Reduced Case Study

The system under consideration is a secure train integrity monitoring system (STIMS) composed of Train Integrity Devices (TIDs) onboard trains and a Train Integrity Service (TIS) hosted in the cloud. The TIDs acquire train position data from GPS and communicate it to the TIS. The TIS collects data from the TIDs, computes train length, and notifies alarms if the length does not match run data. The system must comply with various railway and cybersecurity standards.


Phase 1 - Input

Inputs of this phase: purpose and scope; operational environment; applicable security standards.

Purpose and scope. The system under consideration (SuC) is composed of an on-ground application, hosted in the cloud, and one or more software applications hosted in on-board devices on each and every train. The on-board software applications are responsible for getting the train run data, adding the train position and the measured train composition length, and sending these data to the on-ground application. The on-ground application uses this information to notify an alarm if the measured train composition length does not match the train run data.

Operational environment. The operational environment defined by the customer is identified in two figures of the original deck (not reproduced in this text).

Applicable security standards. TS 50701 (applied here in its final draft, FprTS 50701) adapts the IEC 62443 concepts of zones and conduits, security levels and risk assessment to railway applications; the other standards listed define the railway context the SuC must comply with.

- NIS directive: Critical infrastructure cybersecurity
- EN 50126-1,2:2017: Railway applications, RAMS
- EN 50657:2017: Railway applications. Rolling stock applications. Software on board rolling stock
- IEC 61375-1:2012: Electronic railway equipment - Train communication network (TCN) - Part 1: General
- IEC 61375-2-1:2012: Electronic railway equipment - Train communication network (TCN) - Part 2-1: Wire Train Bus (WTB)
- IEC 61375-2-2:2012: Electronic railway equipment - Train communication network (TCN) - Part 2-2: Wire Train Bus conformance testing
- IEC 61375-2-5:2014: Electronic railway equipment - Train communication network (TCN) - Part 2-5: Ethernet train backbone (ETB)
- IEC 61375-2-6:2018: Electronic railway equipment - Train communication network (TCN) - Part 2-6: On-board to ground communication
- IEC 61375-3-1:2012: Electronic railway equipment - Train communication network (TCN) - Part 3-1: Multifunction Vehicle Bus (MVB)
- IEC 61375-3-2:2012: Electronic railway equipment - Train communication network (TCN) - Part 3-2: MVB (Multifunction Vehicle Bus) conformance testing
- IEC 61375-3-4:2014: Electronic railway equipment - Train communication network (TCN) - Part 3-4: Ethernet Consist Network (ECN)
- TS 50701: Railway application cybersecurity
- IEC 62443 series: Industrial automation cybersecurity
- ISO/IEC 27001:2013: Information technology - Security techniques - Information security management systems - Requirements

Application of FprTS 50701


ENISA-ERA Conference: Cybersecurity in Railways
16 March 2021 8
Phase 2 - Input

Inputs of this phase: system boundaries; initial system architecture; logical and physical network plans. For the scope of this example, these three inputs are represented by figures and by the associated descriptions below.

- SuC name: STIMS (Secure Train Integrity Monitoring System)
- Description: STIMS is composed of at least two TID on-board devices per train and one TIS on-ground.
- TID (Train Integrity Device): continuously acquires its position and communicates it to the TIS. It shall be installed in the head unit and in the tail wagon. The TID has the following main blocks:
  - Localization block based on a GNSS (Global Navigation Satellite System) receiver. This receiver could use Galileo, GPS, Glonass or Beidou technology.
  - Wireless communication block based on a single or multiple modem (gateway). This modem could use 2G, 3G, 4G, 5G or GSM-R/GPRS-R technology.
  - Driver interface block placed on the driver desk. This TID HMI could be a simple set of LEDs and switches, or a touch-screen monitor.
  - TID computing block. This is the elaboration unit, based on a microcontroller, microprocessor, FPGA, RAM based memory, Flash based memory and some interfaces.
  - Optional Wi-Fi communication block allowing the TID to interact with a laptop, tablet or smartphone. This block could be based on Wi-Fi, Bluetooth or another wireless short-range technology.
- TIS (Train Integrity Service): continuously collects TID data, computes the train length and notifies alarms in case of anomalies. A TIS has the following main blocks:
  - TIS DCS (Train Integrity Service Data Collection Server): provides the communication services to collect and process data from the on-board TID devices.
  - TIS WEB (Train Integrity Service Web Application): provides centralized configuration, analysis and management services to STIMS operators.

