Freight train

Photo: David Lustig

USA: The Cybersecurity & Infrastructure Security Agency has issued an advisory notice warning of a cybersecurity vulnerability which could in theory allow malicious actors to control a train’s brakes.

The radio protocol linking end-of-train (EoT) and head-of-train (HoT) devices uses weak authentication. If exploited, an attacker could send their own brake control commands to the end-of-train device, causing a sudden stop which may disrupt operations or induce brake failure by overwhelming the braking systems.
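The advisory's point is that a command link whose only check is an unkeyed integrity value lets any party who knows the frame format produce an acceptable message, whereas a keyed message authentication code bound to a sequence counter lets the receiver reject frames that were not produced by the holder of the shared key or that repeat an earlier frame. The following is an added illustration written for this article; it is not code from CISA, the AAR standard or any device supplier. The frame layout (`device_id`, `command`, `seq`), the `KeyedVerifier` class, the checksum and the example key are all constructed for this example and do not describe the real EoT/HoT protocol.

```python
"""Receiver-side comparison of an unkeyed integrity check and a keyed,
replay-protected check. Everything here (frame layout, field names, key)
is constructed for illustration, not taken from the EoT/HoT standard."""
import hashlib
import hmac
import struct

BRAKE_APPLY = 0x01  # hypothetical command code
FRAME_LAYOUT = ">IBI"  # device id (4 bytes), command (1 byte), sequence (4 bytes)
BODY_LEN = struct.calcsize(FRAME_LAYOUT)
# Example shared key only; a real deployment would provision per-device keys.
EXAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def encode_body(device_id: int, command: int, seq: int) -> bytes:
    """Serialise the constructed frame fields."""
    return struct.pack(FRAME_LAYOUT, device_id, command, seq)


def checksum(data: bytes) -> int:
    """Unkeyed 8-bit additive checksum: detects transmission errors only.
    It depends on nothing the sender has to possess, so it proves nothing
    about who built the frame."""
    return sum(data) & 0xFF


def build_unkeyed_frame(device_id: int, command: int, seq: int) -> bytes:
    return encode_body(device_id, command, seq) + bytes([checksum(encode_body(device_id, command, seq))])


def verify_unkeyed_frame(frame: bytes) -> bool:
    """Accepts any well-formed frame; there is no notion of a legitimate sender."""
    body, tag = frame[:-1], frame[-1]
    return checksum(body) == tag


def build_keyed_frame(device_id: int, command: int, seq: int, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed over the body with the shared key."""
    body = encode_body(device_id, command, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class KeyedVerifier:
    """Receiver state for the keyed scheme: shared key plus the highest
    sequence number accepted so far, so a captured frame cannot be replayed."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def verify(self, frame: bytes) -> bool:
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        if len(body) != BODY_LEN:
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, tag):
            return False
        _, _, seq = struct.unpack(FRAME_LAYOUT, body)
        if seq <= self.last_seq:
            return False  # replayed or stale frame
        self.last_seq = seq
        return True


def demo() -> dict:
    """Exercise both schemes and return the verifier decisions."""
    results = {}
    # Unkeyed: a frame built by any party who knows the layout is accepted.
    results["unkeyed_any_sender"] = verify_unkeyed_frame(build_unkeyed_frame(7, BRAKE_APPLY, 1))

    verifier = KeyedVerifier(EXAMPLE_KEY)
    genuine = build_keyed_frame(7, BRAKE_APPLY, 1, EXAMPLE_KEY)
    results["keyed_genuine"] = verifier.verify(genuine)
    results["keyed_replay"] = verifier.verify(genuine)  # same frame again
    results["keyed_wrong_key"] = verifier.verify(build_keyed_frame(7, BRAKE_APPLY, 2, b"not-the-key"))
    results["keyed_next_seq"] = verifier.verify(build_keyed_frame(7, BRAKE_APPLY, 2, EXAMPLE_KEY))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The unkeyed path accepts every well-formed frame because the checksum is computable from the frame alone; the keyed path accepts only frames tagged with the shared key and carrying a sequence number higher than the last one seen. Adding a MAC to a fielded protocol also raises the practical questions of key provisioning, key rotation and counter resynchronisation after a device restart, which is why the standards committee's ongoing work on next-generation devices matters more than any single patch.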

The vulnerability was reported by Neil Smith in 2012 and independently by Eric Reuter in 2018. Posting on X after the CISA notice was issued on July 10, Smith said ‘you could remotely take control over a train’s brake controller from a very long distance away, using hardware that costs sub $500. You could induce brake failure leading to derailments or you could shut down the entire national railway system.’

CISA said no known public exploitation specifically targeting the vulnerability has been reported, and it is not exploitable remotely.

The protocol is maintained by the Association of American Railroads’ Railroad Electronics Standards Committee and used by multiple manufacturers. Users of EoT/HoT devices are recommended to contact their device suppliers with any questions.

The standards committee is aware of the vulnerability, which is being taken into account during the ongoing development of new equipment and protocols.

AAR told Railway Gazette International that it recently supported the CISA and Department of Homeland Security’s Project Chariot initiative to identify vulnerabilities and develop robust mitigation strategies for the hardening of critical infrastructure.

AAR said ‘railroads have, and will continue to, put concerted effort into advancing next-generation End-of-Train devices and the technical standards that govern them. Next generation devices and standards have the potential to significantly improve communication between lead locomotives and the end of the train, securely enhance reliability, and streamline operations.’

Commenting on the advisory notice, Anna Collard, of IT security firm KnowBe4, said ‘the discovery of a 20-year-old vulnerability that could allow attackers to remotely manipulate train brakes is a reminder about the technical debt in critical infrastructure. As digital systems are layered onto legacy operational technology environments, vulnerabilities that were once obscure might become high-impact threats.’