Rail signal upgrade 'could be hacked to cause crashes

[whole diary]

[PhilWakely]

(not sure if this is the right place for this - mods feel free to move)

From the BBC^» (British Broadcasting Corporation - home page)

Rail signal upgrade 'could be hacked to cause crashes'
By Richard Westcott BBC Transport Correspondent

 
Prof Stupples fears a rogue employee could hack the new rail system and cause a crash

A hi-tech signalling system that will eventually control all of Britain's trains could potentially be hacked to cause a serious crash, according to a scientist who advises the government.

Prof David Stupples told the BBC that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks.

UK^▸ (United Kingdom) tests of the European Rail Traffic Management System are under way.

Network Rail, which is in charge of the upgrade, acknowledges the threat.

"We know that the risk [of a cyber-attack] will increase as we continue to roll out digital technology across the network," a spokesman told the BBC.

"We work closely with government, the security services, our partners and suppliers in the rail industry and external cybersecurity specialists to understand the threat to our systems and make sure we have the right controls in place."

^Nasty Accident^
Once the ERTMS^▸ (European Rail Traffic Management System.) is up and running, computers will dictate critical safety information including how fast the trains should go and how long they will take to stop.


A hack attack could theoretically cause trains to travel too quickly

It is scheduled to take command of trains on some of the UK's busy intercity routes by the 2020s.
 
The system is already used in other parts of the world and there are no reported cases of it being affected by cyber-attacks.
In fact, it is designed to make networks safer by reducing the risk of driver mistakes.
 
But Prof Stupples - an expert in networked electronic and radio systems at City University in London - said if someone hacked into the system they could cause a "nasty accident" or "major disruption".

"It's the clever malware [malicious software] that actually alters the way the train will respond," he explained.

"So, it will perhaps tell the system the train is slowing down, when it's speeding up."

"Governments aren't complacent", the professor added.
 
"Certain ministers know this is absolutely possible and they are worried about it. Safeguards are going in, in secret, but it's always possible to get around them."

He added that he had spoken up to raise awareness of the threat.

"We keep security arrangements under constant review to take account of the threat and any new challenges we face," responded a spokeswoman for the Department of Transport.

Rogue Worker
According to the professor, the system is well protected against outside attack, but he says danger could come from a rogue insider.


Hundreds of signal boxes are being replaced as part of the upgrade

"The weakness is getting malware into the system by employees. Either because they are dissatisfied or being bribed or coerced," he explained.

He added that part of the reason that transport systems had not already been hacked as frequently as financial institutions and media organisations was that much of the technology involved was currently too old to be vulnerable.

All of that will change in the coming years, as aircraft, cars and trains become progressively more computerised and connected, he said.

Odd Behaviour
Independent security expert Graham Cluley agreed that the sector could be vulnerable.

"Seeing as we have seen nuclear enrichment facilities targeted with state-sponsored malware attacks and 'massive damage' done to a German steelworks, you have to ask yourself whether it is likely that a train signal system would be any better defended?" he asked.

"The most obvious danger is going to be human.

"The risk is that staff will either be deliberately and clandestinely assisting attackers or - most likely - make poor decisions, such as plugging in a device that is malware-infected that could expose the system's security."


The professor warns that malware could be introduced from an infected peripheral

Prof Stupples said he was working with Cranfield University to develop a security system that would tell when a train or other mode of transport was acting oddly.

"It would take it back into a safe state," he explained.

[ellendune]

Prof Stupples said he was working with Cranfield University to develop a security system that would tell when a train or other mode of transport was acting oddly.

"It would take it back into a safe state," he explained.

Is he trying to drum up support (funding) for his research?

[Chris from Nailsea]

The system is already used in other parts of the world and there are no reported cases of it being affected by cyber-attacks.
In fact, it is designed to make networks safer by reducing the risk of driver mistakes.

So, ... yes he is, basically. 

[JayMac]

Nice to see the Press Association picture of the Glasgow Central station approaches again making a not very relevant appearance in a rail related news item.

