Cybersecurity & Infrastructure Security Agency Issues Warning About End-of-Train Device Vulnerability

Written by David C. Lester, Editor-in-Chief

WASHINGTON, D.C. –– The federal Cybersecurity & Infrastructure Security Agency has warned that end-of-train devices (EOTs) are vulnerable to cyber breaches that could affect the train's brake control system.

Editor’s Note: Although train operation is not within the normal purview of RT&S news coverage, we do cover cybersecurity and information technology, so we believe this important story is worthy of our attention.

Considering the history of the train caboose and its prevalence in “railroad lore,” it’s hard to believe that cabooses disappeared from the railroad scene around 30 years ago. Replaced by electronic devices typically known as “end-of-train” devices, the caboose has faded into history.

The end-of-train device has evolved over the last three decades, from consisting of a simple red light to provide visibility and warning to other railroaders, to a sophisticated piece of technology that monitors various in-train forces, and integrates with some functions, such as the air brake system and PTC.

The federal government cybersecurity agency has issued a warning that the EOT could be vulnerable to computer hackers, especially those seeking to take control of the train’s air brake system. The report says “Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations or induce brake failure.”

Anyone who works with a computer system knows that the ability to authenticate one’s identity is a major part of the software build. There are usually multiple layers of authorization necessary to log into large systems with sensitive information to ensure the person gaining access is authorized to do so. The cybersecurity agency said that the particular vulnerability of EOT devices lies in the degree of authentication that is required to gain access, which the agency said is “weak.”

The cybersecurity agency says that the Association of American Railroads is addressing the issue. “The standards committees involved in these updates are aware of the vulnerability and are investigating mitigating solutions. The AAR Railroad Electronics Standards Committee (RESC) maintains this protocol which is used by multiple manufacturers throughout the industry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. Users of EOT/HOT devices are recommended to contact their own device manufacturers with questions.”

Jessica Kahanek, a spokeswoman for the AAR, said “As the railroad industry looks to the future, every operational strategy, safety protocol, and piece of equipment is viewed as an opportunity to enhance performance and safety. Accordingly, railroads have, and will continue to, put concerted effort into advancing next-generation End-of-Train devices and the technical standards that govern them. Next generation devices and standards have the potential to significantly improve communication between lead locomotives and the end of the train, securely enhancing reliability, and streamline operations.”
