Rail Transport: Critical Infrastructure on the Boundary Between Cyber and Physical

11 May 2026

In August 2023, something happened on the Polish railways that until then had belonged to the realm of scenarios, not reality. Unknown actors abused the radio system for emergency stopping (radio-stop) and transmitted a signal that brought more than 20 trains to a halt in various regions of the country. The attack required no access to digital systems and no sophisticated malware. A radio transmitter and knowledge of publicly available tones were enough. It was a demonstration of why rail transport ranks among the most complex categories of critical infrastructure. It brings together older analogue and radio technology with contemporary IT and OT systems, and each of these layers has its own vulnerabilities.

The Slovak rail system


The Slovak rail system has three main actors. Železnice Slovenskej republiky (ŽSR), as the infrastructure manager, administers approximately 3,580 kilometres of track, signalling and safety systems, traffic control workplaces and communication networks. Železničná spoločnosť Slovensko (ZSSK) operates passenger transport. Železničná spoločnosť Cargo Slovakia (ZSSK Cargo) operates freight transport, which is strategically important for the transit between Ukraine, the EU and the countries of Western Europe.


It is precisely rail freight transport that has acquired a new strategic dimension since February 2022. The Slovak railway has become one of the principal routes for the transport of humanitarian and military aid to Ukraine, for the export of Ukrainian grain and for the logistical support of defence cooperation within NATO. This shift has transformed the railway infrastructure from a domestic transport service into a cross-border strategic corridor.


Layers of vulnerability


Rail transport can be attacked at four layers. The first is the signalling and safety layer, which encompasses onboard train protection systems, fixed signals, automatic train operation and GSM-R radio communication systems. The European Rail Traffic Management System (ERTMS), which is being gradually rolled out on Slovak lines, brings modernisation, but also new digital dependencies.


The second is the traffic control and command layer, which encompasses traffic control workplaces, train operation control systems and integration with neighbouring operators. The third is the commercial and administrative layer, including reservation systems, ticket sales, freight logistics systems and integration with customs and border systems. The fourth is the physical infrastructure of tracks, bridges, tunnels and junction stations, the disruption of which can have a direct physical impact on the safety of operations.


Attacks on railways in recent years have affected each of these layers. In September 2024, a cyber attack hit Britain’s Network Rail through Wi-Fi networks in stations. In March 2022, a ransomware attack on the Italian operator Trenitalia disabled ticket sales at stations. In October 2022, the physical sabotage of DB Netz fibre-optic cables in Germany paralysed northern Germany for several hours. The Ukrainian railway Ukrzaliznytsia has faced virtually continuous cyber and physical attacks since 2022, which it has withstood thanks to the exceptional improvisational capability of its personnel.


Regulatory framework


Rail transport is classified under Act No. 367/2024 Coll. on Critical Infrastructure within the transport sector, as one of the 11 sectors of critical infrastructure. Act No. 366/2024 Coll. (the transposition of NIS 2) places railway infrastructure managers and carriers among the entities providing critically important services. To these are added specific rail regulations, in particular EU Regulation 2016/796 on the European Union Agency for Railways (ERA) and Regulation 2023/1230 on the common safety method for cybersecurity in the rail sector.


In July 2024, ENISA, jointly with ERA, published guidelines for the cybersecurity of ERTMS, which set out minimum requirements for the protection of signalling systems, identity management, network segmentation and the management of vulnerabilities in supply chain components. Decree of the National Security Authority No. 227 of 2025 supplements these requirements with the Slovak regulatory context.


Three practical priorities


For operators in the rail sector, three practical priorities emerge. The first is segmentation between operational systems (signalling, traffic control, GSM-R) and corporate IT, including the management of remote access by suppliers to OT environments. The second is the management of vulnerabilities specific to rail components with a long life cycle, where firmware and operating systems are updated on a timescale of years, not months. The third is cross-border coordination with operators in neighbouring countries, in particular in the context of transit between the EU and Ukraine, where a failure on one side has an immediate impact on the other.


“Rail transport shows why the Act on Critical Infrastructure cannot be implemented solely from the perspective of IT security. The security risks for a train can take the form of phishing aimed at a traffic controller, the compromise of a software supplier, the jamming of a radio signal or the physical sabotage of a track. Functional resilience means seeing all these layers simultaneously and having an operationally rehearsed response for each of them,” states Ing. Tibor Straka, President of AKI SR.


The railway is a 19th-century technology that has become digital in the 21st century. It is precisely this layered character that makes it one of the most fascinating and most demanding sectors of critical infrastructure, and one that deserves systematic professional attention.

