...We suggest combining methodology borrowed from rail traffic safety (industrial security), functional safety and IT security, so that existing research and methodological tools can be reused, since none of these disciplines alone can address the issues. For example, functional safety is concerned with random system failures rather than targeted threats, while IT security provides the integrity, availability and confidentiality of information, which are not directly connected with railway safety.
The main advantages of this approach include the ability to integrate cyber security into existing signalling CBCS design, development and implementation without having to give up proven approaches and solutions....
... From a cyber security viewpoint, there are three main classes of threats to signalling CBCS:
- breaches of train traffic safety
- reduced efficiency due to factors affecting track and carrying capacity, and other economic efficiency parameters, and
- other breaches of functional safety and reliability that indirectly affect railway safety and operation.
This enables an aggregated threat model to be built based on the railway and functional safety requirements. For example, consider an aggregated threat model for a computer-based interlocking (CBI) system using the requirements set out in railway operating rules...
To be successful, an attacker must bypass the CBI's functional safety mechanisms. If object controllers cannot be manipulated directly (for example, through vulnerabilities in the radio channel), such attacks require modifying the operating logic of the main CBI modules responsible for switch and signal interlocking and for compliance with traffic safety requirements, which is complicated. However, if it is possible, an attacker can:
- set a signal to a less-restrictive aspect such as green for a section with track divergence on switches
- change a signal aspect to green for an inadmissible route which has blocked sections or incorrect switch positions
- operate a switch with a train passing over it, and
- set conflicting routes.
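The four outcomes listed above are exactly the conditions an interlocking's route-setting logic exists to refuse, which is why an attacker would have to alter that logic rather than simply issue a command. The following added example (not code from the article or from any real interlocking) models those checks in a toy yard: a route is cleared only when its sections are unoccupied, its switches are in correspondence and in the required position, and no set route shares a section with it, and a switch is not moved while occupied or locked by a set route. The yard layout, class and field names are constructed for the example.

```python
"""Simplified model of the route-setting checks a computer-based interlocking
(CBI) makes before clearing a signal. Added illustration: the yard layout, class
and field names are constructed for this example and are not taken from any real
interlocking product or from the article."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    section: str        # track section the switch lies in
    position: str       # "normal", "reverse", or None when blades are not in correspondence


@dataclass
class Route:
    name: str
    signal: str
    sections: list      # track sections the route passes over
    switches: dict      # required switch positions: {switch name: position}


@dataclass
class Yard:
    switches: dict                                   # switch name -> Switch
    occupied: set                                    # sections currently occupied by trains
    set_routes: dict = field(default_factory=dict)   # routes currently set and locked

    def check_route(self, route):
        """Return the reasons a route may NOT be cleared; an empty list means admissible."""
        reasons = []
        blocked = [s for s in route.sections if s in self.occupied]
        if blocked:
            reasons.append(f"sections occupied: {blocked}")
        for name, wanted in route.switches.items():
            sw = self.switches[name]
            if sw.position not in ("normal", "reverse"):
                reasons.append(f"switch {name} not in correspondence")   # divergence on the switch
            elif sw.position != wanted:
                reasons.append(f"switch {name} is {sw.position}, route needs {wanted}")
        for other in self.set_routes.values():
            shared = sorted(set(route.sections) & set(other.sections))
            if shared:
                reasons.append(f"conflicts with set route {other.name} on {shared}")
        return reasons

    def set_route(self, route):
        """Clear the signal only when every check passes; otherwise it stays at red."""
        reasons = self.check_route(route)
        if reasons:
            return "red", reasons
        self.set_routes[route.name] = route          # a set route locks its switches
        return "green", []

    def move_switch(self, name, position):
        """Refuse to move a switch that is occupied or locked by a set route."""
        sw = self.switches[name]
        if sw.section in self.occupied:
            return False
        if any(name in r.switches for r in self.set_routes.values()):
            return False
        sw.position = position
        return True


def build_yard():
    """Constructed two-switch yard with a train standing in section T5."""
    return Yard(
        switches={"S1": Switch("S1", "T2", "normal"), "S2": Switch("S2", "T4", "reverse")},
        occupied={"T5"},
    )


R1 = Route("R1", "A", ["T1", "T2", "T3"], {"S1": "normal"})
R2 = Route("R2", "B", ["T3", "T4"], {"S2": "normal"})      # shares T3 with R1, needs S2 normal
R3 = Route("R3", "C", ["T5", "T6"], {})                     # runs into the occupied section


def demo():
    """Exercise each check once and return the outcomes by name."""
    yard = build_yard()
    results = {
        "R1": yard.set_route(R1)[0],                  # admissible -> green
        "R2": yard.set_route(R2),                     # conflicting route and wrong switch -> red
        "R3": yard.set_route(R3)[0],                  # occupied section -> red
        "S1": yard.move_switch("S1", "reverse"),      # locked by R1 -> refused
        "S2": yard.move_switch("S2", "normal"),       # free and unoccupied -> moved
    }
    yard.occupied.add("T4")
    results["S2_under_train"] = yard.move_switch("S2", "reverse")   # occupied -> refused
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point for a defender is that the checks live in one place: integrity protection and change detection for that logic (and for the inputs it trusts, such as occupancy and switch-correspondence indications) is what turns a functional-safety design into a cyber-security control.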
Threats aimed at disrupting rail transport do not usually require highly skilled attackers and can be carried out using standard malware. Such threats include putting non-redundant components out of operation, and spoofing or blocking network interaction between the yardmaster's workstation and CBI components, thereby depriving the system of its ability to send commands. Such an attack forces a changeover to manual operation, which reduces efficiency.
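Spoofing and blocking of the workstation-to-CBI link are both detectable at the receiving end if commands are authenticated and sequenced and the link is expected to carry regular traffic. The following added example (not code from the article or from any real product) replays a constructed message stream through a monitor that rejects messages with a bad HMAC, rejects replayed sequence numbers, and reports a gap longer than a heartbeat timeout as loss of the link. The message format, shared key and timeout value are assumptions made for the example.

```python
"""Monitor for the command link between the yardmaster's workstation and CBI
components. Added illustration: the message format, shared key and timeout are
constructed for this example, not taken from the article or any real product."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"     # shared secret provisioned to both link ends (example value)
HEARTBEAT_TIMEOUT = 5.0           # seconds of silence before the link is declared lost


def mac_for(msg):
    """HMAC-SHA256 over the authenticated fields, in a canonical encoding."""
    body = json.dumps({k: msg[k] for k in ("seq", "ts", "cmd")}, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def sign(seq, ts, cmd):
    """What the legitimate workstation sends: a sequenced, time-stamped, authenticated command."""
    msg = {"seq": seq, "ts": ts, "cmd": cmd}
    msg["mac"] = mac_for(msg)
    return msg


def monitor(messages):
    """Replay a stream in arrival order and return (kind, detail) alerts.
    Forged and replayed messages are rejected; a long gap between accepted
    messages is reported as loss of the link."""
    alerts = []
    last_seq, last_ts = 0, None
    for m in messages:
        if last_ts is not None and m["ts"] - last_ts > HEARTBEAT_TIMEOUT:
            alerts.append(("link_loss", f"{m['ts'] - last_ts:.0f}s without a valid message"))
        if not hmac.compare_digest(mac_for(m), str(m.get("mac", ""))):
            alerts.append(("spoofed", f"bad MAC on seq {m['seq']}"))
            continue                       # never act on an unauthenticated command
        if m["seq"] <= last_seq:
            alerts.append(("replay", f"seq {m['seq']} not above {last_seq}"))
            continue
        last_seq, last_ts = m["seq"], m["ts"]
    return alerts


def sample_stream():
    """Constructed traffic: two good messages, one forgery, one exact replay, then a long gap."""
    good1 = sign(1, 0.0, "heartbeat")
    good2 = sign(2, 1.0, "set_route R1")
    forged = {"seq": 3, "ts": 2.0, "cmd": "set_route R2", "mac": "00" * 32}
    replayed = dict(good2)                 # byte-for-byte copy; a modified copy would fail the MAC
    late = sign(4, 12.0, "heartbeat")      # 11 s after the last accepted message
    return [good1, good2, forged, replayed, late]


def alert_kinds(messages):
    """Just the alert categories, in the order they were raised."""
    return [kind for kind, _ in monitor(messages)]


if __name__ == "__main__":
    for alert in monitor(sample_stream()):
        print(*alert)
```

A blocked link shows up as the link_loss alert rather than as a flood of bad messages, which is why the gap check is keyed to accepted messages only: an attacker who can inject traffic cannot keep the link looking healthy without a valid key.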
Signalling cyber security: the need for a mission-centric approach
Written by Valentin Gapanovich, Efim Rozenberg and Sergey Gordeychik