If you are here reading this article, you have no doubt either read my first article analysing the first episode of Nightsleeper, available here, or you have seen the series and are interested in knowing how much of it is actually achievable and how much is creative licence.
For those who don’t fall into either of those categories, Nightsleeper is a new TV Drama on BBC that depicts a coordinated, national cyber-attack against the UK rail network.
You can read my analysis of episode 1 here: Nightsleeper – Episode 1 – Analysing BBC’s New TV Show
Well, without further ado, let's get into it.
Hacked Station Displays
Let us start with the information screens at Victoria Station being taken over to display text from the attackers and make announcements. As covered in the first article, whilst seizing every display at once, as they do in the show, would be a complex undertaking, it is technically possible.
These displays are large LED matrix panels driven by control units that show web pages in kiosk mode. The pages are served from a web server within the station's control network, so if that network is compromised (perhaps by way of a compromised third-party anti-virus product?), then replacing the display pages with custom feeds and custom announcements is entirely possible. The weak point is that the display trusts whatever the server sends it.
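As an added example (not code from the original article, and not a representation of any real station display system), here is the display-controller side of the architecture just described: a kiosk-side feed validator in Python that refuses to render anything other than a strictly typed departure-board update. The feed format, field names and display identifier are assumed for the illustration, and the sample feeds are constructed here. Once the station web server is compromised the attacker controls what is served, so a validator on the display itself is the check that stops a hijacked server from pushing arbitrary text or markup; it leaves the attacker only the ability to lie within the schema, which is a much smaller prize than a marquee full of threats.

```python
import html
import json
import re

# Constructed sample feeds for the example (assumed format, not a real API):
# one legitimate update and two the attacker might push from a hijacked server.
LEGIT_FEED = json.dumps({
    "display_id": "VIC-CONCOURSE-01",
    "rows": [
        {"time": "18:30", "destination": "Brighton", "platform": "15", "status": "On time"},
        {"time": "18:32", "destination": "Gatwick Airport", "platform": "13", "status": "Delayed"},
    ],
})
ROGUE_FEED_EXTRA_FIELD = json.dumps({
    "display_id": "VIC-CONCOURSE-01",
    "rows": [{"time": "18:30", "destination": "Brighton", "platform": "15", "status": "On time"}],
    "announce": "<script>speak('we control the railway')</script>",  # field the display never defined
})
ROGUE_FEED_MARKUP = json.dumps({
    "display_id": "VIC-CONCOURSE-01",
    "rows": [{"time": "18:30", "destination": "<marquee>WE CONTROL THE RAILWAY</marquee>",
              "platform": "15", "status": "On time"}],
})

ALLOWED_TOP_KEYS = {"display_id", "rows"}
ALLOWED_ROW_KEYS = {"time", "destination", "platform", "status"}
ALLOWED_STATUS = {"On time", "Delayed", "Cancelled", "Expected"}
TIME_RE = re.compile(r"^[0-2]\d:[0-5]\d$")
PLATFORM_RE = re.compile(r"^[0-9]{1,2}[A-Z]?$")
DEST_RE = re.compile(r"^[A-Za-z][A-Za-z .'&-]{0,39}$")   # letters, spaces, a few punctuation marks


class FeedRejected(ValueError):
    """Raised for any feed the display is not prepared to render."""


def validate_feed(raw, expected_display):
    """Parse a departure-board feed and return only rows that pass the allowlist.

    Every key, value type and value format is checked; unknown keys are a hard
    reject because an attacker-controlled server is the threat model here.
    """
    try:
        feed = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise FeedRejected(f"not JSON: {exc}") from None
    if not isinstance(feed, dict):
        raise FeedRejected("top level must be an object")
    extra = set(feed) - ALLOWED_TOP_KEYS
    if extra:
        raise FeedRejected(f"unexpected keys: {sorted(extra)}")
    if feed.get("display_id") != expected_display:
        raise FeedRejected("feed addressed to a different display")
    rows = feed.get("rows")
    if not isinstance(rows, list) or not 0 < len(rows) <= 20:
        raise FeedRejected("rows must be a non-empty list of at most 20 entries")
    clean = []
    for i, row in enumerate(rows):
        if not isinstance(row, dict) or set(row) != ALLOWED_ROW_KEYS:
            raise FeedRejected(f"row {i}: wrong field set")
        if not all(isinstance(v, str) for v in row.values()):
            raise FeedRejected(f"row {i}: all fields must be strings")
        if not TIME_RE.match(row["time"]):
            raise FeedRejected(f"row {i}: bad time")
        if not PLATFORM_RE.match(row["platform"]):
            raise FeedRejected(f"row {i}: bad platform")
        if not DEST_RE.match(row["destination"]):
            raise FeedRejected(f"row {i}: destination contains disallowed characters")
        if row["status"] not in ALLOWED_STATUS:
            raise FeedRejected(f"row {i}: unknown status")
        # Escape on output as well, so even an allowlist slip cannot become markup.
        clean.append({k: html.escape(v) for k, v in row.items()})
    return clean


def render_board(rows):
    """Render validated rows as a plain table; values were escaped in validate_feed."""
    lines = ["<table>"]
    for r in rows:
        lines.append(f"<tr><td>{r['time']}</td><td>{r['destination']}</td>"
                     f"<td>{r['platform']}</td><td>{r['status']}</td></tr>")
    lines.append("</table>")
    return "\n".join(lines)


def accept(raw, display="VIC-CONCOURSE-01"):
    """Return (True, rows) for a feed the display will show, else (False, reason)."""
    try:
        return True, validate_feed(raw, display)
    except FeedRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, feed in [("legit", LEGIT_FEED), ("extra field", ROGUE_FEED_EXTRA_FIELD),
                       ("markup", ROGUE_FEED_MARKUP)]:
        ok, result = accept(feed)
        print(name, "->", render_board(result) if ok else f"REJECTED: {result}")
```

The validator deliberately has no "free text" field at all: a real deployment that needs one (service disruption notices, for instance) should route it through a separate, signed channel rather than widening this schema, because the whole value of the check is that the display cannot be talked into showing anything it was not built to show.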
Access to Victoria Station Control Room
Whilst the acting Technical Director of the National Cyber Security Centre (NCSC) is on the station forecourt, she approaches a member of station staff, tells them she works for the NCSC and, in the middle of a very visible, very disruptive cyber-attack, gains access to the security control room without showing ID or having her credentials validated at all.
On the surface, this seems absurd and entirely unrealistic, but sadly, my own experience within the railway is that physical security at stations, depots and other pieces of infrastructure is incredibly lax. Whilst I stress this is by no means all depots, in my capacity as an engineer within the railway I have visited depots for the first time, with nobody on that site knowing who I am, and have gained unrestricted, unquestioned access to rolling stock.
This was possible because I turned up at the gatehouse, wearing an orange vest, and asked for someone by a name that could, if needed, be found with a simple LinkedIn search. For some locations, it gets worse than that: you don't even need to stop at the gatehouse, you can just walk straight in. Just imagine what a malicious actor could do with that level of access.
Remotely Driving The Nightsleeper Train.
As an engineer familiar with how trains really work, this mistake is a doozy.
Once the Nightsleeper train arrives at Motherwell, the driver brings the train to a stop, moves the brakes to emergency, selects 'off' on the direction selector (disabling the cab desk), and then shuts the locomotive down, which drops the pantograph, and removes the key from the desk.
After a few minutes stopped, the cab desk re-enables on its own (presumably under the control of the remote assailant), cycles the doors, raises the pantograph and then moves off without a driver in the cab.
I have chosen my words and level of detail in that paragraph on purpose. If you read the analysis I did of the first episode, you will be familiar with the extensive steps you need to go through to prep a dead cab and ready a train for service. Let’s look at some reasons why the remote activation of a cab is not possible (we will cover some other issues a little later):
- Driver's key – While it may be possible on certain newer fleets to 'aux on' a train without any physical interaction with it (that is, to start the ancillary power systems, somewhat like switching the ignition on in your car), every cab desk requires a physical key before it can be activated and any of the driving controls manipulated. The switch this key operates prevents the cab from being energised without it, and it also interlocks the direction switch so that a direction cannot be selected on a train that has not been fully shut down. None of this can be manipulated remotely, so the desk cannot be activated remotely; in the condition the driver left the train in when he left the cab, it could not have been remotely started.
- On the subject of remote driving, throughout the episode Nightsleeper is being driven remotely by an assailant. Even if we play the scenario out and assume that the driver left the train with the cab enabled, a direction selected, the brakes released from emergency and the TPWS acknowledged, there is the small matter of the DSD pedal / driver's vigilance device not being depressed.
The DSD (Driver's Safety Device) is usually a pedal, often referred to as a deadman's pedal or deadman's switch, that must be depressed for the train to allow traction to be taken. It is there to ensure the driver is alert and paying attention, and to stop the train should the driver become incapacitated.
Periodically, the driver will hear a bell in the cab and must lift and then press back down the pedal to reset the vigilance countdown. If this is not done within a set time, the system drops the train's emergency stop loop out and the emergency brakes apply immediately. This system is usually entirely analogue electrics, with little or no digital involvement: wires and switches connected to timer relays and sounders. It is the textbook de-energise-to-stop design, so anything that breaks the circuit, including the loss of its own power, applies the brake rather than removing the protection, and it cannot be disabled remotely.
Consequently, even if the train was in a condition where the attacker had been able to gain traction (unlikely, given nothing is depressing the DSD), it would last a couple of minutes at most before the vigilance timer fails to reset and the DSD brings the train to a stop.
Nightsleeper Burning Through Red Lights
During the episode, there are a few occasions when Nightsleeper passes red signals without coming to a stop. The staff at the NCSC even comment that "the failsafe has failed".
There is a critical piece of information portrayed incorrectly here. The system they are discussing is the Train Protection and Warning System (TPWS). It uses transmitter loops (commonly called grids) fitted to the track on the approach to signals to protect trains from running a signal at danger.
When a signal shows danger (a red light), the loops on its approach are energised. The train-borne receiver detects them and automatically applies the emergency brakes if the train is approaching too fast to stop at the red signal, or passes the signal itself.
The system only works while the loops are energised; as such, it does not fail safe. In a cyber-attack that compromised the national signalling network, it would potentially be feasible to cut the power to the TPWS track equipment and render it useless, which would allow a train to pass the signal without the brakes being applied automatically. Contrast this with the DSD above, where removing power applies the brake: the "failsafe" the NCSC characters refer to was never one.
For more information on TPWS, see this document from the Office of Rail and Road (ORR): https://www.orr.gov.uk/sites/default/files/om/314.pdf
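The difference between the DSD/vigilance loop described earlier and the TPWS track equipment is the classic fail-safe distinction: one holds the brake off only while energised, the other applies protection only while energised. The following Python model, an added example that is not from the original article and not a representation of any real fleet's or signalling supplier's circuit, simulates both and serves the DSD section and this TPWS section together. The timings (a 60 s vigilance period, 6 s to re-acknowledge after the bell, 3 s before a lifted pedal applies the brake) are assumed values for the model; real fleets differ.

```python
from dataclasses import dataclass

# Timing constants are assumptions for this model, not figures from any fleet.
VIGILANCE_PERIOD_S = 60.0   # bell sounds this long after the last lift-and-press
VIGILANCE_GRACE_S = 6.0     # time after the bell in which to re-acknowledge
RELEASE_DELAY_S = 3.0       # pedal may be up this long before the brake applies


@dataclass
class VigilanceLoop:
    """DSD / vigilance modelled as an energise-to-run circuit: the brake is
    held OFF only while the loop is powered, the pedal is down (or only briefly
    lifted) and the vigilance timer has been reset in time. Any other state,
    including loss of supply, applies the brake."""
    powered: bool = True
    pedal_down: bool = False
    up_for: float = 0.0
    since_reset: float = 0.0
    brake_applied: bool = False

    def step(self, dt, pedal_down):
        if self.brake_applied:
            return  # latched: a brake application is not self-resetting
        # Only a release-then-press edge resets the timer; holding the pedal
        # down continuously (a weight, or a remote 'hold') does not.
        if pedal_down and not self.pedal_down:
            self.since_reset = 0.0
        self.up_for = 0.0 if pedal_down else self.up_for + dt
        self.pedal_down = pedal_down
        self.since_reset += dt
        held_off = (
            self.powered
            and self.up_for <= RELEASE_DELAY_S
            and self.since_reset < VIGILANCE_PERIOD_S + VIGILANCE_GRACE_S
        )
        if not held_off:
            self.brake_applied = True


def run_dsd(pedal_fn, power_fn, seconds, dt=1.0):
    """Simulate for `seconds`; return the time the emergency brake applies, or None."""
    loop = VigilanceLoop()
    t = 0.0
    while t < seconds:
        loop.powered = power_fn(t)
        loop.step(dt, pedal_fn(t))
        if loop.brake_applied:
            return t
        t += dt
    return None


@dataclass
class TpwsTrackLoop:
    """Track-mounted transmitter loop at a signal: energised ONLY while the
    signal shows danger (energise-to-trip). The real system also has an
    overspeed sensor on the approach; this models the train-stop loop only."""
    signal_at_danger: bool
    supply_on: bool = True

    def transmitting(self):
        return self.supply_on and self.signal_at_danger


def tpws_trip(loop):
    """Train-borne receiver: applies the emergency brake only if it passes an
    energised loop. Silence from the track is indistinguishable from 'signal
    clear', so a loop with no supply gives no protection at all."""
    return loop.transmitting()


def compare():
    """Run the scenarios from the text and return the outcome of each."""
    # Alert driver: pedal down, lifted for one second each time the bell is due.
    alert = lambda t: not (t > 0 and t % VIGILANCE_PERIOD_S < 1.0)
    return {
        "dsd_alert_driver": run_dsd(alert, lambda t: True, 600),
        "dsd_pedal_held_down": run_dsd(lambda t: True, lambda t: True, 600),
        "dsd_empty_cab": run_dsd(lambda t: False, lambda t: True, 600),
        "dsd_power_cut_at_100s": run_dsd(alert, lambda t: t < 100, 600),
        "tpws_red_loop_powered": tpws_trip(TpwsTrackLoop(signal_at_danger=True)),
        "tpws_red_loop_unpowered": tpws_trip(TpwsTrackLoop(signal_at_danger=True, supply_on=False)),
        "tpws_green": tpws_trip(TpwsTrackLoop(signal_at_danger=False)),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name}: {outcome}")
```

The DSD scenarios show why "something holding the pedal down" is not enough for a remote driver: the timer only resets on a release-and-press edge, so a continuously held pedal still produces a brake application at the end of the first vigilance cycle, and cutting the circuit's power stops the train immediately. The TPWS scenarios show the opposite failure mode: with the loop's supply removed, a red signal produces exactly the same receiver output as a green one.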
ROSCOS, TOCs, FOCs, VOCs and ECMs
During the show, they throw out a lot of acronyms, so many that at times it's like they're playing buzzword bingo. The overwhelming majority are accurate, but the show doesn't do a great job of explaining them. So, for everyone's benefit, here is a short explainer of the key ones used:
- TOC – Train Operating Company – An organisation that operates passenger trains.
- FOC – Freight Operating Company – Similar to a TOC, but they only operate non-passenger trains.
- ROSCO – Rolling Stock Owning Company – These organisations own the trains, and lease them to the TOCs and FOCs.
- VOC – Vehicle On-board Computer – Another term for the TCS, the train's control system.
- ECM – Entity in Charge of Maintenance – The organisation responsible for maintaining the train.
As accurate as the show seems to be with their use of these acronyms, indicating they have had consultation from someone who at least has a sense of what they’re talking about, the portrayal of these organisations, and who owns them, is woefully off base.
- TOC is French – In the show, the TOC is depicted as French. In reality, this is not the case with any rolling stock operator in the UK. Whilst the TOC's owning brand may be non-British, the organisation that runs the operations will always be registered in Britain, with offices and staff in Britain to run the business.
- ROSCO is German – In the show, the ROSCO is depicted as German. Again, in reality there are only a handful of rolling stock owning companies in the UK. They may be financed by off-shore investors, but the organisations themselves are all registered and run within Britain. They also all employ engineers and technical staff, although their cyber security knowledge can be extremely limited.
It is critically important with shows like this that we do not paint a picture of the railway that is not accurate. Misconceptions from shows such as this could lead to significant public backlash when it is not justified.
Contingency Plan
There is very little discussion in the show about what they will do if they cannot stop the train hack – other than a very brief mention that the military are gearing up to get involved and it may get “messy”.
One has to surmise that this involves a deliberate derailment of the train in an unpopulated area to prevent a worse disaster. It is worth noting that for this to play out in reality, so much would have to align and be compromised at the same time to produce an unstoppable train that this is not a realistic outcome. Likewise, there are a number of other avenues that do not involve derailing a train with passengers on board; that said, they wouldn't make for such good telly.
Phone Jammer On Nightsleeper
Throughout the whole episode, phone signal remains out on Nightsleeper. This means there is still a secondary device concealed on the train that is blocking the networks. For this to hold across all carriers and all cellular bands, the device would have to be large, with multiple antennae, positioned to interfere over the whole length of the train, and hooked up to a power supply substantial enough to run that equipment.
Despite all of those factors making the device very hard to hide, there is little to no discussion about it and no attempt to actually find it. Likewise, there has been nothing in the way of discussion about how the remote assailant maintains a connection to the SBC.
Traditionally, connections like this are established over either third-party Wi-Fi or a dedicated GSM backhaul. We know that neither applies here, as the Wi-Fi is down and GSM is being jammed, so the attacker must either be close enough to the device to maintain a direct peer-to-peer link, or must have another communication device on the train acting as an intermediary, most likely a satellite terminal. Note that a jammer blocking every cellular band would also block the attacker's own cellular uplink, which is precisely why the satellite option is the plausible one, and also why finding the jammer would be the obvious first move.
Ministerial Presence And Cyber Terror.
It becomes clear during the show that the minister for transport being on Nightsleeper, and the speech she was due to make in the near future, has something to do with the motive for the attack.
This further affirms the notion that this is a well-funded nation-state actor. Such actors have near-limitless funds, operate without regard for laws, morals or the risk of being caught, will use every scrap of information they can lay their hands on to facilitate the attack, and will stop at nothing, including targeting staff and their families, to achieve their goal.
This, together with the increasing digitalisation and connectivity of new fleets, raises an issue the railway has simply not thought about: document security.
Suddenly, the security of all our maintenance documentation is critically important because, in the hands of a rogue actor, it becomes a playbook for exactly how to compromise a vehicle's network, and tells attackers exactly what can be achieved by attacking each system.
Despite this seeming straightforward and obvious, the fragmented way the railway is structured (owner, operator and maintainer are frequently different organisations, as the acronyms above show) means nobody would be able to tell if maintenance documentation had been exfiltrated to a rogue actor until they act on it, by which time it is too late. Without per-recipient copies and access logging, there is simply nothing to detect against.
If you found this content engaging, and would like to get in touch, please visit the website, or get in touch with me directly at [email protected].