By Cam Sivesind
Tue | Aug 20, 2024 | 9:18 AM PDT

Cyberattacks on railway systems have increased by more than 200 percent in the last five years, with incidents increasing worldwide over the last decade.

"We've seen a 220% increase in railway-associated cyberattacks over the last five years," said Col. Cedric Leighton, CNN Military Analyst; USAF (Ret.); Chairman, Cedric Leighton Associates, LLC. "In fact, over a 10-year period, we've seen cyber incidents impacting railway systems in countries as diverse as Belgium, France, Poland, the Czech Republic, Germany, Denmark, Italy, Belarus, Ukraine, India, and the United States. So this is clearly a worldwide problem."

"In the U.S., NIST and TSA have issued standards and directives designed to put the railway industry on a more solid foundation so it can better deal with cyberattacks," Leighton added. "TSA's October 2022 directive, as well as the EU's directive from ENISA (the EU Agency for Cybersecurity) in February of the same year, are designed to shore up rail network cyber defenses."

A recent market research report from The Business Research Company highlights a growing concern in the railway sector: cybersecurity. As digitalization and automation increasingly define modern rail networks, the need to secure these systems against cyber threats has never been more critical.

The report provides an in-depth look at the current state of the railway cybersecurity posture, along with key measures railway companies must implement to protect their operations now and in the future. Key points from the report:

  1. Increased cyber threats in railways
    Rail systems are becoming more automated and interconnected, which unfortunately makes them more vulnerable to cyberattacks. Threat actors could target critical infrastructure, disrupt operations, or steal sensitive data. The report emphasizes the need for railway companies to stay ahead of these threats by adopting advanced cybersecurity measures that can identify and mitigate potential vulnerabilities.

  2. The shift to predictive and proactive security
    The report highlights a shift from reactive to proactive cybersecurity strategies. Railways must not only respond to threats but also anticipate them. This requires predictive threat intelligence, where AI and machine learning models are used to analyze vast amounts of data to detect anomalies and identify possible attacks before they happen. Implementing these proactive measures can prevent costly downtime and breaches.

  3. Securing Operational Technology (OT)
    The increased convergence of IT and OT (Operational Technology) is a critical factor in rail cybersecurity. Many rail systems rely on legacy OT infrastructure that was not designed with modern cybersecurity in mind. The report urges railway operators to adopt solutions that provide enhanced security for OT systems without compromising the operational efficiency of their networks.

  4. Focus on compliance and regulation
    Cybersecurity regulations are tightening, with railway companies increasingly subject to national and international standards. The report discusses the importance of staying compliant with cybersecurity regulations such as the European Union’s NIS2 Directive, which mandates that operators of essential services, including railways, implement stringent cybersecurity measures. Non-compliance can lead to hefty fines and operational sanctions, so railway operators must prioritize meeting these regulatory requirements.

  5. Supply chain security
    One of the emerging concerns is supply chain cybersecurity. Rail systems rely heavily on third-party suppliers for everything from signaling systems to data management software. The report recommends that railway companies evaluate the cybersecurity practices of their suppliers and partners to ensure end-to-end security across the entire supply chain. This includes requiring vendors to follow strict cybersecurity protocols to reduce the risk of a supply chain-based attack.

  6. Collaborative approaches to cybersecurity
    The report stresses the importance of collaboration between railway companies, cybersecurity vendors, government agencies, and other stakeholders. Sharing threat intelligence, developing common standards, and collaborating on cybersecurity strategies can significantly improve the industry’s overall resilience to attacks.

"Not only are cybercriminals targeting the overall logistics, freight, rail, and entire supply chain companies, this highlights yet again that we need to be more vigilant in protecting our supply chain," said Erika Voss, CISO, DAT Freight & Analytics. "Given the amount of inter-connective systems that drive our supply chain from carrier to consumer susceptible to attacks, cybersecurity needs to constantly look at the ways beyond a normal attack landscape to help protect our rail."  

While the railway industry has been relatively slow to adopt digital technologies compared to other sectors, it's increasingly becoming a target for cyberattacks.

"I ran the cyber team for a big National Petroleum Council (NPC) study a number of years back that had broad representation from industry, government, regulators, suppliers, and other stakeholders," said Al Lindseth, Principal, CI5O Advisory Services LLC, who spent 23 years at Plains All American Pipeline, most recently as SVP, Technology, Process and Risk Management. "It was focused on midstream and in regards to cyber, we scoped it entirely around OT.  We dug into the different operator types, including rail."

"If rail got shut down, it would take more than 120 million additional trucks traveling on public roadways daily, consuming four times the amount of fuel, to handle the freight," Lindseth said. "Six hundred railroads collectively maintain total route miles, which is the equivalent of 5.6 trips around the earth. The overwhelming majority of funding comes from the railroads themselves. Sixty percent of all rail cargo travels over lines owned by more than one railroad, which means they have to ensure that any other railroad's locomotives can safely travel over lines they own or maintain—so they are dependent on each other's decisions."

