Adapting railway sector to repel cyber threats: A critical analysis

Wahiba Erriadi; Suresh Renukappa; Subashini Suresh; Panagiotis Georgakis; Adel Almohammad; Luke Seabright

doi:10.1016/j.hspr.2025.05.002

High-speed Railway ›› 2025, Vol. 3 ›› Issue (3) : 229 -237. DOI: 10.1016/j.hspr.2025.05.002

Review article

review-article

Adapting railway sector to repel cyber threats: A critical analysis

Author information +

History +

PDF (2321KB)

Abstract

Given the unique challenges facing the railway industry, cybersecurity is a crucial issue that must be addressed proactively. This paper aims to provide a systematic review of cybersecurity threats that could impact the safety and operations of rolling stock, the privacy and security of passengers and employees, and the public in general. The systematic literature review revealed that cyber threats to the railway industry can take many forms, including attacks on operational technology systems, data breaches, theft of sensitive information, and disruptions to train services. The consequences of these threats can be severe, leading to operational disruptions, financial losses, and loss of public trust in the railway system. To address these threats, railway organizations must adopt a proactive approach to security and implement robust cybersecurity measures tailored to the industry’s specific needs and challenges. This includes regular testing of systems for vulnerabilities, incident response plans, and employee training to identify and respond to cyber threats. Ensuring the system remains available, reliable, and maintainable is fundamental given the importance of railways as critical infrastructure and the potential harm that can be caused by cyber threats.

Keywords

Cyber threats / Operations / Railway sector / Risks and safety

Highlight

Cite this article

Download citation ▾

Wahiba Erriadi, Suresh Renukappa, Subashini Suresh, Panagiotis Georgakis, Adel Almohammad, Luke Seabright. Adapting railway sector to repel cyber threats: A critical analysis. High-speed Railway, 2025, 3(3): 229-237 DOI:10.1016/j.hspr.2025.05.002

登录浏览全文

4963

注册一个新账户忘记密码

CRediT authorship contribution statement

Wahiba Erriadi: Writing – original draft, Investigation, Formal analysis, Data curation. Suresh Renukappa: Writing – review & editing, Supervision, Project administration, Conceptualization. Suresh Subashini: Writing – review & editing, Visualization, Supervision, Conceptualization. Panagiotis Georgakis: Writing – review & editing, Supervision, Methodology, Conceptualization. Adel Almohammad: Writing – review & editing, Visualization, Methodology. Luke Seabright: Conceptualization, Methodology, Writing – review & editing.

Declaration of Competing Interest

The authors declare the following financial interests/personal relationships which may be considered as potential competing interests: Luke Seabright is currently employed by Colas Rail Ltd.

References

Publishing order | Descend order by publishing year | Descend order by cited within

[1]	K. Williams, The role of the railway in Great Britain. Available at: 〈https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/955352/role-of-railway-evidence-paper-rail-review-document.pdf〉.

[2]	K. Badhesha, A. Basi, D. Fodey, Cyber-security in the rail industry. Available at: https://www.shlegal.com/docs/default-source/news-insights-documents/2019/cyber-security-in-the-rail-industry.pdf?sfvrsn=7364135b_2.

[3]	UIC, Guidelines for cyber-security in railways. Available at: 〈https://shop.uic.org/fr/autres-documents/9228-guidelines-for-cyber-security-in-railways.html〉.

[4]	S. Soderi, D. Masti, Y.Z. Lun. Railway cyber-security in the era of interconnected systems: A survey. IEEE Trans. Intell. Transp. Syst., 24(7)(2023), pp. 6764-6779.

[5]	C.M.L. Willgress, UK rail network hit by multiple cyber attacks last year. Available at:〈https://www.telegraph.co.uk/technology/2016/07/12/uk-rail-network-hit-by-multiple-cyber-attacks-last-year/〉.

[6]	M. van Gompel, Wannacry virus was 'wake-up call' for railway industry. Available at: 〈https://www.railtech.com/digitalisation/2017/12/11/wannacry-virus-was-wake-up-call-for-railway-industry/?gdpr=accept〉.

[7]	M. Hill, Danish railway company DSB suffers ddos attack. Available at:〈https://www.infosecurity-magazine.com/news/danish-railway-ddos-attack/〉.

[8]	F. Truta, Denmark’s train network frozen due to cyberattack on subcontractor. Avaiable at: https://www.bitdefender.com/en-us/blog/hotforsecurity/denmarks-train-network-frozen-due-to-cyberattack-on-subcontractor.

[9]	D. Tofan, T. Nikolakopoulos, E. Darra, The cost of incidents affecting CIIs, European Union Agency for Network and Information Security (ENISA), Heraklion, Greece. Available at: 〈https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis〉.

[10]	M. Rudner. Cyber-threats to critical national infrastructure: An intelligence challenge. Int. J. Intell. Count., 26(3)(2013), pp. 453-481.

