Towards an IT Security Risk Assessment Framework for Railway Automation


📝 Abstract

Some recent incidents have shown that the vulnerability of IT systems in railway automation has possibly been underestimated. Fortunately, so far, almost only denial-of-service attacks were successful, but due to several trends, such as the use of commercial IT and communication systems or privatization, the threat potential could increase in the near future. However, up to now, no harmonized IT security risk assessment framework for railway automation exists. This paper defines an IT security risk assessment framework which aims to separate IT security and safety requirements as well as certification processes as far as possible. It builds on the well-known safety and approval processes from IEC 62425 and integrates IT security requirements based on the ISA99/IEC62443 standard series. While the detailed results are related to railway automation, the general concepts are also applicable to other safety-critical application areas.

📄 Content

Preprint

Towards an IT Security Risk Assessment Framework for Railway Automation

Jens Braband
Siemens AG, Braunschweig, Germany
jens.braband@siemens.com

Keywords. Railway, IT Security, Safety, Risk Assessment, IT Security Requirements.

1 Introduction

Over the last years, reports on IT security incidents related to railways have increased, as has public awareness. For example, it was reported that, on December 1, 2011, “hackers, possibly from abroad, executed an attack on a Northwest rail company’s computers that disrupted railway signals for two days” [1]. Although the details of the attack and also its consequences remain unclear, this episode clearly shows the threats to which railways are exposed when they rely on modern commercial-off-the-shelf (COTS) communication and computing technology. However, in most cases, the attacks are denial-of-service attacks leading to service interruptions, but so far not to safety-critical incidents. Other services, such as satellite positioning systems, have also been shown to be susceptible to IT security attacks, leading to a recommendation that GNSS services should not be used as standalone positioning services for safety-related applications [2].

What distinguishes railway systems from many other systems is their inherently distributed and networked nature, with tens of thousands of kilometers of track length for large operators. Thus, it is not economical to provide complete protection against physical access to this infrastructure and, as a consequence, railways are very vulnerable to physical denial-of-service attacks leading to service interruptions.

Another feature of railways distinguishing them from most other systems is the long lifespan of their systems and components. Current contracts usually demand support for over 25 years, and history has shown that many systems, e.g. mechanical or relay interlockings, last much longer. IT security analyses have to take such a long lifespan into account. Nevertheless, it should also be noted that at least some of the technical problems are not railway-specific, but are shared by other sectors such as Air Traffic Management [3].

Concerning IT security, another difference to many other application sectors is that railway automation is a highly safety-critical field, which has a rather strict approval regime similar to civil aviation. It seems that so far many IT security considerations have been made without this background. While in railway automation harmonized safety standards were elaborated almost two decades ago, up to now no harmonized IT security requirements for railway automation exist.

This paper starts with a discussion of the normative and legal background. A short overview of the basic concepts of ISA99/IEC62443 [4] is given. Then several approaches towards IT security risk assessment are discussed, with particular focus on their applicability to safety-critical systems. Then an IT security risk assessment framework is defined which aims to separate IT security and safety requirements as well as certification processes as far as possible. It is finally discussed how these concepts can be applied effectively to railway automation as well as to other safety-critical domains.

2 Normative Background

In railway automation, there exists an established standard for safety-related communication, IEC 62280 [5]. The first version of the standard was elaborated in 2001. It has proven quite successful and is also used in other application areas, e.g. industry automation. This standard defines threats and countermeasures to ensure safe communication in railway systems. So, at an early stage, the standard established methods to build a safe channel (in security, called a “tunnel” or “conduit”) through an unsafe environment. However, the threats considered in IEC 62280 arise from technical sources or the environment rather than from humans. The methods described in the standard are partially able to protect the railway system also from intentional attacks, b

This content is AI-processed based on ArXiv data.