On the escalating battlefield of cybersecurity, what needs to be done to keep rail systems on track?
In May 2017, commuter turmoil erupted when the Deutsche Bahn railway system was hacked. The vast and seemingly secure network had fallen victim to a cyber-attack, affecting the rail giant’s global operations.
Red windows appeared on passenger announcement boards, with a message demanding cash payment to restore services. Panicked passengers rushed to exit stations, resulting in congestion and a series of safety issues.
“Passengers thought it was a terrorist attack,” said Yanif Mallet, Lead Cyber Security Architect at rail cyber security business Cylus, in Engineers Australia’s Thought Leaders Series webinar, Cybersecurity in the railway industry.
The incident provided a wake-up call for rail operators around the world.
Rail cyber – a growing concern
It’s in the last five years that railway systems worldwide have become the target of cyber terrorists, Mallet says. Incidents are on the rise in Australia and globally.
Difficult to defend, the railway sector is a particularly vulnerable target for cyber criminals due to its inherent geographical distribution. Then there’s the fact that in the past, railway systems have been designed with physical safety and reliability in mind, rather than cybersecurity.
According to Hugh Hunter, Independent Safety Assessor Director and Lead Cybersecurity Assessor at Certifer, railways have become increasingly vulnerable due to their move to computer-based systems using IP protocols, wireless communication and networking.
In other words, systems that were closed are now open, meaning it’s much easier for outsiders to get in.
Hunter says cyberattacks can have varying purposes. However, money is most often the key driver.
Many strikes are ransomware attacks. With the threat of financial and reputational damage, and the fact that transport systems can be brought to their knees within minutes, railways must ensure their systems are ready for the inevitable attack.
“Imagine if there was a ransomware attack on an Australian metro rail system, and somebody encrypted the smart card payment system,” Hunter says. “The company wouldn’t be able to charge for the service.”
“If the perpetrator was to demand a ransom to unencrypt the system, what would the company do? It’s their reputation on the line, and every hour that passes means more lost revenue.”
However, there are also deliberate acts of sabotage which sometimes have political motives.
In February 2022, Hunter says, “hacktivist” groups including Anonymous and Cyber Partisans stopped trains in various Belarusian cities. By paralysing the rail network, they hoped to stop Vladimir Putin mobilising troops and artillery.
Also, Hunter says, there are the “script kiddies”, so named because they write cybersecurity scripts and then deploy them. Hunter points out the motives of these individuals are neither financial nor political – they simply want to disrupt.
“They might drop the boom gates and stop all traffic at level crossings,” he says.
As well as the move to IP systems, COVID has impacted railway cybersecurity. The maintenance of railway systems, once executed exclusively on-site, has become a job that is often carried out remotely by maintenance staff, from home or elsewhere.
“Before COVID, staff would have visited the site to check and modify the systems,” Hunter says. “Security measures would be in place to lessen the chance of human error or deliberate sabotage by disgruntled employees.”
“In 2015 an IT professional was fired by Canadian Pacific Railway. He then went in and deleted key permissions, passwords and files in the network hardware. It resulted in multiple outages in the railway network. He was charged and sent to prison for the hack.”
Being cyber safe
As railway systems become more complex and unique, they also become more difficult to defend. However, there are simple processes railways can implement to ensure they are far better defended against cyber attacks:
- addressing cybersecurity in both IT and OT environments for existing and new systems
- carrying out frequent risk assessments to determine if there are vulnerabilities in the system
- implementing adequate security solutions and equipment
- performing regular updates and scanning for viruses
- allocating skilled staff to the management of cybersecurity
- complying with international standards
- training all staff in cybersecurity
- identifying current threats and countermeasures through membership of agencies such as the Australian Cyber Security Centre (ACSC)
Hunter says railway networks in Australia are beginning to move in the right direction.
“Many networks now are doing penetration testing on their network,” he says. “Companies are realising they’re no longer cyber safe and therefore they’re developing cyber departments.”
Ignorance is not an option when it comes to cybersecurity and railways, he says. It’s all about awareness and vigilance.
“If railways don’t believe they can be attacked, then they’ll not know when an attack occurs.”
Watch Engineers Australia’s Thought Leaders Series webinar to learn more from Certifer about managing cybersecurity risks in the railway industry.