Rail signalling upgrade could expose network to cyber-attacks

Posted: 24 April 2015

The BBC has reported a planned rail signalling upgrade may be vulnerable to cyber-attacks that could cause a serious crash.

The new hi-tech signalling technology, known as European Rail Traffic Management System (ERTMS), is currently being tested by Network Rail and is due to be implemented in the 2020s. Once applied, ERTMS will report critical safety information including how fast the trains should go and how long they will take to stop. The system is ultimately designed to reduce driver error and create a safer network.

However, according to today’s BBC interview with Professor David Stupples, an expert in networked electronic and radio systems at City University in London, someone could hack into the system and cause a “nasty accident” or “major disruption”. The professor noted that the system is currently protected against an external attack but is open to abuse from an insider.

David Flower, Managing Director EMEA of Bit9 + Carbon Black, commented on today’s report and Professor Stupples’ concerns: “As technological innovation gathers momentum, so too will this trend, so it’s no surprise to see that Network Rail is looking at ways in which it can improve its own infrastructure by going digital. However, there is of course an inherent risk that such a system could be exposed to attack from malicious cybercriminals. The examples brought to light by Prof. David Stupples this morning show that the impact of such an attack could have the most severe consequences.

“Network security alone will not be enough; it will be essential to have always-on, continuous monitoring and recording on every endpoint. Protecting each endpoint device in this way not only allows organisations to detect any breach much faster, but the replay will allow them to track the ‘kill chain’ left by successful attackers, to better understand the level of risk exposure and defend against future threats.”

Piers Wilson, Product Manager, Huntsman Security, said: “Given the potential effects of any attack on transportation control networks, it will be critical for Network Rail to react quickly and effectively when necessary to prevent damage or the harmful effects of faults that are introduced into train control and signalling systems. The challenge will be spotting that the attack has actually happened before the effects (in the real world) are apparent. With insider threats, there may be very little evidence beyond some small changes in system behaviour that security has been breached until it is too late. Similarly, attackers are always becoming more sophisticated and developing new ways to penetrate defences. As a result, there is every chance that an attack will be completely new, and its effects and warning signs completely unknown, before it actually affects the signalling network.

“To avoid this, it will be important to be able to spot not only known, expected threats but also those unknown ones that may not even have been devised yet. The only way to do this is to monitor systems for any unusual behaviour, whether from users or from the system itself, to spot the beginnings of any potential problem. While not every discrepancy will be an actual threat, the organisation needs to be able to identify every one and then determine which pose a risk to the signalling network, the trains themselves and the thousands of passengers that could be affected by any disruption or accidents that happen on the rail network. Without this level of intelligence, there is always the risk that attacks won’t be uncovered until it’s too late – and we won’t be talking about impacts like data loss or system downtime here, it will be real world events that affect real systems, real people and real lives.”