Product Expertise: Cybersecurity in the Railway Sector

INTRODUCTION: The railway sector is facing two major phenomena brought about by the digitalisation of its systems. On the one hand, software is ever more present at every level, in components and subsystems alike (signalling, rolling stock, energy, infrastructure and communications); on the other hand, that software is exposed to the threat of cybercrime.

These challenges arise from user needs and from newly proposed services, which require greater connectivity between the distributed control systems closest to the field and the IT systems or cloud applications that serve them. In cybersecurity terms this is an “increase in the attack surface”: the most critical systems become more exposed to the risks of cybercrime.

This naturally concerns new projects, which are required to set out security requirements so that cybersecurity problems are dealt with at the source.

SAFETY IN THE RAILWAY SECTOR: Safety is a mature field in the railway sector. The applicable standards, such as IEC 61508, EN 50126, EN 50128 and EN 50129, are well known and their application is mandatory. For cybersecurity, on the other hand, the benchmarks applicable to the sector are far fewer and their application is currently not mandatory (in the regulatory sense). The industrial standard IEC 62443 may prove a valuable aid, particularly part 3-3, which sets system-level security requirements for industrial automation and control systems (“IACS”). EN 50159 (also published as IEC 62280) [Ref.9] addresses one specific aspect of cybersecurity, the protection of safety-related communication: it identifies the threats against transmission systems used in the railway sector (message repetition, deletion, insertion, re-sequencing, corruption, delay and masquerade) and the defences that counter them, such as sequence numbers, timestamps and time-outs, source and destination identifiers, and a safety code or cryptographic technique over the message.
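The threat classes EN 50159 names, each met by one of the defences above, as an added example that is not part of the original article or of any Bureau Veritas product: a minimal sender/receiver pair in Python wraps each telegram with source and destination identifiers, a sequence number, a timestamp and a keyed safety code, and the receiver classifies every incoming frame by the threat it exhibits. The key, identifiers, timings and message contents are constructed for the demo, and the frame layout is illustrative, not the layout of any real safety protocol.

```python
"""Illustrative EN 50159-style protection of a safety-related telegram.

Added example. Sender: header || payload || safety code. Receiver: check the
safety code, the addresses, the timestamp and the sequence number, and report
which threat class a rejected frame falls into. Key, ids and timings are
constructed for the demo.
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct(">BBIQ")  # src id, dst id, sequence number, timestamp (ms)
MAC_LEN = 8                       # truncated HMAC-SHA256 used as the safety code


def build_frame(key: bytes, src: int, dst: int, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Sender side: header || payload || safety code over header and payload."""
    body = HEADER.pack(src, dst, seq, ts_ms) + payload
    code = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + code


class SafetyReceiver:
    """Receiver side: returns ('ok', payload) or (threat_name, None)."""

    def __init__(self, key: bytes, my_id: int, peer_id: int, max_age_ms: int):
        self.key = key
        self.my_id = my_id
        self.peer_id = peer_id
        self.max_age_ms = max_age_ms
        self.next_seq = 0   # sequence number expected next
        self.seen = set()   # accepted sequence numbers (a real receiver keeps a window)

    def accept(self, frame: bytes, now_ms: int):
        if len(frame) < HEADER.size + MAC_LEN:
            return "corruption", None
        body, code = frame[:-MAC_LEN], frame[-MAC_LEN:]
        # Safety code first: a bad code means corruption in transit, or an
        # insertion / masquerade by a party that does not hold the key.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(code, expected):
            return "corruption", None
        src, dst, seq, ts_ms = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        # Address check: a valid code from the wrong source or for another
        # destination is a masquerade (possible when a key is shared by links).
        if src != self.peer_id or dst != self.my_id:
            return "masquerade", None
        # Timestamp check: older than the time-out means delayed (or replayed late).
        if now_ms - ts_ms > self.max_age_ms:
            return "delay", None
        # Sequence check: already accepted -> repetition; older than expected but
        # never accepted -> re-sequencing; newer than expected -> a gap, i.e.
        # at least one telegram was deleted.
        if seq in self.seen:
            return "repetition", None
        if seq < self.next_seq:
            return "resequencing", None
        if seq > self.next_seq:
            # Reject the frame and resync on the new position; a real safety
            # function would also fall back to a safe state here.
            self.next_seq = seq + 1
            return "deletion", None
        self.seen.add(seq)
        self.next_seq = seq + 1
        return "ok", payload


def demo():
    """Feed one frame per threat class to a receiver; return the verdicts."""
    key = b"constructed-demo-key"          # constructed; a real link provisions its own
    now = 1_700_000_000_000                # constructed epoch milliseconds
    rx = SafetyReceiver(key, my_id=2, peer_id=1, max_age_ms=2_000)
    verdicts = []
    f0 = build_frame(key, 1, 2, 0, now, b"SIGNAL_A=STOP")
    verdicts.append(rx.accept(f0, now)[0])                   # ok
    verdicts.append(rx.accept(f0, now + 10)[0])              # repetition (replay)
    f2 = build_frame(key, 1, 2, 2, now + 20, b"SIGNAL_A=PROCEED")
    verdicts.append(rx.accept(f2, now + 20)[0])              # deletion (seq 1 missing)
    f1 = build_frame(key, 1, 2, 1, now + 15, b"SIGNAL_A=STOP")
    verdicts.append(rx.accept(f1, now + 25)[0])              # resequencing (seq 1 late)
    bad = bytearray(build_frame(key, 1, 2, 3, now + 30, b"SIGNAL_A=STOP"))
    bad[HEADER.size] ^= 0x01                                 # flip one payload bit
    verdicts.append(rx.accept(bytes(bad), now + 30)[0])      # corruption
    forged = build_frame(b"attacker-key", 1, 2, 3, now + 40, b"SIGNAL_A=PROCEED")
    verdicts.append(rx.accept(forged, now + 40)[0])          # corruption (insertion w/o key)
    spoof = build_frame(key, 3, 2, 3, now + 50, b"SIGNAL_A=PROCEED")
    verdicts.append(rx.accept(spoof, now + 50)[0])           # masquerade (wrong source id)
    stale = build_frame(key, 1, 2, 3, now + 60, b"SIGNAL_A=STOP")
    verdicts.append(rx.accept(stale, now + 5_060)[0])        # delay (5 s old, limit 2 s)
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks matters: the safety code is verified before any field is trusted, so a forged or damaged frame cannot influence the sequence or timestamp state, and the receiver's only reaction to a rejected frame is to refuse it (and, for a gap, to resync), never to act on its payload.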

Even though Functional Safety and Cybersecurity share the common goal of trust in the system, the two disciplines characterise risk differently.

Safety analyses unintentional failures (random hardware faults and systematic errors), whereas the cyber approach focuses on characterising malicious intent. The deliberate act at the root of an attack depends on two factors: the attacker (motivation, technical level, available resources) and the vulnerabilities inherent in any digital system.


CYBER RISK ANALYSIS: when conducting a cybersecurity risk analysis, it is customary to rate each asset against the three criteria well known to specialists: Confidentiality, Integrity and Availability (CIA). For control systems the weighting usually differs from IT: the integrity and availability of commands and safety-related data generally matter more than their confidentiality.

THE HUMAN FACTOR: a whole cyber culture must be promoted, with two objectives in mind: do not become an attack vector (know the rules of hygiene) and adopt a questioning attitude when faced with suspicious situations.

HARDENING & SECURE BY DESIGN: it is essential to design and install systems that are capable of resisting attacks by design. This places the security effort in the upstream phases of a project, when the hardware and software architectures are defined, and carries it through development and integration, when the resulting platforms are hardened (unused services and interfaces disabled, default credentials removed, access restricted to what each function needs).

USE OF CERTIFIED PRODUCTS: this involves creating a threat model for the product and its interfaces, defining security requirements to counter those threats, applying an SDLC (Systems Development Life Cycle) adapted to the development process, applying the defence-in-depth concept, and publishing a policy for security patches and updates. Each of these elements can be verified through certification issued by a third party.

Bureau Veritas is able to assist you in setting up or improving any of these steps. Our services also include certification according to the IEC 62443 standard, support in risk analysis and support for the “Secure By Design” approach.

Bureau Veritas’ services for the rail industry cover the full life cycle of projects, from design, through component manufacturing, to construction and operation. We work with major industrials, manufacturers and rail operators around the world to deliver safe and compliant projects that meet the needs of today’s rail users.

Phone: +91 22 6274 2000

This article is part of our September 2019 Magazine.