
Computers; what if the railway was attacked?

Status
Not open for further replies.

Crossover

Established Member
Joined
4 Jun 2009
Messages
9,268
Location
Yorkshire
And indeed you'll be well overdue an upgrade by that time! I reckon on getting about five years out of a laptop before a mixture of physical wear and tear and hardware obsolescence mean that a new one is required. Which fits in nicely with Microsoft's release schedule usually. I'll probably be in the market for a new laptop around 2019 all things being equal and no doubt by that time whatever is going to succeed Windows 10 will probably be out by then.

My 10 year old (in July) laptop is doing alright really :P
 

fireftrm

Member
Joined
20 May 2012
Messages
850
Location
North Yorkshire
In the old days, when the TOPS system failed, they used BOTTOMS instead!

Back Over To The Old Manual System!!

But seriously, yeah, if computer systems fail, or get hacked, nobody's going anywhere. Whole system could grind to a halt.

This is why the scariest movie I have ever seen is Die Hard 4, because stuff like that could actually happen, and anything and everything could get shut down.

Just checking mrcheek - is your profile post line of Supporting Trump and Breitbart honest?
 

paddington

Member
Joined
19 Feb 2013
Messages
964
I know an accountant who uses Windows and Office 95 and has done so since 1995. He does not connect that machine to the internet. About 5 years ago it stopped working. He paid me £20 to see what the problem was - the power supply had failed so I replaced it and it still works nearly as well as it always has.
 

Bantamzen

Established Member
Joined
4 Dec 2013
Messages
9,829
Location
Baildon, West Yorkshire
If you really want to support the evil empire... www.apple.com (I'm typing this on a MacBook Pro but won't buy another Mac as they are now taking the mickey with their prices which are beyond premium now)

It's been a while since I've looked at iPrices, so excuse me for shouting here....

HOW MUCH????? (In my broadest Yorkshire accent :D )

You can see why most businesses do not opt for Apple solutions, nearly £1.5K for their cheapest laptop, that's nuts. They have already had to drop the Mac itself due to falling sales, I can see the time in the near future when the MacBook heads south too.

Keeping the thread on-topic, I honestly believe that this latest (and it is only the latest in a long string of recent attacks) attack shows the vulnerability of off-the-shelf operating systems for large enterprises. I know from my own work the UK government have been tentatively dipping their toes into the world of custom Linux builds, and it is probably long overdue. The same should go for other large organisations, especially where there are critical networked applications. The fact that the ransomware made it through to DB's CIS shows that nowhere is completely safe, and so bespoke custom builds are going to have to be the way forward. There will be a financial commitment required of course, nothing like the Apple costs mind you, but nonetheless organisations are going to have to look for better ways to secure key systems in the future, and locked-down customs are more likely to deliver than trying to slot in applications into generic operating systems.
 

cjmillsnun

Established Member
Joined
13 Feb 2011
Messages
3,257
I know an accountant who uses Windows and Office 95 and has done so since 1995. He does not connect that machine to the internet. About 5 years ago it stopped working. He paid me £20 to see what the problem was - the power supply had failed so I replaced it and it still works nearly as well as it always has.

And as it is not networked it is 100% safe. His big problem will be replacing the hard drive when it dies as the motherboard's IO will be IDE and not SATA and he may not even have USB (and if he does it will be USB 1.0)
 

GusB

Established Member
Associate Staff
Buses & Coaches
Joined
9 Jul 2016
Messages
6,754
Location
Elginshire
Surely if it is not networked, it can't be victim to an online cyber attack?

It's still vulnerable if files are being transferred between computers using something like a USB flash drive, or floppy disk as is highly likely with a machine of 1995 vintage.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
31,138
Location
Scotland
It's still vulnerable if files are being transferred between computers using something like a USB flash drive, or floppy disk as is highly likely with a machine of 1995 vintage.
Indeed. If it's being used to do useful work then I'd assume that data is transferred to it somehow.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
31,138
Location
Scotland
You just not quite willing to stop hedging your bets to go for that extra 1%? :lol:

I can't remember which hacker it was, it was probably Kevin Mitnick, who said something along the lines of "The only computer I couldn't hack is turned off, in a box, six feet underground. And even then..."
 

Crossover

Established Member
Joined
4 Jun 2009
Messages
9,268
Location
Yorkshire
I can't remember which hacker it was, it was probably Kevin Mitnick, who said something along the lines of "The only computer I couldn't hack is turned off, in a box, six feet underground. And even then..."

