Modern rolling stock is more connected than ever. That connectivity brings clear operational value, supporting critical operational functions, onboard services and passenger-facing systems. But it also raises an important question: if something goes wrong in one part of the onboard network, how far can it travel before a defined boundary contains it?
For many fleets, the honest answer is: further than it should.
This is not only about malicious access. Faults, configuration errors and unintended interactions can be just as disruptive. In rail, where digital systems sit alongside safety-critical and operationally important functions, boundaries matter for resilience and for the safety case that depends on them.
The open door problem
A modern train is a network of onboard systems supporting critical operational functions, maintenance access, passenger information, Wi-Fi and other onboard services. In some fleets, the boundaries between those systems are clear and well controlled. In others, they are weaker than they should be, or have become blurred over time.
That is not always the result of one poor design decision. In legacy fleets, it often reflects years of upgrades, retrofits, supplier changes, added services and practical engineering decisions made under operational pressure.
Third-party maintenance laptops plug into onboard networks. Remote monitoring and diagnostic links get added. New passenger services are layered on. Each change may be reasonable on its own terms, but the cumulative effect can be an onboard network that behaves more like an open door than a set of controlled boundaries.
The result is that systems with no operational reason to communicate often can, and do. A network intended to support operations and maintenance can also make it easier for problems to spread.
Before those weak boundaries can be properly addressed, teams need a clear picture of what is actually connected: which systems need to communicate, where the important interfaces sit, and which routes should not exist at all. In new train designs, that work should happen early. In legacy fleets, a structured network discovery exercise is usually the right first step. Without that picture, segregation work rests on assumptions rather than evidence.
Why weak boundaries create real risk
When boundaries are weak, a problem in one onboard system can spread to affect others. That might be a fault, a configuration error, an engineer connecting through a route that is broader than intended, or an unauthorised attempt to gain access.
The consequences are the ones fleet managers recognise. A passenger-facing system reaches into a maintenance channel. A CCTV fault disrupts traffic on a shared link. A supplier laptop used for a routine update has visibility of far more than intended. In a more serious scenario, a single weakly protected route could give an attacker visibility of multiple parts of the train network.
This is one reason segregation is such an important part of a cybersecurity approach for rolling stock. The aim is not to stop systems communicating. It is to make sure communication happens on defined terms, through controlled interfaces, and only where there is a genuine operational need.
What good segregation looks like
Good segregation starts by defining which systems need to communicate, under what conditions, through which controlled interfaces and protocols.
Critical and non-critical systems are placed into defined zones or domains. Users and systems only have access to what they need. Everything else is blocked by default, and maintenance access follows controlled routes rather than inheriting broad trust across the network.
The result is a clearer operating model. Problems are more likely to stay contained. Fault finding is more focused, and assurance is easier because teams can show what is permitted, blocked and recorded. By separating safety-related traffic from everything else, segregation can also simplify the safety case rather than complicating it.
The point is not to stop legitimate onboard communication, but to make crossings between important parts of the network limited, controlled and verifiable.
This also aligns with rail assurance expectations, including IEC 62443 and TS 50701, which emphasise clear system boundaries, defined interfaces and measurable controls.
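The default-deny model above can be checked against what a discovery exercise actually finds. The following Python sketch is an added example, not RazorSecure code or Security Gateway configuration: it audits observed flows against a list of permitted zone crossings and compares how far a problem starting in the passenger zone could spread on the observed network versus under the policy. Zone names, subnets, ports and flow records are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network
# Constructed zone plan: zone names and subnets are assumptions for illustration.
ZONES = {
    "operational": ip_network("10.10.0.0/24"),
    "maintenance": ip_network("10.20.0.0/24"),
    "cctv": ip_network("10.30.0.0/24"),
    "passenger": ip_network("10.40.0.0/24"),
}
# Permitted crossings (src zone, dst zone, protocol, port); all else is blocked.
CONDUITS = {
    ("maintenance", "operational", "tcp", 443),
    ("cctv", "maintenance", "udp", 514),
}
# Constructed flow records standing in for the output of a discovery exercise.
OBSERVED = [
    ("10.20.0.5", "10.10.0.9", "tcp", 443),      # covered by a conduit
    ("10.40.0.77", "10.20.0.5", "tcp", 22),      # passenger -> maintenance
    ("10.30.0.4", "10.20.0.8", "udp", 514),      # covered by a conduit
    ("10.30.0.4", "10.10.0.9", "tcp", 502),      # cctv -> operational
    ("10.40.0.12", "10.40.0.1", "udp", 53),      # stays inside the passenger zone
    ("192.168.1.50", "10.20.0.5", "tcp", 443),   # source in no defined zone
]

def zone_of(addr):
    """Zone whose subnet contains addr, or 'unassigned' when none does."""
    return next((n for n, net in ZONES.items() if ip_address(addr) in net), "unassigned")

def crossings(flows):
    """Flows as (src zone, dst zone, proto, port), intra-zone traffic dropped."""
    zoned = [(zone_of(s), zone_of(d), proto, port) for s, d, proto, port in flows]
    return [z for z in zoned if z[0] != z[1]]

def audit(flows):
    """Zone crossings that no permitted conduit covers (default deny)."""
    return [c for c in crossings(flows) if c not in CONDUITS]

def reach(start, rules):
    """Zones reachable from start by chaining crossings: an upper bound on spread."""
    edges = {(a, b) for a, b, _, _ in rules}
    seen = {start}
    while True:
        new = {b for a, b in edges if a in seen} - seen
        if not new:
            return seen - {start}
        seen |= new

if __name__ == "__main__":
    print("uncovered crossings:", audit(OBSERVED))
    print("passenger reach:", reach("passenger", crossings(OBSERVED)), "policy:", reach("passenger", CONDUITS))
```

With this sample data the passenger zone can reach the maintenance and operational zones on the observed network and nothing under the policy, which is the gap segregation work has to close.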
Where RazorSecure Security Gateway fits
Security Gateway is an onboard network segregation control, purpose-built for rolling stock. It separates security zones, controls traffic between them, logs and alerts on unauthorised activity, and reduces the attack surface across the train.
It supports both new and existing fleets, with hardware and software designed for secure operation throughout the train’s life.
Intrusion detection can also be added to Security Gateway, bringing segregation and detection together on a single onboard platform and giving a more holistic view of network activity. Together, these capabilities give fleets clearer oversight and stronger control of traffic across the onboard network, and a defensible answer to a simple question.
If a fault, misconfiguration or unauthorised access affected your onboard network, how far could it travel before something stopped it?
If you cannot answer with confidence, Security Gateway can help.
For more on RazorSecure’s segregation solutions, visit our Security Gateway page.