
Information Security Vulnerabilities of Trains

April 25, 2016, by Daniel Dimov

1. Introduction

Since the invention of the steam locomotive, there have been continuous technological developments in railway transport. For example, the AGV Italo (a train that entered service in April 2012) has a maximum speed of 360 km/h (about 223 miles per hour), whereas the locomotive "Blucher", built in 1814, managed only 4 miles per hour. The technological developments in the railway industry bring speed and comfort to passengers, but they also introduce information security challenges, because the systems that control modern trains are networked computers.


This article examines security vulnerabilities in three railway infrastructure components: the Siemens Railway Automation System (Section 2), computer-based interlocking (Section 3) and GSM-R SIM cards (Section 4). Section 5 discusses the consequences of information security attacks on trains, Section 6 reviews two past attacks on railway infrastructure, and Section 7 draws a conclusion.

2. Siemens Railway Automation System (SIBAS)

SIBAS (Siemens Bahn Automatisierungssystem, the Siemens Railway Automation System) is a train control system used on many European railways. In December 2015, three security researchers presented weaknesses in WinAC RTX, a Siemens software PLC that runs on Windows and is used as a SIBAS component, and argued that they may allow an attacker to influence train operations. The weaknesses they described are architectural rather than a single bug: the system relies on widely known protocols (e.g., XML over HTTP), a self-written web server and a self-written XML parser. Hand-written servers and parsers rarely receive the scrutiny that mature libraries do and are a classic source of input-handling and memory-safety flaws, and plain HTTP provides neither confidentiality nor integrity, so it opens the door to man-in-the-middle (MITM) attacks. In a MITM attack the attacker secretly relays, and possibly alters, the traffic between two parties who believe they are communicating directly with each other; neither party notices that the network between them is compromised.
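The following script is an added example and is not code from the article, from Siemens or from the researchers; it does not model SIBAS, WinAC RTX or any real Siemens protocol. The `<command>` document, its field names and the shared key are invented for illustration. It shows the MITM problem described above in miniature: a control command carried as XML over plain HTTP can be rewritten in transit and the receiver parses the altered document without complaint, whereas the same command protected by a keyed MAC over a fresh nonce lets the receiver reject both the altered message and a replay of the original. In a real deployment the integrity and confidentiality would normally come from TLS with mutual authentication rather than a hand-rolled MAC; the HMAC here isolates the integrity point.

```python
"""Plaintext XML-over-HTTP control traffic vs. an integrity-protected message.

Added example. The command format, element names and SHARED_KEY are
assumptions for illustration, not any real railway protocol.
"""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SHARED_KEY = b"example-key-not-for-production"  # assumption: pre-shared per device


def build_command(target: str, action: str, value: int) -> bytes:
    """Serialise a hypothetical control command as the XML body of an HTTP request."""
    root = ET.Element("command")
    ET.SubElement(root, "target").text = target
    ET.SubElement(root, "action").text = action
    ET.SubElement(root, "value").text = str(value)
    return ET.tostring(root, encoding="utf-8")


def parse_command(body: bytes) -> dict:
    """Parse the body into a dict; a plain receiver cannot tell whether it was altered."""
    root = ET.fromstring(body)
    return {child.tag: child.text for child in root}


def mitm_alter(body: bytes, new_value: int) -> bytes:
    """Simulate an on-path attacker rewriting the <value> element in transit."""
    root = ET.fromstring(body)
    root.find("value").text = str(new_value)
    return ET.tostring(root, encoding="utf-8")


def sign(body: bytes, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag over a fresh random nonce plus the body."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, nonce.encode() + body, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "tag": tag, "body": body}


def verify(message: dict, key: bytes, seen_nonces: set) -> bool:
    """Accept only if the tag matches (constant-time compare) and the nonce is new."""
    expected = hmac.new(key, message["nonce"].encode() + message["body"],
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return False          # altered body or wrong key
    if message["nonce"] in seen_nonces:
        return False          # replay of an earlier, genuine message
    seen_nonces.add(message["nonce"])
    return True


def demo_unprotected() -> dict:
    """Plain HTTP: the receiver acts on the attacker's value without noticing."""
    body = build_command("switch-17", "set-speed-limit", 40)
    altered = mitm_alter(body, 160)
    return parse_command(altered)


def demo_protected() -> tuple:
    """Returns (genuine accepted, tampered rejected, replay rejected)."""
    seen = set()
    msg = sign(build_command("switch-17", "set-speed-limit", 40), SHARED_KEY)
    ok_genuine = verify(msg, SHARED_KEY, seen)
    tampered = dict(msg, body=mitm_alter(msg["body"], 160))   # same nonce and tag
    ok_tampered = verify(tampered, SHARED_KEY, seen)
    ok_replay = verify(msg, SHARED_KEY, seen)                  # genuine message again
    return ok_genuine, ok_tampered, ok_replay


if __name__ == "__main__":
    print("unprotected receiver sees:", demo_unprotected())
    print("protected receiver (genuine, tampered, replay):", demo_protected())
```

Note that the nonce only stops replays within the receiver's memory of seen nonces; a production design would bound that memory with a timestamp window, and would still need TLS to keep the command itself confidential.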

3. Computer-based interlocking (CBI)

Computer-based interlocking (CBI) is a signaling system that prevents conflicting routes from being set, for example two trains being routed onto the same section of track at the same time. Because CBI runs on general-purpose computers operated by people, it is exposed to social engineering: an attacker manipulates a legitimate CBI user into installing and executing malicious code on the system. A lack of information security awareness is one of the main reasons why social engineering succeeds, and many organizations in the railway sector lack such awareness. For example, in 2015 a BBC documentary inadvertently revealed a login and password used at a rail control center: they were written on a piece of paper stuck to a monitor. Although the login was relatively long (CO-WSX-WGO 01A), the password was very simple (Password3). The operators thus broke two basic information security rules: (1) login credentials should not be left exposed, and (2) weak passwords should be avoided. A third lesson follows from the incident: credentials that have been shown on camera, or otherwise disclosed, must be treated as compromised and changed immediately.

4. GSM-R SIM cards

Some train operators use GSM-R (GSM for Railways) SIM cards to connect trains to control centers. Although the GSM-R link is encrypted (with the GSM A5 algorithms, whose A5/1 variant has publicly known practical weaknesses), an attacker does not need to break the encryption to interfere with it: a GSM jammer blocks the connection between the train and the control center. A jammer floods the relevant frequency band with noise so that the receiver can no longer hear the base station. Although most jurisdictions prohibit the use of jammers, such devices can easily be bought online and are used, often illegally, in schools (to keep students from being distracted), prisons (to prevent illicit communication by inmates) and cinemas (to stop phones from ringing). According to security researchers, trains operating under the European Train Control System (ETCS) automatically stop if the connection between the train and the control center is interrupted. This is a deliberate fail-safe: when the train can no longer confirm its movement authority, it brakes. Jamming therefore does not make a train unsafe, but it does let an attacker halt trains at will, so the attack degrades the availability of the railway rather than its safety.

Another problem is that users of GSM-R SIM cards rarely change the default PIN, 1234. In published analyses of leaked PINs, 1234 is the most common code, 1111 the second and 0000 the third. An attacker who gets hold of a SIM, or of the terminal holding it, can try the handful of most common codes first and, with a default PIN, will succeed on the first attempt. Two caveats apply. A SIM normally locks after three wrong PIN attempts and then requires the PUK, so PIN guessing is not a brute-force attack but an attack on defaults and poor choices. And the PIN protects only the SIM against use by whoever holds it; it does nothing for the radio link. To reduce the risk, users of GSM-R SIM cards should set a random PIN, and six-digit PINs are preferable to four-digit ones (a million combinations instead of ten thousand).
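Both the "Password3" sticky note in Section 3 and the default PIN 1234 in this section are failures of the same kind: a credential an attacker will try first. The following added example (not from the article) shows the checks a practitioner would put in front of credential enrolment for such systems: a PIN policy that rejects published common PINs, repeated or sequential digits and date-like patterns and generates a random six-digit replacement, and a password policy that rejects a dictionary word padded with digits. The blocklists are short constructed samples; a real deployment would load the full published common-PIN table and a large breached-password list. The thresholds (6 digits, 12 characters, 3 character classes) are assumptions chosen for the example.

```python
"""Credential-hygiene checks for default SIM PINs and weak operator passwords.

Added example, not from the article. COMMON_PINS and COMMON_WORDS are short
constructed samples; length and class thresholds are assumptions.
"""
import secrets
import string

COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969"}
COMMON_WORDS = {"password", "welcome", "letmein", "train", "rail", "admin"}
MIN_PIN_LENGTH = 6
MIN_PASSWORD_LENGTH = 12


def is_sequential(digits: str) -> bool:
    """True for runs such as 1234 or 4321: every adjacent pair differs by exactly 1."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def looks_like_date(digits: str) -> bool:
    """Four-digit PINs that read as MMDD, DDMM or a year 1900-2099 are easy guesses."""
    if len(digits) != 4:
        return False
    a, b = int(digits[:2]), int(digits[2:])
    mmdd = 1 <= a <= 12 and 1 <= b <= 31
    ddmm = 1 <= b <= 12 and 1 <= a <= 31
    return mmdd or ddmm or 1900 <= int(digits) <= 2099


def check_pin(pin: str) -> list:
    """Return the reasons a PIN is weak; an empty list means it is acceptable."""
    if not pin.isdigit():
        return ["PIN must be digits only"]
    reasons = []
    if len(pin) < MIN_PIN_LENGTH:
        reasons.append("shorter than 6 digits")
    if pin in COMMON_PINS:
        reasons.append("in common-PIN list")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if looks_like_date(pin):
        reasons.append("looks like a date or year")
    return reasons


def check_password(pw: str) -> list:
    """Return the reasons a password is weak; catches 'word + digit' like Password3."""
    reasons = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        reasons.append("shorter than 12 characters")
    # Strip trailing digits/punctuation so 'Password3' and 'password!!' reduce to 'password'.
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        reasons.append("dictionary word plus digits/punctuation")
    classes = sum(
        any(c in group for c in pw)
        for group in (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)
    )
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def generate_pin(length: int = MIN_PIN_LENGTH) -> str:
    """Draw a PIN from a CSPRNG and resample until it passes check_pin."""
    while True:
        pin = "".join(secrets.choice(string.digits) for _ in range(length))
        if not check_pin(pin):
            return pin


if __name__ == "__main__":
    for candidate in ("1234", "1111", "0000", "2000", "839201"):
        print(candidate, check_pin(candidate) or "ok")
    print("Password3", check_password("Password3"))
    print("suggested PIN:", generate_pin())
```

Rejecting a few hundred predictable PINs removes only a negligible slice of the six-digit space, so the generator loses essentially no entropy while guaranteeing that the issued PIN is never one an attacker would try first.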

5. Consequences of information security attacks on trains

Information security attacks on trains are not futuristic fantasies. A letter from the U.S. National Defense Research Institute (NDRI) to the U.S. Secretary of Defense shows how seriously such threats are taken. It describes, as a hypothetical scenario, the consequences of a rail-related cyberattack:

"An Amtrak Acela Express Train traveling at 150 mph slammed into an apparently misrouted freight train near Laurel, Maryland. The Maryland State Police estimated that the train wreck had killed over 60 passengers and crew and critically injured another 120 persons. Within three hours, the National Transportation Safety Board's (NTSB) Chief Rail Investigator notified the Secretary of Transportation that there was 'clear evidence' that the freight train had been misrouted onto Acela track with 'some evidence' pointing to a sophisticated intrusion into the East Coast Train Control System."

Rail-related cyber attacks may affect not only the safety of passengers and railway workers but also the revenue of train operators and the reliability of railway transport in general. The direct costs of an attack may run to millions of dollars. By way of illustration, the damage from the Washington, D.C. Metro collision of 22 June 2009, which was caused by a faulty track circuit rather than an attack, was estimated at USD 12 million; a collision deliberately induced through a signaling system would cost at least as much. A train operator would have to bear not only the direct costs but also the reputational damage caused by the attack, which may be severe and long-lasting. Cyber attacks on trains may undermine confidence in the reliability of rail transport and thereby shift the transportation preferences of entire populations: if rail is perceived as unreliable, many people will choose road or air transport instead.

6. Discussion of past attacks on trains

In this section, we discuss two cyber attacks on railway infrastructure: a malware attack on a Ukrainian railway operator (Section 6.1) and an attack on a web page of Indian Railways' Railnet (Section 6.2).

6.1 Malware attack on the Ukrainian railway operator

Security researchers at Trend Micro reported that a large railway operator in Ukraine (along with a mining company) had been hit by the BlackEnergy Trojan. The conclusion was drawn from a combination of telemetry from Trend Micro's Smart Protection Network and open-source intelligence. BlackEnergy enters a system through a spear-phishing email carrying an Office document with a malicious macro; when the recipient opens the document and enables macros, the malware is installed. The KillDisk component deployed alongside it can delete critical system files and leave the machine unbootable, and some versions trigger only after a predetermined delay, so the damage appears well after the initial infection.
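The delivery vector described above, a document carrying macros, is something a mail gateway can check for without running the document. The following added example (not from the article, Trend Micro or ESET) does that for the two Office container formats: modern `.docx`/`.docm`/`.xlsm` files are ZIP archives in which VBA code lives in a `vbaProject.bin` entry, while legacy `.doc`/`.xls` files are OLE2 compound files (magic bytes `D0 CF 11 E0 A1 B1 1A E1`) that need an OLE parser such as oletools to inspect and are therefore flagged for deeper analysis. The sample attachments are constructed in memory, the `vbaProject.bin` content is a placeholder rather than real VBA, and the quarantine policy is an assumption.

```python
"""Gateway check for macro-bearing Office attachments (spear-phishing vector).

Added example. Sample attachments are constructed in memory; the VBA entry is
a placeholder. The quarantine policy is an assumption for illustration.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsx/.xlsm ...)
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")  # formats that must not carry VBA


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'macro', 'macro-disguised', 'legacy-ole', 'clean' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        # Binary Office file: may contain VBA streams; needs an OLE parser to be sure.
        return "legacy-ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            # A .docx/.xlsx extension promises a macro-free document; a VBA
            # project inside one is a mismatch worth treating as hostile.
            if name.lower().endswith(MACRO_FREE_EXTENSIONS):
                return "macro-disguised"
            return "macro"
        return "clean"
    return "unknown"


def should_quarantine(name: str, data: bytes, sender_external: bool) -> bool:
    """Policy (assumption): hold macro-bearing and legacy Office docs from outside."""
    verdict = classify_attachment(name, data)
    return sender_external and verdict in ("macro", "macro-disguised", "legacy-ole")


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container, optionally with a VBA entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", make_ooxml(True)),
        ("invoice.docx", make_ooxml(True)),
        ("report.docx", make_ooxml(False)),
        ("old-schedule.xls", OLE2_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text"),
    ]
    for fname, blob in samples:
        print(fname, classify_attachment(fname, blob),
              "quarantine" if should_quarantine(fname, blob, True) else "deliver")
```

The check is deliberately conservative: it cannot tell a benign macro from a malicious one, so it routes anything with VBA from an external sender to quarantine or sandbox analysis rather than trying to judge the code itself.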

BlackEnergy can have serious consequences for public infrastructure. For example, on 23 December 2015 it was involved in a power outage in Ukraine that left more than 80,000 residents without electricity for almost six hours. The Ukrainian Computer Emergency Response Team (CERT-UA) reported that BlackEnergy had been found on computers of Prykarpattyaoblenergo, a regional electricity distribution company. According to the U.S. cyber intelligence firm iSIGHT Partners, a Russian hacking group known as Sandworm caused the outage. John Hultquist, iSIGHT's director of espionage analysis, said: "It is a Russian actor operating with alignment to the interest of the state."

6.2 The attack on a web page of Indian Railways' Railnet

In 2016, the terrorist group al-Qaida allegedly hacked a web page of Indian Railways' Railnet. The hacked page was replaced with a statement purported to be written by Maulana Aasim Umar, al-Qaida chief in south Asia. The message was addressed to all Indian Muslims and contained various religious pronouncements, such as "Will the land of Delhi not give birth to a Shah Muhadith Delhvi who may once again teach the Muslims of India the forgotten lesson of Jihad and inspire them to take to the battlefields of Jihad?"

Public infrastructure components are common targets of cyber terrorists. For example, U.S. intelligence reported that two al-Qaida-affiliated groups (the Al Qaeda Digital Army and the Tunisian Electronic Army) had called on jihadists worldwide to conduct information security attacks on U.S. public infrastructure. An excerpt of the call follows:

"We bring you glad tidings that the 'Al-Qa'ida Digital Army' and the 'Tunisian Electronic Army' are preparing and mobilizing members to carry out a comprehensive electronic raid to target the vital services of the United States of America."

The attack on Indian Railways' Railnet and the call quoted above indicate that further cyber attacks on public infrastructure, including railway infrastructure, are to be expected. If governments do not take sufficient cyber security measures, such attacks may have a long-lasting detrimental impact.

7. Conclusion

This article initially examined security vulnerabilities related to Siemens Railway Automation System, computer-based interlocking, and GSM-R SIM cards. According to security researchers, these three railway infrastructure components have security vulnerabilities which may allow criminals to hack railway networks. Further risk-based analysis is required with regard to other components of railway infrastructure, such as electronically controlled pneumatic (ECP) brakes, knowledge display interfaces (KDI), track forces terminals (TFTs), wayside equipment sensors, wayside track sensors, intelligent grade crossings (IGC), and yard management systems (YMS).

Since attacks on components of railway infrastructure may have serious consequences for (i) the safety of passengers, (ii) the revenue of train operators and (iii) the reliability of railway transport in general, governments and manufacturers should make sure that the identified security vulnerabilities are eliminated. Because attacks on railway infrastructure may take the form of social engineering (see Section 6.1) and terrorist attacks (see Section 6.2), preventive measures against rail-related cyber attacks should encompass (i) increased cyber security awareness, (ii) enhanced cooperation between railway operators and specialized anti-terrorist departments, and (iii) prohibition of public instructions on how to conduct penetration tests of railway infrastructure. The publication of such instructions may provide terrorists with valuable information about the security vulnerabilities of railway infrastructure.

When assessing the impact of future cyber attacks on trains, it is worth remembering the words of former U.S. Defense Secretary Leon Panetta, who warned that "the next Pearl Harbor that we confront could very well be a cyber-attack."


References

  1. Chen, C., Huang, M., Ou, Y., 'Detecting Web-Based Botnets with Fast-Flux Domains', in: 'Advances in Intelligent Systems and Applications - Volume 2', Proceedings of the International Computer Symposium ICS 2012, Hualien, Taiwan, 12-14 December 2012, Pan, J., Yang, C., Lin, C. (Eds.).
  2. Cluley, G., 'Oops! Train control centre passwords revealed on BBC TV', 1 May 2015. Available at https://www.grahamcluley.com/2015/05/train-control-centre-passwords-revealed/ .
  3. Edwards, F., and Goodrich, D., 'Introduction to Transportation Security', CRC Press, 2012.
  4. Finkle, J., 'U.S. firm blames Russian "Sandworm" hackers for Ukraine outage', Reuters, 7 January 2016. Available at http://www.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUSKBN0UM00N20160108 .
  5. Horn, L., 'The 20 Most Common PINs are Painfully Obvious', Gizmodo, 26 September 2012. Available at http://gizmodo.com/5946582/the-20-most-common-pins-are-painfully-obvious .
  6. Hughes-Wilson, J., 'On Intelligence: The History of Espionage and the Secret World', Hachette UK, 2016.
  7. 'Indian Railways Website Allegedly Hacked by al-Qaida', NDTV Gadgets, 2 March 2016. Available at http://gadgets.ndtv.com/internet/news/indian-railways-website-allegedly-hacked-by-al-qaida-808871 .
  8. Koret, J., and Bachaalany, E., 'The Antivirus Hacker's Handbook', John Wiley & Sons, 2015.
  9. Kovacs, E., 'Trains Vulnerable to Hacker Attacks: Researchers', SecurityWeek, 29 December 2015. Available at http://www.securityweek.com/trains-vulnerable-hacker-attacks-researchers .
  10. Lagazio, M., 'A taxonomy of cyber crime in the financial sector: a comprehensive approach to countermeasures', in: 'Managing Cyber Risk in the Financial Sector: Lessons from Asia, Europe and the USA', Taplin, E. (Ed.), Routledge, 2016.
  11. Leyden, J., 'BlackEnergy Trojan also hit Ukrainian mining firm and railway operator', The Register, 15 February 2016. Available at http://www.theregister.co.uk/2016/02/15/blackenergy_trojan_trend_micro/ .
  12. Mraz, S., 'The latest in high-speed train technology', Machine Design, 17 November 2011. Available at http://machinedesign.com/news/latest-high-speed-train-technology .
  13. 'Top ten fastest trains in the world', Railway Technology, 29 August 2013. Available at http://www.railway-technology.com/features/feature-top-ten-fastest-trains-in-the-world .
  14. Zetter, K., 'Hackers Breached Railway Network, Disrupted Service', Wired, 24 January 2012. Available at http://www.wired.com/2012/01/ra

Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.