January 12, 2016 By Douglas Bonderud 3 min read

It’s hard to argue with efficiency in tech or transportation. Despite the availability of air freight and commercial trucking services, trains stand out as both efficient and cost-effective when it comes to moving large quantities of material goods.

According to SecurityWeek, however, the supervisory control and data acquisition network (SCADA) systems used by many rail companies are vulnerable to hacker attacks, paving the way for a kind of cyber train robbery. But are cybercriminals really motivated to follow this track? And if so, what’s the impact for SCADA solutions at large?

Scary SCADA?

SCADA systems are an integral part of many enterprise systems, primarily in the energy generation and manufacturing sector. Historically, these systems have been good enough to secure critical components since money-motivated hacking groups had very little to gain by messing with power grids or impacting oil production.

The rise of nation-sponsored and ideologue-based hacktivism, however, has changed the game. Now, malicious actors may target these facilities in an attempt to drive political change or because they’re being paid by groups with specific global or national agendas. As noted by BizTech, the energy sector now faces the legacy of poorly secured SCADA systems and is playing catch-up as it hunts down specific — and often critical — vulnerabilities.

But energy companies aren’t the only ones using SCADA. Manufacturing firms often leverage these systems to keep track of production timelines and maintenance issues, while rail companies use SCADA to manage traffic control, crossing protection and switching yard automation. Just like their energy counterparts, these systems are vulnerable to hacker attacks under the right conditions.

Digital Divide Leads to Hacker Attacks

The basic principles of train operation haven’t changed. Steel wheels still roll on tracks, driven by enormous engines with a single purpose: pull. As noted by the SecurityWeek piece, however, the back-end infrastructure supporting this aim has evolved significantly. Digitally controlled signals have replaced human-operated points, while electronic passenger protection and information systems have made both occupying and operating trains a much safer, more enjoyable experience.

According to Popular Science, however, a team of researchers from German security firm SCADA Strangelove has spent the last three years working with train companies across the globe to assess SCADA flaws. The results? These systems are not OK.

At the 32nd Chaos Communications Conference (32C3), the research team rolled out a new paper titled “The Great Train Cyber Robbery.” It found a number of high-level security and safety issues: For example, some digital train switches need constant Internet access. If the signal is lost, trains automatically stop. A few systems also use default passwords on admin accounts even for high-level functions.

SCADA Strangelove went into more detail. Consider the use of WinAC RTX controllers as part of train protection systems by many European companies. It’s possible to control these devices without authentication or to use XML over HTTP to create malicious modification tools for the device. Hacking computer-based interlocking (CBI) systems, meanwhile, gives malicious actors the ability to control train routes and schedules, in turn allowing them to ransom back control or attempt to force a crash.

There’s also the problem of passwords. In addition to keeping admin passwords intact, the research team found that password data was often publicly available. One U.K. documentary about the country’s rail system included a shot that captured login details written on a post-it note. Even in cases where technology is secure, such as SIM cards, it’s possible for hacker attacks to take place using a GSM jammer, which would disrupt communications between trains and their control stations.

Real-World Problems?

The SCADA Strangelove researchers admit that in many cases, these hacks would require intimate knowledge of the SCADA system or the help of someone on the inside, either as a malicious accomplice or an inadvertent insider through the use of social engineering.

As noted by Fortune, however, the idea of hacked trains isn’t exactly far-fetched. In early December 2015, a Massachusetts Bay Transportation Authority (MBTA) train departed without an operator and coasted through four stations before coming to a stop. While no details have been released on exactly what caused the issue, the specter of hacking has already emerged, and with thousands of commuters riding the MBTA each day, digital vulnerabilities could have serious physical impact.

Bottom line? Hacker motives are changing. It’s no longer about the quick smash-and-grab; many malicious actors are looking for ways to wreak real havoc or acting on the instructions of a politically motivated nation-state. And what motivates governments and large corporations to change their ways? Infrastructure threats. With SCADA systems acting as an integral part of everything from energy to manufacturing and transportation, it’s no surprise that cybercriminals are learning to leverage vulnerabilities and discover just what kind of damage they can cause.

This isn’t a runaway freight train situation just yet. With proper monitoring, better detection and a realization that most existing systems aren’t up to the challenge, it’s possible to get SCADA back on track.

Learn more: Read the IBM Research Report on Critical Infrastructure

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today