The Great Train Robbery: Fast and Furious
*All pictures are taken from the Dr. Strangelove movie and other Internets
Sergey Sidorov
 Group of security researchers focused on ICS/SCADA
to save Humanity from industrial disaster
and to keep Purity Of Essence
Alexander Timorin
Alexander Tlyapov
Alexander Zaitsev
Alexey Osipov
Andrey Medov
Artem Chaykin
Denis Baranov
Dmitry Efanov
Dmitry Nagibin
Dmitry Serebryannikov
Dmitry Sklyarov
Evgeny Ermakov
Gleb Gritsai
Ilya Karpov
Ivan Poliyanchuk
Kirill Nesterov
Roman Ilin
Roman Polushin
Sergey Bobrov
Sergey Drozdov
Sergey Gordeychik
Sergey Sidorov
Sergey Scherbel
Timur Yunusov
Valentin Shilnenkov
Vladimir Kochetkov
Vyacheslav Egoshin
Yuri Goltsev
Yuriy Dyachenko
Please note that this talk is by the SCADA StrangeLove team. We don't speak for our employers. All the opinions and information here are our own responsibility (actually no one ever saw this talk before). So, mistakes and bad jokes are all OUR responsibility.
[Speed comparison chart, km/h: 320, 300, 210, 160]
L0 Series
Max speed: 603 km/h
Transrapid
Max speed: 550 km/h
Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS
 Train Security (by Jakob Lyng Petersen)
 Trains must not collide
 Trains must not derail
 Trains must not hit persons working on the tracks
 Sadly, animals can't handle the interview
 Operating rules
 Italy, Regolamento Segnali
 UK, GE/RT8000 Rule Book
 North America, GCOR and others
 Russia, Rules of technical exploitation
Santiago de Compostela derailment
 The accident occurred at the site of the transition from the ETCS L1 system to the ASFA system (continuous train control system without speed control)
 In this mode, keeping to the speed limit is left to the driver (machinist)
Wenzhou train collision
 Lightning strike led to failure of the train protection system (first train stopped)
 I/O fuse blown led to wrong-side failure
 Human factor: long-term coordination of further actions
https://en.wikipedia.org/wiki/File:Clear_track_circuit.svg
https://en.wikipedia.org/wiki/File:Occupied_track_circuit.svg
Static speed profile
Speed control curve
Fictitious stopping point
Preset speed
Permission for movement limit
BKW – change of section identification
LZB system:
 Lineside computer
 Train computer
March 2016
86.000 km
 European Railway Traffic Management System
 European Train Control System (ETCS)
 GSM-R
 ETCS (L1, L2, L3)
 Locomotives
 Ground devices (Radio Block Center, Lineside Electronic Units, Balises, Base-Station Subsystem, Base Transceiver Station)
 GSM-R
ETCS level 1
ETCS level 2
ETCS level 3
The train's signalling, control and train protection systems include a Transmission Voie-Machine (TVM) signalling system, Controle de Vitesse par Balises (KVB) train protection system, Transmission Beacon Locomotive (TBL) train protection system, Runback Protection System (RPS), European Train Control System (ETCS), Automatic train protection (ATP) system, Reactor Protection System (RPS) and train control system.
http://www.railway-technology.com/projects/eurostar-e320-high-speed-train/
KVB - a train protection system used in France
MEMOR - Belgian railway signaling
TVM - in-cab signaling originally deployed in France
TBL - train protection system used in Belgium
RPS - Runback Protection
ATP - Great Britain implementations of a train protection system
ETCS - European Train Control System
Reactor Protection System (RPS)
Train!
 TCN (Train Communication Network)
 WTB + MVB
 ETB in future - Ethernet Train Backbone (IEC 61375-2-5)
 WTB (Wire Train Bus)
 Each coach, loco
 MVB (Multifunction Vehicle Bus)
 Links WTBs
 MVB ~= FlexRay
 CANopen
 etc.
http://uic.org/cdrom/2006/wcrr2006/pdf/292.pdf
"Abusing the Train Communication Network or What could have derailed the Northeast Regional #188?" by Moshe Zioni
 no authentication
 traffic is not encrypted
http://cordis.europa.eu/pub/telematics/docs/tap_transport/rosin_d1.3.pdf
The same?
