Key Takeaways
- Transit systems mix safety-critical signalling (CBTC, interlockings) with operations control, passenger information and fare collection IT.
- Signalling is the highest-consequence domain: a cyber fault here threatens passenger safety, so it must be strongly isolated and governed by rail safety standards.
- A ransomware hit on transit business IT or fare systems can halt service and revenue even without touching signalling, as several transit agencies have experienced.
- IEC 62443 zoning separates signalling, SCADA (power, ventilation, fire), operations control and corporate IT into defensible zones.
- Priorities: isolate signalling, segment station and depot SCADA, secure remote and supplier access, and build OT monitoring plus an incident plan that keeps trains running safely.
Why Transit Networks Are a Growing Target
Metro and bus systems move millions of people daily and are deeply embedded in a city's economy. Disruption is highly visible and quickly becomes a public-order and economic issue, which makes transit operators attractive targets for ransomware crews and disruptive actors alike. Across India, Singapore, the UAE and Malaysia, rapid metro expansion has increased both the value and the digital footprint of these networks.
Transit is unusual because it combines genuinely safety-critical control with consumer-facing technology. A signalling system that prevents two trains occupying the same track is life-safety equipment. A fare gate, a passenger app or a ticket-vending machine is consumer IT. Both run on the same agency's infrastructure, and weak separation between them is a common and dangerous finding.
Several transit agencies have suffered ransomware that disabled ticketing, scheduling and back-office systems, forcing free travel, manual operation or service reductions. Even where signalling was never touched, the operational and financial impact was severe, illustrating that protecting transit means protecting both the safety-critical and the business-critical estate.
Signalling, SCADA and Operations Control
Signalling is the safety core. Modern metros use Communications-Based Train Control (CBTC), where trains and trackside equipment continuously exchange position and movement authority over a network. Interlockings ensure routes are only set when it is safe. These systems are developed and certified to stringent rail safety standards, and any security control must respect that safety case.
SCADA systems run the supporting infrastructure: traction power, tunnel ventilation, fire and life-safety, lighting, escalators and drainage. These are conventional OT systems with PLCs and HMIs, and while not part of the signalling safety case, they are essential to safe operation and passenger welfare.
Operations control centres supervise the whole network, integrating signalling status, SCADA, CCTV, public-address and passenger information. Fare collection, vehicle telematics for buses, and depot management round out the estate. Each domain has a different consequence profile and therefore deserves a different target Security Level.
Need an OT and ICS Security Assessment?
Codesecure delivers IEC 62443 and NIST SP 800-82 aligned OT assessments: Purdue model segmentation review, SCADA and PLC testing, secure remote access design and OT monitoring. Named consultants, fixed-price proposals, board-ready evidence.
Book an OT Assessment →Isolating Safety-Critical Signalling
The single most important principle in transit cyber security is the isolation of safety-critical signalling from everything else. CBTC and interlocking networks should be strongly segmented from operations IT, corporate networks and the internet, with any necessary data exchange brokered through tightly controlled gateways rather than direct connectivity.
Because signalling is safety-certified, security changes cannot be made casually; they interact with the safety case and must follow the rail assurance process. This makes designing security in from the start, and working with signalling suppliers who build to recognised security standards, far more effective than bolting controls on afterwards.
Supplier and maintenance access to signalling is a critical control point. Vendors need access to update and diagnose CBTC and interlocking equipment, and this access must be brokered, authenticated with multi-factor methods, time-boxed and recorded, with no standing remote connection into the safety-critical network.
IEC 62443 Zoning for a Transit Network
IEC 62443 maps well onto transit. A typical zoning separates a corporate enterprise zone, an IDMZ, an operations control zone, a SCADA zone for power and station systems, and a strongly isolated signalling zone, with fare collection and passenger systems in their own zones because they are internet-facing and handle payment data.
Conduits between these zones must be explicit and minimal. The operations control centre legitimately needs to see signalling and SCADA status, but that visibility should flow through controlled, monitored, ideally one-way feeds rather than full network connectivity. The fare and passenger zones, which face the public internet, should never have a path into signalling or SCADA control.
Applying target Security Levels makes the priorities clear: the signalling zone warrants the highest level, station SCADA a high level, and public-facing systems a level appropriate to internet-exposed payment infrastructure. NIST SP 800-82 supplies the supporting OT control catalogue, and payment systems additionally fall under card-industry security requirements.
Remote Access, Fare Systems and OT Monitoring
Fare collection deserves particular attention because it bridges OT and IT: gates and ticket machines are field devices, but they connect to back-office payment and account systems exposed to the internet. A compromise here can stop revenue, leak passenger data, or provide a foothold toward operational systems if segmentation is weak. Fare systems should be treated as both critical OT and as payment infrastructure subject to card-security obligations.
