Information security
GRI 3-3
Information security remains a top priority for Russian Railways. During the reporting period, the Company operated under the critical threat level for targeted cyberattacks on Russia’s information infrastructure, as established by the Russian Security Council.
Russian Railways has implemented a comprehensive system of legal, organisational, and technical information security measures, including the approved Russian Railways industry standard 18.002-2024 “Information Security Management. Basic Provisions” and the Russian Railways Information Security Policy.
To enhance personal data protection controls through a risk‑based approach and in line with regula
- Regulation on Personal Data Protection Compliance Monitoring at Russian Railways;
- List of Personal Data Processing Purposes, Data Categories, and Data Subject Types at Russian Railways (approved by Russian Railways’ Order No. 72 dated 20 October 2023, as amended by Russian Railways’ Order No. 75 dated 25 October 2024);
- Personal Data Operator Passport template (approved by Russian Railways’ Order No. 1781/r dated 24 July 2024).
The cyber threat landscape underwent significant changes in 2024. The total number of cyberattacks against Russian Railways’ information infrastructure decreased by 34% compared to 2023, with 3,110,403 attacks detected and neutralised in absolute terms. However, targeted and technologically sophisticated attacks on the external perimeter increased, exceeding 600,000 incidents (+1.2% versus 2023 totals). The attack profile was dominated by distributed denial‑of‑service (DDoS) attacks, attempted malware injections on websites, and workstation infections. Notably, 46.2% of attacks involved reconnaissance scanning of Russian Railways’ infrastructure to identify and exploit vulnerabilities. The Company’s security monitoring systems successfully detected and neutralised all such attempts in a timely manner.
Through its comprehensive digital risk monitoring solution, Russian Railways blocked 11 phishing websites and submitted additional requests to block 142 extremist information resources to the Moscow Interregional Transport Prosecutor’s Office and the Federal Security Service of Russia. The Company’s email system implemented protection against spam and malicious emails, along with antivirus scanning of attachments, which detected and blocked over 2 million emails in 2024. A dedicated mailbox was created for Russian Railways employees to forward suspicious emails for analysis.
Given the importance of maintaining uninterrupted transportation operations, one of the priority focus areas was ensuring the security of Russian Railways’ critical information infrastructure facilities.
As at the end of 2024, Russian Railways categorised 373 critical information infrastructure facilities, including 21 major facilities. The security measures for these facilities are being implemented in full compliance with applicable regulatory requirements.
Information security risks
Breach of data confidentiality, integrity, availability, reliability, etc., may, among other things, lead to:
- disruptions of corporate systems thereby impacting operations and critical IT infrastructure facilities;
- disclosure of information constituting a trade secret or other types of secret;
- damage to the integrity of financial documents;
- unauthorised access to the personal data of employees and customers;
- direct and indirect financial losses.
The main risk factors related to the security of Russian Railways’ information infrastructure include tampering by third parties to gain unauthorised access to the information of the Company and its counterparties, including purposeful hacker and virus attacks, as well as internal threats of employee misconduct and the failure of analysis and SIEM tools.
The key information security measures implemented by Russian Railways include:
- classification and categorisation of Russian Railways’ systems, information security threat modelling, development of information protection requirements;
- sound arrangement of the information infrastructure components with due account for information security;
- design and implementation of centralised protection tools and private information protection subsystems in the Company’s information infrastructure, certification of Russian Railways’ systems for compliance with information security requirements;
- arrangements to analyse and control the security of IT infrastructure;
- organisation of employee training in information protection;
- ensuring the security of Russian Railways’ information systems in use, monitoring information security incidents and responding to them;
- conducting internal investigations into information security and confidentiality incidents related to the use of computers;
- enhancement of the Company’s information security policies and guidelines.