Future Rail Signaling: Cyber and Energy Resilience Through AI Interoperability

Abstract

In today’s world, everything changes at lightning speed, making what is relevant today potentially obsolete tomorrow. This author’s scientific article addresses the issues of energy resilience and cybersecurity in railway signaling. A new proposal based on artificial intelligence is made to improve the fault tolerance of rail transport signaling infrastructure by ensuring increased energy efficiency and detecting cyber-attacks in real time. A linearly coupled neural network model was designed and implemented in a railway signaling simulation to simultaneously track the energy characteristics of signaling and detect abnormal behavior. The authors’ model was validated based on MATLAB(24.2.0.2863752 (R2024b) Update 5) simulations of a real double-track railway line under normal operating conditions and in a ransomware cyber-attack scenario. The AI simulation model correctly predicted the resilience of the signaling system, achieving an average absolute error of 0.0331 in predicting the fundamental performance indicator, and successfully identified an upcoming cyber-attack 20 min before the incident. This study demonstrates the promising architecture of the AI-based signaling system, which provides a significant increase in resilience to emergency situations in relation to power supply and cyber-attacks. By optimizing the signaling infrastructure with AI, it is possible to ensure safe and continuous movement of trains, including emergency situations, representing a promising approach to improving the resilience and safety of railways.

1. Introduction

The railway signaling system is characterized as a structural framework that ensures safe and coordinated operation of all components of the railway infrastructure. The inoperative state of this component leads to violation of the algorithms of the transport and technical activities of the railways. Maintaining a continuous operating mode in the conditions of fluctuations in energy savings and cyber-attacks is of critical importance. Recent events highlight the priority of this area. For example, in 2023, an alleged sabotage by the special services of the Russian Federation, through unauthorized radio signals, disrupted the signaling system of Polish railways, which entailed emergency stops of trains [1]. A second example is the mid-2024 incident in France, when the local rail operator SNCF’s signal infrastructure was hit by a coordinated attack just hours before the Olympic opening ceremony [2]. The above-mentioned abnormal incidents illustrate that the geopolitical situation or persons committing illegal actions implement destabilizing measures against the architecture of the railway signaling infrastructure. It should also be noted that worn-out or obsolete infrastructure elements and modified technical requirements cause regular obstacles in maintaining the stability of signaling. An accident in Frankfurt, Germany in 2017 (Grafenröde station) occurred due to an error in the signaling system and led to a collision of two trains on the same track. All of these accidents indicate the advisability of ensuring the stability of the signaling infrastructure from both deliberate attacks and unintentional failures. Based on the above, it is necessary to begin researching new solutions to improve the energy and cyber-resilience of rail transport signaling. In reviewing previous studies, it was found that they explored multiple, at that time, technologically advanced principles for monitoring and protecting railway system components—hybrid models of complex learning for identifying anomalies in multi-layer networks, and federated learning for distributed data processing. But, at the same time, these works considered cybersecurity and energy efficiency independently. The novelty of this research paper lies in the proposal of a general technical solution that simultaneously eliminates these problems in the context of railway signaling and demonstrates the interoperability of AI with this component of rail transport infrastructure. In comparison with the research methods used in previous work, which have focused mainly on detecting digital threats (usually using multi-layer and distributed frameworks), the current authors’ approach ensures the interoperability of the AI-based model directly in the signaling system to optimize performance in two aspects: maintaining stable power supply parameters and ensuring early detection of a digital attack. An innovative linear-connection neural network approach is implemented, and its interoperability with real operational tasks of railway signaling is presented through simulation. The current AI model implements the function of predicting the stability of the signaling system and identifying abnormal situations, thereby providing an applied decision-support function for railway system operators. Considering the above, it seems reasonable to consider that the initial contributions of this study are as follows:

• Integrated resilience model: The authors propose a unified AI model that has the functionality of simultaneously solving problems of forming technological resilience and detecting cyber-attacks in the signaling infrastructure. This synergistic approach provides a broader coverage than traditional studies, which study the problems of cyber and energy resilience in isolation.
• Modeling in an approximate operational environment: The effectiveness of the model is confirmed by validation under conditions that best demonstrate real operation—a double-track railway line with high intensity, variable traffic parameters and a simulated digital threat staged according to a predetermined schedule. AI demonstrates the potential to maintain functional compatibility with signaling processes and provide early warning of potential cyber-attacks.
• Functional conclusions: The authors formulate which initial parameters have the greatest impact on signaling resilience, and analyze the optimal balance between model complexity and performance. The obtained results provide practical guidance for railway infrastructure stakeholders (railway system operators) on how to implement AI to improve signaling resilience and security.

