IT-Security in Railway Signalling Systems

  • Christian SchlehuberEmail author
  • Erik Tews
  • Stefan Katzenbeisser
Conference paper


Control and safety systems play a central role in the safe operation of trains in European rail networks since a long time. Up to now, they have primarily been designed according to safety considerations. Nevertheless, due to the emerging use of commercial off-the-shelf hardware and software components as well as the use of open communication infrastructures such as the Internet, IT security plays an ever increasing role in this critical infrastructure. In this area only few applicable IT security standards have been proposed. Lately the IEC 62443 standard has been established, which addresses industrial automation systems in general, but lacks important elements for the transportation sector.

In this paper we describe the current draft of a VDE standard for IT security in railway signalling applications, which is currently under review and introduces a thorough security engineering process for secure railway signalling. The standard builds on the IEC 62443 and addresses key requirements stemming from the railway domain. The novel security engineering process covers all phases of the system lifecycle, starting with requirements and risk analysis, a design phase, and finally covers implementation, validation and maintenance of the system as well as secure decommissioning.


Security Requirement Security Level Security Standard Safety Critical System Rail Infrastructure 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [DBAG12] Deutsche Bahn AG: Geschäftsbericht 2011, 2012.Google Scholar
  2. [InSA13] ISA99 Committee on Industrial Automation and Control System Security: Security for Industrial Automation and Control Systems, System Security Requirements and Security Levels (ISA-62443-3-3), 2013.Google Scholar
  3. [STBU12] Statistisches Bundesamt: Verkehr – Eisenbahnverkehr – Betriebsdaten des Schienenverkehrs 2011, 2012.Google Scholar
  4. [BudI13] Bundesministerium des Inneren: Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme, 2013.Google Scholar
  5. [DeKE14] DKE: Elektrische Bahn-Signalanlagen – Teil 104: Leitfaden für die IT-Sicherheit auf Grundlage der IEC 62443 (DIN VDE V 0831-104), 2014.Google Scholar
  6. [InEC13] International Electrotechnical Commission: Industrial communication networks – Network and system security (IEC 62443), 2013.Google Scholar
  7. [TeSc14] Erik Tews and Christian Schlehuber: Quantitative Ansätze zur IT-Risikoanalyse, In: Proceedings of GI-Sicherheit 2014, 2014.Google Scholar
  8. [InOS11] International Organization for Standardization: Information security risk management (ISO/ IEC 27005:2011), 2011.Google Scholar
  9. [InOS05] International Organization for Standardization: Information security management systems – Requirements (ISO/IEC 27001:2005), 2005.Google Scholar
  10. [BuSI08] Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutz (Standard 100-1 to 100- 3), 2008.Google Scholar

Copyright information

© Springer Fachmedien Wiesbaden 2014

Authors and Affiliations

  • Christian Schlehuber
    • 1
    Email author
  • Erik Tews
    • 1
  • Stefan Katzenbeisser
    • 1
  1. 1.Security Engineering GroupTechnische Universität DarmstadtDarmstadtGermany

Personalised recommendations