Bengaluru Metro Rail Corporation Limited (BMRCL) is poised to establish a dedicated Security Operations Centre (SOC) aimed at addressing cyber threats. This initiative positions BMRCL as potentially the first metro operator in India to implement such a facility. A senior official from BMRCL informed Moneycontrol that the primary objective is to prepare for possible cyberattacks, particularly as advancements in AI and machine learning facilitate automated threats. The SOC will ensure comprehensive oversight of the network by aggregating logs from all devices.
Bengaluru Metro operates 66 stations, each outfitted with approximately 200 cameras, culminating in a total of around 13,200 cameras. Additionally, each of the 57 six-car trains is equipped with four cameras per coach, resulting in 1,368 cameras. The system also includes around 1,200 computers.
Recently, BMRCL has issued a tender for the establishment of an SOC at Byappanahalli, which will oversee the security of its IT and CCTV networks, ensuring continuous monitoring and swift responses to emerging threats. According to a senior BMRCL official, this SOC will play a crucial role in monitoring, preventing, assessing, detecting, and responding to cyber threats aimed at BMRCL’s IT systems and infrastructure. The SOC will oversee the entire IT and CCTV networks, collecting logs to identify and mitigate cyberattacks. In the event of an incident, it will conduct post-incident analyses. A cybersecurity playbook will facilitate traffic management, while threat detection platforms from government agencies will assist in identifying and blacklisting malicious IP addresses. Notably, BMRCL prepared the tender documents internally without the assistance of consultants.
Furthermore, the SOC will monitor the health and operational uptime of the entire CCTV network and the Network Operations Centre (NOC), both of which are essential for effective surveillance and operational reliability. Given the interconnected nature of IT systems, even a single vulnerability can jeopardize the entire network, underscoring the necessity for a robust SOC capable of comprehensive threat detection. In subsequent phases, plans include the integration of operational technology systems, such as monitoring passenger numbers through QR ticketing, as stated by the official.
Cybersecurity threats are increasingly alarming within the global rail transportation industry. In 2022, Polish authorities conducted an investigation into a hacking event that disrupted the nation’s rail network by tampering with railway communication frequencies. Additionally, in 2016, South Korea accused North Korea of attempting to breach its rail systems, highlighting significant cybersecurity weaknesses. Moreover, ransomware attacks have led to significant interruptions in metro services, notably in Germany in January 2022 and in San Francisco in November 2019. The complex nature of rail operations—encompassing track management, ticketing systems, and safety protocols—makes these systems particularly vulnerable to cyber threats.
Officials indicated that proficient cybersecurity experts would utilize advanced monitoring tools to analyze numerous devices and logs, facilitating early detection of incidents and prompt responses.
“Data will be gathered from diverse sources and processed in a centralized manner. Sophisticated detection methods, such as anomaly and behavioral analysis, will be employed to uncover potential threats. Alerts generated will be prioritized according to their severity, allowing security analysts to evaluate and address risks effectively,” the official stated.
The security analysts will examine identified threats by analyzing logs and event data to comprehend the context and potential ramifications of each incident.
“This enables them to prioritize critical threats, determine root causes, and implement essential security measures to prevent future occurrences. The remediation process will involve collaboration between BMRCL’s IT teams and security analysts to neutralize threats, which includes patching vulnerabilities, isolating affected systems, and eliminating malicious software,” the official elaborated.
Continuous monitoring will be essential to the operations of the Security Operations Center (SOC) for identifying both recurring and emerging threats. This constant vigilance, combined with regular updates on threat intelligence, will enable us to adopt a proactive approach to cyber threats. Such a strategy will facilitate the adaptation of our defenses in response to the changing digital environment. The SOC will be located in Byappanahalli, with the chosen firm tasked with supplying, installing, configuring, testing, and commissioning all required hardware and software components.
Compliance will be maintained through regular audits, efficient processes, and adherence to standards during cybersecurity posture assessments. Operating around the clock, the selected firm will implement an on-premises Security Information and Event Management (SIEM) system, along with malware detection, threat intelligence, and automated Security Orchestration, Automation, and Response (SOAR) workflows to bolster security measures.
The solution will incorporate both open-source and commercial Indicators of Compromise (IOC) sources. This integration will facilitate visual alert analysis and support customizable reporting. Additionally, it will feature a Security Data Lake for centralized data and analytics, ensuring real-time visibility and compliance management, as stated by the official.
Bengaluru Metro, which operates a network spanning 73 kilometers, serves approximately 800,000 passengers daily.
