AAR denies US connected train cyber vulnerabilities
January 27th 2016
The American Association of Railroads has denied claims by a Department of Homeland Security (DHS) specialist that its connected train technologies pose a security threat, and that the US railway industry does not take cybersecurity seriously. The researcher, a consultant for the DHS, alleges that US railways have been hacked on a number of occasions, and that a number of serious accidents causing fatalites could have been caused by hackers, a suspicion he says is shared by officials within the US Transportation Security Administration (TSA).
The controversy arises just three months after Congress delayed the implementation of the Positive Train Control system at the request of railway operators, who argued that the scale of the task made it impossible to meet the 2016 deadline. Positive Train Control is a connected train and signalling technology that is designed to be safer and more secure than existing train communications systems. In October, Congress gave the railway companies another five years to complete the upgrades.
The accusations by security specialist Neil Smith were contained in an article in the Boston Review. The article argues that US rail industry wireless communications are easily hacked, with telemetry and other control data easy to obtain from passing trains. The article also claims that the US rail industry has a culture of secrecy, and potential hackings identified by the Transportation Security Administration are not followed up or investigated.
Smith claims that when a working group on railway security within the Department of Homeland Security alerted railway operators to their concerns about how easy it might be to hack connected train systems, the response of the railway company was to shut down communications with the department and withdraw cooperation.
According to Smith, connected train systems have been vulnerable to hacking. He highlights the case of the teenager in Lodz in Poland who hacked his town's urban rail system in 2008, equipped with nothing more than a TV remote and a public library computer. He was able to change signals and take control of nearby trains. In the process, he caused derailments and mayhem.
Smith believes that similar events have happened in the United States, but the role of hackers in causing the accidents have been suppressed.
The watchdog website Nextgov obtained a Transportation Security Authority report that revealed that US Government officials admitted that hackers had taken over and disrupted railway signals on at least two occasions in the north west of the United States in 2011. Rail industry representatives dismissed the report as inaccurate.
Smith alleges that TSA officials believe that recent derailments have been caused by hacking events. However, he says, the lack of cooperation from US railway companies have made it difficult for security specialists even within the TSA and DHS to pursue enquiries.
In response, Tom Farmer, assistant vice president of the Association of American Railroads, described the Boston Review article as "based on a lot of inaccuracies". Farmer denied that there had been any derailments in the United States caused by network hacks. He said that the industry was committed to working with Federal agencies, and took security and safety very seriously.