Railroad Association Denies Smart Train Cyber Vulnerabilities
Railroad industry representatives are disputing a recent claim that the industry's network security practices are inadequate.
In the Boston Review last week, writer Bryce Emley argued that the rail industry hasn’t sufficiently opened its systems to independent review, that railways’ IT engineers have been opaque in their dealings with regulators, and that derailments possibly caused by hacking may not have been completely reported or investigated. The claims were largely based on conversations with security researcher and Department of Homeland Security contractor Neil Smith.
Cybersecurity on the rails is increasingly important with the advent of Positive Train Control, a safety system that connects train controls to wireless networks. Successful hackers could theoretically gain control of such systems and cause a derailment similar to last year’s Amtrak disaster or the 2013 explosion of an oil train that killed 47 in Lac-Mégantic, Quebec. The possibility of causing mayhem remotely could make train hacking an attractive priority for terrorists.
But Tom Farmer, assistant vice president for security for the Association of American Railroads, characterized the article as “based on a lot of inaccuracies and mischaracterizations” and emphasized the industry’s commitment of resources to security.
Farmer disputed Smith’s claims that an unspecified derailment in Michigan may have been caused by hacking but that supervisors failed to investigate the theory. “We have not had, in the freight rail industry, a cyber-driven derailment because of compromise of the network,” Farmer said.
Smith also told Emley that in at least one case, a network developer working for a railroad cut off communication with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the face of requests to test their network. Emley more broadly characterized a lack of transparency as “the rail industry’s modus operandi.”
Farmer said he was not aware of the incident referenced by Smith, but that AAR and the industry have liaisons and share information with agencies including the FBI, TSA, and ICS-CERT. “We work very hard to sustain communication, and if government has questions or concerns, we don’t shut them off.”
Farmer also said that, contrary to the claims attributed to Smith, the railroads do allow independent security researchers to test PTC networks. “We’ve been involved with a national laboratory that specializes in the protection of industrial control systems for a period of almost five years,” Farmer said, declining to name the laboratory.
Farmer did confirm one of Emley’s assertions—the lack of formal, industrywide network security standards. Each railway, Farmer said, has its own cybersecurity teams and practices, though they share information through a body called the Rail Information Security Committee. That committee has been in place since 1999, which Farmer says shows the industry’s longstanding commitment to security.
A federal deadline for PTC implementation by 2016 has now been delayed, after the industry argued that the scale of the task made it impossible to meet the original deadline. New rules give railroads up to five years to complete the upgrades. As of now, the system is implemented in 31% of locomotives owned by AAR members.
“Cybersecurity … is not an area that the railroads are in any way neglecting,” Farmer said. “Quite the opposite.”