The intersection of information technology (IT) and operational technology (OT) in railway systems has created a cybersecurity landscape that is both complex and unforgiving. In a detailed conversation, Jorge Aldegunde, Global Head of Railway Services at DNV, shed light on the unique vulnerabilities that arise when decades-old operational technology is retrofitted with modern IT layers. Monorail systems, once isolated and proprietary, are now open, networked, and increasingly targeted by sophisticated threat actors.
Aldegunde explains that the traditional railway environment relied on vendor-specific SCADA systems and dedicated communication protocols like SDH-PDH. The push toward IP-based networks brought undeniable benefits: open standards, multi-vendor compatibility, and lower operational costs. However, this transformation also shattered the long-held assumption of air-gapped security. SCADA systems became interconnected through middlewares, public transport data migrated to public and private clouds, and condition-based maintenance turned every component into a continuous data source. The advent of AI further multiplied both the attack surface and the available attack vectors. The key lesson, Aldegunde emphasizes, is that the IT/OT boundary is no longer a boundary—it is an interface that must be actively managed.
One of the most pressing operational challenges is patching. Unlike an email server that can be taken offline for updates, a train cannot stop running to fix a vulnerability in a signaling or door-control component. Aldegunde outlines a decision-making process that begins with assessing whether the vulnerability is exploitable and, if so, its risk to the system. If a patch exists, the goal is to integrate it into planned maintenance windows without disrupting service. If no patch is available, compensating measures—such as network segmentation, enhanced monitoring, or operational restrictions—must be implemented. New regulations like the Cyber Resilience Act (CRA) and the Network and Information Security Directive (NIS2) are pushing accountability, but adoption remains uneven. The real challenge lies in complex railway contracts where components, subsystems, and systems are managed by multiple stakeholders, making responsibility diffuse. Working groups are trying to harmonize these regulations with existing vertical standards, but progress is slow, as seen in the lack of consensus on the CRA implementation guidelines.
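The patch decision process described above (is it exploitable, what is the risk, is there a patch, can it wait for a maintenance window, and if not, which compensating measures apply) can be written down as a small triage routine. The following is an added example, not code from the article or from DNV; the risk mapping, the 14-day tolerance before interim controls become mandatory, and the set of compensating measures are assumptions chosen to illustrate the reasoning, not figures from the interview.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumption (not from the article): how long an exploitable, high-risk finding
# may wait for a planned maintenance window before interim controls are required.
MAX_WAIT_HIGH_RISK = timedelta(days=14)

# Assumed mapping from safety consequence to risk level.
SAFETY_IMPACT_RISK = {"none": "low", "degraded": "medium", "hazardous": "high"}

# Compensating measures named in the text, used when a patch cannot be applied yet.
INTERIM_CONTROLS = ["network segmentation", "enhanced monitoring"]


@dataclass
class Finding:
    component: str
    exploitable: bool        # reachable by an attacker given the current exposure?
    safety_impact: str       # "none", "degraded" or "hazardous" if exploited
    patch_available: bool


@dataclass
class Decision:
    action: str
    apply_on: Optional[date]
    compensating_controls: List[str] = field(default_factory=list)


def triage(f: Finding, today: date, next_window: date) -> Decision:
    """Return the handling decision for one vulnerability finding."""
    # Step 1: a finding that is not exploitable in this deployment is recorded
    # and re-assessed whenever the network exposure changes.
    if not f.exploitable:
        return Decision("record-and-reassess", None)

    # Step 2: rate the risk by its consequence for safe operation.
    risk = SAFETY_IMPACT_RISK[f.safety_impact]

    # Step 3a: a patch exists, so plan it for the next maintenance window.
    # If the wait is too long for a high-risk finding, bridge it with interim controls.
    if f.patch_available:
        controls = []
        if risk == "high" and (next_window - today) > MAX_WAIT_HIGH_RISK:
            controls = list(INTERIM_CONTROLS)
        return Decision("patch-in-maintenance-window", next_window, controls)

    # Step 3b: no patch exists, so compensating measures are the only option;
    # high risk additionally justifies an operational restriction.
    controls = list(INTERIM_CONTROLS)
    if risk == "high":
        controls.append("operational restriction")
    return Decision("compensate-until-patch", None, controls)


if __name__ == "__main__":
    today = date(2024, 5, 1)
    window = date(2024, 5, 31)
    finding = Finding("door-control-unit", True, "hazardous", True)
    print(triage(finding, today, window))
```

The point of the `MAX_WAIT_HIGH_RISK` check is that "wait for the maintenance window" and "apply compensating measures" are not mutually exclusive: for a high-risk, exploitable finding the interim controls are applied now and the patch is still scheduled.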
Training veteran engineers who have spent decades ensuring trains move safely is another delicate task. Aldegunde draws a parallel to the introduction of RAMS (Reliability, Availability, Maintainability, and Safety) two decades ago, which shifted the mindset from siloed engineering to systems integration. That change seemed impossible at first, but now RAMS is fundamental. The same approach can work for cybersecurity: start with people, communication, and awareness. Practitioners often come from adjacent rail disciplines—safety, signaling, communications—so leveraging that foundation is crucial. Solid, well-understood regulation is a major enabler. DNV is active in applying IEC 62443 and participating in the IEC 63452 project, as well as contributing to conformity assessment through European associations. These technical cybersecurity documents are being adopted as building blocks for Technical Specifications of Interoperability (TSIs).
Detecting an attacker who has been inside the network for months requires vigilance. Aldegunde looks for changes in OT traffic patterns, undesired component behavior, unavailability, and uncontrolled configuration changes. Systems like EDR, IDS, and SIEM are valuable, but they must be supported by skilled SOC teams and properly trained railway staff. Business continuity plans should be rehearsed under worst-case scenarios. A latent threat is complacency: when rail staff—operations, maintenance, contractors—relax their awareness, harm can occur. Weak or uncontrolled supply chains, especially involving industrial SMEs that struggle to implement security-by-design, SBOMs, or lifecycle patch management, are particularly risky.
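The four indicators listed above (changed OT traffic patterns, unavailability, and uncontrolled configuration changes, with undesired component behaviour surfacing through the same telemetry) can each be checked with a baseline and a rule. The following is an added example, not code from the article, DNV, or any SOC product; all flow, heartbeat and configuration records are constructed sample data, the device names and change-ticket identifiers are invented, and the thresholds (3 sigma for volume, 60 seconds for a missed heartbeat) are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flow records (not captured from any real network):
# (interval_index, src, dst, protocol, bytes) over ten quiet intervals.
BASELINE_FLOWS = [
    (i, "rtu-01", "scada-srv", "iec104", 12_000 + (i % 3) * 500) for i in range(10)
] + [
    (i, "scada-srv", "hist-db", "sql", 40_000 + (i % 2) * 2_000) for i in range(10)
]

# Constructed live records for the next interval.
LIVE_FLOWS = [
    (11, "rtu-01", "scada-srv", "iec104", 12_500),   # within baseline
    (11, "scada-srv", "hist-db", "sql", 41_000),     # within baseline
    (11, "rtu-01", "scada-srv", "iec104", 95_000),   # volume spike on a known flow
    (11, "eng-laptop", "rtu-01", "modbus", 3_000),   # talker never seen in baseline
]

# Constructed heartbeat records: (t_seconds, device).
HEARTBEATS = [(0, "rtu-01"), (30, "rtu-01"), (60, "rtu-01"), (90, "rtu-01"), (120, "rtu-01"),
              (0, "rtu-02"), (30, "rtu-02"), (120, "rtu-02")]   # rtu-02 goes silent

# Constructed configuration snapshots: (timestamp, device, config_hash, change_ticket).
CONFIG_EVENTS = [
    ("2024-05-01T02:00", "ixl-ctrl-1", "a1f3", "CHG-1042"),
    ("2024-05-03T14:12", "ixl-ctrl-1", "b7c9", None),        # no ticket: uncontrolled
    ("2024-05-04T01:30", "ixl-ctrl-2", "a1f3", "CHG-1043"),
]
APPROVED_TICKETS = {"CHG-1042", "CHG-1043"}   # hypothetical change-management export


def build_baseline(flows):
    """Per (src, dst, protocol) mean and population std-dev of bytes per interval."""
    per_key = defaultdict(list)
    for _, src, dst, proto, nbytes in flows:
        per_key[(src, dst, proto)].append(nbytes)
    return {k: (mean(v), pstdev(v)) for k, v in per_key.items()}


def flow_alerts(baseline, live, sigma=3.0, min_sd=100):
    """Flag flows absent from the baseline and known flows far above their usual volume."""
    alerts = []
    for interval, src, dst, proto, nbytes in live:
        key = (src, dst, proto)
        if key not in baseline:
            alerts.append(("new-flow", interval, key))
            continue
        mu, sd = baseline[key]
        # min_sd stops a perfectly regular flow from alerting on any tiny change.
        if nbytes > mu + sigma * max(sd, min_sd):
            alerts.append(("volume-spike", interval, key))
    return alerts


def availability_alerts(heartbeats, max_gap=60):
    """Flag devices whose consecutive heartbeats are further apart than max_gap seconds."""
    by_dev = defaultdict(list)
    for t, dev in heartbeats:
        by_dev[dev].append(t)
    alerts = []
    for dev, ts in by_dev.items():
        ts.sort()
        for a, b in zip(ts, ts[1:]):
            if b - a > max_gap:
                alerts.append(("unavailable", dev, a, b))
    return alerts


def config_alerts(events, approved):
    """Flag a changed configuration hash that is not backed by an approved change ticket."""
    last_hash, alerts = {}, []
    for ts, dev, h, ticket in events:
        if dev in last_hash and last_hash[dev] != h and ticket not in approved:
            alerts.append(("uncontrolled-config-change", ts, dev))
        last_hash[dev] = h
    return alerts


def run_all():
    """Run the three checks over the constructed records and return all alerts."""
    return {
        "flows": flow_alerts(build_baseline(BASELINE_FLOWS), LIVE_FLOWS),
        "availability": availability_alerts(HEARTBEATS),
        "config": config_alerts(CONFIG_EVENTS, APPROVED_TICKETS),
    }


if __name__ == "__main__":
    for kind, items in run_all().items():
        for alert in items:
            print(kind, alert)
```

None of these rules is clever on its own; the value is in having a documented baseline to compare against, which is exactly what a newly connected, decades-old signalling network tends to lack. The engineering laptop talking Modbus to an RTU is a good illustration: it is not anomalous by volume, only by the fact that the baseline never contained that pair.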
Aldegunde’s hard-won advice for his successor is simple: manage your risks. A risk-based approach is more than a starting point. He cites an uncertainty principle: attackers’ ability will always equal or exceed your own. Visibility does not equal control. The ultimate objective is resilience—systems must operate safely even under degraded or uncertain conditions. This means combining risk-based decision making, continuous monitoring, and preparedness for worst-case scenarios. As he puts it, “If we fail to prepare, we are simply preparing to fail.”
To deepen understanding, it’s worth examining how these challenges play out in practice. Consider a monorail line where an older signaling system was never designed to connect to the internet. When a vendor’s driver update inadvertently exposes a backdoor, the operator must decide whether to apply a patch that could take the line offline during peak hours, disrupt thousands of commuters, and potentially trigger contractual penalties. Without clear liability clauses, the decision often defaults to accepting the risk or implementing temporary speed restrictions. Such scenarios underscore the need for pre-defined risk thresholds and multi-stakeholder governance.
Another dimension is the human factor. A veteran engineer who can diagnose a traction motor fault by sound may have no concept of a phishing email. Training these professionals to recognize threat indicators without undermining their confidence requires a respectful, incremental approach. One effective method is to embed cybersecurity lessons into existing safety briefings, showing how a cyber incident could lead to a safety incident. Over time, this builds a cybersecurity-conscious culture without overwhelming staff with jargon.
The regulatory landscape is evolving rapidly. The CRA imposes cybersecurity requirements on products with digital elements, including many components used in railways. NIS2 extends obligations to critical infrastructure operators and their supply chains. Yet, vertical railway regulations like the TSIs sometimes clash with horizontal laws. For example, the CRA requires incident reporting within 24 hours, while railway safety investigations may take weeks. Harmonizing these timelines is an ongoing challenge. Aldegunde’s involvement in working groups aims to bridge these gaps, but he acknowledges that full alignment may take years.
Finally, the financial aspect cannot be ignored. Implementing robust cybersecurity for OT systems is expensive. SMEs in the railway supply chain often lack the resources to adopt security-by-design or produce ongoing SBOMs. Regulatory compliance may force them to pass costs to operators or exit the market, reducing competition. Policymakers must balance security improvements with economic viability. Some jurisdictions are exploring government subsidies or liability-sharing schemes to support smaller players.
In the end, the message from DNV is clear: railway cybersecurity is not a one-time fix but a continuous process of risk management, adaptation, and resilience engineering. The industry must prepare for the worst while hoping for the best, knowing that every new connection, every upgrade, and every decade-old component carries both risk and opportunity.
Source: Help Net Security News