Power and Control: The Role of SCADA in Railway Infrastructure
While signaling controls the trains, SCADA (Supervisory Control and Data Acquisition) controls the infrastructure. It allows operators to remotely monitor and manage traction power, tunnel ventilation, and station facilities from a central location.

⚡ In Brief
- SCADA (Supervisory Control and Data Acquisition) is the industrial control system that monitors and remotely operates the physical infrastructure of a railway — traction power substations, tunnel ventilation, station facilities, and environmental systems — from a central Operations Control Centre (OCC).
- The most safety-critical SCADA function on electrified railways is traction power isolation — the ability to remotely de-energise specific sections of overhead line or third rail within seconds during trackside emergencies, allowing first responders to access the scene without risk of electrocution.
- A modern metro SCADA system may monitor and control over 100,000 individual data points — voltages, currents, temperatures, door states, pump levels, fan speeds, and alarm conditions — across dozens of stations, substations, and tunnel sections, updating in real time with scan rates of 1–5 seconds.
- The architecture uses Remote Terminal Units (RTUs) or Programmable Logic Controllers (PLCs) at each field location, communicating with a central SCADA server via fibre optic networks using industrial protocols such as DNP3, IEC 60870-5, or IEC 61850.
- Railway SCADA systems are prime targets for cyberattack because they control critical infrastructure — disrupting traction power or tunnel ventilation could directly affect passenger safety — and they often run on legacy software platforms with limited security patching, creating a growing cybersecurity challenge for operators.
At 18:47 on a Tuesday evening, a passenger falls onto the track at a busy underground station. The station supervisor presses the passenger alarm. In the Operations Control Centre 15 km away, an alarm activates on the power controller’s screen — the section of third rail protecting that platform bay has automatically isolated in response to the alarm signal, removing 750 V DC from the rails in under 3 seconds. Train service in that section is suspended. Ventilation fans in the tunnel section adjacent to the station continue running normally. Emergency services are being called. The station lighting remains at full intensity. The escalators continue operating to allow passenger evacuation from the platform above.
Every one of those actions (power isolation, ventilation maintenance, lighting, escalators) is managed by the SCADA system. The signalling system stops the trains. The SCADA system manages the environment in which the incident is occurring. The two systems are separate, parallel, and complementary: one keeps trains from colliding; the other keeps the physical infrastructure functioning safely.
What Is SCADA?
SCADA stands for Supervisory Control and Data Acquisition. It is a category of industrial control system architecture used across many critical infrastructure sectors — power grids, water treatment, oil pipelines, and railways — to monitor and control geographically distributed physical systems from a central location.
In railway applications, SCADA provides the Operations Control Centre with real-time visibility of and control over the railway’s physical infrastructure assets — everything that powers the trains, maintains safe tunnel environments, and operates station facilities. It is not involved in train movements or safety signalling; those are handled by the signalling system and the interlocking. SCADA manages what surrounds those systems.
SCADA Architecture: From Field Device to OCC Screen
| Layer | Component | Function | Typical Location |
|---|---|---|---|
| Field layer | Sensors, actuators, meters, alarms | Measure physical quantities (voltage, temperature, flow); receive control signals (open/close, on/off) | Substations, tunnel sections, station plant rooms |
| Control layer | RTU (Remote Terminal Unit) or PLC (Programmable Logic Controller) | Aggregates sensor data; executes local control logic; communicates with SCADA server; buffers data during comms loss | Each substation, each major station, tunnel portals |
| Communication layer | Fibre optic network; industrial protocols (DNP3, IEC 60870-5, IEC 61850) | Carries data between RTUs/PLCs and central SCADA server; provides redundant paths | Along railway corridor; ring or star topology for redundancy |
| Server layer | SCADA server (hot standby redundancy) | Receives all data; manages alarm states; processes control commands; logs historian data; runs automatic control sequences | OCC; possibly secondary backup OCC |
| Presentation layer | HMI (Human-Machine Interface) workstations; large-format display screens | Displays network status; accepts operator commands; shows alarms and trends | Operations Control Centre |
Railway SCADA Applications
1. Traction Power Management
Traction power SCADA is the most operationally and safety-critical SCADA application on electrified railways. The traction power SCADA system monitors and controls the entire electrical supply chain from the grid connection point to the contact wire or third rail:
- Traction substations: Each traction substation converts grid AC power (typically 132 kV or 33 kV) to the traction supply voltage (DC 750 V, 1,500 V, or 3,000 V; or AC 25 kV). SCADA monitors transformer temperatures, rectifier current outputs, bus-bar voltages, and circuit breaker states at every substation. Operators can remotely open or close circuit breakers to de-energise individual feeding sections.
- Section isolation: The contact wire or third rail is divided into electrical sections, each fed by its own circuit breaker at the substation. SCADA allows operators to de-energise specific sections without affecting adjacent sections — enabling safe access to a section where a train has broken down or an emergency has occurred, while maintaining power to adjacent sections so other trains can continue operating.
- Load monitoring: SCADA tracks the real-time load on each substation and feeding section. If a section is overloaded (for example, if multiple high-power trains are accelerating simultaneously in a long section), SCADA alerts the power controller and may automatically redistribute load or shed non-critical loads.
- Regenerative braking integration: On DC systems with reversible substations, SCADA manages the flow of regenerated braking energy — determining whether to store it in trackside batteries, export to the grid, or redistribute to adjacent accelerating trains.
2. Tunnel Ventilation and Fire Life Safety
Tunnel ventilation is critical for both routine operation (managing heat from trains and passengers in a sealed environment) and emergency response (controlling smoke in the event of a fire). SCADA controls the ventilation system — arrays of jet fans, axial fans, and dampers distributed along the tunnel — in real time:
- Normal operation: Ventilation fans run at programmed speeds to maintain acceptable temperature and air quality in the tunnel. SCADA monitors temperature sensors distributed along the tunnel and automatically adjusts fan speeds in response to high temperatures from heavy train traffic.
- Emergency ventilation: If a fire alarm is triggered in a tunnel section, the ventilation SCADA immediately switches to emergency mode — activating a specific longitudinal airflow pattern designed to push smoke in one direction (toward the portal away from passengers), allowing passengers to evacuate in the clear-air direction. This response is automatic and occurs within seconds of alarm activation.
- Smoke extraction: In station areas, local smoke extraction systems are activated by SCADA on fire alarm to evacuate smoke from platform areas through ceiling extraction ducts.
3. Station Building Management System (BMS)
Station SCADA manages the building services equipment that makes stations operational and safe for passengers:
- Lifts and escalators: status monitoring, fault reporting, remote stop/start
- Lighting: normal levels, emergency lighting activation, energy management dimming during off-peak periods
- Drainage and sump pumps: monitoring flood risk in below-grade stations; automatic pump activation
- Platform screen doors (PSDs): status monitoring (open/closed/fault); alignment with train door control systems
- Ticket gate and access control: gate status; remote open commands for crowd management or emergency evacuation
- CCTV integration: camera health status; recording system monitoring
4. Drainage and Flood Management
Underground railway stations and tunnels are vulnerable to flooding, particularly in urban areas with combined sewer systems. SCADA monitors water levels in drainage sumps throughout the underground network and automatically activates pumps when levels rise above threshold. Operators can monitor rainfall data alongside sump level trends to anticipate flood risk and pre-position pumping resources. Automatic isolation of tunnel sections where flooding has reached hazardous levels is possible via the traction power SCADA integration.
SCADA vs Signalling: The Distinction
| Parameter | Signalling System | SCADA System |
|---|---|---|
| Primary focus | Train movements and collision prevention | Infrastructure systems and environment |
| What it controls | Points, signals, train authorities | Traction power, ventilation, lifts, pumps |
| Safety certification | SIL 4 (highest level — fail-safe) | SIL 2–3 for safety-critical functions (e.g., fire ventilation); lower for facility management |
| Failure consequence | Potential train collision if fail-safe is compromised | Service disruption; environmental hazard if ventilation or power fails unsafely |
| Operator | Train controller / signaller | Power controller / facilities engineer |
| Integration with trains | Direct — communicates with onboard systems | Indirect — traction power supply affects train operation |
Cybersecurity: The Growing Threat to Railway SCADA
Railway SCADA systems have become significant targets for cyberattack. The consequences of a successful attack on traction power SCADA — cutting power to a section of mainline during the morning peak, or preventing emergency isolation during a trackside incident — are potentially severe in both operational and safety terms. Several factors make railway SCADA particularly vulnerable:
Legacy systems: Many operational railway SCADA systems were installed in the 1990s or 2000s on proprietary industrial computing platforms that have not been updated to modern cybersecurity standards. Systems running Windows XP or Windows 7 — no longer receiving security patches — are common in railway infrastructure. Replacement requires engineering planning, installation windows, and full requalification — not a rapid process.
Network connectivity growth: Railway SCADA systems that were originally air-gapped (physically isolated from external networks) have progressively gained internet connectivity for remote monitoring, maintenance, and data integration purposes. Each connectivity extension creates a potential attack vector.
IT/OT convergence: The integration of operational technology (OT — the SCADA systems) with information technology (IT — the corporate and enterprise network) creates pathways from the internet into industrial control systems. Malware that enters via an IT network can potentially reach OT systems if network segmentation is inadequate.
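One way to check the segmentation concern described above, as an added example that is not from the original article: a Python audit of flow records against a zone plan, flagging flows that reach the control protocols named earlier (DNP3, IEC 60870-5-104, IEC 61850 MMS) from outside the OT zones, and OT hosts that talk directly to external addresses. The zone names, address ranges, approved conduits and flow records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed zone plan; all addresses are constructed for this example.
ZONES = {
    "ot_control": ipaddress.ip_network("10.50.0.0/16"),  # SCADA servers, HMIs
    "ot_field": ipaddress.ip_network("10.60.0.0/16"),    # RTUs/PLCs
    "dmz": ipaddress.ip_network("10.40.0.0/24"),         # jump host, historian mirror
    "corporate": ipaddress.ip_network("10.10.0.0/16"),   # enterprise IT
}
# Registered default TCP ports of the protocols named in the article.
OT_PORTS = {20000: "DNP3", 2404: "IEC 60870-5-104", 102: "IEC 61850 MMS"}
# Assumed approved conduits: (source zone, destination zone) -> allowed ports.
ALLOWED = {
    ("ot_control", "ot_field"): set(OT_PORTS),
    ("ot_control", "dmz"): {443},
    ("corporate", "dmz"): {443},
}

def zone_of(addr):
    """Map an IP address to its zone; anything unlisted is 'external'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")

def audit(flows):
    """Return (severity, src, dst, port, reason) for unapproved flows touching OT."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or port in ALLOWED.get((sz, dz), set()):
            continue  # intra-zone traffic or an approved conduit
        if not (sz.startswith("ot_") or dz.startswith("ot_")):
            continue  # IT-only traffic is outside this check
        if dz.startswith("ot_") and port in OT_PORTS:
            sev, why = "critical", f"{OT_PORTS[port]} reachable from {sz}"
        elif "external" in (sz, dz):
            sev, why = "high", "OT host talks directly to an external address"
        else:
            sev, why = "medium", f"unapproved {sz} -> {dz} flow"
        findings.append((sev, src, dst, port, why))
    return findings

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.50.1.10", "10.60.3.21", 20000),   # SCADA server polling an RTU
    ("10.10.7.44", "10.60.3.21", 2404),    # corporate PC reaching an RTU
    ("10.50.1.30", "203.0.113.9", 443),    # HMI connecting out to the internet
    ("10.10.7.44", "10.40.0.5", 443),      # corporate to DMZ, approved
    ("10.40.0.5", "10.50.1.10", 3389),     # DMZ jump host into control zone
    ("198.51.100.20", "10.60.8.2", 102),   # external address reaching a PLC
    ("10.60.3.21", "10.60.3.22", 102),     # intra-zone, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding, sep=" | ")
```

In practice the flow tuples would come from firewall or NetFlow exports at the IT/OT boundary, and the approved-conduit table would mirror the operator's own firewall policy.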
Notable SCADA-related cyberattacks on critical infrastructure — including the 2021 attack on a Florida water treatment plant and the 2022 attacks on Ukrainian power infrastructure — have highlighted the vulnerability of industrial control systems. No major railway traction power SCADA cyberattack resulting in service disruption or safety incident has been publicly confirmed as of early 2026, but security researchers have documented significant vulnerabilities in several commercially deployed railway SCADA platforms.
The Integrated Control Centre: SCADA and Signalling Side by Side
Modern railway operations increasingly integrate signalling and SCADA control into a single Integrated Control Centre (ICC), where train controllers and power/facilities controllers work in the same room, able to communicate directly and share situational awareness. This integration is operationally valuable when incidents occur that involve both domains simultaneously — a train fire in a tunnel simultaneously requires train control actions (stopping adjacent trains, clearing the section) and SCADA actions (activating emergency ventilation, preparing for traction power isolation). Separate control rooms require telephone communication between controllers; an integrated ICC allows face-to-face coordination.
The physical integration of control positions does not mean the systems are technically integrated — signalling (SIL 4) and SCADA (lower SIL) must remain architecturally separated, with no mechanism by which a SCADA failure can affect signalling system safety. The integration is operational, not technical.
Editor’s Analysis
Railway SCADA occupies a curious position in the safety hierarchy: it controls systems — traction power, tunnel ventilation — that are directly relevant to passenger safety, but it is certified to lower safety integrity levels than the signalling systems that manage train movements. The argument for this is that SCADA failures typically produce recoverable operational degradation (trains stop, ventilation defaults to a safe pattern, power can be locally isolated) rather than the irreversible kinetic consequences of a signalling failure. But this argument is less compelling than it once was, for two reasons. First, the cybersecurity threat has changed the failure mode landscape: a targeted cyberattack on traction power SCADA is not a random hardware failure that fails to a safe state — it is an adversarial action designed to produce unsafe states, potentially on multiple systems simultaneously. The fail-safe engineering assumptions embedded in SCADA system design are calibrated for equipment failures, not deliberate sabotage. Second, the integration of SCADA data into operational decision-making — energy management, predictive maintenance, regenerative power optimisation — means that SCADA failures now have operational consequences that propagate across the network in ways that simple fail-safe equipment design cannot contain. The railway industry’s cybersecurity investment in SCADA is growing, but the baseline it is starting from reflects decades of engineering culture where physical isolation was the primary security mechanism and digital threat was not part of the design envelope. Closing that gap is one of the most important infrastructure security challenges of the next decade. — Railway News Editorial
Frequently Asked Questions
- Q: How quickly can SCADA de-energise a section of electrified railway?
- Traction power isolation via SCADA can be accomplished in 2–5 seconds from the operator’s command to the circuit breaker opening at the substation, depending on communication latency and the substation’s circuit breaker operating time. On metro systems where passenger alarms are directly interfaced to the SCADA power isolation system, automatic isolation can occur in 1–3 seconds without any operator intervention — the alarm activation immediately triggers isolation of the relevant section. On mainline railways, power isolation typically requires an operator command, but the response time from command to isolation is typically under 5 seconds. The critical path is often not the SCADA communication speed but the time for the operator to identify the relevant section on the HMI and issue the correct isolation command — training and interface design that minimises this response time is an important safety engineering priority.
- Q: What is the difference between an RTU and a PLC in SCADA?
- Both RTUs (Remote Terminal Units) and PLCs (Programmable Logic Controllers) are field devices that collect data from sensors and execute control actions, but they differ in origin and primary strengths. RTUs were developed specifically for SCADA applications — they are designed for rugged environmental conditions, long communication distances, and reliable operation with minimal maintenance in remote locations. They typically have robust communication protocols optimised for slow or unreliable communication links. PLCs were developed for factory automation and are designed for high-speed, complex local control logic. They are increasingly used in railway SCADA where the local control logic is complex (e.g., coordinating multiple ventilation fans with complex interdependencies). In modern railway SCADA deployments, the distinction has blurred — many devices marketed as RTUs incorporate PLC-like programmability, and many PLCs have SCADA communication capabilities built in.
- Q: Can a SCADA failure stop trains from running?
- A SCADA failure does not directly affect signalling or train control — trains can continue to run on the basis of the signalling system alone. However, a SCADA failure that causes a traction power outage (through an incorrect isolation command, a failure to clear a fault condition, or a loss of control of substation switching) would stop electric trains in the affected section, as they cannot run without power. A SCADA failure affecting ventilation in a long tunnel during a heat emergency might require trains to be stopped for passenger safety reasons even though the signalling system remains functional. In practice, modern SCADA systems incorporate redundancy — hot standby servers, redundant communication paths — and field devices have autonomous local control logic that maintains safe states during communication loss. A complete SCADA failure is an extremely rare event, but contingency procedures exist for operating critical infrastructure elements locally in the event of SCADA outage.
- Q: Why is railway SCADA a cybersecurity target?
- Railway SCADA is a high-value target for several categories of adversary. Nation-state actors targeting critical infrastructure disruption can cause significant economic and social impact by disabling a major railway network’s traction power or stopping trains during peak hours. Ransomware operators have targeted industrial control systems across multiple sectors, and railway operators represent large organisations with potential willingness to pay ransoms to restore critical operations. The legacy software environments common in railway SCADA — with limited patching and outdated security controls — make successful penetration more achievable than in better-secured IT environments. The combination of high value, high impact potential, and often-inadequate security baseline makes railway SCADA an attractive target. The 2021 ransomware attack on the Irish health service and similar attacks on critical infrastructure organisations have demonstrated that attackers are capable and willing to disrupt essential services; railways face the same threat landscape.
- Q: How does SCADA manage energy efficiency on an electrified railway?
- SCADA plays an increasingly important role in railway energy management beyond simple power delivery. Modern traction power SCADA systems integrate energy monitoring data from all substations to provide a real-time view of total network energy consumption. This data supports several efficiency measures: tracking regenerative braking energy recovery (comparing power fed back to the grid against power consumed, to quantify regeneration efficiency and identify sections where reversible substations should be installed); optimising substation transformer tap settings to minimise reactive power demand charges from the grid operator; identifying sections of contact wire with higher than expected resistance (indicating degraded connections or cable damage); and feeding operational data to energy dashboards that help operators identify high-consumption periods and trains for targeted efficiency improvement. Some advanced systems are beginning to integrate traction power SCADA data with timetable data and ATO systems to optimise regenerative energy transfer — adjusting train departure times slightly to maximise the probability of a braking train and an accelerating train sharing the same feeding section simultaneously.





