A simple train trip to the airport turned out to be a mess – thanks to a cyber-attack

November 11, 2019 at 09:58

My first-hand experience of being a victim of a cyber-attack created concerns and got me thinking.

It was a beautiful, sunny day in Stockholm a couple of years ago. As I was on my way to the airport from a partner meeting, I decided to take the speed train. Arlanda Express would take me from the central railway station to the airport in 15 minutes. I had made it to the central rail station roughly five minutes before the train departure and sat down to browse some news on my phone. After browsing through all the news and social media feeds, I had noticed that we were not moving. A quick check on the time, and it turned out that we were over ten minutes late from departure. I looked out the window and saw an interesting message on the information screen next to the track, indicating that there is a technical issue. “Well, stuff happens, let’s hope nothing serious,” – I thought. 

Cyber-attack on a train station in Stockholm turned the traffic into a mess.
A cyber-attack on a train station in Stockholm turned the traffic into a mess.

After another five minutes or so, I noticed people leaving the train and followed the crowd. Once out, I noticed that every peer was packed with people, and every info screen showed the same message, indicating that there’s a technical issue. 

Teary eyes and people yelling

So here I am, in Stockholm Central Railway Station during rush hour, where no train had arrived nor left for over 20 minutes. Almost everyone was on a cellphone; some people were yelling, some people’s eyes were in tears, and some people were literally stunned. I saw staff members calming people down and explaining the situation: The entire railroad is off. Trains are stopped due to safety reasons, as the connection to the train control system is down. At this stage, I’m getting concerned about missing my flight. To alternative then: Taxi! Oh, but the taxi line is around 100 meters long, as I’m not the only wise one here. Luckily folks at Arlanda Express came up with an alternative. They had set up a separate line with taxis, taking passengers to Arlanda airport. In a couple minutes, I was sitting in a cab, confident to be on time at the airport. 

There was only one issue. As people decided to use alternative transportation during rush hour, it soon became chaos on the road. The driving culture turned aggressive. Some cars took short cuts through pedestrian roads; some were aggressively trying to fit into lanes, while others wouldn’t let them through. It was a mess until police took over and started guiding the traffic. 

Luckily, I managed to get just-in-time to the airport, but all in all, it was a very interesting trip.

What if…

 In retrospect, I started to think about how it would feel if, during that chaos, I would be already running late from picking up my child from daycare or school. What if I had an emergency and would need medical assistance? How can a situation this big be possible in the first place, and how widely a mere 30-minute disruption in a massive transportation service during rush hour can affect the entire city’s traffic? What would’ve happened if this thing would last for a day? 

And what would happen if the same, 30-minute disruption would occur in our power grid, during a cold winter day, as it happened in Ukraine several years back (although the power outage they experience was much longer)? Not cool. Horrifying even. 

It turned out that the train control system had suffered a Denial of Service (DoS) attack, cutting all connection to trains.

What can we learn from this?

Preparation is key

I must raise a hat to Arlanda Express, as they’ve done a great job by providing an alternative transportation solution. In the central part of Stockholm, police were visible and capable of handling the traffic. The central railway station staff was openly stating the issue and its impact, which is, in my opinion, was better than nothing. Not sure how much of all that I’ve seen was preparedness versus improvisation, still I think all went well. Rehearsing major incidents, even if they are theoretical, makes sense as there is no time for rehearsal during a crisis. For government agencies, this practice is standard, and it’s great to see that companies are taking this practice into use as well, even when it comes to recovering from cyberattacks.

Know your weaknesses

A good rule of thumb is that almost every system is vulnerable, given enough time and resources, thus knowing when your software becomes susceptible is critical. There’re multiple ways to achieve this, none of which is too complex to deploy.

During deployment, whenever human interaction is involved, the probability of a mistake that leads to vulnerability increases significantly. Having continuous threat modeling sessions and requiring vendors for zero-touch-deployment is paramount, especially for complex systems like train control.


Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.

Related blogs