Cybersecurity Moves to the Front of the Line on the Caribbean’s First Monorail
When DNV was named to run cybersecurity assurance on the Santiago de los Caballeros monorail, the more revealing detail was not the win itself but the shape of the contract. Independent cyber risk management has been carved out as a distinct, exclusive scope on a flagship transit project, sitting alongside the systems integrator’s delivery package rather than buried inside it.
For a sector that has long treated digital protection as a sub-clause of signalling procurement rather than a discipline in its own right, that is a meaningful reordering of priorities. The line will be the first monorail in the Caribbean, and it is being secured by an independent third party from the earliest engineering phases, which is precisely the model infrastructure owners across Latin America and beyond will be watching.
The reason that structure matters is technical, not ceremonial. The monorail is being built for fully automated, driverless operation, which makes the integrity of its digital control chain the safety case itself rather than an adjunct to it. On a system with no driver in the cab to override a fault, signalling, train control, traction power and rolling stock all depend on software and networks behaving exactly as intended, every second of every service.
Embedding security into the design, construction, integration and testing phases, and having it verified by a party with no stake in the delivery contract, is a way of protecting both the operator’s risk position and public confidence before the first passenger boards. That is the commercial story beneath the announcement: cyber assurance is becoming a procurement line item in rail, with its own scope, its own standards and its own independent sign-off.
Briefing
- DNV has secured an exclusive contract to provide independent, end-to-end cybersecurity advisory and assurance across the lifecycle of the Santiago de los Caballeros monorail, working with engineering firm EQP for the government-owned project promoter FITRAM.
- The scope spans safety-critical systems including signalling, train control, rolling stock and power supply, alongside supporting digital and electromechanical systems such as ticketing, Physical Security Information Management (PSIM) and CCTV.
- Work is aligned to the international rail and industrial cybersecurity standards TS 50701 and IEC 62443, and to the emerging IEC 63452 framework, with security embedded across design, construction, integration and testing.
- The line, more than 13 km long with 14 elevated stations, is the Caribbean’s first monorail, delivered for fully driverless (GoA4) operation by an Alstom-led consortium, and is projected to cut commuting costs for the city by around 30%.
- DNV has folded its rail team into a newly created Industrial Services business unit, positioning independent cyber assurance as a discrete, exportable offering within large transit and industrial programmes.
Driverless operation raises the stakes on every packet
The Santiago system is being delivered for the highest grade of automation, GoA4, in which trains run without a driver or on-board attendant. Alstom’s consortium is supplying Innovia Monorail 300 trainsets running on Cityflo 650 communications-based train control, with a reversible power supply that recovers braking energy.
That automation is what allows headways of around 90 seconds and a design capacity approaching 20,000 passengers per hour per direction, but it also removes the human fallback that older, staffed railways relied on when a system misbehaved. In a driverless architecture, a corrupted command, a spoofed signal or a compromised controller is not merely an IT nuisance; it is a direct route to a physical consequence, which is why the safety and security cases can no longer be treated as separate documents.
The wider difficulty is convergence. Modern railways have dissolved the old separation between isolated operational technology and connected corporate IT, wiring signalling, traction, condition monitoring, ticketing, passenger information and video surveillance into interlinked digital estates with remote maintenance and vendor access. Each of those touchpoints is a potential entry vector, and the ones that look least critical, such as a ticketing gateway or a station media system, can become the soft edge an attacker uses to move toward the systems that actually move trains.
DNV’s remit explicitly reaches beyond the core signalling and train control functions to verify components such as PSIM, CCTV and ticketing precisely because interconnection means the whole estate has to be assessed as one attack surface. José M. Díaz, General Director at EQP, framed the integration challenge directly, noting: “The Santiago de los Caballeros monorail is a complex, safety‑critical system that integrates signaling, rolling stock, power and digital platforms. Working with DNV allows us to embed a structured cybersecurity approach across all railway and electromechanical systems, supporting a resilient and secure delivery for FITRAM and the city.”