Remote and supplier access across signalling, SCADA and fare systems must run through hardened brokers with multi-factor authentication, recording and least privilege. Bus fleets add mobile telematics and onboard systems that connect over cellular networks, extending the attack surface to vehicles and requiring secure device management.
OT monitoring should cover the operations control environment, station SCADA and the boundaries around the signalling zone. Detecting new devices, unexpected cross-zone traffic, or engineering connections to safety-critical networks gives operators early warning. As elsewhere, alerts must reach both the SOC and the control centre so cyber and operational pictures are reconciled in real time.
Worried About a Cyber-Physical Incident?
Whether you operate a plant, a grid, a pipeline or a transit network, our OT incident response leads can scope a tabletop, an architecture review or a continuous monitoring rollout in a 30-minute call.
Talk to an OT Lead →Incident Response That Keeps Service Safe
A transit incident response plan must prioritise passenger safety and the ability to keep moving people, even degraded. It defines how to operate trains under manual or restricted signalling working if systems are isolated, how to keep stations safe when SCADA is affected, and how to maintain passenger communication when information systems are down.
The ransomware experiences of transit agencies show the plan must cover business and fare systems too: how to keep gates open and accept passengers when ticketing is unavailable, how to protect and restore back-office systems, and how to manage the revenue and public-communication impact. Pre-agreed degraded-mode procedures turn a crisis into a managed inconvenience.
Tested, offline backups of signalling configuration, SCADA logic, operations systems and fare back-office data underpin recovery. Exercises that bring together signalling engineers, SCADA operators, the SOC and corporate IT against realistic scenarios are the best way to confirm the whole organisation can respond coherently rather than in silos.
Procurement and supplier management are where much of this is won or lost. Metro and bus systems are delivered by integrators and specialist suppliers, and the security characteristics of signalling, SCADA, fare and telematics products are largely fixed at the point they are designed and bought. Embedding security requirements into tenders, requiring suppliers to follow recognised secure-development practices, demanding signed firmware and a defined patching commitment, and assessing the supplier's own security posture all shift risk upstream to where it can be addressed most cheaply, long before a system is carrying passengers.
Frequently Asked Questions
What is CBTC and why is its security so important?
Communications-Based Train Control is a signalling system where trains and trackside equipment continuously exchange position and movement authority over a network, allowing trains to run safely and closely spaced. Because it is life-safety equipment that prevents collisions, a cyber fault could threaten passenger safety, so CBTC must be strongly isolated and any security control must respect the rail safety case.
Can a ransomware attack stop a metro or bus service?
Yes, even without touching signalling. Several transit agencies have suffered ransomware that disabled ticketing, scheduling and back-office systems, forcing free travel, manual operation or service cuts. This is why transit security must protect both the safety-critical signalling estate and the business and fare systems that keep services running and revenue flowing.
How is signalling separated from passenger and payment systems?
Through strong network segmentation aligned to IEC 62443 zones. Signalling sits in a strongly isolated zone with the highest target Security Level, while operations control, station SCADA, fare collection and passenger systems occupy their own zones. Any data the control centre needs from signalling flows through controlled, monitored, ideally one-way feeds, and public-facing systems never have a path into signalling.
Are transit fare collection systems an OT or IT security problem?
Both. Gates and ticket machines are field devices like OT, but they connect to back-office payment and account systems exposed to the internet and subject to card-industry security requirements. A compromise can halt revenue, leak passenger data or, with weak segmentation, provide a foothold toward operational systems, so fare systems need both OT and payment-security controls.
How is supplier access to signalling equipment secured?
Vendors need access to update and diagnose CBTC and interlocking equipment, but it must be brokered through a hardened jump host with multi-factor authentication, time-boxed and recorded sessions, and least privilege. There should be no standing remote connection into the safety-critical signalling network, and any change must follow the rail safety assurance process.
How does Codesecure approach a metro or bus cybersecurity assessment?
We assess the full estate: signalling boundaries, station and depot SCADA, operations control, fare collection and bus telematics. Using IEC 62443 and NIST SP 800-82 as references, we review zoning and isolation, supplier and remote access, and OT monitoring, coordinating with signalling safety processes and scoping active testing to avoid any impact on live service.
Keep Your Transit Network Safe and Running
Codesecure assesses metro and bus systems end to end: signalling isolation, station SCADA, operations control, fare collection and OT monitoring, aligned to IEC 62443 and rail safety practice. Named consultants, fixed-price proposals, evidence your safety and security authorities can rely on.
