile, the National Cyber Security Centre (NCSC) continues to report a sharp rise in serious cyber incidents affecting the UK’s essential services and wider economy, underlining a growing risk to critical national infrastructure like rail.

Advertisement

As the network becomes more digital, keeping trains moving safely and reliably increasingly depends on the resilience of the cyber systems that protect them. The transition to GBR presents a series of new challenges from procurement to skills and it is vital that GBR equips itself to be fit for the future. In Fortinet’s recent report on this subject, four key recommendations emerged.

The first is to establish a national cybersecurity incident reporting and learning system for the rail industry. Too often, organisations learn only from incidents that happen within their own network. Yet cyber threats rarely respect organisational boundaries. The NHS’s patient safety reporting framework is a model for how lessons from incidents and near misses can be captured centrally and shared quickly across an entire sector. The transition to GBR presents an opportunity to embed that culture of continuous learning from the outset, helping operators identify systemic vulnerabilities before they become major disruptions.

Second, cybersecurity must become an integral part of procurement rather than an afterthought. In Great Britain, passenger rolling stock typically has a service life of around 30–35 years, with some fleets already over 30 years old, meaning that contractual choices made now will shape the network’s cyber risk profile for a generation. Decisions taken today about rolling stock, signalling systems and operational technology will shape the railway for decades to come. If cybersecurity expertise is absent when those decisions are made, vulnerabilities can become locked into infrastructure with long asset lifecycles that are difficult and expensive to remedy later. Great British Railways offers the chance to make “secure by design” the default principle for procurement, ensuring resilience is built into every new system from the beginning rather than bolted on afterwards.

Third, the sector must address the growing cyber skills challenge. The National Skills Academy for Rail (NSAR) estimates that up to 75,000 workers could be lost to retirement or attrition by 2030, with acute shortages already emerging in areas such as digital signalling, data, and systems engineering. Yet the future railway depends on professionals who understand both operational rail systems and modern cyber risk. Those hybrid skills remain in short supply. A dedicated rail cyber skills taskforce could help coordinate training, attract new talent and ensure the workforce develops alongside the technologies it will be responsible for protecting.

Advertisement

Finally, we need stronger collaboration across critical national infrastructure. The convergence of information technology and operational technology means that cyber resilience can no longer be considered in isolation by individual organisations. Transport operators, infrastructure managers, technology suppliers and Government all have a role to play in identifying emerging threats and sharing best practice. Trusted cybersecurity partners should be a central part of that collaboration. Building on NCSC Information Exchanges, sector specific working groups for major transport modes (rail, aviation, maritime and road) should coordinate cyber risk assessment, set shared resilience standards, run joint exercises and report regularly to ministers on emerging threats and recommended actions. This should, in time, be extended to critical national infrastructure sectors such as energy and health.

The Cyber Security and Resilience Bill, being debated in Parliament today, is an important step forward in setting a modern and updated legal framework, but it is only the start. By pairing clear statutory duties with an industry-wide learning culture, secure-by-design procurement, a skills pipeline that reaches every region and an open door between Government and industry, we can turn GBR into a global benchmark for safe, digital transport.

 

 

Advertisement

Martin Rhodes, Member of Parliament for Glasgow North.

 

 

 

Advertisement

 

 

Chris Parker MBE, Director of Government Strategy at Fortinet.

Source link

You must be logged in to post a comment Login

Leave a Reply

Cancel reply

Trending

Exit mobile version