When it comes to protecting rail operations, the starting point isn’t firewalls or intrusion detection systems; it’s knowing what you actually have. Without a complete view of operational technology (OT) assets across trains, signaling, and control centers, defending them becomes nearly impossible.
That’s the central message in a new joint guide released by CISA and its international partners: “Foundations for OT Cybersecurity: Asset Inventory Guidance.” While the examples in the paper are drawn from energy and water utilities, the lessons are just as urgent for the rail industry - and rail has unique needs when it comes to putting this into practice.
The Case for an OT Asset Inventory in Rail
Rail systems are a patchwork of complex, interconnected technologies: onboard train control systems, signaling interlockings, SCADA networks, passenger information systems, and depots. Each plays a role in safe and reliable service. But without a structured way to catalog and classify these assets, operators face serious risks:
- Blind spots in safety-critical systems (e.g., ATP, ETCS/CBTC equipment)
- Untracked vulnerabilities in legacy devices or unsupported vendor software
- Difficulty coordinating IT/OT security without a common language or taxonomy
- Operational disruption when maintenance or patching decisions are made without clear visibility into interdependencies
The guide emphasizes that an asset inventory is the foundation of a defensible OT architecture. For rail, this means more than a list of devices; it’s a blueprint for resilience.
Taxonomy: Speaking the Same Language
One of the most useful recommendations is developing an OT taxonomy - a structured classification of assets based on function and criticality.
For rail, a taxonomy could look like this:
- Zones (IEC 62443 approach):
  - Onboard Systems: Train Control & Management Systems (TCMS), ETCS/CBTC equipment
  - Wayside Systems: Interlockings, signals, axle counters
  - Control Centers: Dispatching, SCADA, network management
  - Depots & Maintenance Facilities: Diagnostic systems, engineering workstations
  - Corporate Interfaces: Ticketing, passenger Wi-Fi, enterprise IT
- Conduits: Secure communication paths between zones, for example, train-to-ground radio links or control center-to-signaling connections.
This structure provides operators with a common framework to prioritize protections. If a signaling interlocking is compromised, the impact is far greater than if a passenger information display goes down. A taxonomy makes that prioritization explicit.
How Rail Can Implement the Guidance
The first step is defining scope: rail operators need to decide whether the inventory will include just critical safety systems (like interlockings and train control) or extend to supporting technologies (like station IT and passenger services). Starting with the safety-critical core ensures immediate value while leaving room to expand.
Next comes data collection: attributes like IP addresses, firmware versions, communication protocols, and physical locations are essential. In rail, special focus should be on assets that bridge safety and operations—such as radio communication systems, onboard/wayside interfaces, and SCADA links.
Finally, operators must tailor lifecycle management to the rail environment. Maintenance windows are limited, and many assets remain in service for decades. That means inventories must flag legacy systems that cannot be patched easily, align updates with operational schedules, and document every change tied to safety certification processes.
Turning the Inventory into Action
An OT inventory isn’t just paperwork; it becomes the backbone of rail cybersecurity strategy. The guide highlights several ways to use it effectively:
- Vulnerability Management: Cross-reference assets with CISA’s Known Exploited Vulnerabilities (KEV) catalog or vendor advisories.
- Risk Prioritization: Focus on safety-critical systems first (signaling, train control) while planning longer-term mitigation for lower-criticality assets.
- Maintenance Planning: Align patching and upgrades with operational schedules to minimize downtime.
- Resilience Checks: Ensure spare parts cover legacy systems still in active service.
- Monitoring: Implement real-time anomaly detection on signaling traffic, train-to-ground communications, and SCADA systems.
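As an added illustration (not code from the guide or from any rail operator), the script below ties together the zone taxonomy, the data-collection attributes, and the KEV cross-referencing and legacy-flagging steps described above: each inventory record carries its IEC 62443 zone, vendor, product, firmware, address and a patchable flag, and exposures are ranked by zone criticality. The vendors, products, addresses, CVE ids and the criticality ranking are all constructed placeholders; the KEV-style field names are assumed, not taken from the page.

```python
from dataclasses import dataclass

# Zone criticality mirrors the IEC 62443 zones in the taxonomy above (hypothetical ranking).
CRITICALITY = {"onboard": 3, "wayside": 3, "control_center": 2, "depot": 1, "corporate": 0}

@dataclass
class Asset:
    asset_id: str
    zone: str         # key of CRITICALITY
    vendor: str
    product: str
    firmware: str
    ip: str
    patchable: bool   # False for legacy gear bound to safety certification

# Constructed sample inventory: vendors, products and addresses are placeholders.
INVENTORY = [
    Asset("IXL-01", "wayside", "ExampleSig", "Interlock-X", "4.1", "10.10.1.5", False),
    Asset("TCMS-07", "onboard", "ExampleRail", "TCMS-200", "2.3", "10.20.7.1", True),
    Asset("EWS-03", "depot", "ExampleIT", "EngWorkstation", "1.0", "10.30.3.9", True),
    Asset("PIS-11", "corporate", "ExampleDisp", "PIDS", "7.2", "10.40.11.2", True),
]
# Constructed KEV-style records with placeholder CVE ids (not real catalog entries).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleSig", "product": "Interlock-X"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleIT", "product": "EngWorkstation"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Unrelated"},
]

def kev_index(entries):
    """Map (vendor, product), lower-cased, to the CVE ids listed for it."""
    idx = {}
    for e in entries:
        idx.setdefault((e["vendorProject"].lower(), e["product"].lower()), []).append(e["cveID"])
    return idx

def prioritise_exposures(assets, kev_entries):
    """Cross-reference the inventory with KEV; highest-criticality zones come first."""
    idx = kev_index(kev_entries)
    hits = []
    for a in assets:
        for cve in idx.get((a.vendor.lower(), a.product.lower()), []):
            action = ("schedule vendor fix in next maintenance window" if a.patchable
                      else "compensating control: legacy asset, not patchable")
            hits.append((CRITICALITY[a.zone], a.asset_id, cve, action))
    return sorted(hits, key=lambda h: -h[0])

def legacy_flags(assets):
    """Unpatchable assets that need spares coverage and monitoring instead of patching."""
    return [a.asset_id for a in assets if not a.patchable]
```

Running `prioritise_exposures(INVENTORY, KEV_SAMPLE)` lists the wayside interlocking ahead of the depot workstation, and the interlocking's action is a compensating control because it is flagged as unpatchable.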
Why Rail Should Act Now
Energy and water utilities have been under sustained cyber pressure for years, and their guidance is a roadmap that rail cannot ignore. Rail networks are just as interconnected, just as safety-critical, and increasingly just as targeted. The difference is that rail requires adjustments: interoperability across borders, the coexistence of legacy and modern technology, and strict safety regulations all shape how asset inventories are designed and maintained. Creating and maintaining a rail-specific OT asset inventory and taxonomy is not just about compliance; it’s about ensuring safe, reliable, and resilient service. The question isn’t if rail operators need this foundation, but how quickly they can build it.