top of page

Polish rail disruptions show crucial need for robust cybersecurity systems


Disruption to the Polish national rail system is being seen as evidence of the critical need for robust cybersecurity protection for global railways.

While there is debate over categorising the Polish attacks – using radio frequencies – as “cyber-attacks”,  experts are warning they could be used as a ‘test’ by the threat actors as the precursor to more serious incidents.

It has been reported the threat actors attempted to send rogue emergency stop commands to trains along with the playing of the Russian national anthem and Russian president Vladimir Putin speech excerpts. Poland’s rail system plays a key role in the NATO support of Ukraine its war with Russia.

Official statistics from Poland show that from January 1st to August 24ththis year, a total of 28 successful intrusions into information systems were recorded, along with 72 attempted attacks classified as incidents.  The Polish state railway operator is investigating the derailment of two trains and a collision of another two recently - no one was injured in these incidents.

Last month Poland’s State Railways (PKP) reported “threat actors” spoofed radio commands to create an emergency stop of 20 trains. The most serious incident occurred in Olsztyn, where the intelligent traffic control system and the metropolitan ticket sales system were non-operational for several weeks.

The intrusions are made over a radio system designed with an ‘emergency stop function’ which uses specific radio tones to trigger the emergency stop of all trains using that designated radio frequency.

Yaniv Mallet, lead cybersecurity architect at rail cybersecurity company Cylus told Industrial Cyber said: “Many legacy rail systems were designed for safety, with fail-safe mechanisms and train stoppage was not seen as a concern. But intentional rail stoppage at scale was not planned and that’s what we’re seeing here. In fact, the technical specification detailing this radio system in use by PKP, including the emergency stop function, was publicly available online for interoperability purposes.

“The VHF transmission equipment necessary for this attack is relatively simple, but the equipment would need to have been relatively close to the receiving train system. This attack does illustrate that threat actors are motivated and setting their sights on disruption of operational railway systems.

“The debate about whether this attack should be considered a ‘cyber-attack’ is irrelevant. Electronic warfare is merged with cyber warfare in military domains, and in the railway context, RF jamming and hacking are in fact risks that railway CISOs will need to consider and manage. In cases like this, real-time security monitoring can help to quickly identify a root cause of an attack and to plan the necessary mitigations and future protections.

Recent reports have confirmed that Polish intelligence services are investigating a hacking attack on the country’s rail network system. About 20 trains were brought to a standstill, but services were restored within hours.

Poland’s Internal Security Agency (ABW) and police are probing an unauthorised use of the system involved in rail traffic management.  Stanisław Zaryn, deputy coordinator of special services, told the Reuters news agency: “Such attempts are being made by the Russian Federation in cooperation with Belarus, and also for this reason we do not underestimate any signals that come to the ABW.”

Andrzej Bartosiewicz, CEO of CISO #Poland, an association of over 200 CISOs in Poland, said “We do not treat this incident as a ‘cyberattack.’ It is incorrect to refer to the disruption of the ‘radiostop’ system as a malicious action in the cyber sphere. Recent events involving the use of the ‘radiostop’ signal, categorized for many years as acts of hooliganism, do not exceed the standard number of several hundred cases per year recorded by PKP PLK – Polish national railway infrastructure operator.”

He explained the ‘radiostop’ events cannot be detected by Cyber Security Operations Centre as they do not involve signalling systems or any computer network adding: “The radio signal reaches over the air the locomotive, where the breaking system is activated.”

Piotr Combik, chairman of CISO #Poland Transport Working Group gave his verdict on the incidents stating: “The Radiostop signal cannot change semaphore indications or change train routes. It is not in any way linked to railway traffic control devices. It cannot derail trains; its sole function is to trigger the emergency brakes of a train within the range (up to several kilometres) of the broadcasting radio station transmitting the signal.

“Operating the system will require heightened efforts in the realm of cybersecurity and physical infrastructure security. Technically outdated, the system has known vulnerabilities, including susceptibility to Denial of Service (DoS) attacks.”

As a result of the Polish incidents, rail operators across the globe are being urged to upgrade their counter measures in the face of these attacks to ensure their cybersecurity systems can deal with a range of intrusions.

W Denis Europe arranges comprehensive insurance for EEA based businesses, large and small, including, Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. For more information, or a quotation, please contact W Denis Europe:

Eastern Europe

Southern Europe

Western Europe &/or elsewhere worldwide

bottom of page