Cyber Security in Railway Signalling


As innovations in device connectivity and software engineering continue to advance, transportation systems are undergoing large-scale upgrades to benefit from them. In railways, the combination of sophisticated software and communication equipment is the hallmark of new high-performance systems, including safety-critical ones such as Automatic Train Control (ATC) and Computer Based Interlocking (CBI), which need extensive security engineering to cope with the new cyber risks introduced by digitalization.

According to the European standard EN 50129, when a safety-related system exchanges information via a transmission system (TX), the transmission system is considered part of the safety-related system and communication security must be demonstrated. Another main European standard covering cyber security is EN 50159: Railway application – Communication, signalling and processing systems. It defines security requirements intended to guarantee secure communications between safety-critical equipment over an open or a closed transmission system. Although these requirements depend strongly on the system’s features, the standard distinguishes three types of transmission systems to simplify security demonstrations. The classification criteria include the precise definition of the parts of the equipment intended to connect to the transmission system, knowledge of the transmission system’s characteristics during the equipment life cycle, and the risk of unauthorized access to the transmission system.

The EU standard identifies a number of root causes affecting transmission systems in railway signalling, including loss of connection, wiring errors, performance loss, electromagnetic interference (EMI), human errors, TX system overload, fading effects, cross-talk, implementation errors… These threats can drive the system toward a generic message error such as repetition, deletion, masquerade, insertion, incorrect sequence and inconsistency.

In order to reduce the risks corresponding to the previous threats, the system design shall consider basic defence methods such as the following:

  • Sequence number
  • Time stamp
  • Timeout
  • Source and destination identifier
  • Feedback message
  • Identification procedure
  • Safety code
  • Redundancy
  • Cryptographic techniques
  • Prioritization of messages
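
The following receiver-side check is an added example, not code from the standard or from this article, showing how several of the listed defences combine to catch the message errors named above. The frame layout, the use of HMAC-SHA256 as the safety code, the pre-shared key, the synchronized millisecond clocks and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (constructed for this example, not from EN 50159):
# source id, destination id, sequence number, timestamp (ms), payload length
HEADER = struct.Struct(">HHIQH")
TAG_LEN = 32  # HMAC-SHA256 stands in for the safety code / cryptographic technique

def build_frame(key, src, dst, seq, ts_ms, payload):
    body = HEADER.pack(src, dst, seq, ts_ms, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key, own_id, peer_id, start_ms, max_age_ms=500, timeout_ms=1000):
        self.key, self.own_id, self.peer_id = key, own_id, peer_id
        self.max_age_ms, self.timeout_ms = max_age_ms, timeout_ms
        self.expected_seq, self.last_ok_ms = 0, start_ms

    def timed_out(self, now_ms):
        # Timeout: no valid message for too long (loss of connection, deletion).
        return now_ms - self.last_ok_ms > self.timeout_ms

    def check(self, frame, now_ms):
        """Return (verdict, payload); payload is None unless accepted."""
        if len(frame) < HEADER.size + TAG_LEN:
            return "malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad_safety_code", None  # corruption, or sender without the key
        src, dst, seq, ts_ms, plen = HEADER.unpack_from(body)
        if len(body) != HEADER.size + plen:
            return "malformed", None
        if (src, dst) != (self.peer_id, self.own_id):
            return "wrong_source_or_destination", None  # misrouted or inserted
        if not 0 <= now_ms - ts_ms <= self.max_age_ms:
            return "stale_timestamp", None  # delayed or replayed later
        if seq < self.expected_seq:
            return "repetition", None
        if seq > self.expected_seq:
            return "sequence_gap", None  # deletion or incorrect sequence
        self.expected_seq, self.last_ok_ms = seq + 1, now_ms
        return "accepted", body[HEADER.size:]
```

Any verdict other than "accepted", or a true result from timed_out, is where a real system would trigger its safe reaction; the example only classifies the frame and leaves the receiver state unchanged.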

Finally, security requirements must appear in the system’s functional specification as well as the system’s safety specification. Furthermore, these requirements are integrated in the final safety case.


