UK rail signals could be hacked to cause crashes, claims prof

The rollout of a next generation train signalling system across the UK could leave the network at greater risk of hack attacks, a university professor has claimed. Prof David Stupples warns that plans to replace the existing (aging) signalling system with the new European Rail Traffic Management System (ERTMS) could open up …

  1. Ralph B

    "Reg reader Charles pondered"

    >Reg reader Charles pondered

    Hmm. Commentards are appearing in the articles themselves now, are they? How does that work? Is there a badge level beyond gold now?

    (Seems unlikely, if it's this fella with just one post to his name.)

  2. Refugee from Windows
    Coat

    Ageing?

    Some of the systems designed over 100 years ago have proved to be extremely safe over that time. It's some of the new innovations that appear to have inherent weaknesses. Possibly because there's not a Mk1 brain of a signaller keeping an eye on them.

    I'll get my coat, it's got a Bardic lamp in the pocket.

    1. Dan Paul

      Re: Ageing? Electromechanical Controls

      1950's era Electromechanical Controls are pretty much immune to hacking because there is no computer or PLC that needs to communicate with anything. Direct sabotage is possible but more difficult, unless some thieves steal all the wires for scrap value.

      They also have the benefit of being less susceptible to EMP than electronics.

      1. John Brown (no body) Silver badge

        Re: Ageing? Electromechanical Controls

        "the benefit of being less susceptible to EMP than electronics."

        Well, to be fair, the only current way of generating a feasibly disruptive EMP is to set off a nuclear bomb so I suspect "OMG! the train signals don't work!" would not be very high on the list of "Things To Worry About In The Event Of Nuclear Attack" checklist.

      2. Anonymous Coward
        Anonymous Coward

        Re: Ageing? Electromechanical Controls

        "1950's era Electromechanical Controls" also have predictable failure modes. A relay with metal to carbon contacts does not (cannot) have a failure mode where the contacts weld together.

        Now who is going to tell me how we know what the failure modes are on a system based on software and microprocessors?

        Derby, I'm looking at you (either of you).

  3. Anonymous Coward
    Anonymous Coward

    Is it only me...

    "recommends that Network Rail has security deployed on each and every signalling device"

    Read that and pictured an armed rent-a-cop stood by each and every signal box...

    1. Anonymous Coward
      Anonymous Coward

      Re: Is it only me...

      Not I. I was imagining a teeny weeny armed airport style propercopper posted at every transistor. Rather puzzling it was too. Think I might need to get out more :-|

  4. Sealand
    Facepalm

    To make any safe system hackable, just add a computer.

    Duh!

  5. Anonymous Coward
    Anonymous Coward

    I've heard that before, somewhere...

    “To avoid this, it will be important to be able to spot not only known, expected threats but also those unknown ones that may not even have been devised yet."

    You are Donald Rumsfeld and I claim my £5.

    1. Mark 85

      Re: I've heard that before, somewhere...

      There will be some commentards by soon to tell you how you are not thinking of the children and all that. Also, that GCHQ will have to up its budget and "watchfulness" to counter these threats.

    2. ecofeco Silver badge

      Re: I've heard that before, somewhere...

      Well played AC, well played.

      And correct as well!

  6. Anonymous Coward
    Coat

    I've always been amazed that the drivers can keep such a long vehicle on such incredibly narrow tracks. Amazing skill.

    1. Hans Neeson-Bumpsadese Silver badge

      on track

      I've always been amazed that the drivers can keep such a long vehicle on such incredibly narrow tracks. Amazing skill

      Like that guy in Spain a year or two back?

      1. Anonymous Coward
        Anonymous Coward

        Re: on track

        Well, in the Santiago crash one of the causes was that ERTMS was out of order for over a year and using only the older ASFA system.

        Had ADIF, Spain's National Rail equivalent, fixed it, the accident would have never happened.

  7. Anonymous Coward
    Anonymous Coward

    Beware consultants flogging snake oil

    Any system devised by man is capable of being manipulated with evil intent by man. Those apparently super-safe, air-gapped systems the Victorians developed, with mechanical semaphores next to the track, wouldn't have exactly been difficult to sabotage to show that the line ahead was clear. The electrically signalled lights that followed and that we've relied upon up to now would have been more difficult to subvert, but still relatively vulnerable. Sure, the new signalling system will have potential weaknesses, but it's still better than what it's replacing, and life isn't risk free - get a sense of proportion, FFS.