Based on the existing literature, and optimizing the aspects missing in existing solutions, this paper aims to demonstrate the interoperability of AI with railway signaling, thereby increasing the resilience of railway operations against modern threats.

2. A Literature Review Regarding the Energy and Cybernetic Sustainability of Railway Signaling Systems

The use of AI in energy supply and cybersecurity for railway signaling infrastructure significantly enhances its resilience to both external and internal threats, considering that this infrastructure serves as a vital life-support system within the broader global structure of the railway network. An important solution for the implementation of AI in signaling infrastructure systems is the phased planning of the steps for including this technology. Zhang et al., in their scientific article, analyze in detail the structures of computerized control of rolling stock based on AI. The authors indicate that the digital operation of rolling stock is a multifunctional and multi-stage problem [3]. There are three stages to develop a new AI-based system:

• The first stage: Selection of a railway line designated for technology implementation, collection of detailed information about the rolling stock intended for use, and preparation of a train control scheme based on AI technologies;
• The second stage: Implementation of the testing process and experiments on the operability, reliability and sustainability of the new technology, in experimental conditions, on the test section of the railway track;
• The third stage: Application of AI on an existing railway line [3].

Vatakov and others, in their work, explored two technologies that involve the use of AI for railways—IoT and digital twins [4]. The use of IoT involves the interfacing of physical devices, that are equipped with sensors, specialized software, actuators and communication modules for converting data, with other equipment and systems using the Internet. Given the level of development of digital technologies, it is recommended to use cloud data storage technologies for optimal use of IoT. Thus, there is a possibility to digitalize important railway processes as a component of Industry 4.0. Digital twin technology is applicable in such an environment as the development of railway systems. This method allows for the reproduction of a physical object with high accuracy. A digital twin can be used to detect, prevent and predict the behavior of a physical object, taking into account real-time assessment. In addition, the technology under consideration can be used to coordinate rolling stock and control infrastructure.

Wu and others, in their work, investigated security measures and the resilience of the signaling infrastructure to external threats [5]. In particular, the authors determined features for determining whether the railway signaling meets safety criteria. These properties include the following:

• Resilience: This indicator analyses the ability to perform the conditioned function of the signaling without errors in the specified period and at a given position. The position is determined by the operating mode, load scale and environmental conditions.
• Reachability: A parameter that represents the option to provide a given functionality at a specified time and position. Reachability demonstrates the frequency of failures and the possible consequences of each error.
• Serviceability: A parameter that examines the ability to carry out maintenance on time and universally. The service complex includes inspection, analysis, detection of malfunctions and modification of devices.
• Safety: A criterion that gives an understanding of protection from harm to nature and humans. This category includes the analysis of possible emergency situations and associated dangers due to device errors [5].

Tang et al., in their article, focused on the number of articles that relate to the interoperability of AI and rail transport systems [6]. During their study of a number of works investigating the above-mentioned research question on the interoperability of AI and railways, it was found that one of the main sub-topics is the use of AI for the maintenance and inspection of rolling stock, which accounted for 57% of the total number of scientific papers, followed by the sub-topic of using AI in traffic planning and coordination, which accounted for 25%. The third place was occupied by studies focusing on the sub-topic of using AI in the field of railway network safety, which accounted for 8%. Articles on the use of AI in autonomous control and passenger mobility accounted for no more than 5%.

Fu investigated artificial intelligence and communication algorithms [7]. In the first case, the algorithms investigated were deep learning and deep reinforcement learning. Deep learning implies a teaching method that has the ability to describe a solid model based on the original data. The purpose of this method of analysis is to regulate the problem of autonomous learning of rational concepts of indicators from the analyzed data. Deep reinforcement learning (DRL) algorithms are designed to address complex, dynamically evolving problems through continuous interaction with the environment and iterative learning of optimal solutions. The deep reinforcement learning algorithm implies that solid neural networks can independently detect optimal, small-sized concepts of multi-aspect data—image, text and audio.

