Hackers Manipulated Railway Computers, TSA Memo Says

← Back to Stories (view on slashdot.org)

Hackers Manipulated Railway Computers, TSA Memo Says

Posted by Soulskill on Monday January 23, 2012 @03:10PM from the so-nobody-was-affected dept.

An anonymous reader sends this excerpt from Nextgov: "Hackers, possibly from abroad, executed an attack on a Northwest rail company's computers that disrupted railway signals for two days in December, according to a government memo recapping outreach with the transportation sector during the emergency. ... While government and critical industry sectors have made strides in sharing threat intelligence, less attention has been paid to translating those analyses into usable information for the people in the trenches, who are running the subways, highways and other transit systems, some former federal officials say. The recent TSA outreach was unique in that officials told operators how the breach interrupted the railway's normal activities, said Steve Carver, a retired Federal Aviation Administration information security manager, now an aviation industry consultant, who reviewed the memo."

36 of 116 comments (clear)

Min score:

Reason:

Sort:

Why... by errandum · 2012-01-23 15:12 · Score: 5, Insightful

Is a computer that controls anything like this connected to the exterior instead of it's own private network?
Why?!
1. Re:Why... by Troke · 2012-01-23 15:13 · Score: 2
  
  So they can work from home of course!
2. Re:Why... by Kenja · 2012-01-23 15:17 · Score: 4, Insightful
  
  So you want to roll out a private network along each mile of rail?
  Why not? In most cases that's where the major fiber cables run any how.
  
  --
  
  "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
3. Re:Why... by siddesu · 2012-01-23 15:21 · Score: 4, Insightful
  
  Because when the work is contracted, the work is done in a piecemeal manner in order to show a lower budget to the committee that will be approving funds. Since the budget as a rule is never enough to allow for a proper, safe design, deployment and operation, things are done haphazardly, staff is overworked and/or under-qualified and the requirements change daily and need to be completed yesterday. As a result, you get holes, and holes get exploited.
  Then some politician exploits the news to create yet another committee to investigate and countermeasure the "attacks", leaving even less money for planning and deployment, and creating more opportunities for attacks and for position for his cronies, while maintaining an image of staunch defender of National Security.
  Business as usual.
4. Re:Why... by F34nor · 2012-01-23 15:33 · Score: 3, Interesting
  
  Here here! In addition they have their own swath of wireless bandwidth for their radios that could be reapportioned for this by going to digital radios.
5. Re:Why... by currently_awake · 2012-01-23 15:34 · Score: 5, Interesting
  
  I don't think it was. They clearly tried to blow this thing up as a major terrorist attack, but they never claimed risk to life. I'm guessing the "attacks" were a virus on the windows boxes used for selling tickets.
6. Re:Why... by Fastolfe · 2012-01-23 15:38 · Score: 2
  
  "Why not?" Cost, of course. It's far cheaper to connect remote nodes like this to public networks than it is to lay your own data connections down along every length of track. Just because other people lay down lines near some tracks does not mean it's cheap or free for the rail operators to lay down their own lines along all tracks.
7. Re:Why... by Anonymous Coward · 2012-01-23 15:54 · Score: 2, Insightful
  
  Wouldn't be easier to just setup a VPN and secure the damm thing? I would think that should suffice provided strong security measures are in place.
8. Re:Why... by garyebickford · 2012-01-23 16:02 · Score: 2
  
  good luck with that, running your own fiber all over the country. Interesting side note, but probably not relevant - the Sprint network was originally the SPC - Southern Pacific Communications company which started out as a set of microwave links along the railroad rights-of-way to support Southern Pacific Railway railroad operations, before the Internet existed. According to Wikipedia, when the long distance market was deregulated they started selling capacity to others, and one thing led to another. Also according to W, the SPRINT name was the winner of a contest for a new name appropriate to the new business when MCI bought the company: "Switched PRIvate Network Telecommunications".
  It's worth noting that the Military also uses the public switched network for some things. In one sense, this may be advantageous if done right. If the secret messages are merely one amongst the literally billions of packets going through a fiber per second, they are harder to find than just tapping into the correct dedicated fiber that carries nothing but secret messages. And, since any physical manifestation (fiber) that is strung across thousands of miles of countryside, a dedicated fiber is going to be just as vulnerable (given the same level of message encryption) as the packets in the public network.
  The military can't know in advance where it is going to need telecom capability, so it has to be able to ship data over the public network in such a way that it is secure even if intercepted. That's a tall order, but there's no choice. Having a physically separate physical wire just doesn't give you that much extra.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
9. Re:Why... by Anonymous Coward · 2012-01-23 16:13 · Score: 5, Informative
  