    1. Anonymous Coward
      Anonymous Coward

      Re: Beware consultants flogging snake oil

      Rather difficult to sabotage an ex GWR Lower Quadrant Home signal from the other side of the world...

      Sure a physical attack can work but remote exploits.... forget it.

      Nary a computer in sight let alone a TCP/IP network.

      1. Anonymous Coward
        Anonymous Coward

        Re: Beware consultants flogging snake oil

        Sure a physical attack can work but remote exploits.... forget it.

        So what? What matters isn't whether something is remotely exploitable, or locally exploitable, or physically exploitable, but how readily exploitable it is, full stop. An easy local exploit can be much more dangerous than a relatively difficult remote exploit.

  8. Hans Neeson-Bumpsadese Silver badge
    Coat

    all academic

    "...tell the system the train is slowing down, when it's speeding up."

    Based on the performance of the trains I travel on, I would say that particular attack vector is moot.

    1. Keven E.

      Meaningful

      "Other countries have already successfully rolled out the system and there are no reports, at least, of any meaningful cyber-attack to date."

      When your computer blows a power supply do you take out your typewriter and send off a letter to your boss/teacher to tell them that the world+dog ate your report?

      Are they really gonna (attempt to) establish UPS's along *the whole system?

      Were there any reported cyber-attacks that really weren't full of *meaning?

      1. Doctor Syntax Silver badge

        Re: Meaningful

        "Are they really gonna (attempt to) establish UPS's along *the whole system?"

        Would that they were. I recall a miserable journey from Marylebone to High Wycombe via Aylesbury because the wrong type of diesel was in the signalling system's generator tank.

    2. Vince

      Re: all academic

      You beat me to the punch there - a train moving at any speed is the thing of spotters around here. Too hot, cold, or even indifferent for the services to run most of the time.

  9. Roland6 Silver badge

    Needs a sense of proportion

    And on his regular visits to Cranfield, Prof Stupples gets off the train at Milton Keynes Central and hops into a waiting Google driverless car for the cross town journey to Cranfield...

  10. spacecadet66

    So what you're saying here is, there may be security problems in a network-capable product that's relatively new in production?

    Tell me more!

  11. Anon5000

    Thanks Prof David Stupples

    Would never have thought about hacking the system to help my train jump the queuing system at London Bridge or Victoria at rush hour, but now....

  12. Anonymous Coward
    Anonymous Coward

    Given the ease with which you can hack the current system and cause mass-deaths

    Complex tools, such as a sledge hammer and such advanced skills as "swinging" are required, safe in the knowledge that there's no possible way to monitor all the infrastructure. Even a well placed red bike light would cause a certain amount of chaos. The sooner we sort ERTMS the better, whilst I agree security needs thought it's far from the system's soft underbelly.

    1. david bates

      Re: Given the ease with which you can hack the current system and cause mass-deaths

      I once got told off on Crewe station for forgetting to switch the tail light of my bike off. I did point out if this was an issue they should have a sign up because how the hell am I supposed to know it's a problem?

    2. Blitterbug
      Happy

      Re: mass-deaths

      Interesting use of a hyphen there. Or were you referring to some kind of Einsteinian mass-to-energy conversion gizmo for use on the 6:35 to Victoria? I am intrigued.

  13. Borg.King

    There's a reason that levers, metal rods and trackside indicators work so well

    No electrical power needed. One small molotov cocktail into a power station could plunge this whole new network into standstill.

    1. Cynic_999

      Re: There's a reason that levers, metal rods and trackside indicators work so well

      "No electrical power needed. One small molotov cocktail into a power station could plunge this whole new network into standstill."

      No more than the effect the same device would have on a mechanical system if thrown into a signal box ...

      1. Chloe Cresswell Silver badge

        Re: There's a reason that levers, metal rods and trackside indicators work so well

        To be fair, if you have an interlocked mechanical system, throwing cans of beer into a signal box would probably cause as much chaos with no damage to the box.. but maybe to the signaller's liver!

  14. montyburns56

    The Great Train Robbery

    The Great Train Robbers "hacked" some train signals over fifty years ago so it's nothing new.

    1. Alan Brown Silver badge

      Re: The Great Train Robbery

      The GTR brings up that there are dangers associated with "Fail to stationary" as well as with other failure modes.

      Railway systems are complex and interlocking with failsafes built in at a number of positions which will shut the whole system down if there's an error. That's regarded as far safer than letting things continue to roll.

      Similarly, traffic light controllers used to be (and maybe still are) wired so that conflicting greens would trigger a crowbar and blow the supply fuse (dark lights are safer than conflicting greens).

