Abstract
In a vast country like India, which is home to approximately 144 crore people, the railway network is no less than a lifeline. Serving as the backbone of the country, Indian Railways holds the 4th position among the world’s largest rail networks. It not only serves as a mode of transport but also stimulates economic growth, bridges the social gap between different communities, and caters to critical industries, including minerals and logistics.
Over the past decade, the rail network in India, including metro systems, has seen unprecedented growth. This extensive expansion stems from the need to accommodate the increasing number of commuters in cities that act as commercial hubs, propelling the nation toward sustainable economic growth and its long-term vision of becoming a developed nation by 2047.
However, the rail infrastructure faces inherent limitations, including infrequent service, congestion, high expansion costs, and bureaucratic obstacles, which impede its capacity to efficiently serve a wider geographical area. These constraints, coupled with projected future growth and funding challenges, give rise to several industry issues related to affordability, asset sustainability, capacity, and performance.

This is where modern technological solutions, including advanced signalling systems, predictive maintenance systems, and innovative payment solutions, come into play to enhance operational efficiency and improve the overall passenger experience.
The inclusion of intricate modern digital rail infrastructure enables the safe, fast, and efficient movement of large volumes of passengers and goods between major economic centres, their catchment areas, and international gateways. However, modern digital rail systems are vulnerable to cyber-attacks, which can not only disrupt operations but also lead to massive financial losses and passenger inconvenience.
This study examines the challenges and vulnerabilities associated with digital rail infrastructure. It investigates the security threats and attack methodologies that railway operators will encounter as they increasingly digitize their operational technology systems and automate their processes. Additionally, it addresses the urgent necessity for railway operators to commence the establishment of quantum-safe networks by integrating encryption measures within a comprehensive defense-in-depth security framework.

Cybersecurity: An Integral Part of Modern Railways
Railway operators worldwide are modernizing their infrastructure by integrating digitalisation, automation, and the Internet of Things (IoT) into their operations. This transition has increased their reliance on communication networks, making them more vulnerable to cyber threats. Modern railway systems consist of interconnected digital components across onboard systems, wayside infrastructure, stations, and control centers, facilitating real-time data exchange and operational efficiency.
However, this interconnected nature exposes railway networks to risks such as data interception (eavesdropping), unauthorized access (man-in-the-middle attacks), and service disruptions (denial-of-service attacks). Ensuring cybersecurity in railway operations is necessary to maintain data integrity, system reliability, and operational safety. Implementing secure communication protocols, intrusion detection mechanisms, and network segmentation can mitigate potential threats and enhance the resilience of railway infrastructure against cyber risks. Below are some examples of cyber attacks that were executed by hackers:
- Italian Railway Ransomware Attack (March 2022): A ransomware attack on an Italian railway company disrupted real-time passenger information systems, which led to a complete halt in train operations.
- Denmark’s Supeo Ransomware Attack (October 2022): A cyberattack on Supeo, a critical railway software provider, disabled essential applications used by Denmark’s train operators, forcing a countrywide train suspension.
These incidents highlight the growing dependence of rail systems on digital infrastructure and the need for cybersecurity measures to minimize risks and ensure uninterrupted operations.
Digital Railway Infrastructure
The increasing demand for railway capacity, passenger convenience, and safety has led to the digitalization of railways. This transformation has led to a heavy reliance on digital technologies, subsequently increasing the vulnerability of railway systems to cyber threats.
Digital rail infrastructure comprises several critical components, including:
1. Signal Control System: Signal control systems combine signaling equipment, level-crossing protection, and Automatic Train Protection (ATP) systems to regulate train movement and maintain safe operating speeds. These systems enable automatic speed control. Modern rolling stock, especially in metro systems, is increasingly equipped with advanced signaling technologies such as Communications-Based Train Control (CBTC). CBTC operates through a complex network of interconnected IoT (Internet of Things) sensors that continuously collect real-time data. This data enables operators to make informed decisions, optimise train operations, and take immediate action in emergencies.
The digital infrastructure supporting IoT-driven signaling consists of several key components, including:
- Onboard and Wayside Sensors – Monitor train location, speed, and track conditions.
- Wireless Communication Networks – Facilitate data exchange between trains, control centers, and trackside equipment.
- Supervisory Control Systems – Analyse collected data and optimise train scheduling and movement.
- Edge and Cloud Computing Platforms – Store and process vast amounts of real-time data for predictive maintenance and operational efficiency.
The cybersecurity of these interconnected elements is crucial to preventing disruptions, data breaches, or malicious attacks that could compromise railway operations and passenger safety. In August 2023, for example, a group of state-sponsored hackers compromised the integrity of the Polish national railway network’s radio signaling system and then issued a false command that stopped 20 trains.
2. Integrated Passenger Information Systems (PIS)
Passenger Information Systems (PIS) are essential for real-time communication with passengers. These systems provide important details, including:
- Train schedules, expected arrival times, and delays.
- Emergency alerts and service disruptions.
- Audio-visual announcements in stations and trains.
These systems are vulnerable to attacks from hackers through various methods, including Data Manipulation Attacks, Denial-of-Service (DoS) Attacks, and Unauthorized Access. Such breaches can result in disruption at operational stations, potentially leading to substantial financial losses.
3. Smart Ticketing and Revenue Collection Systems
Modern railway ticketing has evolved from paper-based systems to digital and contactless solutions, including:
- NFC-enabled smart cards (e.g., India’s NCMC card, London’s Oyster card).
- QR-based digital tickets on mobile apps.
Cybersecurity Risks Associated with Smart Ticketing System
- Data Breaches and Privacy Violations: Ticketing systems frequently store sensitive information, including user credentials, payment details, and personal data, rendering them appealing targets for cybercriminals.
- Malware Attacks: Malware or ransomware attacks have the potential to disrupt ticketing systems, which can result in service outages, delays, and financial losses.
- Denial-of-Service (DoS) Attacks: Cybercriminals may overwhelm ticketing systems with excessive traffic, thereby rendering them inaccessible to legitimate users.
4. Cyber-Physical Control Systems (SCADA & PLCs)
- Most control centers use SCADA (Supervisory Control and Data Acquisition) systems to manage critical railway operations. These include communication networks, signal control systems, passenger information systems, and power control systems. SCADA is a centralised system used for monitoring, controlling, and automating railway infrastructure.
- Meanwhile, a Programmable Logic Controller (PLC) is an industrial computer used for automating electromechanical processes in railway systems. Both are integral parts of digital rail infrastructure.

Cybersecurity Risks
The firmware of Programmable Logic Controllers (PLCs) can contain vulnerabilities, and firmware obtained from unsecured remote repositories can be tampered with before it is installed. This creates the risk of malicious code entering the system and compromising its integrity and security.
One of the most prominent attacks on programmable logic controllers (PLCs) is Stuxnet, which was identified in 2010. This malware was specifically engineered to target supervisory control and data acquisition (SCADA) systems.
- Remote Exploits: Unprotected access points can be exploited to manipulate train speeds, disrupt operations, or shut down power grids.
- Supply Chain Risks: Vulnerabilities introduced by compromised third-party vendors can create security backdoors, which can expose critical infrastructure to cyber threats.
5. Rail Network Communication Systems (5G & Private LTE)
The adoption of 4G LTE and 5G networks has transformed the railway sector. These networks enable the efficient transmission of data at high speeds, supporting modern railway operations.
In South Korea, the Korea National Railway (KR) has implemented an extensive LTE-based railway communication network to enhance connectivity and operations.
Similarly, the National Capital Region Transport Corporation (NCRTC) is deploying a 700 MHz private LTE network for the Delhi-Meerut Regional Rapid Transit System (RRTS). This network is intended to support voice and data communication, as well as facilitate signaling through the European Train Control System (ETCS) Levels 2 and 3 and Automatic Train Operation (ATO) functionalities.
However, these systems are vulnerable to the following cyber threats:
Unauthorised Access & Network Intrusions
- Weak Authentication Mechanisms: Rail networks often use SIM-based authentication for LTE/5G access. If SIMs are cloned or compromised, attackers can gain unauthorized access to the railway’s core network.
- Insufficient Mutual Authentication (MA) between network components (UE, eNodeB, Core) can allow rogue base stations to intercept communications.
Data Interception & Spoofing Risks
- Man-in-the-Middle (MitM) Attacks on LTE/5G Links: Unprotected railway network endpoints can allow attackers to intercept or modify GTP-C (GPRS Tunneling Protocol-Control) messages.
- LTE’s Paging Message Injection vulnerability can be exploited for location tracking and session hijacking.
Signaling Spoofing in ETCS & CBTC Networks:
- ETCS Levels 2 and 3 use GSM-R and LTE-based signaling. Attackers can exploit the Diameter signaling protocol to inject false movement authorities, which can lead to incorrect braking or acceleration commands.
- CBTC (Communications-Based Train Control) relies on continuous wireless communication; a spoofed access point can introduce incorrect train positioning data, causing potential derailments.
Big Data in Railways
Big data in railways originates from connected components that feed intelligence to the rail system. The entire big data infrastructure consists of cyber-physical systems, the Internet of Things (IoT) and cloud computing, which, when combined, form ‘smart railways’. The goal of railway big data is to make predictive algorithms possible from diverse data sources, scalable data structures, real-time communications, and visualisation methods.
Potential Vulnerabilities of Big Data Solutions in Railways
- The growing interconnectedness of railway systems facilitated by Internet of Things (IoT) devices introduces vulnerabilities to cyber threats, including ransomware attacks, which have the potential to disrupt operational activities.
- Furthermore, the collection and analysis of substantial volumes of data, particularly pertaining to passenger information, raises privacy concerns related to data breaches and unauthorized access.
Intrinsic Risks to Data Confidentiality, Integrity, and Availability
Railway operators encounter three primary security risks when transmitting operational data over wide-area networks (WANs). The first is unauthorised access to data, which affects confidentiality. The second is data modification or tampering, which impacts integrity. The third is unauthorised interaction with connected devices and management systems, potentially affecting system availability.
To address these challenges, railways require security measures that ensure the confidentiality, integrity, and availability (CIA) of critical operational data and systems.
The Basic Cyber Threats to Railway Communication
- Eavesdropping for Harvest Now, Decrypt Later (HNDL): In this type of attack, an unauthorised entity intercepts communication between two parties, such as messages exchanged between the operations control center and a field asset like an interlocking (IXL) unit. The “Harvest Now, Decrypt Later” (HNDL) attack is a growing concern as quantum computing advances. Hackers, even without immediate access to a cryptographically relevant quantum computer (CRQC), can intercept and store encrypted railway communications for future decryption. By tapping into fiber networks between railway control centers, bad actors could accumulate vast amounts of encrypted data. This could lead to targeted cyberattacks against railway infrastructure, exposing vulnerabilities in operational control systems.
- Man-in-the-Middle (MITM) Attack: An MITM attack goes beyond eavesdropping by not only intercepting communications but also modifying them. Railway interlocking (IXL) systems, which control signaling and switching equipment, are critical to operational safety. However, cybercriminals can exploit vulnerabilities to conduct Man-in-the-Middle (MITM) attacks by injecting spoofed commands that manipulate signals or track switches. By mimicking legitimate data traffic, attackers could alter train routes, create dangerous situations, or even cause collisions.
- Denial-of-Service (DoS) Attack: A Denial-of-Service (DoS) attack on a railway Traffic Management System (TMS) can cripple train operations by overwhelming critical control centers with an excessive volume of fake data traffic. If communication with the TMS lacks strong encryption or is vulnerable to quantum decryption, attackers can inject massive amounts of malicious traffic disguised as legitimate data exchanges. This could cause severe congestion in server networks, which can reduce the availability of TMS applications and obstruct the railway operator’s ability to efficiently manage train movements.
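The DoS scenario above is, at the network edge, a rate problem: one source sends far more messages than any legitimate peer. The following Go program is an added example (not from the original text and not any operator's code) of the simplest detection logic a control centre could run over its ingress log. The log format, the source names, the threshold of 5 messages per second, and the flooding address are all constructed for the demonstration; a real deployment would derive the threshold from each source's observed baseline.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed TMS ingress log (not real operator data). Each line is
// "<RFC3339 timestamp> <source> <message type>". Two legitimate sources send
// at a steady rate while one unknown address floods the control centre.
const sampleLog = `
2025-01-10T08:00:00.100Z OCC-NORTH TRAIN_STATUS
2025-01-10T08:00:00.150Z 10.20.5.77 TRAIN_STATUS
2025-01-10T08:00:00.200Z 10.20.5.77 TRAIN_STATUS
2025-01-10T08:00:00.250Z 10.20.5.77 TRAIN_STATUS
2025-01-10T08:00:00.300Z IXL-07 ROUTE_ACK
2025-01-10T08:00:00.350Z 10.20.5.77 TRAIN_STATUS
2025-01-10T08:00:00.400Z 10.20.5.77 TRAIN_STATUS
2025-01-10T08:00:00.450Z 10.20.5.77 TRAIN_STATUS
2025-01-10T08:00:00.600Z OCC-NORTH TRAIN_STATUS
2025-01-10T08:00:00.700Z 10.20.5.77 TRAIN_STATUS
2025-01-10T08:00:00.900Z 10.20.5.77 TRAIN_STATUS
2025-01-10T08:00:01.100Z IXL-07 ROUTE_ACK
2025-01-10T08:00:01.300Z 10.20.5.77 TRAIN_STATUS
`

// Event is one parsed log line.
type Event struct {
	Time   time.Time
	Source string
	Kind   string
}

// ParseLog parses the three-field log format, skipping blank lines and
// rejecting malformed ones instead of silently dropping them.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		t, err := time.Parse(time.RFC3339Nano, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		events = append(events, Event{Time: t, Source: f[1], Kind: f[2]})
	}
	return events, sc.Err()
}

// FloodAlert reports a source that exceeded the rate limit in one window.
type FloodAlert struct {
	Source      string
	WindowStart time.Time
	Count       int
}

// DetectFloods counts messages per source in fixed (tumbling) windows and
// flags every source whose count exceeds maxPerWindow. Alerts are sorted by
// window start and then source so the output is deterministic.
func DetectFloods(events []Event, window time.Duration, maxPerWindow int) []FloodAlert {
	type key struct {
		start  time.Time
		source string
	}
	counts := map[key]int{}
	for _, e := range events {
		counts[key{e.Time.Truncate(window), e.Source}]++
	}
	var alerts []FloodAlert
	for k, n := range counts {
		if n > maxPerWindow {
			alerts = append(alerts, FloodAlert{Source: k.source, WindowStart: k.start, Count: n})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		if !alerts[i].WindowStart.Equal(alerts[j].WindowStart) {
			return alerts[i].WindowStart.Before(alerts[j].WindowStart)
		}
		return alerts[i].Source < alerts[j].Source
	})
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	// The threshold is an assumption for the demo, not an operator setting.
	for _, a := range DetectFloods(events, time.Second, 5) {
		fmt.Printf("FLOOD source=%s window=%s count=%d\n",
			a.Source, a.WindowStart.Format(time.RFC3339), a.Count)
	}
}
```

Run as-is and the program reports a single flood: the constructed address 10.20.5.77 with 8 messages in the 08:00:00 window, while OCC-NORTH and IXL-07 stay under the limit. Tumbling windows were chosen over a sliding window because they are cheap enough to run on every ingress packet, which matters for the real-time constraint the text raises for railway control traffic.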
Protecting In-Flight Data with Encryption
In-flight data refers to data that is actively being transmitted between two points in a network. Railway networks use digital communication to send important information between trains, control centers, and other systems. However, this data can be at risk from cyber threats like eavesdropping, data tampering, and unauthorized access. To protect it, rail operators use encryption, which is a way of scrambling data so only authorized people or systems can read it.
Cryptography Techniques in Railway Networks
Cryptography involves algorithmic methods to protect data during transmission. There are three primary cryptographic techniques used today: hash functions, public key encryption, and pre-shared symmetric key encryption.
- Hash Functions: Hash functions are mathematical algorithms like MD5, SHA-1, and SHA-2 that take an input message and generate a unique, fixed-length output. This output, or hash value, is designed to represent the original message.
- Objective: The primary purpose of a hash function is to authenticate received messages and verify that they have not been tampered with during transmission.
- Note: Hash functions can confirm whether the data has been altered, but they cannot protect the actual content of the message itself.
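To make the authentication objective concrete, here is an added Go example (not from the original text, and not the code of any signaling vendor) that protects a control-centre-to-interlocking command the way the man-in-the-middle discussion above requires. It assumes a keyed construction, HMAC-SHA256, rather than a bare hash: an unkeyed digest can simply be recomputed by whoever alters the message, so it detects accidental corruption but not deliberate tampering. The command text, the IXL identifier and the shared key are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuthenticatedCommand carries a plaintext command and its keyed tag.
// The command stays readable (a hash provides integrity, not confidentiality).
type AuthenticatedCommand struct {
	Command string
	Tag     string // hex-encoded HMAC-SHA256 over Command
}

// Sign computes the HMAC tag under the key shared by sender and receiver.
func Sign(key []byte, command string) AuthenticatedCommand {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(command))
	return AuthenticatedCommand{Command: command, Tag: hex.EncodeToString(mac.Sum(nil))}
}

// Verify recomputes the tag and compares it in constant time, so a forged
// tag cannot be guessed byte by byte through timing differences.
func Verify(key []byte, ac AuthenticatedCommand) bool {
	expected, err := hex.DecodeString(ac.Tag)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(ac.Command))
	return hmac.Equal(expected, mac.Sum(nil))
}

// PlainHash is the unkeyed SHA-256 digest; it is included only to show that
// anyone who changes the command can also recompute it.
func PlainHash(command string) string {
	sum := sha256.Sum256([]byte(command))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Hypothetical pre-shared key; a real one is random and at least 32 bytes.
	key := []byte("constructed-demo-key")
	genuine := Sign(key, "IXL-07 SET_ROUTE R12 SIGNAL S4 PROCEED")
	fmt.Println("genuine command verifies:", Verify(key, genuine))

	// An intermediary alters the command but cannot produce a matching tag.
	tampered := genuine
	tampered.Command = "IXL-07 SET_ROUTE R12 SIGNAL S4 STOP"
	fmt.Println("tampered command verifies:", Verify(key, tampered))

	// With an unkeyed hash the intermediary just recomputes the digest.
	fmt.Println("unkeyed digest of tampered command:", PlainHash(tampered.Command))
}
```

The receiver side should also reject replays (a genuine, correctly tagged command captured earlier and resent), which HMAC alone does not prevent; a sequence number or timestamp inside the signed command text is the usual addition.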
- Public Key Encryption (Asymmetric Encryption / PKI): Public key encryption, also known as asymmetric key encryption or Public Key Infrastructure (PKI), relies on two distinct keys: a public key and a private key. The public key is shared openly and can be used by anyone to encrypt a message intended for the key’s owner. After receiving the encrypted message, the recipient uses their private key to decrypt it.
- Algorithm: This technique utilises common algorithms like RSA (Rivest–Shamir–Adleman) and Diffie–Hellman, the latter of which includes an elliptic curve variant known as ECDH (Elliptic Curve Diffie–Hellman). These algorithms are vital components in protocols such as Transport Layer Security (TLS) and HTTPS, which are widely used to secure online communications.
- Objective: This system allows secure communication even over untrusted networks since only the recipient can decrypt the message using their private key.
- Symmetric Key Encryption (Pre-Shared Keys): Symmetric key encryption uses the same key for both encryption and decryption of data. This key is known as the session association key (SAK) and is shared between the sender and the recipient before any communication takes place, typically through a secure channel. The security of symmetric key encryption depends on the strength of the key used and the randomness, or entropy, of the key generation process. The longer and more complex the key, the more secure the encryption.
- Algorithm: One of the most widely used algorithms in symmetric encryption is the Advanced Encryption Standard (AES), which comes in several variations such as AES-128, AES-192, and AES-256.
- Note: Since sharing this key safely is tricky, another layer of encryption (Key Encryption Key) is used to protect it.
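The two symmetric-key ideas in this section, a session key (SAK) that encrypts the in-flight data and a key encryption key (KEK) that protects the SAK while it is distributed, can be shown in a few dozen lines. The Go program below is an added example and not the original text's or any vendor's code. It uses AES-256-GCM, which encrypts and authenticates in one step, so tampering with the ciphertext is detected as well as prevented from being read. Wrapping the SAK with the same GCM construction under the KEK is an assumption chosen for simplicity; the telemetry string and header are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD; aes.NewCipher rejects keys that are not
// 16, 24 or 32 bytes, so AES-128/192/256 are selected by key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and prepends a fresh random nonce.
// The associated data (for example a message header) is authenticated
// but sent in the clear.
func Seal(key, associated, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, associated)...), nil
}

// Open splits off the nonce and decrypts. Any change to the nonce, the
// ciphertext or the associated data makes the authentication tag fail.
func Open(key, associated, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, associated)
}

// WrapSAK protects a session key under the KEK for distribution and
// UnwrapSAK recovers it; a fixed label as associated data binds the
// ciphertext to its purpose.
func WrapSAK(kek, sak []byte) ([]byte, error)       { return Seal(kek, []byte("SAK-wrap"), sak) }
func UnwrapSAK(kek, wrapped []byte) ([]byte, error) { return Open(kek, []byte("SAK-wrap"), wrapped) }

// RandomKey draws a 256-bit key from the operating system's entropy source,
// which is the "randomness of the key generation process" the text refers to.
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func main() {
	kek, _ := RandomKey() // long-lived key shared out of band (assumption)
	sak, _ := RandomKey() // per-session key

	wrapped, _ := WrapSAK(kek, sak)
	recovered, _ := UnwrapSAK(kek, wrapped)
	fmt.Println("SAK recovered from wrap:", bytes.Equal(recovered, sak))

	header := []byte("TRAIN-2201 telemetry v1") // constructed, sent in clear
	sealed, _ := Seal(sak, header, []byte("speed=78km/h pos=km142.3 brake=released"))
	plain, err := Open(sak, header, sealed)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)

	// Flip one ciphertext byte: GCM's tag check rejects the message.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(sak, header, sealed)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The nonce must never repeat under the same key, which is why a fresh SAK per session (and a nonce counter or random nonce per message) matters as much as the key length; AES-256 rather than AES-128 is the usual choice when the Grover-style halving discussed later on the page is taken into account.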
Quantum Computing: The Next Big Threat to Cybersecurity
The advent of quantum computing has emerged as a critical challenge for traditional cryptographic security. The existing encryption methods are effective in protecting communications in railway networks today; however, quantum computers have the potential to break these protections.
Quantum Computing vs Conventional Computing
Traditional computers process data using binary bits (0s and 1s); on the other hand, Quantum computers use quantum bits, or qubits. In simple words, qubits work on quantum principles such as superposition and entanglement, which enables them to perform multiple calculations simultaneously. This parallelism enables quantum computers to solve complex calculations exponentially faster than classical systems.
- Shor’s Algorithm and the Threat to Public Key Encryption: One of the biggest concerns in quantum cryptography is Shor’s algorithm, which efficiently solves integer factorization and discrete logarithm problems. It can easily break widely used encryption schemes like RSA and Diffie–Hellman (including its elliptic curve variant, ECDH).
- Grover’s Algorithm: Quantum computing also threatens symmetric encryption through Grover’s algorithm, which accelerates the search for encryption keys and reduces their security strength by half.
- For instance, AES-128 encryption is considered highly secure against classical attacks, but its security would be reduced to the equivalent security of AES-64 in a quantum-powered attack.
As quantum computing continues to evolve, railway operators have to be proactive to protect their networks from threats of future. Upgrading to post-quantum cryptography, enhancing encryption processes, and integrating sophisticated cybersecurity tactics are paramount in maintaining operational integrity.
Increasing Cyber Attacks In The Last Decade
A 220% increase in railway-associated cyberattacks has been observed over the last five years, according to Col. Cedric Leighton, CNN Military Analyst; USAF (Ret.); Chairman, Cedric Leighton Associates, LLC.
2015
- Ukraine – DoS Attack: In Ukraine, an Advanced Persistent Threat (APT) targeted power stations, mining, and railway infrastructure, aiming to disrupt critical systems by disabling industrial control systems (ICS).
2016
- United Kingdom – Intrusion & Reconnaissance Operation: Between July 2015 and July 2016, four cyberattacks were executed on the UK railway network, likely as part of reconnaissance for a future APT attack.
2017
- Germany – Ransomware (WannaCry on Deutsche Bahn): Deutsche Bahn was impacted by WannaCry ransomware. The attack caused failures in passenger information displays, though train services remained operational.
2018
- Denmark – DDoS Attack: On April 13, DSB, the Danish state rail operator, experienced a Distributed Denial-of-Service (DDoS) attack, which disrupted its network connectivity. As a result, 15,000 passengers were unable to purchase tickets through ticket machines, mobile apps, or station kiosks.
2020
- United Kingdom – C3UK Data Breach: In early 2020, C3UK, a provider of free Wi-Fi services at UK railway stations, left a database unsecured online, which exposed the personal data of approximately 10,000 passengers. The exposed database contained 146 million records, including dates of birth, email addresses, and travel plans.
2021
- Switzerland – Ransomware Attack on Stadler Rail: Hackers stole sensitive data from the Swiss train manufacturer Stadler Rail, demanding ransom and threatening to release the information if it was not paid.
2022
- Denmark – Cyber Attack on Danish State Railways: Hackers breached an IT subcontractor’s software testing environment, causing a major train network breakdown.
- India – Data Breach (December 2022): A data breach on December 27, 2022, compromised the personal data of approximately 30 million individuals associated with Indian Railways.
2023
- Israel – Phishing Attack on Railway Electrical Infrastructure: Iranian hackers targeted Israel’s railway network through a phishing campaign which hit the electrical infrastructure, attempting to disrupt operations.
- Poland – Radio Signaling System Hack (August 2023): Hackers exploited an unencrypted communication link in the radio signaling system, issuing unauthorized stop commands that disrupted the movement of over 20 trains.
2025
- Ukraine – Cyberattack on Railway Ticketing System (March): The Ukrainian government attributed a cyberattack on 23 March 2025 to Russian-backed hackers. The attack disrupted Ukrzaliznytsia’s online ticketing system.
Cyber Security Challenges & Measures for Railway Operators
The cybersecurity challenges in the railroad industry arise from the complexity, scale, and critical nature of rail systems.
- Real-Time Requirements: Rail operations rely on real-time monitoring and control, which requires cybersecurity measures that do not introduce latency or disruptions.
- Legacy Systems: Most of India’s rail network continues to operate on outdated technology that was not designed with cybersecurity in mind. These legacy systems often have vulnerabilities that are difficult to patch, making them prime targets for cyber threats. This highlights the need to transition from older systems to modern, secure infrastructure to enhance cybersecurity and operational resilience.
- Network Complexity: Indian Rail network is very vast and interconnected, which involves multiple subsystems like signaling, control, communications, and passenger information systems. This complexity makes it difficult to monitor and secure all components.
- Adopting Predictive Security Measures: Railways must transition from reactive security approaches to proactive threat anticipation. With the help of AI and Machine Learning models rail operators can detect the anomalies and potential cyberattacks before they occur. This can mitigate the risk of costly downtime and breaches.
- Securing the Supply Chain: Signaling systems and data management software are critical components of digital infrastructure. However, railway systems depend on third parties for the procurement of these systems. Railway operators must scrutinize the cybersecurity practices of their vendors to ensure end-to-end security across the entire supply chain.
- Industry-Wide Cybersecurity Collaboration: Successful railway cybersecurity needs collaboration between operators, cybersecurity companies, regulatory agencies, and other stakeholders. Through the exchange of threat intelligence, the implementation of common security standards, and collaboration on cybersecurity efforts, the sector can strengthen its defenses against constantly changing cyber threats.
Conclusion
As the railway infrastructure undergoes digital transformation, cybersecurity has emerged as an essential support in facilitating secure and efficient operations. The adoption of IoT, AI, and cloud-based control systems has optimized railway infrastructure while presenting vulnerabilities for cybercriminals to attack. Collaboration between rail operators, cybersecurity experts, and regulatory bodies is also essential to implementing global cybersecurity standards and ensuring resilience against cyber threats. As cyber threats grow more sophisticated, railway authorities need to remain one step ahead by embracing next-generation cybersecurity infrastructures and multi-layered defense mechanisms. A secure rail infrastructure is not merely a technological requirement; it is crucial for the safety of the people, the efficiency of operations, and the future of smart transportation.