Cyber Security Meets Transport Infrastructure

Mike Hewitt, head of next generation networks, transport and public UK at Panasonic Systems Solutions Europe, considers the importance of cyber security and IT resilience when it comes to protecting the rail industry.



By Mike Hewitt

 Head of Next Gen Networks

 Transport and Public UK

 Panasonic System Solutions Europe 



How secure is the UK Rail Industry and is it ready for the challenges to come? Technology introduction is critical to the railway and is a mix of Operational Technologies (OT), Information Technologies (IT), these systems often share physical environments and have interconnection requirements, therefore opening the systems to many attack vectors. Connected systems will only be as secure as the weakest link and therefore collaboration across industry stakeholders is key to risk assessment and identification to mitigate the threat of cyber vulnerabilities. There can be in excess of 20 connected systems across current rolling stock which can be a mix of information, retail, and operational systems including Passenger WiFi, Infotainment, CCTV, Passenger Information, Train based Data, Location, Public Address and Ticketing and On-board Retail Systems.

Cyber Security represents a significant challenge for the UK Rail industry and the systems deployed across fixed and moving infrastructure along with the implication and threats from distributed but connected systems including passenger wifi and connected technology systems. Cyber security is a mix of physical security, network security and data protection with operational systems that if affected can result in disruption to commuter networks or worse damage to infrastructure,  people and brand reputation.


The threat and attack landscape is constantly evolving and changing, firewalls, vlans and encryption alone are not sufficient. Resilient cyber security systems and solutions are a mix of asset management and configuration, Protection/Monitoring, Incident Detection, Incident Management/Response and Restoration / Recovery – this can be summarised as

  • Understand – identify the assets, risk of attack and impact of an incident
  • Protect – safeguarding of assets by robust protection of interfaces, data and deter attackers
  • Detect – identify abnormal behaviour, alert and share information with Stakeholders
  • Respond – reduce the impact, rapid recovery from incidents and timely reporting to improve threat intelligence and reporting.


Many of the industry bodies are starting to provide guidance and best practice guidelines including RDG, RSSB, DFT and CPNI while government and EU regulators are implementing legal requirements such as The General Data Protection Regulation (GDPR) and tThe Network Security and Information Security Directive (NIS) both or which become Law by May 2018.

GDPR  is a set of regulations that covers systems or processes which  collect personal data. This will have animpact on how a  passenger’s personal data and CCTV images can be  captured, managed and stored by an operational support system. These systems include passenger WiFi which captures email addresses, MAC addresses, IP addresses and device names which can all be classed as personally identifiable information (PII) under the GDPR regulations.


NIS is a European set of directives who’s initial target is “Critical National Infrastructure” companies including Transportation.

The key points of NIS require that infrastructure operators;

  • Have the capabilities to ensure that the systems implemented to protect networks remain effective and are able to detect cyber security events that have the potential to affect essential services
  • That organisations are able to monitor the status of networks and supporting systems for security events that have the potential to impact essential services – this needs to be delivered under the management of a SOC (Security Operations Centre)
  • Another key requirement is Anomaly Detection that affects or has the potential to affect the delivery of essential services and that appropriate action is taken to respond to the anomaly.


The NIS directive requires designated operators of essential services to notify the relevant authority “without undue delay and as soon as possible, at a maximum no later than 72 hours after having become aware of an incident.”

At Panasonic we work across our stakeholders, partners and regulators to protect the rail industry,  ensuring  that current and future railway technologies are appropriately and proportionally protected from cyber attack.

We will achieve this by developing a culture of security first at the heart of everything we do to deliver freedom through innovation and security by design.


On Wednesday 21 February 2018, I hosted a webinar to discuss the implications of  GDPR and NIS for the UK rail market.

Watch the recording here: 


This article was published in the Dec/Jan 18 edition of Rail Technology Magazine, you can view it at (log in required).