Feature

Ransomware on the rails

Keri Allan explores what recent rail cybersecurity breaches reveal about vulnerabilities of the railway sector – and how the industry is responding to increasing cyber risks.

According to the latest edition of the European Union Agency for Cybersecurity (ENISA) Threat Landscape Report, 11% of cyberattacks reported between June 2023 and July 2024 targeted the transport sector. Three quarters of these were distributed denial of service (DDoS) attacks, followed by ransomware (13%), and data thefts (6%). 

While the main threat appears to be the impact on operational services, rather than critical ones, a successful cyber breach in the rail sector can have far-reaching consequences – enabling malicious actors to manipulate, disrupt, or even disable services.

“Impacts of these attacks vary from financial loss, reputational damage, potential personally identifiable information (PII) theft, and disruption to services through to destabilisation of critical infrastructure systems and potentially hazardous physical conditions in the emergency stop hacking incident in Poland,” notes Greg Linares, principal threat intelligence analyst at cybersecurity platform developer Huntress.  

Why rail is vulnerable to attack

Railways are a cornerstone of critical infrastructure, making them a prime target for cybercriminals looking to cause widespread disruption or damage. Furthermore, the high stakes of safeguarding sensitive operational data mean that attackers see the sector as a lucrative opportunity for ransom demands.

The rail sector is particularly vulnerable to such attacks because it typically operates on long investment cycles and continues to rely on some legacy systems for operational assets. These often lack security-by-design principles and are difficult or costly to upgrade.

“In some cases, the cost-benefit analysis for upgrading legacy assets, while considering the added value for enhanced security, could be negative,” notes Thomas Chatelet, ERTMS project officer at the European Union Agency for Railways (ERA).

In addition, the rail industry has a wide range of attack vectors that broaden its appeal to cybercriminals. Rail networks are made up of many interconnected networks, from communication and control through to passenger information systems, and the interdependence of these systems means the breach of one could potentially compromise the entire rail network, notes John Cullen, strategic marketing director of digital identity at Thales.

“Modern digital advancements, such as IoT sensors and automation, are revolutionising how operators monitor and manage railway systems,” he explains. “However, this increased connectivity also introduces more entry points for cybercriminals, heightening the industry’s vulnerability.” 

The weakest link

While there are many attack vectors that cybercriminals can exploit, ransomware incidents from recent years highlight a particular weakness in the security of rail networks’ supply chains.

Take the October 2022 ransomware attack on third-party vendor Supeo, which halted Danish State Railways (DSB) services nationwide. “The DSB experienced a significant disruption when a ransomware attack targeted Supeo, a subcontractor providing critical IT services. This rendered Supeo’s servers inoperable, leading to the suspension of train operations across Denmark as conductors could not access essential systems,” notes Martin Riley, CTO of cybersecurity consultants Bridewell.

More recently, in January 2024 we saw the ransomware attack on IT service provider Tietoevry, which led to widespread outages of online services across government agencies and businesses including the Swedish Public Transport Authority.

These highlight the risk from indirect attacks on critical rail infrastructure and should serve as a wake-up call for the rail industry, according to Chatelet.

“They underscore the importance of recognising cybersecurity as a strategic risk,” he explains. “One that requires attention at the highest levels of management and must be reflected in both governance and budget planning.” 

Building cyber resilience

So what can – and should – rail organisations be doing to improve their cybersecurity standing?

Start with the basic cybersecurity measures, like those required by the EU’s NIS2 Directive and Cyber Resilience Act.

According to Marianthi Theocharidou, cybersecurity expert at ENISA, prioritisation of cybersecurity investments largely depends on sectorial and/or organisational maturity. In March, the organisation published its NIS360 report, which assesses the maturity and criticality of NIS2 sectors, and this placed the railway sector tenth among the 22 subsectors assessed.

“National and sector relevant authorities note that all transport sectors still have work to do in fully implementing NIS2-aligned measures,” Theocharidou says. “Aviation is the most aligned, road the least and railway and maritime still rely heavily on legacy systems that pose challenges.”

Clearly, there’s still a lot of work to be done, but there are steps organisations can take now to strengthen their cybersecurity, and in particular mitigate their risk of a ransomware attack. Firstly, Riley advises that companies should know their assets.

By knowing what hardware, software, cloud and network assets you have, you can consider the control needed to protect them

Then, companies should make sure all vulnerabilities are patched and updates completed as soon as available. Comprehensive monitoring and robust incident response capabilities are also important, as is staff training – as they can be your weakest link, notes Theocharidou.

It’s also important to work with your partners, to ensure each link in your supply chain is secure.

The power of collaboration

Finally, knowledge sharing and collaboration can also make a big difference, something Europe is taking advantage of, as we’re seeing an increase in collaborative initiatives across the region. This includes the Expert Group on Land Transport Security (LANDSEC) supporting the European Commission in shaping policies, with collaboration further supported by the European CISO Forum for Railway, which brings together chief information security officers from European rail infrastructure managers and railway undertakings.

“ERA and ENISA also co-host the annual Cybersecurity in Railways conference to address challenges, best practice and advancements, and the EU railway industry has joined efforts to establish an overarching joint working group on cybersecurity between The European Rail Supply Industry Association (UNIFE), the European Rail Infrastructure Managers (EIM) and the Community of European Railway and Infrastructure Companies (CER), and in close cooperation with the security domain team of the Europe’s Rail System Pillar,” says Theocharidou.

However, more still needs to be done in terms of preparedness and testing, she notes, and to this end ENISA, alongside Member States, has begun preparations for Cyber Europe 2026. This pan-European exercise simulates large-scale cybersecurity incidents that escalate to cyber crises affecting the whole union.

“Through this exercise, participants will have the opportunity to analyse advanced technical cybersecurity incidents, deal with complex business continuity and crisis management situations, requiring coordination and cooperation from local to EU level,” Theocharidou adds.

While cyberthreats are here to stay, the rail sector has a clear path forward. With the right tools and guidance available and collaborative support already in place, there’s real potential to strengthen resilience and reduce risk. If the industry continues to build on recent progress, it could significantly improve its cybersecurity maturity – and move up in ENISA’s future assessments. 
