
Don't Overlook These Factors in Your Rail Incident Response Plan

Cervello Team
December 21, 2021

The importance of developing a rail incident response plan cannot be overstated—and not only because having one is now a TSA cybersecurity requirement.
Building a robust response plan is fundamental to ensuring operational continuity and passenger safety in the event of a cyberattack. A professional and effective cybersecurity response playbook keeps ready the protocols, actions, and processes for mitigating incidents that target the railway's unique and mission-critical assets, such as signalling systems, rolling stock components, and telecommunications.

But that's not all. Carrying out an effective rail incident response plan requires a high degree of coordination between various stakeholders. After all, it is people who will ultimately execute the playbook and resolve the situation.
The challenge is that not all stakeholders tasked with responding to cyber events in the rail industry are familiar with cybersecurity terminology, risks, threats, and possible outcomes. In other types of disruptive operational events the cause is more tangible and rooted in the system's engineering; during a cyberattack, by contrast, some stakeholders have little experience of how to perform their responsibilities.

In this article, we will go over three important concepts to consider when building your own rail cybersecurity response plan. 

1. Reinforce your rail incident response plan with Cervello

Cervello’s proprietary playbook was built by leading cybersecurity researchers and railway veterans with deep expertise in the intricacies and complexities of railway architecture.

It not only enables relevant stakeholders to swiftly isolate and resolve cyberattacks, but it also allows railway organizations to fulfill new TSA requirements without imposing burdensome new workloads.

Here’s a breakdown of how Cervello’s remediation playbook works:

After identifying and investigating an attack, Cervello automatically dispatches highly optimized, actionable, and real-time guidance on how to remediate the threat. Guidance is customized to the unique needs and sensitivities of the railway organization and designed for each affected asset.

Armed with this playbook, all relevant organizational stakeholders can execute a coordinated response.

2. Stay proactive with a solution uniquely built for rail cybersecurity

While having a rail incident response plan is vital (and now a federal requirement), simply reacting to a malicious attack is not enough—railway organizations must be proactive. The only way to safeguard operations and ensure passenger safety day in and day out is with a cybersecurity solution that is designed to monitor your railway infrastructure, protocols, and systems 24/7 from the inside.

Cervello’s railway cybersecurity platform is a fully passive, non-intrusive solution that integrates directly into the railway architecture to provide continuous visibility, context, and control.

Here’s how a railway-centered solution supports your cybersecurity incident response plan.

Complete visualization provides essential context for remediation guidance

Cervello provides in-depth visualization of the entire signaling and operational environment, including a dynamic map of all assets and interconnectivities according to each asset’s physical location or predefined security zone. This essential contextual view allows responders to quickly understand and assess the risk, visualize potential attack vectors, and accurately predict the operational impact.

Full visibility into the operational environment, combined with the actionable, real-time guidance of Cervello’s response playbook, tells stakeholders exactly how to respond to a threat in order to mitigate and resolve it as quickly as possible.

Threat forensics enables an accurate and effective response

Threat detection is the first stage of any response plan—you can’t respond to what you don’t detect.

Once a threat is detected, all of the data is gathered passively and non-intrusively by Cervello. The platform then performs detailed cybersecurity forensics to guide the investigation into what happened before, during, and after the attack.

The forensics report includes a complete threat profile of the attack, including the type of affected assets, functions and connectivities, and event logs.

This information allows those responsible for executing the rail incident response plan to understand the scale and scope of the attack, as well as the potential operational impacts.

Along with the step-by-step guidance in the cybersecurity response playbook, Cervello’s Incident Scoring System tells stakeholders how to prioritize their response to suspicious activity by automatically identifying the correct severity level.

3. Communication is key for a coordinated rail incident response plan

Effective collaboration and a high degree of coordination are integral to efficiently responding to a cybersecurity threat. By establishing a cybersecurity operations center (CSOC), led by a CISO, you will have the necessary structure and expertise to carry out a coordinated rail cybersecurity incident response plan, in which every stakeholder understands their role and responsibilities.

A CSOC is a centralized unit that is responsible for continuously monitoring the railway organization's security posture. It is the command post that sits at the center of your IT and OT infrastructure, including your networks, communication and signaling systems, devices, and rolling stock, and it combines the knowledge of cybersecurity experts and railway managers.

When threats arise, cybersecurity experts in the CSOC will be the ones leading the response plan to resolve them. Guided by Cervello’s rail incident response playbook, CSOC members will dispatch optimized guidance to all relevant stakeholders to quickly resolve the threat and maintain operations.
Our playbook is customized to each customer’s unique needs, including the different personnel and stakeholders involved, to provide real-time alerts and tailored support.

Swift remediation is dependent on both technology and people

We all know that it’s not if an attack will occur, but when. In addition to having a proven remediation playbook, continuous asset mapping and monitoring, as well as threat investigation capabilities, are vital to attack preparedness.

When an attack does occur, effective remediation requires both technical know-how as well as predefined systems of communication so every relevant stakeholder can respond with confidence.

Our rail cybersecurity experts have the expertise to build this response playbook specifically for railway organizations. By proactively adopting a rail incident response plan, railway operators and infrastructure managers can quickly resolve threats, mitigate further escalation, and avoid operational disruptions during an attack.