Enhance the resilience of modern rail networks by monitoring traffic at the edge.
By detecting threats directly inside the on-board network, the switch-based Intrusion Detection System provides clear visibility into what is happening across the train, without changing the network configuration. Traffic is processed locally on each switch, and only important alerts are flagged, minimizing the impact on network bandwidth.
The result is faster detection, simpler deployment, and a more comprehensive picture of network activity, without adding complexity or extra hardware, making it well suited for retrofitting existing fleets as well as new builds.
The IDS is deployed on the switch, where the packets are directly visible. Only alert data is sent, keeping bandwidth overhead extremely low.
Turn every switch into a network sensor, giving visibility of all traffic across the entire train network and not just in certain locations.
Spot unusual activity from maintenance ports and externally-connected subsystems, detect hardware changes or rogue devices, and alert on abnormal traffic patterns.
Modern on-board rail networks were never designed with monitoring in mind. Unicast traffic on switched networks takes the shortest path between devices, which means there is no single point where all packets can be observed. At the same time, trains have no clear perimeter, and threats can enter from many places, including maintenance ports, externally-connected subsystems, interfaces like CCTV and HMI, USB ports, or even the software supply chain.

By embedding detection across all switches, threats entering anywhere in the train network can be detected where they occur.
Most on-board switches do not support observability technologies like sFlow or RSPAN, and even if they did, the limited bandwidth of train-to-wayside links makes centralised monitoring impractical. As a result, conventional IDS architectures create complexity, require additional hardware, are costly, or fail to capture the full picture of what’s happening inside the train network.
A switch-based IDS solves this by placing detection exactly where the packets enter or leave the network. Traffic is monitored passively at the switch, without redirecting it, introducing latency, or interrupting communications.
Instead of routing traffic through dedicated monitoring devices, the IDS runs directly on the network edge, giving operators full visibility into local behavior without re‑architecting the network or introducing heavy data loads. The IDS runs as a bounded, isolated application, ensuring switching performance and critical traffic handling are not affected.
The result is a more comprehensive cybersecurity approach tailored for rail that detects threats early and causes minimal disruption to train operations.
Application hosting in containers lets you safely run isolated applications directly on Westermo WeOS 5 devices. This gives operators the flexibility to deploy custom tools, analytics, and services without adding external hardware.
Containers make it easy to update, manage, and scale applications while keeping the underlying system secure, consistent, and future-proof. The solution is built on Westermo’s IEC 62443-4-2 certified switches and RazorSecure’s proven rail IDS solution, Delta.
The Viper-3000 series is a range of rugged, managed Ethernet switches designed specifically for onboard applications. The IEC 62443-4-2 (SL2) certified Viper-3000 series combines robust hardware, secure design principles, and WeOS 5 software to ensure reliable, resilient, and future-ready connectivity for modern rail systems.