Security built in, not bolted on
The standards named in the contract describe how that structure is meant to hold together. IEC 62443, the reference series for industrial automation and control systems, supplies the underlying concepts of security zones and levels that map onto the layered architecture of signalling and control. TS 50701, published by CENELEC in 2021, adapted those industrial principles to the specific operational realities of rail, and it has since begun shaping procurement, design and certification well beyond Europe.
Sitting above both is IEC 63452, the first dedicated international rail cybersecurity standard, drafted by a working group spanning more than a dozen countries and moving toward publication after several years of development. Aligning a greenfield project to all three at once is a deliberate hedge against a fast-moving regulatory picture, since a system designed to the emerging global benchmark is far less likely to require expensive retrofitting once that benchmark is formally in force.
DNV’s position here is not that of a bystander applying other people’s rules. The company sits within the expert group drafting IEC 63452 and represents rail cybersecurity interests within the relevant standards bodies, which gives its assurance work on Santiago a direct line back to the framework the industry is still writing.
The practical advantage for FITRAM is timing: because the monorail is being built from scratch, security can be designed into architecture, network segmentation and access control from the outset rather than layered onto legacy equipment that was never intended to face the internet. Retrofitting cyber resilience onto ageing signalling and rolling stock is one of the most expensive and disruptive problems established operators face, and a new-build line that gets the fundamentals right avoids inheriting that debt.
That greenfield advantage, verified independently and mapped to international standards, is what makes the project a credible template rather than a one-off.
A threat landscape that has already reached the tracks
The case for treating rail cyber as a first-order concern no longer rests on hypotheticals. In 2023, Poland’s rail network was disrupted by attackers exploiting deliberately permissive legacy radio commands, halting around twenty passenger and freight services for several hours. Ukraine’s state operator has repeatedly seen digital services knocked out, at one point forcing a temporary return to paper-based operations.
In the United States in 2024, a ransomware attack blinded Pittsburgh Regional Transit’s rail tracking systems, while a long-buried authentication weakness in the protocol behind end-of-train and head-of-train devices, catalogued as CVE-2025-1727, was found capable of letting an attacker trigger a train’s brakes from a distance with cheap hardware.
Academic researchers have separately identified a flaw in the EuroRadio protocol underpinning European train control that could allow unauthenticated stop commands to be sent to trains in service. These are not fringe events; the EU cybersecurity agency ENISA has attributed a meaningful share of analysed attacks to the transport sector, and regulators from Brussels to Washington have responded with binding obligations under NIS2 and successive TSA rail directives.
A recurring thread across those incidents is the supply chain. Attackers have repeatedly reached operational systems not by breaching the operator directly but through a trusted third party: a maintenance contractor with remote diagnostics access, or a vendor account with privileges into the signalling network. The defacement of station Wi-Fi across nineteen British stations in September 2024, carried out through a legitimate administrator login at a third-party provider, showed how a peripheral, passenger-facing system can be turned into a public-confidence problem even without touching safety-critical functions.
For a project like Santiago, that pattern is the argument for independent, lifecycle-long assurance rather than a one-time audit at handover. Security embedded during integration and testing, and validated by a party outside the delivery consortium, is designed to catch the misconfigured firewall, the over-privileged service account and the unsegmented network before they become the foothold that matters.
DNV’s bet on industrial convergence
The commercial logic on DNV’s side is as much about corporate positioning as about a single Caribbean line. Having brought its rail assurance, advisory and digital services under a newly created Industrial Services business unit, the company is treating cybersecurity for safety-critical infrastructure as a horizontal capability that travels across sectors rather than a niche bolted to any one of them.
The convergence of safety, security and operations that defines modern rail also defines energy, water and heavy industry, and an assurance provider that can carry a consistent, standards-based methodology across all of them has a broader addressable market than one selling point solutions.
Mohamed Houari, CEO of Industrial Services at DNV, described the restructuring as a way to “deliver greater value to our customers through an integrated, end-to-end approach,” combining technical depth with a view of digital transformation across whole asset lifecycles.
