This post was written by Christian Schlehuber & Till Voß (DB Netz AG)
Frankfurt, July 30th
Control and safety systems play a central role in the safe operation of rail networks. In the early days, circa 1900, the safety of trains was ensured by mechanical interlockings. Since then, interlocking systems have evolved into complex electronic interlocking systems. Along with this evolution in functionality and distribution, the general architecture and behaviour of the interlockings have also changed. While in the beginning only a minimum of interaction with external systems was required, modern electronic interlockings and operations control centres (OCCs) are invariably connected to a wide variety of internal and external systems. Also, while most communication still transpires on dedicated networks, the current trend, driven by functionality and cost, is to increasingly make use of public communication channels as well.
Each new interlocking design aims at improving the protective safety functions in response to previous incidents. This continuous improvement process has made railway transportation one of the safest public infrastructures. However, in recent years new challenges for control and safety systems have arisen from a change in the threat landscape, both in society and in how the systems are used. Additionally, the tighter coupling of systems and the diminishing error-tolerance thresholds (for economic reasons) imply higher damage consequences when something does go wrong.
In earlier years, the greatest threats to railway transportation were either technical failures or human errors, i.e., operational errors caused by the actors of the system. Only in rare cases were errors caused intentionally by actors external to the system. Unfortunately, modern railway systems are increasingly attacked by external adversaries. Deliberate attacks of this kind on control and safety systems have so far been considered only at an incipient level. Due to the increasing number of attacks by external actors and the increasing potential for damage, these are no longer incidental issues: they need to be addressed comprehensively, in a way that also accounts for the new technological developments.
This development is also reinforced by the ongoing digitalization and standardization of control command and signalling systems, which is driven by the aim of railway operators to achieve better performance and lower prices for interlocking components. Consequently, commercial off-the-shelf (COTS) components are increasingly being used to build safety-relevant components. In addition, standard commercial network equipment and standard protocols are utilized, and the systems are connected through backbone networks to enable the control of several track regions from a single control centre.
As public transport is essential to our everyday life, it is unambiguously categorized as a Critical Infrastructure (CI). National and European legislation is currently establishing new laws that require operators to ensure the availability of their service even under attack scenarios. The German IT-Sicherheitsgesetz (IT Security Law), enacted in July 2015, is one example of a national law on CIs. At the European level, the Network and Information Security (NIS) directive entered into force in August 2016 and will also influence modern interlocking architecture.
Given the changing technological and legal situation, railway operators are required to extend their safety systems with security technologies to ensure that an attacker is not able to exert any negative influence on the safety of the system.
However, simply introducing security is not as easy as it may appear. Security and safety are related, but they are also very different domains with different terminologies, assumptions, processes and objectives. Safety deals with hazards originating inside the system, due to malfunctions or hardware failures, while security addresses attackers who actively want to manipulate a system. Also, security often relies on reactive approaches, such as rapid patching when a new exploit is found. In contrast, safety-related systems cannot be directly patched without a full consideration of the operational and regulatory conformance implications for the overall system. If a change is introduced that could affect the safety-relevant parts of the system, a new approval by the National Safety Authority is required. This entails a comprehensive cause-effect analysis that typically takes several months.
Due to such constraints, the introduction of security elements into the domain of railway signalling has to be done carefully. Within CIPSEC, DB Netz aims at finding solutions for applying standard IT security solutions and services to its CI domain. To this end, DB Netz contributes its domain knowledge to the project and evaluates the solutions and services against its own requirements and against those of the European railway industry.
CIPSEC project results receive funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.
The opinions expressed and arguments employed in this publication do not necessarily reflect the official views of the Research Executive Agency (REA) nor the European Commission.