“Those are questions that have been raised at the highest level to the lowest levels. Those are continuously being audited and addressed every single day and will be as long as there are people on trains and they’re going through areas where people live,” says Jim McKenney, technical director at NCC Group’s Transportation Assurance Practice.
Unlike other critical infrastructure, such as energy or water management systems, rail networks have avoided specific cybersecurity regulations as lawmakers have focused many of their recent efforts on safety due to high profile crashes, says Jesus Molina, director of business development, for Waterfall Security Solutions.
“There is no question that a PTC-rollout without managing the cybersecurity risk will open new attack vectors due to increased connectivity and new software added to the networks and onboard train,” Molina says. “In these cases, PTC may actually decrease the safety of passengers due to an unacceptable increased risk of cyberattacks that may lead to accidents.”
Railroads are installing PTC on nearly 57,848 route miles and on 19,912 locomotives, according to numbers from federal agencies.
“The use of IT-focused security tools, in particular, software tools, such as firewalls, to protect control critical networks is a huge mistake, and with increasingly connected rail networks, it is becoming a dangerous trend,” Molina says. “The focus of critical control networks is to be reliable and safe, and IT tools meant to protect data and confidentiality are not suitable to defend them.
“The most secure rail sites are not concerned with the steadily increasing sophistication of cyber-attacks, nor with the steadily increasing rate of disclosure of new attack vulnerabilities in control systems, network, firewalls and other security software,” Molina added. “This is because the most secure sites protect their automation systems from cyber-attacks physically, with hardware-based solutions such as unidirectional security gateways.”
Unidirectional security gateways are, as the description implies, computer devices that allow information to flow in only one direction, rather than backward.
Experts seem to agree that cybersecurity concerns around PTC are part of a larger discussion, said Allan Rutter, a former Federal Railroad Administration administrator.
“The railroads’ cybersecurity challenge isn’t unique to PTC,” Rutter says. “It has to do more with the expansion of technology and wayside measurement and train control system and vehicle tracking. Their concerns about cybersecurity cover the entire waterfront of everything they do. And PTC is a subsystem, but I think their cybersecurity concerns are broader and wider than that.”
The topic has caught the attention of lawmakers, who broached the subject during a May hearing on state-owned enterprises in public transit and freight rail.
“Any disruption or corruption to these functions or to our transportation network as a whole would have a debilitating effect,” U.S. Rep. Sam Graves, R-Mo., ranking member on the Committee on Transportation and Infrastructure, said in his prepared remarks.
“Bad actors” have successfully compromised rail networks in Denmark, the United Kingdom, Germany, Poland, and the United States, Molina says.
“The targets for most of these breaches was to install malware and ransomware for financial gain, but once a system has been breached, more sophisticated targets, including cyber-physical, rather than pure IT, are possible,” Molina said.
“New targets will start appearing once these actors find a reason to go beyond the IT system, and the new payloads after a successful network breach may include modifying signaling systems to cause collisions, or forcing a malfunction in the software at the control center to impair service,” Molina added. “The question is not if payloads threatening safety will appear, but when.”
And, what happens when a bad actor hacks into a railroad’s PTC system?
“A malicious cyber breach of PTC or underlying existing rail signaling systems could wreak havoc and cause accidents or derailments on the highly interdependent freight railway network,” retired U.S. Army Brig. Gen. John Adams, president of Guardian Six, said in prepared testimony to the House Committee on Transportation and Infrastructure.
Since PTC does not allow for operating a train, hacking the system might merely bring trains to a halt.
“With positive train control, if you quote-unquote break into or hack into positive train control, you will probably break a component, which is going to cause a train to stop,” McKenney said. “It’s a very complex set of paths that you must really contemplate and have a lot of information, a lot of very specific technologies and skillsets to even contemplate trying to quote-unquote hack into positive train control and cause it to not stop a train and cause a derailment or cause a head-on train collision.”