Bengaluru Metro Rail Corporation Limited (BMRCL) will soon set up a dedicated Security Operations Centre (SOC) to combat cyber threats.
BMRCL is probably the first metro operator in India to establish a SOC. "The idea is to prepare for potential cyberattacks, especially with AI and machine learning enabling automated threats. SOC will provide comprehensive visibility across the network, collecting logs from all devices," a senior BMRCL official told Moneycontrol.
Bengaluru Metro has 66 stations, each equipped with around 200 cameras, totalling around 13,200 cameras. Each of the 57 six-car trains is also fitted with four cameras per coach, amounting to 1,368 cameras. There are also around 1,200 computers.
BMRCL has recently floated a tender to set up an SOC at Byappanahalli to oversee the security of its IT and CCTV networks and ensure constant vigilance and rapid response to emerging threats. “This SOC will be pivotal in monitoring, preventing, assessing, detecting, and responding to cyber threats targeting BMRCL's IT systems and infrastructure. SOC will monitor the entire IT and CCTV networks, collecting logs to detect and pre-empt cyberattacks. In case of an attack, it will conduct post-incident analyses. A cybersecurity playbook will guide traffic management, and threat detection platforms from government agencies will help identify and blacklist malicious IPs,” said a senior BMRCL official. BMRCL prepared the tender documents in-house without consultants.
“The SOC will also monitor the health and uptime of the entire CCTV network and the Network Operations Centre (NOC), which are critical for effective surveillance and operational reliability. Given the interconnected nature of IT systems, even a single vulnerability can impact an entire network, so there is a need for a robust SOC capable of detecting threats comprehensively. In the next phase, we will integrate operational technology systems, including monitoring passenger numbers through QR ticketing,” the official said.
Cyber threats are a growing concern in the global rail transportation sector. In 2022, Polish authorities investigated a hacking incident that disrupted the country’s rail network by interfering with railway communication frequencies. In 2016, South Korea accused North Korea of attempting to infiltrate its rail systems, raising alarms about cybersecurity vulnerabilities. Further, ransomware attacks have caused major disruptions in metro services - in Germany (January 2022) and San Francisco (November 2019). The intricate nature of rail operations—including track management, ticketing systems, and safety features—renders these systems particularly susceptible to cyberattacks.
Officials said that skilled cybersecurity personnel would leverage advanced monitoring capabilities to analyse multiple devices and logs, ensuring early incident detection and timely responses.
“Data will be collected from various sources and processed centrally. Advanced detection techniques like anomaly and behavioral analysis will identify potential threats. Alerts generated will be prioritised based on severity, enabling security analysts to assess and mitigate risks effectively,” the official said.
The security analysts will scrutinise detected threats by reviewing logs and event data to understand each incident’s context and potential impact.
“This allows them to prioritise critical threats, identify root causes, and implement necessary security measures to avert future incidents. Remediation will involve collaboration between BMRCL’s IT teams and security analysts to neutralise threats, including patching vulnerabilities, isolating compromised systems, and removing malicious software,” the official explained.
Continuous monitoring will be integral to the SOC's operations for the detection of recurring or emerging threats. “This round-the-clock vigilance, paired with regular threat intelligence updates, will empower us to maintain a proactive stance against cyber threats. This approach will allow us to adapt our defenses to the evolving digital landscape. SOC will be established at Byappanahalli, with the selected firm responsible for supplying, installing, configuring, testing, and commissioning all necessary hardware and software components,” he said.
Compliance will be ensured through regular audits, streamlined processes, and support for standards while conducting cybersecurity posture assessments. Operating 24/7, the selected firm will utilise an on-premises Security Information and Event Management (SIEM) system, malware detection, threat intelligence, and automated Security Orchestration, Automation, and Response (SOAR) workflows to enhance security.
"The solution will integrate with open-source and commercial Indicators of Compromise (IOC) sources. This integration will enable visual alert analysis and support customisable reporting. It will also include a Security Data Lake for centralised data and analytics, which ensures real-time visibility and compliance management," the official added.
Bengaluru Metro, which has an operational network of 73 km, has a daily ridership of around 8 lakh.