In the BBC's recent six-part drama series Nightsleeper, a train is ‘hackjacked’ while travelling from Glasgow to London, and suddenly finds itself on an uncertain journey with an even less certain destination. It was a drama of course, but it got us thinking: could this actually happen?

In the show, the storyline follows a real-time, fast-moving, heart-in-the-mouth action-adventure/whodunnit over six episodes. It’s a roller coaster ride set across a single night where no-one is ever quite who they seem to be.

Leading the fight are Joe Roag (played by Joe Cole of Gangs of London fame), an off-duty police officer who is a passenger on the train, and Abby Aysgarth (Alexandra Roach, best known for her role in the foreboding 2022 thriller, The Light in the Hall), who plays the acting technical director at the National Cyber Security Centre (NCSC).

To stop the train, they have to work out exactly who’s behind the hack. But are they fighting a hostile state, a terrorist organisation, or organised crime? Who is the self-styled ‘Driver’ who seems to be one step ahead of their every solution?

It's captivating TV, and it got us thinking whether or not a scenario like it could actually happen...and the answer, alarmingly, is yes!

What is ‘Hackjacking’?

In the show a character refers to the train as being hijacked, but they are corrected by another passenger who quips, “actually, it’s a 'hackjacking'...hijacks are so 20th century”. ‘Hackjacking’ a train, often referred to as "train hacking" or "cyber hijacking," is a concept that has gained attention due to the increasing digitisation of transportation systems.

While it's not a common threat today, it is a realistic possibility, especially as trains and rail networks rely more on complex software, automated systems, and the Internet of Things (IoT).

Let's break down the potential risks and see how realistic they are...

How modern trains are controlled

Modern trains are highly dependent on digital technologies for various operations, such as:

• Signal and Traffic Control: Systems like Positive Train Control (PTC), the European Train Control System (ETCS), or centralised traffic control (CTC) manage train movements to prevent collisions and maintain safe distances between trains.

• Communication-Based Train Control (CBTC): Used in metro systems and automated trains, CBTC allows real-time communication between the train and control centres to adjust speeds and manage operations more efficiently.

• Automated Train Control (ATC): Many high-speed and metro systems are moving toward fully autonomous trains, which use sensors, GPS, and computer networks to operate.

• IoT and Cloud-Based Systems: Increasingly, trains and their infrastructure are connected to the internet for real-time monitoring, predictive maintenance, and system updates.

Hacking a train: possible attack vectors

With such heavy reliance on digital systems, trains and rail networks face several vulnerabilities that malicious actors could exploit.

1. Cyberattacks on signaling systems

Train control systems (like PTC or CBTC) that rely on communication networks are vulnerable to man-in-the-middle (MitM) attacks, data spoofing, or denial-of-service (DoS) attacks. A hacker could theoretically disrupt signals, falsify data to cause traffic mismanagement, or overload systems to create confusion and delays.

2. Accessing the train’s internal systems

Many trains use onboard control units for operations such as braking, speed control, and navigation. If a hacker gains access to these systems - especially through unsecured wireless networks or weakly protected software - they could take control of vital functions. For instance, a remote attacker could disrupt the train’s braking system, manipulate acceleration, or cause emergency shutdowns.

3. Ransomware attacks

Just as ransomware has been used to attack hospitals, municipalities, and corporations, trains and their control systems could also be targeted. A cybercriminal could lock up a rail system’s control network, preventing operators from coordinating train movements unless a ransom is paid.

4. Insider threats

Employees with access to the system could either knowingly or unknowingly introduce malware or provide access to external hackers. This kind of threat is more challenging to detect but is a realistic possibility for disrupting train operations.

5. Over-the-Air (OTA) software updates

Some trains and signaling systems receive remote software updates over the air (OTA). If an attacker is able to intercept and manipulate these updates, they could introduce malware or compromise the system. Poorly secured OTA updates are a common cybersecurity weakness in many industries.

6. IoT devices

As more rail systems adopt IoT devices for predictive maintenance and operational efficiency, these devices become potential entry points for hackers. Poorly secured IoT devices, if compromised, could lead to system-wide disruptions or even control failures. 

How realistic is the threat?

While hacking a train was the plot of the BBC’s recent drama, it’s not actually that far-fetched in the current technological landscape. Here are some reasons why this threat is realistic, but also why it’s difficult to carry out (and why you shouldn’t put off your next train journey):

• Increasing digitisation: As trains become more connected and automated, they become more vulnerable to cyberattacks. Rail systems in advanced countries, particularly those using automation, are the most at risk.

• Previous attacks and research: Security researchers have demonstrated vulnerabilities in some transportation systems. In 2016, cybersecurity researcher Ruben Santamarta revealed vulnerabilities in train control systems that could allow hackers to influence signals and traffic. Although no major incidents of train hacking have been reported, these theoretical weaknesses show that the threat is real.

• Complexity and access barriers: The infrastructure for hacking a train is highly complex. It would require significant knowledge of the train's internal systems, signaling protocols, and communication networks. Gaining access to these systems might not be easy unless the hacker can bypass robust security measures or target weak points like IoT devices, employee credentials, or poorly secured networks.

• Increased cyber security focus: Rail operators and governments are increasingly aware of the risks and are implementing stronger cyber security measures. Many rail systems employ encryption, firewalls, intrusion detection systems (IDS), and network segmentation to protect against potential attacks. Regulations and guidelines, like the NIS Directive in Europe or the NIST Cybersecurity Framework in the U.S., are being applied to critical infrastructure like railways.

Real-world incidents

Although no train has been "hackjacked" through hacking in the way the BBC depicted, cyberattacks on transportation infrastructure have occurred. For example:

• In 2021, CNA Financial, one of the largest U.S. insurance companies, reported ransomware attacks disrupting the operations of several services, including railroads.

• In 2017, the WannaCry ransomware attack affected the German national railway system, Deutsche Bahn, causing delays and disruption.

These incidents indicate that the rail industry is a viable target, even if no catastrophic train hackjacking has occurred so far.

Mitigation measures

To reduce the risk of train hijacking through cyberattacks, several measures can be implemented:

• Strong encryption: Ensuring that all communication between trains, control centres, and IoT devices is encrypted to prevent unauthorised access.

• Network segmentation: Separating operational networks (such as train controls) from external networks to minimise the impact of a breach.

• Patch management: Ensuring that all software is updated with the latest security patches to avoid vulnerabilities being exploited.

• Multi-Factor Authentication (MFA): Requiring multiple layers of authentication for access to critical systems.

• Security audits: Regular penetration testing and audits to find and fix security flaws before they are exploited by malicious actors

• Incident Response Plans: Preparing for the worst by developing comprehensive response strategies to minimise damage from cyberattacks.

Conclusion

While hacking a train might not be an everyday occurrence, and the show’s writers used highly OTT dramatisation techniques to make the show more sensational for the viewer, it is actually a realistic threat in today’s digitised world.

With trains becoming more connected and reliant on automated systems, vulnerabilities in cyber security can - and will - be exploited if not properly addressed.

However, rail operators, governments, and technology companies are increasingly focusing on cybersecurity to prevent such scenarios.

The threat is real, but with proper safeguards in place, the risks can be significantly mitigated, and there’s no need to cancel your 13:18 - Glasgow Central to London Euston ticket just yet.

Missed the show? See the trailer below and catch up with all six episodes on the BBC iPlayer.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).