
How do we make digitally connected trains hacker-proof?

08. July 2021

With its sweeping digitalisation measures, Deutsche Bahn is seeking to roll out trains which are more punctual and reliable and can carry considerably more people and goods on the same routes at shorter intervals. But digital connectivity also opens up completely new possibilities for hackers. Gernot Krage, software and hardware expert in the railway technology division at TÜV NORD, explains where the risks of digitalisation lie in rail traffic and how they can be countered.

#explore: How has digitalisation changed the railway system?

Gernot Krage: Technically speaking, rail transport used to be a closed system – the electronics used were specially developed for the railway sector. This made them virtually invulnerable to external attacks. Hackers would first have to have developed this very specific expertise. Moreover, any attacks could only be local in scope. Today you can use digital networks to access any place in the world. Not only that, but the components being used in the railway sector are increasingly being produced for the mass market. The role of the tech companies is limited to installing, configuring and programming them. However, these components may contain vulnerabilities that can become a gateway for hackers or malware. The software also often has a variety of functionalities which aren’t necessary for the specific application. But if they are used, this opens up new vulnerable flanks for the hackers. It’s true that there are also components which have been certified for IT security. But they are of course a bit more expensive – a cost factor which makes some railway technology companies wary of them. That passengers also have access to the Internet in trains also has a downside, because, in terms of the network technology used, this system isn’t always completely separate from the control technology. This increases the risk of security-relevant systems being disrupted or manipulated via these channels.

What exactly might cybercriminals actually do?

A prime example is the Trojan known as “WannaCry”, which paralysed a lot of digital display boards and ticket machines at German train stations in 2017. This was in itself a comparatively harmless attack which only impacted on operations at the affected stations. It would be much more dangerous if hackers were to succeed in directly manipulating safety-relevant systems like the brakes. This isn’t easy, because, as well as knowing how to get into the system, once there you also have to know exactly what you need to do to trigger specific driving functions. But hackers are learning all the time, and everything is becoming ever more connected. This is why we also need appropriate protective measures to ward off possible attacks.

“Sooner or later, trains will run automatically. If, at the same time, train control technology should become increasingly digitally connected, you have to think about how it can reliably be secured against external interference.”

Gernot Krage, software and hardware expert at TÜV NORD

Trains will be highly automated in the future – will this exacerbate the problem?

That’s absolutely right. If a technical issue arises today, the train driver will intervene. For example, if there’s a problem with the electronic brake control system, they can manually open the brake line – the pressure will drop, and the train will stop. This is a redundant protection system that should always work, even in the event of a technical breakdown. Driverless systems are currently mostly found in underground trains – in Nuremberg, for instance. After all, underground railways are closed systems without level crossings where the drivers don’t have to keep an eye on the line ahead. This explains why fully automatic operation was introduced there first. But sooner or later, other trains will also run automatically. If, at the same time, train control technology should become increasingly digitally connected, you have to think about how it can reliably be secured against external interference. The problem is complicated by the fact that, in the event of a detected attack, especially on a self-driving train, not all communication paths can simply be switched off or all vehicle functions be brought into a safe ground state, because this ground state doesn’t always exist: For example, in an emergency, a train preferably shouldn’t come to a stop in the tunnel or on a bridge, and emergency call functions and other systems must be not only malfunction-proof, but also available.

The European IT security authority, ENISA, has attested to the rail transport sector’s lack of awareness of cybersecurity. Would you agree with this finding?

It’s not possible to generalise here. Overall, however, IT security is progressing only very slowly. In recent years, the applicable standards have evolved to make it a prerequisite for the approval of new trains. If you carry out a risk analysis for your system, you must also take IT security into account. So, it’s necessary to examine which dangers can arise and which defensive measures are required to mitigate them. But exactly how IT security should be implemented and proven is not precisely defined in the relevant railway technology standards. There’s a great deal of room for interpretation here. And, in cases of doubt, this can lead some manufacturers to opt for the cost-effective and, therefore, comparatively non-secure solution.

Do things need to tighten up on the regulatory side?

It’s certainly the case that the present regulations are often overly general. When testing control technology components, I don’t usually see the entire train. I just test individual controls for the drive system, the brakes and the doors for functional safety and, increasingly, IT security. Although I take into account the intended operating environment in my tests, I don’t see the actual interaction of all the components in the overall system. If the IT security requirements are not precisely defined further along the inspection chain en route to the approval of the vehicle – by which I mean when testing the control technology from the point of view of the overall system and considering the vehicle as a whole – and are therefore not fully implemented, gaps can arise.

In your opinion, what are the most important steps and measures to ensure the most comprehensive IT security possible in the rail sector?

First of all, it’s important to restrict access to the system in such a way that malware or hackers don’t get access in the first place. Such firewall functions, like those used by every private household, company and authority, are of course only the absolute minimum required measure. These work more like a sieve than a hermetic seal. It’s a bit like a passport check at the border: just because someone shows a valid ID, it doesn’t mean that there’s no contraband in their luggage. Alongside these filtering security functions that allow or prohibit access, other functions are needed which make it possible to separate “good from evil”. In other words, every single device which comes from the manufacturers must have its own protective measures to shield it from malware – in the event that cyber criminals launch this kind of software in a targeted way or maintenance personnel accidentally install it during an update. At the same time, these devices in the network must not be linked to non-secure components that can be used to bypass their IT security “through the back door”. At the end of the day, it’s the totality of the individual measures that makes for IT security. This makes the topic very complex and, if you really want to get it right, costly too.



Gernot Krage is a software and hardware expert in the railway technology division of TÜV NORD.