[grahame]

There are risks in anything - and the more complex a system is, potentially the more things there are to offer fault, design, carelessness or malicious possibilities.   The rail industry is incredibly aware of this, and typically buds in checks and balances into systems so that any failure is "fail safe" and that it would need several things to go wrong at the same time, and in a particular pattern, for there to be an appreciable risk.  The very low rate of accidents (and perhaps the high rate of a failure bringing areas like the London to Reading ine to a halt) shows considerable success in the rail industry achieving its safety goals, but never the less it is useful to have the Professor and others take an independent view, raise awareness and ask questions just in case the common view / starting point for any analysis is drawn too narrowly and something gets missed.

The balance between the Professor's desire to have a safety / security issue looked at, and his desire to be funded for the development of a security system business, isn't best explored in a news article such as the one quoted from here, which only mentions his system almost in a footnote.

[ellendune]

The balance between the Professor's desire to have a safety / security issue looked at, and his desire to be funded for the development of a security system business, isn't best explored in a news article such as the one quoted from here, which only mentions his system almost in a footnote.

Yes I think that was the point of my remark really.  And is ERTMS^▸ (European Rail Traffic Management System.) fundamentally any more vulnerable than the earlier generations of computer based signalling?

[JayMac]

Anyone with criminal intent will find a way regardless of the systems used. The Germanwings air crash shows that. All that can be done is to minimise such risks and vulnerabilities in safety systems. You can never eradicate them.

[ChrisB]

Indeed. One rogue signaller could cause a collision now, if they really wanted to.

[IndustryInsider]

It would be pretty difficult to deliberately cause a collision as a signaller- they can't just set routes or pull points willy-nilly you know!

[ChrisB]

I assume that's tongue-in-cheek?

Foe example, Banbury South could easily set a route into the trap down siding south of the platform & a through train (yes, there are some) would come to a rather nasty end....the distance from when the driver sees the signal to entering the siding is only a hundred yards or so...maybe a lot mote difficult from a signalling centre, but there are still boxes  around that aren't computer controlled.

[IndustryInsider]

Not tongue-in-cheek.  What you describe couldn't happen.  That signal works on approach control so the speed of a train is reduced as they would be approaching a red signal and even if the driver didn't react to those caution signals, the TPWS^▸ (Train Protection and Warning System) override or overspeed sensors would.

Even in older signalling systems there are fail-safe measures in place for the vast majority of outcomes.  After all, if the route you describe above would be possible for a signaller to do maliciously then it could also be done accidentally.

[IndustryInsider]

Just to clarify on my above post that the signal in question is only approach control operated when a diverging route is set, not if a route for the main line is set.

[Tim]

Anyone with criminal intent will find a way regardless of the systems used. The Germanwings air crash shows that. All that can be done is to minimise such risks and vulnerabilities in safety systems. You can never eradicate them.

Trackside signals are vulnerable to malicious or wanton attack and also theft.  Remember the Train Robbers used a lamp battery to cause a signal to display the wrong aspect.  If you move to a system with no trackside signals you remove that risk (and also the not insignificant risk to trackside staff being sent out to polish the lenses) 

I would have thought that the biggest risk of ERTMS^▸ (European Rail Traffic Management System.)  is that it is just extremely complicated?

[Oxonhutch]

After all, if the route you describe above would be possible for a signaller to do maliciously then it could also be done accidentally.

For visitors to my heritage signalbox, I always point out the most dangerous signal in there.  It is the yellow flag - not connected to the rest of the fail-safe interlocking except through the signalman's head (rule book, procedures, and common sense). Double-check everything before displaying it. Oh, and just before that - check again!

[Visoflex]

Although not intimately involved with the ERTMS^▸ (European Rail Traffic Management System.) system directly, I do have some knowledge of railway communications systems over which the ERTMS data would be carried. 

The maximum disruption would be caused by hitting the system as close as possible to the central control computers.  Safety systems are duplicated, but the duplication (or even triplication) needs communication links between the central processors to sense check their data.  Disrupt these, and the system would fail - fail safe no doubt.  But wouldn't bringing many trains to a standstill because they couldn't get their movement authority cause more disruption than a solitary train crash?