Rail
Sovereign incident response for Australian rail operators — signalling, depot OT, and cloud-connected fleet systems.
The threat picture
Rail operators run safety-critical systems where availability and safety are inseparable: signalling, traction control, train management, and depot-level OT. Even where signalling itself is segmented from corporate IT, the surrounding stack — train-management platforms, depot control, fleet telemetry, ticketing — has well-documented exposure.
A rail incident does not stay inside the operator. It hits passengers, freight customers, and (often) the news cycle.
What xCIRT covers
- Signalling-adjacent IT — The systems that interact with signalling without being part of the safety-certified core.
- Train-management and traffic-control systems — Cloud-connected platforms supporting operations.
- Depot OT — PLCs and embedded controllers in maintenance and stabling environments.
- Fleet telemetry and IIoT — Connected systems on rolling stock and trackside assets.
- Ticketing and customer systems — Often the most internet-exposed part of the estate, and a frequent foothold.
Where we help
- Rail-sector IR playbooks including network-segmentation-failure scenarios between corporate and operational rail networks.
- SOCI / CIRMP readiness with explicit attention to safety-adjacent systems.
- Containment planning that recognises the safety case sitting underneath signalling.
- 24/7 retainer engagements with sector-aware responders.
The questions we usually start with
- Is the boundary between your corporate IT and your operational rail network audited, or assumed?
- What does containment look like for a compromised depot environment without disrupting the running railway?
- Who on the operational side has decision rights during a cyber incident, and have they exercised them in a drill?
Need an Australian responder, now?
Retainer engagements, scoped pilots, and SOCI-readiness packages. Talk to us about what your critical-infrastructure estate needs.