How to keep train security on track

  • Writer: ESET Expert
  • 11 hours ago
  • 7 min read


The arrival of threat actors on the railway scene may cause some lengthy delays and several late departures.


Trains are strategic elements of state infrastructure, especially in the U.S., which has the longest total rail network in the world. While mostly focused on freight, it provides around 167,000 jobs. A legacy of the industrial revolution, trains bring benefits in the form of more efficient logistics, delivered via both lower transport costs as well as reduced road congestion, among others.


However, many of these benefits have been put in increasing jeopardy in the last five years as cyberattacks against railways have increased by around 220%. Railway systems in places like Ukraine or Poland are also being tested as threat actors force operators to secure their progressively digitized systems, increasing the convergence of OT and IT, and enabling easier access to train and rail control systems.


Key points of this article:


  • Recent cybersecurity advisories, cyberattacks on sensitive railway systems, and industrial malware highlight rail’s vulnerable nature.


  • Outdated protocols, frameworks, and devices present novel risks in an environment that often mixes infrastructure more than a century old with modern digital control systems; the overlap between the two creates an exploitable opening for threat actors.


  • Sadly, upgrades are costly and made more difficult by the rail system’s many bureaucratic factors, which slow down investment and undermine both supply-chain efficiency and security.


  • Via smart budgeting, guided by a tailored risk management strategy, responsible managers can cover the diverse strata of railway devices and protocols (with air-gapping, threat intelligence, and/or Managed Detection and Response), and state-owned or private enterprises can enjoy a more secure delivery of passengers and freight.


Railways: Endangered arteries of a country

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory (ICSA-25-191-10) regarding a vulnerability in the End-of-Train Device (ETD) and Head-of-Train Remote Linking Protocol, which could enable attackers to “send their own brake control commands to the end-of-train device causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure.”

Sound familiar? Yes, in 2023, Polish State Railways got spoofed by hackers when they sent an unauthorized radio-stop signal to trains in the northwest of Poland. As many as 20 trains were brought to a standstill — befuddling railroad engineers and rail traffic controllers. Apparently, the spoofing, or radio impersonation, was done with a cheap radio transmitter, made easier by the railway communication network’s legacy infrastructure.

The implications of this vulnerability are twofold. One, the internet-connected nature of ETDs invariably exposes them, and two, the frameworks that are supposed to oversee the security of these devices are completely outdated. This isn’t a surprise; critical infrastructure is difficult and costly to modernize — any investment needs to have long-term viability, especially when paid for or subsidized by a state body.


According to ESET telemetry, globally, the transportation sector is among the most targeted industries by threat actors. (Source: ESET APT Activity Report Q2 2025–Q3 2025)

However, when key companies (like manufacturers or large agribusiness firms) and both civilian and military logistics rely on rail infrastructure, they are left open to interference and sabotage, inherently reducing a state’s ability to respond to crises. For context, see how important the rail system in Ukraine is, with both sides fighting to control key infrastructure as a means to secure efficient delivery of military personnel, supplies, and equipment.

A costly bureaucratic furnace

What makes the security situation for railways even worse (compared to other critical sectors like manufacturing) are the difficulties they face in agile management. Learning to shift cybersecurity posture readily is no small feat when the prevailing regulatory and life cycle management of rail assets is measured in multiple decades, not to mention the low visibility into suppliers’ security posture. Ultimately, becoming more agile means insulating the discussion around security posture from the bureaucracy, incremental change, and lack of budget that prevent operational woes from being addressed rapidly. Doing so successfully means moving security forward without disrupting the flow of people and goods.


As an example, reportedly only 1.6 percent of the German rail network is equipped with a secure European Train Control System (ETCS). The federal government’s plan is to fix this by 2040; however, that might be a tall order, seeing as it would require massive spending and coordination between the federal government, related industries, and German states to effectively rebuild the entire network — a network that has faced decades of underinvestment, resulting in erosion of services and infrastructure.


With the cost of an ETCS upgrade operation having doubled between 2018 and 2022, a retrofit costing around €337,000 per vehicle (in Czechia), and a fleet-wide retrofit possibly costing £33 million (based on a UK estimate for the Thameslink Class 700 fleet), securing trains ain’t cheap. Subsidies can of course play a role, but millions in spending are still on the table, all of which requires approvals (depending on who owns the infrastructure) by multiple authorities — yielding delays upon delays.

