Railway cybersecurity in the age of hybrid threats



The threat landscape for the global rail industry has changed, and digitalization is the primary driver of this shift. Signaling interlockings, radio block centers, traffic management systems, traction power, condition monitoring, depot automation, and customer-facing ticketing and revenue platforms have moved from proprietary, isolated designs to interconnected architectures with remote maintenance, vendor portals, cloud telemetry, and data-driven optimization.

Connectivity and convenience were bought at the cost of isolation between corporate IT and operational technology. Attackers now exploit maintenance tunnels, shared identity stores, misconfigured firewalls, and weak network segmentation to move from office networks into safety-critical systems.

What makes rail different from most industries is that the operational endpoint of compromise can be an enforced halt of traffic across a corridor, a regional timetable meltdown, or a safety incident that affects public trust and leads to political scrutiny.

Hybridization of threats in railways is the deliberate combination of cyber operations with physical, psychological, or procedural attacks to maximize disruption and complicate defense and attribution.

An example illustrates how this works in practice and why traditional security thinking in the rail sector is no longer sufficient.


A hybrid stress test scenario against a rail network

Consider a coordinated hostile campaign against a national railway operator. The attacker’s objective is systemic disruption that undermines public confidence, causes economic losses, and exerts geopolitical pressure.


Phase 1: Reconnaissance and positioning inside the supply chain. The operation begins months in advance. The attackers do not initially target the rail operator directly. They infiltrate a third-party maintenance contractor responsible for remote diagnostics of signaling equipment. Because the rail operator trusts this vendor and gives it legitimate access for OT maintenance, the attackers gain a stealthy privileged foothold in the signaling network.

At the same time, small probes are launched into the corporate IT environment. Harmless-looking malware implants disguised as routine tools are staged for later activation. Nothing is triggered yet.

Persistence is achieved through legitimate-looking processes and tools. The attackers exploit ordinary-looking service accounts used for telemetry collection, remote maintenance, or asset management, and they abuse the vendor maintenance processes designed precisely to give remote engineers access to field devices. OT teams often permit vendor access for urgent fixes. From a governance standpoint, this is where procurement and contract language matters: maintenance access that lacks detailed, time-limited authorisation and session monitoring is a systemic vulnerability.


Phase 2: Physical sabotage to trigger emergency procedures

On a busy weekday morning, operatives on the ground simultaneously cut two trackside fiber optic cables near a major junction, causing communication loss between field interlockings and the central traffic management center. On its own this would trigger standard safety procedures: train movements would fall back to manual block operations, and delays would be manageable. However, this is where hybridization emerges.


Phase 3: Cyber exploitation of safety protocols

Within minutes of the fiber cut, dispatchers see multiple device timeouts: pieces of equipment that normally report their status or respond to control commands stop answering within the expected time window.

After a physical cut to a fiber cable, field devices stop sending their regular heartbeat and stop responding to polls. The dispatcher console flags those devices as unresponsive or timed out.

Then the automatic safety logic reacts. Signalling systems are safety-first: if a vital piece of information cannot be confirmed, the system treats it as a potential hazard. That can trigger conservative protective modes, and trains may be prevented from entering affected blocks. Those automatic protections generate additional alarms and operator prompts.

The loss of multiple devices across a corridor produces correlated alarms. Correlation increases uncertainty. Is it a common network fault, a controller malfunction, or deliberate interference?

Manual fallback procedures are invoked. If automated routing and signalling cannot be relied upon, human controllers must apply degraded modes (such as authorization by telephone, or local confirmations). The more devices that time out, the larger the area that must be operated manually and the longer the delays.

The attackers already have a hidden route into the signalling network through the compromised vendor remote maintenance account. The signalling system is designed to stop trains or slow them down, because people’s lives come first. The attackers add confusion by sending error signals into the signalling and control equipment. The control room sees alarms and conflicting signals, so it stops or severely restricts traffic, if it has not already done so.
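As an added illustration that is not part of the original article, the following Python sketch shows the two defensive checks this scenario points at: correlating field-device heartbeat timeouts across a corridor, and flagging vendor remote-maintenance sessions that have no approved, time-limited window (the governance gap named in Phase 1). The log formats, device and account names, the 90-second timeout and the three-device corridor threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample logs (not from any real system): device heartbeats and vendor logins.
HEARTBEATS = [
    "2025-10-14T07:58:00 ILK-J12 heartbeat",
    "2025-10-14T07:58:00 ILK-J13 heartbeat",
    "2025-10-14T07:58:00 ILK-J14 heartbeat",
    "2025-10-14T07:59:00 ILK-J15 heartbeat",
]
SESSIONS = [  # first login has an approved time-limited window, second has none
    "2025-10-14T07:40:00 vendor-maint-01 login window=2025-10-14T07:30:00/2025-10-14T08:30:00",
    "2025-10-14T07:55:00 vendor-maint-02 login window=none",
]
TIMEOUT = 3 * timedelta(seconds=30)  # three missed 30 s heartbeats = device timeout

def timed_out_devices(lines, now_iso):
    # Devices whose most recent heartbeat is older than TIMEOUT at time now_iso.
    now, last_seen = datetime.fromisoformat(now_iso), {}
    for line in lines:
        ts, device, _event = line.split()
        t = datetime.fromisoformat(ts)
        last_seen[device] = max(t, last_seen.get(device, t))
    return sorted(d for d, t in last_seen.items() if now - t > TIMEOUT)

def unauthorised_sessions(lines, now_iso):
    # Vendor accounts logged in without an approved window that covers now_iso.
    now, flagged = datetime.fromisoformat(now_iso), []
    for line in lines:
        _ts, account, _event, window = line.split()
        spec = window.split("=", 1)[1]
        if spec == "none":
            flagged.append(account)  # no authorisation on record at all
        else:
            start, end = (datetime.fromisoformat(x) for x in spec.split("/"))
            if not start <= now <= end:
                flagged.append(account)  # logged in outside the approved window
    return flagged

def assess(heartbeats, sessions, now_iso, corridor_threshold=3):
    # Combine both signals into a single triage verdict for the control room.
    lost = timed_out_devices(heartbeats, now_iso)
    suspicious = unauthorised_sessions(sessions, now_iso)
    correlated = len(lost) >= corridor_threshold
    if correlated and suspicious:
        verdict = "correlated loss with unauthorised vendor session: possible interference, preserve logs"
    elif correlated:
        verdict = "correlated loss: probable common path fault, check the physical route"
    else:
        verdict = "isolated device timeout" if lost else "nominal"
    return {"lost": lost, "suspicious_sessions": suspicious, "verdict": verdict}
```

The point of the combined verdict is that a burst of timeouts alone reads as a cable fault, while the same burst during an unapproved vendor session is the signature the scenario describes and should trigger evidence preservation rather than a quick restore.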

The attackers can transmit fake emergency signals over legacy radio systems near stations. These radio emergency stop messages were originally designed to let anyone quickly halt a train if someone is on the tracks. They are intentionally permissive. An attacker with a transmitter can send the same signal. Trains respond immediately by stopping.

Large unidentified drones reported over airports and military areas in Europe in October 2025 can (from a technical and operational perspective) transmit railway emergency stop signals. They are capable of carrying radio transmission equipment powerful enough to mimic or interfere with legacy railway communication channels, particularly analogue emergency stop frequencies still used in some regions. Such flights are consistent with hybrid preparation activities and require serious security and intelligence assessment.

The safety architecture is conservative by design. It does not try to guess whether an alarm is fake; it assumes the worst case and acts to protect people and equipment. But when many conservative actions happen at once across a region, the consequence is a network-wide shutdown or severe disruption. The control room becomes flooded with alarms and calls. Standard procedures that work for single equipment failures become impossible to execute quickly.


Phase 4: Disinformation intensifies the crisis

Minutes after the attack begins, social media accounts post claims that the rail network is under cyber attack and that passenger safety is at risk. Messaging apps start circulating videos from trains that have stopped and from passengers who complain that nobody has explained to them what has happened. Public fear grows rapidly. Traffic controllers now face not only operational overload but also external pressure from media and government. Call centers collapse under a flood of inquiries. Panic begins to spread at major stations.

Then a small explosion occurs on a passenger train that has stopped because of the incidents. The blast is limited in scale, deliberately chosen to create visible damage and a few injuries. Its immediate effect is to convert what might have been handled as a regional communications outage into a criminal or terrorist incident. Media coverage spikes. Eyewitness videos, CCTV footage and social media posts explode. By introducing a physical, attention-grabbing event, the attackers collapse multiple investigative options into a single narrative that points toward a coordinated attack rather than isolated faults or criminal extortion.

There is no loss of life. This is a tactical choice by an adversary who wants maximum narrative and operational leverage with minimal moral and diplomatic cost. A non-fatal blast is very different from mass-casualty terrorism. The absence of fatalities accelerates disinformation. Visual content enables rapid story propagation, anonymous channels can attribute responsibility to any number of actors, and state and non-state actors can amplify competing narratives to create confusion.

Because the blast is dramatic but not catastrophic, political actors will speculate publicly, creating divergent official and unofficial narratives. A main objective of many hybrid attacks is to materially worsen the blame game, deepen partisan division, and accelerate erosion of public trust. The kinetic image provides an emotional hook, attribution is slow and uncertain, and information vacuums are filled instantly by partisan actors, opportunistic media, and malicious influence operations.

This needs to be stated plainly. When attribution is slow, rival parties or factions will advance competing explanations to score political points. Each side recruits sympathetic media, influencers, and social channels to push its framing. Social media’s algorithmic amplification rewards certainty and emotion. Corrective messages rarely travel as far or as fast as sensational claims. Over time, repeated framing produces hardened narratives within different information silos. One community accepts the foreign attack narrative, another accepts the incompetence and mismanagement narrative, and few examine the corrective evidence when it arrives. That divergence is the kernel of political polarisation.

Malicious influence actors weaponise that dynamic. They seed disinformation to polarise debate, amplify partisan messaging, and target trust in institutions (transport authorities, police, national agencies). The goal is to erode baseline trust.


Phase 5: Imagination is the limit

We need not continue. By this point the adversary has achieved strategic misdirection combined with tactical paralysis, deepened partisan division, and accelerated erosion of public trust. Every action is chosen because it produces a predictable human and institutional reaction. Every response consumes scarce cognitive bandwidth and resources, while forensic evidence is delegitimized as fabricated.

Attackers can use several variants of this tactic. They may plant a classic criminal signature that misleads investigators into believing organized crime is involved, which complicates attribution and the question of which authority leads the response.

Phase 5 also degrades the evidentiary environment. Many rapid remediation steps taken to restore business continuity can destroy forensic evidence, obscure cross-domain indicators, and close investigative windows into the attacker’s true capabilities and origin. Attackers prefer this outcome. A rushed focus on getting systems up without strict forensic protocols hands the adversary plausible deniability, making later legal or geopolitical response more difficult.

For the railway sector, preparation for hybrid threats should begin well before an incident. Hybrid stress testing is necessary. This is the methodology for evaluating the resilience of an organization under combined financial, operational, cyber, legal, regulatory, technological, and geopolitical stress conditions. It includes the design, execution, and evaluation of multi-domain and cross-sectoral scenarios that reflect the convergence of traditional and non-traditional threats.

Geopolitics accelerates the risk transformation. Rail corridors are economic arteries and strategic logistics assets. During heightened tensions, they become targets for state actors and aligned proxies who aim to produce outsized social and economic disruption without crossing thresholds that would invite kinetic retaliation. Hybrid and cyber operations against infrastructure are increasingly accompanied by disinformation that amplifies fear, erodes confidence in authorities, and lengthens the half-life of a disruption. This changes the doctrine of incident response. Restoring services is necessary but insufficient if public communication, rumor control, and evidence preservation are not conducted with the same rigor as technical recovery.

Disclaimer: The facts and events set out in this hybrid stress test scenario are hypothetical and have been prepared exclusively for analytic, training and preparedness purposes. They are not a factual account of any known incident and do not constitute a finding, allegation, or attribution of responsibility. Any resemblance to actual persons, organisations, locations, incidents, or dates is purely coincidental. This hybrid stress test scenario should not be relied upon as an evidentiary record. Any operational, investigative or legal conclusions should be based only on evidence and formal investigations conducted by competent authorities.




George Lekatis
