Why is Cybersecurity so Important for the Rail Industry?

Roie Onn
June 9, 2019

The digitization of railway control systems, combined with the adoption of over-the-air technologies, automated operations, and remote control, has resulted in increased freight and transport efficiency.

But as this digitization progresses, its advantages are offset by the introduction of new cyber threats that create new challenges in securing network operations.

It is imperative that these are overcome to ensure secure operations, service continuity, and public safety, and to avoid financial loss and reputational damage. These industry concerns are driving the implementation of new risk mitigation strategies.

But because the industry constantly faces multiple challenges in the form of increased competition from other modes of transport and massive maintenance costs, the challenge of overcoming cyber-attacks has not gained priority in the past. Unfortunately, such attacks are far from theoretical.

In 2016, the San Francisco Municipal Transportation Agency (SFMTA) experienced a ransomware attack and the British Rail Transport suffered four attacks. Japan Railways Hokkaido was attacked in 2015. Following these and other breaches, federal and national cybersecurity enactments have become far more stringent, and the railway industry must now adhere to these railway cybersecurity regulations.

There are three main elements to be considered:
1. The main change in technology
2. The new system’s overall lifecycle
3. The associated costs of the change.

Cybersecurity paradigms in the railway sector

The railway sector is left with no alternative but to opt for a complete paradigm shift away from the proprietary technology that the industry has been using, switching to as many off-the-shelf components as possible.

Not only will this help the whole system become more adaptable and flexible, but in the long run it will also allow for more rapid adoption of technological advances. These will consequently cause many changes in terms of system lifecycles, IT systems, and central control.

Finally, the element of cost has to be taken into consideration. The general rule of thumb is that the more obsolete the technology is, the more expensive it will be. This is because of the ever-increasing scarcity of important components, parts, and vital software. These in turn will impact the overall economies of scale or, alternatively, the lack of them.

Threat landscapes today

The threat landscape of the railway sector is steadily expanding. Many cybersecurity challenges that are part of the overall threat and cybersecurity paradigm are not necessarily specific to technical attacks: they are not restricted to malware and viruses. In the railway sector, there is a far more lethal aspect of terrorism to take into consideration.

This is why, for rail, there is more to the concept of cybersecurity management than the ‘run of the mill’ form of protection which other business sectors use. For instance, there are several pressing issues surrounding cybersecurity governance in this industry. These include security operations risk management and compliance monitoring activities that require near-constant attention to be able to maintain a reasonable level of maturity.

Various roles and responsibilities

There are several actors in the railway industry that have to be taken into consideration when assigning responsibilities. Amongst those actors, there are divisions and departments that must share the overall responsibility of rail cybersecurity for the industry. These responsibilities will almost certainly differ depending on the capability and the capacity of the individual actors.

For instance, asset owners will share responsibility for railway management, risk operations, mitigation, and network management. System integrators will be responsible for access management, technical evaluation, and system-wide architecture. Finally, product suppliers will be responsible for secure product design, secure software design, and overall product engineering security.

It’s clear that the railway sector has an all-too-real opportunity to address a myriad of different cybersecurity concerns at the highest possible level within the company. The top-level management is ultimately accountable for cybersecurity for the whole organization, with the responsibility to ensure the company’s assets and information are adequately safeguarded.

The top-tier management can delegate responsibility to other entities in order to implement the various cybersecurity countermeasures. The organization will also be directly responsible for validating cybersecurity resourcing requirements and investments for the management of all cybersecurity-related information.


To me, it’s obvious that cybersecurity will become a necessary component of various railway businesses. The digital railway projects across the globe, and the pressing need to integrate with various other modes of transport, will slowly but surely make it necessary for the railway community to open their businesses to other active players working in the field of multimodal transportation solutions.

The article was originally published in the Global Railway Review, by Cervello’s CEO.