  Sweet, a topic that I know something about for once!
  I am an S&C technician for a railway in Canada, and can tell you, the opposite is in fact true. A fibre conduit running coast to (almost) coast is a valuable thing. A few years back (before I started with them) they plowed a conduit underneath the rail bed. I hear they used multiple locomotives to pull a massive plow burying the conduit 10' under the rail bed. Sounded pretty sweet. The fiber is now leased to Rogers (may they rot in... er... never mind). I believe we have exclusive use of 4 fibers in the bundle, but I don't know too much about that end of it.
  The network of fiber is connected to strategically located radio towers. Another profitable venue is leasing space on a tower to the cell companies.
  Intermediate bungalows connect to the radio towers and relay control to switch machines and signal mechs. Our truck radios also communicate to the towers, and through the fiber to either RTC (Rail Traffic Control) or to another tower and another technician anywhere along the railway.
  I'm not sure about other railways, but I feel our system is pretty robust.
10. Re:Why... by siddesu · 2012-01-23 16:25 · Score: 3, Interesting
  
  The corporate politics isn't all that different inside the Socialist enterprise, the difference is that everything else is much worse.
11. Re:Why... by davester666 · 2012-01-23 16:45 · Score: 2
  
  Not from home. From a strip club...in Hawaii!
  
  --
  Sleep your way to a whiter smile...date a dentist!
12. Re:Why... by Anonymous Coward · 2012-01-23 17:46 · Score: 5, Informative
  
  Railway signalling usually consists of two pieces - vital logic and control logic. Vital logic is the sort of thing that prevents showing two trains signals that would make them crash, or would allow the points on a switch to throw under a train, or other safety-related functionality. It's designed to be failsafe, and the design methodology is usually very rigorous because of the huge liabilities involved. This stuff is usually (these days) carried on the rails themselves by what are known as coded track circuits - basically on/off values via carrier frequencies placed on the rails themselves. In some areas and in prior eras, this was carried by signal lines paralleling the railway, either open wire or buried. Regardless, all this stuff is designed such that if pieces fail or communication is lost, everything goes red and train traffic stops.
  Control logic is the other half. It's the part of the system that communicates from a dispatcher hundreds or thousands of miles to the local control points. It communicates instructions that can be roughly translated as "allow a westbound past this control point" or "throw the switch to the siding and permit an eastbound through". This is then shot across somebody's network to the control point, where it's handed off to the vital logic. Commands from the dispatcher are really more like requests to the vital logic to perform that function when it's safe to do so. As a dispatcher, even if you'd send commands that would direct a pair of trains to proceed at each other, the vital logic will keep the appropriate signals red and never allow a collision to happen.
  So, given the hype-riddled press release, I'm guessing one of two things happened.
  1) There's a link between the dispatching computers and the field endpoints that travels over the public network, likely via VPN. Somebody found a way to interfere with that link and prevented commands from getting through (a stupid DDoS could work here, as rail signalling is extremely low bandwidth). Worst case impact - dispatchers can't issue requests for things to happen in the field. That said, I've never seen such a system that connected to an IP network. The ones I've seen are serial and go via modem, frame relay or leased line. There's also a dedicated railway signal control standard that travels over dedicated radio frequencies that's often used from a common radio base to a number of signal installations along a line.
  2) Somebody found a way to compromise the dispatching computers themselves and mess with them. Unlikely, but it wouldn't be the first time somebody had compromised a corporate firewall and found the cool toys inside. That said, they'd really have to know what these machines did and how commands were sent in order to do anything beyond send random crap or again, just prevent commands from being sent. The other possibility is that they got between the dispatch machines and the outbound serial links inside the corporate network.
  3) The scary but horribly unlikely one - somebody put a vital logic processor where it could be reached via the network. I've never heard of a vital logic processor with an ethernet port, but most of them just have a bunch of serial, one of which is a configuration/communication port through which the unit is programmed. Typically these are only accessible by a dude in the field plugged into the logic unit, but it's remotely possible some bonehead connected it to a network-accessible terminal server or something.
  1&2 are possibly crippling to a rail network, but not unsafe. Things stop and nothing moves, but nobody gets hurt. 3 is much more frightening, but I can't see any sane engineer (particularly in the signal department at a railroad, as these guys tend to be risk averse to a fault for good reason) ever signing off on this design. I would
  Most of this is just theorizing based on what I know from my association with the industry almost a decade ago, but because of that I'm posting as an A/C.
13. Re:Why... by Alioth · 2012-01-23 23:55 · Score: 3, Informative
  
  I worked for British Rail just before it was privatized, they had their own private national telephone system and computer network. I suspect it still exists and is probably run these days by Network Rail. The signalling system was completely independent of this network, too.
  
  --
  Oolite: Elite-like game. For Mac, Linux and Windows
14. Re:Why... by Pope · 2012-01-24 02:28 · Score: 2
  
  There there!
  
  --
  It doesn't mean much now, it's built for the future.
Of course! by Alan+Shutko · 2012-01-23 15:16 · Score: 4, Funny

Hackers have been involved in railroads since the very beginning!
Well, looks like the TSA got their wish by Scutter · 2012-01-23 15:18 · Score: 4, Insightful

Now they'll have the excuse they need to do to the rails what they've done to the airlines.

--

"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
1. Re:Well, looks like the TSA got their wish by raydobbs · 2012-01-23 15:22 · Score: 4, Insightful
  
  +1 to this - wishful thinking given form, they are just creaming their shorts over this. It means we can be violently sexually assaulted while trying to board trains, board airlines. Now all we need is them at every bus depot, every subway terminal, all border crossings. We'll be a police state in fear of our government overlords in no time.
2. Re:Well, looks like the TSA got their wish by ajpuciat · 2012-01-23 15:25 · Score: 3, Insightful
  
  Just what we need. I am guessing this isn't going to be limited to the rails either. Any mode of transportation utilizing computers will be "under attack," and we're going to stand around and get molested by the TSA. Awesome!
3. Re:Well, looks like the TSA got their wish by wbr1 · 2012-01-23 15:56 · Score: 2
  
  What logic is there in body scans and pat downs to protect against hackers?
  
  'Sorry ma'am, please take of your shoes so we can check for a flash drive with root kits on it."
  
  --
  Silence is a state of mime.
4. Re:Well, looks like the TSA got their wish by c0lo · 2012-01-23 17:00 · Score: 2
  
  Now they'll have the excuse they need to do to the rails what they've done to the airlines.
  Eh... should I understand the public is that stupid to accept that scanners and patting-down will prevent crackers remoting into unprotected systems?
  
  --
  Questions raise, answers kill. Raise questions to stay alive.
Shenanigans! by Kenja · 2012-01-23 15:27 · Score: 4, Insightful

To me this sounds like some contractor introduced a bug to the system and is attributing the issues it caused to "hackers". If the system is really open to attacks of this nature, then it is fundamentally flawed.

--

"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
1. Re:Shenanigans! by Samantha+Wright · 2012-01-23 15:35 · Score: 5, Informative
  
  What are you talking about? The hackers are "possibly from abroad"! This is serious! Why would the article author use such a blatantly sensationalist subclause if it weren't serious?! Especially when the last time this was claimed turned out to be exactly what you're describing!
  
  --
  Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
You never know... by MrEricSir · 2012-01-23 15:27 · Score: 3, Funny

...when someone might hijack a train and crash it into a skyscraper.

--
There's no -1 for "I don't get it."
1. Re:You never know... by ajpuciat · 2012-01-23 15:33 · Score: 5, Interesting
  
  "Amagasaki, Japan 26 April 2005 A seven-car train with 580 passengers derailed and slammed into an apartment building of nine floors. 73 people were killed and nearly 450 injured"
  
  Trains, in my buildings?
  
  It's more likely than you think.
2. Re:You never know... by macshit · 2012-01-23 18:05 · Score: 2
  
  "Amagasaki, Japan 26 April 2005 A seven-car train with 580 passengers derailed and slammed into an apartment building of nine floors. 73 people were killed and nearly 450 injured"
  Note that the line in question was one of the few passenger lines in Japan without ATC/ATS ("automatic train-control/train-stop") installed, and it's pretty likely that had it been installed (it was "on the list" to be upgraded at the time...), the accident would have been prevented, as the system automatically applies brakes in an overspeed condition.
  [One interesting question is whether the driver can disable it or not...]
  