Efanov and others, in their article, described the standards of synthesis of the signaling system of rail transport [8]. First of all, it was determined that the procedure for synthesizing these elements of the infrastructure would be carried out using deviations in the impact of events, which imply an erroneous implementation of the coordination sequence and the formation of critical failures. To minimize the risk of such situations, it is necessary to include structures of controlled equipment, self-government operation and the functioning of components with a disproportionate failure characteristic. The authors also established some definitions of the safety of railway signaling systems, namely the following:

• Internal safety of signaling devices refers to their inherent inability to be influenced by erroneous or non-standard computational conditions that could disrupt the execution sequence within strategies aimed at preventing transitions to critical states.
• External, fragmentary safety of signaling equipment is designated as the functionality of the equipment to parry certain disorganizing circumstances that can be detected by a machine.

Hu et al. [9] identified several technical strategies that help strengthen the cybersecurity of railway signaling and information systems, including the following:

• Network segmentation: This step involves counteracting possible non-standard situations. This concept is aimed at preventing the lateral movement of people who threaten the digital security of railways between multiple elements of the virtual infrastructure.
• The implementation of improved network security protocols, such as MQTT, which uses TLS encryption.
• The implementation of firewalls and intrusion detection technologies at key intersections of the digital security infrastructure.

In addition to the above recommendations, the authors determined that in order to increase the cyber-resilience of railway signaling infrastructure, it is necessary to improve the security protocols that have already been implemented. Such actions include the inclusion of a systematic structure for sensors and actuators, the recognition of flaws, and experiments on intrusion into the system. The first step is to perform remote firmware upgrades, ensuring that all equipment includes the latest security modifications. The second step allows for modeling probable cyber-attacks and analyzing the resilience of the signaling infrastructure to future threats [9].

Cao et al., in their article, described the use of AI to detect erroneous actions of railway signals in a signaling system [10]. According to the results of the study, it was found that the following modules can be used to solve this problem:

• Modules for collecting and processing fault data (implemented on switching activity, and also cover several analog values for determining the relay starting current);
• A database coordination module (based on the functionality of storing fault data, information on transportation and processing operations);
• An expert module for error inspection (designed on Prolog software, the purpose of the module is to evaluate and diagnose damage indicators).

In addition to the above modules, the authors created a model for dynamic detection and investigation of faults. A feature of the model is the administration of all operational modules without exception; interactive work is carried out between the effective module and the diagnostic mode. By processing outgoing signals of two operational positions separately, there is a possibility of increasing the efficiency and accuracy of detection of system diagnostics. The changeable signal generated by the state controller has two options: the changeable signal generated by the state controller performs two functions: (1) transforming the incoming information of each function into predefined values, and (2) supplying signals to indicate technical serviceability, identify operational states, and extract detection parameters in the results analysis module [10].

Liu et al. analyzed the concept of cyber-physical systems for railway signaling infrastructure in [11]. The considered approach is defined as an engineering structure where natural and man-made systems are functionally combined with information, communication and coordination systems in all proportions. With the use of CPSs, equipment, rolling stock or embedded technology such as AI can be converted into digital space, which will improve the cyber-resilience of the signaling system. In the AI-assisted CPS methodology, rolling stock and railway infrastructure elements have the functionality to use the current information flow to study the performance conditions and detect potential defects. Thus, it is possible to analyze the performance status and warn of future errors and risks.

Skalozub, Zhukovsky and others considered, in their article, improvement of the information and signaling infrastructure of Ukrainian railways using AI. For example, the authors proposed automatic intelligent control of technological processes of rail transport in Ukraine, namely analytical services. The authors note that the analytical methodology and tools are multifunctional [12]. The design and operation of standardized models and actions provides an improvement in the efficiency of processes and authenticity of the results regarding the condition of infrastructure components, inspection and forecasting. The analytical services based on AI proposed by the researchers allow for the expansion of standardized models and actions that comprehensively coordinate railway processes.

