Cybersecurity agency issues warning about end-of-train device vulnerability

An end of train device is seen on the rear of a CSX intermodal train passing though Falmouth, Va. Spencer T. Whitman

WASHINGTON — The federal cybersecurity agency issued an advisory last week regarding a vulnerability in end-of-train devices that could allow an attacker to gain control of a train’s air brake system.

“Successful exploitation of this vulnerability could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” the Cybersecurity & Infrastructure Security Agency warned on July 10.

End-of-train devices collect brakeline pressure data and send the information via radio signal to a head-end device aboard the locomotive, allowing the engineer to monitor the braking system. EOTs also relay data about whether the rear end of a train is stopped or moving forward or backward.

The devices send regular telemetry about every 40 seconds but will immediately send a signal if it detects a change in train status.

CISA is unaware of any attempts to exploit the vulnerability in the EOT communications system.

The Association of American Railroads, which sets standards for the industry, is pursuing new technology to replace the current brake monitoring system.

“The standards committees involved in these updates are aware of the vulnerability and are investigating mitigating solutions,” CISA said. “The AAR Railroad Electronics Standards Committee (RESC) maintains this protocol which is used by multiple manufacturers across the industry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. Users of EoT/HoT devices are recommended to contact their own device manufacturers with questions.”

The cybersecurity agency recommended that railroads take defensive measures to mitigate the risk of an attack on an EOT system.

The specific vulnerability, CISA said, is weak authentication. Using the Common Vulnerability Scoring System, the agency assigned a score of 8.1 to the EOT weakness, which puts it into the high severity category. The numerical scores are assigned to one of four categories: low, medium, high, and critical.

The AAR says it’s focused on making security improvements as it incorporates new technologies and equipment.

“As the railroad industry looks to the future, every operational strategy, safety protocol, and piece of equipment is viewed as an opportunity to enhance performance and safety. Accordingly, railroads have, and will continue to, put concerted effort into advancing next-generation End-of-Train devices and the technical standards that govern them,” spokeswoman Jessica Kahanek said in an email. “Next generation devices and standards have the potential to significantly improve communication between lead locomotives and the end of the train, securely enhance reliability, and streamline operations.”

More broadly, AAR has supported CISA and Department of Homeland Security initiatives that focus on identifying vulnerabilities in equipment and developing mitigation strategies to reduce risks.

“This collaboration will lead to the evaluation of a wide array of technologies and equipment and the ultimate hardening of critical infrastructure, ensuring the safe delivery of freight for customers across the network,” Kahanek said.

Note: Updated at 3:05 p.m. Central with comment from AAR.