Simply not being connected to the Internet really isn't enough.
Of course it isn't and I never said it was. Encryption is used in the hardwired trackside data links as well, and even if you managed to defeat that and could read the raw data in messages, unless you knew the full engineering configuration of the specific site you were attacking you would be able to make little sense of it.
Nope. As long as you can socially engineer someone to stick that pen drive in, you still don't need to ever go near the railway.
Signalling, since its inception, has always incorporated a core safety layer in it's architecture, the interlocking. This is where most effort is made to ensure unsafe combinations of output signal states cannot occur. ETCS does not change this.
For original SSI installations, the interlocking logic that interprets control centre requests and issues trackside commands to moves points and clear signals is run on triplicated majority voting custom hardware housed at secure sites using programs and site-specific data burned in EPROMs that cannot be changed in service without first shutting the system down which means all signals at red or the ETCS equivalent. Official reconfiguration is tightly controlled and can only be carried out under a possession shutdown with rigourous handover and handback procedures and lots of paperwork. There simply is no way an external drive could be inserted containing malwar. Newer interlocking hardware products are based to a greater extent on generic industrial process control components, but they certainly are not 'off the shelf' PLCs. In approval of such systems for railway signalling use, manufacturers have had to prove that the system and its configuration procedures are at least as secure as older systems and conform to SIL4, the highest safety integrity level possible. That process requires exhaustive risk analysis of all failures and attacks known and envisaged. Specialists and consultants are employed widely for their particular fields of expertise, in EMI and security for instance, and there are constant independent reviews at all stages. A very complex and expensive but neccessary process when so many lives depend on it.
In its unending pursuit to fail safe, signalling technology is and always has been quite vulnerable to 'denial of service' incidents. System performance is often balanced on a knife edge between sensitivity and reliability. Theft of cable in old relay technology areas invariably results in signals reverting to red on loss of control, if not complete power disconnection. In modern systems with their greater centralisation, reliability has become a major preoccupation and there are safety implications as well because a system that fails frequently (albeit safely) leaves the operating railway full of passengers under the manual control of signallers and drivers exchanging verbal commands and confirmations. That is very slow compared to normal operations and much more open to human error. Using the fibre FTN assists providing instantly switchable diverse routing for remote links in the case of cable damage.
Also, these systems are connected to the Internet somewhere along the way - how else would the Open Data sites get details about realtime running? How would the berth data get to OpenTrainTimes so Poggs can produce his maps, if not from the signalling centre or another part of the signalling system?
Interlocking computers can only accept certain kinds of commands on specific hardware configured ports from the control centre. These are route or point movement requests, and engineering disconnections which can lock certain parts of the track layout or specific routes or points out of use. No other instructions can be interpreted by the interlocking successfully. The real-time states of all signals, points and tracks circuits are exported continuously via another output port to the control centre, and it is there that the steps are interpreted and linked to the headcodes for the Train Describer functionality and the results exported to other systems.
Encryption in GSM was hacked many, many years ago. The particular cipher in question (A5/1) continues to be used for basic GSM (i.e. 2G) communications.
http://en.wikipedia.org/wiki/A5/1
New ciphers were of course introduced as 3G and LTE came along, but for backwards compatibility reasons they weren't introduced onto 2G.
I can't find anything stating which ciphers are used in GSM-R specifically, but it's interesting that the following document notes, on page 7, that GSM-R should be considered basically open from a safety standpoint.
http://www.bane.dk/db/filarkiv/5589/Boundaries between ETCS and the GSM-R network.pdf
Happily, they do seem to have taken security into account in designing ETCS, and as you note - they are running their own encryption on top (diagram on page 6).
That has always been the case. In designing digital systems to respond safely to environmental interference and hardware malfunction much of the work to protect against maliciuos attack has already been done. The continuing challenge in the future is to harden the systems further to create greater resilience to denial of service attacks as part of the reliability effort.
The ETCS concept is not fundamentally reliant on using GSM-based radio specifically, and might adapt plausibly to offer alternative open radio standards in the future like other communications based control systems.
For its (admittedly non-ETCS) urban SELTRAC system Thales now offers a variant which dispenses with the unloved continuous leaky feeder cable between the rails (as used in London for Jubilee, Northern and Docklands lines) in favour of closely spaced overlapping radio transceivers using IEEE 802.11 standards.
https://www.thalesgroup.com/sites/default/files/asset/document/SelTracBrochure_CBTCSolutions_eng.pdf.
TfL intends to use SELTRAC for extensively upcoming TfL schemes covering the entire 'subsurface' network (Circle, Metropolitan, District, Hammersmith & City) and the Piccadilly Line. Perhaps these will incorporate the 802.11 solution.