Photograph: Mark Dries
Few of us think about cyber security until it fails. Even when it does in a spectacular way—as in the recent theft of nearly 80 million healthcare records from Anthem, contact information from 76 million JPMorgan Chase investors, and 5 million sets of fingerprints from the federal government—we tend not to notice unless the consequences are both direct and dramatic. (Think of the would-be adulterers outed by the Ashley Madison hackers.) This benefits not only the perpetrators, but also their corporate victims, who often opt to deal discreetly, or not at all, with their vulnerabilities.
Among the less glamorous targets of hacking are American railways. But nearly 40 percent of U.S. freight is transported by rail—vastly more than any other mode of transportation. It is efficient and also one of the safest ways to move heavy loads, thanks in part to the 2008 Rail Safety Improvement Act (RSIA), which required all rail companies to overhaul their safety regulations by the end of 2015. One of the act’s requirements is that all rail companies adopt positive train control (PTC), a series of installations and enhancements that allows trains to be operated and monitored remotely via wireless network.
If PTC mitigates potential human errors (speeding through turns, falling asleep in transit, failing to lock brakes), it also creates new dangers by opening up avenues to hackers—vulnerabilities shared by all Web-enabled electronics, payment methods, and vehicles. Neil Smith, a San Francisco–based independent security researcher who has been working with the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) since 2012 to assess railway network vulnerabilities, says that the chances of a breach are dangerously high.
In 2008 a teenager in Lodz, Poland, hacked his town’s rail network with only a TV remote and a library computer, taking control of nearby trains and causing multiple derailments. And just because we haven’t heard of serious train hacking in the United States doesn’t mean it hasn’t happened. The watchdog website Nextgov obtained a summary of a Transportation Security Administration (TSA) meeting in which government officials admitted that hackers had “disrupted the railway signals” of an unnamed northwestern rail company on two occasions in December 2011. Industry representatives quickly dismissed the memo as inaccurate.
Despite increasing confidence that railways are being hacked, researchers’ hands are tied without the permission of rail companies.
This seems to be the rail industry’s modus operandi. Because vulnerabilities make for bad PR and potentially cost a lot of money to fix, it is best to avoid disclosing the sources of accidents. In 2012 Smith, also an avid ham radio hobbyist, noticed an antenna on a passing BNSF Railway train while he was waiting at a rail crossing and decided on a whim to record the train’s telemetry data. Stricken by how easy it was for him to access the train’s automated status and control signals, he reported suspicions of network vulnerabilities to ICS-CERT. Until that point, few—if any—professionals in the industry had publicly suggested that cyber attacks on trains were possible. When ICS-CERT consulted with the train’s network developer in hopes of getting Smith the green light to run more definitive tests, they responded cryptically, then shut down communication with both Smith and ICS-CERT.
• • •
Smith heard nothing else about his data until 2014. Within a few months of the massive derailment in Lac-Mégantic, Quebec, which killed dozens and leveled several city blocks, a TSA-Surface inspector found Smith’s report and emailed him about a similar derailment in Michigan. To him, Smith’s research suggested that it was possible that someone had hacked this train’s network, but the theory ultimately lost traction once it moved up to the regional supervisor. Smith heard nothing more about it and was never able to find public reportage on the derailment, noting that the TSA-Surface inspector and his team likely had too little expertise with cyber issues to pursue it further.
According to Smith, though he and other researchers are increasingly confident that North American railways are being hacked, their hands are tied. “Without the manufacturers and rail companies becoming involved,” Smith explains, “we can’t do live tests to be 100 percent sure that something is a ‘for sure’ vulnerability. I can run simulations all day long that back up all of my suspicions, but it’s not like I can walk over to a train track and test it out—that would be a literal act of terrorism.”
Because network vulnerabilities are hard to anticipate, some companies that offer security products—electronics manufacturers and online shopping platforms, for example—hire security research companies such as Rapid7 or Synack to pry into their systems in order to identify holes and advise on how to patch them before they can be exploited. This practice only makes rail companies’ resistance to independent vulnerability testing more disconcerting: it is reasonable for a company with a product so dependent on wireless access to pursue independent testing, all the more so given the industry’s incredibly complex overhaul of systems and protocol over a short span of time and its newness to network security. As a result, Smith adds, rail companies are rarely equipped with necessary defenses because there were no industry-wide, industry-specific security standards to guide their network developers when the RSIA was passed: “The developers woke up and got a memo saying, ‘You need to have X, Y, and Z done by December 31, 2015,’ and so they addressed X, Y, and Z, meanwhile leaving off the other twenty-three characters in the alphabet.”
