Monday, February 28, 2022

Off Brand Signals on TexRail

A couple years ago I did a post on various off brand signals in the North American market.  You know, companies not named US&S, GRS or Safetran, like L&W or Harmon. While I was sure I didn't have every last signal supplier listed, I had most of the second tier.  Well, it seems that the new TexRail project in Fort Worth has managed to dig up a new supplier...and one old one, to supply some of its signals.

Eastbound track 1 signal at 6th St Interlocking

In the dwarf capacity TexRail chose to use LED searchlights, replacing Safetran Unilens and stacked cube signals in the Fort Worth terminal area that is shared with TRE.

Westbound Track 2 dwarf at Nancy Interlocking

Now, while L&W has an LED searchlight product that is used by Amtrak and Metra, TexRail decided to go with Lindsay Industries, who are best known for making central pivot irrigation systems.  Go figure. These LED searchlight dwarfs were also employed as single lamp varieties at a number of locations along the line.

Westbound Track 1 stick dwarf at Nancy Interlocking

The second oddball supplier was technically covered in that Harmon Industries was purchased by GE in 2001 and that was kind of the last I heard of them, with whatever product lines likely being included in the sale of GE Transportation to Wabtec.

EDIT: According to some comments, Lindsay Industries appear to have inherited the GE / Harmon signaling business, which would explain the GE branded lamp housings.

Westbound Track 1 stick dwarf at Nancy Interlocking

Well to my surprise TRE dug up some literally GE branded signal heads that were made sometime after 2001 when someone bothered to wind down the Harmon brand and change the casting molds.  I am not sure if these were purchased new or used.  Please let me know in the comments ;-)


Saturday, February 19, 2022

Painted Ladies - North American Signal Paint Schemes

In the age of steel and iron, paint was primarily used to protect the metal from corrosion; however, in the world of railway signaling other factors, both aesthetic and practical, played a role. What follows is a brief summary of signal paint schemes over the years.

The simplest is the all black scheme that puts literal emphasis on the signal lamps themselves.  Cheap and available, black paint over the entire signal structure (as opposed to just the signal heads) was popular with northeastern roads like the Pennsylvania and New York Central for use on mast and dwarf signals. Today, all black signal paint schemes are primarily used by PRR-successors Amtrak and the Long Island Rail Road.


Although slightly more complex, the silver scheme was just as popular as all black.  Generally seen on mast signals out west and some signal bridges and cantilevers in the east, a silver paint scheme would reflect sunlight and prevent the signal structure from heating up (an issue that is salient out west and on riveted signal structures).  Of course the backing around the signal lamps remained painted black. 

Championed by Conrail and earlier iterations of CSX, the two tone black and silver paint scheme represented the apex of signal paint design. This scheme keeps the all black paint anywhere in the general eye line of the signal heads, but paints the lower part of the mast silver so that it stands out perhaps in case of power failure. This scheme was used on some CSX and NS controlled lines up through the 90's, however Conrail was its biggest proponent.  Conrail not only applied the black backing paint on otherwise unpainted aluminum structures, but maintained the practice under the auspices of Conrail Shared Assets up until the present day.

 I suspect the primary reason this type of paint scheme was abandoned was because the paint tends to flake off aluminum structures after a decade or two.

The switch to corrosion free aluminum signal structures largely eliminated the need for painted signal equipment.  Aluminum signal heads and targets still needed to be colored black for visibility reasons and turned to factory applied anodized coatings.  This new black-on-unpainted scheme has largely become the standard; however, BNSF has broken from the pack with silver backed signal heads instead of black.  This has seen intermittent use on Union Pacific and some other small railroads.

 


Finally we have the odd duck of the lot in the form of the Western Pacific railroad that painted its signal structures a pleasing mint green.  At a quick glance the paint may appear silver or gray, but closer inspection reveals it to be a very light green.  This unique color scheme faded with the demise of the WP and it is not clear if there are any remaining mint painted WP signals in service.

That's all of the paint schemes I can think up at the moment.  Please let me know in the comments if I missed any.

Saturday, February 12, 2022

Interlockings vs Cyberattacks

 With the use of cyber attacks and physical sabotage increasingly likely, I thought I should take the time to discuss the vulnerability space of good old fashioned railroad interlockings.  I say old fashioned because at this time I do not want to re-hash the security issues associated with CBTC and PTC.  Today I am just going to look at the logic that controls the switches, signals and related interlocking appliances and ways they could be directed to disrupt normal operations, specifically through the creation of unsafe situations.

Railway signaling is implemented by two separate yet equally important parts.  The safety critical logic that detects and prevents unsafe situations, and the control systems that display information to rail controllers and transmit that information to/from field locations. In the same vein, one can attack the interlocking logic or one can attack the control systems and in each of those cases one can try to make the system non-functional or one can try to make the system unsafe.  So before even getting into the various types of technology we can sort the threats and vulnerabilities into those four bins.

Skipping over mechanical or electro-mechanical plants where the interlocking logic and the user interface are united and a human is on site to monitor things, relay based signaling is going to be the most resistant to malicious change.  Relay logic is literally hard wired and extensively tested for safety, meaning that there is little an attacker could do, even if they had full control over the communications link and human interface. In terms of physical attacks and sabotage operations on the other hand, relay logic can be modified with only basic tools.  Although the mess of wires in a relay hut or room is very complicated, the concepts are straightforward and can be determined using the documentation that is often left in each location.  North American style logic is a bit simpler to modify as it relies on high reliability components whereas European style logic uses lower quality components with additional validation logic to check the result.

Solid state or microprocessor based interlocking became all the rage starting in the 1980's and continues to command an increasing share of the market.  This type of technology unfortunately imports all of the problems associated with industrial control systems and Internet of Things from a security point of view.  The good news is that these components undergo rigorous safety and regulatory compliance testing; the downside is that this tends not to include security testing.  Unfortunately I can't just say "this is good because" or "this is bad because" as there are simply multiple ways that any specific vendor may have implemented its technology.  Still, there are some general conclusions that can be reached.



Microprocessors run on code, and code modification and/or code injection forms the basis for most types of malicious exploitation.  Under North American practice, the code is stored on Read Only Memory type modules (likely EEPROMs) and is a regulated item in that no official changes can be made without going through a regulated test procedure. The $64,000 question is whether, in any given case, the processor accepts data or accepts state.  Accepting state means that to request a route the only thing the interlocking logic "sees" is a voltage on a line in the same way a direct wire unit lever relay interlocking machine puts a voltage on a coil to lift a relay.  Accepting state only generally precludes modifying the code.  On the other hand if the interlocking processor accepts bytes of data, it is almost certain that flaws exist within the code that would allow an attacker to take full control of the interlocking process given sufficient knowledge and preparation. The fact that many of these product lines have been around since the 80's or 90's implies that they use older types of processor that have little in the way of hardware based defenses against this type of attack.

Larger issues appear outside of North American practice where interlocking functions are more centralized and therefore have less obvious separation between the safety critical parts and the control system.  Under North American practice interlockings and signal locations in general have to be transferable to new owners.  This means that not only does each location need to be atomic, but forwards and backwards compatible with any control system.  (That pretty much makes it impossible for the signaling hardware to require data.)  Under European practice, centralized interlocking/signaling systems lack the guardrails against plugging the human interface directly into the safety critical processing elements.  I believe that 2 of 3 voting systems are used to gain the desired fail safety performance, but since Europe often considers the human interface as a safety critical system, I would not be surprised if the signaling processors themselves are handling state requests and changes directly. This creates a massive vulnerability for exploitation.

This brings us to the control systems.  Here we need to look at both what is being sent and how it's being sent.  If one is only sending state or state commands, as in the North American system, the signaling control network is pretty much irrelevant.  Over the air or over the internet there is nothing an adversary can do except make the system unavailable (which is a problem, just not a safety problem).  Even if state updates are suppressed, North American dispatchers worked successfully for years in that fashion given the limitations of early wide area CTC systems. European style area signaling schemes run into a different set of problems when signaling logic is centralized.  In this case field equipment such as switches and signals act as dumb terminals and simply do whatever they are commanded to do.  This is where the serious risk lies as it is highly unlikely that a 1980's or 90's grade computing system would have much in the way of "securing" its safety critical messages beyond a parity or other redundancy check. Anyone with access to the communication link would be able to make arbitrary commands including the setting of conflicting routes and display of false clear signals.  Granted many of these area schemes are not wide area and use dedicated lines that can be considered equivalent to some of the longer direct wire control situations in North America, but in an era of IT efficiencies how tempting would it be to replace a bespoke wayside cable link with a VPN running over the internet?
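To make the gap between a redundancy check and real message security concrete, here is an added example (not from the original post or from any vendor's product) that puts a checksum-only receiver next to one that requires a keyed tag and a fresh message counter. The frame layout, key and all names are constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib

KEY = b"constructed-demo-key"  # assumption: secret pre-shared with the field unit


def crc_frame(unit, command):
    """Legacy-style frame (hypothetical layout): payload plus CRC-32."""
    body = struct.pack(">HB", unit, command)
    return body + struct.pack(">I", zlib.crc32(body))


def crc_accepts(frame):
    """Redundancy check only: catches line noise, proves nothing about the sender."""
    return struct.pack(">I", zlib.crc32(frame[:-4])) == frame[-4:]


def mac_frame(unit, command, counter, key=KEY):
    """Authenticated frame: payload, message counter, truncated HMAC-SHA256 tag."""
    body = struct.pack(">HBI", unit, command, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


class FieldUnit:
    """Receiver that accepts only authentic, fresh commands."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = -1

    def accepts(self, frame):
        if len(frame) != 7 + 16:  # 7-byte body + 16-byte tag
            return False
        body, tag = frame[:-16], frame[-16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return False  # altered in transit, or built without the key
        counter = struct.unpack(">HBI", body)[2]
        if counter <= self.last_counter:
            return False  # replay of an old, once-valid frame
        self.last_counter = counter
        return True


if __name__ == "__main__":
    unit = FieldUnit()
    print(crc_accepts(crc_frame(12, 2)), unit.accepts(mac_frame(12, 2, 1, b"wrong key")))
```

The checksum receiver accepts any well-formed frame because the check needs no secret, while the keyed receiver rejects frames built without the key and frames it has already seen.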

In terms of direct sabotage, card based microprocessor systems are somewhat harder to modify than relay ones as they require special reprogramming tools ranging from EEPROM programmers and link cables to the almost certainly proprietary software used by the C&M maintainers.  It's entirely possible that the available tools themselves would not allow for the creation of unsafe situations, thus requiring further reverse engineering.  Nevertheless, cyber-physical systems still have a physical component and it is still possible to move output wires around to create the desired result.

I hope this provides a little insight into how train control and interlocking systems can be attacked by either remote or local actors.  In the grand scheme of things, physical sabotage is generally considered to be beyond the scope of technical security beyond the presence of robust locks and an alarm system. However, during some sort of armed conflict or occupation the possibility of such attacks would increase.


Saturday, February 5, 2022

Approach, Three Ways

 About a year ago I stopped by a local interlocking in the depths of Camden, NJ with a rich Pennsylvania-Reading Seashore Lines history.  CP-BROWN, formerly BROWN tower, is located at the junction of the former West Jersey and Seashore line to Vineland and other points south and the former Atlantic City Railroad Line to Ocean City and Cape May. In 2002 CP-BROWN and the adjacent CP-MILL were changed from position light to Conrail style color light.  15 years later as rail traffic to various South Jersey port facilities increased, Conrail Shared Assets re-signaled CP-BROWN again, adding a new interlocked switch to the former Bulson St yard, but in the process they also modified the northbound signals to reflect new conditions at CP-MILL, specifically the end of signaled track northbound.  

Under NORAC, the signal before a Restricting indication is an Approach type indication and CP-BROWN just happens to have the complete set of NORAC Approach type indications spread across three masts that can display only that and Restricting.  

Main track northbound signal 2N-1 offers up a straight Approach indication with an upper head yellow lamp and Restricting with a lower head yellow lamp.

Signal 2N-2 off the Beesley's Point secondary offers a single yellow lamp on the lower head that is used for both R/Y Restricting and R/*Y* Medium Approach.

Finally the signal off the Bulson St track offers a single yellow lamp on the lowest head for R/R/Y Restricting and R/R/*Y* Slow Approach.  Note, aside from red, all the lamps on the upper two heads are blank. For whatever reason each head has the complete package of triangular mounted Safetran CL-20s and sun visor.

So there you go.  Three masts, three Approach-type indications in each of the three speeds (Full, Medium and Slow) with Restricting the only other option.  Pretty neat!