[11]

Headmind Partners, Cybersecurity in the EU: European Commission’s strategy and legislation, Available at: https://www.headmind.com/en/cybersecurity-in-the-eu-european-commissions-strategy-and-legislation/#:~:text=The%202nd%20EU%20Cybersecurity%20Strategy%20and%20the%20NIS%20Directive%20era&text=This%20new%20strategy%20aims%20to,rights%20of%20citizens%20in%20Europe.

[12]	Cyber Security Professionals, About the NCSC. Available at: 〈https://www.ncsc.gov.uk/information/about-the-ncsc#:∼:text=The%20NCSC%20was%20set%20up,live%20and%20do%20business%20online〉.

[13]	Social Exclusion Unit, Making the connections: Transport and social exclusion.Available at: http://mtcwatch.com/pdfiles/3819-CO.pdf.

[14]	N. Liu, A. Nikitas, S. Parkinson. Exploring expert perceptions about the cyber security and privacy of connected and autonomous vehicles: A thematic analysis approach. Transp. Res. Part F: Traffic Psychol. Behav., 75 (2020), pp. 66-86.

[15]	A. Ozerov, Cybersecurity of railway command and control systems. Available at: 〈https://www.academia.edu/68076568/Cybersecurity_of_Railway_Command_and_Control_Systems〉.

[16]	K. Kimani, V. Oduol, K. Langat. Cyber security challenges for IoT-based smart grid networks. Int. J. Crit. Infrastruct. Prot., 25 (2019), pp. 36-49.

[17]	Department for Transport, Rail cyber security: Guidance to industry. Available at: 〈https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/897091/rail-cyber-security-guidance-to-industry-document.pdf〉.

[18]	P. Oman, E. Schweitzer, D. Frincke, Concerns about intrusions into remotely accessible substation controllers and SCADA systems. Available at: https://selinc.com/api/download/2592/?lang=en.

[19]	B.E. Kovacs, Cyberattack causes trains to stop in Denmark, Available at: 〈https://www.securityweek.com/cyberattack-causes-trains-stop-denmark/〉.

[20]	P.C. Evans, M. Annunziata, Industrial internet: Pushing the boundaries, General Electric Reports, pp. 488 508.

[21]	Razor Secure, Rail cyber security. Available at: 〈https://www.razorsecure.com/〉.

[22]	M. Rudner. Cyber-threats to critical national infrastructure: An intelligence challenge. Int. J. Intell. Count., 26(3)(2013), pp. 453-481.

[23]	B. Brocke, S. Charters. Guidelines for performing systematic literature reviews in software engineering. Keele, Joint Report, UK (2007).

[24]	R. Bloomfield, M. Bendele, P. Bishop, et al., The risk assessment of ERTMS-based railway systems from a cyber security perspective: Methodology and lessons learned, Reliability, Safety, and Security of Railway Systems Modelling, Analysis, Verification, and Certification, Paris, 2016.

[25]	H.M. Cooper. The structure of knowledge synthesis: A taxonomy of literature reviews. Knowl. Soc., 1(1)(1988), pp. 104-126.

[26]	National Infrastructure Commission, Infrastructure, resilience and security. Available at: 〈https://nic.org.uk/app/uploads/NIC-Infra-resilience-sec.pdf〉.

[27]	P. López-Aguilar, E. Batista, A. Martínez-Ballesté, et al., Information security and privacy in railway transportation: A systematic review. Sensors, 22(20)(2022), p. 7698.

[28]	J.V. Brocke, A. Simons, B. Niehaves, et al., Reconstructing the giant: On the importance of rigour in documenting the literature search process, The 17th European Conference on Information Systems (ECIS), AISeL, Verona, 2009.

[29]	S. Keele, Guidelines for performing systematic literature reviews in software engineering. Available at: 〈https://edisciplinas.usp.br/pluginfile.php/4108896/mod_resource/content/2/slrPCS5012_highlighted.pdf〉.

[30]	M. Schiavenato, F. Chu. PICO: What it is and what it is not. Nurse Educ. Pract., 56 (2021) 103194.

[31]	L.J. Valdivia, I. Adin, S. Arrizabalaga, et al., Cybersecurity-the forgotten issue in railways: Security can be woven into safety designs. IEEE Veh. Technol. Mag., 13(1)(2018), pp. 48-55.

[32]	R. Kour, Cybersecurity in railway: A framework for improvement of digital asset security, Doctoral dissertation, Luleå, Luleå University of Technology, 2020.

[33]	A. Thaduri, M. Aljumaili, R. Kour, et al., Cybersecurity for eMaintenance in railway infrastructure: Risks and consequences. Int. J. Syst. Assur. Eng. Manag., 10 (2019), pp. 149-159.

[34]	R. Kour, A. Thaduri, R. Karim. Railway defender kill chain to predict and detect cyber-attacks. J. Cyber Secur. Mobil., 9(1)(2020), pp. 47-90.

[35]	É. Masson, C. Gransart. Cyber security for railways—A huge challenge—Shift2Rail perspective, International Workshop on Communication Technologies for Vehicles. Springer, Cham (2017).

