Background
As the railway industry modernizes, new or reformed railway facilities have begun integrating various information or control systems to achieve a more efficient and automated environment and to improve the passenger experience. For example, Siemens Mobility announced in their press release in April 2023 that they have obtained a contract from Singapore MRT to provide integrated CBTC and PSD intelligent infrastructure for Singapore MRT stations, allowing the stations to operate automatically without any staff. Another example is ST Engineering, who also won a contract in September 2022 to provide system integration services for the Kaohsiung Metro Bureau in Taiwan. They have also set up a communications system, an automatic fare collection system, PSD (Platform Screen Doors), and a traction electrification system. ST Engineering integrated different information and control systems for their respective stations, and also innovatively used Platform Screen Doors to display train information and advertisement content. However, this process of modernization entails some foreseeable risks.
According to a report from ENISA, it was found that most cyberattacks on the global railway industry between January 2021 and October 2022 still targeted railway IT systems, such as passenger services, ticketing systems, and display boards. On its own, these systems being attacked would not lead directly to the shutdown of train operations. However these attacked systems and the train operation systems are still interconnected, and can be impacted by each other. The railway system architecture can be divided into the Onboard, Wayside, Station, and Control Center domains, with many different systems scattered throughout these domains. For example, CBTC is an advanced railway signaling system that uses electronics, communications, and automatic control technologies to enhance the accuracy of train operations. Onboard equipment wirelessly transmits train-related information to Wayside equipment, which then conveys this information to the Station and Control Center. This enables control personnel to keep track of all train dynamics in real time and automatedly control the trains. For a more in-depth understanding of the railway system architecture, you can refer to “Potential Threats to Railway Industry” and “Communication-Based Train Control Architecture and its Attack Aspects“.
Based on the trend of smart stations integrating a variety of different systems, we can easily imagine that once an attacker successfully invades a relatively easy-to-access system because the data exchange between systems is not strictly limited, they can also find openings to further affect critical systems. If the signaling system is attacked, it could not only shut down train operations but also cause train accidents.
Thus, we need to understand the structure of the railway system and the cybersecurity issues therein more deeply. In the upcoming article, we will delve into the system architecture of the station area, analyze its possible threats, and provide some cybersecurity suggestions. Through this approach, we expect to make beneficial contributions to the cybersecurity of the railway industry.
The Peril of Intelligent Infrastructure in Railway Stations
In the realm of railway signaling systems, “interlocking” refers to a particular arrangement of interconnected signaling devices. The design is such that a go-ahead signal will not appear unless the route being used by the train has been confirmed safe. You can see this depicted in Figure 1 for an interlocking station architecture.
Practical applications have demonstrated that interlocking designs have the capability to automatically monitor track conditions and train speeds, as well as control train scheduling. These systems invariably exchange data with ATP and ATO systems, as shown in the blue area of the diagram, where the ATP also connects to the track circuit on the rails to detect whether the track is currently occupied.
Moreover, interlocking designs also connect with the Positive Train Control (PTC) system, a system that manages traffic/routes based on train location and timetable information, through an Optical Fiber Cable to link different stations, as shown in the yellow area of the diagram. When a single railway operator manages multiple lines within the same area, typically all lines share a Central Control Point (CCP) room, facilitating communication between operators and handling emergencies.
Beyond this, the PTC system can also provide passengers with train information, such as distances to stations and delay times, and is connected to the Passenger Information System (PIS). The data is then relayed to passengers in an easily understandable format via the Passenger Information Display System (PIDS) or Public Address (PA) system, as shown in the green area of the diagram.
Looking further into the systems and equipment associated with interlocking, we find it can also connect with CCTV, Sign LEDs, and Platform Screen Door (PSD) controllers. Taking the PSD as an example, this design ensures environmental safety between the train and the platform before opening or closing the screen doors between them.
Figure 1. Interlocking Station Architecture
Passenger Information Display System (PIDS)
In the traditional architecture of interlocking systems, most device communication is carried out via cable data exchange. However, Siemens Mobility, the globally leading supplier, is modernizing in tandem with the rest of the world, upholding their motto of “working together to shape the progress”. Modern signaling technology is gravitating towards Ethernet communication. This technology has already been implemented in Germany and Norway, aligning with the global trend towards digitalized Operational Technology (OT) environments. As devices become network-connected, there is a corresponding increase in potential vectors for cyberattacks. We will further examine potential initial attack methods based on this modernized interlocking system context.
In stations, the Passenger Information Display System (PIDS) is located on platforms or corridors, primarily providing passengers with the next train arrival time and relevant transport information, as shown in Figure 2. In a report on the development trend of signal systems, “The Evolution of Railway Signal Systems and the Implementation Case of Taoyuan Airport MRT in Taiwan”, we found that PIDS can be connected to other systems via Ethernet TCP/IP. Within this type of network architecture, if the transmission content permitted by PIDS is not restricted, PIDS could become a conduit for an initial cyberattack.
