Rail networks face an evolving cyber threat landscape as interconnected systems create a larger attack surface, providing more entry points for malicious intruders. On June 29th, representatives from every end of the rail supply chain converged in Tel Aviv to discuss the challenges cyber threats pose and how the industry as a collective should tackle them. 

Where to plug the gaps in a complicated system architecture 

As Dimitri van Zantvliet, CISO at Dutch Railways, reminded the audience – rail is not the first to embrace or address cyber – but it is apparent that now more than ever, there is a corporate imperative to assess when and how to secure an operator’s infrastructure diligently. Rails’ systems are diverse, overlapping, and complex. Where the potential weak spots are and how to secure them are the CISO’s purview. Asaf Gal, Head of Cybersecurity for NTA, Israel’s mass transit system, has experience overseeing a massive transport project. His call for a dedicated specification with a cyber management plan was unequivocal. This enables cyber by design and allows strict controls to be built into the systems before they become unwieldy. 

‍

This message was reiterated across the panel of distinguished rail infrastructure and security experts – that looking ahead and building security controls intelligently would make the difference. Cylus’s CTO, Miki Shifman, spoke earlier about standardizing security protocols across operators. This will, of course, require an assembly of industry voices singing in harmony. Still, alongside the early adoption of said protocols, it feels like the right direction for rail if the defenses are to be bolstered successfully. 

Security solutions – the ideal and the reality 

Eddy Thesee, VP of Products and Solutions, Cybersecurity, at Alstom, quipped that complex rail models could take ten years from design to reality. With 150,000 vehicles installed, Alstom has some serious skin in the game. It sets ambitious targets and has cyber at the heart of its strategy. Thesee cautioned that roles and principles for cyber management must be decided at the beginning of a project. Like Cylus, Alstom advocates a set of agreed standards to deploy and regulate rail cybersecurity. NTA understands the impacts of potential cyber-attacks, and with the constant, the looming threat of regional adversaries, it is unsurprising they are insistent on an effective enforcement mechanism, ensuring the initial cybersecurity specifications are upheld by all involved in the project.

Rail has become a more attractive target to cybercriminals in recent years. The volume of overlapping digital systems built on open-platform software with standardized equipment presents countless openings for cyber-attacks. The connections to public and private networks allow for remote access and means anything from the signaling to train control systems, passenger information systems to Wi-Fi are more susceptible to being compromised. The more digitized rail networks become, the more vulnerable rail systems are to sabotage, especially when connecting to an external network. The rate of digitalization requires full visibility from inception to implementation to predict, manage and mitigate breaches, with real-time threat detection underpinned by actionable intelligence, allowing rail operators to review and respond to live reports.   

Cybersecurity must be part of rails’ culture

Trains are changing, becoming more powerful and more accessible – with dozens of systems jockeying for position, they are supercomputers on tracks. This is rail’s biggest asset and, simultaneously, a flare in the sky for those with criminal intent. Amtrak’s AVP Deputy Chief Information Security Officer, Mark Conrad, told the conference that “cyber is a way of doing business today” - this is the cultural shift that must permeate through the c-suites of rail operators. 

Amtrak has the largest passenger rail in the US and is occupied with transforming legacy systems into digital powerhouses. – no small feat. Dutch Railways took the company 184 years to get where they are now regarding safety. Nowadays, no worker would climb onto the roof of a train without the proper personal protective equipment. As Dimitri van Zantvliet cautioned, the same instincts for enforcing cybersecurity protocols must not take another 184 years. Cybersecurity has to become part of the everyday maintenance and delivery of rail operations, employees must be trained and standards adhered to. The threats posed are real and growing, according to those sitting on the panel rail must work to employ countermeasures earlier, more consistently, and with sharper teeth.

All aboard

Rail’s architecture is fertile ground for sophisticated cyber-attacks but has the backing of its industry leaders to face this reality with a willingness to collaborate. This conference wasn’t just about company posturing but about understanding the emerging threat as existential to rail and other critical infrastructure, not just to one operator. Assessing potential frailties from the beginning, fostering a culture of shared learnings, working in consort with suppliers to reinforce consistency in robust defenses, and investing in cybersecurity expertise across the whole supply chain will ensure rail remains structurally resilient and strategically forward-thinking.