UK rail infrastructure operator Network Rail is in the preliminary stages of a plan to replace the old, analogue train signals with the European Rail Traffic Management System (ERTMS), a digitalised, more effective system that is rapidly becoming the norm internationally.
But recently, an expert in networked electronic and radio systems raised concerns that the switch could leave trains vulnerable to security breaches and cyber attacks, potentially with deadly consequences.
Talking to the BBC in April, Professor David Stupples from City University in London said the government and rail operators are well aware of the risks of hackers infiltrating the system to cause disruptions or even derailments.
The ERTMS is a European train control system that uses wireless technology and computerised in-cabin signals to control the speed of trains across the entire network. Tracks and trains receive instructions from a control centre, which dictates speed and braking distances, while drivers can also input their own data to control speed. Already widespread throughout Europe, the system is designed to increase interoperability, capacity and safety, while operating at higher speeds and with lower costs.
After a successful trial in 2010 along the Cambrian line, ERTMS will be progressively introduced throughout the UK over the next 30 years, starting in 2018.
But turning the railway network fully digital opens it up to a host of possible cyber attacks that could infiltrate and affect the entire system.
The risks: fear of insider attacks
One of the main benefits associated with ERTMS is a drastic reduction in the human error that occurs when drivers misinterpret the current lineside signals. But speaking about the biggest dangers of the electronic system, Stupples was most concerned about rogue employees: "I think the biggest threat comes from insiders," he says.
"My point was to raise awareness of the threat and not to quantify it. But I have quantified it from the point of view of the access to the system, and the rogue or coerced employees are the biggest threat."
While the risks of technological malfunctions are minimal due to fail-proof measures, rogue software or malware could be uploaded into the system as an update or a generic modification.
"Due to trialling and testing, the software issues associated with safety-critical items will be at a minimum," Stupples says. "What I'm worried about of course is [if] there is rogue software loaded."
The industry is certainly taking these warnings seriously. Network Rail and the Department for Transportation are aware of these risks and various procedures are currently underway to address them.
A Network Rail spokesperson said in a statement: "Digital in-cab signalling is used safely and effectively by dozens of countries in Europe and around the world and is similar to technology already in use on the Tube and other metro systems in this country."
"Britain has the safest major railway in Europe and cyber security is a key part of our plan for introducing digital train control technology."
"Safety is our top priority. We work closely with government, the security services, our partners and suppliers in the rail industry and security specialists to combat cyber threats."
So far, ERTMS has operated without any major faults throughout Europe and no cyber attacks have been reported. However, rogue employees infiltrating the system is a "distinct possibility", according to Stupples.
Identifying the cyber threat
The warnings don't come as a surprise to industry experts. According to Tom Lee, deputy director of standards and head of control, command and signalling at the Rail Safety and Standards Board (RSSB), "one of the things we do know in the wider world of cyber security is that the capability of those with ill intent does increase significantly year on year."
"With any system, there are a number of potential threats to that system and rogue employees is just one of those threats and systems are designed to take that into account," Lee adds.
"There are a number of different ways of theoretically attacking systems. The consequences of those can vary significantly, they can be localised or they can be distributed. The types of attacks I think are fairly well understood and the systems are designed to be as resilient as possible to these types of attacks. So the industry is aware of these things and has control arrangements in place to deal with the identified threats."
So how would the risk of rogue employees aiming to alter the system increase with the introduction of ERTMS?
"At the moment, if it's a rogue employee, either if they are doing it because they are paid to do it or because they are just dissatisfied, they wouldn't get maximum impact because the system is very sparsely used," Stupples explains.
"But as it becomes a national infrastructure, then the impact will be much higher. As the system gets broader and broader used [...] throughout Europe, then [it] is much more liable to be attacked by terrorist or criminal organisations because they have maximum impact."
ERTMS is currently at various stages of development in 21 EU member states, including the UK. Statistics from 2014 by the European Rail Industry (UNIFE) show that ERTMS investments have been made for 41% of trackside kilometres across the continent.
Building a firewall
A range of initiatives and studies are currently underway to address the fairly new risks that a fully digitalised railway system is bound to encounter. The EU has been funding a three-year study called the Security of Railways against Electromagnetic Attacks (SECRET) that is due to be completed in August 2015.
According to periodic results of the study released by the European Commission this year, "this homogeneity of the technologies employed in Europe also conducts to the homogenization of the vulnerability points to the EM [electromagnetic] interferences."
The preliminary report reads: "When a malicious person has an intentional EM emissions device capable of disrupting the rail network in Berlin, for instance, the same device will have the same attack capacity in all European cities. This will cause at least immediate economic consequences and possibly more. Harmonization thus facilitates the implementation of organized and simultaneous EM attacks."
In the UK, a wide-reaching program involving Network Rail, RSSB, the Department for Transportation and the Centre for the Protection of National Infrastructure, along with a cohort of academics, cyber security professionals and European organisations, is currently in its initial stages of preparation.
Lee explains that while the plan focuses entirely on cyber security measures, it does not include ERTMS: "There is already an established programme of work which is being led by Network Rail before rolling out ERTMS nationally and a significant piece of that work does include cyber security. So there's no point duplicating what is being done elsewhere."
However, the study could potentially have much more wide-ranging applications and could work in retail and ticketing technologies, customer information, traction and rolling stock systems.
"There is no room for complacency here, because there are potential risks of cyber security," says Lee. "But what we need to do is actually to have an effective and proportionate response to that and to invest money wisely. It's kind of like an insurance policy."
The strategy is currently in the planning stages, with "extremely positive" indications from significant players in the industry, and it is hoped that it will be fully implemented three months from now, Lee notes.
"Subject to general agreement with a well-defined scope, we will then look to deliver this strategy. We are hoping that we can deliver this strategy soon after the plan and ideally deliver substantial elements of this strategy within this calendar year."
Stupples is working on his own research in parallel. As part of a co-operative research project with Cranfield University, he is working to develop a cyber safety device that would enable the control system to return to a normal state of operation even after it has been corrupted.
"Systems have patterns when they operate," he explains. "If the system recognises that it's being pulled into a pattern of operation which it doesn't recognise, then it would take the system back to a safe operating condition. So if malware is being put in there to do something which causes the system to go outside the boundaries, the system should recognise it."
The study, which Stupples expects will be finished within two years, is currently being developed for aircraft but "there is no reason why it shouldn't be used for the train system", he says. The research is being carried out both in the US and at other universities in the UK.
"First of all, there is a great deal going on at the moment to look at the risks associated with malware, and secondly, there will be a lot more awareness of the employees and bringing software in from third parties," Stupples says, looking to the future.
"So I think that as the safety features are increased, we are going to be much, much more aware of the insider attack and put in place procedures and safeguards to reduce that."