  15. Stevie

    Bah!

    a hack attack might potentially cause trains to move too quickly.

    Or indeed, at all.

    I think the British Railway Commuter is safe. Studies show the train drivers rarely look at the signals anyway.

    Though we probably need a new incident code: SPAWTF

  16. Dave Bell

    Railways are the original for all modern safety cultures.

    I hope nobody has forgotten the lessons learned at such cost in life. But even in the 1930s the trains were faster than standard block working could handle, and high-speed expresses needed special procedures.

    If the bean counters have subverted the railways, we're in trouble.

  17. Richard 45

    "UK tests of the European Rail Traffic Management System have already begun ahead of the expected rollout."

    Yes, since nearly 5 years, and it still doesn't work properly. It was commissioned in October 2010 between Harlech and Pwllheli, and in March 2011 for the rest of the Cambrian (between Sutton Bridge Junction, Shrewsbury, and Harlech/Aberystwyth). Failures of axle counters were common, as were GSM-R failures (the whole system is reliant on a constant data connection back to ERTMS control in Machynlleth over GSM-R). Even now, GSM-R issues still exist when trying to send a loco down to Aberystwyth, so they try to avoid it if they can. When GSM-R goes down (which it does, famously due to a power outage at Swindon of all places), the entire Cambrian grinds to a complete halt, and nothing can move until GSM-R comes back up again.

    AFAIK the ERTMS kit inside the train is still FPGA. I do have some tasty photos of the ERTMS equipment racks inside one of the locos, but I can't make them public, I'm afraid.

    I've been following the roll-out and testing of the project here:

    http://www.mylordz.com/index.php?/category/4

    http://www.blurb.co.uk/b/4531371-the-21st-century-cambrian-railway

    The fitting of the equipment into the passenger trains can be seen here: http://www.mylordz.com/index.php?/category/45

    (Shameless plugs, I know, but it gives a comprehensive background to what's been taking place around here.)

  18. imanidiot Silver badge

    air gap beat by USB?

    I would bloody well think the airgapped PC doesn't just mount any ol' USB drive. Or has free USB ports at all. And has the mouse and keyboard hard soldered in.

  19. sean.fr

    Signalling

    Signalling attacks occur. I know of three main motives. Stealing copper, or in an attempt to get to England via the tunnel, the Great Train Robbery. All cause the same thing. The trains stop. The systems are designed to fail safe. With enough knowledge and physical access you could get around the safety features. You need quite a bit of site specific knowledge and physical access. Wireshark, Ettercap or Kali is not going to be enough as this is not simple IPv4 in clear. 5eyes + Government cyber security auditors may be up to it. Your average state sponsored terrorist might just find it easier to recable the track side signalling. In cab signalling requires you to get in the cab, and do a mod that does not get spotted when the driver tries to leave the yard.

    In short if you are a terrorist attack the trails, go for the rails or suicide bomb. If you are a state, ground attack planes worked in WW2. These have actually worked in the past. But if you look at real deaths on the rails, it's humans cocking up, not attack, that has been the issue. Modern systems make cock ups harder. That's the risk to prioritize.

    If you have the money to up the encryption on GSMr, forget it, spend the money on railway crossings where you will see results.

    1. Anonymous Coward
      Anonymous Coward

      Re: Signalling

      Want to do some real damage to scheduling? Buy a bunch of jumpleads, gather up some mates and clamp those jumpleads between the tracks of every line running out of a major station. For bonus points dig them into the ballast so they're harder to spot. For even more bonus points do it only near gated road crossings so the gates all stay closed. Guaranteed to shut down all train traffic (and probably a lot of road traffic in case of crossings staying closed). Cocking up the systems doesn't really require access to the signalling system itself.

  20. sean.fr

    Other signalling

    Why would you worry about train signalling rather than say road signalling? Why worry about your flights rather than the drive to the airport? In a plane or a train, it is out of your hands. In a RoR ship or cruise ship, you imagine you could get out through your own actions. You do not imagine the water is so cold, that getting out is not enough. In your car, you imagine you are a good driver and would slow down in time to avoid the pile-up at the faulty traffic lights.

    When you bet your life on a complex system or machine, you have no control. People do not weigh up risks on the basis of stats, they use emotion. Trusting systems and machines is harder than trusting people. Humans are experts on human behaviour. Systems and machines do generally prove safer than the humans they replace. However it is just more acceptable to be killed by a human.

    1. Steven Burn

      Re: Other signalling

      Humans aren't experts on anything - they just like to think they are ;o)
