A cyber-physical system (CPS) is an entanglement of physical and computing systems by real-time information exchange through networking, which can be considered as realtime IoT because of end-to-end real-time performance guarantee. Most societal infrastructures, such as transportation systems, smart power grid, smart factory, and smart buildings, are key application domains of CPS. Though there have been extensive studies on infrastructures from the perspective of cyber security, insufficient research has been conducted from a practical viewpoint of cyber-physical security. In this paper, we focus on train control systems as one of the critical infrastructures. We fully investigate the emerging de facto standard of train control systems, communication-based train control (CBTC). We analyze the cyber-physical vulnerability of CBTC and discover that a man-in-the-middle attack combined with knowledge on train signaling can cause train collisions in CBTC. To resolve the issue, we propose a countermeasure for resiliency of CBTC. By implementing a realistic CBTC testbed, we validate our analysis. To the best of our knowledge, this is the first in-depth empirical study on cyber-physical vulnerability of CBTC systems.