
Vulnerability Management in Rail: Why Context Is Everything

Miki Shifman, CTO

Effective vulnerability management (VM) is one of the most widely accepted cornerstones of any cybersecurity program. Whether you look at NIST CSF, IEC 62443, CENELEC TS 50701, or any other modern cybersecurity framework, VM is always there, front and center. Many national and industry-specific regulations also mandate it.

The principle is simple: identify vulnerabilities, assess their risk, and take action. But in the rail industry, the reality is far more complex.

Rail systems are typically built to last for decades. When they are deployed, they often arrive with known vulnerabilities already present, because the software stack was frozen long before commissioning. Once operational, the systems are rarely touched. If they work, there is strong resistance to change, because any update may introduce downtime, safety concerns, or the need for full supplier re-certification. In many cases, even obtaining a validated patch from a supplier can take months, if it comes at all.

That’s why vulnerability management in rail can’t just be about scanning and patching. It requires a risk-informed, rail-aware approach.

So, What Can We Do?

In rail, you often can’t fix everything, and you probably shouldn’t try. Instead, the focus should be on prioritization: identifying what truly matters and addressing the most critical issues first.

This is not about giving up on patching. It’s about understanding that the path to security in operational rail environments lies in smart choices, not blanket actions. That means determining which vulnerabilities are high risk in your specific environment, and which can be tolerated or mitigated in other ways.

Why Prioritization Matters More in Rail

A vulnerability listed in the National Vulnerability Database (NVD) can apply to a wide range of systems, from laptops in the control center to onboard computers or interlocking equipment. But the consequences of exploiting that vulnerability can vary dramatically depending on where and how the affected asset is used.

This is why relying on CVSS base scores alone is insufficient. The base score is deliberately deployment-agnostic: a vulnerability rated 9.8 "Critical" may represent very little risk in a particular environment, and the same 9.8 may be the most urgent item on the list in another.

Effective vulnerability management must therefore take into account environmental factors that go far beyond the generic severity score. CVSS already provides for this through its environmental metric group (modified attack vector, modified scope, and the confidentiality, integrity and availability requirements), but those metrics are only as good as the asset context used to fill them in.

How to Assess Real Risk: Key Parameters

To understand the real-world severity of a vulnerability in a rail environment, you need to evaluate:

  1. Asset function – What role does the device play? Is it controlling a critical train control system, or simply displaying a passenger timetable?
  2. System context – Is the asset part of signaling, traction power, safety-critical subsystems, or non-critical IT infrastructure?
  3. Network exposure – Is the system isolated? Connected to public networks? Accessible remotely or via wireless links?
  4. Impact on operations and safety – What could go wrong if the asset were compromised? Would it cause service disruptions, safety incidents, or reputational damage?

The Log4j Lesson

[Figure: screenshot of the NVD CVSS calculator. Caption: Same vulnerability, different score.]

Take Log4Shell (CVE-2021-44228), the critical Log4j vulnerability disclosed in December 2021, as an example. The figure above, generated with the NVD CVSS calculator, shows how its score can drop from 10.0 (Critical) to 6.6 (Medium) simply by setting the environmental metrics to match a specific deployment: where the component sits on the network, whether a compromise can reach other components, and how much confidentiality, integrity and availability matter for that asset. The base score itself never changes; the environmental score is the one an operator should prioritise on.

Getting It Right: Contextual Asset Inventory is Key

Before jumping into scans or patch requests, the first step is to understand your environment. That means having an asset inventory that is rich in context, not just a list of IP addresses and version strings.

Every rail asset should be cataloged with:

  • Its business and operational function
  • Its system and line-level context
  • Network topology and exposure
  • Its safety and operational criticality

This enriched view transforms vulnerability data into actionable insight. It allows operators to focus on what matters most, protecting assets that, if compromised, could disrupt service or endanger lives.

In rail, patching everything is rarely an option. But with the right context, patching what truly matters becomes achievable, and that’s how vulnerability management delivers real value.

Want to learn how Cylus can help you effectively manage your vulnerabilities in rail? Contact us.

Originally published August 12, 2025, updated August 12, 2025.
