
CISA Issues EoT, HoT Device Advisory

The Cybersecurity and Infrastructure Security Agency (CISA) has released an Industrial Control Systems (ICS) advisory regarding End-of-Train (EoT) and Head-of-Train (HoT) devices.

The advisory, released July 10, covers the EoT and HoT remote linking protocol. CISA classifies the vulnerability as “Weak Authentication.”

CISA said “[s]uccessful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train, which may lead to a disruption of operations, or induce brake failure.”

CISA provided the following vulnerability overview: “The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.”
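The overview above makes the security point precisely: a BCH code is an error-detecting (and error-correcting) code, computed by a public, keyless function, so any party who knows the generator polynomial can produce a frame the receiver will accept. The example below is added here for illustration and is not CISA's, AAR's or any manufacturer's code; the advisory does not publish the real EoT/HoT frame layout, so the 7-bit command field, the use of the textbook binary BCH(15,7) code, the 32-bit counter, the shared key and the command value are all constructed assumptions. It contrasts a receiver that checks only the BCH parity with one that additionally requires a keyed HMAC tag and a monotonic counter.

```python
"""Why an error-detecting code is not an authenticator (added example,
not from the advisory). The frame format here is constructed for
illustration and is not the real EoT/HoT remote linking protocol."""
import hashlib
import hmac

# Generator polynomial of the binary BCH(15,7) code, g(x) = x^8+x^7+x^6+x^4+1,
# most significant coefficient first. It is public: anyone can evaluate it.
BCH_15_7_GEN = 0b111010001
PARITY_BITS = 8           # degree of g(x)
DATA_BITS = 7             # 15 - 8


def bch_parity(data7: int) -> int:
    """Systematic BCH(15,7) encoder: parity = (data * x^8) mod g(x) over GF(2)."""
    if not 0 <= data7 < (1 << DATA_BITS):
        raise ValueError("data field must fit in 7 bits")
    reg = data7 << PARITY_BITS
    for bit in range(DATA_BITS + PARITY_BITS - 1, PARITY_BITS - 1, -1):
        if reg & (1 << bit):
            reg ^= BCH_15_7_GEN << (bit - PARITY_BITS)
    return reg & ((1 << PARITY_BITS) - 1)


def bch_frame(command7: int) -> int:
    """15-bit codeword: 7 data bits followed by 8 parity bits."""
    return (command7 << PARITY_BITS) | bch_parity(command7)


def bch_frame_valid(frame15: int) -> bool:
    """Receiver that trusts the checksum alone (the weak design).
    Detects noise-induced bit errors; cannot distinguish a forged frame."""
    data = frame15 >> PARITY_BITS
    return (frame15 & ((1 << PARITY_BITS) - 1)) == bch_parity(data)


# --- Hardened variant (constructed): keep the BCH code for error detection,
# --- add a keyed MAC for origin authentication and a counter against replay.
TAG_LEN = 8


def mac_frame(command7: int, key: bytes, counter: int) -> bytes:
    """counter(4) || BCH codeword(2) || truncated HMAC-SHA256 tag(8)."""
    ctr = counter.to_bytes(4, "big")
    cw = bch_frame(command7).to_bytes(2, "big")
    tag = hmac.new(key, ctr + cw, hashlib.sha256).digest()[:TAG_LEN]
    return ctr + cw + tag


def mac_frame_valid(frame: bytes, key: bytes, last_counter: int) -> bool:
    """Accept only if the counter is fresh, the BCH parity is consistent,
    and the tag was produced with the shared key."""
    if len(frame) != 4 + 2 + TAG_LEN:
        return False
    ctr_b, cw_b, tag = frame[:4], frame[4:6], frame[6:]
    if int.from_bytes(ctr_b, "big") <= last_counter:
        return False                                    # replayed or stale
    if not bch_frame_valid(int.from_bytes(cw_b, "big")):
        return False                                    # corrupted in transit
    expected = hmac.new(key, ctr_b + cw_b, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)           # constant-time compare


def forgery_demo():
    """An attacker with only the public generator polynomial (and, per the
    advisory, a software-defined radio) forges a command frame. Returns
    (accepted_by_checksum_only_receiver, accepted_by_mac_receiver)."""
    SET_BRAKE = 0b0000001          # constructed opcode, not a real EoT command
    key = b"per-train key provisioned at linking"   # assumed shared secret
    forged_cw = bch_frame(SET_BRAKE)                 # valid BCH parity, no key
    by_checksum = bch_frame_valid(forged_cw)
    forged_mac = (0).to_bytes(4, "big") + forged_cw.to_bytes(2, "big") + bytes(TAG_LEN)
    by_mac = mac_frame_valid(forged_mac, key, last_counter=-1)
    return by_checksum, by_mac


if __name__ == "__main__":
    print("checksum-only receiver accepts forgery:", forgery_demo()[0])
    print("MAC receiver accepts forgery:", forgery_demo()[1])
```

The BCH receiver rejects every single-bit error in the 15-bit codeword (the code's minimum distance is 5), which is exactly the job a checksum is designed for; it says nothing about who built the frame. Adding a MAC is the minimal change that turns the check into authentication, and the counter is what stops a captured legitimate brake command from simply being replayed.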

The Association of American Railroads (AAR) “is pursuing new equipment and protocols, which should replace traditional End-of-Train and Head-of-Train devices,” CISA reported. “The standards committees involved in these updates are aware of the vulnerability and are investigating mitigating solutions. The AAR Railroad Electronics Standards Committee (RESC) maintains this protocol, which is used by multiple manufacturers across the industry, including Hitachi Rail STS USA, Wabtec, Siemens, and others.”

CISA recommended that EoT/HoT device users contact their own device manufacturers with questions.

CISA also recommended that users “take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • “Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • “Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • “When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.”

According to CISA, organizations should perform “proper impact analysis and risk assessment prior to deploying defensive measures.”

“Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents,” CISA said. “No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.”

In CISA's usage, “not exploitable remotely” means the attack cannot be launched over a network connection. As the vulnerability overview states, the forged packets are transmitted over RF with a software-defined radio, so an attacker needs only radio proximity to the train, not access to any railroad network; the network-segmentation measures above do not close that path.

AAR on July 15 provided the following statement to Railway Age: “As the railroad industry looks to the future, every operational strategy, safety protocol, and piece of equipment is viewed as an opportunity to enhance performance and safety. Accordingly, railroads have, and will continue to, put concerted effort into advancing next-generation End-of-Train devices and the technical standards that govern them. Next-generation devices and standards have the potential to significantly improve communication between lead locomotives and the end of the train, securely enhance reliability, and streamline operations. Further to these efforts by the railroads, AAR recently provided support to Project CHARIOT, an initiative by the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) focused on identifying vulnerabilities in equipment and developing robust mitigation strategies to reduce cyber risks. This collaboration will lead to the evaluation of a wide array of technologies and equipment and the ultimate hardening of critical infrastructure, ensuring the safe delivery of freight for customers across the network.”

CISA has a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Additionally, several CISA products detailing cyber defense best practices are available, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA said it encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. More mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Further Reading: