Government officials initially believed railway signal disruptions in December were tied to a cyber-attack against a Northwest rail company, Nextgov reported. But government and railway officials later denied that a U.S. railroad had actually been hit by a cyber-attack.
“There was no targeted computer-based attack on a railroad,” said Holly Arthur, a spokeswoman for the Association of American Railroads.
While an attack has been ruled out, the incident highlights the risks posed by the industrial control systems that run critical infrastructure.
Train service on the unnamed railway was “slowed for a short while” and schedules delayed for 15 minutes on Dec. 1, according to a Transportation Security Administration memo obtained by Nextgov. A “second event” occurred just before rush hour the next day, but it did not affect schedules, according to the Dec. 20 memo, which summarized the agency’s outreach efforts to share threat intelligence with the transportation sector.
“Amtrak and the freight rails needed to have context regarding their information technical centers,” the memo said, adding that rail operators were not focused on cyber-threats.
TSA investigators discovered two IP addresses for the intruders associated with the Dec. 1 incident and another for Dec. 2. Investigators considered the possibility of the attackers being based overseas, but did not specify the suspected country, Nextgov reported. Alerts listing the three IP addresses were sent to several hundred railroad firms and public transportation agencies.
Officials at the Department of Homeland Security, which oversees the TSA, told Nextgov on Jan. 23 that further investigation showed it may not have been a targeted attack, but did not explain what may have caused the “anomalous activity.”
The railway incident is similar to what happened at an Illinois utility last fall. A government fusion center claimed Russian attackers had remotely destroyed the facility’s water pump, but DHS, after further investigation, said it was not an attack. It later turned out the intrusion had been an American contractor remotely logging in to perform some maintenance tasks.
However, the TSA’s railway memo highlights how vulnerable the railways are to an attack on supervisory control and data acquisition (SCADA) systems, according to experts from Casaba Security, a security analysis and consulting company. Just about anything in the railway infrastructure could be controlled by SCADA systems, including track switches, signal and crossing lights, transformers, weather and track sensors, engine monitors, railway car sensors, electronic signs and even turnstiles, said Samuel Bucholtz, Casaba’s co-founder. Most of these systems are connected to the network so that they can obtain data collected by the sensors.
“A sensor that can detect the position of a track switch is not helpful unless it can pass that data to an operations center hundreds of miles away,” Bucholtz said.
Connecting SCADA systems to the Internet puts the infrastructure at risk because it opens up the possibility of intruders finding a way into the network. However, many organizations take that risk to save money, simplify the infrastructure and ease maintenance. It is usually cheaper to transmit data over the Internet instead of investing in dedicated lines or wireless frequency space, according to Bucholtz.
“The benefit of SCADA being ‘online’ is that the Internet is cheap, robust, standardized and easily accessible,” Bucholtz said.
The downside is that without proper protections, the infrastructure is wide open to anyone looking. Cambridge University researcher Eireann Leverett developed a tool that mapped more than 10,000 industrial control systems accessible from the Internet, including water and sewage plants. While some of the systems could have been demo systems or used in places that wouldn’t count as critical infrastructure, such as the heating system in office buildings, some were active systems in water facilities in Ireland and sewage facilities in California.
Only 17 percent of the systems mapped asked for authorization to connect, suggesting that administrators either weren’t aware the systems were online or had not installed secure gateways, Leverett said. Leverett, a computer science doctoral student at Cambridge, presented the findings at the S4 conference in Miami.
Administrators need to set up secure and isolated networks and use Secure Sockets Layer or a virtual private network to restrict who can talk to the controllers, according to John Michener, chief scientist at Casaba. Since SCADA systems will likely be Internet-accessible, administrators should focus on putting them behind a secure gateway. “Increasingly all the communications are over the Net, so being on the Net is all but inescapable,” Michener said.
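The two controls Michener recommends, an isolated network around the controllers and a gateway that decides who may talk to them, can be sketched in a few lines, and the same sketch shows what the 83 percent of unauthenticated systems in Leverett's survey were missing. The following is an added example, not code from the article or from Casaba or Cambridge; the VPN subnet, the pre-shared key, the `Gateway` class and the `admit` function are all constructed for illustration.

```python
"""Added example (not from the article): a minimal authenticating front door
for a SCADA controller.  It models two controls: an ingress filter that only
accepts connections from an isolated operations network (the VPN / private
network the article recommends) and a challenge-response authentication step,
so the controller never answers an anonymous connection from the Internet.
All addresses, keys and names below are constructed for the example."""
import hashlib
import hmac
import ipaddress
import os

# Constructed policy: only the operations centre's VPN subnet may reach the controller.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.50.0.0/24")]
# Constructed pre-shared key shared by the gateway and the operator console.
PSK = b"constructed-example-key-not-for-production"


def is_source_allowed(source_ip, allowed=ALLOWED_NETWORKS):
    """Ingress filter: the connection must originate inside an allowed network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # garbage or unparsable address is never allowed
    return any(addr in net for net in allowed)


class Gateway:
    """Issues a fresh random challenge per connection and verifies the HMAC reply.

    A fresh challenge means a reply captured from one session is useless in
    another, and HMAC with a shared key means the client must actually hold
    the key rather than just know the protocol."""

    def __init__(self, psk=PSK):
        self.psk = psk
        self.denials = []  # audit trail of refused connections for the SOC

    def new_challenge(self):
        return os.urandom(16)

    def check_response(self, challenge, response):
        expected = hmac.new(self.psk, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

    def deny(self, source_ip, reason):
        self.denials.append((source_ip, reason))
        return False, reason


def client_answer(psk, challenge):
    """What a legitimate operator console computes from the gateway's challenge."""
    return hmac.new(psk, challenge, hashlib.sha256).digest()


def admit(gateway, source_ip, answer_fn):
    """Run both checks for one connection attempt; returns (admitted, reason).

    answer_fn is called with the challenge and must return the client's reply,
    which lets the example drive both ends of the exchange in one process."""
    if not is_source_allowed(source_ip):
        return gateway.deny(source_ip, "source outside isolated network")
    challenge = gateway.new_challenge()
    if not gateway.check_response(challenge, answer_fn(challenge)):
        return gateway.deny(source_ip, "authentication failed")
    return True, "admitted"


if __name__ == "__main__":
    gw = Gateway()
    # Operator console on the VPN with the right key: admitted.
    print(admit(gw, "10.50.0.7", lambda c: client_answer(PSK, c)))
    # Anonymous Internet host: refused before any authentication happens.
    print(admit(gw, "203.0.113.5", lambda c: client_answer(PSK, c)))
    # Host on the VPN but without the key: refused by the challenge step.
    print(admit(gw, "10.50.0.9", lambda c: client_answer(b"wrong-key", c)))
    print(gw.denials)
```

The ingress check runs first so that an Internet-facing host never even receives a challenge, which is the practical meaning of "behind a secure gateway"; the `denials` list is the record a defender would forward to monitoring, since repeated refusals from one address are the earliest sign that a controller has been found by a scan like the one described above.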