Positive Train Control (PTC) Expands Cyber Attack Surface for Rail Systems
The North American rail system is an understated pillar of the Industrial Control Systems (ICS) environment; not only is rail itself considered an ICS sector under Transportation, but several other ICS sectors depend heavily on rail to conduct operations. Rail remains the second most common form of freight transportation in the United States, with more than 140,000 route miles transporting over $174.1 billion worth of goods, or 15.3% of the total transport of freight annually.
While individual rail companies may leverage proprietary technology for the bulk of operations, all North American Class 1 freight railroads must implement the government-mandated safety overlay known as Positive Train Control (PTC). PTC technology is designed to prevent train-to-train collisions, derailments caused by unauthorized train movement onto sections of track where maintenance activities are taking place, and the movement of a train through a track switch left in the wrong position.
Freight rail operators must consider the cybersecurity implications of this communications technology because PTC creates an expanded cyber attack surface, providing an opportunity for adversaries to cause extensive disruption that touches multiple critical infrastructure sectors.
What is Positive Train Control (PTC)?
Positive Train Control (PTC) technology is designed to prevent damaging and dangerous consequences of rail engineer error. To function correctly, PTC systems must be able to determine the precise location, direction, and speed of trains; compare this information with similar details of other trains or other types of restrictions on track use; warn operators of potential changes in operating conditions or conflicts; and bring a train to a stop should the engineer fail to act appropriately.
The communications infrastructure is fundamental to the success of positive train control as it relays critical PTC information between several thousand components. One key communications link between back office and train management computer (TMC) systems is the proprietary radio system developed by Meteorcomm, which is wholly owned by four Class 1 railroads: Burlington Northern Santa Fe, Union Pacific, Norfolk Southern, and CSX. Meteorcomm is the primary supplier of the 220 MHz Software Defined Radio (SDR) frequencies used by freight rail for locomotive, wayside, and back office communication.
Potential Vulnerabilities of PTC
Because Meteorcomm is the single supplier across most PTC installations in the U.S., a vulnerability in the design of Meteorcomm PTC radios would likely impact rail infrastructure across the country. In the event a vulnerability allowed a man-in-the-middle attack, an adversary could potentially disrupt communications between locomotives, wayside radios, and back office servers, effectively intervening in the most critical network segment of PTC, which could lead to costly delays, collisions, or derailments.
Man-in-the-middle attacks occur when an adversary intercepts communications between two parties, potentially allowing the adversary to modify or disrupt communication. Additionally, a Distributed Denial of Service (DDoS) attack against these communication components would deny the locomotive and engineer the ability to communicate at full capacity with the back office, potentially causing train operations to fail or act inappropriately.
Potential ICS Impact from a Successful Attack on PTC
A disruption to the rail system through a compromise of PTC or other means would immediately impact other elements of the transportation industry – including cargo ships, ports, and trucking – through a disruption of intermodal transport. Dragos assesses with moderate confidence that widespread delays would likely cause an interruption to the national rail system, including downstream and upstream delays of transport, effectively crippling the movement of goods throughout the continent. For example:
- This type of disruption could prevent coal from reaching key energy plants. This would likely impact the ability of energy companies to provide electricity to customers at scale, as coal represented 19% of the fuel that electric utilities used to generate electricity in the U.S. in 2020.
- With chemicals representing $10.3 billion of freight transported via rail as of 2017, the disruption of PTC would likely not only impact the ability of the North American chemical industry to conduct operations, but also increase the likelihood of a toxic chemical spill in the event of a derailment or collision.
- Additionally, the critical manufacturing and food & agriculture sectors would face significant impacts in the event of disruption of freight rail, which would very likely impact both the transport of raw and finished materials. Ostensibly, an impact to the manufacturing sector would likely touch operations of other key ICS sectors, from the financial services sector to the healthcare & public health sectors.
Though state-sponsored actors likely have the capability to compromise PTC technology, such adversaries are unlikely to cause disruptive operations absent a large-scale conflict. However, skilled adversaries may leverage PTC vulnerabilities to pivot to other sections of rail infrastructure that may be valuable for espionage or intellectual property theft operations.
Cybercriminal groups, including those conducting ransomware operations, may attempt to compromise freight rail through other means to extort payments by disrupting operations; however, such threat actors are not likely to use PTC as a method to conduct criminal campaigns.
Recommended Mitigations to Protect Railroads Using PTC
Rail companies using PTC should ensure any devices connected to PTC systems, including Wi-Fi and cellular modems as well as locomotive and back office technology, are appropriately hardened. The goal is both to prevent initial compromise and to keep adversaries from using PTC systems to move laterally, including to back office dispatch systems, and cause further disruption to freight rail operations.
Additionally, defenders should proactively monitor rail networks for anomalous activity, a function provided by the Dragos platform.
Dragos Customers can download a full technical report on Positive Train Control, TR-2021-09, on the Dragos Customer Portal.
Not yet a customer? Learn more about Dragos industrial cybersecurity products and services at dragos.com or feel free to contact us directly.