An approach to the analysis of railway cybersecurity from the point of view of railway safety

02/02/2022

Introduction

Railway cybersecurity is the order of the day. Three developments have made it one of the new technological challenges for the sector's players (railway administrations, technology companies, service providers and others): the technological evolution of the railway industry, with its strong digitization in recent years (considering how slowly technology is introduced in this sector); the appearance of cyber attacks on various railway administrations in different parts of the world; and the standardization of railway cybersecurity with the technical specification CLC/TS 50701.

Beyond the headaches we Spanish speakers suffer from not having two words to differentiate between safety and security (both are translated into Spanish as "seguridad"), in this article Leedeo Engineering presents an analysis of railway cybersecurity with railway safety as the starting point. How do they differ? How do they relate? When does one penalize or favor the other?

As we will see in this article, safety and cybersecurity are different and cannot be easily coupled. Furthermore, cybersecurity cannot be considered simply a complement to safety, or vice versa.

Safety and cybersecurity have different but complementary objectives: safety mainly seeks to protect people, assets and the surrounding ecosystem from malfunctions in railway systems, while security (and therefore cybersecurity) aims to protect railway technical systems from attacks originating in their environment or surrounding ecosystem.

A very important particularity that will mark the future of both disciplines, RAMS Engineering and Cybersecurity Engineering, is the origin of their reference or regulatory authorities. For example, safety is regulated by the European Union Railway Agency (ERA), while cybersecurity is regulated by the European Union Agency for Cybersecurity (ENISA). We are likewise faced with different standardization committees and separate standards: for example, the EN 50126 series for Railway RAMS Engineering and the ISO 27000 or IEC 62443 series for cybersecurity.

Safety by definition generates immobility and little evolution in the design of systems and products, since demonstrating compliance with safety regulations is tedious, complex and lengthy. In cybersecurity, on the other hand, the ability to adapt to the environment is an added value.

Another particularity is that in safety, frequent changes should be avoided because of the cost of demonstrating safety. In other words, safety by definition generates immobility because of the certification or homologation processes for products and systems: all of us who have suffered them know that they are complex, hard, and costly in both money and time. In cybersecurity, on the other hand, updating must be easy so that the system can be patched in a timely and agile manner. The most basic theory of cybersecurity concludes that every system is vulnerable; breaching it is only a matter of applying enough time and resources. Constantly evolving a system keeps pushing back the theoretical time until it becomes vulnerable again. Therefore, by definition, cybersecurity will be, contrary to safety, tremendously mobile.

The requirements of safety and cybersecurity, as we have seen, will often be contradictory. Take as a simple example an emergency message (for example, to shut down a system that has been detected to be malfunctioning). From the safety perspective, the message must be transmitted as quickly as possible and the reaction must be executed immediately.

From the cybersecurity perspective, the message must be authenticated (a time-consuming process) to avoid executing a message that could come from an attacker whose objective is to affect the availability of the system.
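A receiver-side check for the emergency message described above, as an added example (not from the article or from any railway product). The frame layout, key, command code and 2-second freshness window are assumptions chosen for illustration; the last function measures the per-message cost of the check, which is the delay the safety side has to budget for.

```python
import hashlib
import hmac
import struct
import time

KEY = b"constructed-demo-key"   # constructed sample key, illustration only
CMD_EMERGENCY_STOP = 0x01       # hypothetical command code
MAX_AGE_S = 2.0                 # assumed freshness window
BODY = struct.Struct(">QdB")    # assumed layout: sequence, send time, command
TAG_LEN = hashlib.sha256().digest_size

def build_msg(key, seq, cmd, now):
    """Sender side: pack the body and append an HMAC-SHA256 tag."""
    body = BODY.pack(seq, now, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = 0       # highest sequence number accepted so far

    def accept(self, frame, now):
        """Return the command if the frame is authentic and fresh, else None."""
        if len(frame) != BODY.size + TAG_LEN:
            return None
        body, tag = frame[:BODY.size], frame[BODY.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None                             # forged or corrupted
        seq, sent, cmd = BODY.unpack(body)
        if seq <= self.last_seq:                    # replay of an old frame
            return None
        if abs(now - sent) > MAX_AGE_S:             # delayed or pre-recorded
            return None
        self.last_seq = seq
        return cmd

def mean_check_seconds(n=2000):
    """Average time spent in accept() per genuine frame, plus frames accepted."""
    rx = Receiver(KEY)
    frames = [build_msg(KEY, i, CMD_EMERGENCY_STOP, 0.0) for i in range(1, n + 1)]
    start = time.perf_counter()
    accepted = sum(rx.accept(f, 0.0) is not None for f in frames)
    return (time.perf_counter() - start) / n, accepted

if __name__ == "__main__":
    per_msg, ok = mean_check_seconds()
    print(f"{ok} frames accepted, {per_msg * 1e6:.1f} microseconds per check")
```
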


Therefore, the integration of safety and cybersecurity does not make much sense, but their coordination does.

Because of the many differences, it is not reasonable, in most cases, to integrate safety and cybersecurity within the same engineering processes. However, the processes and life cycles must be coordinated and run in parallel, and the appropriate interfaces must be established. In particular, the safety risk analysis needs to identify hazards resulting from cybersecurity issues, and these are treated as threats in the cybersecurity risk assessment. In this case, the safety engineer must provide support to assess the safety implications during the cybersecurity assessment, but the definition of the appropriate cybersecurity countermeasures is the responsibility of the cybersecurity engineers, according to the standards and best practices that govern this technology.

Therefore, in our experience, the best decision is to separate safety and cybersecurity as much as possible, but coordinate them effectively.

If safety and cybersecurity were tightly integrated, any change in cybersecurity functions could invalidate the expensive safety case study.

Safety-related cybersecurity issues occur due to threats to system integrity, arising from attackers exploiting vulnerabilities in the cybersecurity environment. Attackers (hackers) act intentionally, using all the information about the system they can get, according to a certain state of the art in hacking. Thus, unlike in safety, there is no probability or attack rate comparable to the probabilistic failure rate used in RAMS and safety analyses.

The similarity with safety is that the causes of cybersecurity threats resemble systematic failures in safety. Vulnerabilities often originate from bugs in cybersecurity functionality, primarily software, which is similar to systematic software flaws in safety. Therefore, it is neither feasible nor sensible to assess security risk probabilistically.

The main difference is that in cybersecurity an attacker is needed to exploit the vulnerability, while in safety, certain conditions in the operating environment trigger the failure, resulting in a system crash. Therefore, cybersecurity requirements should be established in a similar way to safety integrity requirements, that is, with a scheme of target levels similar to Safety Integrity Levels (SILs). According to IEC 62443, SL 1 represents unintentional errors or foreseeable misuse only, while SL 2, SL 3 and SL 4 refer to intentional attacks in which the attacker possesses increasing levels of knowledge, motivation and resources.


Many successful attacks show a similar pattern: first, the attacker gains access to the system (network). The attacker then scans the system, often trying to gain higher privileges, until finally carrying out the attack. Superior access or privileges can be gained by exploiting vulnerabilities (for example, weak passwords) or through social means such as phishing. Often, the attacker cannot achieve his goals without operators or employees who violate security rules or are unaware of the consequences of their actions. That is why it is very important that cybersecurity awareness be promoted and trained as part of the company culture, in the same way that a safety culture has been promoted in organizations in recent years.


Leedeo Engineering: specialists in rail systems, RAMS engineering and railway regulations, including those related to cybersecurity in the railway industry.


