A track geometry vehicle owned by the Federal Railroad Administration (https://commons.wikimedia.org/wiki/File:DOTX-218.jpg)
The Emerging Cyber Threat to the American Rail Industry
In 2008, Congress passed the Rail Safety Improvement Act (RSIA), which required the installation of Positive Train Control (PTC) systems—autonomous operation of a train to correct for human error—on most of the United States’ almost 140,000 route miles.
You may have heard of PTC. Back in 2017, the Amtrak Cascades derailment—which resulted in three deaths, around 100 hospitalizations, and monetary damages of more than $25.8 million—briefly thrust the technology into the spotlight when the government concluded that the accident wouldn’t have happened with a fully installed and operational PTC system. PTC is intended to stop precisely that uncommon but uncommonly dangerous cause of rail accident: dispatcher or operator error resulting in train-to-train collisions, derailments caused by speeding, trains improperly entering work zones, and trains entering an occupied track
Between 1987 and 1997, PTC-preventable accidents resulted in an annual average of 22 injuries, 7 fatalities, and 150 people evacuated. Since the completion of the nationwide installation of PTC on over 57,000 route miles at the end of 2020, 41 railroads now use the communications and signaling system, including the seven biggest freight railroads, Amtrak, and many smaller passenger railroads. Put another way, if you’re traveling in the United States, either by train or car that crosses railroad tracks, you will likely encounter a PTC-operable train.
While the elimination of these accidents will be a great leap forward in rail safety, the technology behind PTC increases the danger of a fairly new vulnerability for the rail industry: cyber threats. The first major events have already occurred—in Iran in 2021 and Belarus in 2022—both carried out by non-state actors.
And that raises a big question: Is the implementation of PTC just trading in one deadly risk for another?
Positive Train Control
RSIA does not list specific technological requirements for PTC systems (the act is “technology neutral”) but merely describes what PTC must achieve. Namely, it must prevent train-to-train collisions, enforce speed restrictions, and prevent trains from entering work zones or an occupied siding or sidetrack. This left the 41 railroads affected by the requirement to design and implement ad hoc technological solutions that work best for each railroad.
In its most generic form, the PTC system is made up of three nodes: the locomotive or onboard computer, the wayside device or signal, and the back or central office. Connecting these together is the communications network, composed of both wireless and cabled signals. The locomotive computer communicates with transponders along the track and with wayside devices to send and receive data about the location, direction, and speed of both the host locomotive and other tenant locomotives traveling on the same track. Data about movement authority and speed restrictions is received by the locomotive computer from the back office. The locomotive computer compiles all the received information and compares it with the action of the train. If the locomotive computer determines that the train is violating a movement authority or speed restriction, or is performing some other unsafe action, the locomotive computer will then correct the action of the train—presumably slowing or stopping the locomotive.
The Potential Danger of Exploited PTC System Vulnerabilities
In combining railways with Internet of Things solutions, the U.S. rail system becomes vulnerable to cyber threats, with potential harm ranging from mischief to loss of life and serious economic damage.
Researchers have predicted that a successful attack on a locomotive’s control systems with the intent to cause harm could, in the worst case, result in over 100 deaths from a single hacked train. On a hacked network with multiple trains, casualties would be much higher. The dangerous goods freighted over American rail every year, including toxic- and poisonous-inhalation-hazardous materials, compound the danger.
Short of human casualty, a successful hack of an American railroad would be disastrous for individual U.S. companies and the American economy as a whole. The railroads that have implemented PTC move over 5 million tons of freight annually, and a disruption to this movement would have damaging ripple effects across industries, including on international trade. Rail is the second largest transborder mode of transport for freight after trucks and was responsible for $179 billion of freight in 2018 moved in both directions across the Canadian and Mexican borders. The bulk of this freight—about 60 percent—was motor vehicles and parts, mineral fuels, and plastics (in a somewhat defensive posture, the Association of American Railroads has written quite a lot about how cars would largely be unavailable in an America without trains). The example of CSX’s service disruption in 2003 also demonstrates that an affected freight system is likely to affect any passenger rail connected to it.
Besides disruption to specific industries, American consumers would certainly notice a disruption to rail freight just by going to local supermarkets: Trains freight millions of carloads of food products, lumber products, and farm products every year. A disruption to the millions of carloads of coal and fertilizers freighted by rail would also negatively affect supply chains in the United States, affecting the operation of factories and farms.