3. Aspects and Requirements for the Interoperability of Railway Signalization with AI, Taking into Account EU Standards

When examining the features and requirements of the functional compatibility of artificial intelligence with railway signaling, it is necessary to pay attention to the legislative act that regulates the use of AI in the European Union. This act is EU Directive 2024/1689, which establishes balanced rules regarding artificial intelligence and makes corrective amendments to existing amendments, including EU Directive 2016/797—the act on the interoperability of railway systems. In EU Directive 2024/1689, namely in Section IV, paragraph 2, it is noted that AI developers are obliged to ensure that technical solutions generated by digital intelligence are optimal, rational, functionally compatible and sustainable, taking into account the possibility of technical regulation, features and limitations of the type of task, implementation costs and the degree of technology, which is likely to be reflected in existing technical standards [13]. According to paragraph 28 of EU Directive 2016/797, for each railway subsystem, it is necessary to define the main criteria and identify technical characteristics, especially for elements and digital interfaces. Therefore, for the planned functional compatibility of AI and signaling, it is advisable to analyze for which elements of a given type of railway infrastructure a tool such as artificial intelligence is intended [14]. AI in signaling systems can improve the Common Safety Methods (CSMs) detailed in EU Directive 2016/798. In particular, the CSMs were designed to maintain a high level of rail transport safety and to analyze the compliance of CST systems. In addition, the CSM missions include risk analysis and monitoring methods, supervision methods used by each national transport safety authority, and methods for assessing compliance with the safety level and indicators of rail transport operators at each national and union level [15]. Ren and Du, in their article, indicated that the key point in AI interoperability in critical infrastructure is technology transfer, namely, helping countries that are lagging behind in technical development to form the necessary complex to support the latest AI systems, design data centers, communication capabilities and other fundamental components that make it possible to create an AI ecosystem [16]. Ferdousi, in her scientific work, focused on such issues as data quantity, absence of errors and data completeness. The author points out that the main obstacle is that the current state of secondary data and the theorem of indirect optimization do not offer the option of delegation of probability, which implies real multi-stage distribution of information, and there are no detailed studies on why the functionality of AI is positive only with empirical values for actual tasks. In addition, it was found that for the use of AI in global structures such as railways, modern regulatory documents can complicate the interoperability of the technology in question, due to the applicable conditions regarding information and its management. After all, such components of AI as statistical, mathematical and computational theorems are still at an early stage of development [17].

Gesmann-Nuissl and Kunitz, in their scientific work, studied the obstacles, in a legislative context, to the progress of AI in the field of rail transport [18]. In particular, a significant challenge lies in establishing a convincing safety justification, especially when the AI-generated solution is unpersuasive due to limitations in the training data or the unexpected need to incorporate ethical considerations into the automated decision-making process. Such a step of coordinating safety is one of the results of the proportionality analysis, which was carried out to present the necessary functionality and sustainability of the product. In addition, the author found that the AI directive uses an approach formulated based on risk monitoring. For this reason, the AI systems that are currently used are divided into different hazard categories. In the directive under consideration, AI is classified as unsuitable, high-risk, or minimal-risk. When examining the sustainability requirements in current legislation and directives, it was determined that the criteria remain unchanged. The EU Directive does not define these sustainability conditions directly, but relies on existing regulations and directives. In addition to the problem of diffuse legislation, the problem is that the existing technical standards concerning rail transport do not interpret the use of AI in a mass manner, and a special procedure and confirmation of system options for the safe deployment of AI are still required.

4. Methodology for Studying the Interoperability of AI in the Signaling Infrastructure of Railway Transport. Cyber- and Energy Resilience of Railway Signaling

The research methodology was formed based on two hypotheses:

• A comprehensively designed AI model can optimize and strengthen the energy resilience and cyber-resilience of railway signaling systems;
• Increasing the resilience of the signaling infrastructure by introducing AI will have an increasing effect on other components of the railway infrastructure (in accordance with the strategic guidelines for railway transport).

To validate the hypotheses, we used an optimization method and designed a new AI model for signaling infrastructure.

In order to compile a set of measures to create an original model with AI integration that would improve energy and cyber-resilience, preference was given to the optimization method. The selection of this method was dictated by the fact that this method is one of the best for designing a new model. The methodology includes several stages:

• Design of the threat identification algorithm: Initially, AI algorithms were proposed to facilitate the implementation of the detection of cyber threats (ransomware attacks) in the alarm infrastructure.
• Design of the simulation model: A simulation environment of the alarm system in the operating and offline mode provoked by the ransomware was implemented. The simulation was based on realistic characteristics, such as the supply voltage of the paths (50 V) and the cyber-attack scenario.
• Training the model with subsequent validation of the results: By applying the simulation data, the authors trained the neural network to generate predictive estimates of key parameters (energy stability and cyber-attack status) and performed its adaptation, comparing the output values of the model with the real simulation results.
• Scenario model of independent operation: The operation of the signaling equipment was tested in autonomous mode with an active AI model, in conditions of the presence of several trains on the line for scaling to operational traffic conditions.

