The railway infrastructure constitutes a type of operational technology (OT)-based critical infrastructure, which is expected to work 24x7, 365 days a year, and where the life expectancy of operational equipment often exceeds 30 years. In this domain, an operational anomaly compromising the OT system can cause a train accident or interrupt traffic, with potentially significant impact on business as well as on passenger safety. Due to their relevance, railways are strategic assets of national interest and, consequently, targets of interest for cybercriminals and cyberwarfare activities. For instance, service interruptions may trigger ripple effects resulting in product shortages and widespread supply chain disruptions, with severe impacts on both the economy and national security. In a bid to optimise and streamline operations, the railway industry has recently started taking a series of significant steps towards digitization, with infrastructures experiencing a paradigm shift which, for instance, makes it possible to have centralised interlockings and Radio Block Centre (RBC) for an entire country, with geographical redundancy, ensuring the utmost availability and punctuality by moving the control logic to the cloud. Nevertheless, these developments must always be carried out within the scope of established cybersecurity standards and frameworks. This paper presents an analysis of the state of the art on railway cybersecurity, focused on the existing solutions based on the application of the CENELEC “Technical specification 50701 - Railway Application – Cybersecurity”, which is currently the latest European specification addressing railways and is designed to help suppliers, integrators, and operators to implement a cybersecurity risk assessment plan, the necessary controls, and the management of the complete system life cycle.
Special attention will be paid to the conduit between the rail signal interlocking system, which controls the line signalling, and the Automatic Train Supervision (ATS) that runs in the Operational Control Centre (OCC), as the European Union Agency for Cybersecurity (ENISA) has singled this out as one of the most critical systems identified by the operators of essential services.