The digitalization of railways is well underway. Railways have increasingly embraced commercially available technologies that offer improved capabilities at reduced cost. The scale of innovation in the ICT field is impossible to replicate in the much smaller railway sector, so it is a natural evolution. Unfortunately, tapping these more general technology platforms further introduces some of the cyber-security challenges faced by the ICT sector more broadly. This is overwhelming many railway operators that don’t have the resources and internal expertise to deal with them.


The recent increase in sophisticated, targeted security threats by both insiders and external attackers has increased the awareness and urgency of communications service providers, mission-critical network operators and utility and infrastructure enterprises for implementing comprehensive security strategies.

The ability of traditional security management systems to detect and investigate unknown threats and exfiltration alone are insufficient. They are typically deployed to look at the perimeter of the network. Whereas outsiders that have already infiltrated the network and malicious insiders pose a significant risk as well, because they are already inside the network.

In response, there is a growing trend to implement cognitive security analytics systems as an enrichment to traditional existing security information and event management (SIEM) solutions for advanced and context-aware detection and response provisioning. Security management enrichment with cognitive security software helps security teams achieve key strategic objectives including improving operational costs, regulatory compliance, and enabling and protecting new technology introductions.

Railway regulators have created regulations such as the EU Cybersecurity Strategy to ensure railway operators take the required actions to secure their operations. However, regulators also struggle to keep up with the speed at which cyber-attacks and defenses evolve, thus standards such as IEC62443 are constantly evolving to capture railway specific requirements and describe and benchmark best practices.

The current approach by many railways is to handle security events manually. The various silos each take their own approaches, which is limited, inefficient, and time consuming. Just as railways are consolidating their various operational networks, they will need to consolidate their approach to security in order to achieve integrity, confidentiality and availability through a combination of technical controls, processes and procedures.

Cognitive security analytics are not a replacement for traditional incident response systems such as SIEM. They complement existing systems by taking a more holistic approach to collecting and analyzing data from a wider range of sources. This gives them the ability to contextualize threats for more accurate identification and improved response times. In some cases, it even enables them to anticipate threats.

Analytics also makes it possible to automate the response. Security operations, analytics and response (SOAR) can automate response workflow to make analytics data immediately available to stakeholders as well prioritize which threats need to be addressed. They can also learn from historical data patterns to get better at predicting potential issues in advance of them happening, leading to proactive responses.

An active and automated security strategy is a good way for railways to get ahead of the cybersecurity curve, but it needs to be implemented as part of a multi-layered approach that keeps costs down and still provides defense in depth. Security analytics must be implemented end to end with security-related data being collected from across the network, devices and the cloud. Beyond the operation of the communications network, the security strategy should also cover business processes, incident response plans, regulations and policies.

Nokia has developed such a multi-layered solution for railways and mass transit systems that supports workflow management and automation, advanced analytics and reporting.

Based on the SOAR approach, it can measure security compliance in real time and automate the configuration of the network from end to end to meet compliance standards. It can manage, control, analyze and audit user activity as well as identify and mitigate threats using machine learning algorithms. All of this information is presented using the customizable dashboard to empower security teams with timely reports covering endpoints, servers, and networks.

The Nokia Security Solution for Railways seamlessly integrates with the railway operator’s existing infrastructure including existing SIEM systems and operational support systems such as LDAP, ticketing and virtual resource management. From the dashboard, security personnel can also access its powerful search and reporting capabilities, receive real-time alerts and select predefined and automated mitigation workflows for faster response times.

Deploying the right level of security is a high priority. While all railway networks are different, sound security typically requires a move from manual processes to automation, the application of data analytics and machine learning, end-to-end encryption and a full lifecycle evaluation of cyber-security risks.

Nokia offers an advanced and comprehensive approach built on its long experience and in-depth expertise in both security and mission-critical network design and operations. In line with best practices and published standards, the Nokia solution can provide the highest levels of protection for railway communications.

Visit us to learn more about Nokia’s railways solutions.