IT-Security in Railway Signalling Systems
Control and safety systems have long played a central role in the safe operation of trains in European rail networks. Up to now, they have primarily been designed according to safety considerations. Nevertheless, with the emerging use of commercial off-the-shelf hardware and software components and of open communication infrastructures such as the Internet, IT security plays an ever increasing role in this critical infrastructure. Only a few applicable IT security standards have been proposed for this area. Recently the IEC 62443 standard has been established; it addresses industrial automation systems in general but lacks important elements for the transportation sector.
In this paper we describe the current draft of a VDE standard for IT security in railway signalling applications, which is currently under review and introduces a thorough security engineering process for secure railway signalling. The standard builds on IEC 62443 and addresses key requirements stemming from the railway domain. The novel security engineering process covers all phases of the system lifecycle: it starts with requirements and risk analysis, continues with a design phase, and finally covers implementation, validation and maintenance of the system as well as secure decommissioning.
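The requirements and risk-analysis phase of a process built on IEC 62443 yields a target security level for each part of the system, and the validation phase later checks whether the implemented design actually reaches it. The following example is added here and is not code from the paper or from the VDE draft; it performs that comparison using the seven foundational requirements and the security levels 0 to 4 defined in IEC 62443-3-3. The zone names and level values are constructed for illustration, and summarising a vector by its weakest requirement is an assumption of this example, not something the standard prescribes.

```python
"""Security-level (SL) vector check in the style of IEC 62443-3-3.

IEC 62443-3-3 expresses a security level as a vector of seven values, one
per foundational requirement (FR), each between 0 and 4.  A target vector
(SL-T) comes out of the risk analysis; the achieved vector (SL-A) is what
the chosen design and countermeasures actually provide.  The functions
below compare the two and list where the design falls short.
"""

# The seven foundational requirements defined in IEC 62443-3-3.
FOUNDATIONAL_REQUIREMENTS = (
    "FR1 Identification and authentication control",
    "FR2 Use control",
    "FR3 System integrity",
    "FR4 Data confidentiality",
    "FR5 Restricted data flow",
    "FR6 Timely response to events",
    "FR7 Resource availability",
)
MAX_SL = 4  # SL 0 means no specific requirement, SL 4 is the highest level


def validate_vector(vector):
    """Return the vector as a tuple after checking its shape and value range."""
    vec = tuple(vector)
    if len(vec) != len(FOUNDATIONAL_REQUIREMENTS):
        raise ValueError(f"expected {len(FOUNDATIONAL_REQUIREMENTS)} values, got {len(vec)}")
    for value in vec:
        if not isinstance(value, int) or not 0 <= value <= MAX_SL:
            raise ValueError(f"security level {value!r} outside 0..{MAX_SL}")
    return vec


def sl_gaps(sl_target, sl_achieved):
    """Map each FR whose achieved level is below its target to the shortfall."""
    target = validate_vector(sl_target)
    achieved = validate_vector(sl_achieved)
    return {
        fr: t - a
        for fr, t, a in zip(FOUNDATIONAL_REQUIREMENTS, target, achieved)
        if a < t
    }


def zone_meets_target(sl_target, sl_achieved):
    """True when every foundational requirement reaches at least its target level."""
    return not sl_gaps(sl_target, sl_achieved)


def scalar_sl(vector):
    """Summarise a vector by its weakest FR (an assumption of this example)."""
    return min(validate_vector(vector))


def assess_zone(name, sl_target, sl_achieved):
    """Build a validation record for one zone, as the validation phase might."""
    gaps = sl_gaps(sl_target, sl_achieved)
    return {
        "zone": name,
        "sl_t": validate_vector(sl_target),
        "sl_a": validate_vector(sl_achieved),
        "scalar_sl_a": scalar_sl(sl_achieved),
        "meets_target": not gaps,
        "gaps": gaps,
    }


# Constructed sample: an interlocking zone and a less critical diagnostics zone.
# The numbers are illustrative and come from no standard or real deployment.
SAMPLE_ZONES = {
    "interlocking": ((3, 3, 3, 2, 3, 2, 3), (3, 2, 3, 2, 3, 1, 3)),
    "diagnostics": ((2, 2, 2, 1, 2, 1, 2), (2, 2, 2, 1, 2, 2, 2)),
}


def assess_all(zones=SAMPLE_ZONES):
    """Assess every zone in the mapping {name: (SL-T, SL-A)}."""
    return [assess_zone(name, t, a) for name, (t, a) in zones.items()]


if __name__ == "__main__":
    for record in assess_all():
        status = "OK" if record["meets_target"] else "SHORTFALL"
        print(f"{record['zone']}: {status} (weakest FR at SL {record['scalar_sl_a']})")
        for fr, shortfall in record["gaps"].items():
            print(f"  {fr}: needs +{shortfall}")
```

Running the block reports the constructed interlocking zone as falling short on FR2 and FR6 by one level each, which is the kind of finding that sends the design back into the design phase before implementation proceeds; the per-FR gap list is more useful than a single pass/fail because each shortfall points at a specific family of countermeasures.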
Keywords: Security Requirement, Security Level, Security Standard, Safety Critical System, Rail Infrastructure