Railroads have historically focused on safety, from ensuring tracks and trains are properly maintained to making sure pedestrians and drivers stay out of harm’s way, but lately they’ve also emphasized a new type of protection: cybersecurity.
“The rail industry has prioritized cyber security for more than twenty years, supporting enhanced safety and security throughout the North American railroad network,” said Thomas Farmer, assistant vice president for security at the Association of American Railroads, in a statement emailed to Fast Company. “America’s major railroads have implemented multi-faceted plans and measures to detect, prevent, and respond to cyber threats.”
Experts say digital threats to railroads can come in the form of malware outbreaks and hacks that disrupt back-office systems, like those that handle scheduling and billing. Potentially more seriously, attacks could be specifically designed to disrupt or even derail trains in motion.
“Over the last 200 years, rail companies are very focused on safety,” says Amir Levintal, CEO and cofounder of Tel Aviv-based Cylus, which focuses on digital security for the rail industry. “Today they understand that security is related to safety.”
The risk isn’t just theoretical: Early last year, the Toronto-area transit agency Metrolinx reported that some of its systems had been targeted by a malware attack believed to originate in North Korea, though Metrolinx said the attack didn’t affect safety-critical systems or customer privacy. In March, the security firm Sixgill said that its researchers had found someone on a “top-tier dark web forum” selling administrative access to a Chinese rail control system. And as early as 2011, the Transportation Security Administration reported a railroad in the Northwest saw some delays after a digital attack, although experts have said the train system wasn’t deliberately targeted in the incident.
Train ticketing and billing systems can also be affected by cyberattacks: In 2016 San Francisco’s Muni Metro system was forced to let passengers ride for free after a ransomware outbreak struck its ticketing machines. Other forms of transportation have seen digital threats as well: British Airways announced last year that hackers had stolen information about 380,000 of the airline’s customers, and researchers have repeatedly probed how future self-driving cars could be vulnerable to hacks.
Railroads, aware of the potential risks, have increasingly required that their vendors meet industry cybersecurity standards, says Oz Ural, digital innovation and product development manager at the transportation equipment maker Bombardier, which works with Cylus on security issues.
“If you do not comply with the norms, there is no chance you can either win an order or if you do win an order, you will end up building the train but not selling the train, and this train will end up in your inventory, and this is the last thing you want to do,” he says.
Since so much railroad equipment is expected to last for many years, there’s a particular push to make sure the right security protections are in place before it’s ever deployed.
“Once you put a track somewhere it needs to last for many, many years,” he says. “You don’t really have the chance to upgrade your components to make sure that you’re on top of the security layer and the security grid.”
In the U.S., the American Public Transportation Association, an industry group, has worked with the TSA to develop security standards for the sector, host workshops on cybersecurity, and publicize general security tips for the industry. Basic security advice, like using secure passwords and not clicking suspicious links online, is as important in transportation, with increasingly digital equipment, as in any other industry, says Polly Hanson, APTA’s director for security risk and emergency management.
“That’s a concern because bus and rail vehicles are just computers on rail and wheels,” she says.