The security behind: Trains and railways
20/02/2024 Podcast
Felix introduces the topic of railway cybersecurity, encompassing various types of railways globally, including passenger and freight trains. He acknowledges the public’s concern over the potential hacking of trains and the disruptions it can cause. Felix notes that railway suppliers have recently begun to take cybersecurity more seriously, a change driven by the need to update industrial control systems and address vulnerabilities, especially in older legacy systems.
Felix then delves into the extensive attack surface of rail networks, dividing it into three main categories: track-side equipment, train equipment, and operations centres. He describes the complexities involved in each category, such as power distribution, presence sensors, heating for points, signalling, and various train systems including engine management, electronic doors, communications, and passenger amenities. Operations centres, he notes, handle aspects like platform management, traffic control, display boards, timetabling, and police communications, adding further layers to the network’s complexity.
The podcast discusses the motives behind attacking train networks, considering them critical national assets. Felix lists potential attackers including state-aligned groups, terrorists, activists, disgruntled employees, and individuals seeking free travel. The aim of these attacks usually revolves around disrupting or stopping train operations. He explains that stopping a train could involve a range of strategies affecting various aspects of the train and track systems, with each type of attack requiring different levels of skill and determination.
Felix recounts several high-profile cyber attacks on railways, such as the four attacks on the UK rail network in 2016, the hacking of Indian railways in 2022 leading to the theft of passenger records, and a ransomware attack on the Swiss railways in 2023. These incidents highlight different methods of cyber attacks, from operational disruptions to data theft.
He also describes low-end attacks, like the one by activists in the United States in 2016 using car jumper cables to disrupt track signals, and a simple attack in Poland in 2023 that triggered emergency stops on trains. These attacks, while simpler, effectively demonstrate vulnerabilities in railway systems.
The podcast touches on the issue of digital rights management (DRM) in railways, discussing a case where trains were rendered inoperable due to built-in lockout mechanisms by the manufacturer, highlighting ethical and legal concerns in cybersecurity.