One example of the damaging economic effect of service disruptions to a single railroad is the case of Union Pacific in 1997-1998. The railroad suffered a series of delays, crashes, and derailments over several months due to safety issues unrelated to a cyberattack. These service disruptions resulted in “direct costs of $1.093 billion and an additional $643 million in costs to consumers.”
The recent threatened railroad strike allows researchers even greater insight into what a successful large-scale or sustained cyberattack would look like. Pushed to imagine an America without Class I freight rail service, the Association of American Railroads published a report estimating that the U.S. economy would lose over $2 billion per day in the event of a nationwide shut down. Compared to the 1990s, American rail is more vital than ever to both the U.S. economy and international trade.
This isn’t an abstract concern. Rail systems in the U.S. and abroad have already fallen victim to malicious worms. See CSX in 2003, San Francisco’s Municipal Railway in 2016, and Deutsche Bahn in 2017. And between 2015 and 2016, the United Kingdom’s rail system was attacked four times by an unknown yet sophisticated actor exploring vulnerabilities in the system, without making any malicious moves. In 2017, Canada’s state-owned public transportation agency Metrolinx was the target of a thwarted North Korean cyberattack.
The first major successful cyberattacks on rail have come from non-state actors. In July 2021, a non-state group caused chaos in Iran by hacking into the display systems in train stations across the country and showing travelers false information. The hacked screens also urged citizens to call a number that was reportedly the number of the Supreme Leader. The cybersecurity group Check Point Research investigated the incident and found that the group Indra seemed to be connected to hacktivists and cybercriminals, not any nation-state. Check Point Research concluded:
We should be more worried about attacks that are entirely possible but “clearly aren’t going to happen” according to the calculus of prevailing common wisdom. … [T]his attack happened in Iran, but next month an equivalent attack could be launched by some other group targeting New York, and Berlin the month after that. Nothing prevents it, except threat actors’ limited patience, motivation, and resources, which—as we’ve clearly just seen—are sometimes not so limited after all.
Sure enough, it was only five months before a rail system was hacked again, this time in Belarus. In January and February of 2022, a “group of Belarusian politically motivated hackers” attacked and successfully disrupted Belarusian railways. The group reportedly intended to make a statement with the latter attack about the use of those railways for Russian military strategy in the February invasion of Ukraine. These hackers apparently deleted some systems, encrypted others, made it “impossible to buy tickets,” and stopped trains in Minsk, Orsha, and Osipovichi by compromising routing and switching devices. The group also claimed, but it was not independently confirmed, to have slowed the travel speed of other trains by putting them in “manual control mode.” An intelligence official speaking anonymously to Vice about the incident stated: “I can confirm there’s technical concern by both the Russians and Belarusians about this incident …. It sent a message [that] their security infrastructure both physical and cyber … can’t be properly secured.”
Three Considerations for Strengthening Railway Cybersecurity
Three important factors unique to the rail industry must be considered when securing PTC systems against cyberattacks: the longevity of the railroad infrastructure and the lifespan of some of its parts, the vastness of the American rail system and the problem of interoperability, and the inherent tension between safety and security in design and operating concepts.
Ronald L. Batory, the former administrator of the Federal Railroad Administration, testified to Congress in 2019 that PTC was “the most fundamental change in rail safety technology since … the 1920’s.” As a mechanical industry air-gapped for over a century, rail infrastructure is full of legacy assets from before the internet, and researchers have raised concerns that the industry has a false sense of security during this technological revolution. While the industry has increasingly computerized in many ways, “shockingly poor practices” were found to be “widespread” in a security assessment conducted by an independent research team and presented at a 2015 information security conference held in Hamburg, Germany. Purposefully not discussing specific railroads or precise vulnerabilities for security reasons, the team spoke generally about common problems they discovered in rail cybersecurity in European and American systems, such as lack of authentication protections and the use of hardcoded passwords for remote systems.
Perhaps most troubling, the researchers found that, in some systems, hackers would be able to access locomotive control systems directly from the in-transit entertainment systems in the passenger cabins.
Relatedly, the rail industry relies on component parts that have a long lifespan: Railroads can expect some parts to last for at least 25 years. Given the dominant mechanical culture, the rail industry has been slow to adopt information technology systems; and, as the team’s security assessment highlighted, the industry also tends to be slow in updating its software, using obsolete versions that don’t receive security patches. Furthermore, as is the case in any information technology (IT) system, the human employee still represents the weakest link when it comes to cybersecurity. As exemplified by the malware attacks on CSXT, the San Francisco Municipal Railway, and Deutsche Bahn, individuals in the rail workforce are as vulnerable as any to social engineering. Special attention must be paid to widespread IT training of the workforce, with a focus on software updates and social engineering threats.
