Matt Simpson
Technical director, London, United Kingdom, +44 207 121 2290
Diffuse and dangerous. These are the words used to describe the increasingly complex nature of cyber security. Hostile activity is persistent and growing. In 2024 the National Cyber Security Centre reported a three-fold increase in the number of nationally significant incidents that were “severe”.
Against this backdrop the Government has introduced the Cyber Security and Resilience Bill, the most significant change in cyber regulations in seven years. For the rail sector - already classified as essential services - this legislation introduces expanded supply chain requirements, enhanced incident reporting, and stronger regulatory oversight.
For many, that raises familiar, thorny questions: who owns cyber risk, and how do we manage it across complex systems without compromising performance? Budgets don’t always align, and proven approaches - like those developed for the East Coast Digital Programme - often go underused as the sector reinvents solutions rather than adopting what already works.
The answer lies in recognising that cybersecurity in rail is fundamentally an engineering challenge. It’s about keeping operations running safely, reliably, and without disruption. That means putting cybersecurity and operational resilience back where it used to be: in the hands of the engineers who design and maintain the systems we rely on to run a safe, available railway.
From security wrappers to secure systems
Cybersecurity in rail has often followed an IT-first model, built around data protection, access control, and network security. That’s important. But in operations, the risks are different.
Rail is less concerned with data loss and more with disruption. If a train believes there’s a fault, it stops. If a signal system is compromised, services halt. In a safety-critical setting, availability is everything - and confidence in system integrity is what keeps trains moving.
You see the same in other high-dependency environments - like air traffic control or nuclear energy - where operations are too critical to separate cyber risk from engineering design. No one expects cybersecurity teams to understand how to run a fusion reactor. The people best placed to manage risk are those who understand the system. Rail is no different.
In that context, cyber resilience can’t sit solely with IT or compliance teams. It must be embedded into the systems themselves, from design through to operation. And in a sector that still relies heavily on legacy infrastructure, understanding how vulnerabilities propagate is just as important as preventing breaches.
That’s why the answer isn’t to employ more IT security specialists. It’s to equip engineers - the people who already understand the railway - with the tools, training, and authority to help secure it.
Secure by Design
This is where ‘Secure by Design’ comes in: an approach that builds cyber resilience into engineering processes, not just around them.
This thinking isn’t new. Early work on rail cybersecurity came from signalling, control, and safety engineers managing system interference risk. But over time, cyber became more corporate. Oversight - and crucially, funding - shifted to centralised teams. These teams asked the right questions, but couldn’t influence solutions. The result was an avalanche of frameworks, policies, and standards.
Those developments added scope and capability. But frameworks alone don’t secure a railway. Integrated, operationally grounded decisions do.
For example, AtkinsRéalis’ Cyber Academy trains systems, maintenance, and signalling engineers in practical cyber resilience through the application of internationally recognised standards. Delivery teams design risk out from the start, rather than audit it in at the end.
This isn’t about replacing cybersecurity professionals. It’s about expanding the network of people who are equipped and trusted to contribute to resilience. And the training isn’t complex. Engineers can easily access structured courses aligned to international standards. The real barrier is not complexity - it’s prioritisation and funding.
Regulation with teeth
The Cyber Security and Resilience Bill’s intent is ultimately to create a more coherent foundation for resilience across critical sectors. For rail, three key implications stand out:
- It pushes responsibility into the supply chain, including contractors and vendors delivering digital rail systems and services.
- It broadens the definition of who’s in scope. Managed service providers—like those delivering railway reliability and performance platforms—may soon be held to the same standards as asset owners.
- It sharpens reporting requirements. To give the government better insight into critical threats, incidents must now be reported within 24 hours, with full response plans delivered in 72.
These point to a future where resilience is everyone’s responsibility, and where joined-up thinking between cyber specialists, engineers, and the supply chain will be essential.
Train the people you already have
A common refrain in the industry is that we don’t have enough cyber talent. The skills gap is real. But in rail, the more urgent challenge is alignment.
Most cyber professionals focus on network, data and confidentiality challenges. Most engineers inhabit a world of reliability, integrity and safety metrics. We don’t always need fluency in both - a rare skill - but we do need improved collaboration between those who manage infrastructure resilience and those who secure it. And we need to equip engineers with greater cyber awareness to support more secure design.
That means building confidence in areas like risk assessment and mitigation planning. It also means recognising that many of the people already delivering safe, resilient rail systems can - and should - be part of the cyber conversation. And it frees up cyber teams to focus on what they do best, such as network access, emerging vulnerabilities and incident response.
A mindset shift - not a reinvention
None of this is about reinvention. It’s about returning to the fundamentals of good engineering: understanding risk, designing it out, and delivering systems that perform safely under pressure. The threat landscape may be evolving, but the principle is the same: build security and resilience into the system, not around it.
That means engineers and cyber professionals working side by side, integrating standards with delivery, and investing in capability early, so security isn’t just tested—it’s designed in.
If we treat cybersecurity as a bolt-on, we’ll always be one step behind. But if we embed it as part of how we engineer the railway, we’ll build long-term cyber confidence, not just compliance.
Matt Simpson is a Technical Director for Cyber Resilience at AtkinsRéalis UK & Ireland. This article was originally published in the 11 June 2025 edition of RAIL Magazine.