
Hacker Intervention Saves Polish Trains: A Cybersecurity Drama Unfolds

photo: Wikimedia Commons / Public domain / CC BY-SA 3.0/Newag Impuls
23 / 05 / 2024

After an overhaul, Polish Newag Impuls trains ground to a halt, and the manufacturer refused to help. The situation had to be resolved by a hacker group, which uncovered a secret security system. However, Newag claims it was a conspiracy. A legal battle ensued. This scandal underscores the urgency of addressing cybersecurity issues.

Some background from the recent past helps to understand the context. In the spring of 2022, the first of eleven Newag Impuls trains ceased to operate, and the operator, the Lower Silesian Regional Railway, issued a tender for the overhaul that is mandatory after 1 million kilometers. The company Serwis Pojazdów Szynowych (SPS Mieczkowski Bydgoszcz) won the tender over the train manufacturer itself, Newag, which submitted a higher bid.

SPS carried out the repair according to a manual (of about 20,000 pages) provided by Newag. Surprisingly, however, the train did not start after the overhaul, although all the instruments reported that everything was fine. In the meantime, according to the contractual schedule, SPS started work on the repair of the second of the eleven trains, and the result was the same. The train did not start, and the manufacturer, Newag, refused to help.

So, there are two trains in the workshops. A third misses the inspection due to a battery failure, so a fourth train is sent to the shop instead. SPS wants to use it first to tow away one of those taking up space in the workshop. When the fourth (moving) train is attached to one of the standing ones, the moving one stops as well. In the next workshop in Szczecin, another Impuls stops in very similar circumstances and cannot be started.

With more than half of the trains out of service, the Lower Silesian Railway has to change the timetable and procure replacement trains. Newag said that the trains are blocked by a "safety system", yet there was no mention of it in the 20,000 pages of production documentation. As the train shutdown meant a contractual penalty of several thousand PLN per day for SPS, the company turned to the hacker group Dragon Sector and signed a contract with them.

The hackers managed to get the first train running just before the point at which Lower Silesian Railways would have been allowed to terminate its contract with SPS. They then spent several months investigating why the trains were stopping in the first place. They found numerical codes that identified the GPS coordinates of the sites of railway manufacturers and repairers that could repair and maintain the trains in Poland. The repair shops were apparently divided into two groups: if the GPS-based check reported the presence of a train for more than 10 days in an "undesirable repair shop", the train was completely disabled. The hackers also reportedly discovered other software mechanisms that were supposed to stop the train if any system part was replaced without authorization. Another function was supposed to stop the train automatically after 1 million kilometers.
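For an analyst auditing a train's position log against the lock condition reported above, a dwell-time check looks roughly like this. It is an added example, not code from Dragon Sector, Newag or this article; the workshop names, coordinates, 1 km radius and the assumption that the stay must be continuous are constructed, and only the 10-day threshold comes from the text.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

DWELL_LIMIT = timedelta(days=10)  # threshold reported in the article
RADIUS_KM = 1.0                   # assumed geofence radius (not from the article)
# Constructed placeholder sites; names and coordinates are not from the article.
WORKSHOPS = {"workshop-A": (53.10, 18.00), "workshop-B": (53.40, 14.55)}

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def zone_of(pos):
    """Name of the geofence containing pos, or None if it lies outside all of them."""
    for name, centre in WORKSHOPS.items():
        if haversine_km(pos, centre) <= RADIUS_KM:
            return name
    return None

def dwell_violations(fixes):
    """fixes: time-ordered (timestamp, lat, lon) tuples.
    Returns (zone, entered, first_fix_past_limit) for each continuous stay
    that exceeds DWELL_LIMIT. Leaving a zone resets its timer (assumption)."""
    hits, zone, entered, reported = [], None, None, False
    for ts, lat, lon in fixes:
        current = zone_of((lat, lon))
        if current != zone:                      # zone change: restart the timer
            zone, entered, reported = current, ts, False
        if zone and not reported and ts - entered > DWELL_LIMIT:
            hits.append((zone, entered, ts))
            reported = True                      # one finding per stay
    return hits

def daily(start, days, pos):
    """Constructed sample data: one fix per day at a fixed position."""
    return [(start + timedelta(days=d), *pos) for d in range(days)]

START = datetime(2022, 4, 1)
LONG_STAY = daily(START, 13, WORKSHOPS["workshop-A"])        # 13 days in one shop
SPLIT_STAY = (daily(START, 6, WORKSHOPS["workshop-B"])       # 6 days, one day out,
              + [(START + timedelta(days=6), 53.00, 15.00)]  # then 6 more days
              + daily(START + timedelta(days=7), 6, WORKSHOPS["workshop-B"]))

if __name__ == "__main__":
    print(dwell_violations(LONG_STAY))   # one finding, raised on day 11
    print(dwell_violations(SPLIT_STAY))  # no finding: the stay was interrupted
```

Correlating the timestamps this returns with the moments a vehicle stopped responding is the kind of evidence that separates a location-triggered lock from an ordinary fault.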

RAILTARGET editors then discovered an interesting fact. After the media coverage of the case, other users of Newag products, mostly regional railway companies, came forward with similar experiences. And subsequently, there was also a flare-up between the two companies. SPS and Newag filed lawsuits against each other, which will not be easy to resolve.

SPS accuses Newag of deliberately storing in the software the locations, data, and situations in which trains should not have been running. Newag denies the hackers' findings and instead claims in its lawsuit that the hackers made unauthorized interventions on orders and also violated company copyrights.

The service company SPS was allegedly unable to carry out repairs and therefore created a conspiracy theory about manufacturer interference with the vehicle with the help of the hackers. According to Newag, it was third-party software interference that caused the problems. Newag, which otherwise acts as an advocate for improving security standards in Poland and a leader in rail cybersecurity, believes that such interference by carriers in vehicles is unthinkable, even in other transport sectors, such as any interference in avionics in aviation.

According to Newag's findings and assessment, users of railway vehicles in Poland are driven primarily or exclusively by price and, as a result of this approach, they increasingly entrust the maintenance of railway vehicles to entities that do not have the appropriate competence and know-how. A policy that is unthinkable in Western European countries may one day lead to a human tragedy in the form of a railway accident.

The Polish billionaire Zbigniew Jakubas, the owner of Newag, who otherwise makes minimal public appearances, also made a rare appearance. He told Business Insider that the very method of disclosure is damaging to the listed company and has a manipulative effect on the share price. It should be dealt with by all responsible government bodies, including the intelligence services. The case was dealt with during Poland's parliamentary elections in late 2023.

It was discussed by the Polish Sejm, and it was not clear for a long time whether the case should be dealt with by the UTK Railway Authority, or the Ministry of Infrastructure (and Transport) or the Ministry of Digitisation. It is also being dealt with by the Central Anti-Corruption Authority (CBA). Newag came to prominence in Poland in the run-up to the elections in connection with the visits of then Prime Minister Morawiecki and the signing of a memorandum of cooperation with Korea's Hyundai Rotem in the development and production of high-speed trains. The whole case may therefore take on an additional, commercial dimension. The Polish state-owned company for the preparation of high-speed lines, CPK, foresees operational use for up to 120 train sets in Poland.

Another level is the battle for real liberalization of access to services, which has been opened up by the gradually shaped interpretation of the ERA regulations.

But most importantly, whoever is at fault in this case, the rail industry cannot avoid a thorough discussion on the specific parameters of cybersecurity. Will the responsibility for the end product, but also for the entire supply chain, lie solely with the suppliers of railway locomotives, passenger cars, and, in the future, thanks to the DAC coupling, digitized freight rail cars? What will be the nature of the service and modernization arrangements with carriers or vehicle owners? Who will actually be able to intervene in control and information systems in rail transport and on the basis of what authorizations?