In this study, the above tasks were carried out on the double-track railway line Vilnius–Klaipeda, an important artery of rail transport in Lithuania and the Baltic region. The importance of this route lies in connecting Ukraine, in transit through Poland, with the Baltic Sea. This direction is strategically important, given the limited implementation of export operations, the reason for which is the unauthorized activity of the Black Sea Fleet of the Russian Federation in the economic zone of Ukraine. Modeling and development of the model was performed in MATLAB(24.2.0.2863752 (R2024b) Update 5), a target environment for rapid verification of coordination algorithms and neural networks. First, it was necessary to set the parameters of the task (parameters were entered into MATLAB). The simulation parameters are shown in Figure 1.

The total coverage of the signaling system simulation was 120 min. The section under consideration was one with 10 rolling stocks moving on the 300 km long double-track Vilnius–Klaipeda line. The starting positions were uniformly distributed (with an approximate value of 30 km between them). The speeds were set based on a random distribution within the range from 70 to 150 km/h (to reflect mixed traffic). In addition, a track gradient value of 0.15 (15%) was included to accommodate load variability. The alarm was powered by a 50 V DC source, the nominal level for alarm system devices. For each minute of simulation, two arrays were recorded:

• energy_consumption;
• cyber_threat_detected.

In Figure 2, all indicators were zero until the start of the digital attack (at 60 min). At 60 min of the simulation, a ransomware attack was carried out: the alarm system went into autonomous (offline) mode, as in a “denial of service” cyber incident. The system_mode array (120 min long) detects the system state “Normal” or “Offline”. From the moment the attack is activated, all parameters are “Offline” if the AI cannot prevent it. This forms a strict separation of pre- and post-attack data for model training:

Figure 3 demonstrates the neural network architecture—the AI model is a direct multi-layer perceptron with two hidden layers:

• The input layer consists of 10 features (train speed, their location, slope, voltage, energy consumption, anomalies, etc.).
• The hidden layers are represented by 64 and 32 neutrons, respectively. The structure under consideration initially provides a wide range of connections, and then filters out less significant ones.
• The output layer is presented by two neutrons—one predicts energy sustainability, and the second predicts cyber sustainability (anomaly monitoring).
• Network training involved a maximum of 500 epochs, since this was a safe limit in the simulation. The hardware configuration on which the script was played was on an Intel Core i3-4160 processor (3.60 GHz, 2 cores/4 threads, 8 GB RAM (Random-access memory)). A series of runs from 100 to 1000 epochs revealed that starting from the 450th epoch, the validation MAE stabilized. After 550 epochs, the validation error began to increase, and therefore, 500 epochs was the upper limit, at which point the model demonstrated stable generalizing behavior and provided an optimal balance between the quality of the model and practical feasibility. Computing resources at 500 epochs reached 11 min of training; if the simulation was reproduced at 1000 epochs, then the training increased to 24 min and the RAM consumption increased from 2 GB to 4 GB. With a configuration with 8 GB of RAM with this number of cycles, “Out of memory” was recorded.
• A learning rate of 0.005 was selected based on the results of a series of tests. With smaller parameters, the model training did not meet the set accuracy threshold for 500 epochs; with larger values, error fluctuations and an increase in RAM consumption were recorded. Therefore, the specified value of 0.005 guaranteed stable convergence of the SCG algorithm and allowed the MAE to reach 0.033 in 11 min.

Figure 4 shows the partitioning process, which involves systematically dividing the original set of data indicators into different non-overlapping subsets, each of which serves its own purpose in the process of building and testing the model. This cycle is divided into three parts—a training set, a validation set and a test set. The training set is used for the actual training of the network (weight optimization and minimization of the error function). The validation set is responsible for the deferred set, where the quality is checked at certain intervals during training and is used to configure hyperparameters and the early-stopping algorithm. The test set operates for the model in the background and without direct visual manifestation until the end of all settings. It is used once for the final objective assessment of the accuracy of the model. In the partition, the metrics are mixed and distributed among the three subsets according to the specified shares (70/15/15%).

Figure 5 illustrates the creation of a multi-layer perceptron with an architecture formed by vectors [64,32] with the definition of the SCG training algorithm. In addition, the MAE error function is used at this stage. MAE was considered as the most suitable method for several reasons:

-

MAE calculates the mean absolute error between the forecast and the truth, and the scale of the results is interpreted directly (the same units as the goal);

-

MAE is less sensitive to rare outliers than MSE (mean squared error), which is advisable in the case of probable bursts in data (in our case, during cyber-attacks).