For investors and infrastructure owners, the more interesting signal is that independent third-party cyber assurance is maturing into a recognised procurement category in transit, much as independent safety assessment did decades earlier. Regulatory pressure is doing much of the work: as NIS2 obligations bite across Europe and TSA and FRA requirements tighten in the United States, operators increasingly need demonstrable, evidenced compliance rather than assurances taken on trust, and that demand flows down to every new project and every supplier in the chain.
Jorge Aldegunde, Global Head of Railway Services at DNV, called the monorail “a groundbreaking project that will reduce congestion in the city and bring down travel costs for commuters,” and framed the appointment as a contribution to “a safer, more secure and resilient monorail system.” Behind that language sits a market thesis, which is that the professionalisation of rail cyber will keep generating demand for the independent verification DNV has organised itself to supply.
What Santiago sets in motion for the region
The Dominican Republic is not building in isolation. Elevated monorail and metro lines are advancing across Latin America and the Caribbean, from a second, larger monorail planned for Santo Domingo to schemes in Panama City and Monterrey, most of them running down the median of urban motorways to keep land take and costs down. Almost all of these are being procured as automated systems, which means each one arrives with the same fundamental dependency on the integrity of its digital control chain that Santiago now faces.
A first-in-region project that sets the precedent of independent, standards-aligned cyber assurance embedded from the design phase gives every subsequent scheme a reference point, and it gives national promoters a defensible answer when asked how a driverless railway will be kept safe from interference. Jhael Isa, Executive Director at FITRAM, positioned the work in exactly those terms, arguing: “Cybersecurity is a fundamental enabler of safe, reliable and trusted railway operations,” and that applying international best practice across all phases supports “long-term resilience and public confidence in this landmark infrastructure.”
There is a note of realism to add. The monorail’s construction has run past its original completion targets, a familiar pattern for first-of-a-kind transit in any market, and the cyber assurance programme will need to hold its discipline across whatever timeline the civil and systems works ultimately follow.
What the appointment establishes, regardless of the opening date, is a way of working that the next generation of automated urban railways is likely to adopt as standard: security designed in from the first line of the architecture, mapped to the international frameworks the industry is still finalising, and signed off by a party with no interest other than getting it right.
For construction professionals, infrastructure owners and the investors backing them, that shift from bolt-on protection to built-in, independently verified resilience is the development worth carrying forward from Santiago.

Key Industry Questions
- Why does a driverless monorail need a separate cybersecurity contract rather than relying on the systems supplier? On a GoA4 line there is no driver to intervene when a control system misbehaves, so the digital chain is the safety case itself. Bundling cyber assurance inside the integrator’s delivery scope creates a conflict of interest, because the party building the system also grades its own security. An independent assessor with no delivery stake can challenge design decisions, verify network segmentation and access control impartially, and validate that safety-critical and supporting systems meet international standards. Carving cyber out as its own scope also gives the operator and financiers an evidenced, auditable trail of compliance, which is increasingly demanded by regulators and insurers. For infrastructure owners, independence is the mechanism that turns a security claim into something a third party will actually stand behind.
- How does building security in from the design phase differ from securing an existing railway? Greenfield projects can define security zones, network architecture and access controls before any equipment is installed, which is far cheaper and more effective than retrofitting. Established operators face the opposite problem: signalling and rolling stock that may be decades old, never designed for internet connectivity, and expensive to segment or patch without disrupting service. Retrofitting resilience onto that legacy estate is one of the sector’s costliest cyber challenges. A new-build line like Santiago avoids inheriting that technical debt, provided the fundamentals are specified correctly at the outset. The trade-off is that greenfield decisions are locked in early, so getting the architecture, standards alignment and independent verification right during design carries outsized consequences for the whole operating life of the asset.
- What are TS 50701, IEC 62443 and IEC 63452, and why align to all three? IEC 62443 is the established international series for securing industrial automation and control systems, providing the underlying model of security zones and levels. TS 50701, published by CENELEC in 2021, adapted those principles to the operational realities of rail and now influences procurement well beyond Europe. IEC 63452 is the first dedicated international rail cybersecurity standard, still moving toward final publication, and is built on the foundations of the other two. Aligning a project to all three simultaneously hedges against regulatory change: a system designed to the emerging global benchmark is unlikely to need costly rework once that benchmark formally takes effect, which protects both the delivery schedule and the long-term compliance position.
- What is the realistic threat to a system like this, and is it exaggerated? The threats are documented, not theoretical. Rail networks in Poland and Ukraine have been disrupted through operational technology and legacy radio systems, a US ransomware attack blinded a transit operator’s tracking, and a catalogued flaw in end-of-train devices was shown capable of triggering brakes remotely. Researchers have also found weaknesses in the radio protocols underpinning European train control. Many intrusions arrive through trusted third parties rather than the operator directly. For a driverless system, the endpoint of a successful attack can be a forced halt across a corridor or a safety incident, which is why the risk is treated as first-order rather than a compliance formality. The proportionate response is layered, standards-based defence verified independently across the lifecycle.
- Does compliance with these standards guarantee the monorail cannot be hacked? No security regime eliminates risk entirely, and no credible assurance provider claims otherwise. Standards alignment and independent verification substantially reduce the likelihood and impact of an attack by enforcing sound architecture, segmentation, access control, monitoring and incident response, and by catching misconfigurations before they are exploited. What lifecycle assurance provides is defensible evidence that the system was designed, built and tested to recognised international benchmarks, which matters for regulators, insurers and public confidence. Cybersecurity is also an ongoing operational discipline, not a one-time certification, so the design-phase work needs to be sustained through monitoring, patching and periodic reassessment once the line is in service. The goal is resilience and rapid recovery, not an unrealistic promise of invulnerability.
- What does DNV’s move to fold rail into an Industrial Services unit signal for the market? It signals that cybersecurity for safety-critical infrastructure is being treated as a capability that travels across sectors, since the convergence of safety, security and operations in rail mirrors energy, water and heavy industry. For DNV, a consistent, standards-based methodology applicable across all of them widens the addressable market beyond any single vertical. For the industry, it reflects the maturing of independent third-party cyber assurance into a recognised procurement category, comparable to how independent safety assessment established itself earlier. Regulatory drivers such as NIS2 in Europe and TSA requirements in the United States are pushing operators toward demonstrable, evidenced compliance, which sustains demand for exactly the independent verification services DNV has reorganised to provide at scale.
- What does this mean for other transit projects across Latin America and the Caribbean? Automated monorail and metro schemes are advancing in Santo Domingo, Panama City, Monterrey and elsewhere, and nearly all share the same dependency on a trustworthy digital control chain. A first-in-region project that establishes independent, standards-aligned assurance embedded from design gives every subsequent scheme a reference model and a defensible answer to how a driverless railway is kept secure. National promoters can point to a recognised methodology rather than improvising, and suppliers face a clearer expectation of what compliance looks like. Over time this can standardise procurement, reduce the risk premium on new automated lines, and make cyber assurance a routine, budgeted component of transit delivery rather than an afterthought negotiated late in the programme.
Strategic Takeaways
- Independent, lifecycle-long cyber assurance is emerging as a distinct procurement line in rail, separate from the integrator’s scope, and infrastructure owners should expect financiers, regulators and insurers to increasingly require evidenced third-party verification rather than supplier self-certification.
- Driverless operation collapses the old separation between safety and security cases, so any owner procuring an automated line should treat digital integrity as a core safety requirement and budget for it from the design phase, not as a late-stage addition.
- Aligning greenfield projects to TS 50701, IEC 62443 and the emerging IEC 63452 simultaneously is a practical hedge against regulatory change, reducing the likelihood of costly retrofitting once the global rail cybersecurity standard is formally in force.
- Supply-chain and third-party access remain the most common route into operational systems, which makes vendor and maintenance-access governance, not just core signalling protection, a priority for procurement teams and system integrators alike.
- Santiago sets a regional precedent that automated transit schemes across Latin America and the Caribbean are likely to follow, potentially standardising rail cyber procurement and lowering the risk premium attached to first-of-a-kind driverless lines.