The Association of American Freight Railroads has previously issued its Freight Rail Policy Position, stating, "Freight railroads recognize that cyber resiliency is a must, as is maintaining the public's trust as a proactive critical infrastructure organization."

Before diving into specific incidents, it's essential to understand the broader challenges facing railway cybersecurity:

  • Legacy Infrastructure – Many railway systems still operate on outdated technology, making them vulnerable to exploitation.
  • Human Error – Despite technological advancements, human error remains a significant risk factor.
  • Interconnected Systems – Modern railways rely on complex networks of interconnected systems, increasing the potential attack surface.

"Rail, freight, and logistics overall is an easy hit against fraud and crime.  What started out as a way to get a means to an end, has exploded into an area that needs constant protection, constant authentication, and constant zero trust efforts," Voss said. "We can't leave any industry behind, we need to come together stronger and fight for zero trust transportation efforts that help, detect, protect, and secure our entire supply chain goods."  

While there have been no publicly reported major cyberattacks resulting in significant disruptions to railway operations in the U.S. or Europe, the threat is real and growing.

  • Iran and Belarus: While not directly targeting major Western railway systems, cyberattacks on railway infrastructure in Iran (2021) and Belarus (2022) serve as stark reminders of the potential consequences of such attacks. These incidents involved disruptions to signaling systems and power supply, highlighting the vulnerability of critical infrastructure.
  • Increased Cyber Espionage: There's evidence to suggest that state-sponsored actors are increasingly targeting railway systems for espionage, aiming to steal intellectual property and sensitive data related to train control systems and signaling technologies.

"Many of the cyberattacks we've seen impacting the railroad industry have taken the form of ransomware. They've disrupted rail networks by halting ticket sales and suspending passenger and freight services," Col. Leighton said. "Cyberattacks coupled with physical sabotage, like we saw this year as the Olympics got underway in France, can bring a rail-dependent country to its knees. Luckily, engineers from the French national railways (SNCF) were able to reestablish service fairly quickly.  A combined cyber and physical attack on a rail system might be even more difficult to overcome the next time it happens."

The Railway Academy, Asia's top railway and smart mobility-focused training company with credentials of training 3000-plus professionals across the world, wrote a helpful blog for railway security professionals titled "Railway Cybersecurity: Everything You Need to Know."

"...Cybersecurity is essential for protecting the invisible infrastructure that powers rail travel. From signaling systems to passenger information systems, traffic management systems to train control systems, railways rely on a complex network of computer systems to operate safely and efficiently," the report concludes. "As railways become increasingly digitized, they also become more vulnerable to cyberattacks."

The future of railway cybersecurity will see further integration of advanced technologies such as AI, cloud computing, and edge computing. As rail systems continue to evolve, the need for sophisticated cybersecurity frameworks will only intensify. The report indicates that companies investing in long-term cybersecurity solutions, such as automated threat detection and secure OT-IT integration, will be better positioned to navigate the challenges of the digital age.

"Increased interconnectivity means an increased cyberattack surface. As interconnectivity increases and railways modernize their fleets with faster trains along the lines of Japan's Shinkansen or France's TGV, securing the cyber portion of rail networks becomes as important as securing the physical portion," Col. Leighton said.

"Technology is playing a larger part in their major goals of accident prevention, mitigation, and emergency response," Lindseth said. "For example, recurring physical inspections of locomotives, cars, and tracks are conducted to avoid accidents. Defect detector sensors are integrated into the tracks to detect axle and signal problems in trains that pass over them."

"Hot-box detector sensors detect when axle bearings overheat," Lindseth added. "The principal concern in railroads' cybersecurity programs is protection of systems involved in the management, monitoring, or control of train operations, including whether an attacker could interfere with safety systems such as Positive Train Control, which is a terrifying scenario indeed."

The experts quoted in this article will all be adding thought leadership at these upcoming SecureWorld conferences:

  • Col. Leighton, co-presenting on "When Enterprise and World Events Collide: Driving Outcome-Based Cybersecurity Transformation" at SecureWorld Dallas on Oct. 3; and speaking on "Cyber World on Fire: Global Digital War's Impact on Governments, Societies" at SecureWorld Denver on Oct. 10.
  • Lindseth, speaking on "Integrate Transformative OT Cybersecurity Programs to Increase Effectiveness" at SecureWorld Dallas on Oct. 3.
  • Voss, joining two different panels at SecureWorld Seattle on Nov. 6-7, one on "Beyond the Single Point of Failure: Lessons from Recent Vendor Incidents and Strategies for Resilience"; the other on "ASPIRE Your Approach: Application Security Program Investments Repaying Engineering."