Railway cyber security: an imperative for operational resilience

Cyber attacks on railways are doubling each year. Ricardo's Michael Newman and Tony Gao explain how rail organisations can maintain their resillience. 

In autumn 2024, the BBC treated viewers in the UK to Nightsleeper, its latest Sunday evening big-budget action drama. The plot revolved around a sleeper train travelling from Glasgow to London that had been hijacked via a sophisticated cyber attack.

Judging by reactions on social media and newspaper reviews, audiences were required to suspend disbelief during some of the action sequences, but the underlying concept -  the capture of the onboard systems of a modern high speed train - was barely questioned. No longer far-fetched science fiction, the notion seems, well, plausible.

That's because in an era marked by rapid digital transformation, the public understand that the rail industry, like all critical infrastructure, is a viable target for malicious actors. 

In fact, in the same month Nighsleeper was launched a real-world cyber incident had caused the temporary closure of public Wi-Fi services at some of the largest stations on the UK network.

This came barely 12 months after an attack on the Polish network saw infiltrators of the VHF radio system issue emergency stop messages to services on the network causing widespread disruption.

Indeed, Poland was the location of one of the earliest high profile attacks on a rail system when, in 2008, four trams were derailed in the city of Lodz after a hacker momentarily took over the network's command and control system. The perpetrator turned out to be a teenager.

A rising cyber security threat

Rail systems are undergoing a profound digital evolution, integrating advanced technologies like IoT, the Cloud, AI, and connected control systems to deliver day-to-day efficiencies. However, these advances have also brought increased exposure to cyber threats.

The rail sector - whether operators, infrastructure managers or equipment suppliers - are thus confronted by an ever-evolving, dynamic landscape with unpredictable and malicious actors seeking to exploit vulnerabilities in signalling systems, rolling stock and communication networks.

Current trends suggest cyber attacks on railways are doubling annually. Alongside the UK and Poland incidents, France, Germany, Belgium, Denmark, Italy, India and the USA have all recently reported malicious attempts on their networks.

As a result, cyber security has become a priority not only for Chief Information Security Officers, but for senior leaders throughout the sector. 

Common vulnerabilities in rail cyber security

In our experience of working with rail operators globally, we have identified recurring vulnerabilities that underscore the need for ongoing assessments:

•    Weak authentication mechanisms: Outdated password policies and inadequate multi-factor authentication (MFA) are common issues that leave systems vulnerable to unauthorised access.

•    Unpatched software: Legacy systems and unpatched software can serve as entry points for attackers, particularly in signalling and control systems.

•    Lack of network segmentation: Insufficient segmentation of operational and corporate networks increases the risk of lateral movement by malicious actors, potentially compromising critical safety systems.

•    Inadequate phishing awareness: Social engineering attacks, including phishing, remain a primary vector for cyber intrusions. Many organisations lack comprehensive training programs to mitigate this risk effectively.

Cyber security assessments

Given the evolving threat landscape, railway organisations need to maintain a constant vigilance. Annual cyber security assessments provide a structured, proactive approach to assessing current resilience, identifying gaps, and developing appropriate and proportionate responses.

Key benefits of regular expert assessments include:

Proactive Risk Management: Annual assessments help rail operators identify and address system vulnerabilities before they can be exploited. By uncovering weaknesses in control systems, software applications and network architecture, assessments allow for timely mitigation, reducing the risk of incidents that could disrupt operations and compromise safety.

Enhanced Regulatory Compliance: Compliance with cyber security regulations is critical to fully safeguarding critical infrastructure. Annual assessments help organisations stay aligned with evolving standards and regulatory frameworks, such as the NIS (Network and Information Systems) Directive and CENELEC EN 50159 for railway signalling. Demonstrating due diligence in this area is crucial for maintaining operational integrity and stakeholder confidence.

Improved Incident Response: Regular assessments are essential for refining incident response strategies. Testing and enhancing response protocols in a controlled environment will help rail operations reduce response times and minimise the impact of incidents. Ultimately, preparedness is central to protecting passenger safety.

Building Stakeholder Confidence: Demonstrating a commitment to security through documented assessments and transparent reporting will significantly enhance trust among the stakeholder community. By showing measurable progress in cyber resilience organisations are sending a message of assurance to customers, investors and regulators that robust protections are in place.

The value of unbiased and objective evaluations 

While internal teams play a crucial role in maintaining day-to-day security operations, engaging an independent assessor can provide a deeper, unbiased and objective evaluation of your security posture.

External experts bring specialised knowledge and experience, offering insights that may be overlooked by in-house personnel. By leveraging the expertise of independent assessors, rail operators can ensure that their cyber resillience measures are up-to-date, aligned with industry best practices, and tailored to address specific operational risks.