The rollout of a next-generation train signalling system across the UK could leave the network at greater risk of hack attacks, a university professor has claimed.
Prof David Stupples warns that plans to replace the existing (aging) signalling system with the new European Rail Traffic Management System (ERTMS) could open up the network to potential attacks, particularly from disgruntled employees or other rogue insiders.
ERTMS will manage how fast trains travel, so a hack attack might cause trains to move too quickly. UK tests of the European Rail Traffic Management System have already begun ahead of the expected rollout.
By the 2020s the system will be in full control of trains on mainline routes. Other countries have already successfully rolled out the system and there are no reports, at least, of any meaningful cyber-attack to date.
Nonetheless, Prof Stupples is concerned that hacks against the system could cause "major disruption" or even a "nasty accident".
ERTMS is designed to make networks safer by safeguarding against driver mistakes, a significant factor historically in rail accidents. Yet these benefits are offset by the risk of hackers manipulating control systems, Prof Stupples, of City University London, warned.
"Clever malware could alter the way the train will respond," he explained. "So, it will perhaps tell the system the train is slowing down, when it's speeding up."
Governments are aware of the risk and building in countermeasures against this sort of attack. Prof Stupples' concern is that such countermeasures might themselves be circumvented. Although hardened against external hackers, the system might be compromised with the aid (willing or otherwise) of an insider.
"The weakness is getting malware into the system by employees. Either because they are dissatisfied or being bribed or coerced," he explained.
Malware could be introduced even onto air-gapped systems through an infected USB stick, Prof Stupples warned.
Network Rail said: "Digital in-cab signalling is used safely and effectively by dozens of countries in Europe and around the world and is similar to technology already in use on the Tube and other metro systems in this country. Britain has the safest major railway in Europe and cyber security is a key part of our plan for introducing digital train control technology."
"Safety is our top priority. We work closely with government, the security services, our partners and suppliers in the rail industry and security specialists to combat cyber threats."
A spokeswoman for the Department of Transport told the BBC: "We keep security arrangements under constant review to take account of the threat and any new challenges we face."