Categorie Filter

Actual Themes

Cyber Security for Railways

Railway infrastructure and cyber threats

According to the EU NIS Directive (Security and Information Systems), rail services are essential public services and are part of the national critical infrastructure; therefore, they must be protected from cyberattacks.

In recent years, railway and metro systems have suffered cyberattacks, luckily with no relevant casualties being reported. Unfortunately, it is inevitable that such cyber threats will rise, thus increasingly affecting railway safety. As train control systems are moving to open standards based on mobile communication and IP (Internet Protocol) technologies, cyber security measures are necessary to assure the on-going safety of these systems.

Technological and cultural changes

As part of essential transport systems, railway and metro networks must be resilient against cyberattacks. Digitization of the business operation – introduced in order to increase efficiency – comes with inherent cyber threats. Before, legacy infrastructure used to rely on closed proprietary systems protected by so-called 'air gaps'; that is, without any external data connection. Today we know that such air gap protected systems are also vulnerable to cyber threats. In the Polish city of Lodz, a 14-year-old boy exploited their vulnerability using a TV remote control to deviate trams. The result was 14 injured persons and 4 damaged trams.

The increasing use of open standards – like Ethernet, IP and LTE – involves not only a technological change but also a cultural one. This change affects the procedures with which operators, train builders and their providers must manage cyber risks. The approach for providing cyber security needs to be holistic, considering the entire life cycle of the railway systems. It is important to integrate cyber security measures in an early design stage, using a top-down approach – from the higher-level systems down to the train components. This security by design will effectively mitigate cyber risks.

Selectron Cyber Security Logozoom

A railway system's life cycle lasts more than 20 years. This increases complexity, because legacy systems need to work in a constantly changing environment and are becoming more vulnerable over time.

 

Cyber security is increasingly being regulated by governments due to its importance for the well-being of the society and economy. Operators are requesting mandatory protection measures from their providers to be more resilient against cyberattacks and comply with international regulations like the EU NIS Directive. Non-compliance can be punished with fines reaching up to 4% of global turnover, even if the issue is caused by a provider in the supply chain of the operator.

In 2018, the Knorr-Bremse Rail Division has created a Competence Center Product Cyber Security (CCPC) to put in place cyber security measures by design with a holistic approach: Considering technology, processes and people. The CCPC is creating a governance framework based on the IEC 62443 standard and is collaborating within CENELEC on the development of a railway-specific standard. The aim is to implement a Defense-In-Depth concept with multiple layers of protection measures.

In order to exploit synergies, the CCPC is located at Selectron Systems AG, as Selectron already has sound expertise and is currently developing TCMS products with integrated protection and recognition functions.

The CCPC is actively working on introducing key processes, including risk management and a comprehensive security life cycle for the development of new secure products. Advanced training for secure software development organized by the CCPC is enabling Knorr-Bremse developers to build in security by design.

For legacy installations, Selectron is currently creating solutions to detect intrusions and raise alerts in the event of anomalies. This allows EU-NIS-compliant modernization of existing fleets without expensive updating of the control technology.

Knorr-Bremse and Selectron are therefore at the forefront of protecting future and legacy train systems against impending cyber threats.

In future articles, we will talk in detail about cyber threats, potential attackers, standards and many more issues related to the complex cyber security world.

 

Subject to technical changes and amendments to technical specifications at any time.

 
worldwide references selectron

Selectron Systems AG - Bernstrasse 70 - 3250 Lyss/Schweiz     
T +41 32 387 61 61 - info@selectron.ch