The software-based platform that protects against rail cyber attacks

Posted: 31 May 2023

CEO and Co-Founder of Cervello, Roie Onn, discusses the thinking behind the Cervello software-based platform and how it detects vulnerabilities and suspicious network behaviour, protecting against cyber-attacks, without disruption to rail services.

How does Cervello's platform identify vulnerabilities or suspicious activities within a railway's network?
Let's first understand what a vulnerability or a suspicious activity is in a railway network. A vulnerability is a weakness in an IT or OT system that can be exploited by an attacker to deliver a successful attack. Suspicious activity is unusual network traffic indicating that a cyber-attack is already affecting a network. Rail systems, such as signalling, brakes, customer data and others, have been targeted in the past, causing disruptions in service or putting passengers and cargo at risk.
From its conception, the Cervello platform was designed for rail organisations. The software-based platform passively monitors traffic from rail critical networks covering the entire operational environment, including signalling systems, rolling stock interfaces, telecom sites and operational assets, including various IT interfaces. By leveraging patented technology, the platform detects vulnerabilities and suspicious network behaviour without disruption of rail services. At the same time, it offers end-to-end visibility covering all parts of the network, including legacy assets, shedding light on network activity in all third-party vendor systems. The platform may be deployed on the railway's network or in the cloud and runs on any hardware.

Following the initial monitoring stage, the Cervello platform applies advanced patented security technology to analyse, assess and prioritise cyber risks within the context of actual railway risk. It leverages operational data and security data to assess operational risks. The platform integrates with all SIEM/SOCs, as well as other security and administrative tools, before delivering the information containing the operational impact on the specific rail asset or system to one unified dashboard.

What specific information does the platform provide to railway managers when an alert is triggered?
With every alert, rail teams are notified of the operational implications of potential damage or disruption, as well as the impact in terms of the exact location of the affected train stations, the affected customer or transportation services and the affected maintenance or supply chain logistics, among other consequences.

Can Cervello’s platform identify the location of a vulnerability or suspicious activity within the railway’s network?
Yes, it identifies the type of vulnerability or suspicious activity and gives precise information on which assets, services, stations and systems may be, or already are, affected.

If so, how precise is the location data?
The information is exact, including its geo-location, which is automatically isolated so that it can't affect other segments of the railway. In the time that it takes for railway personnel to mitigate the cyber threat, rail service in other areas continues to operate safely.

What are some of the potential operational implications and impacts of a vulnerability or suspicious activity within a railway’s network?

Probably one of the most dangerous and most vulnerable points of impact on a railway lies in its signalling system, as it directly affects the possibility of collisions and derailments; in short, safety incidents. From service disruptions to loss of life, when vulnerabilities or misconfigurations exist in a network (and they always exist), they provide the opportunities for hackers to get in and move around the network until reaching their target. From amateurs to nation-state level, attackers look for these weak points to enter, and pivot around a network until they arrive at a point where they can cause damage to physical, environmental, financial or business matters.

How does Cervello’s platform classify the severity of a vulnerability or suspicious activity within a railway’s network?

Classification of the severity is a matter of context. As Cervello’s platform is purpose-built for rail, the measurement of risk is in accordance with railway requirements around safety and operational effectiveness, or any other parameters set by the specific railway organisation.

What types of transportation services, maintenance activities, or supply chain logistics may be disrupted by a vulnerability or suspicious activity?

Any aspect may be affected by a cyber-attack, such as malfunctions in signalling, disruptions of service that delay deliveries in supply chains, brake issues requiring immediate repair that delay services, and even malfunctioning air conditioning, which can cause delays and reduced satisfaction with services.

How does Cervello’s platform help railway managers to understand the specific operational results of a vulnerability or suspicious activity if left unattended?

Cervello's platform ranks and scores the risk of each vulnerability or suspicious event within the context of railway operations. It spells out the specific operational issue and where it will occur, e.g. which train stations or lines might be affected, and recommends how to fix the vulnerability or remediate the suspicious event.

Can railway managers take immediate action based on the alerts generated by Cervello’s platform? If so, what kind of action can they take?

Yes, railway managers can and should take immediate action based on the alerts received from the Cervello platform. Alerts are received in real time together with playbook recommendations for mitigation and remediation of the problem, taking advantage of the platform's numerous integrations with other tools within the customer environment.

What role does Cervello’s platform play in ensuring the safety and security of railway assets and customers?

Operational security solutions do exactly what they say: they protect the operations of a network. In the case of rail, operational safety is easily affected by cyber events, for both passengers and freight (in the case of freight there are the additional issues of damage to the environment and to residents in the area of a spill or another type of accident). Cervello's real-time automated monitoring makes it simple for railway teams to discover any cyber issue, to know exactly the level of operational risk, the geo-location context of that risk and all the related operational consequences, and to take immediate action for remediation to limit the potential damage and disruption throughout the entire network.

How does Cervello’s platform help railway managers to prioritise their response to alerts based on severity and operational impact?

The platform spells out the operational risk per event or incident that is detected, helping the user better understand the potential of each of them. By displaying a clear priority queue, based on Cervello's operational impact assessment, railway managers don't need to spend much time making an evaluation before moving into concrete action.

Roie Onn is CEO and Co-founder of Cervello, a trusted rail cyber-security provider dedicated to protecting railway safety worldwide. Roie brings extensive experience in cyber-security, specialising in hacking operations, risk assessments, malware analysis and computer forensics.
