
Claims that new signalling "could be hacked...."

Status
Not open for further replies.

FlippyFF

Member
Joined
5 Jan 2014
Messages
240
Location
Ashford, Kent
http://www.bbc.co.uk/news/technology-32402481
Richard Westcott said:
A hi-tech signalling system that will eventually control all of Britain's trains could potentially be hacked to cause a serious crash, according to a scientist who advises the government.

Prof David Stupples told the BBC that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks.

UK tests of the European Rail Traffic Management System are under way.

Network Rail, which is in charge of the upgrade, acknowledges the threat.

"We know that the risk [of a cyber-attack] will increase as we continue to roll out digital technology across the network," a spokesman told the BBC.....
 

68000

Member
Joined
27 Jan 2008
Messages
752
The most important bit of that is

'According to the professor, the system is well protected against outside attack, but he says danger could come from a rogue insider'
 

The Planner

Veteran Member
Joined
15 Apr 2008
Messages
15,927
So why hasn't anyone done it anywhere else with ERTMS already? Non story. Non seen 158s colliding on the Cambrian yet.
 

MCR247

Established Member
Joined
7 Nov 2008
Messages
9,591
A hack attack could theoretically cause trains to travel too quickly

I assume this is referring to the fact that ERTMS gives the driver a target speed or something IIRC? However this statement to me suggests that any hacker would have direct control of the speed of the train, which isn't the case.
 

dgl

Established Member
Joined
5 Oct 2014
Messages
2,409
Yes, how easy would it be to hook a power source up to a standard signal to get it to show an incorrect aspect?
To all intents and purposes this new signalling is much safer and if separated from any form of internet connection impossible for an outsider (without gaining access to NR property/track) to hack.

Track speed restrictions would probably be with fixed balistas with GSM-R used to regulate speeds when required to keep trains at set distances.
 

Harpers Tate

Established Member
Joined
10 May 2013
Messages
1,698
It's something I have never understood about hacks to critical systems like defence, banking, whatever.

In the main, hackers are able to gain access to these systems via the Internet.

It seems one of those perverse inevitabilities that someone, somewhere, will decide that these things NEED to be connected to the web, whether directly or otherwise. And that they will then proceed to surround the system with firewalls and security protocols to prevent unauthorised access. And that these precautions will be broken by an expert hacker.

Which begs, to me at least, a very simple question. Why did you feel you had to connect it to the Web at all? The best security is physical isolation.
 

DarloRich

Veteran Member
Joined
12 Oct 2010
Messages
29,265
Location
Fenny Stratford
Then don't implement it. Simple

:roll: what a good plan. BTW how are you finding posting on an internet forum............................
--- old post above --- --- new post below ---
It's something I have never understood about hacks to critical systems like defence, banking, whatever.

In the main, hackers are able to gain access to these systems via the Internet.

It seems one of those perverse inevitabilities that someone, somewhere, will decide that these things NEED to be connected to the web, whether directly or otherwise. And that they will then proceed to surround the system with firewalls and security protocols to prevent unauthorised access. And that these precautions will be broken by an expert hacker.

Which begs, to me at least, a very simple question. Why did you feel you had to connect it to the Web at all? The best security is physical isolation.

Because the equipment needs to "talk" to other items in the system to make the signalling system work.

Surely the risk is not external hackers but a frustrated insider out to cause trouble.
--- old post above --- --- new post below ---
So why hasn't anyone done it anywhere else with ERTMS already? Non story. Non seen 158s colliding on the Cambrian yet.

this^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

TheEdge

Established Member
Joined
29 Nov 2012
Messages
4,489
Location
Norwich
Yes, how easy would it be to hook a power source up to a standard signal to get it to show an incorrect aspect?

Great Train robbery. Covered over the correct aspects and hooked a car battery up to the red.

Track speed restrictions would probably be with fixed balistas with GSM-R used to regulate speeds when required to keep trains at set distances.

I know you mean balises but bravo on a quality typo. I also think speed restrictions should be enforced by Roman siege equipment! :lol:
 

LexyBoy

Established Member
Fares Advisor
Joined
23 Jan 2009
Messages
4,478
Location
North of the rivers
The most important bit of that is

'According to the professor, the system is well protected against outside attack, but he says danger could come from a rogue insider'

Quite. If at any point the system has a connection to the internet, then it is vulnerable to hacking. If not, then it would need either an insider - which is no different to the present - or a group with serious technical know-how to meddle with the system.

Whilst it's sensible to make any safety-critical system as secure as possible, there will remain much easier ways to cause a train crash for the foreseeable future.

:roll: what a good plan. BTW how are you finding posting on an internet forum............................

Eh? I like cats, maybe we should put them in charge of signalling?
 

Llanigraham

On Moderation
Joined
23 Mar 2013
Messages
6,103
Location
Powys
Strikes me Prof Stupples doesn't really know much about the system!
To quote from the article: "The system is already used in other parts of the world and there are no reported cases of it being affected by cyber-attacks." Any computer system could be hacked if it was connected to the internet but ERTMS isn't. The only way is internally.
Another non-story!
 

AM9

Veteran Member
Joined
13 May 2014
Messages
14,240
Location
St Albans
Quite. If at any point the system has a connection to the internet, then it is vulnerable to hacking. If not, then it would need either an insider - which is no different to the present - or a group with serious technical know-how to meddle with the system.

The problem is that the internet is there, it's (relatively) cheap to use, so the temptation to connect to it and use it as a cheap carrier to anywhere you desire is commercially irresistible. Then all it takes is lax security driven by management and staff convenience to expose internal critical systems to global attention.
Having said that the likes of Realtime Trains and Open Train Times need gateways to the operational data so their access management becomes key to the security of the critical systems.
 

DarloRich

Veteran Member
Joined
12 Oct 2010
Messages
29,265
Location
Fenny Stratford
Then don't implement it. Simple

Eh? I like cats, maybe we should put them in charge of signalling?

The point that you seem to be missing is that you use the internet every day. In fact you are using the internet to moan about the internet!

Systems can be hacked and your data stolen and misused yet you accept that risk. You accept that your online bank account is secure, you accept Amazon is secure but think a signalling system won't be!

The key is to maintain security of the system to reduce the risk as much as possible. Simply saying there is a risk so we shouldn't do it is stupid!
 

NSEFAN

Established Member
Joined
17 Jun 2007
Messages
3,504
Location
Southampton
AM9 said:
The problem is that the internet is there, it's (relatively) cheap to use, so the temptation to connect to it and use it as a cheap carrier to anywhere you desire is commercially irresistible. Then all it takes is lax security driven by management and staff convenience to expose internal critical systems to global attention.
Indeed. Most security problems on the internet are down to user stupidity/complacency rather than actual hacking!

I don't understand why this report has been published really, as it is just stating the obvious. "The system itself can be made pretty secure but I guess an insider could always bugger it up if they really wanted to." It's no different from the current situation, it just involves software rather than shorting wires together.
 

glbotu

Member
Joined
8 Apr 2012
Messages
644
Location
Oxford
It's something I have never understood about hacks to critical systems like defence, banking, whatever.

In the main, hackers are able to gain access to these systems via the Internet.

It seems one of those perverse inevitabilities that someone, somewhere, will decide that these things NEED to be connected to the web, whether directly or otherwise. And that they will then proceed to surround the system with firewalls and security protocols to prevent unauthorised access. And that these precautions will be broken by an expert hacker.

Which begs, to me at least, a very simple question. Why did you feel you had to connect it to the Web at all? The best security is physical isolation.

So air gaps (technical term for physical isolation) are great (although, recently, it's been shown to be feasible to breach an air gap). However, if you really wanted to, it's possible to gain access to air-gapped systems, by knowing where the cables are, by gaining access to secure terminals etc.

Most "hacking" is done by social engineering attack. This handy comic explains it in 2 easy panels.

The rest is done (mostly) using some form of script injection/browser hijacking, which unless Network Rail have decided on a browser-based/http solution to their signalling system and have written incredibly lazy back-end code, makes most hacks pretty unlikely.

Largely, this all stems from the fact that people don't understand hacking, so they're scared of it. They see it as pretty unlikely that someone will hook up a car battery to a fixed signal, but see kids typing really fast in films as bash commands flash up on screen and think it's happening all the time. In fact, both are equally likely.
 

gazthomas

Established Member
Joined
5 Jun 2011
Messages
3,052
Location
St. Albans
As with all security threats, yes it may be possible but you also need people with a motive. In the case of the latter there are easier options such as leaving objects on the track or cutting cables if you want to cause havoc.
 

carriageline

Established Member
Joined
11 Jan 2012
Messages
1,897
As with all security threats, yes it may be possible but you also need people with a motive. In the case of the latter there are easier options such as leaving objects on the track or cutting cables if you want to cause havoc.


Precisely. Even then, hacking the signalling system won't allow an 'unsafe' movement to be executed I'm sure (unless you could dial into a points module and tell it to move at exactly the right time, but I'm not sure if that's even possible!!)

It's nothing really new, SSI equipment has been attached to the "internet" for a while now. Gaining access to somewhere, or doing damage on the ground is probably far easier than this hacking business :lol:
 

snowball

Established Member
Joined
4 Mar 2013
Messages
7,711
Location
Leeds
The Iranian uranium centrifuges weren't connected to the Internet but were still infected with the Stuxnet worm via USB flash drives. Not sure how they managed that - maybe you just need to let loose a really addictive game or some porn and have the virus on there too.
 

LexyBoy

Established Member
Fares Advisor
Joined
23 Jan 2009
Messages
4,478
Location
North of the rivers
The point that you seem to be missing is that you use the internet every day. In fact you are using the internet to moan about the internet!

Systems can be hacked and your data stolen and misused yet you accept that risk. You accept that your online bank account is secure, you accept Amazon is secure but think a signalling system won't be!

What I was objecting to was that, to me, your response came across as dismissing concerns about security of a safety-critical system with a flippant comment that the poster finds the internet acceptable for trivial chit-chat.

I agree that "don't do it then" is a knee-jerk response, but there obviously is a valid question to ask. The academic in TFA has done just that and concluded that it is well secured from external hacking.

I didn't say I think ERTMS won't be secure. Equally I hope it's a damn sight more secure than Amazon!

The Iranian uranium centrifuges weren't connected to the Internet but were still infected with the Stuxnet worm via USB flash drives. Not sure how they managed that - maybe you just need to let loose a really addictive game or some porn and have the virus on there too.

You need in-depth technical knowhow about the systems being used, and some way of bridging the airgap. Stuxnet IIRC spread using vulnerabilities in Windows, infecting PCs worldwide and spreading to unconnected computers via USB sticks. It avoided detection as it does nothing except where specific bits of hardware are used, whereupon it reprogrammed the centrifuge controllers.

Possible for cyberwarfare units with the financial and intelligence backing of a state, unlikely for terrorists. Driving a petrol tanker onto the tracks would be much cheaper and easier.
 

Geezertronic

Established Member
Joined
14 Apr 2009
Messages
4,091
Location
Birmingham
There's always talk of this sort of thing whether it is planes or trains, next will be the auto drive automobiles :)
 

martynbristow

Member
Joined
15 Jun 2005
Messages
426
Location
Birkenhead
Targeting the rail infrastructure wouldn't come cheap and I fail to see the end point.

As the system becomes more electronic the risk of cyber attack becomes greater.
Offline systems are far more secure and unless it needs to be online it shouldn't!
At work we have an IP 3 strikes policy which actually works fairly well. Linux performs better than Windows systems.
So get a decent firewall and security software.

It's key he states an "inside job" being the problem, but that exists already!
I'm sure the railway have enough procedures in place to mitigate such incidents and the railwaymen themselves I'm sure have a great deal of pride and passion.
Although the system won't be secure perfectly appropriate checks can be put in place.

And as stated above there's a cheaper way than using a hacker.
Maybe someone has been watching "The Taking of Pelham 123" and going too far.
--- old post above --- --- new post below ---
The Iranian uranium centrifuges weren't connected to the Internet but were still infected with the Stuxnet worm via USB flash drives. Not sure how they managed that - maybe you just need to let loose a really addictive game or some porn and have the virus on there too.

Well the *cough* CIA devised a creative plan but it wouldn't go cheap.
Basically they used malware that cascaded through machines infecting pen drives using brute force to infect the Iranian centrifuges. It was looking for Siemens logic controllers. Given the resources of the CIA they will have had access to the devices and learned how to trigger them remotely like this. It only offset them slightly but they are precise instruments.

On secured systems you should NEVER insert unauthorised removable media. It was a lapse in understanding. USB has security threats because you can boot to it and it can be tampered with.
http://www.bbc.co.uk/news/technology-29475566

Most criminals are after money so attacking the railway wouldn't appeal to them. It would most likely be state sponsored.
 

HLE

Established Member
Joined
27 Dec 2013
Messages
1,405
The point that you seem to be missing is that you use the internet every day. In fact you are using the internet to moan about the internet!

Systems can be hacked and your data stolen and misused yet you accept that risk. You accept that your online bank account is secure, you accept Amazon is secure but think a signalling system won't be!

The key is to maintain security of the system to reduce the risk as much as possible. Simply saying there is a risk so we shouldn't do it is stupid!

I dare say my Amazon account being hacked, whilst being annoying for me, won't have quite the same impact as a signalling system being hacked. My banking though .... no still not anywhere near as bad.

I won't die/ be seriously injured (bar financially) if my Amazon/bank account was hacked. I probably would be if the signals were though?
 

DY444

Member
Joined
16 Sep 2012
Messages
138
Weren't the signalling systems diverted via the internet when the Dawlish breach occurred?

No they weren't.
--- old post above --- --- new post below ---
Anything containing software can be hacked. The variable is how hard it is to do. The popular Hollywood image that anything can be hacked from anywhere in the world by someone with a laptop is nonsense. Granted there are many systems that can be hacked that way but there are many that can't. That doesn't mean those systems are immune to the risk of hacking though.
 

MarkyT

Established Member
Joined
20 May 2012
Messages
6,244
Location
Torbay
There was some concern raised a few years ago about denial of service attacks with GSM-R. In ETCS2, where the radio system is used to issue and maintain movement authorities for the on-board ATP functionality, that could result in train equipment becoming swamped and being unable to process the legitimate messages from the trackside properly. The on-board systems would fail safely in that scenario, cutting traction and applying brakes to stop trains that had lost communications, so such an attack could result in widespread disruption, and there is a safety concern there if during such an occurrence train movements were then made under verbal authority, which is always riskier than running under the full protection of the signalling.

Spoofing movement authority messages continuously to fool a particular train into taking a dangerous course of action would be extraordinarily difficult with all the continuously varying positional data and the encryption provided. The system has been designed and certified to SIL4, the highest safety integrity level under European regulations and such risks are definitely analysed as part of this process.

Perhaps the riskiest area remaining is the fixed data about the railway infrastructure itself and how that is stored and updated. In order to calculate its safe speed at any time, a train computer needs a detailed digital map of the infrastructure ahead in addition to an accurate positional fix and a valid recently refreshed movement authority. The static data about the railway (speed restrictions, gradients, electrification etc) can be obtained from an on-board database covering a wide area (as used for the legacy GW pilot scheme ATP), or alternatively in ETCS more local chunks of track characteristic data might be encoded in the passive balises along the route, otherwise used for positional updates in conjunction with odometry. Either system has its challenges. For the wide area database carried on board, the latest map including temporary and emergency speed restrictions etc must be distributed and updated to all traction units before they go into service, perhaps using removable media (!). In the case of balises, the data in those specific transponders must be updated locally. Unless managed properly there is a danger that a mis-typed emergency speed restriction entry in a daily data update or a missed balise update, whether carried out maliciously or not, could result in a train not being given sufficient advanced warning of an upcoming restriction. This, to some extent, mirrors the risk of TSR and ESR advance warning boards and their AWS inductors being positioned incorrectly or not at all today.

Rest assured that computer based failsafe (SIL4) interlockings such as SSI and its successors continue to act as the 'safety brokers' in ETCS based installations for route setting, junction conflict and point movement, just as they do today in traditional color light areas. Their operation is governed by a fixed generic programme and bespoke local geographic configuration data constructs encoding the track layout and permitted routes. Neither programme nor geographical data can be changed remotely during normal operations via ANY means, and the initial commissioning of a site is governed by many many stages of independent checking, testing and audit. Whilst some quite serious mistakes have occurred despite all this, the risk of a deliberate malicious act slipping through is in reality vanishingly small.
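
The data-update risk raised in the post above (a mis-typed emergency speed restriction in a daily update, or a restriction that silently goes missing) is the kind of thing a release check can catch before the data reaches a train. The following is an added example, not part of the original post and not any railway's actual tooling; the record layout, field names, shared HMAC key and all sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: the record layout, field names and key are
# hypothetical, not taken from ETCS or any Network Rail system.
KEY = b"constructed-demo-key"
LINE_SPEED = [(0, 12000, 90), (12000, 30000, 125)]  # (start_m, end_m, mph)
PREVIOUS = [{"id": "ESR-1", "start_m": 5000, "end_m": 5400, "mph": 20}]
# Second, independently keyed copy of today's new restriction.
SECOND_ENTRY = [{"id": "ESR-2", "start_m": 14000, "end_m": 14300, "mph": 20}]
# Today's update: ESR-2 mis-typed as 200 mph, ESR-1 silently dropped.
UPDATE = json.dumps({"restrictions": [
    {"id": "ESR-2", "start_m": 14000, "end_m": 14300, "mph": 200}],
    "withdrawn": []}).encode()


def sign(payload, key=KEY):
    """HMAC-SHA256 tag computed by the data office over the exact bytes."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def line_speed_at(pos_m):
    for start, end, mph in LINE_SPEED:
        if start <= pos_m < end:
            return mph
    return None  # position is off the mapped route


def check_update(payload, tag, second_entry, previous, key=KEY):
    """Return findings; an empty list means the update may be released."""
    if not hmac.compare_digest(sign(payload, key), tag):
        return ["tag mismatch: update rejected without parsing"]
    update = json.loads(payload)
    entries = {r["id"]: r for r in update["restrictions"]}
    findings = []
    for rid, r in sorted(entries.items()):
        if r["start_m"] >= r["end_m"]:
            findings.append(f"{rid}: start is not before end")
            continue
        # Permitted speed at both ends (end_m is exclusive).
        limits = [line_speed_at(r["start_m"]), line_speed_at(r["end_m"] - 1)]
        if None in limits:
            findings.append(f"{rid}: lies outside the mapped route")
        elif r["mph"] >= min(limits):
            findings.append(f"{rid}: {r['mph']} mph does not restrict the line speed")
    # Dual entry: every record must match the independently keyed copy.
    second = {r["id"]: r for r in second_entry}
    for rid in sorted(set(entries) | set(second)):
        if entries.get(rid) != second.get(rid):
            findings.append(f"{rid}: differs from independently keyed copy")
    # Missed update: yesterday's restrictions must be carried or withdrawn.
    withdrawn = set(update.get("withdrawn", []))
    for r in previous:
        if r["id"] not in entries and r["id"] not in withdrawn:
            findings.append(f"{r['id']}: neither carried forward nor withdrawn")
    return findings


if __name__ == "__main__":
    for finding in check_update(UPDATE, sign(UPDATE), SECOND_ENTRY, PREVIOUS):
        print(finding)
```

The tag check covers deliberate alteration in transit (for instance on removable media), while the plausibility, dual-entry and carry-forward checks cover the honest mistake, which produces the same hazard.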
 

RichardN

Member
Joined
29 Nov 2013
Messages
430
Signalling systems are already connected to the web, how else would the maps at opentraintimes work?

I'd take a guess that somebody armed with nothing more than cable and crocodile clips could cause a lot of disruption in track circuit areas anyway...
 