 no authentication
 traffic is not encrypted
 MVB + MVB + ... = WTB (Train)
 Elections by largest number of nodes
 Set LocStr to 256
 If equal, first Detect_Request wins
IEC 61375
 Loco's internals
 Traction control
 Braking system
 Cab signaling
 Train protection system
 Passenger Information and Entertainment
 Software is not publicly available
 True for all railroad software
 Btw, hardware is publicly available, but as a part of a Public Transportation System
 SIBAS 32
 Eurostar e320 high-speed trains
 class 120.1 locomotive of German Rail
 S 252 of Spanish National Railways (RENFE)
 LE 5600 of Portuguese Railways (CP)
 EG 3100 in Sweden, Germany and Denmark
 Velaro
 class 182 2nd generation EuroSprinter
 SIBAS PN
 New DB ICE trains
 SIBAS 32 updates to SIBAS PN
 Proprietary SIBAS OS to VxWorks + WinAC RTX
 WTB (Wire Train Bus) to ETB (Ethernet Train Bus)
 And PROFINET
 Goodbye weird executable formats and IS. Hello ELF/PE and x86/ppc
 S7 controllers to PC-based controllers with WinAC RTX software
 "configured and programmed with STEP 7 in exactly the same way as a normal S7 controller"
 Hardcodes
 No, they are for authentication
 Known protocols
 XML over HTTP, S7
 Secure network-facing services
 Self-written web server
 Self-written XML parser
 Heavily based on WinCC code
 2012-2015: 41 vulns
 Runs on Windows x86
 Vulnerabilities?
 Probably
How to access PC-based controllers (WinAC RTX)?
 We don’t know
 We don’t want to know
 We will never know
 Yet to not know
 Yet to don’t know
 Not yet to know
 Driver Information Systems
 Track profile, loco speed and location (non-military GPS, GLONASS)
 Interfaces
 Server infrastructure for processing
 External data feed
 CAN to acquire data in loco
 On the bus with the whole train
 Mobile operator to push data to the server
 Data plan on Customer SIM card detected
 Why build additional channels for other systems?
 Gateways
 Diagnostic
 Diagnostic of diagnostic
 Services
 Web, telnet, ftp, etc.
 Proprietary service to rule them all
 Interfaces
 GSM-R
 And more when GSM-R is too slow
 At least no Wi-Fi, right?
Google for Airlink (c)
http://www.hollysys.com.sg/media/com_download/3.%20HollySys-HighSpeed.pdf
32C3: Sergey Gordeychik, Gleb Gritsai, Aleksandr Timorin: “The Great Train Cyber Robbery”
RLC circuit
Notation in a chart
RDA-RT Remote Data Access Train Router
MSC Mobile Switching Center
RBC Radio Block Center
YW Yardmaster's workstation
IG Integration gateway
TCC Train Control Center
CTC Centralized traffic control
CBI Computer-based interlocking
28C3: Stefan Katzenbeisser: Can trains be hacked?
 Multiple trains make use of the same KMAC for a long time
 Using weak random number generators during the KSMAC derivation
In areas where the European Train Control System (ETCS) Level 2 or 3 is used, the train maintains a circuit switched digital modem connection to the train control centre at all times. … If the modem connection is lost, the train will automatically stop.
moving "really fast and passed three stations without stopping" …
"due to a fault on the train's antenna that ensures trains stop accurately at each station" …
"The train was hence not able to pick up the signal to stop at the next three stations" …
http://www.era.europa.eu/Document-Register/Documents/P38T9001%204.2%20FFFIS%20for%20GSM-R%20SIM-CARD.pdf
― Remote data recovery (Kc, TMSI)
 • Channel decryption (including A5/3)
 • "Clone" the SIM and mobile station
― SIM "malware"
― Block SIM via PIN/PUK brute force
― Extended OTA features (FOTA)
Karsten Nohl, https://srlabs.de/rooting-sim-cards/
Alexander Zaitsev, Sergey Gordeychik, Alexey Osipov, PacSec, Tokyo, Japan, 2014
[Diagram: attack host with control links into the train systems]
Attack the ATC
… not exactly
https://railway-news.com/global-cyber-attack-hits-deutsche-bahn/
https://www.hackread.com/russian-postal-service-hit-by-wannacry-ransomware/
[Diagram: attacking system, train control system, defending system]
Intellectual Technologies on Transport No 1
…We explore... and you call us criminals. We seek
after knowledge... and you call us criminals. We exist
without skin color, without nationality, without
religious bias... and you call us criminals. You build
atomic bombs, you wage wars, you murder, cheat,
and lie to us and try to make us believe it's for our
own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity…
