Outdated doesn’t mean safe: Cyber risks in legacy rail systems

As companies invest in new fleets with advanced digital systems, it is easy for attention to shift away from legacy rolling stock. But when it comes to cybersecurity, that can be a mistake. Older trains are sometimes assumed to be less exposed to digital threats, but in reality, their integration with newer systems or reliance on outdated protections can make them vulnerable.

Legacy fleets often lack modern security protections because cybersecurity was not as much of a focus when they were built as it is now. This makes them an attractive target for cyber criminals, who can use them as a gateway to other systems on the network or within the organisation.

Why older fleets can be a cyber weak spot

Legacy rail fleets often operate on much simpler systems than those found in newer trains. Typically, these systems run on unsegmented networks, meaning there is no clear separation between different functional areas.

Without defined security boundaries, an attacker who gains access to one part of the network can often move laterally to others with little resistance.

Keeping legacy systems secure is made more difficult by ageing or outdated software. Unlike modern applications, which are regularly updated to address new vulnerabilities, older systems often miss out on these critical updates.

This may be due to discontinued supplier support, incomplete documentation, or simply because the need for updates has been overlooked. And because updates are typically applied during planned maintenance windows, any delays or gaps in maintenance routines can leave known vulnerabilities unaddressed for extended periods.

Cyber risks in depot practices

While maintenance depots often have formal security policies in place, day-to-day operations tend to rely heavily on trust. Technicians are expected to follow best practices, but cybersecurity can sometimes take a back seat. Depots are also occasionally overlooked in broader organisational cybersecurity strategies, which means critical controls, like software access and authentication, can be poorly enforced.

A common example is the use of weak or shared passwords on maintenance laptops. According to IEC 62443, strong authentication measures, such as complex, unique passwords, are essential for protecting industrial systems. Legacy fleets are no exception.

Securing the supply chain

A major risk to older fleets often comes from suppliers. While train operating companies (TOCs) maintain strict security protocols for managing third-party vendors, gaps can emerge during procurement from external suppliers. Attackers frequently target weaker links in the supply chain to gain access to critical systems.

Legacy rail systems often depend on external vendors for hardware and software support. However, many of these suppliers may not prioritise cybersecurity to the same extent as TOCs or rolling stock companies (ROSCOs). To mitigate this risk, it is essential to ensure that your suppliers follow the same stringent security practices when accessing your networks and systems.

Summary: Top cyber risks for legacy fleets

As rail operators invest in modern fleets with advanced digital systems, legacy rolling stock is often overlooked from a cybersecurity perspective.

Yet older trains can pose significant risks. Many were not designed with cybersecurity in mind and may run on unsegmented networks, giving attackers easier access. Ageing software and a lack of updates further expose critical vulnerabilities.

Risks also extend to depots, where inconsistent security practices and weak vendor controls can leave systems open to attack.

Protecting legacy fleets requires a comprehensive strategy covering system updates, secure maintenance, and supply chain security.

Ready to improve your cyber resilience?

Cybersecurity threats are a growing concern for the rail industry, and protecting your systems is essential for safe and reliable operations.

At Encompass, we help our customers develop a thorough understanding of potential vulnerabilities and the associated risks, so you can strengthen your defences and ensure a swift, effective response to potential cyber incidents.
