The BBC blindsided the railway industry last night with the release of a new show, Nightsleeper, about a coordinated national cyber-attack on the railway network. SPOILER ALERT: I will try to be careful not to give too much away, as people should watch it themselves, but there will be spoilers and plot lines discussed in context within these articles.
What I will delve into is some of the digital, technical and process elements used in the show. Some of these are very much realistic and achievable, and others… well, let's just say they're really not.
For everything I discuss, I will treat the attack as if it had actually been played out, and I will make some assumptions to allow us to consider the possible attack vectors; I will tell you what those assumptions are when I make them.
The show can be watched on BBC iPlayer using this link: https://www.bbc.co.uk/iplayer/episodes/m002265y/nightsleeper?seriesId=m002265x
First, a little about me: I am a rolling stock engineer with a decade's experience in the industry, working across multiple fleets, both new and legacy, as well as analysing, quantifying and mitigating cyber risk for multiple operating fleets, including some of the newest fleets on the British rail network.
Let's get to it.
Distraction to Plant Device On Nightsleeper
The show starts with a multi-person robbery on the platform being thwarted by an off-duty officer. There is nothing too unusual about this per se, but the show makes a big drama of the event. It is set up to be the distraction that allows a concealed device to be planted on the train.
We find out in the show that the train departed 8 minutes late, so the attacker had about 8 minutes to find the correct location, plant the device and leave before being detected. Played out as a real scenario, this would be someone with detailed knowledge of the train's layout: they would know where the control cabling ran, how to access it and exactly what equipment they would need. That means advance access to build information, OEM documents and probably schematics. Consequently there is very likely to be an insider element to the attack, and the group carrying it out is clearly organised, probably well-funded and operating very efficiently as it progresses through each stage. To those in the know, this is an almost textbook description of an Advanced Persistent Threat (APT), or nation-state, actor. For CISA's description of nation-state/APT actors, see: https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors#:~:text=APT%20actors%20are%20well%2Dresourced,network%2Fsystem%20disruption%20or%20destruction.
They achieve their goal and leave in place a single board computer (SBC), seemingly connected to multiple train systems, within a panel in the floor of the train guard's office.
I will go into the technical side of the device and the train control systems shortly. Regarding the distraction used to facilitate the attack: whilst it is highly improbable and certainly over-dramatised for the purposes of the show, the industry would do well not to underestimate the lengths a determined, state-sponsored APT will go to. We must bear in mind that the railway is critical infrastructure, and all too many people in the industry, including those charged with protecting its cyber security, do not treat it as such. For any critical infrastructure, you must not underestimate what a determined APT will do to achieve its goal.
The Device Left Behind (SBC)
The device left within the floor of the office was a Raspberry Pi-style Single Board Computer (SBC). These are extremely cheap (around £35 – £70 online depending on specs), very efficient minicomputers that, with a little know-how, can be programmed to run almost any custom code.
The boards expose multiple general-purpose input/output (GPIO) pins that can be made to interact with analogue and digital control systems, as well as standard ports such as an RJ45 Ethernet port and several USB ports. The SBC used in the show also has a secondary board attached on top that carries a screen, some electronics and two small antennae.
Now again, if we play this out as a real scenario, there are a couple of things that would mean the attack would not work based on the way the device was deposited:
1. The device is seemingly connected to the train using USB and Ethernet as its main links. There is no way of making those kinds of connection in the floor space of a train. Believe it or not, whilst trains do use industrial Ethernet cabling, we don't just have RJ45 sockets in the floor space. They are point-to-point cables, usually armoured, with industrial connectors on each end, not RJ45.
For the unit to be connected, the attacker would have had to break into the correct cabling, terminate it into the correct jack (or, for USB, splice into the correct serial cables on the train, which are not really found in floor spaces) and then connect to these. That takes a lot more than 8 minutes and would be immediately evident to anyone who found it.
Given the capability of the group carrying out the attack, a far more realistic scenario would have been to gain access to the train at one of the woefully under-secured depots and plant the device in a maintenance cupboard, where serial and RJ45 connections may well be available and the device would go undetected for a lot longer.
2. The device has very small antennae, presumably for remote connections. During the show, everyone's phone service is blocked, and the on-board passenger Wi-Fi and cab-to-cab communications stop working. The only way to communicate externally is by sat-phone.
Whilst it is physically possible to jam the wireless signals used by mobile carriers, it takes far more transmit power and RF hardware than a Raspberry Pi can provide: you need to put out noise, stronger than the signal the carriers' masts deliver into the train, across every band in use from 2G to 5G. That is not something a little device under a train floor is going to do.
If we assume the attacker found an Ethernet connection on the train to compromise, and that the network in question was a train network rather than the completely separate passenger Wi-Fi network, then taking out the on-board communications between the cab and the train manager is fairly easily achieved.
The easiest way would be something akin to a SYN flood or other DoS attack to overwhelm the network the communication system runs on (that said, the driver would almost certainly get a notification, because the Passenger Information System server would become unresponsive). We know, however, that this is not what happened: part way through the episode we learn that the driver has unknowingly been talking to the attacker. So the comms server and network are running, but certain devices (namely the non-cab handsets) have been disabled.
To play that out as a real incident, the attackers would need prior knowledge of the system architecture of that particular train (or the ability to footprint it extremely quickly) in order to disrupt the connection from a remote handset to the server.
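The flood scenario above is the one a maintainer or on-board monitor would actually notice, because a flooder sends SYNs without ever completing handshakes. The following is an added example, not code from the article or any fleet: a small detector run over constructed flow records (the record format, the 10.1.0.x addresses, port 80 and the thresholds are all assumptions) that flags a source sending bare SYNs at the on-train server.

```python
"""Added example (not from the original article): flag a SYN flood aimed at
an on-train server from a connection log.  The record format, addresses and
thresholds below are assumptions for illustration."""
import re
from collections import defaultdict

# Assumed flow-record format: "<t_seconds> <src_ip> -> <dst_ip>:<dst_port> <tcp_flags>"
LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict for one flow record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"t": float(m["t"]), "src": m["src"], "dst": m["dst"],
            "port": int(m["port"]), "flags": m["flags"]}


def detect_syn_flood(lines, window=1.0, threshold=50):
    """Return one alert per (time bucket, source, destination) where a source
    sent more than `threshold` bare SYNs in one `window`-second bucket while
    completing fewer than a tenth as many handshakes (ACKs seen from it).
    A legitimate client sends a SYN and then an ACK; a flooder sends SYNs only."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore unparseable lines rather than failing the run
        key = (int(rec["t"] // window), rec["src"], rec["dst"], rec["port"])
        if rec["flags"] == "S":
            syns[key] += 1
        elif "A" in rec["flags"]:
            acks[key] += 1
    alerts = []
    for key, n in sorted(syns.items()):
        if n > threshold and acks[key] * 10 < n:
            bucket, src, dst, port = key
            alerts.append({"t_from": bucket * window, "src": src,
                           "dst": f"{dst}:{port}", "syns": n, "acks": acks[key]})
    return alerts


def legitimate_lines():
    """Constructed sample: five handsets/HMIs each opening one normal session."""
    lines = []
    for i in range(5):
        t = i * 0.2
        lines.append(f"{t:.3f} 10.1.0.2{i} -> 10.1.0.5:80 S")
        lines.append(f"{t + 0.01:.3f} 10.1.0.2{i} -> 10.1.0.5:80 A")
    return lines


def flood_lines():
    """Constructed sample: one planted device sending 300 bare SYNs in 0.6 s."""
    return [f"{2.0 + i * 0.002:.3f} 10.1.0.77 -> 10.1.0.5:80 S" for i in range(300)]


if __name__ == "__main__":
    for alert in detect_syn_flood(legitimate_lines() + flood_lines() + ["garbage"]):
        print(alert)
```

The threshold is deliberately low because an on-train network has a handful of known clients; on a real fleet you would tune it to the fleet's baseline and key the detection on the PIS server's address.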
The Emergency Stop Button
Ok, this is a major faux pas by the show. Emergency stops (which outside of a cab are not plunger buttons) are hardwired, analogue systems that interface directly with the train's core electrical system. They cannot be overridden by digital means.
Long story short, they are simple normally-closed switches which, when pushed (or, in the case of a passenger communication handle near the doors, pulled), break the emergency stop circuit. That break causes a relay somewhere to lose power and drop out; the traction interlock at the very least runs through that relay, removing traction capability, and often the brake continuity circuit runs through it too.
On most fleets this brings the emergency brakes in immediately, with the driver able to hold the brakes off using a hold-over button for a set period so they can move the train to a position of safety (for example, to avoid stopping in a tunnel or on a viaduct).
A hacker could not disable this system remotely. The only way to do it is to physically attack the wiring to bypass the switches or circuits.
Direct Dialling the NCSC from Nightsleeper
When the train manager discovers the device, the officer who thwarted the robbery at the start is asked to assist. Once they get past the lack of mobile signal and obtain the sat-phone, the officer rings the National Cyber Security Centre (NCSC) directly. Whilst it is possible that in a previous role the former Detective Inspector (DI) worked in Counter Terrorism Command (CTC) or a Cyber Protect team, and so would certainly have interfaced with the NCSC, the chance of them just knowing the number off-hand in that scenario is slim.
Further, the officer seems not to be tech-savvy in any way, suggesting no background in cyber, which makes it even less likely.
Finally, as a police officer myself, our first, and most important, duty is the protection of life and property. If this was a real attack, the officer's first job once involved is to get the train stopped safely and get everyone off. That means either calling the signaller (a number the train guard will have access to) or calling 999 to speak to the Police Scotland control room so they can coordinate the response.
Even if he did call the NCSC directly in real life, what does he expect them to do over the phone with extremely limited details of what is happening? This was the show's second silliest mistake.
“It’s a Hacking Device”
During the show, the DI asks the NCSC Technical Director whether the device could detonate. That is not an unreasonable question for an officer whose first thought may be that this is a traditional terror incident involving an explosive device.
The first problem I have here is that the officer approaches the device carrying an active wireless communication device. That is a big no-no if you even suspect the device could be linked to something explosive: you leave the area and move to a safe distance before making any wireless communications.
The NCSC Technical Director then tells the DI that it won't detonate, it is a 'hacking device'. At the point she passes this information, she does not possess enough information to decide whether there is a detonation risk from the device.
She does not know whether the cables coming from the device run to an explosive device concealed under the floor, or whether interfering with the device could trigger a detonation. This is poor writing, and playing the scenario out more accurately could have made for more dramatic scenes too.
Hacking of Signals and Station Displays
As the episode progresses, it becomes clear that this is a significant, coordinated attack involving multiple railway systems, such as signalling, station displays and public announcements, as well as the on-train attack. The attack seems to follow the failure or compromise of a third-party Endpoint Protection Platform (EPP), or 'anti-virus' as the show incorrectly calls it. First things first: all of this is possible and, individually, has already either been done or been proven possible.
As for the EPP being the root vector for the wider attack, we only need look at the recent CrowdStrike outage (caused by a faulty content update rather than an attack, but with the same effect on every endpoint that depended on it) to see the wide-reaching impact a third-party platform failing or being compromised can have, and why organisations need to ensure their systems are resilient to exactly that.
Regarding the compromising of signals: in August 2023, Poland had around twenty trains brought to a halt when attackers transmitted the railway's 'radio-stop' command over the VHF frequencies used by its analogue train radio. That command is nothing more than an unauthenticated sequence of tones; any equipped train that hears it applies the brakes, as designed, so the trains did exactly what they were built to do. Polish authorities suspected a link to Russia, but the attack itself needed only a cheap transmitter and knowledge of the tones. Whilst nobody was injured, any attack that can disrupt signalling and communication capabilities has the potential to cause safety issues and hamper the emergency response, facilitating a much wider, much more serious incident.
Finally, with respect to passenger information systems being disrupted: in August 2022 a German railway station had its screens compromised remotely and re-programmed to display pornography rather than the normal ticketing information. Most passenger display devices (indeed most digital signage) are configured to display a web page in kiosk mode. The URL displayed is often updated remotely, so the device talks to a content management server over the network, and if it talks on the network there are vectors to attack it: the server itself, or the update channel if the display accepts a new URL from anyone who can reach it.
UK Rail Cyber Defence Team
As the episode rolls on, and the NCSC realise the breadth of the attack, they state that UK Rail has its own cyber defence team. Whilst this may make for great viewing as far as the storyline goes (no doubt opening avenues for conflict between organisations in later episodes), in reality there is no such thing.
Currently there is no central cyber security team for the railway. Each operator and organisation within the railway is responsible for managing its own security. There isn't even a complete set of railway-specific standards yet. There are ISO and IEC standards that have been adapted to the industry to a degree, and there is a Rail Industry Standard (RIS 27000) on the horizon that will go some way to providing a framework to work to, but in general it is everyone for themselves.
Remote control of Nightsleeper train
Now this is an interesting one. On some fleets this is entirely possible, to varying degrees of success and for a very short period. Let's talk about how modern trains work when traction or braking is demanded.
To take traction, the following core systems must be in the correct state and, because they are safety-critical systems, they cannot be manipulated remotely:
- AWS (Automatic Warning System) – this must be acknowledged by the driver once they energise their cab and set a direction. Failure to acknowledge an AWS warning horn in service will at the very least prevent traction being taken, and on most units will bring the brakes in.
- TPWS (Train Protection and Warning System) – this looks for track-mounted transmitter loops and, if the train is approaching a signal at danger (a red light) or travelling too fast towards a hazard, automatically applies the brakes.
- DSD/vigilance device (Driver's Safety Device) – the pedal the driver must keep their foot on, or the trigger they must keep pulled in on the power brake controller, in order to take traction. Release it for more than a couple of seconds and the emergency brakes come in automatically.
- Power Brake Controller – this must not be in the Emergency position, as that is a hardwired step that drops out the relays holding the brakes off. The only way to bypass any of the emergency brake systems is to short the various microswitches to provide a constant interlock signal, or to provide a false feed to the relays.
- Direction selected – in the active cab there is a switch (usually rotary) for the driver to select forward, neutral or reverse. This must be set before other relays can pull in and allow the train to release the brakes and take traction.
- DRA (Driver's Reminder Appliance) – a small button or switch introduced to reduce the likelihood of drivers taking traction in a platform against a signal at danger. When the guard closes and arms the doors, they use a buzzer to tell the driver the dwell is complete and the train is ready to move. There were several incidents of drivers responding to that buzz by immediately taking power, only to find the platform signal at danger and run the red. Most drivers set the DRA as soon as they come to a stop, as a reminder to check the signal before moving off.
- Door interlock – to take traction, the doors (all those in the interlock circuit, anyway) must be closed and disarmed. Whilst the low-speed relay is out (the train is moving), losing door interlock only cuts traction and will not necessarily bring the brakes in, but at a stand you will not get brake release and traction demand without door interlock.
All of the above are hardwired safety systems designed to fail safe. There is no OT device manipulation over the network that can set them to the correct state for taking traction. So if the driver has not set them correctly, the train will not move. Likewise, if the driver has set them all and the train misbehaves, altering the state of any of them will bring the train to a controlled stop, irrespective of digital demands.
Now let's look at some ways the train could be remotely controlled. If we assume the driver has set all the safety systems correctly, could the train be remotely controlled in a way that affects safety? The long and short of it is: yes, it can, sort of.
Most modern trains are controlled by the on-board Train Control System (TCS) over CAN bus, Ethernet and other bus technologies, which drive relays, solenoids and other Operational Technology (OT) devices. These are digital systems on the train that take a digital command and produce a physical response in a circuit or system.
This may range from controlling physical systems such as HVAC, lights, doors, passenger announcements, traction demand, brake demand and fire systems, to deciding what information is presented to the driver via the HMIs.
That doesn't mean all of them can be compromised in a way that impacts safety, though, and of those that can, not all will stay in an unsafe condition for long. For many of these systems to change state, there must be a corresponding change to a physical device too.
For example, whilst brake demand can be driven by the OT control systems, for the brake demand to change the brake controller would also have to be in a corresponding position. That means that if the TCS were compromised and received a malicious request to move from brake step 4 (full service brake) to coast (full release), but the brake handle was still in step 4, the TCS would ignore the digital request and remain in the safe state.
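To make the arbitration concrete, here is an added toy model (not the article's, and not any fleet's real TCS logic) of a controller that combines a digital "release brakes and take power" demand from the train bus with the hardwired interlocks listed above. The field names, the brake-step numbering and the simplified rules are assumptions; the point it demonstrates is that a spoofed bus message can only ever move the train toward a more braked state, never past a physical handle or a broken loop.

```python
"""Added example (not from the original article): a toy model of how a TCS
arbitrates a digital traction/brake demand against the hardwired interlocks
described above.  The names, brake steps and rules are simplifications
assumed for illustration and do not describe any real fleet."""
from dataclasses import dataclass, replace

# Assumed brake steps: 0 = full release, 4 = full service brake, 5 = emergency.
BRAKE_STEP = {"power": 0, "coast": 0, "step1": 1, "step2": 2,
              "step3": 3, "step4": 4, "emergency": 5}


@dataclass(frozen=True)
class Hardwired:
    """Snapshot of the hardwired safety circuits as the TCS reads them."""
    aws_acknowledged: bool
    tpws_clear: bool
    dsd_held: bool
    pbc_position: str           # a key of BRAKE_STEP
    direction: str              # "forward", "neutral" or "reverse"
    dra_clear: bool
    door_interlock: bool
    emergency_stop_loop: bool   # True while no emergency stop switch is operated
    moving: bool                # True when the low-speed relay has dropped out


def emergency_loop_intact(h):
    """Circuits whose loss drops the brake-hold relay and applies the
    emergency brake regardless of any digital demand."""
    return (h.aws_acknowledged and h.tpws_clear and h.dsd_held
            and h.pbc_position != "emergency" and h.emergency_stop_loop)


def traction_permitted(h):
    """Everything that must be made before traction can be taken."""
    return (emergency_loop_intact(h) and h.direction in ("forward", "reverse")
            and h.dra_clear and h.door_interlock and h.pbc_position == "power")


def arbitrate(h, demand):
    """Combine a digital demand from the train bus, e.g. {"brake": 0,
    "traction": 80}, with the hardwired state and return the applied
    (brake_step, traction_percent).

    Rules modelled from the text: loss of the emergency loop gives emergency
    brake; a digital demand can never release below the physical handle
    position; traction only with every interlock made; losing door
    interlock cuts traction (and inhibits brake release at a stand)."""
    if not emergency_loop_intact(h):
        return BRAKE_STEP["emergency"], 0
    handle = BRAKE_STEP[h.pbc_position]
    brake = max(handle, int(demand.get("brake", 0)))
    if not h.door_interlock and not h.moving:
        return max(brake, BRAKE_STEP["step1"]), 0   # no release without interlock
    if traction_permitted(h) and brake == 0:
        traction = max(0, min(100, int(demand.get("traction", 0))))
    else:
        traction = 0
    return brake, traction


def scenarios():
    """The cases discussed in the text, as (label, applied result) pairs."""
    ready = Hardwired(aws_acknowledged=True, tpws_clear=True, dsd_held=True,
                      pbc_position="power", direction="forward", dra_clear=True,
                      door_interlock=True, emergency_stop_loop=True, moving=True)
    spoof = {"brake": 0, "traction": 100}   # attacker's "release and go" message
    return [
        ("driver in power, genuine demand", arbitrate(ready, {"brake": 0, "traction": 70})),
        ("handle in step 4, spoofed release", arbitrate(replace(ready, pbc_position="step4"), spoof)),
        ("DSD released", arbitrate(replace(ready, dsd_held=False), spoof)),
        ("emergency stop operated", arbitrate(replace(ready, emergency_stop_loop=False), spoof)),
        ("door interlock lost while moving",
         arbitrate(replace(ready, door_interlock=False, pbc_position="coast"), spoof)),
        ("door interlock lost at a stand",
         arbitrate(replace(ready, door_interlock=False, pbc_position="coast", moving=False), spoof)),
    ]


if __name__ == "__main__":
    for label, result in scenarios():
        print(f"{label:36s} -> brake step {result[0]}, traction {result[1]}%")
```

Note what the model does not protect against: when the driver really is in power with every interlock made (the first scenario), the digital traction demand is honoured, which is exactly the window the text goes on to describe.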
However, some systems can be compromised in a manner that affects safety, and that is harder to guard against. Take passenger doors, for example. Whilst the driver or train manager would usually control these, the controls they use are actually just computers interfacing with the TCS and control modules. If the train has Automatic Selective Door Operation (ASDO), those systems use stored data and beacons in the track to decide how many doors to arm, on which side of the train and when. With the right compromise, in the hands of the right attacker, it is entirely possible to manipulate that data to arm and release doors without a legitimate demand, potentially affecting passenger safety if done while the train is moving, or by opening the wrong doors at the wrong time.
Likewise, the HMI displays in the cab that the driver uses to understand the condition of the train and inform their driving are effectively screens running a lightweight Linux and displaying a predefined web page in kiosk mode. To control functions on these displays, the driver is interacting with a web page served by a web server on the train. These pages let the driver carry out actions such as entering headcodes (used by all sorts of on-train systems, such as GSM-R, the OTDR and timings), setting speed limiters, making announcements and much more.
If this is just a simple web server providing web applications with no authentication between the HMI and the web server (trust me, there is no authentication, I have been part of a pen test on real British rolling stock where we were able to see and take control of the HMI web pages from a laptop, allowing us to make announcements and change headcodes etc.), then it is entirely possible to manipulate these controls from a remote location if there is a remote path back to the attacker.
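The cab HMI above and the station displays discussed earlier share the same shape: a kiosk browser and a server on a network that trusts anyone who can reach it. The following is an added example, not code from the article or from any train or signage product, showing the unauthenticated control handler beside a hardened one that accepts a message only from a known peer, under that peer's key, with a nonce that has not been seen before. The same verifier serves both an HMI command (headcode, announcement) and a display URL update, and a signed URL update is additionally held to an allowlist of content hosts. The keys, peer addresses, message shapes, the `1S23` headcode and the `cms.signage.example` hostname are all constructed for the example.

```python
"""Added example (not from the original article): the unauthenticated
control path described in the text beside a hardened one.  One verifier
serves both the cab HMI web server and a station display's content update
channel.  Keys, peer addresses, message shapes and hostnames are assumptions."""
import hashlib
import hmac
import json
import secrets

# Constructed sample secrets and names (assumptions, not real values).
HMI_KEY = b"per-unit-key-provisioned-at-depot"
CMS_KEY = b"per-display-key-provisioned-at-install"
ALLOWED_CONTENT_HOSTS = {"cms.signage.example"}   # assumed CMS hostname


def apply_command(cmd):
    """Effect of a control message on the HMI or display (stubbed to a string)."""
    action = cmd.get("action")
    if action == "headcode":
        return f"headcode set to {cmd['value']}"
    if action == "announce":
        return f"announcement played: {cmd['value']}"
    if action == "set_url":
        # Even a correctly signed update may only point the kiosk at an allowed host.
        url = cmd["value"]
        if not url.startswith("https://") or url.split("/")[2] not in ALLOWED_CONTENT_HOSTS:
            return "rejected: url not on allowlist"
        return f"display now showing {url}"
    return "rejected: unknown action"


def handle_unauthenticated(cmd):
    """As found on the fleet in the text: whatever reaches the web server is acted on."""
    return apply_command(cmd)


def sign(key, cmd, nonce=None):
    """Client side: HMAC-SHA256 over a canonical JSON body that carries a nonce."""
    body = json.dumps({"cmd": cmd, "nonce": nonce or secrets.token_hex(8)},
                      sort_keys=True, separators=(",", ":")).encode()
    return {"body": body.decode(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class Verifier:
    """Server side: accept a message only from a known peer, with a valid tag
    under that peer's key, and with a nonce not seen before (replay guard).
    A real deployment would also bound the nonce store with a timestamp window."""

    def __init__(self, peers):
        self.peers = dict(peers)   # peer address -> key
        self.seen = set()

    def verify(self, src, signed):
        key = self.peers.get(src)
        if key is None:
            return None
        expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["tag"]):
            return None
        data = json.loads(signed["body"])
        if data["nonce"] in self.seen:
            return None
        self.seen.add(data["nonce"])
        return data["cmd"]


def handle_authenticated(verifier, src, signed):
    """Hardened path: verify first, then apply exactly what was signed."""
    cmd = verifier.verify(src, signed)
    return "rejected: not authenticated" if cmd is None else apply_command(cmd)


if __name__ == "__main__":
    v = Verifier({"10.1.0.10": HMI_KEY, "cms.signage.example": CMS_KEY})
    cmd = {"action": "headcode", "value": "1S23"}
    print(handle_unauthenticated(cmd))                           # anyone on the network
    print(handle_authenticated(v, "10.1.0.10", sign(HMI_KEY, cmd)))   # the real HMI
    print(handle_authenticated(v, "10.1.0.77", sign(HMI_KEY, cmd)))   # planted device
```

The keying is the hard part on a fleet: a per-unit key provisioned at the depot is what stops a key lifted from one train being replayed against every other, and a source allowlist alone is not enough on a flat train network where addresses can be spoofed.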
Conclusion
There are probably more items to sit and discuss and interrogate, but the long and short of this article is: yes, there are very real mechanisms whereby railway systems, both on platforms and on vehicles, can be compromised, and yes, some of those mechanisms have the very real ability to affect safety.
But that doesn't mean the mechanisms as portrayed in Nightsleeper are possible; they flat out aren't, not in the way the show achieves them. Nor does it mean these issues have not been thought about. There are many holes in the industry that need addressing to improve both physical and cyber security, but safety is front and centre for every railway organisation, and the systems on a train are always designed to fail safe.
Finally, whilst the show has taken creative licence with a lot of its approach, there are critical messages in it that the railway MUST take on board, understand and act on. There are vectors available to attackers that are both simpler to execute and wider in impact than anything in the show, or than the industry has even begun to think about, and the industry is woefully underprepared for them.