OT moves slow to handle threats, and transportation is no exception

“We’re always going to be playing catch-up,” longtime OT exec tells IT Brew.

Brittany Holloway-Brown

Hacks are a pain, and that’s the truth.

A recent CISA warning about a train vulnerability in the remote link between the front and rear of a train got the railway industry to work on resolving a problem that had existed for years. Attackers could, hypothetically, inject a forged packet into the link between the head-of-train and end-of-train devices and then control the brakes.
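To make that failure mode concrete, here is an added Python example. It is not code from the article, from CISA, from AAR or from any device vendor, and it does not model the real end-of-train protocol or its planned replacement. It contrasts a toy command frame protected only by a CRC, which anyone on the link can forge because the CRC is computed without a secret, with a frame authenticated by an HMAC over a monotonic counter, which lets the receiving end reject forged, tampered and replayed brake commands. The frame layout, the command codes, the 8-byte tag width and the demo key are all assumptions for illustration.

```python
import hashlib
import hmac
import struct
import zlib
from typing import Optional

# Toy command codes and a toy shared key, constructed for this example only.
# They are NOT the real end-of-train / head-of-train message format or keys.
BRAKE_APPLY = 0x01
BRAKE_RELEASE = 0x02
DEMO_KEY = bytes(range(32))  # placeholder; a real deployment provisions keys per pair
TAG_LEN = 8                  # assumed truncated-HMAC length for this toy link
PAYLOAD_LEN = 5              # 4-byte counter + 1-byte command


def frame_crc_only(counter: int, command: int) -> bytes:
    """Legacy-style frame: payload followed by a CRC32.
    A CRC detects corruption, not tampering: anyone can recompute it."""
    payload = struct.pack(">IB", counter, command)
    return payload + struct.pack(">I", zlib.crc32(payload))


def verify_crc_only(frame: bytes) -> Optional[int]:
    """Return the command if the CRC matches, else None. No secret is involved."""
    payload, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if zlib.crc32(payload) != crc:
        return None
    _, command = struct.unpack(">IB", payload)
    return command


def frame_authenticated(key: bytes, counter: int, command: int) -> bytes:
    """Hardened frame: HMAC-SHA256 over counter||command, truncated to TAG_LEN.
    The counter is inside the authenticated data so replays can be rejected."""
    payload = struct.pack(">IB", counter, command)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


class Receiver:
    """End-of-train side of the hardened link: accept a frame only if the tag
    verifies under the shared key and the counter is strictly greater than
    the last accepted counter (monotonic anti-replay window of size 1)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> Optional[int]:
        if len(frame) != PAYLOAD_LEN + TAG_LEN:
            return None
        payload, tag = frame[:PAYLOAD_LEN], frame[PAYLOAD_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None
        counter, command = struct.unpack(">IB", payload)
        if counter <= self.last_counter:  # replayed or reordered frame
            return None
        self.last_counter = counter
        return command


def demo() -> dict:
    """Run both links against an attacker who is on the link but has no key."""
    results = {}
    # 1. Legacy link: a forged brake-apply frame with a freshly computed CRC is accepted.
    forged_legacy = frame_crc_only(7, BRAKE_APPLY)
    results["legacy_accepts_forgery"] = verify_crc_only(forged_legacy) == BRAKE_APPLY

    # 2. Hardened link: the legitimate head-end frame is accepted exactly once.
    rx = Receiver(DEMO_KEY)
    legit = frame_authenticated(DEMO_KEY, 7, BRAKE_APPLY)
    results["hardened_accepts_legit"] = rx.accept(legit) == BRAKE_APPLY
    results["hardened_rejects_replay"] = rx.accept(legit) is None

    # 3. Attacker without the key guesses a tag: rejected.
    forged = struct.pack(">IB", 8, BRAKE_APPLY) + bytes(TAG_LEN)
    results["hardened_rejects_forgery"] = rx.accept(forged) is None

    # 4. Attacker flips the command byte inside a captured legitimate frame: rejected,
    #    and the untouched original still goes through afterwards.
    legit2 = frame_authenticated(DEMO_KEY, 9, BRAKE_RELEASE)
    tampered = legit2[:4] + bytes([BRAKE_APPLY]) + legit2[5:]
    results["hardened_rejects_tamper"] = rx.accept(tampered) is None
    results["hardened_accepts_next"] = rx.accept(legit2) == BRAKE_RELEASE
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the toy is that the legacy check passes on any frame whose CRC an attacker bothers to recompute, while the authenticated receiver needs the key for the tag and a fresh counter for replay. A real deployment would also have to handle counter resynchronisation after a device reset and key provisioning between paired head- and end-of-train units, neither of which is shown here.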

While the Association of American Railroads (AAR) was made aware of the vulnerability as early as 2012, the organization more or less ignored the danger for years, researcher Neil Smith claimed in a thread on X on July 11. According to Smith, who was working closely with the federal government’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the time, AAR declined to take action because the danger of the exploit had not been sufficiently proven.

Sounds bad. But hold on, said Hussain Virani, Dragos response command lead and principal incident responder. The danger might not be quite as dire as it sounds.

“Is this something which we can kind of put off to the side and not pay attention to? Certainly not,” Virani said. “It is important. After all, it involves the safety system. Does it deserve full-out panic? No, it doesn’t.”

In an emailed comment, AAR spokesperson Jessica Kahanek said that “every operational strategy, safety protocol, and piece of equipment is viewed as an opportunity to enhance performance and safety.”

“Accordingly, railroads have, and will continue to, put concerted effort into advancing next-generation end-of-train devices and the technical standards that govern them,” Kahanek wrote. “Next generation devices and standards have the potential to significantly improve communication between lead locomotives and the end of the train, securely enhance reliability, and streamline operations.”

North Central Positronics. Any unexpected braking would be noticed and acted upon by the conductor, Virani continued, so while there is a danger, the actual effects are unlikely to be life-threatening. The human element helps: there are people in the process. Trains also run Positive Train Control, a safety system designed to prevent collisions, overspeed derailments and movement into unauthorized track.

“There’s this overarching safety system in place to mitigate against a system like an end-of-train device failing,” Virani said.

Impacts of the potential exploit go further than the trains and the AAR. Houbing Herbert Song, an Institute of Electrical and Electronics Engineers fellow, told IT Brew that he sees the AAR’s inaction as symptomatic of the way the transportation industry as a whole addresses security concerns.

“The infrastructure is very old, so a lot of people don’t care about the cybersecurity issues here,” Song said. “This problem, this issue, is one vulnerability that has existed for many years.”

Time takes all. A patch for the problem is expected in 2027, Smith said, when AAR implements the IEEE 802.16t standard. That is a slow fix that could appear to indicate the flaw isn’t a major priority, but, Fortinet Head of Cyber Policy and Global Field CISO Jim Richberg said, the reality is that in the OT space security is often a distant third, after safety and reliability. IT security considerations and processes are simply not the first priority in this space, and transportation is no different.

“We’re always going to be playing catch-up,” Richberg said.

In order to manage the threat going forward, Song said, defenders will need to adjust how they approach security as a whole. Transportation isn’t fundamentally different from other sectors of the tech space, though it’s often treated as such; understanding it as part of the IT security framework, something experts have previously called on the IoT sector to do, is a key part of the change.

“The perspective is to treat transportation infrastructure as a cyber, physical, human system—a social, technical ecosystem,” Song said.

Hey, Jude. Like most OT-heavy infrastructure, the transportation industry moves slowly and solutions are cost-dependent. Virani said that the hard realities of fixed maintenance windows and mitigating controls allow for repair, but not on an accelerated schedule.

“If we know this system is prone to a certain vulnerability, then we can put additional measures in place in order to prevent anything from happening, or at least to reduce the consequences,” Virani said.

The fix might not come for a few years, and it’s unlikely that security will become one of the top two priorities for the OT space. But for the train vulnerability, the fact there’s a patch at all is a sign of a positive change that Richberg hopes continues.

“At this point, something like 95% of organizations have got OT reporting up to the corporate CISO,” Richberg said. “They’re starting to say OT affects more than just the OT operating environment, it’s part of the whole business.”
