According to a report by the Telegraph, cybersecurity company Darktrace said that the UK rail network was the subject of at least four cyber attacks in the past 12 months.
Cybersecurity specialist Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said that if the EU's recently finalised Network and Information Security (NIS) Directive was already implemented and in force in the UK then the cyber attacks might have needed to have been flagged by the organisation running the systems under attack.
Hon said, though, that in light of the UK's vote to leave the EU it is not yet clear whether the UK will implement the NIS Directive into national law.
"Assuming the UK implemented the NIS Directive, if the railway company concerned was designated by the UK as an operator of essential services, or falls within any criteria issued by the UK for that purpose, it would have to notify incidents having a significant impact on the continuity of the essential services they provide," Hon said. "Rail is certainly one of the sectors envisaged under the Directive as having 'critical infrastructure' in need of preserving."
"Under the Directive 'incident' means any event having an actual adverse effect on the security of network and information systems. So the incident first has to have had an actual adverse effect on the ability of the company's network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored/transmitted/processed data or related services on those systems, before the notification requirement is triggered," she said.
Hon said it is important for companies to have "systems that will track and log accesses and operations on data, to work out if there was an impact on confidentiality or integrity" of data, as well as for monitoring network intrusions and maintaining availability against, for example, distributed denial of service attacks.
"If there was no significant impact on the continuity of an essential service – the Directive spells out certain minimum factors to help decide when an incident should be considered 'significant' – then notification is not necessary, although some organisations may wish to do so anyway," she said.
Hon said that even if notification requirements are not triggered under the NIS regime, operators of essential services might still face penalties for a breach of their security obligations under the Directive.
As well as determining which organisations in their jurisdiction are 'operators of essential services' and subject to the NIS Directive rules, EU countries must set their own "effective, proportionate and dissuasive” penalties for infringement.
The NIS Directive requires operators of essential services to "take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations".
Those operators will also need to "take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services", for instance encryption and resilience and business continuity measures.
Technology law expert Luke Scanlon of Pinsent Masons assessed which businesses can expect to be subject to the new NIS Directive earlier this year.