The net.trainParam.goal line of code defines the target error value. The threshold of 1 × 10⁻⁴(10-4) was defined as a value that is an order of magnitude less than the statistically achievable MAE and several times lower than the engineering-significant level of 0.1%. The threshold value under consideration performs the option of emergency termination of training in a situation of extremely fast convergence, without affecting the normal cycle. In addition, it eliminates the possibility of irrelevant iterations, which, at the threshold of 1 × 10⁻⁵(10-5), entail a twofold increase in time and memory on the i3-4160/8 GB RAM processor. Therefore, 1 × 10⁻⁴ provides an effective trade-off between the accuracy and computational efficiency of the model. The max_fail line implements an early-stopping mechanism: if the validation MAE is not optimized for 45 consecutive epochs (9% of the 500-epochs limit), then the model training is stopped. The study of the curve shape demonstrated that the real plateau is reached in 15–30 epochs, and an additional reserve of up to 45 makes it possible to smooth out random fluctuations, but stably blocks overfitting. This means that 45 epochs allow us to achieve a compromise in accuracy, protection from overfitting, and the standard computation time with an Intel i3-4160 processor and 8 GB of RAM. The mathematical form of the scaled conjugate gradient looks like this:

$$P_{k+1}=-g_{k+1}+{\beta }_k{P}_k,$$

(1)

where ${\beta }_k$ is computed to ensure that $P_{k+1}$ remains conjugate with respect to an approximate Hessian (i.e., second order) matrix. The “scaling” part of SCG uses an additional parameter, λ, to modify the Hessian approximation, preventing excessively large steps. The mathematical form of the mean absolute error is as follows:

$$MAE={\displaystyle \frac{1}{N}} {\sum }_{i=1}^N\left|t_i-\left.y_i\right|,\right.$$

(2)

where $N$ is the number of samples, $y_i$ is the predicted output, and $t_i$ is the target (true) output.

In MATLAB, constructing a feedforward network and incorporating the scaled conjugate gradient algorithm and the mean absolute error formula looks like this (Figure 5):

Figure 6 provides an illustration of ransomware attack detection over time. The X-axis (0–120 min) indicates the simulation timeline. From 0 to 59 min, the alarm is in normal operation; at 60 min, the simulated attack is triggered; and from 60 to 120 min, the alarm infrastructure operates autonomously under ransomware pressure. The Y-axis (Attack Probability, 0–1) indicates the probability of a cyber-attack as analyzed by the AI model (0 = no attack, 1 = attack in progress). The black curve appears as the AI forecast. Its jump from 40 min (the actual system shutdown at 60 min) is not a false positive. Such behavior is a consequence of a deliberate early warning mechanism, which is designed on the principle of “layer-by-layer” interoperability of weak signs of the preparatory phase of the attack. The logical explanation is the following argument: according to the report 8183 of the US National Institute of Standards and Technology (NIST) [19], 30 min before the activation of malware, as a rule, the following are recorded:

• A surge in port scanning;
• An increase in Heart-Beat packet delays in the service network;
• Single packets with an erroneous CRC (cyclic redundancy code).

The above micro-anomalies were purposefully embedded in the simulation from 40 min to reproduce the reality of the “prologue” of the attack. The red dotted vertical line indicates that the attack has started (at 60 min), and is the true “anchor point” for testing the accuracy of the model. The gray-shaded “Attack Phase” indicates the period during which the alarm is under attack and disabled, and the time when the dispatcher must take crisis measures. The broken curve in black reflects the output of the second neuron of the network, which is responsible for cyber-resilience.

