Case Study

Bombarder Aventra - Digital risk assessment

Bombarder Aventra - Digital risk assessment
Published: 08 March 2020 Client name: Bombardier Transportation Service provided: Digital Resilience

Expert appraisal of vehicle’s exposure to a range of cyber security threats.

We worked in partnership with Roke Manor Research Ltd, a leading UK cyber security and communications specialist, on a digital resilience project for Bombardier, a global rolling stock manufacturer, helping their in-house teams assess the exposure of the Aventra platform to a range of possible cyber security threats.

The Aventra was introduced to the UK rail network in 2017 and will become increasingly familiar to commuters as it joins fleets serving the south, west and midlands regions.

To provide confidence that the vehicle can meet the highest standards of security against current and emerging threats, Bombardier commissioned the Ricardo-Roke team to produce a full appraisal of the platform's digital risk profile.

The project represented one of the first examples of a major train manufacturer seeking to integrate cyber security assessments into their design and testing processes.

Our approach


Our methodology combined the client's own cyber security management plan, the recognised international standard, IEC 62443, and well-defined practices from specific sources, such as the International Information System Security Certification Consortium, the Ministry of Defence and the National Institute of Standards and Technology.

Analysis and zoning

Working closely with the client's in-house teams, our experts started with initial asset identification and initial zoning exercises, followed by high-level risk analysis. The analysis started with the opening question of 'What is the core business purpose of the system under investigation'?


Having completed their investigations, our teams provided Bombardier with the findings in a series of indexed reports, including threat assessments, vulnerability analysis, detailed risk assessment and recommended mitigations and countermeasures.

A high-level digital risk assessment

Upon completion, Bombardier was provided with a fully detailed, high-level risk-based assessment that highlighted the security risk of components, sub-systems and the Aventra platform, along with recommendations that Bombardier could incorporate directly into existing risk management practices. 

Our assessments also provided confidence to Bombardier's teams that the Aventra platform was capable of compliance with the Directive on the Security of Network and Information Systems (NIS-D).

What is the NIS-D and does it affect you?

The Directive on the Security of Network and Information Systems (NIS-D) was adopted by the European Union in 2016.

The intention is to ensure common standards of security across all member states and the Directive  sets out a range of security requirements that now apply to operators of essential services - including national railways and their supply chains.

Relevant organisations that fail to comply with the Directive risk incurring strict financial penalties - which can be up to 4% of turnover - and being subjected to increased supervision by their designated National Competent Authorities.

Ensuring full compliance with NIS-D is a complex challenge for organisations unfamiliar with its scope, its requirements and even the extent of materials and information they must be able to provide about their networks and information infrastructure.

To talk to an expert about the implications of the NIS Directive for your business, contact us directly using the form below, or visit our Digital Resilience pages.

Digital Resilience

Digital Resilience

Our Digital Resilience team help clients across the rail industry understand the vulnerabilities of their systems and protect against incidents.

Read more

Request more information

Please tick the boxes below if you give consent for Ricardo to contact you with additional information on our services, products or events. Your information will be stored on our secure systems, will not be shared with 3rd parties, click here for Ricardo’s privacy notice.