Cyber hackers target Polish rail network, cause operational disruptions

(Article updated to add comments from Andrzej Bartosiewicz and Piotr Combik)

Recent reports have confirmed that Polish intelligence services are investigating a hacking attack on the country’s rail network system. The Polish Press Agency (PAP) stated on Saturday that hackers broke into railway frequencies to disrupt traffic in the country’s northwest region during the course of the night.

According to the allegation, recordings of the Russian national anthem and a speech by President Vladimir Putin were intermingled with the signals. About 20 trains were brought to a standstill, but services were restored within hours.

Additionally, Poland’s Internal Security Agency (ABW) and police are probing an unauthorized use of the system involved in rail traffic management, Stanisław Zaryn, deputy coordinator of special services, told the Reuters news agency.

Zaryn said any such interference was treated seriously given recent attempts by Russia to destabilize Poland. “Such attempts are being made by the Russian Federation in cooperation with Belarus, and also for this reason we do not underestimate any signals that come to the ABW,” he added.

Separately, the state railway operator is investigating the derailment of two trains and a collision of another two on Thursday. No one was injured in these incidents.

Commenting on the incident, Andrzej Bartosiewicz, CEO of CISO #Poland, an association of over 200 CISOs in Poland, said “We do not treat this incident as a ‘cyberattack.’ It is incorrect to refer to the disruption of the ‘radiostop’ system as a malicious action in the cyber sphere. Recent events involving the use of the ‘radiostop’ signal, categorized for many years as acts of hooliganism, do not exceed the standard number of several hundred cases per year recorded by PKP PLK – Polish national railway infrastructure operator.”

Bartosiewicz added that it is also worth mentioning that ‘radiostop’ events simply cannot be detected by Cyber Security Operations Center(s), because they involve neither signaling systems nor any computer network. “The radio signal reaches over the air the locomotive, where the braking system is activated.”

“The Radiostop signal cannot change semaphore indications or change train routes. It is not in any way linked to railway traffic control devices. It cannot derail trains; its sole function is to trigger the emergency brakes of a train within the range (up to several kilometers) of the broadcasting radio station transmitting the signal,” said Piotr Combik, chairman of CISO #Poland Transport Working Group. “It is essential to remember that GSM-R may not be a panacea for the mentioned incidents. Operating the system will require heightened efforts in the realm of cybersecurity and physical infrastructure security. Technically outdated, the system has known vulnerabilities, including susceptibility to Denial of Service (DoS) attacks.” 

Combik added that the loss of GSM-R communication also triggers emergency vehicle braking. “The impact of a DoS attack on GSM-R is much more significant due to the fact that a single point (RCB) services a much larger number of trains compared to the range of the Radiostop signal. The consequences of a single attack on the GSM-R service were demonstrated by the fiber optic cable damage incident in Germany in 2022.”

Official statistics from CERT Poland identified that in the whole transport sector in Poland, from January 1st to August 24th, a total of 28 successful intrusions into information systems were recorded, along with 72 attempted attacks classified as incidents. The most serious incident in terms of consequences occurred in Olsztyn, where for several weeks, the intelligent traffic control system and the metropolitan ticket sales system were non-operational.

Rail cybersecurity company Cylus told Industrial Cyber that the attack on Poland’s State Railways (PKP) through its operational infrastructure demonstrates threat actors’ growing motivation to target rail infrastructure and to impose disruption on it. The threat actors in this case spoofed a radio command to create an emergency stop of 20 trains, both freight and passenger, in the PKP network on the evening of Friday, August 25th, and an emergency stop of a single train the following day.

The Tel Aviv, Israel-headquartered company said that it appears the root of the attack was through a legacy radio system designed with an ‘emergency stop function’. “This stop function is activated when a specific sequence of radio tones is received resulting in the emergency stop of all trains using the specific radio frequency.”

“Many legacy rail systems were designed for safety, with fail-safe mechanisms,” according to Yaniv Mallet, lead cybersecurity architect at Cylus. “And train stoppage was not seen as a concern. But intentional rail stoppage at scale was not planned and that’s what we’re seeing here. In fact, the technical specification detailing this radio system in use by PKP, including the emergency stop function, was publicly available online for interoperability purposes.”

Mallet added that the complexity of this attack was not high, but it did take some planning. “The VHF transmission equipment necessary for this attack is relatively simple, but the equipment would need to have been relatively close to the receiving train system. This attack does illustrate that threat actors are motivated and setting their sights on disruption of operational railway systems.”

“The threat actors also attempted to send a message by interspersing the emergency stop commands with playing of the Russian national anthem and Russian president Vladimir Putin’s speech excerpts,” according to Mallet. “The debate about whether this attack should be considered a ‘cyber-attack’ is irrelevant. Electronic warfare is merged with cyber warfare in military domains, and in the railway context, RF jamming and hacking are in fact risks that railway CISOs will need to consider and manage. In cases like this, real-time security monitoring can help to quickly identify a root cause of an attack and to plan the necessary mitigations and future protections.”

“This incident only highlights the critical need for cybersecurity protection for global railways,” Roark Pollock, vice president of marketing at Cylus, said. “The concern is that these types of malicious attacks are rarely a one-off. Often the initial attack is simply a ‘test’ by the threat actors.”

Upholding cybersecurity within the rail transportation sector has gained paramount significance due to the escalating prevalence of cyber adversarial attacks, accelerating wave of digital transformation, and growing imperative to protect legacy cyber systems that constitute a vulnerability to the operational landscape. It is largely this confluence of factors that has compelled rail operators to heighten their emphasis on cybersecurity, necessitating the implementation of robust measures to counter threats.

Additionally, the mounting geopolitical tensions, exemplified by conflicts such as the Russia/Ukraine situation, cast a palpable shadow over rail cybersecurity. The surging prevalence of nation-state-sponsored cyber warfare compounds the susceptibility of rail systems to malicious cyber offensives. In light of these dynamics, rail operators are compelled to cultivate a keen awareness of the evolving landscape and to bolster their cybersecurity fortifications. 