I was at one of his seminars the other week - a very interesting speaker. And yes, he pretty much alluded to being able to have a go at anything (he duplicated an audience member's 'RFID' access card as part of the demo!)
 

SpacePhoenix

Established Member
Joined
18 Mar 2014
Messages
5,491
And as it is not networked it is 100% safe. His big problem will be replacing the hard drive when it dies as the motherboard's IO will be IDE and not SATA and he may not even have USB (and if he does it will be USB 1.0)

You can get SATA->IDE conversion kits. Don't know if there is such a thing as an ISA slot USB expansion card, would PCI expansion slots have existed in 95? My gut feeling is that PCI expansion slots were introduced a few years later.

Any time a computer has a disk or USB stick plugged in/inserted that has come from someone else there's always the risk of a virus/malware infection.

Does XP get used in depots, control rooms and other "back office" places?
 

JamesT

Established Member
Joined
25 Feb 2015
Messages
2,794
You can get SATA->IDE conversion kits. Don't know if there is such a thing as an ISA slot USB expansion card, would PCI expansion slots have existed in 95? My gut feeling is that PCI expansion slots were introduced a few years later.

PCI came out in 1992. But mostly took off with the second-generation Pentiums which came out in 1994.
Of course if he's running Windows 95, it probably doesn't support USB anyway. Only the latest service releases had any support and they needed a special driver installed.
 

D365

Veteran Member
Joined
29 Jun 2012
Messages
11,506
Surely IDE hard drives are still available to purchase?

And my advice would be to get him off Windows and onto Linux (any kind of lightweight distro) as soon as you can.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
31,138
Location
Scotland
And my advice would be to get him off Windows and onto Linux (any kind of lightweight distro) as soon as you can.
This is someone who has stuck with Windows 95 because it 'does what they need it to do' - do you really think they have the tech savvy to deal with a switch to the Linux way of doing things?
 

Tim M

Member
Joined
9 Jul 2016
Messages
185
If the railways became subject to cyber-attack, what would be the immediate and long-term effects? Ticketing (online and in stations) would obviously be down, but what about signalling and communication? Would trains have to be halted? Would some lines still run and others shut down? Is there a back-up system?
Would red lights used to stop trains still work (ie be switched on/off) and if not, how would you get a train to stop?

Can we get back to the original question, I'm not sure that the long rambling discussion about Microsoft, Linux etc. etc. etc. is relevant to this forum.

For other systems you have to consider the operating systems being used, the knowledge of the hackers and what would give them a quick win. In some ways the recent Ransomware attack might have backfired on the hackers as going for big organisations is unlikely to reap much monetary benefit. Unless of course they are terrorists out for disruption which is what we saw in the NHS. It's also worth remembering that hackers will have much greater knowledge of operating systems with significant worldwide populations.

So let's look at signalling systems. Mechanical, the operating system includes the signaller, no hacking possible there. Relay interlocking (try hacking that!) often has a TDM control and indication system to the Signalling Centre, probably a bespoke operating system that hackers will ignore as not worth touching, probably all behind a firewall anyway. Computer Based Interlocking, very bespoke operating system, again no money in hacking into that even if they could understand the software code. You can't display a message saying 'pay up or else' on a signal.

Control Centres using a PC front end and servers might be an issue but as soon as such systems might be connected to the outside world firewalls etc. again come into play. Oh and as for specifics on security, probably restricted information.

So to answer the original question, worst case is signals at red, trains stop. It may not be 100% possible to prevent hacking but bespoke operating systems, firewalls and other security methods are likely to make hacking very difficult and probably not worth it anyway.

As for systems such as ticketing etc., others might provide an answer.
 

gsnedders

Established Member
Joined
6 Sep 2015
Messages
1,472
Can we get back to the original question, I'm not sure that the long rambling discussion about Microsoft, Linux etc. etc. etc. is relevant to this forum.

For other systems you have to consider the operating systems being used, the knowledge of the hackers and what would give them a quick win. In some ways the recent Ransomware attack might have backfired on the hackers as going for big organisations is unlikely to reap much monetary benefit. Unless of course they are terrorists out for disruption which is what we saw in the NHS. It's also worth remembering that hackers will have much greater knowledge of operating systems with significant worldwide populations.

So let's look at signalling systems. Mechanical, the operating system includes the signaller, no hacking possible there. Relay interlocking (try hacking that!) often has a TDM control and indication system to the Signalling Centre, probably a bespoke operating system that hackers will ignore as not worth touching, probably all behind a firewall anyway. Computer Based Interlocking, very bespoke operating system, again no money in hacking into that even if they could understand the software code. You can't display a message saying 'pay up or else' on a signal.

