WASHINGTON — The federal cybersecurity agency issued an advisory last week regarding a vulnerability in end-of-train devices that could allow an attacker to gain control of a train’s air brake system.
“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” the Cybersecurity & Infrastructure Security Agency warned on July 10.
End-of-train devices collect brakeline pressure data and send the information via radio signal to a head-end device aboard the locomotive, allowing the engineer to monitor the braking system. EOTs also relay data about whether the rear end of a train is stopped or moving forward or backward.
The devices send regular telemetry about every 40 seconds but will immediately send a signal if it detects a change in train status.
CISA is unaware of any attempts to exploit the vulnerability in the EOT communications system.
The Association of American Railroads, which sets standards for the industry, is pursuing new technology to replace the current brake monitoring system.
“The standards committees involved in these updates are aware of the vulnerability and are investigating mitigating solutions,” CISA said. “The AAR Railroad Electronics Standards Committee (RESC) maintains this protocol which is used by multiple manufacturers across the industry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. Users of EoT/HoT devices are recommended to contact their own device manufacturers with questions.”
The cybersecurity agency recommended that railroads take defensive measures to mitigate the risk of an attack on an EOT system.
The specific vulnerability, CISA said, is weak authentication. Using the Common Vulnerability Scoring System, the agency assigned a score of 8.1 to the EOT weakness, which puts it into the high severity category. The numerical scores are assigned to one of four categories: low, medium, high, and critical.
This is reminiscent of the Y2K scare. The problem was known for years, and yet nothing was done until it became a crisis. Why change now?
Nothing like advertising to the world that there is weakness in security. Hopefully the hackers of the world don’t read Trains Magazine. This is probably a low priority for the hackers, they are to busy causing bigger problems.
Note that although this security issue has been known in the railroad industry and was even discussed in a 2005 paper, it remains unresolved in North America’s railway control systems to this day.
Dr. Güntürk Üstün
Gorgeous cabooses… Gone but not forgotten.
Dr. Güntürk Üstün
Bring back the caboose ! Can’t hack a real person the brakeman.
Gorgeous cabooses… Gone but not forgotten.
Dr. Güntürk Üstün