What the NCSC CAF Means for UK Rail Companies
Solely applying conventional IT security controls to Critical National Infrastructure (CNI) environments rarely works in practice. The operational realities are simply too different. Instead, a combination of conventional IT and Operational Technology (OT) security controls is needed.
In Cyro Cyber’s series on the application of the NCSC Cyber Assessment Framework (CAF), we’ve already examined the distributed networks of the water sector. The rail sector presents an even more distinctive challenge: infrastructure that’s not just distributed, but moves millions of people daily, safely and securely.
The UK rail sector presents a cyber security challenge unlike any other. It’s a fragmented sector of Infrastructure Management (Network Rail), Train Operating Companies (TOCs), Freight Operating Companies (FOCs), and Rolling Stock Leasing Companies (ROSCOs). Securing this environment means protecting a mix of legacy infrastructure and modern, digitally connected data centres on wheels.
Here’s what the CAF means for the UK rail sector, and where Operators of Essential Services (OES) are hitting the hardest road (or rail) blocks.
DfT and the Safety Mandate
In the rail sector, the Department for Transport is the Competent Authority for the NIS Regulations, supported heavily by the Office of Rail and Road as the safety and economic regulator.
The DfT uses the CAF as the foundation for its cyber compliance regime. However, in rail, the regulator’s primary lens is always physical safety. If a cyber incident causes a train delay, it’s a massive commercial and reputational issue. If a cyber incident compromises an interlocking system or the European Train Control System (a digital signalling system that continuously monitors and controls train movements to ensure safe spacing and speed), it’s a catastrophic safety issue. The DfT expects your CAF self-assessment to clearly reflect this hierarchy of risk.
Key Nuances of the Rail Sector Profile
When attempting to align with the CAF in a rail environment, standard enterprise security tools often fail. Here are the three most significant friction points we at Cyro Cyber see across our clients:
The Moving Attack Surface and "Trackside" Realities
A modern train is effectively a rolling IT/OT network, constantly connecting and disconnecting from trackside infrastructure and cellular networks.
CAF Principles B2 (Identity and Access Control) and B5 (Resilient Networks) are incredibly complex when dealing with mobile assets and legacy trackside signalling. You can’t easily patch a train while it’s in passenger service, and enforcing network segmentation on legacy trackside relay rooms is notoriously difficult. The CAF expects operators to have a firm grasp on the boundaries between the train control networks, passenger Wi-Fi, and trackside signalling communications (like GSM-R).
The "Fail-Safe" vs. "Fail-Secure" Conflict
In traditional IT, if a system detects a severe threat, the standard response is to shut it down to protect the data (Fail-Secure). In rail OT, shutting down a signalling system unexpectedly could cause a physical disaster. Rail systems are designed to be "Fail-Safe", meaning they default to a state that prevents physical harm (like turning all signals to red).
CAF Principle C1 (Response and Recovery Planning) requires cyber incident response to integrate flawlessly with physical safety protocols. However, cyber security controls cannot interfere with the Safety Integrity Levels (SIL) of rail equipment. Active vulnerability scanning or aggressive endpoint detection on a train's Central Control Unit can cause the system to trip. The DfT expects your security architecture to respect the physical and safety protocols of the railway.
The Franchising and Supply Chain Maze
The UK rail network is uniquely fragmented. Network Rail owns the tracks and signals, ROSCOs own the trains, TOCs lease the trains and run the services, and vendors like Siemens or Alstom provide the underlying technology.
CAF Principle A4 (Supply Chain) is the single biggest headache for the sector. When a cyber vulnerability is found on a train, who is responsible for patching it? The TOC operating it, the ROSCO that owns it, or the vendor that built it? The DfT expects OES to have clear, contractually backed delineations of cyber risk and incident response responsibilities across this complex supply chain.
Deadlines and Drivers
Like the water and energy sectors, rail operates on strict funding cycles. We are currently in Control Period 7 (CP7), which runs from April 2024 to March 2029.
This means the budgets for major infrastructure and digital signalling upgrades (like the East Coast Digital Programme) are already in motion. The DfT and ORR expect cyber resilience to be baked into these CP7 deliverables. Furthermore, with the upcoming Cyber Security and Resilience Bill set to expand the scope of regulated entities and mandate stricter reporting, rail operators and their supply chains cannot afford to treat CAF compliance as an afterthought. "Grandfathering" in old, insecure systems because they are too hard to upgrade will face unprecedented regulatory pushback.
How We Can Help
At Cyro Cyber, we understand that you cannot simply airgap a modern digital railway, nor can you treat a train’s OT network like a corporate LAN.
We help rail operators, ROSCOs, and the wider supply chain navigate the CAF by:
Rail Specific Gap Analysis: Translating the DfT's CAF expectations into actionable engineering tasks for both rolling stock and trackside assets (applying a specific profile with bespoke indicators of good practice).
Safety Aligned Security Design: Designing network architectures and monitoring solutions that protect OT environments without violating safety cases or SIL requirements.
Supply Chain Risk Mapping: Untangling the complex responsibilities between TOCs, ROSCOs, and OEMs to ensure seamless CAF Principle A4 compliance.
Get in touch today to learn more and understand how we can keep your systems compliant and operational and your passengers safe.