Rail at risk: Cybersecurity and asset management

By Max Schwartz and Todd Ellis|June 30, 2026

For decades, rail operators have invested heavily in the physical reliability of their systems: track, rolling stock, interlockings, power, and signaling. That focus made sense when risk was primarily mechanical and failures were visible, localized, and largely unintentional.

 

Mechanical failures were visible, localized, and largely unintentional.

How can asset management and cybersecurity work together to reduce risk and improve decisions

But the operating environment has changed in ways that traditional reliability strategies were never designed to address.

Digital systems have become integrated into every layer of rail operations. Positive Train Control (PTC), digital interlockings, onboard networks, supervisory control and data acquisition (SCADA), smart sensors, and cloud-connected maintenance platforms have transformed the way railroads function. With that transformation comes a new reality: physical and digital systems no longer fail independently.

Interdependent risks

A failure in one domain can cause a ripple effect. A misaligned circuit controller can trigger digital enforcement actions; a compromised Wi-Fi access point can expose a train control module. The boundary between mechanical and digital risk has effectively disappeared, extending beyond ballast, rails, and switch machines to include wireless and wired networks, and overlooked operational technology (OT) devices embedded within critical systems.

Cyber compromise is no longer a theoretical risk for rail, it’s an established fact. That gap between perception and reality is exactly where risk-based asset management (RBAM) and cybersecurity must converge.

Traditional RBAM approaches, such as the ISO 55001 standard, provide a strong foundation for asset management maturity and strategic alignment. While the standard supports transparent and informed judgment, supplemental tools such as failure mode and effects analysis (FMEA), reliability-centered maintenance (RCM), and predictive analytics remain essential for driving actionable, risk-informed decisions. Together, these frameworks, standards, and tools help operators understand how assets fail, prioritize corrective actions, and allocate capital where it reduces the greatest risk. At their core, these approaches force organizations to evaluate risk based on likelihood and consequence and to confront the myth that cybersecurity breaches will never happen.

Cyber risk, however, plays by a different set of rules.

A switch machine rarely fails because someone intentionally tries to break it. A network, by contrast, can be compromised with tools that are cheap, readily available, and easy to use, as one case study showed. In that incident, a person with no rail experience, acting as part of a cyber penetration test requested by a transportation agency, gained full access to a train’s onboard Ethernet network within minutes. The next day, he repeated the attack wirelessly. He ultimately deleted the firmware of the train control module, rendering the vehicle inoperable.

This wasn’t a hypothetical exercise. It demonstrated how quickly a modern rail system can be compromised when cybersecurity is not treated as a priority.

Standards are only as good as their application

Rail operators have structured frameworks for assessing cyber risk through IEC 62443 and the forthcoming IEC 63452. These standards require systems to be broken into zones and conduits, with security levels assigned based on exposure and consequence. But frameworks alone are not enough.

Many OT rail systems cannot technically support IT-style controls like multifactor authentication, yet they still require rigorous analysis. When assessors don’t understand how devices interconnect and behave in an operational environment, critical gaps are often overlooked or minimized.

This is where RBAM and cybersecurity intersect: both require a deep understanding of how assets function, fail, and interact with the systems around them.

Cyber risk is asset risk

Physical and digital risks often compete for the same capital dollars, but they shouldn’t. The question isn’t whether to fund a track renewal program or a cybersecurity upgrade. It’s about choosing the right combination of investments to reduce the greatest risk to the system as a whole.

A cyber intrusion that forces an emergency brake application for a train in motion is every bit as consequential as a broken rail. Both can cause service disruption, safety hazards, reputational damage, and regulatory scrutiny. Both belong in the same risk register.

RBAM gives railroads the framework to evaluate these tradeoffs transparently. Cybersecurity provides the controls to mitigate them. Together, they create a unified view of system vulnerability.

That same reality extends beyond rail. Any infrastructure sector that depends on OT faces similar cyber-physical risk and the same need to move beyond treating cybersecurity as an add-on.

What’s required is a shared culture where engineering, OT, IT, and operations inform, contribute to designing, and work from the same risk and decision-making framework and language toward the same objective: protecting the system so it can deliver value safely and reliably.

In practice, that means:

  • Integrating cyber scenarios into FMEA and RCM
  • Using zone and conduit modeling to map vulnerabilities
  • Applying security levels consistently across assets
  • Treating cyber intrusions as failure modes
  • Making capital decisions based on total system risk

From frameworks to real-world risk reduction

Hatch is already helping clients incorporate these comprehensive risk frameworks and is uniquely positioned to help organizations make this shift; not only because we understand rail systems, but because we already support OT-rich environments across ports, airports, terminals, mining operations, and energy infrastructure.

The same expertise that uncovers a vulnerability in a train control module can secure passenger information signage, a container crane at a port, or a mine’s SCADA system. The OT building blocks are the same, and so are the risks.

Hatch partners with clients to bridge that gap between cybersecurity and asset management, helping them move from isolated assessment to a coherent, risk-informed view of system vulnerability. Organizations that succeed will be those that treat cyber-physical risk as a core component of asset management, not an optional layer. Contact us to assess where cyber risk truly sits in your asset portfolio and define the actions that matter most.

Todd Ellis Headshot

Todd Ellis

Rail Systems Global Lead – Communications, IT/OT Infrastructure & Cybersecurity , Rail, Infrastructure

Todd specializes in helping transportation and critical infrastructure owners strengthen asset performance, resilience, and cyber readiness. Todd brings deep experience aligning digital strategy, risk management, and operational needs to support safe, reliable, and future-ready infrastructure systems.

Our perspectives

More conversations about the world's biggest challenges

More blogs