Practical Guide · 13 pages · Free

OT Cyber Security in Rail: Protecting Signalling, Control Systems and Rolling Stock

Rail cyber security has moved from a theoretical risk to a documented threat. Signalling systems, train control software, and passenger information systems are all targeted by threat actors. This guide addresses the specific OT security requirements for rail organisations under NIS2 and ORR oversight.

Published May 2026 · Rail & Railways · Tags: Rail Cyber Security, OT Security, NIS2, Signalling

Why Rail OT Cyber Security Has Unique Characteristics

Rail operational technology — signalling systems, train management systems, level crossing controllers, passenger information systems, and rolling stock software — is safety-critical, and that property creates cyber security requirements that go beyond standard IT security and even most industrial OT security. A compromised signalling system is not just a business continuity risk — it is a safety risk. This safety dimension imposes additional requirements on change management, testing, and recovery that do not apply in most other OT environments.

NIS2 classifies rail as an essential entity sector, imposing the Directive's most demanding security requirements on train operating companies, infrastructure managers, and rolling stock operators above the Directive's size thresholds. The Office of Rail and Road (ORR) has signalled growing attention to cyber security as a component of its safety and operational oversight of UK rail operators.

Step 01
Rail OT asset inventory and classification
Inventory all OT assets in your rail operation: signalling systems, train management systems, level crossing controllers, SCADA networks for power and infrastructure, passenger information systems, ticketing infrastructure, and rolling stock software systems. Classify each by safety criticality and cyber security risk: safety-critical systems (signalling, train control) require the highest protection standards; operational systems (passenger information, ticketing) require standard enterprise security controls extended to OT environments.
Step 02
Safety-critical system cyber security
For signalling and train control systems, cyber security measures must be implemented without compromising safety integrity. This requires coordination with the system supplier and — for modifications to certified safety systems — regulatory engagement. Key controls for safety-critical systems: network isolation from non-safety systems, physical access controls to system components, change control that includes cyber security impact assessment, and monitoring that does not introduce latency that could affect safety timing requirements.
Step 03
Rolling stock cyber assurance
Modern rolling stock contains software systems — traction control, braking systems, diagnostic systems, passenger entertainment networks — that are increasingly networked and potentially internet-connected. Rolling stock cyber assurance must address: segregation between safety-critical and non-safety-critical software domains, secure software update processes, network access controls for maintenance and diagnostic connections, and cyber security requirements in rolling stock procurement and maintenance contracts.
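Steps 01 to 03 describe a workflow that can be partly automated: classify each inventoried asset by safety criticality, then check observed network flows against that classification so that any connection from a lower-criticality system into a safety-critical one is flagged unless it is a documented maintenance or diagnostic path. The following Python is an added example written for this page, not code from the AjaCertX guide. The asset type labels, zone names, asset names, port numbers and the "approved paths" allow-list are all constructed for illustration; in practice the inventory would come from the Step 01 asset register and the flows from firewall or flow-record exports.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Set, Tuple


class Criticality(Enum):
    SAFETY_CRITICAL = "safety-critical"  # signalling, train control, interlocking
    OPERATIONAL = "operational"          # passenger information, ticketing, power SCADA
    NON_SAFETY = "non-safety"            # corporate IT, passenger Wi-Fi, unknown devices


# Asset type -> criticality, following the guide's split between safety-critical
# and operational systems, plus a non-safety tier. The type labels are assumptions.
ASSET_TYPE_CRITICALITY: Dict[str, Criticality] = {
    "interlocking": Criticality.SAFETY_CRITICAL,
    "signalling_controller": Criticality.SAFETY_CRITICAL,
    "train_control": Criticality.SAFETY_CRITICAL,
    "level_crossing_controller": Criticality.SAFETY_CRITICAL,
    "passenger_information": Criticality.OPERATIONAL,
    "ticketing": Criticality.OPERATIONAL,
    "power_scada": Criticality.OPERATIONAL,
    "corporate_it": Criticality.NON_SAFETY,
    "passenger_wifi": Criticality.NON_SAFETY,
}


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str
    zone: str  # network zone label from the inventory (assumed naming)


@dataclass(frozen=True)
class Flow:
    src: str   # source asset name as it appears in firewall or flow records
    dst: str
    proto: str
    port: int


def classify(asset: Asset) -> Criticality:
    """Asset types missing from the table default to safety-critical, so an
    unreviewed device gets the highest protection until someone classifies it."""
    return ASSET_TYPE_CRITICALITY.get(asset.asset_type, Criticality.SAFETY_CRITICAL)


def validate_segregation(
    assets: Iterable[Asset],
    flows: Iterable[Flow],
    approved_paths: Set[Tuple[str, str, str, int]],
) -> Tuple[List[Flow], Set[str]]:
    """Return (violations, unknown_asset_names).

    A flow is a violation when its destination is safety-critical, its source
    is not, and (src, dst, proto, port) is not an approved maintenance or
    diagnostic path. Names absent from the inventory are reported as gaps; an
    unknown source is treated as non-safety (untrusted). Only the inbound
    direction into safety-critical assets is checked here.
    """
    by_name = {a.name: a for a in assets}
    violations: List[Flow] = []
    unknown: Set[str] = set()

    for flow in flows:
        dst = by_name.get(flow.dst)
        if dst is None:
            unknown.add(flow.dst)
            continue  # cannot tier an uninventoried destination; record the gap
        if classify(dst) is not Criticality.SAFETY_CRITICAL:
            continue  # this rule only protects safety-critical destinations
        src = by_name.get(flow.src)
        if src is None:
            unknown.add(flow.src)
            src_tier = Criticality.NON_SAFETY
        else:
            src_tier = classify(src)
        if src_tier is Criticality.SAFETY_CRITICAL:
            continue  # safety-to-safety traffic stays inside the isolated domain
        if (flow.src, flow.dst, flow.proto, flow.port) in approved_paths:
            continue  # documented exception, e.g. an approved diagnostic feed
        violations.append(flow)

    return violations, unknown


# Constructed sample inventory and observed flows; none of this is real infrastructure.
SAMPLE_ASSETS = [
    Asset("IXL-01", "interlocking", "signalling"),
    Asset("TCS-01", "train_control", "signalling"),
    Asset("LXC-07", "level_crossing_controller", "signalling"),
    Asset("PIS-01", "passenger_information", "operational"),
    Asset("CORP-FS", "corporate_it", "corporate"),
]

SAMPLE_FLOWS = [
    Flow("TCS-01", "IXL-01", "tcp", 102),       # safety-to-safety: fine
    Flow("IXL-01", "PIS-01", "tcp", 8080),      # outbound from safety: not checked by this rule
    Flow("PIS-01", "IXL-01", "tcp", 502),       # operational into interlocking: violation
    Flow("CORP-FS", "LXC-07", "tcp", 445),      # corporate IT into level crossing: violation
    Flow("MAINT-LAPTOP", "TCS-01", "tcp", 22),  # device missing from inventory: violation + gap
    Flow("PIS-01", "TCS-01", "tcp", 4000),      # approved diagnostic path (below): fine
]

# Approved cross-tier paths, e.g. a documented diagnostic link (assumed values).
APPROVED_PATHS = {("PIS-01", "TCS-01", "tcp", 4000)}


def run_example() -> Tuple[List[Flow], Set[str]]:
    return validate_segregation(SAMPLE_ASSETS, SAMPLE_FLOWS, APPROVED_PATHS)


if __name__ == "__main__":
    bad, gaps = run_example()
    for f in bad:
        print(f"VIOLATION {f.src} -> {f.dst} {f.proto}/{f.port}")
    for name in sorted(gaps):
        print(f"INVENTORY GAP: {name} seen in flows but not in the asset inventory")
```

Two design choices are worth noting. An asset type not in the classification table is treated as safety-critical, so an unreviewed device raises the bar rather than lowering it; and a source name absent from the inventory is treated as untrusted and reported as a gap, because an unlisted device talking to signalling equipment is exactly the Step 01 inventory failure the checklist item "OT asset inventory completed" is meant to catch.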
Step 04
NIS2 compliance for rail operators
Rail organisations above NIS2 size thresholds are essential entities with the Directive's most demanding obligations. Implement: risk analysis and security policies covering both IT and OT, incident handling capability with 24-hour early warning and 72-hour initial reporting for significant incidents, business continuity covering OT disruption scenarios, and supply chain security for OT and signalling system vendors.
Rail OT Cyber Security Readiness Checklist
OT asset inventory completed including safety-critical signalling and train control systems
Safety-critical systems are isolated from non-safety networks with validated segregation
Rolling stock cyber assurance requirements are included in procurement and maintenance contracts
NIS2 applicability confirmed and incident reporting procedures established with correct timelines
OT-specific incident response procedure addresses rail operational and safety implications
ORR cyber security expectations have been reviewed and incorporated into the security programme

About AjaCertX
AjaCertX is a specialist compliance, certification and assurance partner serving rail operators and infrastructure organisations. Our Cyber and Digital Security practice delivers OT security assessments, NIS2 compliance, and IRIS/ISO 22163 quality management implementation.