Guest Writer article by David Muse, Chief Technical Architect at Petards Rail Solutions.
Cybersecurity is no longer a back-office concern – it is now a frontline issue for the entire rail sector. As rail systems become increasingly digitised, interconnected, and data-driven, the risks posed by cyber threats are escalating rapidly. From train control and signalling to real-time passenger information and remote maintenance systems, every digital touchpoint is a potential entry vector for attackers. The consequences of a cyber breach in the rail domain go far beyond data loss – they can disrupt services, impact safety, and undermine public trust in what is considered critical national infrastructure.
The scale and severity of the threat landscape are starkly illustrated in the Cyber Security Breaches Survey 2025, a government-backed study conducted by the Department for Science, Innovation & Technology and the Home Office. The report estimates that, in the 12 months to April 2025:
• UK businesses experienced an estimated 8.58 million cybercrimes.
• Among victims, the average business suffered 30 cyber incidents across all types.
For the rail industry – where operational technology (OT) systems interface with IT networks, and digital systems control the movement of trains and people – these figures are a wake-up call. The sector cannot rely solely on physical security or legacy safety protocols. Instead, it must embrace a cybersecurity mindset that spans every asset, from onboard systems and trackside equipment to enterprise IT and third-party integrations.
In this article, we explore how the rail industry can rise to the challenge, tackling emerging cyber threats, securing legacy infrastructure, and building digital resilience for the future of rail.
Rail is designated as critical national infrastructure because it plays a central role in maintaining the UK’s economic stability, public safety, and national connectivity. It enables the daily movement of millions of passengers and the efficient transport of goods, including essential supplies such as food, fuel, and medical equipment. Rail networks support commuter mobility, reduce road congestion, and underpin the operation of other critical sectors such as healthcare, energy, and emergency services. A major disruption to rail services – whether caused by cyber-attacks, system failures, or physical events – can have widespread consequences, not only for economic productivity but also for public confidence and safety. As such, the rail sector is recognised under the UK’s Critical National Infrastructure (CNI) framework and is subject to specific regulations and protections to ensure its resilience against evolving threats.
Despite the high stakes, only a few cyber incidents targeting UK rolling stock or rail infrastructure have been publicly documented. Notable cases include:
- 2015–2016: Multiple network intrusions – Cybersecurity firm Darktrace revealed that the UK rail network suffered at least four cyber intrusions within a 12-month period. These breaches appeared exploratory rather than disruptive – hackers infiltrated railway IT systems (including information displays and possibly control systems) but did not cause service outages. The incidents raised alarm because access to critical management systems (e.g. those controlling signals and trains) was demonstrated, highlighting the real possibility of hackers causing damage if they had malicious intent. UK officials stressed that rail operators were strengthening security as more rail technology goes digital.
- April 2021: Merseyrail ransomware attack – Merseyrail, a regional UK train operator, was hit by a LockBit ransomware attack in early 2021. The attackers compromised internal systems and hijacked a director’s corporate email account to publicise the breach. In an email sent to staff and media, the hackers (posing as the Merseyrail director) revealed that a weekend IT outage had been caused by ransomware and that employee and customer data had been stolen. Merseyrail confirmed the cyber-attack and notified the authorities. While train operations continued (the outage was brief and confined mainly to IT systems), the incident underscored the risk of ransomware in rail and led to an investigation. (Financial costs were not disclosed, but the attack would have incurred recovery expenses and, given the data theft, exposed the operator to regulatory scrutiny.)
- July 2021: Northern Trains ticketing system – In mid-2021, a cyber-attack struck Northern Trains’ newly installed ticket vending machines across its network. A ransomware infection took the machines offline for about one week, forcing passengers to use alternative payment methods. The ticket machines (which had cost £17 million to install) could not vend tickets during the outage. While this attack did not affect train movement or safety, it disrupted ticket sales and potentially led to revenue loss and customer inconvenience. Northern Trains and government agencies treated it as a serious incident, given that it directly targeted rail infrastructure hardware used by the public.
- September 2024: Station Wi-Fi “cyber vandalism” – An unusual attack occurred in 2024 when public Wi-Fi networks at 19 major UK railway stations were compromised to display an extremist message. Users who connected to free Wi-Fi at stations (including London Bridge, Euston, Manchester Piccadilly, etc.) saw an Islamophobic terror-alert message. Investigation found that an account belonging to an insider at the third-party Wi-Fi provider was used to deface the captive portal page (an “unauthorised change” made through a legitimate admin login, not an external break-in). In response, Network Rail suspended the station Wi-Fi service for several days as a precaution while the issue was fixed. No personal data was compromised and train operations were unaffected, but the incident highlighted a security gap in passenger-facing systems and caused public alarm until resolved.
Industry experts and academics warn that cyber threats to UK rolling stock are growing as rail systems become more digitised and connected. Risk assessments by the Department for Transport (DfT), National Cyber Security Centre (NCSC), and rail regulators outline several potential vulnerabilities and attack scenarios that could impact trains and rail infrastructure:
Key vulnerabilities in modern rolling stock systems
- Onboard control systems & signalling: The shift to digital train control (e.g. the European Rail Traffic Management System, ERTMS) introduces new attack surfaces. Security researchers have cautioned that advanced malware could target signalling or onboard computers to manipulate train behaviour – for instance, sending false speed data or signal aspects. A successful compromise could theoretically cause collisions or derailments by overriding safety protocols. Professor David Stupples (UK Government advisor) noted that clever malware in an ERTMS-based system might trick a train into misjudging its speed or braking, creating a risk of accident. While these safety-critical networks are isolated and “well protected from outside attacks,” the greatest threat may come from insiders (disgruntled or bribed staff/contractors) introducing malware or malicious updates into train control systems.
- Remote diagnostics and maintenance links: Today’s trains continuously send operational data to remote maintenance centres for diagnostics and performance monitoring. For example, newer rolling stock can transmit large datasets to the cloud for analysis on IT systems. This IT/OT convergence means that a breach in the maintenance network or cloud platform could be a conduit to onboard systems. If attackers infiltrate remote diagnostics channels (or compromise the portable devices and software used by maintenance engineers), they might inject false data or malicious commands into trains. A worst-case scenario is an attacker issuing unauthorised control inputs or disabling critical onboard subsystems (braking, for example) via the maintenance interface. The rail industry recognises this overlap of enterprise IT and operational train systems as a security weak point, since traditional rail OT was not designed with internet connectivity in mind.
- Passenger-facing systems and third parties: Systems like on-train Wi-Fi, entertainment, or station kiosks are less critical to safety but can be avenues for attack. As seen in the 2024 Wi-Fi incident, an insider or attacker who gains admin access to a third-party service can deface or disrupt operations without touching core signalling. There is also concern that passenger-facing networks (e.g. onboard Wi-Fi or power outlets) might be used to pivot into train control networks if the two are not properly segregated. Researchers have described theoretical attack paths in which malware on a passenger device could spread to train subsystems if firewalls are misconfigured. Similarly, third-party suppliers (train manufacturers, software vendors) are part of the supply chain – a breach at a vendor could expose technical details or introduce backdoors affecting UK rolling stock. The insider threat extends to contractors and suppliers, not just railway employees, underlining the need for strict access controls and vetting across the rail ecosystem.
- Legacy systems and upgrades: Much of Britain’s rail infrastructure is an integration of legacy equipment (decades-old signalling interlockings, SCADA systems, etc.) with newer digital overlays. Older systems often lack built-in cyber protections and can be vulnerable if networked. As upgrades occur, any gap in securing the interface between old and new systems can be exploited. For example, a legacy signalling system brought onto a network for remote monitoring could be attacked to cause a denial-of-service on signals (forcing them to fail-safe to red and stopping trains). Ensuring backward compatibility while plugging security holes is a constant challenge. The Office of Rail and Road (ORR) has warned that “poorly designed or maintained software-based systems” in railway operations pose safety risks – meaning cybersecurity must be engineered in from the design stage, especially when retrofitting digital control onto legacy rail lines.
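The 2024 Wi-Fi defacement described above was made through a legitimate supplier admin login, which preventive access control alone does not stop; the practical complement is a detective control that reconciles every privileged change against what was actually approved. The following is an added example, not code from the author, from Network Rail or from any Wi-Fi provider. It takes constructed captive-portal audit-log lines and a constructed change record and flags three things: a supplier account logging in outside its contracted support hours, a portal update with no matching approved change ticket, and a served landing page whose hash no longer matches the last approved content. The log format, the `vendor.` account prefix, the support window, the ticket ID and all page text are assumptions for illustration.

```python
"""Reconcile captive-portal admin activity against approved changes.

Added example with constructed data: the log format, account names, ticket
IDs, support hours and page text are all assumptions for illustration, not
from any real operator or Wi-Fi provider.
"""
from dataclasses import dataclass
from datetime import datetime, time, timezone
import hashlib


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass(frozen=True)
class Change:
    ticket: str
    account: str            # account authorised to make the change
    target: str             # portal object the ticket covers
    start: datetime         # approved change window (UTC)
    end: datetime
    approved_sha256: str    # hash of the content the ticket approves


@dataclass(frozen=True)
class Finding:
    ts: datetime
    account: str
    rule: str
    detail: str


# Assumed: supplier staff accounts share a prefix and a contracted support window (UTC).
SUPPLIER_PREFIX = "vendor."
SUPPLIER_HOURS = (time(8, 0), time(18, 0))

# Constructed: the landing page text approved under ticket CHG-1042.
APPROVED_LANDING = "<h1>Station Wi-Fi</h1><p>Accept the terms to connect.</p>"

APPROVED_CHANGES = [
    Change("CHG-1042", "vendor.ops.alice", "landing_page",
           datetime(2024, 9, 25, 9, 0, tzinfo=timezone.utc),
           datetime(2024, 9, 25, 10, 0, tzinfo=timezone.utc),
           sha256(APPROVED_LANDING)),
]

# Constructed audit-log lines, assumed format: "<ts> <account> <action> <target> <src_ip>".
AUDIT_LOG = """\
2024-09-25T09:12:03Z vendor.ops.alice login portal-admin 203.0.113.10
2024-09-25T09:15:40Z vendor.ops.alice portal.update landing_page 203.0.113.10
2024-09-25T23:41:17Z vendor.ops.bob login portal-admin 198.51.100.7
2024-09-25T23:43:02Z vendor.ops.bob portal.update landing_page 198.51.100.7
2024-09-26T07:02:11Z rail.noc.carol login portal-admin 192.0.2.5
"""

# Constructed: what the live portal serves after the second (unapproved) update.
SERVED_NOW = {"landing_page": "<h1>Station Wi-Fi</h1><p>DEFACED</p>"}


def parse_line(line: str):
    ts, account, action, target, src = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), account, action, target, src


def matching_change(ts, account, target, changes):
    """Return the approved change that authorises this account to touch target at ts."""
    for c in changes:
        if c.account == account and c.target == target and c.start <= ts <= c.end:
            return c
    return None


def reconcile(log_text: str, changes) -> list:
    """Flag supplier logins outside contracted hours and updates with no matching ticket."""
    findings = []
    lo, hi = SUPPLIER_HOURS
    for line in log_text.strip().splitlines():
        ts, account, action, target, src = parse_line(line)
        if action == "login" and account.startswith(SUPPLIER_PREFIX) and not (lo <= ts.time() <= hi):
            findings.append(Finding(ts, account, "supplier_login_out_of_hours", f"from {src}"))
        if action == "portal.update" and matching_change(ts, account, target, changes) is None:
            findings.append(Finding(ts, account, "unapproved_change", f"{target} changed with no ticket"))
    return findings


def check_served_content(served: dict, changes) -> list:
    """Compare what the portal actually serves with the latest approved content hash."""
    findings = []
    now = datetime.now(timezone.utc)
    for target, content in served.items():
        approved = [c for c in changes if c.target == target]
        expected = max(approved, key=lambda c: c.end).approved_sha256 if approved else None
        if expected is None or sha256(content) != expected:
            findings.append(Finding(now, "-", "content_mismatch", f"{target} differs from approved baseline"))
    return findings


if __name__ == "__main__":
    for f in reconcile(AUDIT_LOG, APPROVED_CHANGES) + check_served_content(SERVED_NOW, APPROVED_CHANGES):
        print(f.ts.isoformat(), f.account, f.rule, f.detail)
```

In practice the approved-change list would come from the operator's change-management system and the audit log from the supplier's admin console, and the content check should run from outside the portal's admin plane (for example from the operator's own monitoring host, fetching the page as a passenger would), so that an insider with admin rights on the portal cannot also switch off the control that would catch them. The same reconciliation pattern applies to any third-party-managed system with privileged remote access, including the remote maintenance links discussed above.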
Projected attack scenarios and impacts
While the UK has yet to experience a catastrophic rail cyber-attack, simulations and expert models paint a picture of what a large-scale incident could entail:
- Mass service disruption: A coordinated cyber-attack on critical rail control systems could bring train operations to a halt across one or multiple regions. For instance, if malware took down the signalling and train management system on a busy mainline, all trains on those routes would stop until systems are restored. A UK Government scenario analysis (looking at cyber impacts on infrastructure) found that in a severe case, over 800,000 train journeys per day might be disrupted – effectively paralysing commuter and freight movement. This kind of disruption would have cascading effects on the economy, as workers can’t reach workplaces and goods are delayed. The indirect impact goes beyond passenger delays: missed deliveries, knock-on congestion, and public safety concerns among stranded travellers.
- Safety-critical failures: Though it remains theoretical and is heavily guarded against, the nightmare scenario is a cyber-induced train collision or derailment. Experts warn that if sophisticated attackers (potentially state-sponsored) gained control of signalling logic or onboard braking systems, they could override fail-safes. For example, an attacker might disable a trackside sensor or tamper with an interlocking so that two trains are cleared onto the same section of track. Another vector is manipulating the train control software (as posited for ERTMS) to prevent a train from automatically stopping at a danger signal. A successful attack of this nature could lead to loss of life and catastrophic damage, on a par with a major train crash.
- Ransomware on rail operations: Ransomware attacks on rail operators’ IT and control systems (scheduling, dispatch, or the systems that support signalling control) could force operators to suspend services for days. A real-world example occurred in Denmark in 2022, when a rail operator’s IT supplier was hit by ransomware, causing a nationwide train stoppage for several hours. In the UK context, an attack encrypting a Network Rail signalling control centre or a major train company’s dispatch system could result in widespread train cancellations and delays until backups are restored. The financial cost of such an incident is difficult to overstate – beyond any ransom payment or IT restoration costs, operators must refund tickets, arrange alternative transport, and may face regulatory fines. Based on analogous infrastructure scenarios, a multi-day outage across UK rail could easily cause direct economic losses in the billions of pounds. (One integrated cyber crisis study estimated around £7.2 billion in direct losses from a three-week infrastructure outage scenario, plus £4.4 billion in indirect costs – rail being a significant component of that scenario.) Even a shorter disruption would rack up millions in costs per day (lost fares, overtime, passenger compensation) and erode public trust in rail safety.
The rail industry stands at a critical juncture where digital transformation has brought both significant innovation and unprecedented cyber risk. As real-world incidents – from ransomware attacks on ticketing systems to insider-enabled vandalism of public Wi-Fi – demonstrate, attackers no longer need to compromise physical infrastructure to cause disruption: digital vulnerabilities now present clear and present dangers to safety, service continuity, and public confidence.
What makes the rail sector uniquely vulnerable is its reliance on legacy systems integrated with modern technology, often with limited native security controls. As operational technology becomes increasingly connected – to the cloud, to enterprise systems, and even to passenger devices – the attack surface widens considerably. Simulations and risk assessments suggest that the consequences of a successful, targeted cyber-attack could be catastrophic, ranging from mass service disruption to, in worst-case scenarios, safety-critical failures.
This evolving threat landscape reinforces the urgent need for the rail sector to adopt a proactive, system-wide cybersecurity mindset. Securing the future of rail is no longer just about physical protection or compliance – it demands embedded cyber resilience, continuous risk assessment, and a shared responsibility across stakeholders to defend what is undeniably critical national infrastructure.
