The importance of freight rail to the U.S. economy and its position as a backbone of the nation’s infrastructure cannot be overstated. Freight rail accounts for almost 40% of U.S. long-distance freight volume in ton-miles, more than any other mode of transportation.[1] According to the Association of American Railroads (AAR), the freight rail network is nearly 140,000 miles long, and in a typical year freight railroads haul around 1.5 billion tons of raw materials and finished goods.

In terms of total weight per mile, the rail industry is by far the safest and most efficient method of transportation, moving one ton of freight nearly 500 miles per gallon of fuel, which makes railroads three to four times more fuel-efficient than trucks. The AAR further claims that advances in software improve fuel efficiency by up to 14% by calculating the most efficient speed, spacing, and timing of trains. By comparison, if railroads did not move freight in the United States, it would take more than 80 million additional trucks traveling on public roadways, and four times more fuel, to handle the same freight.[2]

Figure: AAR NA Freight Rail. SOURCE: Association of American Railroads (AAR)

The statistics published by the AAR demonstrate that freight rail, like an old steam engine furnace, fuels economic activity in the United States, generating $233.4 billion in total economic output in 2023 and reinvesting $26.8 billion in modernizing infrastructure, enhancing safety, and improving reliability. Every dollar invested in rail transportation drives 2.5x in economic activity. According to the AAR’s website, the industry employs 153,000 people and supports 749,000 jobs nationwide through supply chains and consumer spending.

Obviously, and as evidenced by the fuel-efficiency software, technology is embedded throughout the rail network and its supporting systems to sustain this ever-evolving mesh of delivery assets. The rail industry has not been shy about adopting new technology, both in the field and back in the office, as quickly and safely as possible. Car positions, loads, maintenance status, type, and other telemetry are tracked and shared among participants as needed to operate the network safely and effectively. Some even see a future with self-driving rail cars that can be more easily pooled and assembled into trains when needed.

As freight rail continues down the road of digital transformation, common threats have come along for the ride. Modern signaling and safety systems rely on interconnected digital networks, train control networks, SCADA systems, and industrial control systems, making railway cybersecurity a continuously evolving challenge: fleets of assets intended to last more than 30 years of continuous service must be kept secure throughout that life. Criminals target these operational support and logistics platforms and their providers to disrupt shipping operations, steal cargo, and sabotage safety controls. According to the UK Department for Transport’s Rail Cyber Security Guidance to Industry, attackers could exploit weaknesses in the digital rail system to cause delays, derailments, and even catastrophic failure.

To illustrate this point, we need look no further than the Positive Train Control (PTC) system. If a Wayside Interface Unit (WIU) has a vulnerability, a replay, message corruption, or guessing attack on the WIU beacon could result in trains stopping when they should not, because of the fail-safe nature of the onboard system design. Similarly, such attacks on a WIU could result in a train failing to stop when it should.[3]
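
To make the fail-safe logic concrete, the following is an added illustrative model, not the actual PTC/ITC message format and not code from this article or the FRA, of how an onboard unit can authenticate WIU beacons so that replayed, corrupted, and guessed messages are all rejected and treated as a restrictive aspect rather than acted on. The shared key, the header layout, the WIU id, and the aspect names are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Hypothetical shared key provisioned to one WIU and the onboard units that listen to it.
# Constructed for this example only; PTC key management is not modelled here.
WIU_KEY = b"example-wiu-key-constructed-for-illustration"

# Signal aspects a WIU might report. RESTRICTIVE is the fail-safe default: when the onboard
# unit cannot verify what the wayside is saying, it assumes the most cautious aspect.
STOP, RESTRICTIVE, CLEAR = "STOP", "RESTRICTIVE", "CLEAR"
VALID_ASPECTS = {STOP, RESTRICTIVE, CLEAR}

HEADER = ">IQ"            # 4-byte WIU id, 8-byte monotonically increasing sequence number
HEADER_LEN = struct.calcsize(HEADER)
TAG_LEN = hashlib.sha256().digest_size


def build_beacon(key: bytes, wiu_id: int, seq: int, aspect: str) -> bytes:
    """Wayside side: header + aspect, followed by an HMAC-SHA256 tag over both."""
    body = struct.pack(HEADER, wiu_id, seq) + aspect.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class OnboardVerifier:
    """Onboard side: verifies each beacon and remembers the last accepted sequence per WIU."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}      # wiu_id -> highest sequence number accepted so far
        self.rejections = []    # audit trail of why frames were discarded

    def accept(self, frame: bytes) -> str:
        """Return the aspect the train should act on; anything unverifiable yields RESTRICTIVE."""
        if len(frame) < HEADER_LEN + 1 + TAG_LEN:
            self.rejections.append("short-frame")
            return RESTRICTIVE
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare: a flipped bit (corruption) and a guessed tag (forgery) both fail here.
        if not hmac.compare_digest(tag, expected):
            self.rejections.append("bad-mac")
            return RESTRICTIVE
        wiu_id, seq = struct.unpack(HEADER, body[:HEADER_LEN])
        aspect = body[HEADER_LEN:].decode()
        # Replay check: a sequence number already seen (or older) is never acted on again.
        if seq <= self.last_seq.get(wiu_id, -1):
            self.rejections.append("replay")
            return RESTRICTIVE
        if aspect not in VALID_ASPECTS:
            self.rejections.append("unknown-aspect")
            return RESTRICTIVE
        self.last_seq[wiu_id] = seq
        return aspect


def run_demo():
    """Feed one fresh, one replayed, one corrupted and one forged beacon through the verifier."""
    onboard = OnboardVerifier(WIU_KEY)
    fresh = build_beacon(WIU_KEY, wiu_id=7, seq=1, aspect=CLEAR)
    second = build_beacon(WIU_KEY, wiu_id=7, seq=2, aspect=CLEAR)
    corrupted = second[:-1] + bytes([second[-1] ^ 0x01])       # one flipped bit in the tag
    forged = build_beacon(b"attacker-guessed-key", wiu_id=7, seq=3, aspect=CLEAR)
    results = [
        onboard.accept(fresh),      # genuine, in order      -> CLEAR
        onboard.accept(fresh),      # same frame again       -> RESTRICTIVE (replay)
        onboard.accept(corrupted),  # damaged in transit     -> RESTRICTIVE (bad-mac)
        onboard.accept(forged),     # wrong key              -> RESTRICTIVE (bad-mac)
        onboard.accept(second),     # genuine, next in order -> CLEAR
    ]
    return results, onboard.rejections


if __name__ == "__main__":
    print(run_demo())
```

With the tag and counter in place, every unverifiable beacon collapses into the restrictive branch, which is exactly the fail-safe property the FRA guidance describes: the attacker’s reach is limited to availability (a train stopping when it need not), not to a train running past a stop. Two caveats for a real deployment: a sequence counter alone does not bound how stale an accepted beacon can be, so a timestamp or beacon timeout belongs alongside it, and the rejection counters should feed monitoring, because a burst of bad-mac or replay rejections at one WIU is itself a detection signal.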

 

Figure: FRA PTC, Architecture of U.S. PTC System. SOURCE: U.S. Department of Transportation Federal Railroad Administration

The UK Department for Transport’s Rail Cyber Security Guidance to Industry highlights that mitigating risk in a digital railway infrastructure requires robust cybersecurity measures, including network segmentation, continuous monitoring, and multi-layered authentication controls.

Recent cyber incidents demonstrate the risks posed to freight rail and why cybersecurity is a top priority, especially where safety is involved.

Figure: Freight Cyber Risk

Fictional Scenario: The Black Signal Ransomware Crisis

In early 2026, the “Black Signal” campaign is launched by a little-known hacker group indirectly named after a trading card series. The multi-pronged ransomware campaign begins with phishing emails to employees of freight rail service operations. Once an employee opens the attachment, an exploit called Indexsinas is triggered, and a worm begins self-replicating across the company’s systems.[4]

Our worst-case scenario begins to play out as the ransomware spreads laterally. Train dispatch systems, cargo tracking databases, messaging systems, and some OT devices are hit within 48 hours. The attack encrypts operational data and effectively shuts down train routing systems. Emergency shutdowns that stop trains around the country are triggered by false alerts and unreachable monitoring systems. Rail yards in Chicago, Atlanta, and Los Angeles are rendered inoperable, disrupting the nation’s supply chains.

While the scenario is fictional and takes some liberties with specifics, it is based on actual events, is plausible, and does not require a zero-day exploit to pull off. Attacks like the one in this scenario, or the ones you may have seen in the movies, are not purely fantasy. They are loosely based on real-world vulnerabilities that may have been exploited in critical infrastructure sectors, including freight rail. To prevent such devastating scenarios from occurring, stakeholders need to understand these risks and fortify their defenses so that the risks are never realized. We’ve compiled a list of the top cyber threats in the freight rail sector from the VERIS Community Database (VCDB)[5] and mapped some recent incidents to them below.
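
The segmentation and continuous-monitoring controls recommended by the UK guidance are what would catch a Black Signal-style worm in its first hour. As an added example serving both that guidance and the scenario above (illustrative code, not HALOCK’s tooling or any rail operator’s), the following detection runs over constructed SMB flow records and flags two early signs of the worm’s lateral spread: one host fanning out to many SMB peers within a short window, and an IT-zone host opening SMB into the OT zone that hosts dispatch and signaling. The addresses, zone ranges, port, and thresholds are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records "timestamp src dst dport"; none come from a real network.
# Host 10.20.5.17 behaves like a freshly infected workstation sweeping SMB across its subnet
# and then reaching into the OT zone; 10.20.7.3 is ordinary file-share and HTTPS traffic.
SAMPLE_FLOWS = """\
2026-01-14T08:00:01 10.20.5.17 10.20.5.40 445
2026-01-14T08:00:03 10.20.5.17 10.20.5.41 445
2026-01-14T08:00:04 10.20.5.17 10.20.5.42 445
2026-01-14T08:00:06 10.20.5.17 10.20.5.43 445
2026-01-14T08:00:07 10.20.5.17 10.20.5.44 445
2026-01-14T08:00:09 10.20.5.17 10.20.5.45 445
2026-01-14T08:00:12 10.20.5.17 10.20.5.46 445
2026-01-14T08:00:20 10.20.5.17 10.50.1.12 445
2026-01-14T08:05:00 10.20.7.3 10.20.7.9 445
2026-01-14T08:15:00 10.20.7.3 10.20.7.10 445
2026-01-14T08:16:00 10.20.7.3 10.50.1.30 443
"""

# Hypothetical segmentation plan: 10.20.0.0/16 is corporate IT, 10.50.0.0/16 is the OT zone
# holding dispatch and signaling systems. SMB from IT into OT is forbidden by policy.
IT_NET = ipaddress.ip_network("10.20.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")
SMB_PORT = 445

FANOUT_THRESHOLD = 5                      # distinct SMB peers from one source ...
FANOUT_WINDOW = timedelta(seconds=60)     # ... within this sliding window


def parse_flows(text):
    """Turn the space-separated records into (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src: peak distinct SMB peers} for sources that reach the threshold in any window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                          # slide the window forward
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


def detect_segment_crossing(flows):
    """Return (src, dst) pairs where an IT-zone host opened SMB into the OT zone."""
    return [
        (src, dst)
        for _, src, dst, dport in flows
        if dport == SMB_PORT
        and ipaddress.ip_address(src) in IT_NET
        and ipaddress.ip_address(dst) in OT_NET
    ]


def run_detections(text=SAMPLE_FLOWS):
    """Run both detections over the sample and return their findings."""
    flows = parse_flows(text)
    return {"fanout": detect_smb_fanout(flows), "crossing": detect_segment_crossing(flows)}


if __name__ == "__main__":
    for name, finding in run_detections().items():
        print(name, finding)
```

Both rules fire on the infected host and stay silent on the normal one. The fan-out rule is a rate-and-breadth check rather than a signature, so it does not depend on knowing the worm in advance; the segment-crossing rule only works if IT and OT are actually separate address ranges with a policy that says SMB never crosses them, which is why segmentation and monitoring are listed together in the guidance.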

 

What are the Top Cyber Threats in the Freight Rail Sector?

  • Ransomware Attacks

    • Danish State Railways (2022) – A ransomware attack blocked a “critical logistics tool” for Denmark’s largest railway. It crippled the country’s railway system for several hours nationwide.[6]
    • Ukraine’s NotPetya Ransomware (2017) – The infamous 2017 NotPetya incident had a significant impact on Ukrainian Railways. Systems were encrypted and operations halted, along with other critical infrastructure.[7]

     

    Impact: Supply chain disruption, freight and passenger operations shut down, regional and potentially global financial losses.

    Methods: Weak endpoint security, phishing, third-party or supply chain, trusted application update from a service provider.

     

  • Web Application Attacks and Credential Theft

    • San Francisco Light Rail (2016) – The San Francisco Municipal Transportation Agency (SFMTA) took its ticketing machines and fare gates offline after suffering a ransomware attack. Passengers were given a “free day,” and systems were restored from backups.[8]
    • Polish Railway (2023) – According to the BBC and the Polish Press Agency, hackers broke into railway frequencies, stopping service in the northwest of the country. About 20 trains were brought to a stop, with services restored within hours.[9]

     

    Impact: Operational shutdown, passenger and cargo delays, loss of revenue.

    Methods: Multi-vector credential harvesting, phishing, web vulnerabilities, and weak access controls.

     

  • Supply Chain Attacks on Rail Vendors

    • Danish State Railways (2022) – The previously cited ransomware attack that took down operations and stopped trains was an attack on a software supplier, Supeo, which provides enterprise asset management to railroads, infrastructure operators, and public transportation agencies. The company shut down its systems in response to the ransomware attack, and as a result the train drivers’ software stopped working.[10]
    • London North Eastern Railway (2025) – Customer personal data was accessed through files managed by a third party. The operator said that operations and ticketing were not affected, and described it as a vendor-side compromise with cascading impact on customers’ privacy.[11]

     

    Impact: Supply chain disruption, freight and passenger operations shut down, loss of revenue, indirect economic losses.

    Methods: Exploited weak vendor security, trust in the software supply chain, and third-party access controls.

     

  • Physical and Cyber Convergence Risks

    • UK Rail Digital Signaling Vulnerability Warnings (2015) – A professor points out that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks. He adds that safeguards are going in, in secret, but that it’s always possible to get around them.[12] This illustrates the continuous cat-and-mouse game played between adversaries and defenders.
    • Iranian Railways (2021) – The cyber infrastructure of Iran’s Railway Company was infiltrated, and internal documents were released, including identity documents, internal reports, and car designs.[13] Earlier in the year, the same company’s railway operations were forced to manual train management.

     

    Impact: Compromised OT systems stopped the network from functioning correctly, and passenger and freight movement were slowed or stopped. Internal documents and customer data were exposed.

    Methods: SCADA and IoT vulnerabilities, rail signal interference, injection, or compromise, phishing, and exploitation of a lack of network segmentation.

     

  • Insider Threats and Privilege Misuse

    • Photographs of Engine Keys Leaked – Locomotive engine keys were leaked in photographs. While this may seem innocuous, it is enough to produce replicas. Leaked access controls put physical and cyber security at risk of failing their mission.[14]
    • Canadian Pacific Rail – A former IT employee, before turning in his equipment when resigning from the company, accessed the core network switches and deleted their configurations. Service was restored by reinstating the previous running configurations.[15]

     

    Impact: Operational outages, asset theft, safety impact, and potential train stoppages.

    Methods: Insider access, exploiting a lack of awareness training and of adherence to off-boarding procedures.

     

  • Information Leakage and Targeted Cargo Theft

    • Modern Cargo Theft Techniques (U.S.) – Organized crime groups use cyber tactics to identify rail shipments, frequently using stolen logistics data to execute coordinated plans to intercept high-value targets.
    • Supply Chain Cybersecurity (2024) – In 2024, over $700 million in cargo theft occurred. Reportedly, many of the cases involved stolen or purchased login credentials to access shipment tracking systems.

     

    Impact: Loss of high-value cargo, disruption to the supply chain, and a public safety risk from the loss of potentially dangerous goods that could be weaponized in the wrong hands.

Figure: Freight Rail Risk

Regulatory and Industry Response

Over the years, the industry has responded by creating and adopting cybersecurity frameworks and regulations that enable and enforce programmatic security measures. These include ISO 27001, the NIST Cybersecurity Framework (CSF), CLC/TS 50701, and IEC 62443, along with the NIST RMF, and guidance such as Cyber Security Risk Management for Connected Railroads, published by the U.S. Department of Transportation Federal Railroad Administration.

    • ISO 27001: An internationally recognized standard providing companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining, and continually improving an information security management system.[16]
    • NIST Cybersecurity Framework (CSF): The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks.[17]
    • CLC/TS 50701: Developed by CENELEC, this technical specification specifically addresses cybersecurity in applications for the rail systems. Through the integration of cybersecurity into the RAMS (Reliability, Availability, Maintainability, and Safety) lifecycle, it ensures that cybersecurity measures are applied at all phases of rail operations.
    • IEC 62443: Aligned with Zero Trust, this framework focuses on segmentation, access control, and risk assessments to secure SCADA, train signaling, and other critical rail infrastructure.

Next Steps

This guidance is meant to let each organization understand its current security posture and the gaps in its environment when measured against an accepted standard, and to provide a programmatic means to resolve them, prioritized by risk. The recent events discussed, the risks realized, and the people affected show that we are all vulnerable, but with a risk-based approach and investment in a cybersecurity strategy that includes integrated cyber risk governance, organizations can protect their infrastructure and their employee and customer information, and provide safe operations for a national network of rail systems.

For a comprehensive risk-based cybersecurity assessment, contact HALOCK Security Labs to evaluate your organization’s current security posture against the top threats facing the freight rail sector.

Review Your Security and Risk Profile

ABOUT HALOCK SECURITY LABS

HALOCK is a risk management and information security consulting firm providing cybersecurity, regulatory, strategic, and litigation services. HALOCK has pioneered an approach to risk analysis that aligns with regulatory standards for “reasonable” and “appropriate” safeguards and risk, using due care and reasonable person principles. As the principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers unique insight to help organizations define their acceptable level of risk and establish reasonable security.

REFERENCES:

[1] Facts & Figures

[2] FREIGHT RAIL FACTS & FIGURES

[3] Cyber Security Risk Management for Connected Railroads

[4] SMB Worm Indexsinas

[5] VERIS

[6] How a supply-chain cyberattack paralyzed the Danish Railway

[7] The Untold Story of NotPetya, the Most Devastating Cyberattack in History

[8] San Francisco’s Muni hack: A case study in prepping for ransomware attacks

[9] Poland investigates cyber-attack on rail network

[10] How a supply-chain cyberattack paralyzed the Danish Railway

[11] LNER warns customers to remain vigilant after personal data exposed in cyber attack

[12] Rail signal upgrade ‘could be hacked to cause crashes’

[13] Cyber Attack On Iran’s Railway Network

[14] Oz railway lets newspaper photograph train keys

[15] Former IT Employee of Transcontinental Railroad Sentenced to Prison for Damaging Ex-Employer’s Computer Network

[16] ISO/IEC 27001:2022

[17] The NIST Cybersecurity Framework (CSF) 2.0

[18] NIST Special Publication 800-207

[19] TSA issues new cybersecurity requirements for passenger and freight railroad carriers

[20] StopRansomware Guide