
DHS disputes memo on purported railway computer breach

Officials with the Department of Homeland Security and railroad industry say there was no targeted attack on a railway company.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

The Department of Homeland Security is disputing a government memo obtained by Nextgov.com that said a targeted attack on the computer network of a railway company in the Northwest disrupted train service in early December.

"Following more in-depth analysis, it appears that the potential cyber incident did not in fact target a transportation entity," a senior DHS official told CNET today. "DHS worked with the affected entity, the FBI, and the Transportation Information Sharing and Analysis Center (ISAC) to resolve the issue and send alerts to notify the community of the anomalous activity as it was occurring."

The official, who asked to remain unidentified, declined to provide additional details.

Government and transportation industry representatives met on December 20 to discuss their response to an alleged December 1 incident at an unnamed railway company, and someone at the Transportation Security Administration summarized the meeting in a memo that Nextgov.com reported on Monday. Nextgov.com did not name the railway company involved.

The memo said that train service was "slowed for a short while" and schedules delayed about 15 minutes after the incident, and the following day "a second event occurred" that did not affect service, Nextgov.com reported. "The conclusion that rail was affect [sic] by a cyberattack is very serious," the memo said.

"Some of the possible causes lead to consideration of an overseas cyberattack," Nextgov.com quoted from the memo. "Investigators discovered two Internet access locations, or IP addresses, for the intruders on Dec. 1 and a third on Dec. 2, the document noted, but it does not say in which country they were located," the report said, adding that "information stating the incidents were a targeted attack was not sent out" until Dec. 5.

DHS spokesman Peter Boogaard said the report was not accurate but said he could not comment beyond providing this statement:

"On December 1, a Pacific Northwest transportation entity reported that a potential cyber incident could affect train service. The Department of Homeland Security (DHS), the FBI and our federal partners remained in communication with representatives from the transportation entity in support of their mitigation activities and with state and local government officials to send alerts to notify the transportation community of the anomalous activity as it was occurring."

Meanwhile, a spokeswoman for the Association of American Railroads (AAR), which also was represented at the meeting, said the memo was inaccurate. "There was no targeted computer-based attack on a railroad," AAR spokeswoman Holly Arthur told Nextgov.com.

"Railroads closely monitor cyber security as a fully integrated part of both the industry's overall security plan, as well as individual company plans. Continuous coordination on cyber security occurs across the industry and with the federal government," she said. "In addition to security measures, railroads like other high tech industries have multiple backup capabilities and ultimately manual operation procedures to address virtually any type of disruption."

In addition to TSA and AAR, representatives from DHS' cybersecurity divisions, the Transportation Department, U.S. Coast Guard, Boeing and information technology provider Indus were also at the meeting, according to Nextgov.com. Those agencies and companies could not be reached for comment this afternoon.

This is the second report of a purported cyber security-related incident that DHS has denied in the past two months. A state government report on a "cyber intrusion" at a water utility in Illinois that surfaced in November was dismissed by the DHS and FBI and turned out to have been a false alarm attributed to a vacationing contract worker remotely accessing the system from Russia.