Modern urban railways extensively use computerizedsensing and control technologies to achieve safe, reliable, and well-timed operations. However, the use of these technologies may provide a convenient leverage to cyber-attackers who have bypassed the air gaps and aim at causing safety incidents and service disruptions. In this paper, we study false data injection (FDI) attacks against railways' traction powersystems (TPSes). Specifically, we analyze two types of FDIattacks on the train-borne voltage, current, and position sensormeasurements -- which we call efficiency attack and safety attack -- that (i) maximize the system's total power consumption and(ii) mislead trains' local voltages to exceed given safety-criticalthresholds, respectively. To counteract, we develop a globalattack detection system that serializes a bad data detector anda novel secondary attack detector designed based on uniqueTPS characteristics. With intact position data of trains, ourdetection system can effectively detect the FDI attacks ontrains' voltage and current measurements even if the attackerhas full and accurate knowledge of the TPS, attack detection, and real-time system state. Extensive simulations driven byrealistic running profiles of trains verify that a TPS setup isvulnerable to the FDI attacks, but these attacks can be detectedeffectively by the proposed global monitoring.