A newly confirmed vulnerability in train braking systems has resurfaced after more than two decades, and it’s finally getting some traction. In short, this vulnerability allows attackers to send unauthenticated radio signals that can trigger emergency brakes, putting public safety at risk.
While this issue is specific to rail systems, it’s part of a much broader and ongoing problem across operational technology (OT): many critical infrastructure systems rely on decades-old, insecure designs. We’ve seen the consequences before: from Stuxnet sabotaging nuclear centrifuges to attackers compromising a US water treatment facility.
The reminder is clear: many OT systems are (still) vulnerable by design.
What is OT security and why do OT vulnerabilities linger?
In short, Operational Technology (OT) refers to the hardware and software that control physical systems like factory equipment, power grids, or hospital machines.
The answer to why these vulnerabilities linger lies in the critical nature of OT systems. They rarely get updated because they support essential services, which means that downtime or failure could have serious consequences.
Unlike legacy IT systems, which can often be updated or replaced relatively easily, updating systems that control things like train communications involves huge financial and operational risks. In short: especially in OT security, legacy remains tricky.
The unique challenges of radio-based OT
In the case of this rail system vulnerability, there’s an additional layer of complexity, as these systems are unique and purpose-built.
IT systems are generally built on universal processor instruction sets and are therefore compiled in similar ways. For communication they almost all use either widely used, properly documented protocols or (relatively) easy to understand purpose-made protocols, and both kinds are built on the TCP/IP model (or the OSI model, depending on who you ask). This means there is a large pool of personnel in the world that can understand, investigate and secure them.
OT systems, on the other hand, have very specific communication protocols that vary widely in how they work, how they’re built and what they’re used for.
Practically, this means that only a very small group of engineers actually understands this specific system, and their specialized knowledge is required for finding and fixing these kinds of vulnerabilities.

Why ‘common’ measures like encryption and authentication on critical wireless controls are rare
Industries haven’t widely adopted encryption and authentication for these types of controls, and it’s likely that overhead plays a big role in the reason why. In IT networks, bandwidth and processing power are usually sufficient to handle encryption without much impact.
But in OT systems, even a small increase in data size (like adding 300 bytes per message for encryption) could double or triple the communication load. This makes encryption a heavy burden that can potentially disrupt critical real-time communication.
These are issues for latency-sensitive systems; however, when it comes to OT in general, the cost of adding additional measures also factors in. Any additional component brings with it more cost, and is also another component (whether physical or virtual) that can break.
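To make the overhead trade-off above concrete, here is an added example (written for this article; it is not a real rail protocol or any vendor’s implementation): a constructed 6-byte command frame is authenticated with a 4-byte counter and an 8-byte truncated HMAC tag, the receiver rejects unauthenticated, tampered and replayed frames, and `overhead_ratio` shows what those 12 extra bytes do to a frame that small. The key, tag length and frame layout are assumptions chosen for the demonstration.

```python
import hmac
import hashlib
import struct

# Constructed demo values, not taken from any real system.
KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 8                              # truncated HMAC-SHA256 tag, 64 bits
SEQ_LEN = 4                              # big-endian anti-replay counter
SAMPLE_PAYLOAD = b"\x01\x00\x00\x00\x00\x00"  # constructed 6-byte command

def build_frame(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Frame = counter || payload || truncated HMAC over counter+payload."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

def verify_frame(frame: bytes, last_seq: int, key: bytes = KEY):
    """Return (accepted, new_last_seq, payload).

    Rejects frames that are too short, carry a wrong tag (forged or
    tampered), or reuse a counter at or below the last accepted one (replay).
    """
    if len(frame) < SEQ_LEN + TAG_LEN:
        return False, last_seq, b""
    header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, last_seq, b""
    seq = struct.unpack(">I", header)[0]
    if seq <= last_seq:
        return False, last_seq, b""
    return True, seq, body

def overhead_ratio(payload_len: int) -> float:
    """Bytes on the air (counter + payload + tag) relative to the bare payload."""
    return (payload_len + SEQ_LEN + TAG_LEN) / payload_len

if __name__ == "__main__":
    frame = build_frame(1, SAMPLE_PAYLOAD)
    print("authentic:", verify_frame(frame, 0)[0])          # True
    print("replayed: ", verify_frame(frame, 1)[0])          # False
    bare = struct.pack(">I", 2) + SAMPLE_PAYLOAD             # no tag at all
    print("untagged: ", verify_frame(bare, 0)[0])           # False
    print("overhead x%.1f" % overhead_ratio(len(SAMPLE_PAYLOAD)))  # x3.0
```

Even a 12-byte counter-plus-tag triples a 6-byte frame, which is the kind of budget that makes designers of low-bandwidth radio links hesitate; the example also shows why the counter matters, since a correctly tagged frame captured once is otherwise accepted again.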
OT vulnerabilities beyond the rail systems
This vulnerability may be specific to rail systems, but vulnerabilities like it exist everywhere in OT. In Zero Trust security, we assume that everything can be exploited. OT systems across utilities, manufacturing and other sectors are no exception to this rule.
OT vulnerabilities are on the rise and their consequences are often quite severe. Yet we hear about them a lot less. The reason more aren’t found? The small number of engineers qualified to audit OT systems means fewer vulnerabilities get identified. Unlike mainstream IT products that benefit from millions of users and researchers, OT systems have limited “eyes” on them.
How can we make OT more secure?
The reality is that, without identifying vulnerabilities, fixing them is near impossible. And even if a fix exists, systems may be hard to update. The key here is more security-focused reviews of OT systems, as well as a cybersecurity strategy that can cope with this reality.
In IT, things like bug bounty programs help find issues, but these rarely exist in OT due to the niche expertise required and the critical nature of these systems. We must invest in specialist security assessments, ongoing monitoring, and consider working with third-party experts who understand OT’s unique challenges.
The OT security gap and the future of critical infrastructure
The train brake vulnerability is just one example of a widespread OT security gap. Many operational systems were not built with security in mind and now face increasing digital threats. Addressing these risks requires more than just patches; it calls for a shift toward secure-by-design principles, stronger industry standards, and continuous vigilance. A strategy like Zero Trust covers all these bases.
Organizations need to treat OT security as essential to protecting critical infrastructure and public safety.