
What is Rail Cybersecurity?

Cervello Team
December 27, 2021

Rail Cybersecurity: What is it and Why is it Important? 

Rail cybersecurity refers to the technology and processes that aim to secure rail systems, operations, and passengers from cyber attacks.

To be effective, rail cybersecurity solutions must be built for the unique architecture of railway systems and be able to monitor, identify, and quickly respond to cyber incidents. Equally important, railway operators, infrastructure managers, and OEMs need to know what actions to take to prevent and mitigate threats.

As the prevalence of cyber attacks against rail organizations rises, rail cybersecurity has become a top priority on both the organizational and national levels — as it should.

Properly managing rail cyber risks is crucial: increasingly connected OT, IIoT, and third-party software introduce new attack vectors that did not exist in isolated railway systems.

In this article, we will explain what rail cybersecurity is, why it needs to be a priority for all rail professionals, and how to fulfill emerging security standards.

Why Rail Cybersecurity is Demanding More Attention

As the industry undergoes digital transformation, operational systems, control systems, signaling systems such as ETCS, and telecommunications networks are becoming highly interconnected. Bespoke stand-alone systems are being replaced with digitally connected assets that can be accessed remotely over public and private networks.

The vulnerabilities these connected systems introduce make them attractive targets for malicious actors.

According to Gartner, by 2025, 30% of critical infrastructure organizations, such as rail, will experience a security breach that will result in halting operations or mission-critical systems.

NIST’s guide to industrial control system security (SP 800-82) outlines six key threats to ICS that apply directly to rail:

  1. Delaying or blocking the flow of information through ICS networks, which could disrupt or halt ICS operation.
  2. Disabling or interfering with the operation of safety systems, which could endanger human life.
  3. Inserting malware into ICS software or modifying configuration settings.
  4. Interfering with the operation of equipment-protection systems, which could damage costly equipment that is difficult to replace.
  5. Making unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or completely shut down equipment. Such changes could lead to environmental impacts and passenger harm.
  6. Sending false information to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions.

The ability of a malicious actor to hijack and control crucial operational, safety, and communication systems should be a major concern for both rail organizations and national governments. Gartner predicts that by 2023 the financial impact of cyberattacks on OT and other cyber-physical systems that result in fatal casualties will reach $50 billion.

As recent railway cyber attacks show, attacks on OT assets have become more common, and their effects are costly.

Challenges of railway cybersecurity

The railway industry is one of the longest-standing industries still operating today, and many of its systems run much as they did a century ago. While this long history has let the industry mature its approach to physical and operational safety, it has also left it in a compromising position as the world has gone digital. Railways face particularly unique challenges when implementing a cybersecurity solution: the technological limitations of legacy systems, interdependencies between systems combined with a lack of proper asset visibility and management, and insufficient cybersecurity awareness and expertise within the industry. One of the best ways to combat these challenges is a cybersecurity strategy and solution that is specific to railways and is embedded in the design of the system from the outset.

Key Cybersecurity Threats in the Rail Industry

Like other industries, rail is susceptible to cyber threats. However, because of the potential gravity of a cyber attack on rail and the interconnectedness of railway systems, any threat to rail, especially one whose impact on critical systems and operations cannot be seen, must be handled with the utmost seriousness. One of the key threats seen in the past year was ransomware and DDoS attacks against railway IT systems and third-party software. While in hindsight many of these incidents were neither very serious nor difficult to handle, the lack of information at the time caused a much larger and more financially damaging reaction. A less common but far more severe threat is a cyber intrusion into railway signaling and interlocking systems. The danger in such attacks lies not only in their impact on the economy, reputation, and, of course, human lives, but in the complexity of fixing or patching such systems after even the most minor interference. Because these are safety-critical systems, it can take months or years to develop the necessary fixes, test them for safety and functionality, and receive approval, putting major economic strain on the organization.

3 Key International Cybersecurity Standards to Know

Governments and standards bodies around the world have introduced new regulations and standards designed to reinforce rail cybersecurity and prevent attacks. Here is an overview of the three most important ones:

  1. In the EU, the European Committee for Electrotechnical Standardization (CENELEC) released CLC/TS 50701 in 2021. This technical specification, titled “Railway Applications – Cybersecurity,” adapts the IEC 62443 approach to rail and includes requirements and recommendations for protecting rolling stock and fixed installations in a unified way across Europe.
  2. In the US, the TSA took an even stronger approach with the release of its first rail cybersecurity Security Directive, SD 1580-21-01. The Directive, effective December 31, 2021, applies to freight railroad carriers identified in 49 CFR 1580.101 and others designated by TSA (a parallel directive, SD 1582-21-01, covers passenger railroads and rail transit), and compels them to take the following four actions:
    • Designate a cybersecurity coordinator who will be available to the TSA and the Cybersecurity and Infrastructure Security Agency (CISA) at all times;
    • Report cybersecurity incidents to CISA within 24 hours;
    • Develop a cybersecurity incident response plan to reduce the risk of operational disruption;
    • Conduct a cybersecurity vulnerability assessment according to TSA’s directions.
  3. In an effort to fortify industrial cybersecurity globally, the International Electrotechnical Commission (IEC) adopted the ISA/IEC 62443 series of standards, which provides a flexible framework for addressing and mitigating security vulnerabilities in industrial automation and control systems (IACS), including its zone-and-conduit model for network segmentation. The standards address the different stakeholders found in rail, including operators, service providers, and manufacturers, and offer role-specific requirements for mitigating security risks.

Learning about these standards, as well as guidance on how to fulfill them, encourages railway operators and manufacturers to strengthen cybersecurity defenses by implementing a security-by-design approach, where cybersecurity protocols are included in the design of the project.

Strengthen Your Defenses With a Solution That’s Built For Railway

To ensure safe and reliable transport, and at the same time avoid operational disruption, railway organizations require a cybersecurity solution that is built specifically for the domain’s protocols, technologies, methodologies, and systems. It must be designed to fit into railway systems’ unique architecture, operational workflow, and address their vulnerabilities.

A rail cybersecurity platform such as Cervello does just this.

A solution designed specifically for railways replaces the traditional perimeter defense model with a zero-trust posture implemented through fully passive, non-intrusive monitoring. Cervello’s methodology for rail cybersecurity involves five steps:

  1. Integration – A flexible and scalable integration fitted to quickly start monitoring railway infrastructure without causing any system downtime or interfering with highly sensitive railway networks is fundamental.
  2. Visualization – Cervello maps and segments all connected assets and clusters into their respective security zones. This gives rail operators and infrastructure managers the context needed to impose safety restrictions, meet railway safety standards, and quickly respond to suspicious activity.
  3. Detection – Cervello uses a fully passive, non-intrusive approach that treats any connection or command as suspicious until it is known to be legitimate, providing early threat recognition.
  4. Investigation – When a threat is discovered, our platform performs deep forensics to produce a precise view and complete threat profile, including all of the potentially impacted connected systems, assets, and operational consequences.
  5. Response – Once the platform identifies the source of the attack, it immediately dispatches a highly optimized and actionable response playbook on how to remediate the threat and contain any operational disruptions.
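The visualization and detection steps above can be made concrete with a small example. The code below is added for this article and is not Cervello’s code: the asset inventory, zone and conduit policy, protocol labels, and flow records are all constructed. It learns an allowlist of asset-to-asset conversations from a trusted learning window, then flags live flow records that either violate the zone-and-conduit policy or were never seen before. Because the detector only consumes flow records (for example from a SPAN port), it is passive: it can raise an alert but cannot block the traffic, which is why the response step still needs a playbook and a human in the loop.

```python
"""Zone-aware, default-deny detection over passively captured OT flow records.

Added illustration for this article; not Cervello's code. All assets, zones,
policy entries and flow records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed conversation, as a passive sensor would summarise it."""
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # hypothetical protocol label, e.g. "modbus", "ssh"
    op: str     # "read", "write" or "session"


# Hypothetical asset inventory, as the mapping/segmentation step would produce it.
ZONES: Dict[str, str] = {
    "10.1.0.5": "control",       # interlocking controller (constructed)
    "10.1.0.6": "control",       # second controller (constructed)
    "10.2.0.10": "operations",   # operator HMI (constructed)
    "10.3.0.20": "maintenance",  # maintenance laptop network (constructed)
    "10.9.0.99": "corporate",    # corporate IT host (constructed)
}

# Conduits: which zone pairs may talk at all, and with which operations.
# Anything not listed is denied by default (zero trust between zones).
ALLOWED_CONDUITS: Dict[Tuple[str, str], Set[str]] = {
    ("operations", "control"): {"read", "write"},
    ("control", "control"): {"read", "write"},
    ("maintenance", "control"): {"read"},  # maintenance may observe, never command
}

Baseline = Set[Tuple[str, str, str, str]]


def learn_baseline(flows: List[Flow]) -> Baseline:
    """Allowlist of (src, dst, proto, op) seen during a trusted learning window."""
    return {(f.src, f.dst, f.proto, f.op) for f in flows}


def classify(flow: Flow, baseline: Baseline) -> List[str]:
    """Return the reasons a flow is suspicious; an empty list means it conforms."""
    reasons: List[str] = []
    src_zone = ZONES.get(flow.src)
    dst_zone = ZONES.get(flow.dst)
    if src_zone is None or dst_zone is None:
        reasons.append("unknown-asset")          # not in the inventory at all
    else:
        allowed_ops = ALLOWED_CONDUITS.get((src_zone, dst_zone))
        if allowed_ops is None:
            reasons.append(f"no-conduit:{src_zone}->{dst_zone}")
        elif flow.op not in allowed_ops:
            reasons.append(f"op-not-permitted:{flow.op}")
    # Even a policy-compliant flow is suspicious if it was never seen before.
    if (flow.src, flow.dst, flow.proto, flow.op) not in baseline:
        reasons.append("not-in-baseline")
    return reasons


def severity(flow: Flow, reasons: List[str]) -> str:
    """Writes into the control zone and unknown assets are the highest priority."""
    if not reasons:
        return "none"
    if "unknown-asset" in reasons or (ZONES.get(flow.dst) == "control" and flow.op == "write"):
        return "high"
    return "medium"


def detect(flows: List[Flow], baseline: Baseline) -> List[Tuple[Flow, List[str]]]:
    """Return every flow that raised at least one reason, in capture order."""
    alerts = []
    for f in flows:
        reasons = classify(f, baseline)
        if reasons:
            alerts.append((f, reasons))
    return alerts


# Constructed learning window: normal HMI traffic plus a maintenance read.
LEARNING_FLOWS = [
    Flow("10.2.0.10", "10.1.0.5", "modbus", "read"),
    Flow("10.2.0.10", "10.1.0.5", "modbus", "write"),
    Flow("10.1.0.5", "10.1.0.6", "modbus", "read"),
    Flow("10.3.0.20", "10.1.0.5", "modbus", "read"),
]

# Constructed live capture: one normal flow and four that should alert.
LIVE_FLOWS = [
    Flow("10.2.0.10", "10.1.0.5", "modbus", "read"),      # normal
    Flow("10.3.0.20", "10.1.0.5", "modbus", "write"),     # maintenance host commanding interlocking
    Flow("10.9.0.99", "10.1.0.5", "ssh", "session"),      # corporate -> control, no conduit
    Flow("192.168.77.4", "10.1.0.6", "modbus", "write"),  # asset missing from inventory
    Flow("10.2.0.10", "10.1.0.6", "modbus", "write"),     # policy allows it, but never seen
]

BASELINE = learn_baseline(LEARNING_FLOWS)
ALERTS = detect(LIVE_FLOWS, BASELINE)

if __name__ == "__main__":
    for flow, reasons in sorted(ALERTS, key=lambda a: severity(*a) != "high"):
        print(f"[{severity(flow, reasons):6}] {flow.src} -> {flow.dst} "
              f"{flow.proto}/{flow.op}: {', '.join(reasons)}")
```

The last live flow is the instructive one: the zone policy permits the HMI to write to any controller, but the baseline never saw it write to the second controller, so it is still reported. That is what “assume every command is suspicious” looks like in practice, and it is also why the learning window must be captured from a period the operator trusts, or the baseline will quietly allowlist an intruder’s activity.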

Principles and Best Practices for Rail Cybersecurity

Here are three concrete ways to start building up your rail cybersecurity defenses.

1. Become informed on rail cybersecurity standards and best practices: Increasing regulatory oversight and requirements may seem overwhelming, but becoming familiar with new standards and best practices will position you to manage them more easily. For example, check out the NIST Cybersecurity Framework and CISA’s toolkit for surface transportation. European rail organizations should also take ENISA’s railway cybersecurity recommendations into account.

2. Assess your current security posture and risks: A rail-specific solution is built to fit into rail’s unique architecture. It continuously maps and segments your OT assets, signaling system technologies, IIoT, and more to give a holistic view of your entire security posture. With this visibility, it becomes far easier to identify existing vulnerabilities and security gaps.

3. Evaluate your cybersecurity governance: Today, rail organizations need a formal and systematic approach to defining and enforcing cybersecurity processes. Moreover, it must be embedded into the core of your organization, not tacked on as an afterthought. Assigning a CISO to lead rail cybersecurity, standing up a cyber security operations center (CSOC), and maintaining a cyber incident response plan are essential to adequate cybersecurity governance.

The Rail Cybersecurity Imperative is Rising

Understanding the prevalence, threat, and impact of cyber attacks — as well as how you can prevent and mitigate them — is essential.

Railway operators, infrastructure managers, and manufacturers are all seeing their roles expand to include rail cybersecurity awareness and know-how. The only way to protect operations, infrastructure, and passengers is by being prepared. With the right knowledge base, cybersecurity solution, and processes, it’s possible to strengthen your defenses and prevent cyber attacks from causing irreparable damage to your infrastructure and reputation.


Who is responsible for rail cybersecurity?

Progress in the field of rail cybersecurity requires the cooperation of various entities. For starters, government, policy-makers, and cybersecurity associations support research and push for better regulations. Within rail organizations, it is the security teams, including the Chief Information Security Officer (CISO), Chief Information Officer (CIO), or Chief Technology Officer (CTO), that are responsible for the security of the rail network, including the design of new infrastructure developments.

How does rail cybersecurity impact passenger safety?

Immensely. Ensuring proper cybersecurity measures are in place has the ability to save lives and passengers from serious injury.

How is the future of rail cybersecurity evolving?

The evolution of rail cybersecurity is tied to the rapidly changing needs of the rail industry and to trends in cyber threats. Predictive monitoring, AI, and solutions focused on specific infrastructures and systems are likely to become more readily available. There will be greater regulation and more requirements to implement rail cybersecurity solutions, along with growing demand for rail cybersecurity experts within rail organizations.

How can rail systems protect themselves against cyber threats?

By being proactive and implementing rail-specific solutions that offer the visibility and monitoring organizations need to safely run their operations.