Railway cybersecurity training

Cybersecurity training for railway undertakings (RU) and infrastructure managers (IM)


For decades, when we were using the words “railway security”, we were usually referring to the protection and safeguarding of railway property, to the removal of any obstruction in the movement of trains, to the identification of potential situations where crime can take place against railway property or passengers, or the use of a train for criminal purposes or terrorism.

Cybersecurity is the new challenge for the railway industry.

Customers and employees of the railway industry expect that the same level of protection extends to the digital assets that reside on railway systems, including their personal and financial information. The industry is obliged to respect this expectation, especially after the new privacy regulations, including the General Data Protection Regulation (GDPR).

The railway industry must comply with cyber security and privacy laws and regulations, and must follow international standards and best practices that protect customers and employees.

A new cybersecurity culture is necessary. It refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values, and expectations of customers regarding cybersecurity. Managers and employees must be involved in the prevention, detection, and response to deliberate malicious acts that target systems, persons, and data.

During the past decades, the railway industry has made substantial investments in information technology solutions that contribute to improved operational efficiency, safety, and customer satisfaction. The more complex and interconnected the systems, the more awareness and training is required for all managers and employees that use these systems.

Important threats for the railway industry are cyber criminals with financial motivation, politically-motivated groups, state-sponsored agents and groups, terrorists, but also disgruntled or terminated employees with access to the systems.

Railway operators often report low cybersecurity awareness and differences in culture, especially among safety and operations personnel. Cybersecurity awareness for all managers and employees in the railway industry is necessary, in order to make information security considerations an integral part of every job.

We tailor the program to meet specific requirements. You may contact us to discuss your needs.

Target Audience

The program has been designed for all managers and employees working in the railway industry that have authorized access to systems and data. They may work:

- for a railway undertaking (RU), in charge of providing services for the transport of goods and/or passengers by rail, and

- for an infrastructure manager (IM), in charge of establishing, managing, and maintaining railway infrastructure and fixed installation, including traffic management, control-command and signalling, but also station operation and train power supply.

They are in the scope of the EU NIS Directive (directive on security of network and information systems), as operators of essential service (OES).

The program is beneficial to suppliers and service providers, employees responsible for reviewing schedules and maintaining communication with crew members of trains, train operators, engineers, train crew members responsible for operational and safety duties, station managers and agents, and revenue protection officers.


One hour to one day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.


Our instructors are working professionals that have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.

Course synopsis, recommended training modules


- Railway stakeholders must strike a balance between operational requirements, business competitiveness and cybersecurity.

- Important developments in the railway industry after the new privacy regulations, including the General Data Protection Regulation (GDPR).

- Understanding the challenges.

Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Hacktivists and the railway industry.

- Professional criminals and information warriors.

- Cyber-attacks against passengers, baggage, cargo, catering, systems, staff, and all persons having authorized access to systems and data.

How do the adversaries plan and execute the attack?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment, and testing.

- Step 4 - Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.

Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: Which is the risk for the railway industry?

What do we need? How can it be exploited?

- a. Speed and convenience.

It is difficult to balance speed, convenience, and security.

- b. Effective and efficient access to the web site, computers, and systems.

Examples of challenges and risks.

- c. Great customer service.

Example - how it can be exploited.

- d. A nice facility and great housekeeping.

Example - “The cleaning staff’s hack”.

- e. Food, drinks, and entertainment.

Point-of-sale (POS) fraud and challenges.

Credit card cloning.

- f. Internet access.

Honeypots, rogue access points, man-in-the middle attack.

- g. Security.

Unauthorized access is a major problem, and social engineering is a great tool for attackers.

- h. Privacy.

The railway industry is considered one of the most vulnerable to data threats.

- i. Money (if they can sue the service provider for negligence).

What must be protected?

- Best practices for all employees that provide services and have authorized access to systems and data.

- What to do, what to avoid.

- From client satisfaction vs. cyber security, to client satisfaction as the result of cyber security.


- Trojan Horses and free programs, games, and utilities.

- Ransomware.

Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques

- 1. Pretexting.

- 2. Baiting.

- 3. Something for something.

- 4. Tailgating.

Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and Vishing Attacks.

Cyber Hygiene.

The online analogue of personal hygiene.

- Preparing and maintaining records.

- Entering and retrieving data into computer systems and devices.

- Researching and compiling reports from outside sources.

- Maintaining and updating files.

- Responding to emails and questions by telephone and in person.

- Ensuring that sensitive files, reports, and other data are properly tracked.

- Dealing with personnel throughout the company as well as external parties, customers, suppliers, service providers.

Case studies.

- July 2015-2016, United Kingdom. Four cyberattacks, considered as part of a reconnaissance operation before an APT (Advanced Persistent Threat) attack, probably led by a national state threat actor.

- May 2017, Germany. Deutsche Bahn was a victim of the WannaCry ransomware.

- October 2017, Sweden. The first attack affected the Sweden Transport Administration (Trafikverket) via its two internet service providers, TDC and DGC. The attack reportedly affected the IT system that monitors trains' locations. It also took down the federal agency's email system, website, and road traffic maps. Customers during this time were unable to make reservations or receive updates on the delays.

- May 2018, Denmark. An attack impacted the ticketing systems of DSB. The Danish travelers could not purchase tickets from ticket machines, the online application, website, and certain station kiosks.

- March 2020, United Kingdom. The email addresses and travel details of about 10.000 people who used the free Wi-Fi provided in UK railway stations have been exposed online. The database contained 146 million records, including personal contact details and dates of birth.

- May 2020, Switzerland. A Swiss rail vehicle manufacturer was hit by a malware attack that impacted all of its locations. Attackers reportedly infected systems with malware that was then used to exfiltrate sensitive corporate data from breached systems. Internal documents stolen during the cyber-attack have been published online.

- July 2020, Spain. Spanish Infrastructure Manager ADIF has been hit by a ransomware not affecting critical infrastructure but exposing gigabytes of personal and business data.

- What has happened?

- Why has it happened?

- Which were the consequences?

- How could it be avoided?

Closing remarks and questions.

For more information, you may contact us.