Why positive train control is vulnerable to a cyber-attack

By Angela Cotey | August 23, 2019 | Last updated on November 3, 2020

Software, connectivity will likely contribute to hackers' ability to stop trains

Even as railroads continue to roll out positive train control, one question remains front and center: Are the systems vulnerable to a cyber-attack?

“Those are questions that have been raised at the highest level to the lowest levels,” says Jim McKenney, technical director at United Kingdom-based NCC Group’s Transportation Assurance Practice. 

“Those are continuously being audited and addressed every single day and will be as long as there are people on trains and they’re going through areas where people live.”

Unlike other critical infrastructure, such as energy or water management systems, rail networks have avoided regulations as lawmakers have focused recent efforts on safety due to high-profile crashes, says Jesus Molina, director of business development for Waterfall Security Solutions.

“There is no question that a PTC rollout without managing the cybersecurity risk will open new attack vectors due to increased connectivity and new software added to the networks and onboard train,” Molina says. “In these cases, PTC may actually decrease the safety of passengers due to an unacceptable increased risk of cyberattacks that may lead to accidents.”

Railroads are installing PTC on nearly 57,848 route miles and on 19,912 locomotives, according to numbers from federal agencies.

“The use of IT-focused security tools, in particular, software tools such as firewalls to protect control critical networks is a huge mistake, and with increasingly connected rail networks, it is becoming a dangerous trend,” Molina says. “The focus of critical control networks is to be reliable and safe, and IT tools meant to protect data and confidentiality are not suitable to defend them.

“The most secure rail sites are not concerned with the steadily increasing sophistication of cyber-attacks, nor with the steadily increasing rate of disclosure of new attack vulnerabilities in control systems, network, firewalls and other security software,” Molina says. “This is because the most secure sites protect their automation systems from cyber-attacks physically, with hardware-based solutions such as unidirectional security gateways.”

Experts seem to agree that cybersecurity concerns around PTC are part of a larger discussion, says Allan Rutter, a former administrator of the Federal Railroad Administration.

“The railroads’ cybersecurity challenge isn’t unique to PTC,” Rutter says. “It has to do more with the expansion of technology and wayside measurement and train control system and vehicle tracking. Their concerns about cybersecurity cover the entire waterfront of everything they do. And PTC is a subsystem, but I think their cybersecurity concerns are broader and wider than that.”

The topic has caught the attention of lawmakers, who broached the subject during a May hearing on state-owned enterprises in public transit and freight rail.

“Any disruption or corruption to these functions or to our transportation network as a whole would have a debilitating effect,” U.S. Rep. Sam Graves, R-Mo., ranking member on the Committee on Transportation and Infrastructure, said in prepared remarks.

“Bad actors” have successfully compromised rail networks in Denmark, the United Kingdom, Germany, Poland, and the United States, Molina says.

“The targets for most of these breaches was to install malware and ransomware for financial gain, but once a system has been breached, more sophisticated targets, including cyber-physical, rather than pure IT, are possible,” Molina says.

“New targets will start appearing once these actors find a reason to go beyond the IT system, and the new payloads after a successful network breach may include modifying signaling systems to cause collisions, or forcing a malfunction in the software at the control center to impair service,” Molina added. “The question is not if payloads threatening safety will appear, but when.”

And, what happens when a bad actor hacks into a railroad’s PTC system?

Retired U.S. Army Brig. Gen. John Adams, president of Guardian Six, said in prepared testimony to the House Committee on Transportation and Infrastructure that since PTC does not allow for driving a train, hacking the system might merely bring trains to a halt.

“A malicious cyber breach of PTC or underlying existing rail signaling systems could wreak havoc and cause accidents or derailments on the highly interdependent freight railway network,” Adams says.

11 thoughts on “Why positive train control is vulnerable to a cyber-attack”

  1. Mr Cook, have you ever been to a wreck site where a train derailed at 25MPH?
    Even at that low speed it is a nasty piece of carnage.
    Therefore, I would not recommend derails as the first line of defense.
    It is obvious that anything man made can be hacked.
    What to do? As everyone has written, keep a crew in the cab.
    Whether human greed will overcome practicality remains to be seen.

  2. I still would like to know what was wrong with ASC or Automatic Speed Control or the trip arm system on the New York City Subways, PATH and others?

  3. I have been using this argument since before remote control began. Anything cyber connected can, and will be, hacked. When remote control was being implemented in a terminal I worked at, I was discussing Remote Control with an engineer buddy. Both of us agreed that it was not a matter of “if” but “when” a serious incident would happen. This is a continuing argument for human crews on trains. Even if PTC is hacked there is a human capable of taking some sort of action to override or counter the hack. The latest argument posed by the AAR and the Feds is that current results of crewless operation do not show evidence of it being more dangerous than crewed operation. However that does not prove or even indicate that crewless operation is safer. If you want to show black and white in your picture, you don’t use a gray crayon to do it. Tell the truth… cyber/crewless operation is a catastrophe biding its time.

  4. I might respectfully mention that the problem isn’t confined to railroads. As more and more systems are connected to the internet — whether they are the stoplights in a city, the valves and pumps on a water supply system, the valves and pumps on a gas pipeline, or whatever, (never mind your home — Alexa, blow up the house) it should be obvious — but apparently isn’t — that sooner or later someone — from a teenager in a basement to a State actor — will figure out a way to take control of the system in question.

    Also, with all due respect to Mr. Coleman, the possibility of such hacking causing a collision (railroads, traffic light, aircraft) or an explosion (gas and oil) or a shut off of water or whatever is hardly far fetched. It is very real indeed.

    It is not a question of whether a disaster can take place, it is only a question of when and how a disaster will take place.

    PTC can and will fail, just as any other system can and will fail — whether it is a state of the art computer system or a can opener. Hopefully it is designed to be at least fail safe — in the context of railroading that would be bringing every train on the system to a stop — which would be a major inconvenience. It would be nice if it could be fail operational, but that is unlikely at best.

    PTC will make the politicians happy – a useful outcome — but not much else.

    For railroads, the best defence against a problem will be — as it has been for decades — the vigilance and care of the men and women running the trains.

  5. Mr. Gerald McFarlane

    And the reason for your post? To try to diminish a wreck of the train which was crewless and a runaway? It’s not very smart trying to defend a wreck, intentional or not, which was still a crewless train, out of control. The size of the end result is of little importance compared to what might have happened. What difference does it make if it was intentionally wrecked in the sand dunes or it wrecked on its own projection?
    Crewless freight trains will never be rolling through towns and cities or farmland in America, so just stop wasting money on programs trying to do that. I’m a major stockholder and I object to the expense of PTC. It would have been considerably cheaper to build switch point derails beyond every end of double track switch and signal and for every drawbridge or rail crossing. That derail worked very well stopping a Washington State Talgo train at the unusual lift bridge on Puget Sound. If you run through a stop signal, you get derailed and stopped. No head-on collision that way.

  6. PTC is an overlay system on top of the vital logic that actually controls switches and signals, so the idea a bad actor can cause a collision is a bit far-fetched. Bringing trains to a halt and making for a miserable day? Maybe.

  7. W Cook,

    The crewless train in Australia was INTENTIONALLY derailed because it was a runaway. It did not derail on its own; they had to route it so that it would derail, and it wasn’t a giant wreck. Yes, it derailed, but it wasn’t a jumbled smashed up pile of junk as if two trains had collided.

  8. The underlying existing rail signaling systems are still there and that is not digitalized. But possible cyber-attack is why you will not see crewless trains. Even the crewless train in Australia ran away till it ended in a giant wreck.
