Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because the attack vector is now publicly demonstrated with documented, replicable techniques using consumer-grade SDR hardware, but requires proximity to TETRA infrastructure and some radio knowledge, constraining opportunistic exploitation; impact is high because a successful replay or spoofing event directly halts safety-critical operations, creates immediate passenger safety liability, triggers regulatory scrutiny of OT infrastructure, and generates reputational harm disproportionate to the duration of the disruption — the 48-minute THSR halt illustrates that even a brief incident carries outsized consequence in rail operations.
Treatment rationale: The vulnerability is operationally addressable through credential rotation, TETRA parameter management, and authentication hardening — avoidance would require decommissioning safety-critical communication infrastructure, and acceptance is untenable given demonstrated physical safety consequence.
Third-Party / Supply-Chain Risk
TETRA protocol implementations are supplied by a concentrated set of radio infrastructure vendors (e.g., Motorola Solutions, Hytera, Sepura, Airbus DS); organizations operating shared TETRA trunked networks or procuring managed radio services inherit the credential management posture of both the vendor implementation and the network operator. Per NIST SP 800-161, organizations should audit whether radio parameter rotation responsibilities are explicitly assigned in vendor contracts and whether shared-network operators serving multiple rail or transit customers have applied mitigations — a single unrotated parameter set on a shared trunk affects all tenants.
Loss Exposure (illustrative)
Magnitude: High — illustrative $2M–$15M per incident for a major rail operator, reflecting direct revenue loss from halted operations, passenger compensation obligations, emergency response costs, regulatory investigation costs, and reputational impact on ridership confidence; a smaller regional operator would sit toward the lower bound.
Frequency: For an organization with TETRA-dependent OT infrastructure that has not rotated radio parameters, the demonstrated replicability of this attack with off-the-shelf hardware suggests the threat is no longer theoretical — illustrative frequency of 1 significant disruption event per 3–7 years for an exposed operator in a region where the technique has been publicized, with frequency compressing as the technique diffuses.
Annualized: Illustrative ALE: $300K–$5M annually, reflecting the loss magnitude range discounted by the event-frequency framing above; the wide range reflects the difference between a brief partial disruption and a sustained or multi-site event.
Basis: Loss magnitude derived from: (1) revenue impact of halted high-capacity rail operations scaled by train-hours lost, (2) regulatory investigation and remediation cost analogues in the OT/ICS sector, (3) passenger compensation and reputational impact factored qualitatively; frequency derived from: demonstrated public replicability post-disclosure, proximity requirement as a constraint, and the historical pattern of OT exploit diffusion following proof-of-concept publication. No third-party benchmark reports cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• A service disruption causing passenger delays and potential safety incidents may trigger business interruption or contingent business interruption provisions in property or operational insurance policies — verify with broker whether OT/ICS radio spoofing events qualify under policy language.
• Regulatory bodies overseeing rail safety (e.g., national transport safety authorities) may impose mandatory incident reporting obligations following safety-system interference events — verify with counsel whether this incident pattern triggers disclosure or corrective-action mandates in your jurisdiction.
• If TETRA infrastructure is operated under a managed-service or network-sharing agreement, a failure attributable to unrotated vendor-provisioned parameters may raise contractual liability questions regarding which party bears responsibility for credential lifecycle management — verify with counsel.
