Rail operators manage safety-critical control systems — interlocking, ETCS, CBTC, and traffic management — alongside commercial passenger and freight IT systems, in an environment where a cybersecurity failure can directly impact physical safety and where the legacy OT assets in service have operational lifetimes measured in decades rather than years. The EU NIS2 Directive has explicitly categorised rail as critical infrastructure subject to enhanced cybersecurity obligations, and the UK NCSC and US CISA have both published rail sector-specific cybersecurity guidance referencing Zero Trust network segmentation.
Related: Zero Trust for OT · IEC-62443 · NIS2 · TMS · Ports