
Why IT and OT convergence complicates railway cybersecurity

Summary

– Monorail systems’ attack surface widened when open IP networks replaced vendor-specific SCADA, breaking the old IT-OT boundary into an interface that must be actively managed.
– When a known vulnerability exists in a component like signalling, teams first assess exploitability and risk, then decide whether to patch during maintenance or apply compensating measures like network segmentation.
– New regulations like CRA and NIS2 aim to improve accountability, but adoption remains challenging due to unclear stakeholder roles and complex railway contracts.
– Training veteran operations engineers to consider threat actors parallels the past adoption of RAMS, requiring communication, awareness, and solid regulation as enablers.
– To detect long-term intruders, teams rely on monitoring OT traffic pattern changes, undesired component behavior, and configuration changes, while remaining vigilant against relaxed staff awareness and weak supply chains.

The convergence of legacy operational technology with modern IT systems in railway environments has fundamentally reshaped the cybersecurity landscape. In a discussion with Help Net Security, Jorge Aldegunde, Global Head of Railway Services at DNV, detailed the challenges that emerge when open networks expand attack surfaces, teams must decide whether to patch a signalling vulnerability without halting trains, and liability becomes fragmented across multiple stakeholders.

Aldegunde addressed key regulatory frameworks such as the Cyber Resilience Act (CRA) and NIS2 Directive, the difficulty of training veteran engineers to recognize threat actors, and the reality of intrusions that go undetected for months. His central principle: manage your risks and plan for resilience rather than chasing perfection.

Monorail control systems operate at the awkward intersection of operational technology installed decades ago and IT layers added later. When asked about a moment where these two worlds collided, Aldegunde noted that while new projects like the SDLC monorail incorporate state-of-the-art IT-OT integration, older systems traditionally relied on vendor-specific SCADA and dedicated communication networks like SDH-PDH. The shift toward IP-based networks brought open standards, multiple vendors, and lower costs, but also broke the old paradigm. SCADA systems became open and connected through middlewares, and data from public transport systems stored in public or private clouds became accessible for user applications. Condition-based maintenance and data-driven services accelerated this change, turning isolated assets into continuous data producers. Then AI arrived, and attack surfaces and vectors multiplied. The key lesson: the IT-OT boundary is no longer a boundary; it is an interface that must be actively managed.

When a known vulnerability appears in a signalling or door-control component but the line cannot be taken out of service, the decision process starts with assessing whether the vulnerability is exploitable and how. If it is, the next step is a risk-based evaluation of likelihood and impact. If a patch exists, the goal is to integrate it into planned maintenance windows without disrupting operations. If no patch is available, compensating measures such as network segmentation, monitoring, or operational restrictions must be considered. New horizontal regulations like CRA and NIS2 are driving accountability, but adoption and stakeholder harmonization remain difficult in complex railway contracts. The real challenge lies in integration layers managed by different stakeholders, where responsibility is rarely concentrated in one entity. Ongoing working groups aim to guide implementation and balance horizontal regulation with vertical rules, though consensus remains elusive, as seen in the lack of agreement on expert guidance for CRA implementation.

Training an operations engineer with twenty years of experience to think about threat actors requires a careful approach. Aldegunde compared it to the earlier shift from silo engineering to systems integration with RAMS (Reliability, Availability, Maintainability, and Safety). Twenty years ago, that change seemed insurmountable; now RAMS is standard practice. Railway cybersecurity practitioners typically come from related rail disciplines like safety, signalling, or communications. As with any paradigm shift, it starts with people, communication, and awareness. Solid, well-understood regulation is a major enabler. DNV has strong experience applying the IEC 62443 series and participates in the IEC 63452 PT. They are also active in conformity assessment through NB Rail and contribute to working groups that adopt technical cybersecurity documents as building blocks for inclusion in Technical Specifications of Interoperability (TSIs).

If an attacker has been inside the network for months, the signals to trust include changes in OT traffic patterns (assuming those patterns are known and controlled), undesired component behaviour, unavailability, and uncontrolled configuration changes. Vigilance through systems like EDR, IDS, and SIEM is valuable, but it must be paired with strong SOC processes and proper training for railway staff. Business continuity plans should be rehearsed assuming worst-case scenarios. The latent threat, Aldegunde warned, is when rail staff relax their awareness and when weak or uncontrolled supply chains cause harm, especially when industrial SMEs struggle to find a business case for applying principles like security by design, software bill of materials (SBOM), or a lifecycle approach to patch management.
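The paragraph above rests on one precondition: OT traffic patterns have to be known before deviations from them mean anything. The following is an added example written for this page, not code from DNV, Help Net Security or the interviewee. It baselines conversation tuples from a controlled period, then flags three of the signals named above against a later window: conversations never seen before, hosts whose number of distinct destinations grew, and configuration writes from sources not on an approved list. The record formats, IP addresses and the approved-source list are constructed for the example; only the port numbers (102, 502, 4840) are real ports commonly used by OT protocols.

```python
"""Baseline-deviation checks over constructed OT flow and config records.

Assumptions (not from the article): a passive sensor exports flow records as
whitespace-separated "src dst dport proto" lines, and controller configuration
writes appear as "CONFIG_WRITE <controller> <source_host>" lines.
"""
from collections import defaultdict

# Constructed sample: flows observed during a controlled baselining window.
BASELINE_FLOWS = """
10.10.1.5 10.10.2.20 102 tcp
10.10.1.5 10.10.2.21 102 tcp
10.10.1.6 10.10.2.20 502 tcp
10.10.1.5 10.10.2.20 502 tcp
10.10.3.9 10.10.2.20 4840 tcp
""".strip().splitlines()

# Constructed sample: flows observed in a later window under review.
OBSERVED_FLOWS = """
10.10.1.5 10.10.2.20 102 tcp
10.10.1.6 10.10.2.20 502 tcp
10.10.1.5 10.10.2.20 502 tcp
10.10.3.9 10.10.2.20 4840 tcp
10.10.1.5 10.10.2.21 102 tcp
10.10.1.7 10.10.2.20 102 tcp
10.10.1.7 10.10.2.21 102 tcp
10.10.1.7 10.10.2.22 102 tcp
10.10.1.5 10.10.2.20 22 tcp
""".strip().splitlines()

# Constructed sample: configuration-write events (controller, source host).
CONFIG_EVENTS = """
CONFIG_WRITE 10.10.2.20 10.10.1.5
CONFIG_WRITE 10.10.2.21 10.10.1.7
""".strip().splitlines()

# Engineering workstations approved to push configuration (assumed value).
APPROVED_CONFIG_SOURCES = {"10.10.1.5"}


def parse_flow(line):
    """Turn one flow record into a hashable (src, dst, dport, proto) tuple."""
    src, dst, dport, proto = line.split()
    return (src, dst, int(dport), proto)


def build_baseline(lines):
    """The set of conversation tuples seen during the controlled period."""
    return {parse_flow(line) for line in lines}


def new_conversations(baseline, lines):
    """Flows absent from the baseline: new talkers, new ports or protocols."""
    seen = set()
    for line in lines:
        flow = parse_flow(line)
        if flow not in baseline:
            seen.add(flow)
    return sorted(seen)


def peer_fanout(lines):
    """Number of distinct destinations each source host talks to."""
    peers = defaultdict(set)
    for line in lines:
        src, dst, _, _ = parse_flow(line)
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def fanout_shifts(baseline_lines, observed_lines):
    """Sources reaching more destinations than in the baseline, a pattern that
    fits a host enumerating controllers it never spoke to before.
    Returns {src: (baseline_count, observed_count)}."""
    base = peer_fanout(baseline_lines)
    obs = peer_fanout(observed_lines)
    return {src: (base.get(src, 0), n) for src, n in obs.items() if n > base.get(src, 0)}


def unapproved_config_writes(events, approved):
    """Configuration writes whose source host is not on the approved list."""
    findings = []
    for event in events:
        kind, controller, source = event.split()
        if kind == "CONFIG_WRITE" and source not in approved:
            findings.append((controller, source))
    return findings


def run_checks():
    """Run all three checks over the constructed samples."""
    baseline = build_baseline(BASELINE_FLOWS)
    return {
        "new_conversations": new_conversations(baseline, OBSERVED_FLOWS),
        "fanout_shifts": fanout_shifts(BASELINE_FLOWS, OBSERVED_FLOWS),
        "unapproved_config_writes": unapproved_config_writes(
            CONFIG_EVENTS, APPROVED_CONFIG_SOURCES),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name)
        for finding in (findings.items() if isinstance(findings, dict) else findings):
            print("  ", finding)
```

On the constructed data the checks surface the unknown host 10.10.1.7 three ways: it opens conversations never seen in the baseline, it reaches three controllers where it previously reached none, and it writes configuration without being an approved engineering workstation. The SSH-port flow from an otherwise legitimate workstation shows why the tuple includes the port: a known host pair alone would have hidden it. None of this works without the baselining period the paragraph presupposes, and a baseline captured while an intruder was already present will normalize their traffic, which is why baselines belong to change management rather than being refreshed automatically.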

If Aldegunde could hand his successor one hard-won rule that no certification course teaches, it would be this: manage your risks. A risk-based approach is more than a good start. Assume the uncertainty principle: attackers’ ability is greater than or equal to yours. Never assume that visibility equals control. The objective is resilience. Systems must operate safely even under degraded or uncertain conditions. This means combining risk-based decision making, continuous monitoring, and preparedness for worst-case scenarios. If you fail to prepare, you are simply preparing to fail.

(Source: Help Net Security)