The other problem is that the technology the rail industry relies on is created by a company owned by Class 1 railroads—those that earn at least $433.2 million, accounting for nearly 70 percent of U.S. freighting in terms of mileage. The U.S. freight rail network as a whole is a $60 billion private industry, heavily invested in its shareholders, customers, and profits. This, Smith believes, is likely why companies don’t want to work with independent researchers or even the Department of Homeland Security: “If these companies agree to investigate their own networks, they’re admitting that there could be vulnerabilities that would require huge amounts of money to overhaul. That could hurt sales and stock prices and scare off their shareholders.” From a financial standpoint, there’s no incentive to rock the boat by admitting to potential security failings, and so publicity and reliable media coverage of railway vulnerabilities are fairly hard to find in America.
As long as companies value our security according to cost and optics, the technologies that facilitate modern life will present untold liabilities.
What media coverage does exist often comes in the form of conspiracy theory and niche websites. (An exception was Newsweek’s 2015 article “The Future of Hacking: Your Planes, Trains and Automobiles Aren’t Safe.”) By contrast reporting on theories and predictions about railway cyber security in Europe is much easier to find, spanning major publications and organizations ranging from the BBC to the UK’s Financial Times to the RT news outlet. Additionally there seems to be increasing attention to rail security in European cyber security conferences, including a recent panel at the Chaos Communication Congress in Hamburg (covered in Popular Science) and Industrial Control Cyber Security Europe, which is affiliated with the Rail Cyber Security Summit held in London this March. Rod Diridon, Sr., emeritus executive director of the Mineta Transportation Institute, attributes the difference in media treatment to the fact that “most European countries are somewhat socialistic, and their railways are owned by the government and not publicly traded.”
Indeed the U.S. government has little control over the security practices of private rail companies; still one might expect government-funded passenger lines such as Amtrak to be in complete compliance with RSIA. But just weeks before the major Amtrak derailment outside of Philadelphia in May last year, Congress moved to delay mandatory installation of PTC by five years. The derailed train was not equipped with PTC, and officials at the National Transportation Safety Board explicitly stated that the mandated autocontrol technology would have prevented the disaster entirely. Amtrak posted an official blog post days later, noting, “Amtrak leads all other large railroads (Class 1) in the railroad industry in the installation of PTC systems, having spent $110.7 million dollars since 2008 to install PTC.” Though only “certain segments of the American rail network” fall under that mandate, Philadelphia’s Northeast Corridor is one of them.
• • •
Even though PTC has troubling faults, it is a strong step forward in railway safety. Establishing safer railways isn’t a matter of getting rid of it, but of making a concerted national effort to test and secure it. But the intersection of government regulation and private business in the rail industry is complex. The federal testing facility responsible for assessing PTC integration, Technology Transportation Center, Inc., is owned by the Federal Railroad Administration (FRA) but operated by the American Association of Railroads (AAR). “Even though the FRA is doing the testing,” Smith explains, “ultimately it’s up to the AAR to decide what gets tested. With the amount of power they have, it’s like we’re still dealing with the train barons of the 1800s.”
The private companies responsible for making improvements to their networks are also the ones who get to decide whether they need to make changes, and when and whether to engage third-party security experts. Of course, they already have IT teams working to keep their networks secure, but, according to Smith, these efforts have been perilously fragmented during the hasty scramble for compliance; the seven Class 1 train companies’ developers are isolated from each other, from PTC developers, and from third-party security companies. “So you’ve got separate teams across many different rail companies, integrators, and contractors who, if they were just one cohesive unit, might have resolved many security issues,” Smith explains. “But since each one has their own legal teams, PR execs, etc., they don’t want to report that something is wrong if it might mean making them or their business partners look bad.”
Given how new and tenuous PTC is, it seems foolhardy to dismiss independent researchers who have identified existing weaknesses. Certainly there is a lot at stake: one derailment can cost a rail company millions of dollars, so it would seem that protecting their networks is in their best interest. But since RSIA was passed, these companies have invested billions of dollars collectively in compliance upgrades and are now looking at the prospect of investing billions more to fix it. If avoiding that investment means overlooking a theoretical hacking vulnerability that hasn’t proven to do any damage so far, then, at least for a few more years, they seem more than willing to take their chances.
In October Congress voted to push back the RSIA deadline to 2018. In the interim, there may be two possible solutions: either the FRA takes back control of its testing facilities and runs unbiased testing to shape further legislation, or Congress pressures these companies to pursue independent analysis and testing beyond their own internal testing, which so far has proven insufficient. If independent researchers such as Smith can still see the holes they have left in their defenses, then independent testing needs to be a central component of their security protocol, no matter what the cost.
As long as for-profit companies calculate the value of our security according to cost and PR optics, the technologies that facilitate modern life will present untold liabilities. A profit-motivated company has little to gain from transparency if it may alarm investors and consumers and require greater investment with no promise of return. To see the business is to alter it, and publicly traded companies prefer not to open themselves to independent scrutiny, even if doing so would make us safer.