Poland: The manufacturer Newag allegedly programmed malfunctions into the onboard systems of its Impuls EMUs so that it would receive more repair orders. Newag denies the allegations and plans to take legal action. The Polish antitrust and law enforcement authorities have taken over the case.
The first reports of these suspicions appeared on the Onet website in early December, and the findings were confirmed by the former Polish Minister of Digitalisation and Government Plenipotentiary for Cyber Security Janusz Cieszyński. According to Onet’s investigation, the Impuls EMUs did not start after maintenance by third parties or after travelling 1 million km. Several trains failed to start after 21 November 2022 for no apparent reason.
This has been noticed by regional operators. One of them is Koleje Dolnoslaskie, which contracted the SPS service company for the maintenance of four trains. After the work was completed, the contractor was unable to start the trains and faced a contractual penalty of more than PLN 2 mln (€0.5 mln). The operator sent the trains back to Newag, which rectified the fault for an additional payment.
SPS sought advice from a group of ethical hackers, Dragon Sector. After two months of analysis, they managed to unlock the trains and discovered an undocumented locking code in Newag’s train software. “The system completely blocked the trains when they were in an independent repair shop. It checked various conditions and prevented the trains from moving if any of them were met”, says Dragon Sector. According to the IT experts, the blocked train had no error code, and was ready to start, but when given a start command, it only released the brakes and did not activate the traction systems.
Dragon Sector informed the government, security authorities, and the police of its discovery. The hacker group was then asked via SPS to investigate the cause of the malfunctions in 29 trains belonging to ten operators, including PolRegio, Koleje Mazowieckie, WKD, and SKM.
Newag’s point of view
Newag categorically denies the allegations, describing them as slander from competitors. The company points out that rolling stock maintenance accounts for only about 5% of its revenues, while it is the core business of SPS, which hired Dragon Sector. Newag also claims that it had no physical access to the trains as they had been delivered to the operator and that the train control software works without an internet connection.
To date, Newag has built more than 200 Impuls trains in various modifications. It was explained that the warranty of the trains delivered to Koleje Dolnoslaskie in 2017 had expired and they had been maintained by other companies for six years. In 2022, Newag detected external interference with its control systems, notified the relevant authorities, and made a public announcement. According to the company, the train control software had been hacked and modified.
Newag now believes that the trains “hacked” by Dragon Sector must be taken out of service immediately, as they might be unsafe. However, the IT experts involved insist that they have not tampered with the control system code.
The Polish train manufacturer has announced its intention to take legal action against SPS and Dragon Sector. According to the local railway industry website Rynek Kolejowy, the Polish Office of Competition and Consumer Protection opened a case on 7 December in relation to the published information, following a request from the political party Razem (Left Together). The Krakow prosecutor’s office is also investigating the situation.