Imagine.
A rainy Tuesday, between 8 a.m. and 9 a.m.
Suddenly, all subways and trains in Ile-de-France stop.
Some in the middle of a tunnel or a bridge.
Worse, an RER fails to brake and rushes into the one it follows at 100 km / h.
This scene is the work of one or more malicious hackers whose sole motivation is to unleash chaos.
And paralyze Paris.
Although unlikely, this disaster scenario is not entirely impossible.
Because cyberthreats are growing.
According to the specialist magazine MagIt, the month of September 2020 saw a record number of cyber attacks.
And the transport sector is one of the prime targets.
“For several reasons,” says Jean-Nicolas Piotrowski, president of ITrust, a cybersecurity company.
You can disrupt a nation by blocking its transport (air traffic control, trains, highways, automobile network, etc.).
And if current trains still have closed and partitioned on-board systems, which limits the possibilities of intrusion, future connected trains must guard against the risk of cyber attacks ”.
READ ALSO>
Ransoms, cyber attacks… the threat does not spare businesses in Ile-de-France
A sign that this silent war is calling on transport operators, SNCF has just signed a one-year contract with ITrust.
The goal of the cybersecurity company will be to protect trains by anticipating and preventing possible future attacks that could impact the company and its equipment.
"And if the use of artificial intelligence in this mission is successful, we will sign a contract to better protect them", further details Jean-Nicolas Piotrowski.
“A research and development contract, nothing more,” we respond to SNCF, which reminds us that safety is its number one priority, even before getting the trains to arrive on time.
Connected and therefore more fragile transport
Because, to increase their performance, public transport is smarter and more connected than it was ten years ago.
In July 2019, SNCF thus managed to remotely pilot a “drone train”.
At RATP, buses can now park on their own, and automatic metro lines are multiplying (after lines 1 and 14, 4 will in turn become automatic).
Technological advances which at the same time represent possible new breaches in which hackers could interfere.
As for the RATP, we want to be reassuring.
The management recalls that "the control and operating assistance systems are" by default "isolated from all the other systems, in particular all that is connected to the Internet".
But the threat can exist even if the network is not connected on the outside.
Thus, one of the biggest known attacks, which targeted Iranian nuclear power plants in 2010, started… from a USB key inserted into a computer at the site.
Threats from all walks of life
There are many potential perpetrators of cyber attacks.
A report entitled “Risk management related to cybersecurity and rail safety aspects”, published at the end of a congress two years ago and co-written by two experts from the RATP, thus classifies the risks for a transport system.
According to this report, the worst threat to a network would come, for example, from a "dictatorial state" which would decide to attack transport for the purpose of "destruction or subversion of society" or for "financial gain" .
Because it would have a strike force such that it could "usurp and take control of the control / command systems" of the trains ...
Newsletter - Most of the news
Every morning, the news seen by Le Parisien
I'm registering
Your email address is collected by Le Parisien to enable you to receive our news and commercial offers.
Learn more
But the hackers could just as easily be a competitor or a supplier, a former employee with whom the break-up went badly, or even political associations or organizations or unions which would seek to steal information.
In all, the report identifies around 70 threats of varying degrees to marginal, strategic or vital interests from dozens of potential “hostiles”.
That is more than 900 different scenarios to anticipate.
RATP confirms that it "assesses the risks relating to its information systems" and deduces "several treatment plans aimed in particular at perfecting (its) defense strategy".
READ ALSO>
Insecurity: Pécresse pleads for facial recognition in transport
And the potential damage obviously depends on the attackers.
"The scenario of a mad train controlled remotely and used as a weapon is impossible today", affirms Jean-François Beaudoin, senior vice-president of
Digital Mobility
at Alstom.
That of a group which decides to stop all the trains, on the other hand, "is a little less impossible".
But we can also imagine a takeover of display screens, to include a humorous message or, more serious, a threat, a demand for ransom.
2 million attacks in five weeks
However, it is impossible to obtain statistics on the number of attacks that companies suffer each year.
Daily, weekly, monthly attacks?
The data remains ultra-confidential.
No doubt so as not to encourage malicious spirits to get started.
And because the image of pirated companies would quickly be tarnished.
To get an idea of the number of intrusion attempts that transport operators are subjected to, it is necessary to refer to a simulation of a network which was carried out online.
The experiment lasted five weeks and the fictitious network suffered over this period nearly… 2 million attacks!
Because an attack is not necessarily visible.
It can be more insidious than hijacking a train.
"If they detect a vulnerability, they wonder if it is appropriate to attack"
“Before even thinking of attacking, the groups first come knocking on the door, sticking their heads out to see if there is a fault in our lines of defense,” continues at Alstom.
Their job is to do recognition.
If they detect a vulnerability, then they wonder if it is appropriate to attack ”.
To protect themselves, transport networks must be equipped with increasingly sophisticated protections: “Our systems have several lines of defense, some including for example strong ciphers that no one today is able to quickly decipher, adds the constructor.
This gives us time to close doors temporarily, to prevent attackers from accessing vital systems - train control, for example - and changing the lock ”.
The attacks will therefore take longer and leave the possibility for IT specialists to find a solution.
But now, the transport sector is no more immune than other sectors.
"If someone has the will, it's always possible"
Lilian Planche, an
expert in transport cybersecurity for the Egis firm, notably conducted a study on the future metro line 18: "The Grand Paris Express is the first means of transport to take cybersecurity into account from its conception".
It details what the risks of hacking in transport can be.
Has public transport ever been the target of computer attacks?
Lilian Planche.
I often cite in my training the railway company CSX infected in 2003 by a virus which interrupted traffic and caused delays of several hours during a day for all trains in the eastern United States.
Another impressive example is the accident of a tram that even injured people in Lodz, Poland, in 2009. There, it's almost a caricature: a young student has taken control of a switch remotely, as the tram passed.
The communication system did not use authentication or encryption.
More recently, in 2017, the entire San Francisco public transportation ticketing system was blocked because of an IT administrator who downloaded pirate software that carried ransomware.
Could hackers today take control of a train or a metro?
In absolute terms, yes.
If anyone has the will, it is always possible.
Rolling stock is more and more connected so this widens the attack surface.
If a malicious organization has sufficient means and resources, it will succeed.
But that's not a very likely risk.
The question is, what are the difficulties in getting there?
Currently, it is still easier to plant a bomb in a metro station than to attack the control system of a train.
Is public transport sufficiently secure?
There has clearly been an awareness on the part of operators and manufacturers.
The 2014 law and especially its 2016 implementing decrees have gone through this.
Before, it was the least of their concerns, but since then they have made up for lost time.
It is also linked to the digitization of the means of communication.
Today, computer protocols for controlling a train are based on the same basic technologies as consumer networks.
This creates new risks, but it has also resulted in better protection.
The exchanges are encrypted, we monitor who has access to what.
Before, there was only one barrier, today, ramparts are erected at each level.
The overall level of cybersecurity is improving.