In 2015 in Hanover, Germany, a railway system experienced almost 3 million attacks in six weeks. Attackers would return over and over again, rigorously studying the system and improving their methods with each attempt. In roughly a tenth of these attacks, intruders were able to gain a measure of control within the system. Fortunately, this railway system was a simulation set up at the 2015 CeBIT Hanover Fair and put online as a honeypot – a kind of bait system that waits for attackers so that their methods can be studied.
This experiment foreshadowed 2020’s increases in the sophistication and frequency of railway-focused cyber attacks:
- January 2020 – U.S.-based Railworks Corporation’s servers and systems encrypted by ransomware and archived personal information of contractors, personnel, and personnel’s family members stolen
- March 2020 – attackers compromise C3UK wi-fi in train stations exposing travel details and e-mail addresses of about 10,000 passengers online and allowing individuals’ travel patterns to be tracked
- April 2020 – Amtrak guest rewards system breached by “an unknown third party” who may have stolen personal information and log-ins
- May 2020 – Swiss international railway vehicle manufacturer Stadler had data stolen and systems disrupted followed by attempted extortion of payments by attackers leveraging exfiltrated data
- July 2020 – Spanish state-owned company ADIF responsible for most of Spain’s railway infrastructure attacked with REvil ransomware, with the attackers attempting to leverage 800GB of stolen sensitive data to extort a hefty ransom
- July 2020 – Israeli infrastructure suffers a cyber attack on 28 railway stations, attackers claim “severe damage to equipment and infrastructure” and the ability to cause large-scale train collisions
- October 2020 – Montreal’s public transportation system attacked with RansomExx ransomware circumventing defenses to cause “major computer failure” and disrupt “IT systems, website and customer support”
- December 2020 – TransLink, public transportation system for Vancouver, Canada, attacked with Egregor ransomware, resulting in inability to accept payments and disabled Trip Planner tool
Cyber attacks such as these can be significantly weakened or completely stopped with modernized defenses and training. Our security researchers recommend five defensive measures to mitigate cyber attacks, protecting infrastructure organizations from attackers’ attempts at disrupting and extorting money from essential services.
- Network segmentation breaks the network up into easily defensible zones based on which assets need to communicate with each other, preventing attackers and malware from moving between systems or subsystems.
- Virtual patching is a network-based control that puts a “shield” around vulnerable assets, requiring no adjustment to the asset itself.
- Routine scans of all stand-alone assets detect and remove malware before it launches.
- Lockdown of fixed-use assets like speed gates and ticketing kiosks prevents all non-trust list approved applications from running on the system, allowing
- Security awareness education (SAE) for team members, particularly on the dangers of phishing – a simple 30-minute training course sent out to personnel once a year works wonders for preventing attacks before they happen.
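The segmentation measure above is, at its core, an explicit allow-list of which zone may talk to which, with everything else denied. The following is an added example (not code from the original post or from any TXOne or Trend Micro product) that models that policy and replays constructed flow records through it, reporting every flow the policy would deny; the zone names, address ranges, ports and log lines are all constructed for illustration.

```python
"""Zone-based segmentation policy check over constructed flow records.

Added example: models network segmentation as an allow-list of
(source zone, destination zone, destination port) tuples and audits a
constructed NetFlow-style log against it. All zones, addresses and flows
are constructed placeholders, not values from the original post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: groups of assets that need to communicate, nothing more.
ZONES = {
    "corporate_it": ip_network("10.10.0.0/16"),
    "ticketing": ip_network("10.20.0.0/24"),
    "signalling": ip_network("10.30.0.0/24"),
    "maintenance": ip_network("10.40.0.0/24"),
}

# Allowed inter-zone flows. Anything not listed is denied by default.
ALLOWED = {
    ("corporate_it", "ticketing", 443),
    ("ticketing", "corporate_it", 443),
    ("maintenance", "signalling", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str):
    """Return the zone name containing ip, or None if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow):
    """Return (verdict, reason) for a single flow under the zone policy."""
    src_zone = zone_of(flow.src)
    dst_zone = zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        # Addresses outside every defined zone never get a free pass.
        return "deny", "unknown-zone"
    if src_zone == dst_zone:
        return "allow", "intra-zone"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return "allow", "policy"
    return "deny", f"{src_zone}->{dst_zone}:{flow.dport} not in allow-list"


def parse_flow_line(line: str) -> Flow:
    # Constructed log format: "<src-ip> <dst-ip> <dst-port>"
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


# Constructed sample log: one flow per line.
SAMPLE_LOG = """\
10.10.5.7 10.20.0.15 443
10.20.0.15 10.30.0.8 502
10.40.0.3 10.30.0.8 22
10.10.5.7 10.30.0.8 445
10.30.0.8 10.30.0.9 502
192.0.2.9 10.20.0.15 80
"""


def audit(log_text: str):
    """Return a list of (flow, reason) for every flow the policy denies."""
    denied = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

Run against the constructed log, the audit flags the ticketing-to-signalling and corporate-to-signalling flows (cross-zone paths the policy never granted) and the flow from an address outside every zone, while intra-zone traffic and the two listed paths pass. The same evaluation logic can be pointed at exported firewall or flow logs to find traffic a planned segmentation would break before the rules are enforced.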
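The lockdown measure for fixed-use assets above depends on a trust list that pins not just which executables may run but what they must contain. This added example (not code from the original post, nor from StellarEnforce or StellarOne) models that check with a trust list keyed by path and SHA-256 and evaluates constructed process-launch events against it; the paths, file contents and events are constructed placeholders.

```python
"""Trust-list (application allow-list) check for a fixed-use asset.

Added example: a binary may run only if its path is on the trust list AND
its content hash matches the recorded value, so a trusted path whose file
has been replaced is blocked rather than allowed. Paths and bytes are
constructed for illustration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" binaries for a ticketing kiosk image.
KIOSK_UI_BYTES = b"kiosk-ui build 4.2 (constructed placeholder bytes)"
PRINTER_SVC_BYTES = b"receipt-printer-service 1.9 (constructed placeholder bytes)"

# Trust list captured from the golden image: path -> SHA-256 of the file.
TRUST_LIST = {
    r"C:\Kiosk\kiosk-ui.exe": sha256_hex(KIOSK_UI_BYTES),
    r"C:\Kiosk\printer-svc.exe": sha256_hex(PRINTER_SVC_BYTES),
}


def evaluate_launch(path: str, image_bytes: bytes):
    """Return (verdict, reason) for a process-launch event."""
    expected = TRUST_LIST.get(path)
    if expected is None:
        return "block", "path not on trust list"
    if sha256_hex(image_bytes) != expected:
        # Same path, different content: treat as tampering, not as trusted.
        return "block", "hash mismatch for trusted path"
    return "allow", "trusted"


# Constructed launch events: (path, bytes the loader would execute).
EVENTS = [
    (r"C:\Kiosk\kiosk-ui.exe", KIOSK_UI_BYTES),
    (r"C:\Users\Public\update.exe", b"unknown binary (constructed)"),
    (r"C:\Kiosk\printer-svc.exe", b"modified printer-svc (constructed)"),
]


def audit_launches(events):
    """Return [(path, verdict, reason)] for every event."""
    return [(path, *evaluate_launch(path, data)) for path, data in events]


if __name__ == "__main__":
    for path, verdict, reason in audit_launches(EVENTS):
        print(f"{verdict.upper():5} {path}  ({reason})")
```

Of the three constructed events, only the unmodified kiosk UI is allowed; the unknown binary is blocked for not being on the list, and the printer service is blocked because its bytes no longer match the hash recorded from the golden image. Keying the trust list on the hash as well as the path is what makes the lockdown hold when a trusted file is overwritten in place.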
Segment your network and apply virtual patching to vulnerable assets with the next-generation firewall, EdgeFire.
Perform routine scans on stand-alone equipment (such as rolling stock) with Trend Micro Portable Security 3, a handheld portable scanning solution.
Lock down fixed-use assets with StellarEnforce and manage locked-down assets from the centralized StellarOne console.