The American rail system is a vast interconnected network of 140,000 miles of track, owned and operated by a tangle of hundreds of railroad companies. One of the biggest problems in PTC implementation has been the task of interoperability between the various PTC systems differently designed and operated. Security gaps may arise when two systems are designed independently from each other and must communicate. This possibility is exacerbated by the fact that each company relies on several secondary IT systems—each system providing an additional entry point for the possible introduction of malware, thus increasing the company’s and wider network’s vulnerability to cyberattacks. The sheer size of the rail system means it is not economical to physically protect every possible entrance point—either the multiple points of entry over the nation or in the huge workforce needed to maintain it—and the systems are “very vulnerable” to denial-of-service attacks. The danger posed by geography and the complicated interoperability must be offset by the strongest cyber resiliency in other areas.
The well-being of rail workers and customers depends on both the safety of the mechanical components and the security of the digital systems; however, while safety and security are interrelated, they are separate processes with different approaches, which can create tensions. As Christian Schlehuber and Dominik Renkel wrote, safety is “static, admitted and is not allowed to change over the years,” while security “has to adapt dynamically to changes in the threat landscape.” With these definitions in mind, the U.S. rail industry is safety oriented, with modern trains essentially being amalgamations of safety systems (toilets, horns, and window glazing are all systems covered in the federal regulations overseen by the Federal Railroad Administration’s (FRA’s) Office of Railroad Safety, for example).
Safety requirements in the rail industry are long-standing and well-developed. After all, the physics of a locomotive crash remain unchanged despite mechanical improvements. When mechanical changes do occur, approval processes for safety systems are lengthy and costly and must involve rounds of testing, verification, validation, and assessment. Yet as anyone with a computer knows, software updates and patches occur with a frequency that at times appears startling. A separation and lack of coordination between safety personnel and security personnel responsible for the same systems could result in work done inadvertently at cross purposes. While this tension between safety and security is unlikely to ever be fully resolved, the industry and the FRA should communicate and work to enhance integration and cooperation, understanding the basic requirements and necessities of both security and safety as they relate to the physical and digital systems.
Although railroad companies have the freedom to design and implement security practices based on their own standards, without government-imposed requirements, the FRA should ensure during approval processes that railroads are implementing best practices for cybersecurity. Examples of these best practices include penetration testing and red-teaming of PTC networks, and regular personnel training to strengthen the workforce against social engineering. With regard to the communication network that links together the nodes (the locomotive computer, the wayside device, and the back office) in the PTC system, while there is no specific level of encryption-strength required, algorithms are approved by the National Institute of Standards and Technology or “a similarly recognized and FRA approved standards body,” with the PTC Safety Plan defining the level of security they must meet. With these best practices, the FRA should work to ensure that railroads meet the highest security standards possible. In the first year of implementation, the FRA already showed that it will continue to update PTC requirements and stay on top of PTC safety issues.
Finally, in emergency plans, railroads should pay particular attention to the specific circumstances that would trigger a shutdown of a rail network. Depending on the nature of a cyberattack, the shutdown of an entire system or multiple railway systems could be necessary in order to assess all compromised assets, to allow for the update and validation of systems, and to ensure a full operational recovery from the attack. In the moment, however, it may be difficult to decide to shut down a rail network since, as already discussed, such a shutdown would have a large financial impact on the company and the wider economy. However, such a decision may be necessary to save lives.
Researchers in 2016 capped the worst-case casualty scenario for a PTC compromise at a few hundred deaths, because they believed any responsible authority would shut down the rail network before more could occur. Unlike what they theorized in 2016, the pandemic has revealed that perhaps the choice between human lives and the economy is not made so easily, and companies should put plans in place now for when and under what circumstances this last resort will be triggered.
The principle of cyber resiliency is to prepare for when, not if, an attack occurs, with the awareness and admission that some attacks will be successful. Given the risk to American lives and the U.S. economy, the greatest task and responsibility of the rail industry today is to enter the PTC age on the best possible footing by keeping in mind the unique features of the rail industry and learning from past breeches with an eye to the future and on the dynamic cyber threat landscape.
Claudia Swain is the digital strategist of Lawfare. She previously worked as a program fellow at #NatSecGirlSquad and as a bureaucrat at the Federal Railroad Administration. She holds a MA in Security Studies from Georgetown University and a BA in Government from The College of William and Mary.