Rail Signaling Is Not Like Other OT
Rail signaling equipment operates under the highest safety integrity levels in any industry. An interlocking system — the logic that prevents conflicting train movements — is certified to SIL 4 under EN 50129, which sets a tolerable hazard rate of less than 10⁻⁸ dangerous failures per hour per safety function (the SIL 4 band runs from 10⁻⁹ to 10⁻⁸). That is the same order of magnitude as the 10⁻⁹ per flight hour target for catastrophic failure conditions in aircraft flight controls.
This certification comes with a constraint that no security programme can negotiate away: you do not modify SIL 4 equipment. Not the software, not the configuration, not the network stack. Every change is subject to impact analysis under EN 50128 and EN 50129, and any change that touches the certified software or its defined operating environment reopens the safety case and requires reassessment, a process measured in years and millions of euros.
Meanwhile, NIS2 lists rail infrastructure managers and railway undertakings as essential entities (Annex I, transport sector) with mandatory cybersecurity requirements. As covered in our overview of NIS2 enforcement timelines and what to do first, the directive does not care about safety certification constraints. It requires risk management, access control, incident reporting, and supply chain security. Rail operators are caught between two regulatory frameworks with fundamentally different assumptions.
The Safety Certification Constraint
Rail OT systems are certified under a family of European standards (the CENELEC EN 50xxx series):
- EN 50126 — Reliability, Availability, Maintainability, and Safety (RAMS)
- EN 50128 — Software for railway control and protection systems
- EN 50129 — Safety-related electronic systems for signaling
- EN 50159 — Safety-related communication in transmission systems; it defines the sequence numbers, timestamps, source identifiers and safety codes a safety channel carries so that it can tolerate an untrusted network underneath it
- CLC/TS 50701 — Railway applications, cybersecurity; the rail adaptation of IEC 62443, which uses the same zone-and-conduit model as the network-level approach described below
A safety case documents every aspect of a system's design, implementation, testing, and operational environment. The safety case is the certification artifact. If you install a security agent on a SIL 4 interlocking controller, you have introduced uncertified software into a safety-critical system. The safety case is invalidated. The system cannot legally operate until recertified.
This is not a theoretical concern. Railway safety authorities enforce this rigorously. The cost of recertification for a single interlocking system starts at €2M and takes 18–36 months.
Rail OT Systems and Their Certification Constraints
| System | Function | Safety Level | Agent Feasible? | Why Not |
|---|---|---|---|---|
| Interlocking | Prevents conflicting train routes | SIL 4 | No | Safety case invalidation, recertification required |
| ATP (Automatic Train Protection) | Enforces speed limits and signal compliance | SIL 4 | No | Safety-certified onboard and trackside components |
| ETCS (European Train Control System) | In-cab signaling and continuous train supervision; Levels 2 and 3 use GSM-R (FRMCS in future) as the radio bearer | SIL 4 | No | Type-approved equipment, modification voids approval |
| Axle counters | Detect train presence on track sections | SIL 4 | No | Embedded systems with no general-purpose OS |
| Points machines (controllers) | Operate rail switches | SIL 2–4 | No | Proprietary embedded controllers |
| Level crossing systems | Control road traffic barriers and signals | SIL 3–4 | No | Safety-certified, tamper-evident enclosures |
| SCADA (traction power) | Monitor and control overhead line/third rail power | SIL 0–2 | Possible but risky | Legacy systems, no patch path, uptime critical |
| Passenger information systems | Station displays, announcements | SIL 0 | Possible | Often Windows-based; low safety criticality, but a common initial foothold because it sits on the same network |
The pattern is clear: the systems that matter most for safety are the ones where endpoint security is impossible.
The Unique Challenge of Distributed Rail Infrastructure
Rail networks are not factories. The infrastructure is spread across hundreds or thousands of kilometers:
- Wayside cabinets house interlocking controllers, axle counters, and communications equipment at each signal location along the track
- Station equipment rooms contain local SCADA terminals, passenger information servers, and network switches
- Operations control centers run centralized traffic management and traction power SCADA
- Maintenance depots connect diagnostic tools and vendor laptops to signaling equipment
These locations are connected by wide-area networks — often a mix of fiber, microwave, and legacy copper — with varying levels of physical security. A wayside cabinet on a rural stretch of track has a different threat profile than a control center, but both connect to the same signaling network.
Network-Level Security for Rail
The approach that works within safety certification constraints is network-level enforcement: securing the communications between systems rather than modifying the systems themselves. The reason this does not reopen the safety case is built into the standards. EN 50159 requires the safety layer (for example RaSTA between interlocking and trackside equipment, or Euroradio between ETCS trackside and onboard units) to defend itself against corruption, delay, replay, insertion and masquerade by an untrusted transmission system, so the safety case makes no assumption about the network path that a transparent security layer would break.
- Overlay segmentation at wayside cabinets — Deploy Access Gate appliances in equipment rooms and cabinets to create encrypted, authenticated network segments. The signaling equipment connects to the same physical ports as before; the security layer is transparent to the certified systems. The one thing to verify before cutover is the latency and failover budget: a safety protocol tolerates delay only up to its configured timeouts, after which the protected function drops to a restrictive state, so the inserted layer must never push end-to-end delay past those limits, including during appliance failover.
- Zero-trust access for maintenance — Replace persistent VPN connections and shared credentials with per-user, per-session, audited access. When a signaling engineer needs to connect a diagnostic laptop at a wayside cabinet, they authenticate through the Access Gate. The session is logged, time-limited, and restricted to the specific equipment they need.
- East-west traffic control — In a flat signaling network, any compromised node can reach every other node. Network-level micro-segmentation limits lateral movement so that a compromised passenger information system at a station cannot reach the interlocking controllers.
- Distributed deployment without centralized dependency — Each Access Gate operates independently. If the WAN link to a wayside cabinet goes down, the locally held security policy continues to enforce. This matches the distributed, resilient architecture that rail operators already require for safety.
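As an added example (not code from the original page and not a vendor product), the following Python models the maintenance-access and east-west rules from the list above as a zone-and-conduit policy and runs it over constructed flow records. Zone names, subnets, ports, the user name and the timestamps are all hypothetical. It shows what "denied by default between zones", "per-user, per-session, time-limited, bound to one device" and "every decision logged" mean in concrete terms; the deny records it produces are also the raw material for the incident detection and audit evidence discussed later on the page.

```python
"""Zone/conduit policy for a rail signalling network (added example, not vendor code).

All subnets, zone names, ports, users and timestamps below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Zone map as it would come out of passive discovery of the signalling WAN.
# The zones follow the page's table: SIL 4 interlocking, the operations control
# centre (OCC), traction power SCADA, passenger information (PIS), and the
# maintenance segment where technician laptops plug in at wayside cabinets.
ZONES = {
    "interlocking":   ipaddress.ip_network("10.10.1.0/24"),
    "occ":            ipaddress.ip_network("10.20.0.0/24"),
    "traction_scada": ipaddress.ip_network("10.30.0.0/24"),
    "pis":            ipaddress.ip_network("10.40.0.0/24"),
    "maintenance":    ipaddress.ip_network("10.50.0.0/24"),
}

# Conduits: the only standing zone-to-zone flows. Anything not listed is denied,
# which is what stops a compromised PIS host from reaching an interlocking.
CONDUITS = {
    ("occ", "interlocking", 7000),      # traffic management -> interlocking
    ("interlocking", "occ", 7001),      # indications back to the OCC
    ("occ", "traction_scada", 20000),   # traction power SCADA
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    user: Optional[str] = None  # set only for flows entering via the brokered access path


@dataclass(frozen=True)
class Session:
    """A brokered maintenance session: one user, one target device, fixed lifetime."""
    user: str
    device: str
    issued: datetime
    ttl: timedelta

    def active(self, now: datetime) -> bool:
        return self.issued <= now < self.issued + self.ttl


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"  # undiscovered devices get no conduits at all


def evaluate(flow: Flow, sessions, now: datetime):
    """Decide one flow. Returns (allowed, reason); the reason goes into the audit trail."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "maintenance":
        # No standing conduit from maintenance: only a live session that names
        # this user and exactly this destination opens the path.
        for s in sessions:
            if s.user == flow.user and s.device == flow.dst and s.active(now):
                return True, f"session {s.user}->{s.device} valid until {(s.issued + s.ttl).isoformat()}"
        return False, "no active maintenance session for this user and device"
    if (src_zone, dst_zone, flow.dst_port) in CONDUITS:
        return True, f"conduit {src_zone}->{dst_zone}:{flow.dst_port}"
    return False, f"no conduit {src_zone}->{dst_zone}:{flow.dst_port}"


def audit(flows, sessions, now: datetime):
    """Evaluate a batch of flows; every decision, allow or deny, becomes a record."""
    records = []
    for f in flows:
        allowed, reason = evaluate(f, sessions, now)
        records.append({"time": now.isoformat(), "src": f.src, "dst": f.dst,
                        "port": f.dst_port, "user": f.user,
                        "decision": "allow" if allowed else "deny", "reason": reason})
    return records


# Constructed scenario: one engineer brokered onto one interlocking for two hours.
NOW = datetime(2025, 3, 4, 10, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=3)  # after the session has expired
SESSIONS = [Session("j.engineer", "10.10.1.5", NOW - timedelta(minutes=30), timedelta(hours=2))]
SAMPLE_FLOWS = [
    Flow("10.20.0.3", "10.10.1.5", 7000),                    # OCC -> interlocking: allowed conduit
    Flow("10.40.0.15", "10.10.1.5", 7000),                   # compromised PIS host -> interlocking: denied
    Flow("10.50.0.7", "10.10.1.5", 22, user="j.engineer"),   # engineer -> authorised device: allowed
    Flow("10.50.0.7", "10.10.1.6", 22, user="j.engineer"),   # same engineer, different device: denied
    Flow("10.50.0.7", "10.10.1.5", 22),                      # laptop with no brokered identity: denied
]

if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS, SESSIONS, NOW) + audit(SAMPLE_FLOWS[2:3], SESSIONS, LATER):
        print(f'{r["time"]} {r["decision"]:5} {r["src"]}->{r["dst"]}:{r["port"]} {r["reason"]}')
```

Two design points carry over to a real deployment. The maintenance zone has no standing conduit at all, so a forgotten VPN tunnel or a shared account cannot reach anything; only a session that names both the user and the single device opens a path, and it closes by itself. And the policy is evaluated locally from data the appliance already holds, which is what lets enforcement continue when the WAN link to a cabinet is lost.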
NIS2 Requirements Specific to Rail
Under NIS2, rail operators must implement:
- Risk analysis and information system security policies — Network segmentation and access control are foundational risk management measures
- Incident handling — The ability to detect, log, and report security events across distributed infrastructure; Article 23 sets the reporting clock at an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month
- Business continuity and crisis management — Security controls must not compromise operational availability
- Supply chain security — Vendor and contractor access to signaling equipment must be controlled and audited
- Encryption and access control — Article 21(2)(h) calls out policies on cryptography and encryption, (i) covers access control and asset management, and (j) requires multi-factor or continuous authentication and secured communications where appropriate
For essential entities the maximum administrative fine is €10M or 2% of total worldwide annual turnover, whichever is higher. For major rail operators, that is a material financial risk.
Mapping Security to Rail Operations
Deploying network-level security in rail requires understanding the operational model:
- Planned possessions — Track maintenance windows are the primary opportunity for physical installation of appliances at wayside locations
- Signaling technician workflows — Security must integrate with existing maintenance procedures, not create parallel processes
- Safety authority coordination — Network-level security does not modify certified equipment, but it is still a change to the signaling environment, so it should go through the operator's change management process, including the significance assessment required by the Common Safety Method for risk evaluation (Regulation (EU) 402/2013), with the national safety authority informed where that assessment calls for it
- Phased rollout by line — Start with a single line or corridor, validate the approach, then expand across the network
What Compliance Looks Like
A rail operator that deploys network-level security can demonstrate to NIS2 auditors:
- Asset inventory — Every device on the signaling network is identified through passive network discovery (observing traffic at the appliances); active scanning is avoided because unsolicited probes can disturb embedded safety equipment
- Access control — Every connection to signaling equipment is authenticated, authorized, and logged
- Segmentation — Critical signaling systems are isolated from lower-security systems
- Incident detection — Anomalous network behavior is detected and alerted in real time
- Supply chain controls — Vendor access is brokered, time-limited, and auditable
All of this without a single modification to safety-certified equipment. The safety case remains intact and the NIS2 obligations are met: rail operators do not have to choose between safety certification and cybersecurity compliance, because network-level enforcement satisfies both. Airport operators face the same certification-versus-security dilemma with baggage handling systems; our analysis of securing airport BHS without requalification covers that parallel challenge.
Full NIS2 on-premise compliance guide → /resources/nis2-on-premise

