Newsroom


Railway Cybersecurity: Good Practices in Cyber Risk Management

This ENISA report provides good practices for cyber risk management approaches that are applicable to the railway sector. It offers a guide for railway undertakings and infrastructure managers to select, combine or adjust cyber risk management methods.


Date: 04/03/2022

European railway undertakings and infrastructure managers systematically address cyber risks as part of their security risk management processes, especially since the Network and Information Security (NIS) Directive came into force in 2016. Addressing cyber risks in the railway sector can raise entirely new challenges for railway companies, which often lack the internal expertise, organisational structure, processes or resources to effectively assess and mitigate them.


The nature of railway operations and the interconnectedness of railway undertakings (RUs), infrastructure managers (IMs), and the supply chain require all involved parties to achieve and maintain a baseline level of cybersecurity. European RUs and IMs use a combination of good practices, approaches, and standards to perform cyber risk management for their organisations, as they need to assess cyber risks for all functions and for both OT and IT. This report gathers insights on these current practices in a single document and can assist railway undertakings and infrastructure managers in their efforts to apply them. It provides examples of reference material, such as available taxonomies of assets and services, threat taxonomies, seven comprehensive threat scenarios derived from real incidents, and available cyber risk mitigation measures derived from guidelines and standards.


This report aims to be a reference point for current good practices for cyber risk management approaches that are applicable to the railway sector. It offers a guide for railway undertakings and infrastructure managers to select, combine or adjust cyber risk management methods to the needs of their organisation. It builds upon the 2020 ENISA report on cybersecurity in the railway sector, which assessed the level of implementation of cybersecurity measures in the railway sector.


This report provides actionable guidelines, lists common challenges associated with the performance of the relevant activities, and outlines good practices that can be readily adopted and tailored by individual organisations. Additionally, a list of useful reference material is available, together with practical examples and applicable standards.