Stopping railway stoppage

Obviously, the bureaucratic factor cannot be done away with unless a state-operated railway has direct control over the budget allocated to it by government. Even for private railway operators like those in the United Kingdom or the Slovak Republic, changes to railway network operation require high-level permissions.


From a certain point of view this makes sense: the number of railroads is limited, and infrastructure needs to stay flexible enough not to alter existing operations. For national railway companies, budgets also need to fit into planned annual government spending, with strict allocations per sector.


Realigning the tracks

You might ask then: “How can I convince budget-holders about our security needs when my options are so limited?” The answers are simple:


  • Sell security as a national priority: With railways acting as focal points of cross-country transport, and seeing how critical railways are for states in conflict and crisis, budget holders must understand that increased security spending to upgrade decaying and insecure infrastructure must be a priority. If railways are secure by design, leadership can rest assured that they won’t have to face accountability at a prime minister’s or president’s hands for failing to keep their operations running, even during a crisis.


  • Maintenance isn’t just about service: As is already the practice at some aviation companies, railways have to treat IT spending (including security upgrades) as a separate line in their annual reporting. Security is just as important as parts replacement; neglecting either can, in the worst-case scenario, cause the loss of human life.


  • Work across industries: Railways, in some respects, are more important than roads. They’re capable of transporting massive amounts of goods in a relatively short time frame. In the U.S. alone, rail accounts for around 40% of long-distance freight ton-miles, feeding industries and the populace. Thus, it’s in the interest of these companies and the government to keep this relationship alive, as the results of poor rail security can lower factory output, damage goods (like food, military equipment, parts, and more), and ultimately impact a country’s economic outlook.


  • Stress compliance: Big factors these days are cyber insurance and regulations, which, especially in the European Union under NIS2, require comprehensive risk management for the transport sector. If essential entities are found non-compliant, enforcement may follow, including fines of up to €10 million or 2% of the company’s total worldwide annual turnover in the previous financial year, as well as personal liability for top management. This is true regardless of whether a company is public or private. Hence, even national railways can find themselves under scrutiny, which is a great argument for better security budget allocations to prevent future compliance troubles.

Similar rules are also present in the U.S., where the Transportation Security Administration’s (TSA) Cyber Directive for Freight & Passenger Railroad Carriers from October 2022 details required security outcomes.

Railroads switching to the secure track

Making your railway security budget actionable in this recession-boding economic landscape could be difficult, but all it takes is to find the right solutions tailored to your industry, which, depending on your in-house resources, can be:


  • Air-gapping and network segmentation: While not 100% secure, as demonstrated by ESET Research, this approach to separating OT and IT systems can play a critical role in keeping systems such as train switches secure even after one of them has been exploited by a threat actor, because it limits the attacker’s options to spread across your environment.


  • Patch management: An easy method to close security gaps is to employ automatic patching, which proactively remediates known vulnerabilities for you.


  • Open XDR: Any high-quality SOC could do well with an extended detection and response (XDR) platform that is capable of ingesting data from multiple sources for a more accurate overview of the active threat surface. Especially with multiple OT devices in use (on or off trains and machinery), coalescing their security status could prove difficult without integrating them into a single security console, which Open XDR should easily provide.


  • MDR or MXDR: A step up from in-house resources is managed detection and response (MDR) services, which add human expertise and machine intelligence, resulting in a fast (6-minute with ESET MDR) resolution time per incident. Even companies with fully equipped SOCs can multiply their capabilities thanks to tailored 24/7 coverage and expert-activated threat intelligence.


  • Threat intelligence: TI turns reactive defense into proactive protection. Instead of waiting for an attack to succeed, railway operators can use TI to identify which threats are most likely to target their systems, understand attackers’ tactics, and apply defenses where they matter most. This means limited budgets are spent on real, current risks rather than hypothetical ones.


Full steam ahead

Railways have long represented a stable yet constantly moving part of a state’s critical infrastructure, the disruption of which could cause delays in the important movement of supplies, goods, and people. Countries like Ukraine show that especially during a crisis, trains prove to be a lifeline for survival and are in fact worthy of cybersecurity investment.


Thus, unless railway company leadership and budget holders understand that security is now as important as running express trains on schedule, they might be in for a lot of headaches.

