Taiwan Incident Highlights Cybersecurity Gaps in Rail Systems

ICS/OT SECURITY CYBER RISK CYBERSECURITY OPERATIONS VULNERABILITIES & THREATS NEWS Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific Taiwan Incident Highlights Cybersecurity Gaps in Rail Systems A Taiwanese student experimenting with software-defined radio technology shut down three bullet trains for nearly an hour, leading to an anti-terrorism response. Robert Lemos,Contributing Writer May 14, 2026 5 Min Read SOURCE ERIC107CVB VIA SHUTTERSTOCK The communications and monitoring platforms for rail networks has come under scrutiny following the recent "hacking" of a Taiwanese railway operators' radio system, which led to the emergency stoppage of three high-speed bullet trains for nearly an hour. On April 5, a 23-year-old train enthusiast used a software-defined radio set up and hardware bought online to spoof a general alarm, or GA, alert to the operations center of Taiwan High Speed Rail (THSR). The company issued orders for emergency braking to the three high-speed trains in the vicinity of the signal, resulting in a 48-minute delay in service. While few details have been reported, the compromise may have been simple — a voice or text that announced an emergency situation, says Wouter Bokslag, a founding partner of Dutch cybersecurity consultancy Midnight Blue, which has studied vulnerabilities in emergency radio systems. THSR reportedly used the emergency radio protocol known as Terrestrial Trunked Radio (TETRA), which can be secure, if set up correctly and maintained assiduously, but is also easy to leave in an insecure configuration, he says. Related:AI-Driven Cyberattack on Mexico Couldn't Breach OT Systems "These technologies — the core of it definitely is old stuff, but it's reliable," he says. "The TETRA Network, under certain conditions, can definitely be secure and could be a suitable solution here, but I suspect they were not running the strongest of configurations for their network." Rail systems have increasingly come under scrutiny by cybersecurity researchers and cyberattackers. For two days in August 2023, hackers in Poland — which have a history of targeting trains — used a simple three-tone radio signal to order trains to stop, disrupting transportation in three different regions of the country. A month later, the pro-Iranian hacktivist group Cyber Avengers claimed that it had disrupted trains in Israel, although Israeli officials and cybersecurity firms refuted the claims. The Taiwan incidents appear to be a more sophisticated version of the Poland Radio-Stop incidents, says Lukasz Olejnik, a cybersecurity consultant who studied the Poland incidents. For Poland, the hackers duplicated legacy analog tones that indicated an emergency, he says. "For Taiwan, it apparently required understanding the environment and extracting or cloning the necessary parameters to inject them to cause an alarm," Olejnik says. "The lesson is that communication protocols add resilience only if deployed well and that everything — authentication, key rotation, terminal control, anomaly detection, et cetera —  are actually enforced." Related:Serial-to-IP Devices Hide Thousands of Old & New Bugs From End-of-Train to TETRA Many facets of railway operations are open to cyberattacks and electronic spoofing. In July 2025, for example, the Cybersecurity and Infrastructure Security Agency (CISA) warned that US rail systems had a vulnerability that could allow the easy spoofing of communications to the end-of-train and head-of-train devices, leading to sudden train stoppage or even derailment. The TETRA communications protocol is widely used by emergency responders, police, military, industrial applications, and of course, in rail systems. In 2023, and again in 2025, researchers at Midnight Blue discovered significant vulnerabilities in how the TETRA protocol was implemented, essentially leaving a low-security backdoor accessible to attackers. Following those revelations, the European Telecommunications Standards Institute (ETSI) followed through on a pledge two years ago to publish the security algorithms for TETRA. While allowing public scrutiny of TETRA encryption is good, their accessibility allows attackers to analyze the security, while defenders have the more onerous job of upgrading and maintaining their network, says Midnight Blue's Bokslag. "We have provided the public with all the information that's needed to be able to identify that [a network is insecure], but acting upon that is a complicated process," he says. "What probably exacerbates this is that we've had multiple reports of the system integrators, or even the vendors and equipment manufacturers, giving incorrect recommendations to their clients." Related:Empty Attestations: OT Lacks the Tools for Cryptographic Readiness Rail systems have to deal with the fundamental problem that they have large attack surface areas, are geographically spread out, rely on decades-old legacy systems, and have many remote and hard-to-protect digital communications points, says Sean Tufts, field chief technology officer (CTO) for operational-technology security firm Claroty. "Getting to that last switching station in the middle of a rail line and having the right communications with it and having cybersecurity bolted around it — that is a challenge for every single rail operator in the world," he says. To protect their far-flung assets, rail companies need secure and reliable communications and the ability to collect telemetry from across their network, he says. Drive-By Attacks, For Now ... For the most part, rail disruption has been caused by hobbyist radio hackers and train enthusiasts, rather than by serious cybercriminals or nation-state actors. If that changes and rail systems come under sophisticated attacks, national economies cold be impacted, as demonstrated by the impact of the Strait of Hormuz and the 20% drop in oil flows, Tufts says. "If we had that in the United States — a 20% degradation in rail service — that would have cascading impacts into manufacturing, into goods, into food and beverage," he says. "That one singular pinch point can cause some massive disruptions." Both the Taiwan and Poland rail-stop incidents highlight that attacks on transportation can have significant impact, even when the cause is simple, says consultant Olejnik. Rail operators need to put a greater focus on not only adopting secure technologies, but making sure they are securely deployed. "Railways should migrate away from unauthenticated systems," he says. "Any safety-relevant radio command should be cryptographically and secured against replay and injection attacks." Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now! Read more about: DR Global Asia Pacific About the Author Robert Lemos Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars Your Guide to Securing AI Adoption in Your Organization What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You More Webinars You May Also Like ICS/OT SECURITY Vehicle Tire Pressure Sensors Enable Silent Tracking by Jai Vijayan MAR 03, 2026 ICS/OT SECURITY Trio of Critical Bugs Spotted in Delta Industrial PLCs by Nate Nelson, Contributing Writer JAN 15, 2026 ICS/OT SECURITY AI in OT Sparks Cascade of Complex Challenges by Arielle Waldman DEC 11, 2025 ICS/OT SECURITY Critical Railway Braking Systems Open to Tampering by Nate Nelson, Contributing Writer NOV 19, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS