Sector Overview
Railway and mass transit systems represent some of the most complex OT environments in critical infrastructure. A modern rail network integrates multiple technology generations across:
- Train control and signalling: European Train Control System (ETCS), Automatic Train Protection (ATP), cab signalling, interlocking systems (relay-based through to processor-based)
- Positive Train Control (PTC): US-mandated overlay system for collision avoidance
- SCADA/ECS: Energy control systems managing traction power, substations, and overhead electrification
- Station systems: Platform screen doors, passenger information, ticketing and access control
- Trackside communications: GSM-R/FRMCS radio, balise readers, axle counters, level crossing control
- Operations control centres: Centralised traffic management systems integrating all of the above
The interconnection of these systems — increasingly through IP-based networks as GSM-R modernisation and ETCS rollout proceeds — creates an OT attack surface that has grown substantially over the past decade. Legacy signalling equipment designed without any network connectivity is now integrated into managed environments through remote diagnostics gateways, creating paths that the original designers never envisioned.
Documented Attack Surface
Signalling and Train Control
Signalling systems present the highest safety consequence if compromised. Modern processor-based interlockings and ETCS Level 2/3 implementations use standardised communication protocols over IP infrastructure. The ETCS protocol stack (Euroradio, Eurobalise messaging) includes authentication mechanisms, but implementations vary and older ETCS deployments may have configuration weaknesses.
Key attack paths that ICS security researchers have documented:
-
Euroradio message injection: ETCS communication between Radio Block Centre (RBC) and onboard units uses authentication, but the GSM-R radio infrastructure that carries it has known weaknesses. GSM-R is a 2G-era technology with limited encryption. Its successor, FRMCS (5G-based), addresses some of these issues but is not yet widely deployed.
-
Interlocking remote access: Many rail operators have introduced remote maintenance access to interlocking computers — either through dedicated links or, in some cases, general IT networks. These paths represent the most exploitable entry point for an attacker targeting signalling: the interlocking equipment itself may be air-gapped, but the remote access gateway is not.
-
Data concentrators and SCADA: SCADA systems managing traction power and substation equipment are standard OT targets. In rail environments, the added safety dimension is that traction power interacts with train operations — disruption to substation control can create operational incidents beyond the electrical domain.
Passenger Systems and Station Infrastructure
Passenger systems operate at lower safety consequence but serve as a foothold into rail networks. Ticketing systems, access gates, passenger information displays, and CCTV all connect to networks that, in some operator environments, are insufficiently segregated from OT networks. Several documented incidents have begun in passenger-facing IT infrastructure and traversed network paths that should not have existed.
Operations Control Centre (OCC)
The OCC is the highest-value target — it integrates signalling, traction, passenger information, and communications management into a single operational picture. OCC workstations run commercial operating systems, often with connectivity to corporate IT for reporting and HR functions. The convergence of IT and OT connectivity at the OCC level creates lateral movement paths that are difficult to fully sever without disrupting operations.
Threat Actors Targeting Transport OT
Volt Typhoon (China)
US government advisories have specifically identified railway and transit systems as among the infrastructure categories pre-positioned by Volt Typhoon (BRONZE SILHOUETTE). The CISA/NSA/FBI joint advisory on Volt Typhoon explicitly includes “transportation systems” in the critical infrastructure categories where the group has established persistent access, alongside energy and water.
Volt Typhoon’s methodology in transport environments follows their general pattern: living-off-the-land techniques using legitimate system tools and credentials, minimal malware footprint, extended dwell time oriented toward capability establishment rather than immediate disruption. The assessed intent is pre-positioning for potential use during a geopolitical crisis, not active sabotage under current conditions.
Sandworm (Russia, 74455 GRU)
Sandworm’s targeting of Ukrainian infrastructure has included transport systems. The 2022 conflict saw Sandworm activity against Ukrainian railway systems alongside the power grid attacks that are more widely documented. The Industroyer2 malware framework demonstrated Sandworm’s capability to target OT environments directly through ICS-protocol-level manipulation.
Sandworm’s tactics in transport contexts are more disruptive than Volt Typhoon’s — consistent with a wartime operational priority to degrade logistics and movement rather than preserve capability for later use.
Financially Motivated Ransomware
Several ransomware incidents have affected railway operators, typically hitting IT infrastructure rather than OT. The operational impact depends on the degree of IT/OT integration:
- SNCF (France, 2020): Ransomware hit IT systems; core train operations continued on OT systems that maintained manual fallback capability.
- RailCorp operations (multiple incidents): Ticketing, scheduling, and communication systems affected; train movements generally continued.
- The risk is escalation — if OT depends on IT-resident components (scheduling data feeds, centralised control centre applications) for normal operations, ransomware that takes down IT can impair OT operation even without directly targeting signalling or traction systems.
Regulatory Requirements
TSA Rail Security Directives (US)
The Transportation Security Administration issued cybersecurity directives for passenger and freight rail operators:
TSA Security Directive (SD) 1580/82-2022-01 (issued 2021, updated 2022): Required passenger and freight rail operators to:
- Designate a primary and alternate cybersecurity coordinator reachable 24/7
- Report cybersecurity incidents to CISA within 24 hours
- Develop and implement a cybersecurity incident response plan
- Conduct a cybersecurity vulnerability assessment
TSA SD 1580/82-2022-01 Series updates: Subsequent directives shifted from prescriptive controls to a performance-based model, requiring operators to develop approved Cybersecurity Implementation Plans (CIPs) demonstrating how they achieve defined security outcomes rather than compliance with a specific control checklist.
The current TSA framework requires rail operators to achieve four cybersecurity outcomes:
- Reduce attack surface and assess cybersecurity risks
- Develop network segmentation policies to ensure that OT systems can operate safely in the event of an IT compromise
- Create cybersecurity detection policies and procedures
- Establish response and recovery programmes
NIS2 (EU)
Rail operators in EU member states are covered by NIS2 as operators of essential services under the transport sector. NIS2 requirements include: risk management measures, incident reporting (24-hour notification to the competent authority), supply chain security, and board-level accountability for cybersecurity compliance. Member states have incorporated NIS2 into national law with varying transposition dates and enforcement approaches.
UK Transport Sector Cyber Resilience
UK rail operators are subject to guidance from the Centre for the Protection of National Infrastructure (CPNI) — now part of NPSA — and NCSC transport sector guidance. The Network Rail SCADA and Control Systems security programme sets baseline requirements for infrastructure managed by Network Rail.
Priority Hardening Areas for Rail OT
Network architecture review: Validate that signalling networks are not reachable from corporate IT, passenger Wi-Fi, or ticketing systems. Perform regular firewall rule review to confirm that firewall rules enforcing OT/IT separation remain current and have not been silently modified for troubleshooting and never reversed.
Remote access control: Catalogue all remote access paths to OT systems — vendor remote maintenance links, operations centre connectivity, engineering workstation VPN access. Each path should have formal authorisation, monitored use, and the ability to be disabled when not actively required.
GSM-R to FRMCS migration security: As operators transition from GSM-R to FRMCS for train radio communications, the migration creates a period where both network generations coexist. Security requirements for FRMCS implementations should be validated against 3GPP specifications and ENISA guidance for critical communications infrastructure.
Incident response with OT context: Tabletop exercises for rail cyber incidents should explicitly model scenarios where IT systems are compromised but OT must continue operating — and scenarios where OT is directly targeted. The response procedures for each differ significantly from standard IT incident response playbooks.
Supplier access management: Rail suppliers — signalling contractors, SCADA integrators, traction power vendors — typically require ongoing remote access for maintenance and diagnostics. This creates a supply chain risk dimension: a compromise of a signalling supplier’s remote access credentials provides access to interlocking systems across multiple operator clients simultaneously.