Security Requirements Engineering in Safety-Critical Railway Signalling Networks

Markus Heinrich,Maria Zhdanova,Andreas Fuchs,Sergey Tverdyshev,Don Kuzhiyelil,Tolga Arul,Neeraj Suri,Christian Schlehuber,Stefan Katzenbeisser,Tsvetoslava Vateva-Gurova,Henk Birkholz,Christoph Krauß

doi:10.1155/2019/8348925

Abstract

Securing a safety-critical system is a challenging task, because safety requirements have to be considered alongside security controls. We report on our experience to develop a security architecture for railway signalling systems starting from the bare safety-critical system that requires protection. We use a threat-based approach to determine security risk acceptance criteria and derive security requirements. We discuss the executed process and make suggestions for improvements. Based on the security requirements, we develop a security architecture. The architecture is based on a hardware platform that provides the resources required for safety as well as security applications and is able to run these applications of mixed-criticality (safety-critical applications and other applications run on the same device). To achieve this, we apply the MILS approach, a separation-based high-assurance security architecture to simplify the safety case and security case of our approach. We describe the assurance requirements of the separation kernel subcomponent, which represents the key component of the MILS architecture. We further discuss the security measures of our architecture that are included to protect the safety-critical application from cyberattacks.

Highlights

The integration of commercial off-the-shelf (COTS) hardware and software into industrial control systems such as railway command and control systems (CCSs) is in progress
We execute a railway domain-specific requirements engineering process that has been proposed for German railways [2] but can be used as a template for international railway operation. The output of this process provides the foundation of a security architecture, which we propose for railway CCS
We report our practical experience obtained while executing a security requirements engineering process for railway signalling systems in a real-world scenario

Summary

Introduction

The integration of commercial off-the-shelf (COTS) hardware and software into industrial control systems such as railway command and control systems (CCSs) is in progress. The interplay between safety and security is an active research area, where many questions are yet to be answered. Our study of the safety-security interplay is motivated by the lack of a security architecture for railway signalling. Current train control is centralized in a signal box, called interlocking system (ILS), that controls a defined area of the tracks comprising of multiple track switches (points) and signals. If a train needs to move on the tracks, the ILS sets the points according to the desired route. If the movement of the train is considered safe, the ILS sets the signal for the route to clear. A route is considered safe for a train, if it is not occupied by or reserved for another train, precluding collisions

Objectives

Discussion

Conclusion