Control Centres using a PC front end and servers might be an issue but as soon as such systems might be connected to the outside world firewalls etc. again come into play. Oh and as for specifics on security, probably restricted information.

So to answer the original question, worst case is signals at red, trains stop. It may not be 100% possible to prevent hacking but bespoke operating systems, firewalls and other security methods are likely to make hacking very difficult and probably not worth it anyway.

As for systems such as ticketing etc., others might provide an answer.

I know I keep mentioning it, but Stuxnet attacked a specific model of Siemens centrifuge—I doubt there'd have been money in that! Being bespoke or different doesn't actually stop much if there's someone determined to; with most of the railway infrastructure I'd be most concerned about state-level actors who are those most capable of pulling something like that off: the combination of shutting down the railway along with starting a military campaign could be pretty dramatic, taking out a large part of logistics and potential supply lines.
 

Olaf

Member
Joined
29 Mar 2014
Messages
1,054
Location
UK
But no more than they would have made if the customers had upgraded when they 'should' have. And in that case they wouldn't have been able to sell those lucrative support extension contracts. So MS isn't really a winner in this.

Prices are much higher these days; there are the potential bulk discounts, but the episode will lead to a healthy boost to income, and will serve to support the company's drive to get users onto Windows 10.

Where they can. It's unlikely that organisations that didn't have the skill/will/money to upgrade Windows version will have the skill/will/money to move to a completely different OS overnight. So they'll likely stick with what they've got for at least a full upgrade cycle.

Yes, the lack of in-house skills is always a problem, but most businesses have service contracts covering migration work.
 

Olaf

Member
Joined
29 Mar 2014
Messages
1,054
Location
UK
A lot of people have a very simplistic view of what it takes to upgrade the OS in a major business.

I could write an essay on upgrade issues, as could anybody who has worked in IT in a major national business but it all comes down to money. Being out of support simply isn't an argument, you have to be able to put a positive cost benefit on the upgrade. (I never liked that approach but I was just the poor devil who had to nursemaid the old software).

Getting justification for renews and replacements usually takes into account other additional factors such as risk exposures, business requirements, and operational initiatives. It is businesses that do not take the full set of factors into account that will be disrupted by any of a number of problems. Perhaps this will be a wake-up call to some, and used as such by others to get more robust practices in place.
 

Olaf

Member
Joined
29 Mar 2014
Messages
1,054
Location
UK
No: it's government cost cutting. They cut budgets and forced IT outsourcing then failed to fund new systems.




What if train stations are? What is the worst that can happen? The ticket machines don't work, the screens go bananas and the tannoy plays Britney Spears.



they best start with No.10 & the Dept for Health. Perhaps Mr Hunt could explain the issue of funding cuts.............



Then you are blind and/or naive. The cuts to NHS funding and the forced outsourcing of IT services in most trusts are large contributory factors. The government knew the system needed an upgrade but did nothing. As they have "devolved responsibility" or some such rubbish to the trusts they have spent the weekend blaming the skint trusts. The government are to blame. They have failed to secure and protect "critical national infrastructure"





If you simply wrote please let me have X£m because Y is going out of support on your authority paper you would fail.

If you wrote Y going out of support means ABC become more likely and if ABC occur that will cause XYZ and cost us XXX£M compared to the x£m needed to invest in a new system people will sit up and take notice - at least from my experience ;)

The NHS is renowned for ineptness and the mismanagement of its Technical Services; has wasted millions on failed projects - that is where a large chunk of the IT budget has gone.
 

Olaf

Member
Joined
29 Mar 2014
Messages
1,054
Location
UK
I'd be surprised if the signalling systems were internet enabled. The admin computers might be (train planning etc), but the actual tech that switches points and signals is likely to be closed-circuit.

A big problem in a lot of business in recent years has been the Phishing attacks targeted at any member business's of IT Services from Directors down to Ops;

These attacks are not yet fully appreciated in many places and are the biggest risk, along with that of deliberately destructive activities by staff, to businesses - these targeted attacks can effectively by-pass all safeguards if well structured.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
31,138
Location
Scotland
Yes, the lack of in-house skills is always a problem, but most businesses have service contracts covering migration work.
Thanks for the really good laugh. My week wouldn't have been nearly as busy as it was if even 10% of MSPs actually knew what they were doing.
 