As public transport operators leverage more digital technologies to enhance operational efficiency, Communication-Based Train Control (CBTC) systems have become a new target for cyber-attacks
Jun 10, 2021
Public transport operators are leveraging more digital technologies to enhance their operational efficiency. Communication-Based Train Control (CBTC) systems are a key element of this strategy, using moving block principles to reduce the headway, enabling a drastic increase in metro network capacity.
With fewer field-connected elements and transport flow optimization software, the newer CBTC generations not only increase transport availability and punctuality but also reduce maintenance and operational costs. Many of these benefits are achieved through system interoperability and the use of IoT technologies. However, this greater efficiency comes at a price.
CBTC systems are no longer isolated from the outside world, and their attack surface is widening. They are becoming a more accessible target for cyber-attacks from external networks, more prone to attacks from within the network, and more likely to export risk to other business systems.
Top Threats to CBTC Systems
The top cybersecurity threats to urban transportation systems using Communication-Based Train Control (CBTC) systems are:
1. CBTC Train-to-Ground wireless communication is prone to cyber-attacks that can result in train hijacking and serve as an attack vector into the operator’s network.
Description: CBTC Train-to-Ground communication is often based on WLAN technology to perform train control. WLAN has significant weaknesses in key areas such as authentication, encryption, and transmission. Furthermore, older CBTC implementations employ legacy Wi-Fi technologies (802.11X) with very weak cyber protection, and may suffer from attacks such as sniffing, rogue access points, man-in-the-middle, evil twin attacks and Denial of Service (DoS).
Impact: A threat actor can exploit weak wireless protocols to hijack trains, potentially transmitting emergency commands or penetrating the operator’s network. An additional challenge is jamming, which can cause a loss of availability by forcing the system into a degraded operational mode.
2. CBTC systems are insecurely connected to OT and IT networks.
Description: CBTC systems are increasingly interconnected with systems of different safety levels to unleash the full potential of digitalization. Two examples are traffic optimization, which requires connections between Traffic Management and Interlocking systems, and real-time information display, which justifies links between the operational systems and the Passenger Information Systems. Often these connections are implemented without security measures capable of inspecting the application traffic.
Impact: The CBTC is left open to penetration from less critical networks, and such penetration can affect both safety and availability.
3. CBTC Systems are hard or impossible to patch due to safety constraints, exposing the network to known vulnerabilities.
Description: CBTC systems are subject to lengthy and complex safety approval processes. Yet such systems rely on widely used off-the-shelf software components and operating systems. The OS and other firmware can be exposed to known vulnerabilities, which are difficult and costly to patch in a safety-critical environment.
Impact: By exploiting such vulnerabilities, an attacker can gain system privileges, crash systems, and achieve remote code execution.
4. IT security measures are not capable of “understanding” CBTC traffic, so they are ineffective in stopping attacks on a CBTC system.
Description: Most IT cyber solutions protect against North-South traffic (in and out of a datacenter or internal segments) attacks on exposed IT vulnerabilities. Integrating such conventional perimeter protection within the safety-critical network would add latency without really being able to pick up East-West traffic (traffic between or within segments and components) attack vectors.
Impact: Many CBTC systems are only protected against IT-exposed vulnerabilities and are de facto completely unprotected against East-West attacks.
5. CBTC proprietary protocols running on the application layer can be abused by threat actors to harm the safety of the railway system.
Description: All CBTC vendors develop their own specific solutions, but these lack cybersecurity by design.
Impact: The most dangerous attacks are semantic-based, as they can change the message content, creating unsafe conditions that can cause accidents.
6. CBTC systems often include “hidden” maintenance applications, built to give suppliers real-time enhanced troubleshooting capabilities, but without protecting the network access.
Description: Many maintenance monitoring systems are added after installation. To gain access to the CBTC network, the maintenance team creates non-standard interfaces with debug ports, debug messages or “hidden” features that can serve as an attack vector to operational devices. Because some maintenance activities are by nature intermittent, they create randomness that is difficult to pick up and may cause false positives.
Impact: Through ping sweep attacks, hackers can identify and use these unprotected channels, compromising the railway operational system. Furthermore, genuine maintenance activities to access failure logs may trigger false positives, affecting the system’s availability.
7. CBTC commands are often neither authenticated nor encrypted, which exposes them to spoofing attacks that affect safety.
Description: Authentication and encryption are usually not part of the requirements of CBTC safety protocols, as the systems were traditionally considered isolated islands. In addition, safety constraints related to latency have sometimes prevented implementing authentication or encryption on the application layers.
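Threats 4 and 6 above both come down to the same detection gap: a perimeter device that does not parse the railway protocol cannot tell a legitimate movement authority from an implausible one, and cannot distinguish an attacker probing a debug port from a supplier's announced maintenance session. The following added example (written for this page; not Cylus code and not any vendor's real CBTC protocol) illustrates protocol-aware East-West monitoring over a constructed, hypothetical message log. The message format, the role names (`zc-01`, `train-07`, `eng-laptop`), the distance bound and the maintenance window are all assumptions made for the illustration.

```python
"""
Added illustrative example (not Cylus code, not any real CBTC protocol).
Hypothetical, constructed log of East-West messages, one per line:
    <epoch-seconds> <src> <dst> <msg-type> key=value ...
Protocol-aware checks that a generic IT firewall would not perform:
  - only the expected role may send a given safety-relevant message type
  - a movement authority (MA) distance must stay within a plausible bound
  - debug/maintenance port access is flagged unless it falls inside an
    announced maintenance window, which keeps intermittent but genuine
    maintenance from raising false positives
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log (hypothetical format and values).
SAMPLE_LOG = """\
1623312000 zc-01 train-07 MA dist=850
1623312005 train-07 zc-01 POS loc=1200
1623312010 eng-laptop train-07 MA dist=4000
1623312015 zc-01 train-07 MA dist=9000
1623312020 eng-laptop train-07 DEBUG port=4444
1623312600 eng-laptop train-07 DEBUG port=4444
"""

# Hypothetical role policy: which sources may originate which message types.
ALLOWED_SENDERS = {
    "MA": {"zc-01"},      # only the zone controller issues movement authority
    "POS": {"train-07"},  # trains report their own position
    "DEBUG": set(),       # debug traffic is never expected in normal operation
}
MAX_MA_DISTANCE_M = 2000  # plausibility bound for an MA (constructed value)

# Announced maintenance windows per source: (start, end) in epoch seconds.
MAINTENANCE_WINDOWS = {
    "eng-laptop": [(1623312500, 1623312900)],
}


@dataclass
class Alert:
    ts: int
    rule: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fixed fields plus any key=value pairs."""
    ts, src, dst, msg_type, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": int(ts), "src": src, "dst": dst, "type": msg_type, **fields}


def in_maintenance_window(src: str, ts: int) -> bool:
    """True if the source has an announced window covering this timestamp."""
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS.get(src, []))


def analyse(log_text: str) -> List[Alert]:
    """Run the protocol-aware rules over every line and return the alerts raised."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = parse_line(line)
        if m["type"] == "DEBUG":
            if in_maintenance_window(m["src"], m["ts"]):
                continue  # expected maintenance activity: suppress, no false positive
            alerts.append(Alert(m["ts"], "debug-port-outside-window",
                                f'{m["src"]} -> {m["dst"]} port {m["port"]}'))
            continue
        if m["src"] not in ALLOWED_SENDERS.get(m["type"], set()):
            alerts.append(Alert(m["ts"], "unexpected-sender",
                                f'{m["src"]} sent {m["type"]} to {m["dst"]}'))
            continue
        if m["type"] == "MA" and int(m["dist"]) > MAX_MA_DISTANCE_M:
            alerts.append(Alert(m["ts"], "implausible-ma",
                                f'{m["src"]} granted {m["dist"]} m to {m["dst"]}'))
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a.ts, a.rule, a.detail)
```

Run as a script it prints three alerts: the MA originating from the engineering laptop, the 9000 m authority from the zone controller, and the debug-port access at 1623312020; the second debug access, inside the announced window, is silently accepted. The point of the design is that each rule depends on understanding the message semantics (who may say what, and what values are physically plausible), which is exactly what a generic North-South appliance lacks.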
Impact: Current CBTC technology doesn’t provide end-to-end data encryption. Hence, threat actors can easily spoof operational commands to harm the safety of the network.
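Threats 5 and 7 describe the same root cause from two angles: a command whose content is not authenticated can be altered (the semantic attack of threat 5) or simply fabricated (the spoofing of threat 7), and the receiver has no way to tell. The following added example (written for this page; not Cylus code and not any vendor's CBTC protocol) contrasts a legacy receiver that accepts whatever arrives with one that verifies an application-layer HMAC and a sequence number. The `<seq>|<src>|<dst>|<cmd>|<value>` frame layout, the role names and the pre-shared key are assumptions made for the illustration.

```python
"""
Added illustrative example (not Cylus code, not any vendor's CBTC protocol).
Hypothetical command frame: "<seq>|<src>|<dst>|<cmd>|<value>" followed by
"|<hex HMAC-SHA256 tag>". Shows how an application-layer MAC plus a
monotonically increasing sequence number lets the receiver reject modified
or replayed commands, which an unauthenticated plaintext link cannot do.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed pre-shared key for the hypothetical zone-controller/train pair.
# In a deployment it would come from the operator's key-management process.
SHARED_KEY = b"constructed-demo-key-do-not-use"


def build_message(seq: int, src: str, dst: str, cmd: str, value: int) -> bytes:
    return f"{seq}|{src}|{dst}|{cmd}|{value}".encode()


def sign(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Return message || '|' || hex(HMAC-SHA256(key, message))."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + b"|" + tag


def unauthenticated_parse(message: bytes) -> Dict[str, object]:
    """Legacy behaviour: accept whatever arrives, with no integrity check."""
    seq, src, dst, cmd, value = message.decode().split("|")
    return {"seq": int(seq), "src": src, "dst": dst, "cmd": cmd, "value": int(value)}


class Receiver:
    """Train-side verifier that checks the tag and tracks the last accepted sequence."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> Optional[Dict[str, object]]:
        """Return the parsed command, or None if the frame is rejected."""
        message, _, tag = frame.rpartition(b"|")
        expected = hmac.new(self.key, message, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(expected, tag):
            return None  # content altered in transit, or wrong key
        parsed = unauthenticated_parse(message)
        if parsed["seq"] <= self.last_seq:
            return None  # replayed or out-of-order frame
        self.last_seq = parsed["seq"]
        return parsed


def demo() -> Dict[str, bool]:
    """Contrast the legacy and authenticated receivers on one constructed command."""
    legit = build_message(1, "zc-01", "train-07", "MA", 850)
    # Semantic alteration: same structure, different movement authority distance.
    tampered_plain = legit.replace(b"|850", b"|9000")
    signed = sign(legit)
    tampered_signed = signed.replace(b"|850|", b"|9000|")  # content changed, tag unchanged
    rx = Receiver()
    return {
        "legacy_accepts_tampered": unauthenticated_parse(tampered_plain)["value"] == 9000,
        "mac_accepts_legit": rx.accept(signed) is not None,
        "mac_rejects_tampered": rx.accept(tampered_signed) is None,
        "mac_rejects_replay": rx.accept(signed) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

All four checks in `demo()` come out true: the legacy parser happily reports a 9000 m authority, while the authenticated receiver takes the genuine frame once, rejects the altered copy and rejects the resent original. An HMAC over a short frame costs microseconds, which is one reason integrity protection at the application layer is a more realistic retrofit than full end-to-end encryption on latency-constrained safety links, though any such change still has to pass the safety approval process the post describes.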
Cylus helps metro and tramway operators protect their networks from cyber threats and risks, while ensuring safety and service availability. Cylus helps to detect malicious and abnormal activities that increase the risk to railway-specific, OT and IT assets, with real-time alerts and actionable insights, for better response. Cylus addresses the full spectrum of cybersecurity needs, including support for compliance requirements according to the new railway standard TS-50701 and professional services. Cylus is 100% railway and PTO-focused and its solutions are designed to be operated by security or rail professionals.