January 12, 2016 By Douglas Bonderud 3 min read

It’s hard to argue with efficiency in tech or transportation. Despite the availability of air freight and commercial trucking services, trains stand out as both efficient and cost-effective when it comes to moving large quantities of material goods.

According to SecurityWeek, however, the supervisory control and data acquisition (SCADA) systems used by many rail companies are vulnerable to hacker attacks, paving the way for a kind of cyber train robbery. But are cybercriminals really motivated to follow this track? And if so, what’s the impact for SCADA solutions at large?

Scary SCADA?

SCADA systems are an integral part of many enterprise systems, primarily in the energy generation and manufacturing sector. Historically, the security these systems offered was considered good enough for critical components, since money-motivated hacking groups had very little to gain by messing with power grids or impacting oil production.

The rise of nation-sponsored and ideologue-based hacktivism, however, has changed the game. Now, malicious actors may target these facilities in an attempt to drive political change or because they’re being paid by groups with specific global or national agendas. As noted by BizTech, the energy sector now faces the legacy of poorly secured SCADA systems and is playing catch-up as it hunts down specific — and often critical — vulnerabilities.

But energy companies aren’t the only ones using SCADA. Manufacturing firms often leverage these systems to keep track of production timelines and maintenance issues, while rail companies use SCADA to manage traffic control, crossing protection and switching yard automation. Just like their energy counterparts, these systems are vulnerable to hacker attacks under the right conditions.

Digital Divide Leads to Hacker Attacks

The basic principles of train operation haven’t changed. Steel wheels still roll on tracks, driven by enormous engines with a single purpose: pull. As noted by the SecurityWeek piece, however, the back-end infrastructure supporting this aim has evolved significantly. Digitally controlled signals have replaced human-operated points, while electronic passenger protection and information systems have made both occupying and operating trains a much safer, more enjoyable experience.

According to Popular Science, however, a team of researchers from German security firm SCADA Strangelove has spent the last three years working with train companies across the globe to assess SCADA flaws. The results? These systems are not OK.

At the 32nd Chaos Communications Conference (32C3), the research team rolled out a new paper titled “The Great Train Cyber Robbery.” It found a number of high-level security and safety issues. For example, some digital train switches need constant Internet access; if the signal is lost, trains automatically stop. A few systems also use default passwords on admin accounts, even for high-level functions.

SCADA Strangelove went into more detail. Consider the use of WinAC RTX controllers as part of train protection systems by many European companies. It’s possible to control these devices without authentication or to use XML over HTTP to create malicious modification tools for the device. Hacking computer-based interlocking (CBI) systems, meanwhile, gives malicious actors the ability to control train routes and schedules, in turn allowing them to ransom back control or attempt to force a crash.

There’s also the problem of passwords. In addition to keeping admin passwords intact, the research team found that password data was often publicly available. One U.K. documentary about the country’s rail system included a shot that captured login details written on a post-it note. Even in cases where technology is secure, such as SIM cards, it’s possible for hacker attacks to take place using a GSM jammer, which would disrupt communications between trains and their control stations.
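The findings above (controllers that accept configuration changes without authentication, XML-over-HTTP modification, admin accounts left on default credentials) are the kind of thing a rail operator can at least watch for in its own logs. The following is an added example, not code from the article or from SCADA Strangelove: a small detector run over a constructed access log from a controller's management interface. The log format, the engineering subnet (10.20.0.0/16), the `/config` and `/login` paths and the failed-login threshold are all assumptions chosen for the example, not any vendor's real format.

```python
"""Detection over constructed controller-management access logs (added example).

Rules implemented:
  1. a configuration write (POST /config) accepted with no authentication
  2. a successful admin login from outside the engineering network
  3. a successful login that follows repeated failures from the same source
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: workstations allowed to administer controllers live here.
ENGINEERING_NET = ipaddress.ip_network("10.20.0.0/16")
FAILED_LOGIN_THRESHOLD = 3  # assumption: alert on 3+ failures before a success

# Constructed log format (not a real vendor format):
# <ISO timestamp> <src ip> "<METHOD> <path>" <status> auth=<method[:user]> ctype=<content-type>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) auth=(?P<auth>\S+) ctype=(?P<ctype>\S+)$'
)

# Constructed sample: one legitimate session from engineering, then an
# untrusted source writing config unauthenticated and guessing the admin password.
SAMPLE_LOG = """\
2016-01-12T08:00:01Z 10.20.5.14 "GET /status" 200 auth=cert:eng01 ctype=-
2016-01-12T08:00:07Z 10.20.5.14 "POST /config" 200 auth=cert:eng01 ctype=text/xml
2016-01-12T08:01:30Z 192.0.2.77 "POST /config" 200 auth=none ctype=text/xml
2016-01-12T08:02:11Z 192.0.2.77 "POST /login" 401 auth=basic:admin ctype=-
2016-01-12T08:02:12Z 192.0.2.77 "POST /login" 401 auth=basic:admin ctype=-
2016-01-12T08:02:13Z 192.0.2.77 "POST /login" 401 auth=basic:admin ctype=-
2016-01-12T08:02:14Z 192.0.2.77 "POST /login" 200 auth=basic:admin ctype=-
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    auth_method, _, user = rec["auth"].partition(":")
    rec["auth_method"] = auth_method      # e.g. "cert", "basic", "none"
    rec["user"] = user or None            # None when no user is carried
    return rec


def detect(log_text):
    """Run the three rules over a log and return a list of alert dicts in log order."""
    alerts = []
    failures = defaultdict(int)  # consecutive failed logins per source address
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        outside = ipaddress.ip_address(src) not in ENGINEERING_NET

        # Rule 1: the controller accepted a config write with no authentication.
        if (rec["method"] == "POST" and rec["path"] == "/config"
                and rec["auth_method"] == "none" and rec["status"] == 200):
            alerts.append({"rule": "unauthenticated_config_write",
                           "src": src, "ts": rec["ts"], "ctype": rec["ctype"]})

        if rec["path"] != "/login":
            continue
        if rec["status"] == 401:
            failures[src] += 1
        elif rec["status"] == 200:
            # Rule 2: admin account used from outside the engineering network.
            if rec["user"] == "admin" and outside:
                alerts.append({"rule": "admin_login_untrusted_source",
                               "src": src, "ts": rec["ts"]})
            # Rule 3: success after repeated failures looks like password guessing.
            if failures[src] >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "login_after_repeated_failures",
                               "src": src, "ts": rec["ts"], "failures": failures[src]})
            failures[src] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 1 is the one that matters most for the WinAC-style finding: a controller that honours an unauthenticated XML write cannot be fixed from the log, but the write can at least be seen. Rules 2 and 3 address the default-credential problem from the monitoring side; the actual fix is to change the credentials and restrict the management interface to the engineering network.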

Real-World Problems?

The SCADA Strangelove researchers admit that in many cases, these hacks would require intimate knowledge of the SCADA system or the help of someone on the inside, either as a malicious accomplice or an inadvertent insider through the use of social engineering.

As noted by Fortune, however, the idea of hacked trains isn’t exactly far-fetched. In early December 2015, a Massachusetts Bay Transportation Authority (MBTA) train departed without an operator and coasted through four stations before coming to a stop. While no details have been released on exactly what caused the issue, the specter of hacking has already emerged, and with thousands of commuters riding the MBTA each day, digital vulnerabilities could have serious physical impact.

Bottom line? Hacker motives are changing. It’s no longer about the quick smash-and-grab; many malicious actors are looking for ways to wreak real havoc or acting on the instructions of a politically motivated nation-state. And what motivates governments and large corporations to change their ways? Infrastructure threats. With SCADA systems acting as an integral part of everything from energy to manufacturing and transportation, it’s no surprise that cybercriminals are learning to leverage vulnerabilities and discover just what kind of damage they can cause.

This isn’t a runaway freight train situation just yet. With proper monitoring, better detection and a realization that most existing systems aren’t up to the challenge, it’s possible to get SCADA back on track.

Learn more: Read the IBM Research Report on Critical Infrastructure
