As the importance of cybersecurity in railway systems becomes increasingly recognized worldwide, attacks and disruptions in the industry are also on the rise. ‍The rail industry is facing increasing pressure to improve its cybersecurity, and for many operators, this means embarking on a rail security uplift project for installed-based systems. 

‍

This project usually consists of four steps. Project Identification, Vendor Review and Partner Identification, a Tender Process (optional), and Deployment. Below, we will review the first phase of this process, Project Identification, highlighting the steps Cylus has seen used by prior customers use successfully in efficiently purchasing rail cybersecurity platforms for installed-base systems. 

‍

The Project Identification phase of these projects typically takes one to three months and involves several key activities, including:

‍

1. Documenting the Project Triggers

Understanding the driving motive and objectives early helps focus steps later in the process and get the right team members on board. The project triggers can vary but typically include regulatory pressure, cybersecurity risk assessments, security incidents, changes (internal or on another operator), non-cyber-related upgrades and changes, and executive pressures. 

‍

2. Identifying the Initial Project Team

Installed-base rail security projects are often owned by the Chief Information Security Officer (CISO) or equivalent role and are led by a member of the IT security team. To make future project stages more efficient, we recommend involving the rail operations team sooner rather than later. 

‍

3. Conducting Basic Needs Research

Market research is conducted to determine how needs can be met, how other organizations address the needs, and whether best practices guidance exists. This includes online research, speaking to peers, reading relevant whitepapers and case studies, and reviewing industry sites.

‍

4. Identifying Vendors and Creating a Shortlist

The next step is identifying vendors who can provide security products or services and what options already exist in the marketplace. Consider the vendor's reference customers and the solution type, and collect helpful information for questions. Online research and peer references help produce a shortlist of vendors to evaluate in the next phase.

‍

5. Developing Budget Parameters

Customers typically look to estimate an overall budget for an initial purchase as well as specific constraints and requirements that must be considered. This usually involves consulting with key stakeholders and considering the expected contract term and solution lifespan.

‍

6. Scoping Possible Project Timelines

Considering the project triggers and objectives, the team members begin to think through initial project scope considerations and document high-level future project milestones. It's essential to have documented future project expectations and key questions to be addressed to ensure a successful purchase process.

‍

Read our complete guide to learn more about the Buying Process for Security Uplift Projects.