Access Control: From Railway Block Tokens to Cybersecurity Sessions on Limbrick Consultancy LLP

cybersecurity

access control

session management

IT best practice

digital security

railway history

historic lessons

heritage railways

risk management

technology leadership

When it comes to keeping trains — and technology — safe, the principles have not changed all that much over the centuries. In fact, some of the smartest practices in modern cybersecurity have their roots in the very earliest days of the railway.

A Truncheon, a Train, and the Birth of Access Control

In the earliest days of railways, particularly on single-line tracks, collisions were a terrifying risk. With no electronic signalling, how could railway companies stop two trains from heading toward each other on the same stretch of track?

The responsibility originally lay with the railway police, who were tasked with ensuring the safety of train movements. Drawing on their experience with policing and the authority symbolised by truncheons, they developed a system where possession of a physical object signified the right to proceed. This practice evolved into the use of a block token: a physical item that granted exclusive access to a section of track. If a train driver had the token, they were the only train allowed on that stretch. No token? No movement. It was a clear, unmistakable form of control.

Later, block tokens evolved into complex systems of electrically locked instruments, but the principle stayed the same: only one train could have the right of way at a time.

Fun fact: even today, railway signalmen are sometimes affectionately known as Bobbies — a nod to those original railway police. The nickname itself traces back to Sir Robert Peel, founder of modern policing in Britain.

As someone who is proud to serve as a director of a heritage railway, I see daily how these traditions are still respected and preserved. It is a reminder that good systems — whether on the track or in technology — are built on clear authority, trust, and well-managed control.

What This Means for IT Today

Fast forward to our connected digital world, and the concept of the single token of authority still underpins some of the most critical parts of cybersecurity:

Access Control: When users log into a system, they are issued a secure session token. This token confirms their right to access the system — just as a driver’s block token confirmed their right to the track.
Session Management: Tokens are time-limited and controlled. If someone tries to use an old, copied, or stolen token, the system will reject it — just like a driver could not duplicate a block token to access multiple sections at once.
Preventing Collisions: Without proper session control, two users might access the same resource simultaneously, leading to data conflicts, corruption, or worse. Token-based access ensures orderly, safe operations.

Just as the railways knew they could not trust every driver to simply "check the line was clear," modern systems know they cannot just trust every user request. Authority must be granted, verified, and tightly controlled.

What We Can Learn

Whether managing trains or technology, the lesson is the same: clear, well-managed authority prevents accidents. Systems work best when it is obvious who has the right to do what — and when that authority cannot be faked or guessed.

For anyone responsible for systems, data, or even day-to-day processes in schools and organisations, the takeaway is simple:

Make sure access to sensitive systems is properly controlled and documented.
Use secure login methods like two-factor authentication wherever possible.
Regularly review who has access to important systems and remove unnecessary permissions.

Good security is not about trusting everyone to 'check the line is clear' — it is about having clear signals, clear authority, and clear processes. Just as it was on the railways all those years ago.