
A deep dive into the Indian Railways' new Cybersecurity policy for SCADA systems

Prayukth KV
14 August 2025
The Indian Railways, a critical component of the nation's infrastructure, has come out with a robust cybersecurity policy to safeguard its Supervisory Control and Data Acquisition (SCADA) systems. Declared as Critical Information Infrastructure (CII) by the National Security Council Secretariat, these systems are essential for monitoring and controlling railway operations.
The new policy, outlined in a technical instruction issued by the Research Designs and Standards Organization (RDSO) in February 2025, provides a comprehensive framework to ensure the availability, integrity, and confidentiality of these vital assets.
In today’s blog post, we do a deep dive into the recommendations of this policy document.
Name: Cybersecurity policy for Indian Railways SCADA systems
Scope
This policy is applicable to all SCADA systems, their components, and associated network infrastructure under the control of Indian Railways. It covers all phases of the system lifecycle, including design, implementation, operation, and maintenance.
Key pillars of the Indian Railways cybersecurity policy
The policy document, in essence a Technical Instruction from the RDSO, provides a comprehensive set of recommendations for protecting the SCADA systems of the Indian Railways. These are not mere suggestions but mandatory directives for ensuring the integrity and security of the nation's Critical Information Infrastructure (CII). The document sets out both the cybersecurity measures and the standard operating procedures for protecting the SCADA systems operated by the Indian Railways.
Policy and governance
Cyber Security and Resilience Policy: The policy mandates the creation of a formal Cyber Security and Cyber Resilience Policy, which must be aligned with guidelines from the Railway Board, RDSO, and the NCIIPC. This document is not static; it must be reviewed annually by a subject matter expert, with any updates requiring approval from the Railway Board. This ensures the policy remains current and responsive to evolving threats.
Organizational Structure: The policy requires the appointment of a Chief Information Security Officer (CISO), who is responsible for managing cyber risks and ensuring compliance with IT rules. This establishes clear accountability. A dedicated cybersecurity division with skilled personnel and a sufficient budget is also mandated, highlighting the commitment to a robust security posture.
System and network security
Hard Isolation of OT Systems: This is a crucial recommendation. The policy requires a complete "hard isolation" of the Operational Technology (OT) network from any internet-facing Information Technology (IT) systems. This is achieved through network segmentation using firewalls. This physical and logical separation aims to prevent direct access from the public internet, a primary vector for cyberattacks.
Strict Data Transfer Protocols: To prevent the introduction of malware, the policy severely restricts data transfers from IT to OT systems. Any necessary data transfer must be conducted using whitelisted devices and must be scanned for viruses and malware on a standalone system. Detailed digital logs of these activities must be maintained for at least six months for forensic purposes.
Whitelisting: The CISO has been made responsible for creating and maintaining a comprehensive list of whitelisted IP addresses for all firewalls within the CII environment. This "deny-by-default" or least privilege approach ensures that only explicitly permitted traffic can enter or exit the network.
Procurement and supply chain
Trusted Sourcing: To mitigate the risk of supply chain attacks, all Information and Communication Technology (ICT) equipment used in the CII must be procured from a list of "Trusted Sources." This list is maintained by the Railway Board and RDSO, ensuring that only vetted and secure hardware and software are used in critical systems.
Risk management and Incident Response
"Identify, Protect, Detect, Respond, and Recover" Framework: The policy adopts this well-known cybersecurity framework to manage risk holistically:
Identify: All critical SCADA assets have been identified.
Protect: The deployment of necessary controls and tools, as specified by the RDSO, is a mandatory step.
Detect: This involves constant monitoring through regular checks of firewall logs and the use of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) solutions.
Respond: The policy calls for a dedicated incident response team with a documented plan to handle security breaches effectively.
Recover: This final stage includes implementing incident management, disaster recovery, and business continuity frameworks to ensure swift restoration of services after an incident.
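The whitelisting directive (only explicitly permitted IP addresses may cross the firewall into the OT segment) and the Detect step (regular checks of firewall logs) can be combined into a simple log review. The following is an added example, not code from the RDSO instruction or from Shieldworkz; the OT network range, the whitelisted sources and the key=value log format are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical OT segment and the CISO-maintained whitelist of IT-side
# sources allowed through the IT/OT firewall (constructed values).
OT_NET = ipaddress.ip_network("10.20.0.0/16")
WHITELIST = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "10.10.9.17/32")]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOGS = """\
ts=2025-02-10T08:01:02Z action=ALLOW src=10.10.5.14 dst=10.20.1.5 dport=502
ts=2025-02-10T08:01:09Z action=ALLOW src=10.10.9.17 dst=10.20.1.6 dport=20000
ts=2025-02-10T08:02:33Z action=ALLOW src=192.168.77.3 dst=10.20.1.5 dport=502
ts=2025-02-10T08:03:10Z action=DENY src=203.0.113.9 dst=10.20.1.5 dport=502
ts=2025-02-10T08:04:41Z action=ALLOW src=10.10.5.14 dst=10.30.2.2 dport=443
"""

LINE_RE = re.compile(r"ts=(\S+) action=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport = m.groups()
    return {"ts": ts, "action": action, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}


def is_whitelisted(src):
    return any(src in net for net in WHITELIST)


def review(log_text):
    """Check flows into the OT segment against the whitelist.

    Returns (violations, blocked): an ALLOW from a non-whitelisted source is a
    policy violation (the firewall is not deny-by-default); DENY entries are
    counted per source so the team can see attempts the boundary stopped.
    """
    violations, blocked = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["dst"] not in OT_NET:
            continue  # traffic not bound for the OT segment is out of scope
        if rec["action"] == "ALLOW" and not is_whitelisted(rec["src"]):
            violations.append(rec)
        elif rec["action"] == "DENY":
            blocked[str(rec["src"])] += 1
    return violations, blocked
```

In a real deployment the whitelist would be loaded from the CISO's maintained list and the review run against the exported firewall logs on the regular cadence the policy requires.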
Taken together, the policy's recommendations offer a multi-layered, defense-in-depth approach to cybersecurity, recognizing that protecting critical infrastructure requires a combination of strong governance, technical controls, and a proactive response strategy. To strengthen the policy further, Shieldworkz recommends the following additional measures:
IEC 62443/TS 50701 based cyber risk assessments to be done for the OT systems every year with the identified gaps being remedied well before the next assessment cycle
Legacy systems and/or crown jewels should be protected through micro-segmentation
Incident response strategy should be tested using IR drills simulating multiple scenarios
Incident Response teams to be backed by teams with cyber forensic capabilities to investigate every incident and derive learnings
All staff managing SCADA and those connected to SCADA operations should be trained in OT security practices
All SCADA assets to be inventoried on an ongoing basis. Each asset should be fingerprinted and monitored for vulnerabilities, end of life and patch status
Roles and responsibilities for each function to be clearly spelt out from a cybersecurity standpoint
The Intrusion Detection System should have access to OT specific threat intelligence
