Beyond the Display | Securing the UK Rail Network’s Digital Front Line
Cyber Assessments | Protecting passenger trust and rail operations in an era of digital transformation and rising cyber threats.
Customer Information Systems (CIS) are at the heart of the UK rail sector’s digital transformation. While traditional LED displays and mainboards, along with Windows-based public address systems, remain common, the industry is rapidly adopting cloud-connected, automated platforms that enhance real-time communication and operational efficiency. This shift brings significant opportunities for improvement but also introduces new cyber security risks.
The Digital Shift: Opportunity and Exposure
Modern CIS platforms are essential for delivering accurate, real-time information on arrivals, departures, platform changes, and service disruptions. These systems now integrate data from scheduling and operational sources, providing passengers with up-to-date information throughout their journey. However, as CIS becomes more interconnected and remotely managed, the attack surface for cyber threats expands.
Key points:
- Increased sophistication: Modern CIS leverages advanced data integration, automation, and remote management.
- Expanded attack surface: More connected devices and remote access points increase vulnerability to cyber threats.
- Legacy technology: Many stations still rely on older systems lacking contemporary security features, necessitating a coordinated approach to cyber security.
Lessons from Recent Incidents
Recent cyber incidents have highlighted the persistent and evolving nature of threats to CIS:
- Transport for London (2024): A cyber attack exposed customer data and disrupted digital services, forcing an extensive IT reset.
- UK Rail Station Wi-Fi: Attackers exploited admin credentials to hijack public Wi-Fi at major stations, displaying offensive content and causing service disruption.
- Polish Railways: Hackers triggered emergency stops on trains, demonstrating the operational impact of cyber threats on both legacy and modern rail systems.
These incidents underscore that attackers target vulnerabilities in both established and emerging technologies, exploiting supply chain weaknesses and human factors.
Progress and Persistent Challenges
Advances
- Physical security: Fewer public-facing screens with exposed ports or insecure housings, thanks to tamper-resistant designs and dedicated enclosures.
- Supplier accreditation: Operators increasingly require certifications such as Cyber Essentials, ISO/IEC 27001, and RISQS, ensuring a baseline of cyber hygiene.
- Technical assurance: Penetration testing, independent cyber security assessments, and continuous monitoring are becoming standard for both new and legacy systems.
Ongoing Challenges
- Legacy systems: Many traditional LED displays and mainboards, as well as Windows-based public address systems, remain in service. While reliable, they can provide easy entry points for attackers if not properly managed, upgraded, or isolated.
- Supply chain complexity: Multiple vendors can complicate oversight, and a single weak link may compromise the entire network. Rigorous supplier management and regular audits are essential.
- Ongoing maintenance: Older systems require diligent patching and robust technical controls to remain secure as threats evolve.
Broader Insights: The Legacy Debt Challenge
The issues facing the UK rail sector echo a much wider challenge across the public sector, as highlighted by the recent State of Digital Government Review Report. This landmark study reveals:
- Rising Legacy Debt: 28% of central government IT systems are now classified as legacy technology—up from 26% in 2023. In sectors like the NHS and police, the proportion ranges from 10% to 70%, underscoring the scale of the challenge.
- Quantification Gaps: 15% of surveyed organisations can’t even quantify their legacy estate, making risk management and investment planning especially difficult.
- Financial Impact: With one in four government systems outdated, lost productivity savings are estimated at £45 billion.
- Security Exposure: 40% of cyber incidents in the public sector exploit vulnerabilities in aging systems, highlighting the direct link between legacy technology and increased risk.
- Resource Strain: The cost of maintaining outdated systems is spiralling. For example, HMRC’s recent technology contracts included £591 million in non-competitive agreements, and consultant fees across government hit £14.5 billion annually—funds that could otherwise fuel modernization.
The inability of legacy systems to integrate with modern technology is a major roadblock to innovation, especially in critical areas like artificial intelligence. This is particularly concerning given the government’s ambitions outlined in the AI Opportunities Action Plan.
Rail’s Move to State Ownership: Implications for the Treasury
While the State of Digital Government Review limits its sector-specific findings, the move to state ownership in rail will bring these legacy challenges into sharper focus for the Treasury. As rail operators transition into public hands, the Treasury will inherit not only the operational responsibility but also the significant financial burden of maintaining and upgrading life-expired digital assets. This includes:
- Direct exposure to legacy debt: The costs of replacing or supporting outdated mainboards, displays, and PA systems will fall squarely on public finances.
- Heightened cyber and operational risk: Without urgent investment, the risk of disruption, data breaches, and service failures will grow.
- Pressure to modernize: The need for digital transformation will be more urgent and visible, with the Treasury accountable for progress and outcomes.
- Resource and skills gap: Addressing legacy debt will require both capital investment and specialist digital skills within the public sector workforce.
What Can Be Done?
To address these intertwined challenges in both rail and the broader public sector, a multi-pronged approach is essential:
- Accelerate Modernisation: Prioritise investment in replacing or upgrading life-expired systems, focusing on those with the highest operational and security risks.
- Mandate Asset Registers: Require all departments and operators to maintain up-to-date, detailed registers of legacy systems to enable targeted risk management.
- Enhance Security by Design: Embed robust security controls, end-to-end encryption, and strong authentication in all new projects and upgrades.
- Continuous Monitoring and Testing: Implement real-time monitoring, regular penetration testing, and independent cyber security assessments for both new and legacy systems.
- Improve Supply Chain Oversight: Strengthen supplier accreditation requirements and conduct regular audits to ensure all partners meet rigorous security standards.
- Reduce Reliance on Expensive Support: Phase out systems that require costly, non-competitive support contracts and reinvest savings into transformation.
- Foster Digital Skills and Awareness: Invest in training and awareness programs for staff to build a culture of cyber vigilance and digital capability.
- Promote Interoperability: Ensure new systems are designed for compatibility and integration, supporting future innovation in areas like AI.
By tackling legacy debt head-on and embedding resilience at every level, the rail sector—and the wider public sector—can unlock the full potential of digital transformation while safeguarding operational integrity, public trust, and national security. As rail moves into state ownership, the Treasury will be directly responsible for addressing these legacy challenges, making decisive action both a financial necessity and a public service imperative.