Insight from Benoît Leridon, Transportation Segment Leader, Network Infrastructure, Nokia
One step forward, two steps back. That’s how it might sometimes feel when tackling cyberthreats against your rail communications networks. Digitalisation has transformed operations, systems, and infrastructure but it’s also increased the attack surface. Today, the risk of a cyberattack grows with each byte of data produced and transferred through these networks.
The question now is: How do we stay ahead of the cyberthreat?
The path forward is not simple. Critical applications like signalling and asset monitoring depend on robust communications networks – yet many rail systems still run on legacy infrastructure that lacks modern cybersecurity defences. Fragmented global regulations further complicate protection efforts.
And the threats themselves are evolving. From Denial-of-Service (DoS) attacks to physical sabotage – like the one that disrupted the Paris Olympics – to more sophisticated acts like the attack on Poland’s national railway that halted 20 trains, today’s risk landscape is wide-ranging and very real.
That’s why, to be most effective, the cyberthreat strategy you choose to protect your railway communications networks should focus on the five pillars outlined below.
- Secure network management systems
Management interfaces can be a major point of vulnerability. If breached, attackers can gain full network control. Here, it’s recommended that you implement best practices including secured management protocols as well as multi-factor authentication (MFA), encryption, and fine-grained, role-based management. The management platform is also key to administering security functions and managing security-related alarms.
- Strengthen network infrastructure protection
The network itself must be secured, across network availability, nodes, protocols, and software. In a multi-service network, make sure your equipment providers comply with common criteria (minimum EAL3+ level) to ensure they have a fully controlled development cycle that prioritises security.
“Secured boot” should become the norm. This approach guarantees that the software has not been tampered with to introduce malware or backdoors and that it is certified by the vendor. Other mechanisms such as the encryption of config and log files will protect against the theft of a physical asset to get information on the network.
- Protect critical applications
Attacks can strike any critical railway system, from Supervisory Control and Data Acquisition (SCADA) to asset tracking and of course signalling based on Future Railway Mobile Communication Systems (FRMCS) or Communications-Based Train Control (CBTC).
Zero-trust, including Network Access Control (NAC), is the right approach to secure a network. Application-device diversity (such as age and operating system) can make NAC challenging to implement, but other network automation-based options can provide similar protection. After authentication, controlling risks through traffic filters and rate limiting provide the necessary protection against traffic-level DoS.
Minimising the risk of an attack is critical but so is minimising its impact. This is where an IP/MPLS based network, with its capacity to provide segmentation, is crucial. Complemented by well-positioned, application-aware firewalls, these networks can protect against most threats. Encrypting your applications at the network level is also strongly recommended, regardless of whether they have built-in encryption capabilities.
- Limit external threats
Although operational technology (OT) networks are not directly connected to the internet, they can still be vulnerable. That’s why it’s critical to adopt firewalling, access controls, proxies, and secure interconnection frameworks that can help to reduce external risks to your OT networks.
- Implement strong operational policies
To further improve your security posture, prioritise regular security audits, workforce training, and real-time monitoring. It’s also essential that you comply with NIS2 (in Europe), International Electrotechnical Commission (IEC) rail standards and Informational Sharing and Analysis Centre (ISAC) recommendations. There is much operational policy guidance in NIS2 that can help ensure the protection of your communications network.
Quantum threats
Adopting this five-pillared approach to securing railway communications networks will help you address key security gaps and exposure points, ensuring resilience against evolving threats.
However, there’s another threat on the horizon: quantum computing. While not imminent and likely more of a threat to the banking sector rather than the rail industry, there is chatter about a technique called ‘harvest now, decrypt later’ (HNDL). HNDL allows bad actors to harvest and store encrypted data until quantum computing gives them the power to access the data. Therefore, look for quantum-safe encryption at the network level to proactively safeguard your applications and data against threats.
Your network is your strongest line of defence — if it’s ready
Cyberthreats are evolving, but so are the tools to counter them. By modernizing your railway communications network, you’re not only safeguarding today’s operations — you’re building a foundation that supports innovation, resilience, and trust. Let security be your enabler, not your obstacle.
Benoît Leridon is the Head of Transportation Business for Network Infrastructure at Nokia where he is responsible for global business development targeting transportation verticals. Benoit has 25 years of telecom pre-sales background covering enterprise and carrier markets for data, and voice solutions, and joined Alcatel-Lucent in 2010 after holding different pre-sales management positions in companies such as Wellfleet, Bay Networks and Nortel.
