The UK Government’s new Cyber Action Plan might be aimed at the public sector, but its signal travels much further, says Steve McEvoy, VP Rail and Automotive at Expleo, an engineering, technology and consulting services provider.
It reflects a growing recognition that cyber resilience rarely collapses because of one bug or one bad actor. More often, disruption slips in through the gaps between ageing systems and shared assets. For rail and transport, digital control has become part of the everyday rhythm of operations, so that shift in mindset really matters.
Why resilience now matters more
This is not a distant or theoretical risk. The UK Government’s Cyber Security Breaches Survey 2025 reports that around four in ten businesses experienced a cyber breach or attack in the previous twelve months. Many of those incidents never hit the headlines and did not involve data loss, yet still knocked services off balance and forced teams into firefighting mode.
The sheer volume of these events keeps attention on resilience as an ongoing operational concern while pure prevention starts to look like only part of the story. Rail and transport operators feel this pressure every day. Large estates mix legacy signalling and control systems with new digital platforms that sit on long asset lifecycles and tight upgrade windows.
Operational technology and enterprise IT now share data and infrastructure in ways they did not when many routes were first built. Maintenance and support sit across a web of suppliers and long‑term partners. Cyber risk in this kind of landscape does not stay in a separate IT box and becomes part of how the network runs.
Beyond tick‑box compliance
The Cyber Action Plan puts a spotlight on assurance and learning when things go wrong. That reflects a broader move away from treating cyber security as a checklist to complete once and file away.
Meeting baseline requirements still matters for governance and regulation, yet does not guarantee resilience when systems move through small, steady steps and when dependencies blur over time. Static controls struggle to keep up with a live railway that changes with every timetable shift or technology refresh. The National Cyber Security Centre echoed this in its 2025 Annual Review. It underlined that preparation, response and recovery sit alongside preventive controls if organisations want true cyber resilience.
For rail operators, this feels familiar. Safety and engineering cultures already treat assurance as something continuous rather than a single sign‑off. Testing and validation under stress conditions are already part of daily practice. The opportunity now is to fold cyber into that same way of thinking, so digital risk gets the same disciplined attention as safety and reliability.
Legacy technology makes this more challenging. Older platforms can be difficult to patch, hard to monitor and reluctant to talk to security tools. At the same time, they often carry core services and cannot simply be switched off without major disruption or cost. That creates a constant pull between keeping trains moving and tightening digital defences.
The path forward lies in acknowledging those constraints, planning upgrades as a series of realistic steps and building resilience into each move rather than waiting for a perfect replacement.
Supply chains add another layer to this picture. Rail operators depend on specialist partners like managed service providers and maintenance firms who each hold a piece of the puzzle. Cyber responsibilities spread across organisational boundaries that do not always match the technical layout of the network. The Cyber Action Plan’s emphasis on supplier assurance recognises that resilience depends on how these relationships work in practice, not only on what contracts say on paper. Shared playbooks and transparent reporting both help close that gap.
Seeing the network clearly
In such a connected environment, visibility matters as much as control. Operators need to understand how data moves through the network, which systems are truly critical and how a fault in one part can ripple into delays or failures elsewhere.
Without that clear view, it becomes hard to test assumptions or decide where to invest time and budget. Frameworks that only inspect single devices or isolated services risk missing cracks in the network that emerge when everything is running together at full load.
Here, interest in AI‑led cyber security is gathering pace, especially in sectors that manage complex, sprawling estates. Used carefully, AI can watch the digital pulse of a railway in real time, drawing on logs, events and even sensor feeds at a scale that human teams cannot track alone. It can flag unusual patterns and surface early warning signs to help teams focus on the alerts that really matter. In that role, AI supports assurance and extends human capability.
At the same time, rail remains a safety‑critical environment, so any AI‑driven decision‑making should be met with caution. Automated actions that trigger without the right guardrails can introduce new forms of risk, especially where physical operations and passenger safety are involved. Human oversight and clear lines of accountability therefore remain essential. AI can strengthen those processes, while disciplined engineering practice and clear operational rules still set the boundaries.
Pressure into progress
The World Economic Forum’s Global Cybersecurity Outlook 2026 reinforces this balanced view. It identifies supply chain exposure as one of the biggest cyber resilience challenges facing large organisations and notes that AI will increasingly shape how cyber security is run at scale. The key takeaway message here is that technology can help tackle complexity when operators embed new tools inside governance and assurance models that people understand and trust.
For rail and transport operators, moving beyond compliance means treating cyber resilience as part of how the railway is built and maintained. Cyber risk becomes another dimension of system assurance, assessed alongside safety and performance. That calls for regular testing and clear ownership of digital responsibilities and a recognition that resilience grows through repeated, practical steps rather than a single programme or one‑off investment.
The Cyber Action Plan should be read as a prompt in that direction. It points towards a future where cyber resilience is part of everyday railway operations and cuts across organisational charts and technical diagrams.
Rail offers a vivid example of why this matters. People rely on these systems every day and often do not think about the digital layers behind the timetable. In a safety‑critical environment, resilience is more than a technical ambition and works as the foundation for trust in the journeys that keep the country moving.
