UK Rail Signals Can Be Hacked To Cause Crashes

Uploaded on 2015-05-06 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Rogue employee could hack the new UK rail system and cause a crash. Prof. David Stupples told the BBC that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks. UK tests of the European Rail Traffic Management System are under way.

Network Rail, which is in charge of the upgrade, acknowledges the threat. "We know that the risk [of a cyber-attack] will increase as we continue to roll out digital technology across the network," a spokesman told the BBC.
"We work closely with government, the security services, our partners and suppliers in the rail industry and external cybersecurity specialists to understand the threat to our systems and make sure we have the right controls in place."

Once the ERTMS is up and running, computers will dictate critical safety information including how fast the trains should go and how long they will take to stop. It is scheduled to take command of trains on some of the UK's busy intercity routes by the 2020s.

The system is already used in other parts of the world and there are no reported cases of it being affected by cyber attacks.

In fact, it is designed to make networks safer by reducing the risk of driver mistakes. But Prof Stupples - an expert in networked electronic and radio systems at City University in London - said if someone hacked into the system they could cause a "nasty accident" or "major disruption". "It's the clever malware [malicious software] that actually alters the way the train will respond," he explained. He added that he had spoken up to raise awareness of the threat.

According to the professor, the system is well protected against outside attack, but he says danger could come from a rogue insider. Hundreds of signal boxes are being replaced as part of the upgrade. "The weakness is getting malware into the system by employees. Either because they are dissatisfied or being bribed or coerced," he explained. He added that part of the reason that transport systems had not already been hacked as frequently as financial institutions, and media organisations was that much of the technology involved was currently too old to be vulnerable.

All of that will change in the coming years, as aircraft, cars and trains become progressively more computerised and connected.

Prof. Stupples said he was working with Cranfield University to develop a security system that would tell when a train or other mode of transport was acting oddly. "It would take it back into a safe state," he explained.

BBC:     SAGE /Stupples:   ORR

« Locked Shields: NATO Holds Major Cyber-Security Drill
Anonymous Hackers Taking On the Kremlin »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Magnet Forensics

Magnet Forensics

Magnet Forensics' family of digital forensics products are used globally by thousands of law enforcement, military, government and corporate customers.

National Cyber Directorate Israel

National Cyber Directorate Israel

The Israeli National Cyber Directorate provides incident handling services for civilian entities and critical infrastructures and works to increase national resilience against cyber threats.

VisionWare

VisionWare

VisionWare provide consulting services and solutions in areas covering both physical and digital security.

Focal Point Data Risk

Focal Point Data Risk

Focal Point is a pure-play data risk management provider capable of offering end-to-end consulting, implementation, and training services.

Destel

Destel

Destel is a system integrator and provider of IT services focused on Advanced Network & Security Solutions.

SenseOn

SenseOn

SenseOn’s multiple threat-detection senses work together to detect malicious activity across an organisation’s entire digital estate, covering the gaps that single point solutions create.

Naoris Protocol

Naoris Protocol

Naoris is the world’s first holistic blockchain-based cybersecurity ecosystem, bringing a game-changing solution to address 35 years of industry similar practice.

OurCrowd

OurCrowd

OurCrowd is a leading equity crowdfunding platform for investing in global startups.

Conference on Applied Machine Learning in Information Security (CAMLIS)

Conference on Applied Machine Learning in Information Security (CAMLIS)

CAMLIS is a venue for discussing applied research on machine learning, deep learning and data science in information security.

Shearwater Group

Shearwater Group

Shearwater Group is an award-winning organisational resilience group that provides cyber security, advisory and managed security services to help secure businesses in a connected global economy.

Dynamic Quest

Dynamic Quest

Dynamic Quest is a managed IT, cloud and security services companies, providing a comprehensive range of technology services including cybersecurity, backup and disaster recovery.

Dataships

Dataships

We help companies automate their privacy compliance while building healthy, transparent data relationships with their customers.

DataPatrol

DataPatrol

DataPatrol is a software company, specialized in providing Security and Privacy of company’s data and information in an evolved way.

Omnex

Omnex

Omnex provides consulting and training services in Quality, Environmental, and Health and Safety standards-based management systems including Automotive Cybersecurity.

CloudBees

CloudBees

CloudBees is building the world’s first end-to-end automated software delivery system, enabling companies to balance governance and developer freedom.

Luxembourg House of Cybersecurity (LHC)

Luxembourg House of Cybersecurity (LHC)

Luxembourg House of Cybersecurity (formerly SecurityMadeIn.lu) is the backbone of leading-edge cyber resilience in Luxembourg.