Would a Nightsleeper Hack-Jack be Possible on the UK Rail Network? 

Dec 02, 2024

The recent BBC series, Nightsleeper, depicts a situation where the UK rail system is hacked, with attackers taking over the network and remotely controlling a train with passengers still onboard.

There was a real cyber attack on TfL (Transport for London) systems in September 2024, although on a far smaller scale than the events of the fictional BBC series.

In Nightsleeper the communications equipment, passenger announcements, control of the tracks and locomotion of the train itself are all compromised by the malicious actor. To what extent could this be achieved in real life and how could organisations such as UK Rail defend themselves from these types of attacks?

Haven’t seen the series? Spoiler alert, we’ll be talking key plot details…

Staged Robbery Distraction

In the opening episode of Nightsleeper, a staged robbery is used to distract security personnel long enough for hackers to plant their devices on the train.

In real life, hackers and other criminals often use a combination of “stealth and audacity” to draw attention away from their actions and compromise physical security, in order to initiate the main attack.

The method depicted in the series is realistic, and the lengths a state-sponsored actor will go to in setting up a cyber attack, including committing physical crimes, should not be underestimated.

Single Board Computer Attached to Wiring in Floor Space

As the events of the series unfold, it transpires that the hackers have placed an SBC or single-board computer in a floor space under the train, connected to the internal wiring.

You won't find USB plugs or Ethernet adaptors in such a floor space under a British train; armoured cables and industrial connectors are used instead. It is still possible, however, to splice such a device onto an existing onboard network and run malicious code from it.

The SBCs used in the series are relatively cheap at around £30–£70 and, with the right knowledge, work as a small general-purpose computer that can run almost any custom code. These devices have multiple input and output pins and can be made to interface with analogue and digital control systems, or be connected via RJ45 network ports and USB ports.

Endpoint Protection Program Compromised

In the TV show the hackers target the anti-virus software used on the trains. This is a plausible vector: endpoint security agents run with high privileges on every machine they protect, so subverting one gives an attacker the same reach, and attackers frequently target third-party software for exactly that reason. The July 2024 CrowdStrike outage showed the blast radius of such software even without an attacker: a faulty Falcon sensor content update, not a hack, crashed millions of Windows machines worldwide.

Unpatched Firmware Targeted

Firmware is the low-level software that controls hardware such as train control systems and communications. This basic software is critical to the train’s operation.

In Nightsleeper, this is one of the vulnerabilities targeted by hackers and in real life, it’s critical to keep systems such as these continually updated, as explained by a former British rail employee: 

“Railway operators need to establish a routine where they continuously review, update, and patch firmware. The reality is that new vulnerabilities can emerge at any time, and patches aren’t just a one-off event—they’re an ongoing process,” says Lee Clough, a former train driver and cybersecurity expert who has worked on the UK rail network.

“Additionally, a system that continuously scans for vulnerabilities at both hardware and software levels can help railway operators stay ahead of potential threats. Automated scanning tools can flag vulnerabilities as soon as they are discovered, giving operators the chance to patch them before they can be exploited.”

Social Engineering

In order to trick a journalist into bringing a USB drive onboard the train, the hackers in the Nightsleeper series use social engineering tactics. This is a method commonly employed by hackers to manipulate people into giving up access to sensitive information and secure locations.

Signals Compromised 

In terms of signalling systems being compromised, a real-world example occurred in Poland in August 2023. Attackers, whom Polish authorities suspected of acting on Russia's behalf, used cheap radio equipment to broadcast the "radio-stop" emergency command on the railway's unencrypted analogue VHF frequencies. That legacy system has no authentication, so locomotives receiving the tone sequence treated it as a genuine emergency signal and applied their brakes, bringing trains to a halt across large sections of the network. The fail-safe worked exactly as designed; the problem was that anyone with a transmitter could trigger it.

A year earlier, in August 2022, attackers at a German railway station switched the displays away from the normal passenger information and played pornographic videos on the screens instead.

Most announcement boards and digital signage are simply a browser in kiosk mode displaying a web page whose URL can be updated remotely. If that management channel is not authenticated and the screens are not restricted to an allowlisted source, anyone who can reach it can point the displays at content of their choosing.

Remotely Controlling the Train 

During the course of events in the series Nightsleeper, hackers take direct control of the train, causing it to accelerate beyond its normal operating speed and preventing the driver from regaining control of the rolling stock.

To what extent would this be possible in real life? 

Alarmingly, according to those who have driven trains and provided cyber security services for the British rail network, this could be relatively simple to accomplish.

On a typical British train, the driver would control the motion of the vehicle and other actions through an HMI (Human Machine Interface) which displays speed and other indicators, allowing the driver to make adjustments to traction (acceleration) and braking. 

The screen providing the driver with the information and controls needed is basically linked to a custom web page that is provided by a web server onboard the train.

Surprisingly, there is no authentication between the HMI and the web server on the train: the driver's screen does not verify that a page came from the legitimate onboard server and simply renders whatever it is sent.

Because of this, an attacker with a foothold on the onboard network can interpose themselves between the server and the driver's screens and substitute a page of their own. One approach is to knock the legitimate server offline with a denial-of-service flood so the HMI can no longer reach it, then answer the screen's requests from the attacker's own device.
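The following is an added example, not code from the article or from any railway supplier, showing why the missing check matters. It models the cab screen as a small Python client that either renders whatever page arrives (the situation the article describes) or first verifies the page against a pinned per-train key and a monotonic sequence number. The shared key, the page contents, the sequence numbers and the attacker's substitute page are all assumptions constructed for the example; HMAC-SHA256 from the standard library is used so the example runs offline, though a production design would use TLS with a pinned server certificate or an asymmetric signature.

```python
import hashlib
import hmac
import json

# Hypothetical per-train key shared by the onboard web server and every cab HMI.
# Illustrative value only, not the configuration of any real rolling stock.
SHARED_KEY = b"example-per-train-key-provisioned-at-commissioning"


def serve_page(key: bytes, html: str, seq: int) -> dict:
    """Server side: bind the page to a sequence number and tag both with HMAC-SHA256.

    The sequence number lets the HMI reject replays of an older, legitimately
    tagged page (for example one that showed a higher permitted speed)."""
    body = json.dumps({"seq": seq, "html": html}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class CabHmi:
    """Driver's screen. With authenticate=False it behaves as the article describes:
    it renders whatever page arrives. With authenticate=True it checks origin
    (tag under the pinned key) and freshness (strictly increasing sequence number)."""

    def __init__(self, key: bytes, authenticate: bool) -> None:
        self.key = key
        self.authenticate = authenticate
        self.last_seq = -1
        self.displayed = None

    def receive(self, msg: dict) -> bool:
        """Return True if the page is accepted and rendered, False if rejected."""
        body = msg["body"]
        if self.authenticate:
            expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, msg.get("tag", "")):
                return False            # tag wrong or missing: not from our server
            seq = json.loads(body)["seq"]
            if seq <= self.last_seq:
                return False            # older or repeated page: replay
            self.last_seq = seq
        self.displayed = json.loads(body)["html"]
        return True


def run_scenario(authenticate: bool) -> dict:
    """Replay the substitution attack against an HMI with or without authentication."""
    genuine = serve_page(SHARED_KEY, "<p>Permitted speed 80 mph</p>", seq=1)

    # Attacker on the onboard segment, having knocked the real server offline,
    # pushes a substitute page. They do not hold the pinned key, so the best
    # they can do is tag it with a key of their own (constructed attacker data).
    forged_body = json.dumps(
        {"seq": 2, "html": "<p>Permitted speed 125 mph</p>"}, sort_keys=True
    ).encode()
    forged = {
        "body": forged_body,
        "tag": hmac.new(b"attacker-key", forged_body, hashlib.sha256).hexdigest(),
    }

    hmi = CabHmi(SHARED_KEY, authenticate)
    result = {"genuine": hmi.receive(genuine)}
    result["forged"] = hmi.receive(forged)
    result["shown_after_forgery"] = hmi.displayed
    result["replay"] = hmi.receive(genuine)   # resend of the earlier legitimate page
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("authenticate=%s -> %s" % (mode, run_scenario(mode)))
```

With authentication off, the screen accepts the attacker's page and shows the higher speed; with it on, both the forged page and the replayed old page are rejected and the last genuine page stays on screen. The shared-key design has an obvious limit: a compromised HMI could itself forge pages, which is why a deployed system should rely on server certificates or signatures rather than a symmetric secret held on every screen.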

Something similar has in fact already been carried out as part of a penetration test of security measures on the UK rail network, with pen testers being able to replace the driver’s controls on the screen with their own web pages from a laptop brought onto the train.

This allowed the cybersecurity experts posing as hackers to make their own announcements and change the train's head code, the train reporting number which identifies the service to signallers and from which its route through the network is set.

Call the UK Rail Cybersecurity Team—Check if They Exist First

As part of the show’s narrative, we are informed that UK Rail has its own cybersecurity defence team. This would seem pretty obvious given the critical nature of the infrastructure and the level of threat from external sources.

The UK Rail network itself has no such dedicated cybersecurity defence team, although companies that manage the infrastructure such as Network Rail will have their own cyber security personnel.

Rather than any central department that would handle the security of the network as a whole, it is left to the individual organisations and operators within the rail network to be responsible for their own security.

With no centralised cybersecurity solution in place, this could mean that mitigating the effects of a cyber attack across multiple departments and organisations is a much more complicated and difficult process.

How can Organisations Such as UK Rail Defend Themselves Against the Types of Cyber Attacks Seen in the Nightsleeper Series?

Having looked at the specific hacking methods employed in the BBC series and finding that for the most part, this could be achievable in real life, let’s take a look at an alternative storyline for Nightsleeper, where the UK Rail network is protected by a cybersecurity provider such as Lyon Tech. 

This may not make for an entertaining blockbuster with all the thrills and spills of the original series—

however, in terms of securing critical infrastructure and ensuring passenger safety, it is important to see how organisations such as UK Rail could defend themselves from these types of attacks and which simple measures could be used to stop cyber hackers in their tracks.

Live Infrastructure Monitoring and Intrusion Detection Systems

Through a combination of automated systems and highly trained professional operators, at Lyon Tech we help organisations defend their critical data and network access from all manner of external threats.

With live infrastructure monitoring and intrusion detection systems in place, the moment the SBC—the hacker's computer device—was attached to the train's internal wiring and began talking on the network, an alert would be raised that an unauthorised device was present and access was being attempted. The caveat is that this only works if the onboard network is actually instrumented: switch port security or a device inventory that flags unknown addresses and devices appearing on unexpected ports. A purely passive tap that never transmits will not be caught this way.
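As an added example (not Lyon Tech's product logic or anything from the original article), here is the kind of rule such a monitor would run over switch logs. The inventory of expected devices, the switch syslog lines and the MAC addresses are all constructed for this example; the only real-world detail is that the b8:27:eb prefix on the unknown device is the Raspberry Pi Foundation's registered OUI, which is what a cheap SBC plugged into the floor-space wiring would most likely show.

```python
import re

# Constructed inventory for one vehicle's onboard VLAN:
# MAC address -> (description, switch port it is cabled to). Hypothetical values.
INVENTORY = {
    "00:11:22:aa:bb:01": ("cab HMI",                "Gi0/1"),
    "00:11:22:aa:bb:02": ("onboard web server",     "Gi0/2"),
    "00:11:22:aa:bb:03": ("passenger info display", "Gi0/3"),
}

# Constructed switch syslog lines in the style of MAC-learning notifications.
# Invented for this example; they are not logs from any railway system.
SAMPLE_LOG = """\
2024-11-30T22:14:03Z sw-car3 MAC-LEARN port=Gi0/1 mac=00:11:22:aa:bb:01 vlan=20
2024-11-30T22:14:05Z sw-car3 MAC-LEARN port=Gi0/2 mac=00:11:22:aa:bb:02 vlan=20
2024-11-30T23:41:17Z sw-car3 MAC-LEARN port=Gi0/7 mac=b8:27:eb:12:34:56 vlan=20
2024-11-30T23:52:40Z sw-car3 MAC-LEARN port=Gi0/7 mac=00:11:22:aa:bb:03 vlan=20
2024-11-30T23:55:01Z sw-car3 LINK-UP port=Gi0/7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) MAC-LEARN port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9a-fA-F:]{17}) vlan=(?P<vlan>\d+)$"
)


def detect_rogue_devices(log_text: str, inventory: dict) -> list:
    """Return one alert dict per suspicious MAC-learn event.

    Two conditions are flagged: a MAC that is not in the inventory at all, and a
    known MAC learned on a port other than the one it is cabled to. The second
    catches an attacker who clones a legitimate device's address to blend in."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other message types are not handled by this rule
        mac, port, ts = m["mac"].lower(), m["port"], m["ts"]
        if mac not in inventory:
            alerts.append({
                "time": ts, "severity": "high", "port": port, "mac": mac,
                "reason": "unknown device joined onboard network",
            })
        elif inventory[mac][1] != port:
            name, expected_port = inventory[mac]
            alerts.append({
                "time": ts, "severity": "high", "port": port, "mac": mac,
                "reason": "%s seen on unexpected port (expected %s)"
                          % (name, expected_port),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_devices(SAMPLE_LOG, INVENTORY):
        print(alert)
```

Run against the sample log, the rule produces two alerts on port Gi0/7: first the unknown Raspberry Pi address, then the passenger display's address appearing where it has no business being, which is the signature of an attacker spoofing a known device after their own hardware was noticed. In practice this rule would feed the driver and operator warning described above, and the port number tells the responder which cable run to go and look at.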

This would prompt a range of actions depending on the options selected by the customer. For example, a warning could be sent to the driver and train operator allowing them to bring the train to a stop safely to assess the situation. 

Alternatively, the detection of unauthorised access could trigger a response in the train’s controls and automatically initiate the fail-safes and stop the train immediately, preventing any further harm to passengers and crew.

The source of the breach would also be identified and pinpointed, allowing security personnel to take swift action and contain the threat, with rapid response teams deployed to investigate the incident.

Vulnerability Scanning and Management 

As the show progresses, it turns out that the hackers may have exploited certain vulnerabilities in the system. This includes the firmware in the logic control board and the anti-virus software that was used to protect the train. This gives the hackers a back door into the rail systems and allows them to cause havoc.

At Lyon Tech we provide businesses with automatic vulnerability scanning and management. Long before the hackers had set foot on the train, these systems would have identified the vulnerabilities: the firmware that needed patching and the out-of-date anti-virus or third-party applications that posed a risk.

With the highest-risk findings clearly prioritised, along with recommended remediation steps or automatic updating of software, the vulnerabilities exploited in the show would have been closed before the hackers could find them, leaving them with far fewer ways in.

In this instance, the hackers may have given up on this attack, gone to look for another easier target, or simply abandoned their hacking attempts for the day.

This may not produce the most entertaining show you could find on TV but this would certainly be a better outcome for the fictional passengers and railway staff members onboard the train.

Restricted Access Controls and Privilege Levels 

*Spoiler alert*

Finally, as the series draws to a close, we learn that the cyber attack had not in fact been initiated by an Iranian hacking group as previously suspected.

The NCSC has been compromised from within and one of their former employees “Pev” has used the code developed by their own agent Abby to initiate the attack on the train.

So how would Lyon Tech spoil this shock ending along with the remainder of the show's narrative?

Through restricted access controls and limited privilege levels for users, organisations such as UK Rail can ensure that the files being accessed are only available to those specific users who need them.

So in this example, Abby's Project Mashaad code would have a strictly limited number of people who could see and access this data. This list of personnel may include Abby herself, the supervisor who would review the work and the junior assistants and technical staff working on the project.

Furthermore, access to the project could be restricted to the limited section of code that each staff member was working on.

If it was not required for their specific job role, they would not be given access to a fully usable form of the hacking script that could be misused or cause criminal damage.

With these simple measures in place, the bad guys would never get access to the tools used to launch the attack, the vulnerability or back door would be sealed up tight and offer no way in, and any attempt to interfere with the train's systems would have been immediately recognised and dealt with. 

Secure Your Business Today 

Whilst the events in the BBC series may have been purely fictional, the methods used by the hackers are commonplace, and protecting against these types of attacks is highly important for businesses of any kind.

At Lyon Tech we provide a range of cyber security solutions for our clients including automatic vulnerability scanning and management, live infrastructure monitoring, intrusion detection systems, 24/7 rapid response teams, and ongoing help desk support.

These systems could have reliably stopped the hackers in the BBC series, and helped protect businesses from any number of real-world threats.

We also work closely with businesses to help them develop their own unique cybersecurity framework and corporate cybersecurity policy for their team to understand what is required of them in terms of data privacy and what steps they should take in the event of an incident.