  --
  We live, as we dream -- alone....
because they are FSCKING IDIOTS! by swschrad · 2012-01-23 15:32 · Score: 2

or else the outsourced IT department overseas has senior staff with, ahhh, alternate loyalties... .

--
if this is supposed to be a new economy, how come they still want my old fashioned money?
Dizzy from the Spin by JoeRandomHacker · 2012-01-23 15:46 · Score: 4, Insightful

I'm sure that it is coincidence that this sort of story gets publicity now. Nothing to do with countering the bad press the TSA has gotten today. And I'm sure there is no way this sort of thing could be prevented in the future without an all-seeing, all-knowing, all-powerful TSA keeping watch on everyone who decides not to stay in one place all the time. Nothing to see here. Move along. Except for you, and you over there. We'll need you to step over here for a moment...
Re:False dichotomy + criminal negligence by Quick+Reply · 2012-01-23 16:09 · Score: 2

Because private networks with entry points all over town can not be hacked, right.
Re:I can see how this could happen by nirgle · 2012-01-23 16:14 · Score: 2

Did you notice that quite a few of your sentences .
Sounds awfully simliar to... by b5bartender · 2012-01-23 16:44 · Score: 4, Interesting

...the well-publicized "attack" on an Illinois water system by Russian Hackers that, unsurprisingly, never actually happened.
Train control has gone Linux/Ethernet/IP by Animats · 2012-01-23 17:23 · Score: 4, Interesting

Railroad signalling used to be all special purpose hardware. Not any more. Here's the "VitalNetâ Wayside Message Server". Runs Red Hat Linux. Talks "Interoperable Train Control Messaging" protocol.
It gets worse. Here's a General DataComm unit for railroad signal control. "SC-ADT ports configured for Telnet/ SSH sessions, for bypass transport (port forwarding), and to convert async PPP data to IP for transport over a cellular data network. SC-ADT managed via Telnet, SSH, SNMP, FTP, TFTP and HTTP from the Dispatch Facility. "
TFTP? FTP? Telnet? What's wrong with this picture?
There's even a hobbyist program for listening in on signal control traffic, some of which is passed around on unencrypted radio links.
Simple solution: by Issarlk · 2012-01-23 20:43 · Score: 3, Funny

Make the ethernet cables run through an X-Ray machine, or pat down the IP packets. It'll be as efficient as in airports to prevent future breaches.
I worked on these too by Anonymous Coward · 2012-01-23 22:26 · Score: 2, Insightful

When I worked on these, we had dedicated links (X25 serial in those days).
There simply is NO EXCUSE for routing stuff like this over the public internet, VPN or not. Even a DDOS on those communications is unacceptable. If the railway techs sent that data across a public network, their employment should immediately be terminated and the railway company liable.
Sounder Train or Westside Express Service? by McGruber · 2012-01-24 01:00 · Score: 3, Interesting

The article tells us that this event happened to a railroad that (1) is in the Northwest, (2) runs scheduled trains during the workweek (Dec 1 was a Thursday) and (3) has frequent enough service that a 15 minute delay would be noticed.
It appears to me that the railroad described is either Washington State's Sounder Train (en.wikipedia.org/wiki/Sounder_commuter_rail) or Oregon's Westside Express Service (WES) (http://en.wikipedia.org/wiki/Westside_Express_Service).
Business idea by GameboyRMH · 2012-01-24 03:00 · Score: 2

I should start a service selling "industrial control system security retrofits." Between the Internet and the PLC, I'll set up a simple Linux box, with cryptknock and brute-force protection that only allows SSH logins with passphrased keyfiles. Then I'll give the operators a nice script (in .bat form and shellscripts) that puts them to the login prompt in one click and sets up a tunnel between their localhost and the PLC or whatever. Then they connect to the control client to localhost and work as usual. Because the places that do this shit usually have NO IT STAFF, I'll put together a simple interface for managing the keyfiles (some GUI on the box itself would be safest - really stripped down of course, ncurses-based ideally).
For each installation I will charge $3k, maybe with a support option if they want me to manage their keyfiles remotely, very affordable to them but I am actually taxing them out the ass for stupidity >:)

--
"When information is power, privacy is freedom" - Jah-Wren Ryel