Since the railway industry is meant to serve public interests, stations can be built in areas with low foot traffic. In those areas, individuals carrying devices in and out of stations do not face scrutiny or stringent restrictions. Attackers can take advantage of this lax security to begin different types of attacks. For example, threat actors could copy malicious software onto removable media, then rely on an unwitting trusted third party (such as a vendor or contractor with access permissions) to introduce the malicious removable media. Once the infected removable media is introduced into the target environment, the threat actors could carry out cyberattacks on the PIDS system with the aim of data or system compromise (e.g., the 2016 Conficker incident). Another type of attack is one where the threat actors might initially target the PIDS supplier’s software update environment, then legally download malicious software through the software update process to infiltrate a specific environment (similar to the Havex attack tactics).
Figure 2. PIDS Example
Platform Screen Doors (PSD)
The Platform Screen Doors (PSD) at the station are located on the platform, primarily to ensure passenger safety when getting on and off the train, or to reduce energy costs caused by air conditioning losses, as shown in Figure 3. We have found that some PSDs also incorporate a Passenger Information System (PIS). In addition to displaying train information, they can also display advertisements, providing an additional source of income for railway operators.
Figure 3. PSD Example
A PSD system should have appropriate control and monitoring panels, as shown in Figure 4. There is a Central Interface Panel within the equipment room that can control all PSD functions and communicate with the signaling system and other SCADA systems. The station office would also have a Monitor and Control PC, which, apart from monitoring and alerting the PSD status, can control the platform doors individually or in groups. Consequently, the security of equipment brought into the equipment room and station office by personnel is of utmost importance. In some rail operator policies, internal staff are allowed to bring their own computers into the station office, but they are only allowed to connect to the internal network using IPs assigned by the operator. However, we cannot always ensure that staff adhere to good network usage habits, so the security of brought-in equipment is a significant issue. Similar to other industries’ OT environments, equipment rooms in stations also need to allow third-party maintenance suppliers access. If an attacker manages to penetrate supplier or employee computer equipment, and then these compromised devices are brought into the equipment room and station office, the PSDs could be put under external control, and the signaling system could be compromised.
Figure 4. PSD Architecture
Conclusion
The interconnectivity that is characteristic of various subsystems in the railway industry provides opportunities for attackers to infiltrate critical systems through more accessible subsystems. Hence, appropriate network segmentation and data transmission content control are essential cybersecurity measures.
As previously discussed, with the modernization of the rail industry, an increasing number of railway facilities are gradually integrating different information or control systems to achieve a more efficient and automated environment. Yet, as we embrace a more intelligent environment, it inevitably broadens the avenues for attackers to launch cyberattacks. Apart from the opportunity for attackers to infiltrate critical railway systems by attacking PIDS, threat modeling in real railway industry environments presented in white papers highlights that, without proper network segmentation and data transmission content control, attackers could even exploit passenger-provided WiFi as an initial attack entry point, leading to potential property damage and threats to public safety.
Therefore, we recommend that railway operators adopt network defense solutions specifically designed for OT environments to seamlessly integrate into your network without any operational interruptions. Additionally, we suggest using network segmentation to isolate and protect different network segments to limit the potential spread of threats. EdgeFire supports network segmentation and isolation, dividing the network into different control zones, even down to the unit level. EdgeIPS analyzes traffic and blocks malicious packets with its built-in deep OT protocol filtering. This enables administrators to easily manage micro-segmentation in complex environments, with features such as TXOne One-Pass DPI for Industry (TXODI™), which gives you the ability to create and edit allow lists, allowing for interoperability between key nodes and deep analysis of L2-L7 network traffic.
On the other hand, the equipment rooms and offices in railway industry stations pose a challenge for equipment management. Aside from the assets brought in by third-party maintenance personnel and engineers, some stationed staff also have the opportunity to move between different station offices. Therefore, it’s crucial to conduct cybersecurity checks on Transient Cyber Assets in equipment rooms and offices that house important systems, ensuring that the assets brought in don’t become stepping stones for attackers.
In most cases, critical equipment is stored in the equipment rooms and offices of railway stations. If an attacker compromises the assets brought in by third-party personnel and connects said assets to the internal network, this could seriously threaten critical systems. Thus, we recommend that rail operators always conduct cybersecurity checks on assets by using the Portable Inspector solution, which allows for endpoint security checks without the need for software installation. Through the use of portable scanning tools, automated scanning and system configuration checks can be performed without a network connection. The Portable Inspector solution can be used to ensure supply chain security before devices enter the facility.
1) Minimize the impact of antivirus software on machinery or avoid violating machine warranty terms.
2) Suitable for network-free environments, allowing offline virus and configuration checks even in air-gapped environments.
3) Quickly verify whether personnel and supplier electronic devices carry malicious software, then execute cleanup or isolation accordingly.
4) Record asset information collected during each scan and send it to a central management console for viewing and archiving.
5) In addition to scanning for malicious software during data transfers, AES-256 hardware encryption is employed to protect files, ensuring data integrity during transfers.
For a more comprehensive understanding of OT Zero Trust, you can refer to TXOne OT-Native All-Terrain Solutions, or reach out to our team to learn more. We’re standing by to help you avoid these costly consequences.
