Industry and Science encountering railway security together
This post has been written by Markus Heinrich (Technische Universität Darmstadt).
The number of threats to information and communication technology systems worldwide is steadily increasing. The media constantly report data leaks and attacks on the IT infrastructures of large companies. This situation does not stop at the operators of critical infrastructures. In railway signalling in particular, the use of commercial off-the-shelf products and public networks is becoming more and more prevalent. The advantages are apparent: standardization can reduce costs and simplify maintenance and operation. At the same time, however, cyber-attacks are becoming more likely. The use of public networks makes it easier for an attacker to reach safety-critical systems, and the use of standardized industrial components carries the risk of importing known vulnerabilities into industrial control systems, and into railway command and control systems (CCS) in particular. A major threat stems from cyber-attacks that exploit such known vulnerabilities to cause the greatest possible damage. In a railway system, this can quickly lead to significant damage to property or even to danger to life and limb. The task of cybersecurity is to protect the critical infrastructure of railway operations as well as possible against such attacks.

Railway signalling technology sits at the intersection of functional safety and IT security. On the one hand, a high level of safety has been developed and established over decades and across all generations of interlocking systems, but this safety cannot provide security against cyber-attacks. On the other hand, there is an increasing need to protect networked safety systems against IT attacks. However, safety and IT security cannot always be combined without friction. For example, the regular and short-notice software updates that are customary in IT security for closing vulnerabilities are difficult to implement in signalling, because any interference with safety must be excluded.
In order to counter the security threats to railway CCS, the Cybersecurity for Safety-Critical Infrastructure Working Group (AG CYSIS) was founded in January 2016 by Deutsche Bahn (DB) and Technische Universität Darmstadt to facilitate a comprehensive exchange between industry and science on cyber security issues in the field of railway control and safety technology. As a first result of this intensive discussion, a white paper with recommendations on the design of "Resilient Architectures in Railway Signalling" was presented at an AG CYSIS symposium in 2016. A resilient architecture provides the best possible protection against cyber-attacks. First, future generations of railway CCS should be prepared for attacks from outside. Second, a resilient system should be able to react to these attacks and maintain its most essential functions, if necessary with restrictions. Third, the railway CCS should be able to return to a defined system state in a timely manner after an attack has been averted.
AG CYSIS formulated a total of 18 recommendations on how the required resilience can be achieved. They cover all phases of the IT security lifecycle of railway CCS. Systems should be hardened before commissioning and equipped with technical safeguards against cyber-attacks. However, these measures will not prevent every attack. Therefore, future railway CCS technology must give the operator the means to detect an attack during operation and to initiate corresponding countermeasures. In general, the white paper calls for greater flexibility and modularity of the systems. On the one hand, this allows a compromised subsystem to be isolated in order to limit the effects of an attack. On the other hand, hardware and software can more easily be replaced by improved versions. One of the central requirements of the white paper concerns the end-to-end security of communication. Because it can no longer be assumed in future that railway command and control systems communicate only over closed networks, the communication must be protected against tampering by an attacker in order to guarantee the authenticity of the messages. Unlike in other areas of IT security, however, confidentiality of the messages is not a primary goal. The required state of the art for end-to-end security is provided by well-known encryption and digital signature techniques. This implies additional requirements for resilient architectures, such as the secure generation and revocation of cryptographic keys and the implementation of secure key exchange procedures. In future, a key role will be played by the detection of manipulation of the software running in the deployed components. In safety-critical systems, tests already ensure that the software and configuration correspond to a planned nominal state.
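As an added illustration of the end-to-end requirement (example code written for this post, not code from the white paper, DB or any deployed CCS): each message carries a key id, a monotonic sequence counter and an HMAC-SHA256 tag while the command payload stays readable, mirroring the priority of authenticity over confidentiality. The frame layout, the key ids, the key store and the sample signal command are assumptions. A shared symmetric key is used for brevity; where non-repudiation between operators or suppliers is needed, the tag would be a digital signature, as the white paper lists.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not AG CYSIS code. Assumed wire format: 2-byte key id,
# 8-byte sequence counter, cleartext payload, 32-byte HMAC-SHA256 tag.
HEADER = ">HQ"
HEADER_LEN = struct.calcsize(HEADER)  # 10 bytes
TAG_LEN = 32


class KeyStore:
    """Symmetric keys by id. A revoked id stays known so that frames
    authenticated with the old key are rejected, not treated as unknown."""

    def __init__(self):
        self._keys = {}
        self._revoked = set()

    def generate(self, key_id):
        # Fresh key from the OS CSPRNG; a deployment would obtain it from a
        # key management system via a secure key exchange, not generate it here.
        self._keys[key_id] = secrets.token_bytes(32)

    def revoke(self, key_id):
        self._revoked.add(key_id)

    def get(self, key_id):
        if key_id in self._revoked:
            return None
        return self._keys.get(key_id)


class Sender:
    """Builds authenticated frames; the counter lets the receiver detect replays."""

    def __init__(self, keys, key_id):
        self.keys = keys
        self.key_id = key_id
        self.seq = 0

    def send(self, payload):
        key = self.keys.get(self.key_id)
        if key is None:
            raise ValueError("sending key unknown or revoked")
        header = struct.pack(HEADER, self.key_id, self.seq)
        self.seq += 1
        tag = hmac.new(key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    """Checks key validity, then the tag, then freshness. The tag is verified
    before the counter is updated so a forged frame cannot move the window."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def verify(self, frame):
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None, "truncated"
        key_id, seq = struct.unpack(HEADER, frame[:HEADER_LEN])
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        key = self.keys.get(key_id)
        if key is None:
            return None, "unknown or revoked key"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        if seq <= self.last_seq.get(key_id, -1):
            return None, "replay"
        self.last_seq[key_id] = seq
        return body[HEADER_LEN:], "ok"


def run_scenario():
    """Constructed scenario: genuine, replayed, tampered and post-revocation frames."""
    keys = KeyStore()
    keys.generate(1)
    sender, receiver = Sender(keys, 1), Receiver(keys)
    # Constructed sample command; it travels in the clear by design.
    payload = b'{"cmd":"set_signal","signal":"N3","aspect":"proceed"}'
    results = {}

    frame = sender.send(payload)
    results["cleartext_visible"] = payload in frame
    results["genuine"] = receiver.verify(frame)[1]
    results["replayed"] = receiver.verify(frame)[1]

    # Attacker flips one bit inside the aspect field of a fresh frame.
    frame2 = bytearray(sender.send(payload))
    frame2[HEADER_LEN + payload.index(b"proceed")] ^= 0x01
    results["tampered"] = receiver.verify(bytes(frame2))[1]

    # A frame built with key 1 arrives after key 1 has been revoked.
    frame3 = sender.send(payload)
    keys.revoke(1)
    results["after_revocation"] = receiver.verify(frame3)[1]
    return results
```

The counter is the minimum replay protection; the key store stands in for the key generation, exchange and revocation machinery that the white paper lists as a consequence of end-to-end security.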
In order to ensure that this check remains possible in future, even in the presence of an attacker, the systems should be able to verify their own integrity and attest it to third parties. IT security research already offers many concepts for this, and they should find their way into future safety systems. Runtime integrity checks of software are one of many sensors that can be placed in the network to detect cyber-attacks and respond to them quickly. In future, their reports and the messages from other sensors will have to be aggregated centrally in a Security Operations Center (SOC), so that experts can make an informed assessment of the IT security situation. On this basis, it can be decided whether safe operation of the railway infrastructure remains possible despite a cyber-attack.
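The integrity check and attestation described above, as an added example written for this post (not a scheme from the white paper or any DB component): a component hashes its binary and configuration on request, binds the measurements to a verifier-supplied nonce and a device key, and the verifier compares them against the nominal manifest recorded at commissioning. The component name, file paths, file contents and the HMAC-based attestation are assumptions; the device key stands in for a hardware-protected attestation key, and the measuring code itself is assumed trustworthy, which is exactly what a hardware root of trust has to guarantee in a real system.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not AG CYSIS code. The device key is a stand-in for a
# hardware-protected attestation key; the measurement code is assumed honest.


def measure(files):
    """Hash every artefact (binary, configuration) of a component.
    files: dict path -> bytes. Returns dict path -> SHA-256 hex digest."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def _canonical(report):
    # Deterministic encoding so sender and verifier authenticate the same bytes.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


class Component:
    """A signalling component that measures itself when challenged."""

    def __init__(self, name, files, device_key):
        self.name = name
        self.files = files
        self.device_key = device_key

    def attest(self, nonce):
        report = {"component": self.name, "nonce": nonce.hex(), "measurements": measure(self.files)}
        tag = hmac.new(self.device_key, _canonical(report), hashlib.sha256).hexdigest()
        return {"report": report, "tag": tag}


class Verifier:
    """Holds the nominal manifests from commissioning plus each component's key.
    Results are (status, list of deviating paths)."""

    def __init__(self, manifests, device_keys):
        self.manifests = manifests
        self.device_keys = device_keys
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def check(self, attestation):
        report, tag = attestation["report"], attestation["tag"]
        key = self.device_keys.get(report.get("component"))
        if key is None:
            return "unknown component", []
        expected = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad tag", []
        nonce = bytes.fromhex(report["nonce"])
        if nonce not in self.pending:  # old report replayed instead of a fresh measurement
            return "stale or unknown nonce", []
        self.pending.discard(nonce)
        nominal, measured = self.manifests[report["component"]], report["measurements"]
        deviations = sorted(p for p in set(nominal) | set(measured) if nominal.get(p) != measured.get(p))
        return ("ok", []) if not deviations else ("deviation", deviations)


def run_scenario():
    """Constructed scenario: nominal state, modified configuration, replayed
    report, and a report with forged measurements."""
    # Constructed sample artefacts of a hypothetical interlocking component.
    files = {
        "/opt/ixl/bin/interlocking": b"\x7fELF constructed binary image",
        "/etc/ixl/config.yaml": b"station: Darmstadt\nsignals: [N1, N2, N3]\n",
    }
    device_key = secrets.token_bytes(32)
    comp = Component("ixl-01", dict(files), device_key)
    verifier = Verifier({"ixl-01": measure(files)}, {"ixl-01": device_key})
    results = {}

    first = comp.attest(verifier.challenge())
    results["nominal"] = verifier.check(first)

    # Attacker alters the configuration on the component.
    comp.files["/etc/ixl/config.yaml"] = b"station: Darmstadt\nsignals: [N1, N2, N3, N4]\n"
    results["modified_config"] = verifier.check(comp.attest(verifier.challenge()))

    # Attacker replays the earlier clean report instead of measuring again.
    results["replayed_report"] = verifier.check(first)

    # Attacker edits a fresh report to claim the nominal state without the key.
    forged = comp.attest(verifier.challenge())
    forged["report"]["measurements"] = measure(files)
    results["forged_report"] = verifier.check(forged)
    return results
```

The deviation list is the kind of sensor event that would be forwarded to the SOC; on its own it says which artefact differs from the planned nominal state, and the experts there decide what that means for continued operation.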
AG CYSIS has completed its work on resilient architectures and continues to refine the 18 recommendations in several subgroups. The work on business continuity management and on a closer look at the co-existence of safety and security (subgroup "Security for Safety") has recently been completed. Currently, subgroups are dealing with security aspects of the European Train Control System (ETCS), the Internet of Railway Things (IoRT), and a security review that aims to be comprehensive by covering railway signalling, rolling stock, and fixed installations.