Trains as targets: why attackers want to raid the rails
BY KERRY TOMLINSON, AMPERE NEWS
March 30, 2022
If you're riding the subway, light rail, or commuter train, you may be happy to have Wi-Fi. In 2022, trains are connected, not just for a more productive commute, but to run systems, signaling and more.
These connections can also give criminals a way in. Back in 2008, a 14-year-old built his own remote control device that derailed trains and injured passengers in Lodz, Poland.
Here's the most likely train attack now, 14 years later.
Attacks in 2022
On the big screen this summer, train attacks will require guns, swinging metal briefcases, and even a bottle of sparkling water, as seen in the trailer for the still-in-progress comedy ‘Bullet Train’ starring Brad Pitt.
But real train attacks in 2022 may look less like an action movie and more like dark computer screens and long delays. Cyber attacks feature frozen ticket machines, disabled dispatching systems, and possibly trains carrying troops or military cargo stopped in their tracks.
A group calling themselves the Cyber Partisans say they hit the train system in Belarus at the start of Russia's invasion of Ukraine in February. Their goal was to slow Russia's movement of troops and equipment into Ukraine. They claimed they disabled crucial software and paralyzed hubs in the capital, Minsk, and in other cities.
Rail Attacks
The Cyber Partisans are not the first to raid the rail system by digital means.
In July 2020, Iranian cyber attackers claimed they caused "severe damage to equipment and infrastructure" at 28 train stations in Israel, saying they wanted to "show that we can plan the collisions of tens of trains if we so wish."
A year later, someone hacked Iran's trains, reportedly paralyzing the system and destroying crucial data. Messages showed up on screens in stations reading, "Long delays due to cyberattack," along with the number for the Office of Iran's Supreme Leader.
War Impacts
Now with the war in Ukraine, cybersecurity professionals say trains in other countries could potentially become targets.
Russian-backed attackers could focus on NATO countries or other Western regions, said security consultants Mitchell Clarke and Thomas Scriven with security firm Mandiant at the Cyber Senate Rail Cybersecurity conference in London in March.
"Organizations making public statements condemning Russian aggression and/or supporting Ukraine face an elevated risk," they told Ampere News in an email.
Most Likely Attack
War-related attacks are a risk. But they say the most likely form of siege is ransomware. Attackers use ransomware to scramble --- or encrypt --- files, locking up systems until victims pay a ransom.
One of the first big ransomware rail attacks hit San Francisco's BART commuter trains in 2016. Reports say the malware took over hundreds of computers, including station kiosks, employee laptops and payroll systems. Attackers demanded about $70,000 in ransom.
Ransom demands are rising. Attackers demanded a payment of more than $7 million to unlock computers for the train system in Vancouver, Canada, in 2020.
Ransomware gangs tortured more rail systems and transport agencies in 2020 and 2021, including two different systems in the U.K. and another in New South Wales, Australia.
No crashing trains in these ransomware attacks, but millions of dollars spent in ransoms and/or fixing broken systems and headaches for people trying to both run and ride the trains.
Ransomware can be serious, said Clarke and Scriven. "The cost to victims from disruptive, economic and regulatory perspectives can be significant."
What to Do?
If you run a train system, they advise steps including the following:
Create a program to fix vulnerabilities, or security gaps, and to patch or update as soon as possible.
Segment your computer networks. Separate the operations --- or train-running --- technology from the office technology, which is much more easily invaded by, for example, someone simply clicking on a bad link in an email.
Monitor the operations systems for signs of cyber invaders out to get money or, in a few extreme cases, out to stop trains.
Rail operators should look at and follow the Shields Up cybersecurity guidance provided by the Cybersecurity and Infrastructure Security Agency to protect critical infrastructure from war-related attacks, said Nik Urlaub, senior cybersecurity engineer with the not-for-profit organization MITRE.
"If you're not complying with those, ask yourself why and if there's steps you can take to match those recommendations," he said in an interview with Ampere News.
Heading for a crash?
What if you're not a train operator, but a rider? Could cyber attackers make your train crash?
Not likely, Urlaub said.
"Attackers compromising stuff back at the control center is unlikely to have any safety implications for anyone," he explained. "If I was riding the train, I wouldn't have any special concern that a cyberattack would cause the train I was riding on to derail or to collide with another train."
"In the U.S., there are some significant safety mechanisms that are built into the equipment that's actually operating the switches and the signals that the engineers, conductors rely on to tell whether it's safe to proceed," Urlaub said.
No end in sight
Cyberattacks impacting trains continue. On March 23, a report came out of Ukraine that people couldn't buy train tickets online or by phone because of a cyber attack hitting communications systems.
The same day, Italy's national rail company endured a cyberattack that led to freight trains being stopped on the tracks.
As a rider, be ready for attacks causing severe delays and disabled digital things, like ticket machines, display screens, customer service computers and more, said Clarke and Scriven.
Not life-and-death issues, but certainly some very unpleasant side effects of cyber attackers seeing the value of trains as targets.