SecurityWeek

IT Firm Baits Hackers with Online Model Train Set

Somewhere on Earth a computer hacker types a malicious command and hits enter. Half a world away, an urban commuter train speeds out of control, derails and crashes into a building.

Happily the kind of scenario that makes for Hollywood blockbusters and keeps public security officials awake at night would, in this case, only damage a model train set at a German IT industry fair.

Internet security experts have set up “Project Honey Train” with an online railway control system as bait, hoping to “get inside the heads of cyber criminals” — but without the real-life casualties.

“The goal is to provide an environment where we can study how people may try to attack public infrastructure projects where they could put public safety at risk,” said Chester Wisniewski, of security company Sophos. “I suspect that this is a pretty good copy of some of the worst of public security that we see in real life… systems that were designed in a simpler time when people weren’t trying to attack them, which is what makes them vulnerable.”

Their miniature rail system at the CeBIT IT business fair in Hanover is built on a scale of 1:87 and set in a fictitious German city, with street names chosen from the board game Monopoly.

To an online attacker it’s all meant to look real, with original software components and inbuilt vulnerabilities which are advertised in known hackers’ chatrooms.

Critical infrastructure

Online users have long been exposed to risks from ID theft, “phishing” and scams by mafia groups, to mass data collection by social media giants and snooping by secret services.

But some fear we haven’t seen the worst of it yet, in an age when urban transport systems, chemical plants and power stations are considered potentially vulnerable to digital sabotage.

“I’m surprised that not more has happened already,” said Christoph Meinel, head of German IT university the Hasso Plattner Institute.

“It’s urgently necessary to do something about this. Some say ‘don’t worry, it won’t happen’, but that’s the wrong approach. Once someone has done it successfully, you can quickly expect to see copycats.”

Security experts have warned of vulnerabilities in the systems that run, for example, factories, oil pipelines and water networks — the so-called supervisory control and data acquisition or SCADA systems.

A real-life example is the computer worm Stuxnet, which was used to clandestinely attack Iran’s nuclear program in 2010 by ordering centrifuges to speed up and spin out of control until they ripped apart.

In his 2012 best-selling novel “Blackout”, journalist Mark Elsberg describes how hackers attack European power grids, sparking the collapse of transport, communication and food distribution and even triggering a nuclear reactor meltdown.

Marco di Filippo, of Sophos, said he considers the book’s premise and technical explanations “very valid”.

“The greatest vulnerability is that automation now speaks TCP/IP and has ended up online, unprotected,” he said, referring to the communication standard Transmission Control Protocol/Internet Protocol.

“This includes everything, be it power grids, power stations, wind farms, dams but also traffic management systems.”

‘Bad guys’

Andrey Nikishin, head of future technologies at Moscow-based software security group Kaspersky Lab, agreed there were theoretical risks but said a successful attack was difficult.

“If something is connected to the Internet it is theoretically possible to hack it,” he said.

But he stressed that governments are aware of risks to critical national infrastructure, take steps to protect it and that many systems have a manual backup.

“And you can’t hack the manual switch, fortunately,” he said.

Kaspersky Lab has identified four main types of attackers — teenager hackers showing off, cyber criminals out for money, extremists seeking to sabotage, and state actors whose main goal is espionage.

While operating on the same technical basis, the big difference is the resources they have to hand, Nikishin said.

He added that potential threats would multiply in the era of the “Internet of Things”, when not just PCs, laptops and phones but also houses, cars and appliances have IP addresses.

“The world is changing,” he said, predicting however that one thing would stay the same — “The actor, the bad guy… they have existed, they do exist, and they will exist.”

Written By

AFP 2023