Cyber Security In Modern Railways


Railways belong to the critical infrastructure of a country, along with power plants, water facilities, and electric grids. A team of experts is warning of security holes in railroad systems that open them to cyber attacks. During the Chaos Communication Congress they disclosed a long list of security issues affecting railroad systems.

The experts did not mention specific trains when presenting the results of their study; their presentation focused on an overview of the security issues that potentially affect modern railroad systems.

In their presentation, the team of experts detailed SIBAS, a train protection system that is widely adopted in Europe. SIBAS uses Siemens SIMATIC components, including the WinAC RTX controller, which is designed for different purposes, such as PC-based automation solutions. The WinAC RTX is affected by several security vulnerabilities that could be exploited by hackers.

The researchers also examined the computer-based interlocking (CBI), a signaling system designed to prevent the setting up of conflicting routes. The hacking of CBI would cause serious problems, including physical damage.

According to Sergey Gordeychik, “it’s absolutely easy” for threat actors to exploit these vulnerabilities, although in some cases the attackers would need a deep knowledge of railroad systems to exploit the flaws.

Most of the problems affect automated systems in railroad networks, such as signaling components and locks. The experts highlighted the huge presence of technology in modern railway systems.

The railway systems examined by the team are affected by a large number of vulnerabilities, including a lack of authentication protections, poor maintenance, outdated operating systems and software components, and, of course, hard-coded passwords.

The attack surface of modern railway systems is growing due to the presence of new solutions, including connected systems and entertainment devices.

“We worked with operators for 3 years and at the beginning there was a lot of skepticism, but now they understand the threats,” Gordeychik said via email to SecurityWeek. “A lot of devices work on the same channel: like engineering equipment and user systems.”

Fortunately, there is no news of significant cyber attacks against trains and other transportation systems. While cyber criminals are not financially motivated to hack this kind of system, since other illegal activities are more profitable for them, nation-state hackers could start exploring this opportunity.

Cyber security of railroad systems must be a priority for any government, as the risk that hackers will exploit the vulnerabilities discovered by the experts is concrete.

Security Affairs: http://bit.ly/1kAYd2s
