Cyber Security In Modern Railways


Railways belong to the critical infrastructure of a country, along with power plants, water facilities and electric grids. A team of experts is warning of security holes in railroad systems that open them to cyber attacks; during the Chaos Communication Congress they disclosed a long list of security issues affecting railroad systems.

The experts did not mention specific trains when presenting the results of their study; their presentation focused on an overview of the security issues that potentially affect modern railroad systems.

In their presentation, the team of experts detailed SIBAS, a train protection system that is widely adopted in Europe. SIBAS uses Siemens SIMATIC components, including the WinAC RTX controller, which is designed for various purposes, such as PC-based automation solutions. The WinAC RTX is affected by several security vulnerabilities that could be exploited by hackers.

The researchers also examined the computer-based interlocking (CBI), a signaling system designed to prevent the setting up of conflicting routes. The hacking of CBI would cause serious problems, including physical damage.

According to Sergey Gordeychik, “it’s absolutely easy” for threat actors to exploit these vulnerabilities, although in some cases the attackers would need deep knowledge of railroad systems to exploit the flaws.

Most of the problems affect automated systems in railroad networks, such as signaling components and locks; the experts highlighted the huge presence of technology in modern railway systems.

The railway systems examined by the team are affected by a large number of vulnerabilities, including a lack of authentication protections, poor maintenance, outdated operating systems and software components, and, of course, hard-coded passwords.

The attack surface of modern railway systems is growing due to the presence of new solutions, including connected systems and entertainment devices.

“We worked with operators for 3 years and at the beginning there was a lot of skepticism, but now they understand the threats,” Gordeychik said via email to SecurityWeek. “A lot of devices work on the same channel: like engineering equipment and user systems.”

Fortunately, there is no news of significant cyber attacks against trains and other transportation systems. Cyber criminals have little financial motivation to hack this kind of system, since other illegal activities are more profitable for them, but nation-state hackers could start exploring this opportunity.

Cyber security of railroad systems must be a priority for any government as the risk that hackers will exploit the vulnerabilities discovered by the experts is concrete.

Security Affairs: http://bit.ly/1kAYd2s
