UK rail system could be susceptible to catastrophic hack attacks

Any ‘smart’ device can be hacked, there’s no doubt about it – but when the device is a high-tech train signalling system, a successful attack potentially means a crash and, most likely, human casualties.

That’s exactly what Prof David Stupples is warning the UK about as it tests the European Rail Traffic Management System (ERTMS).

Britain’s train signalling system is ageing and needs replacement, but risks must be taken into account.

Many are concerned about the risks that could arise. Piers Wilson, Product Manager at Huntsman Security, said:

"it will be critical for Network Rail to react quickly and effectively when necessary to prevent damage or the harmful effects of faults that are introduced into train control and signalling systems. The challenge will be spotting that the attack has actually happened before the effects (in the real world) are apparent."

Network Rail, which is in charge of the upgrade, acknowledges the threat, BBC reports.

"We know that the risk [of a cyber-attack] will increase as we continue to roll out digital technology across the network," a spokesman told the BBC.

"We work closely with government, the security services, our partners and suppliers in the rail industry and external cybersecurity specialists to understand the threat to our systems and make sure we have the right controls in place."

Once set up, the ERTMS will control the speed of trains and their braking times. It is scheduled to take command of trains on some of the UK's busy intercity routes by the 2020s.

Even though the system is already in use elsewhere in Europe, with no reported cases of it being affected by cyber-attacks, Prof Stupples still believes a hack can cause a "nasty accident" or "major disruption".

Professor Stupples is an expert in networked electronic and radio systems at City University in London.

"It's the clever malware that actually alters the way the train will respond," he explained. "So, it will perhaps tell the system the train is slowing down, when it's speeding up."
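
The scenario Prof Stupples describes, telemetry that claims the train is slowing while it is actually speeding up, is the kind of inconsistency a monitoring system can test for directly. The following is an added example, not code from the article, Network Rail or ERTMS: it cross-checks the speed a control unit reports against the speed implied by successive position fixes, and flags intervals where the two disagree in trend or in magnitude. The report format, the field names, the tolerances and the sample runs are all constructed for this example; it assumes the position fixes come from a source independent of the unit reporting the speed.

```python
"""Plausibility check for train telemetry: does the reported speed agree with
the speed implied by successive position reports?

Added illustration, not part of the article or of any Network Rail / ERTMS
code. Record layout, tolerances and sample data are assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    t: float          # seconds since start of the log (assumed clock)
    pos_m: float      # position along the track in metres (assumed independent fix)
    speed_mps: float  # speed the train control unit reports, in m/s


def implied_speed(a: Report, b: Report) -> float:
    """Mean speed between two consecutive reports, derived from position only."""
    dt = b.t - a.t
    if dt <= 0:
        raise ValueError("reports must be strictly increasing in time")
    return (b.pos_m - a.pos_m) / dt


def check_reports(reports, abs_tol_mps=1.0, rel_tol=0.10):
    """Return a list of (index, reason) for reports whose claimed speed is not
    consistent with the position-derived speed.

    Two checks, in order of severity:
      1. trend reversal: position fixes show the train speeding up while the
         reported speed says it is slowing down (or vice versa), which is the
         scenario described in the article;
      2. magnitude: the reported speed differs from the position-derived speed
         by more than abs_tol_mps and by more than rel_tol of the derived value.
    """
    findings = []
    for i in range(1, len(reports)):
        prev, cur = reports[i - 1], reports[i]
        derived = implied_speed(prev, cur)
        # compare the reported mid-interval speed with the derived mean speed
        reported_mid = (prev.speed_mps + cur.speed_mps) / 2
        diff = abs(reported_mid - derived)
        if i >= 2:
            derived_prev = implied_speed(reports[i - 2], prev)
            derived_accel = derived - derived_prev      # change in derived speed
            reported_accel = cur.speed_mps - prev.speed_mps
            if derived_accel > abs_tol_mps and reported_accel < -abs_tol_mps:
                findings.append((i, "reported slowing while position shows speeding up"))
                continue
            if derived_accel < -abs_tol_mps and reported_accel > abs_tol_mps:
                findings.append((i, "reported speeding up while position shows slowing"))
                continue
        if diff > abs_tol_mps and diff > rel_tol * abs(derived):
            findings.append((i, f"reported {reported_mid:.1f} m/s vs derived {derived:.1f} m/s"))
    return findings


# Constructed sample data: a train accelerating at 1 m/s^2 from 20 m/s,
# reporting every 5 s. Position follows s(t) = 20 t + 0.5 t^2.
HONEST = [
    Report(0.0, 0.0, 20.0),
    Report(5.0, 112.5, 25.0),
    Report(10.0, 250.0, 30.0),
    Report(15.0, 412.5, 35.0),
    Report(20.0, 600.0, 40.0),
]

# Same physical run, but from t=10 s the reported speed has been altered to
# claim the train is slowing down (constructed tampering, not a real capture).
TAMPERED = [
    Report(0.0, 0.0, 20.0),
    Report(5.0, 112.5, 25.0),
    Report(10.0, 250.0, 30.0),
    Report(15.0, 412.5, 27.0),
    Report(20.0, 600.0, 24.0),
]


if __name__ == "__main__":
    print("honest:", check_reports(HONEST))
    print("tampered:", check_reports(TAMPERED))
```

The check only has value if the position source cannot be falsified by the same compromised component that reports the speed; if both come from one unit, an attacker can forge them consistently and the comparison passes. That independence of sources, and the recording of both streams so that an analyst can replay the sequence afterwards, is the practical form of the "monitor the system itself for unusual behaviour" advice quoted below.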

UPDATE: Various industry experts have been quick to offer their thoughts on the subject:

David Flower, managing director EMEA at Bit9 + Carbon Black:

“New, digital technologies are being ushered in to replace and optimise legacy systems everywhere you look.

"As technological innovation gathers momentum, so too will this trend, so it’s no surprise to see that Network Rail is looking at ways in which it can improve its own infrastructure by going digital. However, there is of course an inherent risk that such a system could be exposed to attack from malicious cybercriminals.

"The examples brought to light by Prof. David Stupples this morning show that the impact of such an attack could have the most severe consequences.

“As such, we would recommend that Network Rail implements rigorous security measures as part of its upgrade. Network security alone will not be enough; it will be essential to have always-on, continuous monitoring and recording on every endpoint. Protecting each endpoint device in this way not only allows organisations to detect any breach much faster, but the replay will allow them to track the ‘kill chain’ left by successful attackers, to better understand the level of risk exposure and defend against future threats.”

Piers Wilson, Product Manager at Huntsman Security:

“Given the potential effects of any attack on transportation control networks, it will be critical for Network Rail to react quickly and effectively when necessary to prevent damage or the harmful effects of faults that are introduced into train control and signalling systems.

"The challenge will be spotting that the attack has actually happened before the effects (in the real world) are apparent. With insider threats, there may be very little evidence beyond some small changes in system behaviour that security has been breached until it is too late. Similarly, attackers are always becoming more sophisticated and developing new ways to penetrate defences. As a result, there is every chance that an attack will be completely new, and its effects and warning signs completely unknown, before it actually affects the signalling network.

“To avoid this, it will be important to be able to spot not only known, expected threats but also those unknown ones that may not even have been devised yet. The only way to do this is to monitor systems for any unusual behaviour, whether from users or from the system itself, to spot the beginnings of any potential problem.

"While not every discrepancy will be an actual threat, the organisation needs to be able to identify every one and then determine which pose a risk to the signalling network, the trains themselves and the thousands of passengers that could be affected by any disruption or accidents that happen on the rail network.

"Without this level of intelligence, there is always the risk that attacks won’t be uncovered until it’s too late - and we won't be talking about impacts like data loss or system downtime here, it will be real world events that affect real systems, real people and real lives.”

Chris Boyd, malware intelligence analyst at Malwarebytes:

“Whether we're talking planes, cars or trains, nobody wants to take risks with passenger safety and a piece of malware designed to target transport systems could be potentially catastrophic in the right environment.

"Having said that, these systems are designed with redundancy in mind and if a ‘rogue employee’ was going to try and intentionally infect the underlying technology, the trail would lead back to them quite quickly.

“We may as well ask why they wouldn't just perform a malicious act without the aid of an advanced piece of malware. We could also debate the likelihood that someone with access to these systems would obtain malware like this, or understand how to use it.

"Developers of attacks such as these certainly wouldn't be giving them away, and I suspect a rail worker probably couldn't afford it - never mind find where it would be on sale in the first place.”

David Emm, Principal Security Researcher at Kaspersky Lab:

“Whilst Kaspersky Lab is not privy to the security tests conducted by the rail lines, the fact that our train network could be compromised by cybercriminals is another warning sign of the risks we face as our critical infrastructure becomes increasingly connected.

“The news comes only a couple of days after the FBI issued an alert to airlines over Wi-Fi hacking. While many will dismiss these threats as merely fiction, we’re already seeing examples of cybercriminals exploiting new technology. For example, in Moscow, speed cameras and traffic monitoring systems were infected with an unidentified Trojan which stopped authorities catching traffic offenders. A seemingly minor attack that had huge effects on function and revenue collection.

“We should view the recent warning as a wake-up call, not only for the transport industry, but for critical infrastructure as a whole. Governments and businesses around the world are now grappling with the potential threat to ‘critical infrastructure’ installations and the need to defend systems that, if successfully attacked, impact not just the organisations concerned, but society at large.

“Too often security is an afterthought, but systems can and should be designed to meet not just today’s, but tomorrow’s security needs and requirements. While obviously this will involve a significant capital investment initially, the long term benefits far outweigh the costs.”