1 Introduction

The development of Intelligent Transportation Systems (ITS) integrating Information and Communication Technologies (ICT) leads to an increase in services and features, but also to a larger attack surface exposed to various kinds of attacks. For instance, in the context of the European Rail Traffic Management System (ERTMS), a vulnerability, once found, can impact all the systems across Europe. Railway systems are moving towards more intelligent and connected systems, which offers new opportunities to attackers and cyber-criminals. Security has to be considered in the transport domain for the protection of operators, for economic reasons and for the security of citizens. New goals appear with the increase of security, such as the identification of assets and threats and the identification of good Cyber Security practices.

The transport domain faces many challenges. First, there is no European law on Cyber Security for transport. Furthermore, the sector is still confronted with a low level of awareness. Finally, Railway stakeholders have difficulty dedicating budget to this specific topic (it brings no contribution in terms of services and market share).

Cyber Security remains an increasingly important topic, especially for Railways. The Railway system represents a critical infrastructure. Each Railway and/or Infrastructure Manager has to protect its own infrastructure. The use of heterogeneous technologies and software solutions leads to very varied and disparate data sets.

Protecting these data requires complex and multidimensional protection. The ever-increasing number of devices, processes and services implies an enormous amount of data to process. The Cyber Security process has to be integrated at all phases of the product lifecycle. The current trend is security-by-design, in which security is integrated into the development process from the beginning.

From an information security perspective, the main concern for the Railway sector is to reduce the risk of potential data loss and to ensure steady and stable rail operation. A problem can have serious consequences, such as a train stop (emergency braking, system failure), negative economic effects, loss of confidence and, in the worst case, an accident. Protection measures against cyber-attacks in the Railway sector are not yet fully developed. First, there is a lack of awareness of new risks. Second, the risks are not fully considered because of the high level of safety in the railway domain. The security aspects in the Railway sector are also strongly related to the safety of the system. Cyber Security in the Railway domain consists in securing a safe system. Cyber Security for Railways implies the protection of information systems against theft or damage, defence against attacks, external and internal risks…

Fig. 1 illustrates a list of vulnerabilities and possible attacks on the Railway system. The different levels of attacks are highlighted, such as malware at the Operation Control Centre or interlocking, wireless attacks on wireless communications (GSM-R), password attacks on the Radio Block Centre, etc.

Fig. 1. Vulnerabilities and possible attacks on the Railway system, from [1]

The paper presents an overview of the current situation of Railways regarding Cyber Security. Some examples of cyber-attacks are presented. The legal framework is highlighted and the current initiatives and projects are detailed. A focus on the works performed in the context of the Shift2Rail initiative is presented. Finally, we conclude.

2 Examples of Cyber-Attacks in the Railway Domain

Four specific examples of cyber-attacks on Railway systems can be highlighted.

In 2008, a teenager derailed four tram trains in Lodz, Poland by using an adapted TV remote. Several injuries occurred.

In 2011, in the northwestern United States, hackers attacked remote computers, stopping the train signals for two days.

In 2015, North Korea was suspected of hacking the subway system in Seoul for several months. Dozens of terminals were infected with malware.

Finally, in November 2016, the ticketing system of the BART in San Francisco was attacked by ransomware that encrypted the hard disks of the ticket vending machines. During a weekend, the public transport infrastructure was available for free until a solution was found.

In all these examples, no incidents with dramatic consequences occurred, but they demonstrated the vulnerability of Railway systems.

3 Legal Framework

3.1 Set of Standards

For a systematic approach of information security, a set of standards was developed by industry associations and standardization bodies on security, such as:

  • ISO 27001 (International Organization for Standardization), revision 2013: the most widespread worldwide, it covers aspects of information security management systems, mainly used by Railway operators;

  • NIST SP800-53 (National Institute of Standards and Technology - US): it represents a more complete and current description than ISO 27001;

  • ISA/IEC 62443 (International Society of Automation/International Electrotechnical Commission): it relies on a series of standards dealing with industrial communication networks – network and system security. It is mainly used by manufacturers;

  • APTA (American Public Transportation Association): it consists in security and resource programs that help maintain and improve the security of resources, employees and customers;

  • Network and Information Systems (NIS) Directive: it is a dedicated European regime corresponding to a directive on network and information system security. It is the main support tool for cyber-resilience in Europe with new requirements for network and information security for critical infrastructure operators;

  • In France, EBIOS is a methodology promoted by the ANSSI (National Agency for the Security of Information Systems). It must be used by the Vital Infrastructure Operators. That methodology is only used in France.

3.2 Zoom on NIST Framework

The NIST framework corresponds to the Framework for Improving Critical Infrastructure Cybersecurity. It represents a set of standards and best practices to help organizations manage Cyber Security risks in a cost-effective way. The framework is divided into 5 core functions presented in Table 1.

Table 1. Core functions of the NIST framework

The other standards have more or less the same notions, sometimes using the same vocabulary but with different meanings. For instance, several methods use words like “threat”, “consequence” and “top event”, but each standard gives these words a different meaning. Mapping from one standard to another is a difficult task. Moreover, each stakeholder has its own internal process for security assessment, so that sharing experience is difficult (when it is possible at all). Train manufacturers are also dependent on the methodologies and standards required by their customers.

4 Research Projects Dedicated to Cyber Security for Railways

Previous and current projects have already addressed the topic of Cyber Security for Railways. This section presents the main ones.

ERTMS/ETCS project

Some previous security studies were performed in the context of ERTMS/ETCS. The Cyber Security system should also provide communication services for the signalling system, and it is obvious that security breaches can have serious safety consequences.

PROTECTRAIL project

The objective of PROTECTRAIL [2] was to integrate the growing influx of security technologies into rail operations and make them interoperable to improve security. For this reason, PROTECTRAIL designed an interoperability framework built on a system-of-systems approach. This interoperability framework is a modular architectural framework into which asset-specific and interoperable security solutions can be “plugged”, giving operators and infrastructure managers the possibility to continuously adapt their security systems to the changing security.

SECUR-ED project

The SECUR-ED [3] project was a demonstration project with an objective to provide a set of tools to improve urban transport security. Based on best practices, the SECUR-ED project integrated an interoperable mix of technologies and processes, covering different aspects; from risk assessment to complete training packages. These solutions also reflected the very diverse environment of mass transportation and also considered societal and legacy concerns.

CARONTE project

The aim of the CARONTE [4] project is to Create an Agenda for Research ON Transportation sEcurity. The objective of the project is then to define a future research agenda for security in land transport that focuses on core gaps caused by emerging risks while avoiding any doubling-up of research elsewhere.

SECRET project

The SECRET [5] project aims to assess the risks and consequences of intentional electromagnetic (EM) attacks on the rail infrastructure, to identify preventive and recovery measures and to develop protection solutions to ensure the security of the rail network, subject to intentional EM interferences, which can disturb many command-control, communication or signalling systems.

CIPSEC project

The objective of the CIPSEC project is to enhance Critical Infrastructure Protection with innovative SECurity framework. CIPSEC aims to develop a Security ecosystem through additional services including vulnerability testing, recommendations, training modules, standardization, protection against cascading effects, etc. The solutions and services will be evaluated in three environments: transport, health and environment.

5 Zoom on Shift2Rail Initiative

5.1 Introduction on the Joint Undertaking

Shift2Rail [6] is the first European rail joint technology initiative to seek focused research and innovation (R&I) and market-driven solutions by accelerating the integration of new and advanced technologies into innovative rail product solutions. Shift2Rail will promote the competitiveness of the European Rail Industry and will meet the changing EU transport needs. Through the R&I carried out within this Horizon2020 initiative, the necessary technology will be created to complete the Single European Railway Area (SERA).

The Joint Undertaking (JU) Shift2Rail is composed of 5 Innovation Programmes (IP), including IP2 on Advanced Traffic Management and Control Systems.

The activities on IP2 started in September 2016, through the X2Rail-1 project, which involves 19 partners from the Railway sector coming from 9 countries (France, Germany, Belgium, Austria, Britain, Sweden, Spain, Italy, and the Czech Republic). The project covers various topics supported by 6 technical workpackages (WP).

5.2 Cyber Security in the Shift2Rail Context

One of the WPs of the X2Rail-1 project deals with Cyber Security for railways.

The main objectives of the WP dealing with Cyber Security are to define a Cyber Security system dedicated to railway and to define a security-by-design standard applicable to railway application.

The definition of a Cyber Security system consists in the specification of standardised interfaces, monitoring functions, protocol stacks and architectures for secure networks based, among others, on a security assessment of existing railway solutions and of railway networks. The efficiency and robustness of the standardised solution have to be demonstrated through a technical demonstrator. Security assessment, identification of the threat detection, prevention and response processes will be completed. A draft of the Cyber Security system specification will be provided at the end of the project.

The definition of a security-by-design standard applicable to railway application consists in specifying protection profiles and cyber security standards applicable to railway application and in demonstrating their applicability in a technical demonstrator. The definition of protection profiles and the identification of the cyber-secure development process will be completed. A draft of the security-by-design standard will be provided at the end of the project.

Railenium is involved in the Cyber Security activities of the Shift2Rail JU. Railenium aims at working on three specific topics.

The first one deals with the wireless part of the railway communication system: electromagnetic attacks on the system (extending SECRET’s work to LTE technologies and Wi-Fi), a focus on the detection of attacks, and the development of a system based on SDR and protocol analysis.

The second topic will focus on the decision part. For a better identification of the attacks and better performance, machine learning algorithms could also be used for the detection task. This would make it possible to: (1) detect unknown (new) internal and external threats and intrusions, (2) build models with incomplete knowledge about the normal behaviour, (3) adapt the built models to changes used by the attackers to trick the security rules.

Finally, a last topic will address human factors. The idea is to assess the abilities of professional human drivers and central control station supervisors to react to simulated cyber-attacks, or their consequences, in a realistic simulated environment.

5.3 Current Actions to Manage Cyber Security

In the project, we started a High-Level Security Assessment (HLSA) based on the IEC 62443 standard. We started to work on a common shared generic architecture which is representative of a real railway system based on ERTMS and using the GSM-R communication system. According to the IEC 62443 standard, we defined the zones and conduits with their different security levels.

We are currently working on the Detailed Security Assessment, which consists in listing the assets, the threats, the impacts of the threats on the assets and the consequences on the system. For instance, on a Wi-Fi network for passengers we identified several threats: jamming, deauthentication attacks to eject customers from the customer-oriented network, fake access points to steal private information from passengers,… Some mitigation rules are proposed. Similar research has been done for GSM-R in the EU FP7 SECRET project (http://www.secret-project.eu/) [7]. We plan to conduct such research for LTE-based networks too.

More generally, for all the kinds of threats, we are building a software framework, named Open Pluggable Framework (OPF), which is based on the concepts of autonomic systems. This framework (Fig. 2) monitors the environment using hardware and software probes. Then some algorithms detect abnormal behaviour using the data sent by the probes. Next, OPF decides how to react (with algorithms using machine learning methods) and finally applies several actions (e.g. an alarm or a reconfiguration).

Fig. 2. The Open Pluggable Framework
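
The monitor, detect, decide and act cycle described for OPF, applied to the deauthentication threat identified on the passenger Wi-Fi network, can be sketched as follows. This is an added example, not OPF code and not taken from the paper: the probe name, the threshold, the z-score baseline (a simple statistical stand-in for the machine learning methods mentioned) and the sample counts are all assumptions.

```python
from dataclasses import dataclass
from statistics import mean, stdev

THRESHOLD = 4.0  # assumed anomaly score above which the loop reacts

@dataclass
class Reading:
    probe: str   # hypothetical probe identifier
    t: int       # seconds since start of capture
    deauth: int  # deauthentication frames counted in a 1 s window

class Detector:
    """Learns a per-probe baseline from normal traffic and scores outliers."""
    def __init__(self, warmup=5):
        self.warmup, self.history = warmup, {}

    def score(self, r):
        h = self.history.setdefault(r.probe, [])
        if len(h) < self.warmup:    # still learning normal behaviour
            h.append(r.deauth)
            return 0.0
        sigma = max(stdev(h), 1.0)  # floor stops a near-constant baseline inflating z
        z = (r.deauth - mean(h)) / sigma
        if z < THRESHOLD:           # anomalous samples never enter the baseline,
            h.append(r.deauth)      # so a sustained attack cannot become "normal"
        return z

def decide(z, streak):
    """Rule-based stand-in for the decision stage: escalate if it persists."""
    if z < THRESHOLD:
        return "none"
    return "reconfigure" if streak >= 3 else "alarm"

def run(readings):
    """One pass of monitor -> detect -> decide -> act over probe readings."""
    det, streaks, actions = Detector(), {}, []
    for r in readings:
        z = det.score(r)
        streaks[r.probe] = streaks.get(r.probe, 0) + 1 if z >= THRESHOLD else 0
        action = decide(z, streaks[r.probe])
        if action != "none":
            actions.append((r.t, r.probe, action))
    return actions

# Constructed sample: quiet background, then a burst on one access point.
SAMPLE = [Reading("ap-coach-3", t, n)
          for t, n in enumerate([0, 1, 0, 2, 1, 1, 0, 40, 55, 60, 1])]
if __name__ == "__main__":
    print(run(SAMPLE))
```
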

Another action that has just started in the project concerns security-by-design. In this action, the partners want to set up a set of rules concerning the development process of components with security properties. Finally, the creation of a Computer Emergency Response Team (CERT) dedicated to the railway environment is being considered, but currently we are just at the beginning of that process.

6 Conclusions and Perspectives

The objective of Cyber Security for railways is to move towards a Cyber Security standard for railways, equivalent to what EN 50126 [8], EN 50128 [9], EN 50129 [10], etc. provide for safety.

Safety is well managed by the railway industry through the lifecycle process of the development, even if an upgrade of the system takes several months to be certified. Once a train is certified, it can run for 30 years without any modification. The close link between “safety” and “security” has to be established. However, it is quite difficult to reconcile safety and security, which are antagonistic on certain points. For instance, adding a security mechanism (e.g. data encryption) can impair safety because the system spends more time decoding messages and is therefore less reactive (with respect to real time). Moreover, Cyber Security cannot follow the safety process based on certification: it would take too much time. For instance, a zero-day vulnerability must be solved as soon as possible. If not, the complete traffic of a country could be impacted or stopped. The impact on the economy and people of the country would be dramatic.

Several tools and practices have to be developed for securing the railway system, such as monitoring tools to detect, analyse and respond to threats and vulnerabilities, training of people (strongly linked to these monitoring tools), joint risk assessments, security-by-design, penetration testing, resilience, operation in degraded mode, information security policy, separation of critical and non-critical systems…