Global Rail & TRAKO 2025: When railway technology goes digital – can cybersecurity keep pace?
The railway industry is accelerating digitalisation: AI, networked systems and smart maintenance are changing operations. But what about cybersecurity, incident response and a culture of evidence? A field report from TRAKO and Global Rail 2025.
Between screws, software and security issues
We spent four intensive days at TRAKO 2025 in Gdańsk – a trade fair that, at first glance, has little to do with cybersecurity. It's all about trains, signal boxes, power supply, doors, brakes, maintenance tools – the real "metal and screws" of railway operations.
And yet, in almost every conversation, the same question arose:
How do we keep operations stable when something goes wrong – in the midst of digitalisation?
Looking secure is not the same as operating securely
From day two onwards, we had a routine: coffee and biscuits at the IHK stand, then a tour of the halls. Many teams presented clean system architectures, firewalls in the right places, segmented networks.
But when we asked:
"How do you actually respond to vulnerabilities in accordance with the CRA?"
– there was silence. Hardly anyone had a clear communication process, let alone a plan for how to roll out a corresponding update securely afterwards. Most simply hoped that "nothing would happen". But in an emergency, a nice diagram is no help; what helps is a clear procedure: Who decides? Who communicates? How is the vulnerability closed (or at least mitigated)?
This very difference between "looking secure" and "operating securely" was a recurring theme throughout the entire trade fair.
From ISO 27001 to IEC 62443: a culture of verification instead of trust
The tone changes when it comes to procurement. Buyers no longer ask for promises, but for reliable evidence:
- documented incident response plans
- hardened builds
- verifiable security tests and audit results
- maintained software bills of materials (SBOMs) throughout the entire lifecycle
In short: no trust without evidence.
ISO 27001 remains the foundation for a solid management system – but IEC 62443 and CLC/TS 50701 translate security into technical implementation rules: segmentation, patch strategies, testing procedures, and incident management. Only the combination of both approaches makes railway technology truly cyber-resilient.
AI in the railway sector: innovation without a safety net
Artificial intelligence (AI) was also a topic of discussion – and here it became clear how quickly the market is advancing. Many manufacturers and operators are integrating AI into predictive maintenance, scheduling or energy optimisation. But the question of what happens when the algorithm is wrong is rarely asked.
We saw impressive demonstrators, but hardly any solid risk analyses, fail-safe concepts, or clear responsibilities in case of malfunctions.
Terms like Explainable AI, AI safety, resistance to manipulation, or certifiability are usually mentioned only in passing – even though they will soon become key requirements under the NIS2 Directive and the EU Cyber Resilience Act.
In short, the railways are rapidly digitising, but they rarely test what happens when the 'intelligent' component fails.
Global Rail 2025: New skyline, same questions
Global Rail in Abu Dhabi brought up the same topics – just with warmer temperatures.
Many great conversations, a strong sense of momentum. But again: more budget, yet still no clear requirements from end customers and no overarching approaches.
This time, Christian took the stage as a speaker – with a presentation that immediately stuck in people’s minds:
"What do Terminator and Tom Cruise have in common?" or "Cybersecurity Challenges in AI-Driven Railway Systems"
Conclusion: Security wins when it fits the operation
Trains are getting smarter, networks denser, and the boundaries between IT, OT, and energy are blurring.
Cybersecurity succeeds when it’s aligned with operational reality – with plans that work at 3:00 a.m., not just diagrams that look good at 3:00 p.m.
Those who invest in rail cybersecurity today are not just protecting technology, but also timetables, reputation, and trust.
Because the digital trackbed of 2025 is no longer made only of gravel and steel – but of solid evidence that the system keeps running when the unexpected happens.