Next, Figure 7 demonstrates the railway signaling system sustainability prediction. The X-axis (sample) contains 100 observations from the test sample. Each sample is a single time point (−1 min) of the signaling system, which is invisible to the system during training. The set within which the generalizing ability of the model was tested is presented. The Y-axis (stanability score 0…1) is the metric of the “energy-cyberstability” of the signaling system in a normalized form: 0 is a critical failure, and 1 is an ideal state. The blue solid curve consists of the true stability values that were calculated by the simulations and are the “gold standard” for checking the accuracy. The red dotted curve is the neural network forecast (the output of the first neuron), and the plotted curve must follow the blue line as closely as possible to demonstrate high accuracy of the model. The main observations in this figure are the following:

• A high trend coincidence rate: For almost every peak and trough, the red dotted line follows the blue solid line, with minimal fluctuations. This is confirmed by the indicators MAE = 0.0331 and R² ≈ 0.94 (the determination coefficient, indicating that the neural network explains about 94% of the spread of real stability values, and confirming that the model correctly tracks the dynamics of the system).
• The boundaries of level 0–1 are identically recreated: Within the range close to 1.0 according to actual data, the forecast also approaches 1. In the range where empirical “failure” occurs, 0.25–0.30, the model goes down to almost the same depth.
• Local discrepancies ≤ 0.10: Large inconsistencies are noted in the zones of sharp jumps in the real metric. Here, the red line reacts with a delay of 1–2 samples, and does not reach the most extreme values, which is typical for one-step predictors without a self-adaptive filter.
• Absence of systematic bias: An equal number of “overflows” of the red curve above/below the blue curve is detected—the system does not systematically overestimate or underestimate stability.

Figure 8 shows a multi-layer linear (feedforward) perceptron that was automatically generated in MATLAB. From top to bottom, there is a full “data flow” from the sensors to the two final indicators. The Input block consists of a 10-dimensional vector, and records the current signaling state every minute (50 V bus voltage, current, number of trains on the line, average speed, track slope, Normal/Offline states, network packet delay, voltage fluctuation value, short-term power consumption history, backup power status). The Hidden 1 module (the first hidden layer of 64 neutrons) sifts the inputs, namely searching for complex combinations of features, such as “an increase in average current with an increase in packet delay”—a likely manifestation of preparation for a digital attack. The Hidden 2 section (the second hidden layer of 32 neutrons) condenses the data, i.e., 32 neutrons extract the structural core from 64 primary patterns, rejecting noise and minimizing the risk of overfitting. The Output layer component linearly transforms the 32-dimensional vector into two final values in the Output block (energy resilience score and cyber-attack probability). The reasons for choosing such an architectural model are the following factors:

• Stable distribution of “expressiveness/resources”: The use of 64 and 32 hidden neurons provides sufficient nonlinearity, but does not overload the CPU (central processing unit) and RAM.
• Model transparency: The result is only two clearly defined indicators (energy resilience score and cyber-attack), and threshold values (0.5, 0.8) can be set without difficulty and for automatic actions.
• Compliance with legal aspects (EU AI Act): The authors’ model is compact and transparently logged (MAE, weights), which facilitates the audit process of “high-risk” AI.
• Modularity: When new devices appear in the alarm system, it is enough to scale the input layer and retrain the models, since the internal layers are already adapted for feature aggregation.

5. Scientific Discussion Evaluating the Effectiveness, Architecture, and Limitations of the Developed Model

Figure 6 shows that the growth of the attack probability indicator was recorded from the 40th minute of the experiment, which indicates early system response before the initiation of the active attack phase. At the same time, no false alarms were detected in the operating mode, so the norm was not classified as an attack. This is of particular importance, given that in typical IDS (Intruction Detection System) classes, the percentage of false positives reaches 90–99% in some cases [20]. Our system qualitatively determines the active phase without false positives, which coincides with the observations of Gupta et al., who established the possibility of detecting attacks at an early stage with high accuracy and reducing false alarms [21].

Figure 7 demonstrates the forecast of the stability of railway signaling, which was performed with minimal error: the graphs of predicted and actual values almost coincide, indicating high values of key metrics. The low mean absolute error (MAE = 0.033) and high coefficient of determination (R² = 0.94) indicate that the authors’ model convincingly interpreted the observed data. The R² coefficient, close to 1, reflects the fact that about 94% of the variation in the target indicator is explained by the model. The final indicators demonstrate high consistency between the predicted and actual values, and confirm the correctness of the model.

