Rail systems are abandoning isolated SCADA for IP networks and AI. DNV's Jorge Aldegunde explains why security is now an active interface, not a static perimeter.

On June 24, 2026, Jorge Aldegunde, Global Head of Railway Services at DNV, outlined the structural transformation of railway cybersecurity in an interview with Help Net Security. Systems that traditionally relied on vendor-specific SCADA and dedicated SDH-PDH networks have migrated to open-standard, multi-vendor IP stacks at lower cost. This transition has dissolved the IT/OT boundary, turning it from a static barrier into an interface that must be actively managed. The integration of cloud, consumer apps, and AI pipelines for predictive maintenance has multiplied attack surfaces, while safety and availability constraints prevent standard IT countermeasures.

Key Takeaways
  • Traditional railway systems based on vendor-specific SCADA and SDH-PDH have been replaced by open-standard IP networks, transforming isolated architectures into open systems with middleware and public/private clouds.
  • AI has multiplied attack surfaces and vectors: operational data stored in the cloud for user apps and condition-based maintenance turns previously air-gapped assets into continuous data producers.
  • Patching in railway OT cannot follow IT cadence: it requires planned maintenance windows or compensating measures, including segmentation, monitoring, and operational restrictions.
  • Cybersecurity responsibility is distributed across many stakeholders because of the sector's contractual complexity, while CRA and NIS2 still lack consensus on specific implementation guidelines.

From Closed SCADA to Open Networks: The Mechanism of Dissolution

Railway applications traditionally ran on vendor-specific SCADA and dedicated SDH-PDH communication systems. Projects then realized the advantages of IP-oriented networks, with open standards, multi-vendor capability, and lower costs. This choice broke the isolationist paradigm: open standards soon produced open networks. SCADA, closed by design, became open and connected via middleware. Public transport system data, stored in public or private clouds, became available for user app consumption. Condition-based maintenance and data-driven services transformed previously air-gapped assets into continuous data producers with multiplied attack surface.

The arrival of AI completed the chain. According to Aldegunde, "attack surfaces and vectors multiplied." AI pipelines for predictive maintenance and data-driven services introduce new layers of exposure: data pipelines, model outputs, inference engines, APIs, and cloud connections. A corroborating source from manufacturing OT cites studies indicating that even 0.001% of poisoned data can cause a model to behave erroneously. This poisoning mechanism is relevant for the railway sector, where predictive maintenance is being adopted rapidly.

The Operational Paradox: When the Train Cannot Stop for Patches

In IT, downtime is inconvenient. In manufacturing, according to Ejona Preçi, Group CISO of Lindal Group, "downtime paralyses the business, sometimes completely." In rail, the constraint is even more rigid: safety systems and service availability prevent applying patches at the cadence of email servers. If a patch is available, the goal is to integrate it into planned maintenance windows. If not, compensating measures must be considered, including network segmentation, monitoring, or operational restrictions.

This asymmetry between attacker speed and defender rigidity is the heart of the paradox. Aldegunde frames it as an uncertainty principle: "attackers' ability ≥ yours." Visibility does not equal control. Risk management therefore shifts from perimeter defense to resilience architecture. Systems must be able to operate safely even in degraded or uncertain conditions. This is a cultural transition, not just a technological one: the railway engineer with twenty years of RAMS (Reliability, Availability, Maintainability, Safety) experience must now internalize a threat model that was previously foreign to their operational domain.

Distributed Responsibility and Regulatory Gray Zones

The real challenge lies in the integration layers, within components, subsystems, and systems managed by different stakeholders. Responsibility is rarely concentrated in a single entity, due to the complexity of railway contracts. This distribution of accountability creates interstices that attackers can exploit.

On the regulatory front, CRA and NIS2 are in the adoption phase, but consensus on implementation guidelines is lacking. Aldegunde explicitly cites "expert guidance on implementation of CRA" as a point of disagreement. NIS2, being a directive, presents differentiated implementation across EU member states. In Croatia, according to Antonija Vojnović of Span, the first audits are still awaited. The friction between horizontal regulation (CRA/NIS2) and vertical railway regulation (TSI, Technical Specifications for Interoperability) generates gray zones of accountability.

Supply Chain: The Achilles Heel of Industrial SMEs

The industrial supply chain, especially SMEs, is identified as vulnerable regarding security by design, SBOM, and patch lifecycle management. These organizations, according to Aldegunde, "may struggle to find a business case to apply paradigms like 'security by design', 'SBOM' or a lifecycle view to patch management." The problem is structural: the margins of industrial component suppliers do not support cybersecurity investments without downstream pressure from integrators or regulators.

The nearest correlated data point is the 96% of EMEA financial services organizations with insufficient data resilience for DORA requirements, reported by Vojnović. This figure, although it refers to a different sector, indicates how widespread cybersecurity maturity gaps are in the European regulatory context.

"The IT/OT boundary is no longer a boundary, it is an interface that must be actively managed" — Jorge Aldegunde, Global Head of Railway Services, DNV

What to Do Now

For railway companies, the existing engineering skillset — the RAMS corpus — is the vehicle for cultural transition, not generic IT certification. Aldegunde's recommendation is to "manage your risks. A risk-based approach is more than just a good start." The uncertainty principle must guide planning: assume the attacker's capability is at least equal to your own.

For policymakers, the CRA/NIS2 vs. TSI regulatory friction requires explicit alignment to avoid regulatory arbitrage. The lack of consensus on CRA implementation must be addressed with sectoral guidance that translates horizontal requirements into railway specifics.

For industrial vendors, pressure on supply chain SMEs is becoming a market requirement. Railway system integrators must embed security-by-design and SBOM requirements into contracts, turning regulatory pressure into downstream contractual obligation.

OT-specific incident response and rapid recovery are the most important capability to internalize, not outsource. According to Natalia Oropeza, Chief Cybersecurity Officer at Siemens, "when every minute of downtime might cost not only millions but also human lives, minimizing those minutes becomes crucial." The railway sector measures time in seconds of journey delay. Cybersecurity must now internalize that same granularity of urgency.

The dossier documents that IT/OT convergence is already reality in railway systems, the attack surface is already multiplied, and patch constraints are already structural. The absence of public incidents does not equal absence of risk: low-and-slow persistence in industrial environments, described for manufacturing via stale accounts and compromised workstations, is hard to detect because OT networks are built for stability with predictable patterns. The railway sector shares this architectural characteristic. The goal is resilience: systems must operate safely even in degraded or uncertain conditions.

Sources

Information is based on cited sources and current as of publication.
  1. helpnetsecurity.com
  2. unit42.paloaltonetworks.com
  3. darkreading.com
  4. securityweek.com