[36]	R. Kour, M. Aljumaili, R. Karim, et al., eMaintenance in railways: Issues and challenges in cybersecurity. J. Rail Rapid Transit, 233(10)(2019), pp. 1012-1022.

[37]	D. Unwin, L. Sanzogni. Railway cyber safety: An intelligent threat perspective. J. Rail Rapid Transit, 236(1)(2022), pp. 26-34.

[38]	M.D. Bastow, Cyber security of the railway signalling & control system, 9th IET International Conference on System Safety and Cyber Security, IEEE, Manchester, 2014.

[39]	R. Kour, A. Patwardhan, A. Thaduri, et al., A review on cybersecurity in railways. J. Rail Rapid Transit, 237(1)(2022), pp. 3-20.

[40]	I. Lopez, M. Aguado. Cyber security analysis of the European train control system. IEEE Commun. Mag., 53(10)(2015), pp. 110-116.

[41]	M. Souppaya, K. Scarfone, Guide to malware incident prevention and handling for desktops and laptops. Available at: 〈https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf〉.

[42]	National Cyber Security Centre. Available at: 〈https://www.ncsc.gov.uk〉.

[43]	I.H. Elifoglu, I. Abel, Ö. Taşseven. Minimizing insider threat risk with behavioral monitoring. Rev. Bus., 38(2)(2018), pp. 61-73.

[44]	D. Ding, Q.L. Han, Y. Xiang, et al., A survey on security control and attack detection for industrial cyber-physical systems. Neurocomputing, 275 (2018), pp. 1674-1683.

[45]	H. Zhao, X.W. Dai, L. Ding, et al., Resilient cooperative control for high-speed trains under denial-of-service attacks. IEEE Trans. Veh. Technol., 70(12)(2021), pp. 12427-12436.

[46]	N. Choudhary. The role of Safety Risk Management in the UK rail industry whendealing with cyber threats. Int. J. Safety Security Eng., 8(1)(2018), pp. 48-58.

[47]	S. Kohli, Developing cyber security asset management framework for UK rail, 2016 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (CyberSA), IEEE, London, 2016.

[48]	D. Briginshaw, Italian railway it system suffers major cyber-attack, International Railway Journal. Available at: 〈https://www.railjournal.com/infrastructure/italian-railway-it-system-suffers-major-cyber-attack/〉.

[49]	Headmind Partners, Cybersecurity in the EU: European Commission's strategy and legislation. Available at: 〈https://www.headmind.com/en/cybersecurity-in-the-eu-european-commissions-strategy-and-legislation/〉.

[50]	R. Kour, A. Patwardhan, A. Thaduri, et al., A review on cybersecurity in railways. J. Rail Rapid Transit, 237(1)(2022), pp. 3-20.

[51]

International Electrotechnical Commission (IEC), IEC 62443: Security for industrial automation and control systems. Available at: 〈https://www.iec.ch/global/search?keyword=Security%20for%20industrial%20automation%20and%20control%20systems#gsc.tab= 0&gsc.q=Security%20for%20industrial%20automation%20and%20control%20systems〉.

[52]	M.S. Khan, N. Jamil, Security requirements and practices in IEC 62443: A survey, 22nd International Multi-Topic Conference (INMIC), IEEE, Islamabad, 2019.

[53]	Y. Tang, S. Amin. A holistic cybersecurity framework based on IEC 62443 for smart city critical infrastructure. IEEE Access, 8 (2020), pp. 169778-169796.

[54]	T. Sridhar, S. Radhakrishnan, Security assessment of automation system using IEC 62443, Cyber Security in Parallel and Distributed Computing: Proceedings of the 2nd International Conference, CSPDC 2020, Coimbatore, 2020.

[55]	European Union Agency for Cybersecurity (ENISA), Cybersecurity for the railway sector. Available at: 〈https://www.enisa.europa.eu/publications/railway-cybersecurity〉.

[56]	M.P. Barrett, Framework for improving critical infrastructure cybersecurity, National Institute of Standards and Technology (NIST). Available at: https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11.

[57]

R. Bloomfield, M. Bendele, P. Bishop, et al., The risk assessment of ERTMS-based railway systems from a cyber security perspective: Methodology and lessons learned, Reliability, Safety, and Security of Railway Systems. Modelling, Analysis, Verification, and Certification: First International Conference, Paris (2016).

[58]	A. Thaduri, M. Aljumaili, R. Kour, et al., Cybersecurity for eMaintenance in railway infrastructure: Risks and consequences. Int. J. Syst. Assur. Eng. Manag., 10 (2019), pp. 149-159.

[59]	R. Kour, Cybersecurity in railway: A framework for improvement of digital asset security, Doctoral dissertation, Luleå, Luleå University of Technology, 2020.

[60]	National Cyber Security Centre, Phishing attacks: Defending your organisation. Available at: 〈https://www.ncsc.gov.uk/guidance/phishing〉 .

[61]	National Cyber Security Centre (NCSC), Standards and frameworks. Available at: 〈https://www.ncsc.gov.uk/collection/risk-management/cyber-security-risk-management-framework〉.