Security Engineering in Safety-critical Railway Signalling

Abstract

Public transportation provides a major contribution to the mobility of modern societies. Passengers and customers of railway transportation expect a safe, timely, and comfortable service. To meet this demand, safety engineers have established strategies over decades to remove risks and increase safety that become manifest in railway signalling systems which are fundamental to today's safe train operation. Over the recent years, digitalisation found its way into the signalling systems but unfortunately at the cost of making them vulnerable to cybersecurity threats. The vulnerabilities can as well affect the safety of train operation and eventually be the root cause for train accidents with potentially severe and tragic consequences. Hence, scientists, engineers, and practitioners dealing with railway signalling unequivocally agree that a system that is not secure can not be safe. However, how the cybersecurity protection of safety systems in the railway domain should be shaped is subject of current discussion between domain experts. System architectures are being proposed and tested, risk assessment methods are discussed, security controls are selected and integrated, national and international standards are written, and the interplay and integration of safety and security measures is studied. Fortunately, railway transportation has so far been spared from major cyberattacks. But more and more incidents in other critical infrastructures become public and combining the potential harm, the importance for the society and ongoing digitalisation, railway transportation is becoming an attractive goal for adversaries of various kinds. The dissertation at hand contributes to the research in safety and security co-engineering. We begin to analyse the security requirements of the safety-critical railway signalling system and building on that propose a new security architecture. The security architecture has the advantage that it serves as the platform of safety and security functionality at the same time. The necessary separation between safety and security is moved from the physical world to a virtual environment such that the available attack surface is reduced. We proceed to investigate the interplay of safety and security examining security controls that can be deployed in the architecture. First, we analyse a safe transport protocol and enhance it to provide cryptographically secure message authenticity. Then, we propose two intrusion detection and prevention schemes to protect railway signalling against semantic attacks. Semantic attacks are typically executed by sophisticated adversaries who exploit detailed knowledge of the controlled system's behaviour to provoke respectively serious damage and consequences. Therefore, it is inevitable to combine the security defence strategies with the safety principles of railway signalling. For the first scheme we encode the principles in a way that enables the actuators to distributedly validate their actions themselves and couple security with safety by allowing it to intervene in the safety communication within a controlled framework. In the second proposed scheme, we consult artificial neural networks and train them on normal, incident free command and control communication to implicitly learn a model of the safety principles. Similarly, we allow the scheme to intervene in the safety communication to make the signalling system more resilient against semantic attacks. Finally, from the experience we gathered, we develop a methodology to deploy security controls in the immediate proximity of safety systems generalised as sensor-actuator cyber-physical systems and not limited to railway signalling. Core of the methodology is the active transformation of a security incident to a safety hazard by the detecting security control. The methodology is as well suitable to be applied to the security architecture we present in the beginning and in this way contributes towards making safety-critical systems more secure and hence more safe.