Infrastructure at risk: can trains be hacked?


Interfering with supply chains, ransomware attacks, causing accidents – what risks do cybercriminals pose to the railway industry? With rising political tensions, cybercriminals might be attacking critical infrastructures, and railways are potential targets, warns a cybersecurity expert.

Many industries currently face rising cybersecurity concerns. The growing number of cyber threats shows that malicious actors are pursuing not only financial gain but also attacks on critical infrastructure.

In May, the US State Department warned that China is capable of launching cyberattacks against critical United States infrastructure, including oil and gas pipelines, and railway systems after researchers discovered a Chinese hacking group had been spying on such networks.

Europe is also witnessing rising numbers of cyberattacks against its governmental and strategic organizations. While most of the attacks are limited to DDoS attacks, causing only short-term nuisance, is there real damage that hackers could potentially cause to infrastructures, such as transportation?

While at first trains might not seem like the most obvious targets for cybercriminals, the ability to “hack” a train is real. Modern trains and railways have complex digital systems for control and navigation, and, of course, everything that’s digital can also be hacked.

In 2022, an anonymous hacktivist group managed to stop trains in Belarus to disrupt Russia’s military build-up in Ukraine. The attack served a political purpose and attempted to disrupt military aggression. However, the fact that hackers were able to access such critical infrastructure is a cause for concern.

We sat down to talk about railway cybersecurity with Amir Levintal, Co-founder and CEO at Cylus, a cybersecurity firm focusing on the railway industry. Levintal served for 22 years in the elite technological unit of the intelligence corps in Israel and led a cyber research and development division.

From stealing data to disrupting supply chains

Levintal identifies two main threats to railways. One is in a non-operational environment and affects railway companies’ data, which can be stolen and exploited.

For example, in April, Cybernews reported an attack on the Alaska Railroad Corporation (ARRC), where cybercriminals stole sensitive information about the company’s vendors and employees from its systems. This included highly sensitive information such as Social Security numbers, medical and health insurance information, drug screening results, work evaluations, and birth or marriage certificates.

In March, a similar case occurred in the Netherlands. The Dutch national railway warned about 780,000 customers that their personal data – e-mail addresses, telephone numbers, and names – may have been accessed by external parties when the networks of a software supplier were breached.

Another significant cyber threat is in the operational environment. Malicious actors can disrupt the functioning of trains, ranging from stopping them or manipulating their speeds to sabotaging operations by tampering with railway switches or even causing intentional collisions. Additionally, there’s a looming concern of physical ransomware attacks, wherein malicious actors prevent trains from moving until their ransom demands are met.

The act of halting trains presents significant dangers, as it not only hinders individuals' mobility between locations but also disrupts vital supply chains. It can cause potential disruptions to military logistics and pose a risk to national security.

The disruption of food supply chains would be a concerning issue if malicious actors were to exploit train controls. Freight trains carrying perishable goods, such as livestock or meats, are particularly vulnerable. In the event of a train stoppage, the interruption could result in spoilage and damage to valuable cargo.

In 2022, there was a case in Denmark when trains were stopped for a couple of hours because a third-party IT service provider was hit by a ransomware attack. The affected company provided a mobile application that train drivers used to access critical operational information, such as speed limits and information on work being done to the railroad.

Trains are autonomous – which makes them vulnerable

Levintal points out that the cybersecurity concerns of trains, which have already been operating autonomously for the past 10-15 years, receive considerably less attention than the security concerns of autonomous cars, an industry still in its development phases.

Advanced Driver Assistance Systems (ADAS) used by autonomous cars typically rely on sensors with a range on the order of 100 meters to make driving decisions, but intercity trains have much longer braking distances, sometimes up to one kilometer. Consequently, more complex solutions are needed for train safety.

“All the decisions are being made by the center and the trains are being controlled through wireless communication. The control center can control the train,” he explains.

Levintal says that the main attack vector by malicious actors is exploiting these wireless communications.

“Hackers can gain control over the train. They can use the same wireless communication to control the transit, increase the speed, decrease the speed, stop the trains, and so on. This is the main threat to them,” he continues.

Trains are controlled via standardized digital communication. In Europe, there is the European Rail Traffic Management System (ERTMS), which can control the speed of trains and stop them in case of danger. ERTMS is the European standard for automatic train control systems, and it helps railways to be interoperable within different countries in Europe.
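The threat Levintal describes rests on one question: does the train check who sent a command it received over the radio, and whether it has seen that command before? The following toy, added here as an illustration and not code from the article, from Cylus, or from any ERTMS/EuroRadio specification, puts a receiver that accepts any well-formed frame next to one that verifies origin with an HMAC and freshness with a monotonic counter. The message format, the command names and the shared key are invented for the example.

```python
"""Toy train-control radio link: unauthenticated vs authenticated receiver.

Added illustration. The frame format, commands and key below are invented
and are NOT the ERTMS/EuroRadio protocol; the point is only what a
receiver must check before acting on a frame from a shared radio channel.
"""
import hashlib
import hmac
import json

# Constructed shared key that the control centre and the train would be
# provisioned with out of band. Never hard-code a real key like this.
TRAIN_KEY = b"example-shared-key-do-not-use"


def encode_command(counter: int, command: str, value: int) -> bytes:
    # Canonical JSON so sender and receiver MAC exactly the same bytes.
    return json.dumps({"ctr": counter, "cmd": command, "val": value},
                      sort_keys=True).encode()


def sign_command(key: bytes, counter: int, command: str, value: int) -> bytes:
    """Frame = body | hex(HMAC-SHA256(key, body))."""
    body = encode_command(counter, command, value)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"|" + tag.hex().encode()


class NaiveTrain:
    """Acts on any syntactically valid frame: anyone on the channel drives it."""

    def __init__(self):
        self.speed_limit = 0
        self.log = []

    def receive(self, frame: bytes) -> bool:
        body = frame.split(b"|", 1)[0]
        self._apply(json.loads(body))
        return True

    def _apply(self, msg):
        if msg["cmd"] == "SET_SPEED":
            self.speed_limit = msg["val"]
        elif msg["cmd"] == "STOP":
            self.speed_limit = 0
        self.log.append((msg["cmd"], msg["val"]))


class AuthenticatedTrain(NaiveTrain):
    """Checks origin (HMAC over the body) and freshness (strictly rising counter)."""

    def __init__(self, key: bytes):
        super().__init__()
        self.key = key
        self.last_counter = -1

    def receive(self, frame: bytes) -> bool:
        try:
            body, tag_hex = frame.rsplit(b"|", 1)
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return False                      # malformed frame
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or tampered body
        msg = json.loads(body)                # body is authentic at this point
        if msg["ctr"] <= self.last_counter:
            return False                      # replay of an old genuine frame
        self.last_counter = msg["ctr"]
        self._apply(msg)
        return True


def demo() -> dict:
    """Drive both receivers with a genuine, a forged, a tampered and a replayed frame."""
    legit = sign_command(TRAIN_KEY, 1, "SET_SPEED", 80)
    # Attacker on the same channel has no key, so the tag is a guess.
    forged = encode_command(2, "SET_SPEED", 200) + b"|" + b"00" * 32
    # Attacker records the genuine frame and edits the value in transit.
    tampered = legit.replace(b"80", b"99", 1)
    naive, auth = NaiveTrain(), AuthenticatedTrain(TRAIN_KEY)
    return {
        "naive_accepts_forged": naive.receive(forged),
        "naive_speed": naive.speed_limit,
        "auth_accepts_legit": auth.receive(legit),
        "auth_rejects_forged": not auth.receive(forged),
        "auth_rejects_tampered": not auth.receive(tampered),
        "auth_rejects_replay": not auth.receive(legit),
        "auth_speed": auth.speed_limit,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive receiver ends up with a speed limit of 200 set by a party that never held the key; the authenticated one accepts the genuine frame once and rejects the forgery, the edited copy and the replay. A real deployment also has to handle key provisioning, counter resynchronisation after a link loss and a safe fallback (stopping) when frames stop arriving, none of which this toy covers.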

While standardized train control systems contribute to efficiency in the railway industry, the same standardization also opens the door for attackers to break into these systems on a wide scale: a single technique works against every railway that runs the same system.

“The ability to make an impact on a huge network is a very big threat to the rail industry,” states the cybersecurity expert.

Human error is always a threat

Another danger to the cybersecurity of the railway industry, according to Levintal, is human error. The train control systems are maintained by numerous people, increasing the risks of systems being insecurely connected to the internet or employees using laptops infected with malware.

The rail industry faces a significant challenge with the longevity of its systems. While cars typically last no more than a decade, trains are expected to remain in service for around 30 years. Consequently, many of the train control systems currently in use were designed a decade or more ago.

“Advanced cybersecurity wasn't there when they were designed. Cyber attackers have more resources today than 15 years ago and they know how to attack them,” says Levintal.

Also, train control systems include an extensive range of elements such as switches, light signals, and other components. Maintaining such a complex system is challenging, particularly as the operators often possess outdated PDFs or Excel files from years ago, and it is not always clear where information is stored.

Levintal emphasizes that having monitoring systems that provide visibility into what happens within the network, and what kind of components are in the network is essential.
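The two problems above, a documented inventory that lives in old PDFs or spreadsheets and no view of what actually talks on the network, are usually attacked together: take the paper inventory as a baseline and reconcile it against what a passive sensor observes. The script below is an added example, not code from the article or from Cylus. Both data sets are constructed: the baseline CSV stands in for an operator's spreadsheet, the flow CSV for a sensor's summarised traffic, and the subnet, names, addresses and port numbers are invented. It reports unknown devices on the signalling segment, known devices serving ports nobody documented, connections leaving the segment (the "insecurely connected to the internet" case), and documented assets that never appear on the wire.

```python
"""Reconcile a documented rail-network asset list against observed traffic.

Added example. BASELINE_CSV and FLOWS_CSV are constructed stand-ins for an
operator's spreadsheet inventory and a passive sensor's flow summary.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed: the signalling segment the sensor watches.
OT_NETWORK = ipaddress.ip_network("10.20.0.0/24")

# Constructed: what the operator believes is on the segment. allowed_ports
# are the services each asset is documented to serve (';'-separated).
BASELINE_CSV = """asset,ip,role,allowed_ports
interlocking-01,10.20.0.10,interlocking,502
rbc-01,10.20.0.20,radio_block_centre,443;5000
signal-ctl-09,10.20.0.90,signalling,502
maint-laptop-04,10.20.0.150,maintenance,
"""

# Constructed: flows as a passive sensor would summarise them.
FLOWS_CSV = """src_ip,dst_ip,dst_port,proto,packets
10.20.0.20,10.20.0.10,502,tcp,1200
10.20.0.150,10.20.0.10,502,tcp,40
10.20.0.150,198.51.100.7,443,tcp,300
10.20.0.77,10.20.0.10,502,tcp,15
10.20.0.20,10.20.0.10,22,tcp,3
"""


def load_baseline(text: str) -> dict:
    """Map ip -> {asset, role, ports} from the spreadsheet export."""
    assets = {}
    for row in csv.DictReader(io.StringIO(text)):
        ports = {int(p) for p in row["allowed_ports"].split(";") if p}
        assets[row["ip"]] = {"asset": row["asset"], "role": row["role"], "ports": ports}
    return assets


def load_flows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(assets: dict, flows: list) -> dict:
    """Compare observed flows with the documented inventory and return findings."""
    unknown = set()
    findings = defaultdict(list)
    seen = set()

    def name(ip):
        return assets[ip]["asset"] if ip in assets else ip

    for f in flows:
        src, dst, port = f["src_ip"], f["dst_ip"], int(f["dst_port"])
        for ip in (src, dst):
            if ipaddress.ip_address(ip) in OT_NETWORK:
                seen.add(ip)
                if ip not in assets:
                    unknown.add(ip)           # talks on the segment, not documented
            else:
                # Traffic crossing the segment boundary, e.g. a laptop reaching out
                findings["outside_ot_network"].append((name(src), dst, port))
        if dst in assets and port not in assets[dst]["ports"]:
            # Known asset serving a port the inventory does not list
            findings["unexpected_service"].append((name(dst), port, name(src)))

    for ip, a in assets.items():
        if ip not in seen:
            findings["stale_inventory"].append(a["asset"])  # documented, never observed

    findings["unknown_device"] = sorted(unknown)
    return dict(findings)


def run_example() -> dict:
    return reconcile(load_baseline(BASELINE_CSV), load_flows(FLOWS_CSV))


if __name__ == "__main__":
    for category, items in run_example().items():
        print(category)
        for item in items:
            print("   ", item)
```

On the constructed data this flags 10.20.0.77 as an undocumented device talking Modbus/TCP to the interlocking, SSH on the interlocking that no inventory row mentions, the maintenance laptop reaching an address outside the segment, and signal-ctl-09 as a documented asset that never appeared. Each finding is a question for the operator rather than a verdict; the value is that the spreadsheet and the wire are finally compared at all.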

“When people use a train, they usually think about safety because it's the safest mode of transportation until there is an accident. Usually, it's safe, but cyber attacks might impact this,” he says.

“Usually, if something works, you don't want to change anything because it works. With cybersecurity, whenever there’s a new patch or an update, you want to upgrade. This is the main challenge in rail. If everything works, they want to continue, they won't patch this, then they won't do anything in cyber security.”