Widespread signalling failure in Poland

[Gag Halfrunt]

From the Guardian's Ukraine liveblog:

Railways ground to a halt in many places across Poland on Thursday, hit by a widespread traffic control system outage, operator PKP PLK said, disrupting an important means of transport for refugees fleeing Ukraine.

Infrastructure minister Andrzej Adamczyk said that railway workers were dealing with the situation and normal service would be resumed as soon as possible.

Almost 2 million people have fled to Poland from Ukraine since Russia launched its invasion on 24 February. Poland has offered free rail tickets to refugees, allowing them to travel to stay with friends and family around the country.

“Regarding the transport of refugees, which has been the key task of the railway over the past few days, we are in full coordination of the process together with the ministry of infrastructure ... so that the process is not halted and can be carried out to the extent possible,” The PKP PLK deputy chief executive, Mirosław Skubiszyński, told reporters.

The traffic control outage was nearly nationwide, affecting 820 km (510 miles) of track, he added to Reuters.

 

[Cloud Strife]

Wouldn't surprise me if this was the result of a hack.

 

[duesselmartin]

I am surprised that the system is that centralised. I would have assumed signalling would be more local.

 

[Struner]

Reuters - https://www.reuters.com/world/europ...h-railways-key-ukraine-exit-route-2022-03-17/
says it is caused by software developed by Alstom. Same or similar disruptions are said to appear in India & Singapore.

 

[riceuten]

Looked at the Polish press - they definitely think it was the Russians, but that could just be latent Russophobia

 

[furnessvale]

Wouldn't surprise me if this was the result of a hack.

A BIG mistake to connect signalling to the internet. If you are not connected, you can't be hacked. Network Rail are making the same mistake despite having a nationwide dedicated telecoms system.

 

[Fragezeichnen]

That's just not true.

An Iranian nuclear processing facility was seriously damaged by a virus that spread harmlessly and invisibly by copying itself onto any available USB storage device. Eventually one of these devices was plugged into a computer in the non-internet connected facility, where it proceeded to manipulate the industrial control system to perform unsafe operations. This same model of control system equipment is also used in some signalling systems(for level crossing sequencing, I believe).

If someone sent a USB drive to every signal box in the country along with a fake letter saying it contained an important document to be read immediately, almost certainly someone would plug it into an intensive into a Network Rail computer without thinking what they were doing.

 

[Gostav]

A BIG mistake to connect signalling to the internet. If you are not connected, you can't be hacked. Network Rail are making the same mistake despite having a nationwide dedicated telecoms system.

Don't forget in the old days even floppy disks can also spread viruses.

 

[furnessvale]

Don't forget in the old days even floppy disks can also spread viruses.

Only if you have ports on computers any Tom, Dick or Harry can stick something in!

That's just not true.

An Iranian nuclear processing facility was seriously damaged by a virus that spread harmlessly and invisibly by copying itself onto any available USB storage device. Eventually one of these devices was plugged into a computer in the non-internet connected facility, where it proceeded to manipulate the industrial control system to perform unsafe operations. This same model of control system equipment is also used in some signalling systems(for level crossing sequencing, I believe).

If someone sent a USB drive to every signal box in the country along with a fake letter saying it contained an important document to be read immediately, almost certainly someone would plug it into an intensive into a Network Rail computer without thinking what they were doing.

Please see my comment at #9. Railway signalling is far too important and safety critical to use bog standard computers that anyone could plug his games into, to while away the small hours!

 

[Dai Corner]

A BIG mistake to connect signalling to the internet. If you are not connected, you can't be hacked. Network Rail are making the same mistake despite having a nationwide dedicated telecoms system.

Although in another thread we were told

From a signalling side, no scheme I have yet been involved with has connected anything to the internet, or even in some cases not even to any external network at all.

NR's FTN (fibre transmission network) is used for connections to the lineside from signalboxes (links to remote interlockings etc.), but it is not internet connected from a data point of view (I have no ides if the FTN's own control may be internet accessible or not).
The safety critical side (interlocking to the signals/points/train detection) similarly is definitely not let near the internet, with dedicated trackside networks if not direct analogue cabling used for this depending on distances involved.

The closest to the internet you get with signalling systems normally is getting the timetable in for routesetting systems, which is nowadays done via a connection to the internal equivalent of NR's open data feeds, which is over their internal network not the internet (note older systems used to connect directly to the timetable producing system over the internet, but this is being phased out).

ALL vital safety critical signalling systems either use their own dedicated networks running on Network Rail owned and operated cables and equipment. Or use private cables and equipment (that may include infrastructure owned or operated by operators that took over parts of BRT). The public internet is not used.

It’s similar with voice communications such as signal box telephones, block bells, emergency alarms, SPTs and other operational telephones

 

[furnessvale]

Although in another thread we were told

Glad to read that. It was mooted a year or two ago that the internet would be used. I am glad they have seen sense.

 

[Annetts key]

For Network Rail systems:

Good luck finding a USB port on most signalling equipment that actually works.

The vast majority of legacy systems used for signalling use custom software, not Microsoft Windows.

Although some non-vital signalling systems do use Microsoft Windows, but these are locked away in equipment rooms or cubicles and only engineering staff (or in some cases, staff on a signalling centre/PSB/signal box operating floors) have access to them.

There are even restrictions on the office computers that limit what USB ports can do. And the OS on these are locked down, which although does not make it impossible to infect or hack, it certainly limits ordinary users ability to run executable code. The biggest risk with these, is that these ARE connected to the World Wide Web. As they are heavy integrated with various Microsoft applications and services including email, cloud storage and video conferencing.

 

[najaB]

A BIG mistake to connect signalling to the internet. If you are not connected, you can't be hacked.

No. Just no.

Air gapped systems are more secure, but no system is 100% safe from a determined hacker with sufficient resources.

 

[furnessvale]

No. Just no.

Air gapped systems are more secure, but no system is 100% safe from a determined hacker with sufficient resources.

How?

 

[Bletchleyite]

How?

Humans are the leakiest element of an IT system. In particular, they accept bribes and react to threats. The fact that we aren't acting militarily in Ukraine is evidence enough of the latter.

 

[furnessvale]

Humans are the leakiest element of an IT system. In particular, they accept bribes and react to threats. The fact that we aren't acting militarily in Ukraine is evidence enough of the latter.

Correct. On that basis even a mechanical interlocking is prey to malicious forces but that is no reason to make things easy for hackers by unnecessarily linking things to the internet.

 

[najaB]

Humans are the leakiest element of an IT system. In particular, they accept bribes and react to threats.

This. Not only bribes and threats though - social engineering generally.

 

[Fragezeichnen]

How?

As you said, safety critical systems run on specialised hardware which is secured against access by anyone except trained technicians.

However, a truly isolated system would be inconvenient because it would be impossible to get train position updates or modify configuration data, except manually.

Earlier in the thread it was said that signalling equipment connects to an timetable database either in the internal network or via the Internet, in order to have up to date automatic routesetting instructions.
You could for instance introduce a virus to the Network Rail internal network via the usual method(e-mail attachment, USB drive etc.) which inserts bogus data into the routesetting timetable database, which when loaded into the automatic routesetting system causes it to enter an error state and shutdown. The signalling equipment itself has not been directly attacked, but it's operation is nevertheless compromised.