The architecture of the created model is simple—a fully functionally conjugate model with an input layer, two hidden layers of 64 and 32 neurons, and an output of 2 neurons (64-32-2). The total number of trainable parameters is only ≈2850, which is an insignificant number by current deep learning standards. However, the model provides high computational efficiency and a fast response time during operation. In the process of comparison with “heavy” models, it is found that reducing the number of parameters leads to a significant minimization of the model size and resource savings with equivalent accuracy. The simple architecture provides ease of introducing solutions under conditions of limited hardware resources. In the context of a comparative analysis of alternative approaches, hybrid and federated approaches are rightly considered to be advantageous: the principle of federated learning helps to train a model on several decentralized data sets, thereby increasing the ability to recognize previously unknown attacks [22]. At the same time, multi-layering entails large overhead costs. Federated learning requires high standards for computing power and network bandwidth; in addition to this, it causes an increase in the load on communication and synchronization of models. Considering the principle of hybrid learning, high-level hybrid architectures create prerequisites for using more resources and increasing the duration of the configuration stage. Taking into account the high performance of the simple model proposed by the authors, its optimized structure in this context is justified—it provides an opportunity for stable identification and forecasting with minimal computing power.

Highlighting the key aspects of the limitations of the created model in situations of multiple attacks, it is worth noting that in the current version, the model is reduced to a binary classification (“attack or not”), and does not differentiate specific types of threats. In the case of multi-vector cyber threats or failures, the model produces an aggregated assessment of stability, without providing detailed insights into each incident.. Insufficient flexibility is due to the fact that the model was trained on single scenarios, and was not tested for the analysis of several simultaneously occurring events. To eliminate the limitations, modifications to the model are necessary. One solution is to expand the output layer and transform it into multi-class or multi-label classification, which facilitates the implementation of separate identification of different types of attacks or failures. This will cause the need for retraining on heavier, combined scenarios, where the model can extract unique characteristics for each type of incident. Another solution is the use of ensembles of models or recurrent neural networks. Ensemble technologies imply the simultaneous operation of various specialized models, the results of which can be integrated to obtain a comprehensive assessment. Recurrent networks help to take into account the temporal dynamics of incidents and identify complex sequences and overlaps of attacks, which will increase the model’s ability to analyze in detail. In the context of expanding complex threats, the above tools seem necessary to strengthen operational resilience and forecasting accuracy in real operational scenarios.

6. Conclusions

This study is the first to propose the interoperability of AI in railway signaling architecture, consolidating the tasks of energy sustainability and cybersecurity within a single model. In comparison with existing solutions, where AI is used solely for diagnostics or predictive maintenance, the constructed model is an applied monitoring and forecasting solution that is interoperable with existing equipment. The interoperability of AI with the established signaling infrastructure is substantiated based on modeling, which forms the basis for the widespread use of such technologies in real systems. Our enrichment of the existing research approach consists of proposing a methodology containing model optimization and validation using MATLAB simulation, which can be extended to other critical and vulnerable systems beyond rail transport.

The following practical recommendations are given:

• Phased implementation of AI monitoring: It is advisable, from a practical point of view, to introduce the system in the “shadow” mode initially, which will allow for configuration of the model and reduce the likelihood of false positives.
• Investments in sensor upgrades and data integration: The accuracy of the model’s forecasting is associated with a linear dependence on sensors and telemetry. It seems reasonable to equip the infrastructure with additional sensors (voltage, intrusion detection) and combine data from different subsystems into a unified information space.
• Preservation of traditional security components: Given the obvious advantages of AI, it is advisable to preserve established security tools (emergency locks, “red on failure” signals) and use them in interaction with AI.
• Strengthening basic cyber defense: Simultaneously with the implementation of AI, it is envisaged to implement supporting cybersecurity measures: network segmentation, encryption of coordination commands, regular updates and professional training of personnel in cybersecurity.
• Formation of professional competencies and algorithms for personnel actions: Dispatchers must have confirmed competence to interpret the results of AI work and make prompt decisions. The created model must be integrated into current dispatch procedures, taking into account clear algorithms for actions when warnings occur.
• Scalability and additional training of the model: It is recommended to assess the likelihood of scaling and regular retraining of the model with an increase in the volume of data on actual incidents and situations close to emergency situations, and, in addition, to implement continuous validation procedures.

Future research directions are as follows:

• Digital processing of multiple and highly organized attacks: Designing multi-output and recurrent architectures to classify complex cyber threat and failure patterns;
• Incorporating AI into the digital twin: Designing digital models of signaling infrastructure to safely test complex and abnormal scenarios;
• Formation of standards and regulation: Coordinated actions with rail network regulators to develop industry standards and regulations, including legal liability for decisions made by AI;
• Expanding the functional coverage of application: Reorganization from individual sections to the entire rail network using federated learning to share data and experience between lines without violating privacy.