In the past couple of days, my Mastodon feed has been full of astonishment about how three Polish IT specialists discovered digital sabotage attempts in trains built by manufacturer NEWAG. The original Mastodon toot is here, and there is more detail about the case in Polish, German and English. Read any of those stories for the technical background as to what NEWAG did, and how they did it, technically.
The question I want to pose here however is a different one. Why did NEWAG want to engage in this digital sabotage, and what might the railway industry learn from it?
The crucial point is the division of responsibilities between companies that manufacture trains – NEWAG being the builder of the Impuls 45WE EMUs in this case – and the companies that carry out mid-life maintenance of trains, Serwis Pojazdów Szynowych (SPS) in this case. SPS does not manufacture trains, but only services them. However this mid-life maintenance of trains can also be carried out by the company that build the trains in the first place, and NEWAG bid for the contract to do this mid-life work, but lost out to SPS.
To see how this works, look at the most recent manufacturing contract that NEWAG was awarded – to build at least 30 and possibly as many as 80 freight locomotives for the leasing company Akiem. “The contract also includes locomotive maintenance services for an eight‑year period starting from the date the 30 locomotives are delivered” the Akiem press release states. But trains are normally designed to be able to operate for at least thirty years, here too leaving the option open for Akiem to give a contract for later life maintenance to someone other than NEWAG.
That not all workshops can maintain all types of train poses problems from time to time. No workshop in France could maintain Trenitalia’s Hitachi built Frecciarossa 1000 trains. These had to return to Milano for repair, but once a landslide blocked the line between Chambéry and Bardonecchia, Trenitalia was forced to limit its services even on the routes that remained open – because it could not get its trains to where they needed to be serviced. Spanish manufacturer Talgo is especially susceptible to this lack of workshops problem – its unusual train design with short carriages and single axels means few facilities can maintain its trains, so the company regularly signs manufacture and 30 years (i.e. whole life) maintenance agreements, like this with Le Train in France.
But back then to NEWAG. It looks like – by coding the geo-coordinates of rival maintenance workshops into the trains’ on board systems and forcing trains to not be able to re-start if serviced at one of those – NEWAG was trying to force operators to use them for maintenance as well. As the news story in English alludes, Dolny Śląsk was on the point of breaking the maintenance contract with SPS just prior to the IT problems being discovered. One presumes that had Koleje Dolnośląskie broken off with SPS, the trains would have been towed to NEWAG’s workshops, would mysteriously have been fixed and we would be none the wiser, and SPS’s reputation for maintaining NEWAG trains would have been trashed.
In other words what NEWAG was doing here was not planned obsolescence of the trains themselves, but a kind of digital sabotage of rival maintenance firms. The trains would not have been obsolescent, but SPS might have been out of business.
Thanks to the amazing work of Michał Kowalczyk, Sergiusz Bazański, and Kuba Stępniewicz it is NEWAG’s reputation that is trashed, rather than SPS’s, and we are all a lot wiser as a result of what these guys discovered. Other railway manufacturers ought to also be aware of trying any such tricks in the future.
This has also brought the challenges for independent maintenance companies to light – with the manufacture of trains being concentrated in the hands of fewer and fewer firms, a de facto if not de jure trend towards the same concentration for mid-life maintenance would have competition implications. Public authorities may also have a thing or two to learn as well – they will now better be able to write contracts that guard against such behaviour by manufacturers in future.
[UPDATE 8.12.2023, 12:30]
Siège à vue on Mastodon pointed me towards an article from The Register that has some further details, and importantly links to Newag’s response to the allegations – the PDF in Polish is here. A few parts of it, translated with Deepl:
Statement on unfounded and unauthorised slander disseminated about NEWAG S.A.
We have not, do not and will not introduce into the software of our trains any solutions that lead to intentional failures.
[…]
This is a slander from our competitors, who are conducting an illegal black PR campaign against us.
The Register also mentions former minister Janusz Cieszyński who seems to rather confirm the SPS take on the story, rather than Newag’s rebuttal.
If it now does turn out that Newag was indeed at fault here, their statement accusing everyone else of irresponsibility is going to look like a very bad decision!
Isn’t this already unlawful? If so, why does it need to be in contracts? If not, why isn’t competition law being strengthened once, rather rely on every contract forever getting new robust words to prevent it?
I don’t know Polish law, so I don’t know. I assume it is illegal, but as this has only recently been discovered it has definitely not been tested in a court yet.
This should set the fate of NEWAG as a rolling stock manufacturer. Such a childish behaviour is inacceptable.
Very often, rolling stock orders do come with a service pack (xx years of spares and (heavy) maintenance). Beyond that time, maintenance is often provided by the owner (through their own workshops), or an independent provider. In any case, the needed documentation has to be provided, and games as mentioned here are simply a no-no. In some cases, this time frame corresponds more or less to the moment for a mid-life overhaul, which may end up as a serious rebuild.
The linked English story states there is a 20000 page documentation manual, but none of these restrictions was mentioned. Unsurprisingly!
NEWAG is a POLISH company. The railway doesn’t even need to go through international channels, just to the cops (assuming sabotage of the railways is a crime in Poland – I’m not finding any law on it).
The polish government & the “Law and Justice Party” in particular should be utterly ruthless here, taking action against the relevant NEWAG management personally along with imposing ruinous fines upon the company.
Pingback: Podcast RSI – Story: Hacker scoprono il Dieselgate dei treni – Bluermes Comunicazione Integrata
The entire sordid affair is laid out in it full shameful glory in this blow-by-blow talk by the team that uncovered this conspiracy and got the trains running again. https://youtu.be/XrlrbfGZo2k
Pingback: Climate: imagine Europe in 2040 – Paris Telegraph
As a computer repair professional who sees first hand how OEMS like Apple, HP, Dell, Sony and others have been making computer hardware harder to repair, I have been keep a close eye on this incident because its the perfect reason to have right to repair legislation adopted in all countries around the world.
I’m trying to find out of there is going to be some kind of result from a government inquiry or the like and wondered if anyone has any information on the progression of what could/shout happen to Newag at this point?
I have not heard anything new in the past month or so, sorry! But I admit following this has not been my main focus.