Phase 2 - Input

Essential functions

An essential function is defined as a "function or capability that is required to maintain health, safety, the environment and availability for the equipment under control". If the essential functions are compromised, this normally means loss of protection, loss of control or loss of view.

If not directly available in the system design, the essential functions can be derived from the overall functional description with a simple process (illustrated by the table below):
1) list all functions;
2) if a function is required to maintain at least one of the four properties health, safety, environment and availability, then it is essential.

Function | Required to maintain (marks in the Health / Safety / Environ. / Avail. columns) | Essential
On board
  Get application specific essential train run data from TCMS: EVN, Composition | X X | YES
  Get positions of train head and of train tail | X X | YES
  Calculate train length | X X | YES
  Send data to ground | X X | YES
  Send diagnostics info to TCMS | - | NO
  Send alert to driver (HMI) | X X | YES
On ground
  Receive data from on-board applications | X X | YES
  Store received data | X X | YES
  Validate received data | X X | YES
  Check for train length anomalies | X X | YES
  Notify position of train to external systems | - | NO
  Record excessive delays in order to raise fines | - | NO
  Send real-time status to the maintenance system to permit drone recognition over the tracks | X | YES
  Notify alarms in case anomalies are detected | X X | YES
  Web User Interface | X | YES

Phase 2 – Output: Initial Risk Evaluation

Initial risk evaluation for assets

Asset | Impact | Likelihood | Risk | Acceptable?
TID HMI | B | 3 | Significant | NO
Head TID | B | 3 | Significant | NO
Head GNSS Loc | C | 4 | Significant | NO
Tail to Head Communication | B | 2 | Medium | YES
Tail TID | B | 5 | High | NO
Tail GNSS Loc | C | 5 | High | NO
Train to Ground Communication | B | 3 | Significant | NO
TIS DCS | B | 1 | Low | YES
TIS WEB | D | 4 | Medium | YES
External System Communication | C | 4 | Significant | NO

Classification in zones and conduits

N° | Type | Including | Risk
Z1 | Zone | Head TID, Head GNSS Loc | Significant
Z2 | Zone | Tail TID, Tail GNSS Loc | High
Z3 | Zone | TID HMI | Significant
Z4 | Zone | TIS DCS | Low
Z5 | Zone | TIS WEB | Medium
C1 | Conduit | Tail to Head Comm. | Medium
C2 | Conduit | Train to Ground Comm. | Significant
C3 | Conduit | External System Comm. | Significant

The risk of a zone or conduit is the highest risk of the assets it groups (Z2 inherits High from Tail TID and Tail GNSS Loc); only Low and Medium are accepted, so every zone or conduit rated Significant or High needs a security level target in Phase 3.

Phase 2 – Zones and conduits

Figure: zones and conduits of STIMS (diagram not reproduced; its content is listed here).
- Ground system: zone Z4 (TIS DCS) and zone Z5 (TIS WEB); conduit C3 (External System Communication) connects the ground system to external systems.
- Conduit C2 (Train to Ground Communication) links the on-board system to the ground system.
- On-board system: zone Z1 (Head TID, Head GNSS Loc), zone Z2 (Tail TID, Tail GNSS Loc) and zone Z3 (TID HMI); conduit C1 (Tail to Head Communication) links Z1 and Z2.

Phase 3 - Output: Initial Threat Log

For each threat at least the following information shall be documented in the threat log:
a) the threat sources
b) the capability or skills or motivation of the threat source
c) the possible threat scenarios and actions
d) the potentially affected assets (as identified in the initial risk assessment)
e) the vulnerabilities of the SuC (if known)

Threat name | Threat source | Capability or skills or motivation of threat source | Possible threat scenarios and actions | Potentially affected assets | Vulnerabilities of the SuC (if known)
T.PhysicalAttacks | External | Demonstration, theft | Intentional damage, theft | Z1, Z2, Z3 | Perimeter protection vulnerabilities
T.UnintentionalDamage | Internal | Knowledge of target | Wrong installation | Z1, Z2, Z3 | Account management
T.FailuresAndOutages | Internal, External | Hacking | Denial of service | Z1, Z2, Z3, C3 | Unpatched components
T.EavesdroppingInterceptionHijacking | External | Hacking | Data exfiltration | C2, C3 | Clear text comm., network addressing vulnerabilities
T.MaliciousActivity | External | Cybercrime | Command and control | Z1, Z2, Z3 | Poor auth., unpatched components
T.Legal | External | - | - | - | -

Phase 3 - Output

SL-T vectors in our example. The seven positions follow the IEC 62443 foundational requirements in the order IAC (identification and authentication control), UC (use control), SI (system integrity), DC (data confidentiality), RDF (restricted data flow), TRE (timely response to events), RA (resource availability):

Z1 SL-T (Head TID) = {3 3 3 3 2 3 3}
Z2 SL-T (Tail TID) = {3 3 3 3 2 3 3}
Z3 SL-T (TID HMI) = {2 2 2 3 2 2 2}
C2 SL-T (Train to Ground Comm.) = {0 0 0 3 3 0 0}
C3 SL-T (External System Comm.) = {3 3 3 3 3 3 3}

Z4, Z5 and C1, whose initial risk was accepted, are not assigned a target vector here.

Phase 2 – C, I, A Impact Rating Table

FprTS 50701 - Table E.5: Impact assessment matrix – Example 2


Category A
  Availability: Major interruption of operation affecting a network or a fleet, or loss of service to more than 500.000 people for a long time¹.
  Integrity (Safety): Catastrophic accident, typically affecting a large number of people and leading to multiple fatalities.
  Confidentiality: Loss of security related information, e.g. credentials, giving direct access to the system and leading to catastrophic safety, availability or business impacts.
  Integrity (Business): Catastrophic business impact, possibly leading to bankruptcy or loss of license of the operator.

Category B
  Availability: Major interruption of operation affecting a network or a fleet, or loss of service to more than 500.000 people for a significant time¹, or of a line or station or a few vehicles for a long time.
  Integrity (Safety): Critical accident, typically affecting a small number of people and leading to a single fatality.
  Confidentiality: Loss of security related information; no direct access to the system is possible (physical protection), but the attacker could perform commands leading to at least critical availability, safety and business impacts.
  Integrity (Business): Critical business impact, possibly leading to a severe impact on revenue or earnings (>10% on an annual basis).

Category C
  Availability: Significant interruption of operation affecting a network or fleet or more than 500.000 people for a short time¹, or of a line or station or a few vehicles for a significant time.
  Integrity (Safety): Safety implications, typically leading to injuries requiring hospitalization.
  Confidentiality: Loss of security related information; no direct access to the system is possible (physical protection) and the attacker cannot perform any critical safety-related commands, for example only read access to diagnostic data is possible; loss of data under data protection law or of commercially sensitive data.
  Integrity (Business): Significant business impact, possibly leading to a substantial impact on revenue or earnings (on an annual basis).

Category D
  Availability: Significant interruption of operation of a line or station or a few vehicles for a significant time.
  Integrity (Safety): Minor safety implications, typically leading to injuries without hospitalization.
  Confidentiality: Loss of non-security relevant data, not under data protection; the attacker can make commercial use of the data by combining them with other information.
  Integrity (Business): Marginal business impact.

Category E
  Availability: Typically no influence.
  Integrity (Safety): Typically no safety implications.
  Confidentiality: Loss of non-security relevant data, not under data protection.
  Integrity (Business): Negligible business impact.

Phase 2 - Exposure and Vulnerability Rating Table

FprTS 50701 - Table 4: Likelihood assessment matrix – Example

Rating 1
  Exposure (EXP): highly restricted logical or physical access for the attacker, e.g.
    - highly restricted network and physical access, or
    - product or components cannot be acquired by the attacker, or only with high effort
  Vulnerability (VUL):
    - successful attack is only possible for a small group of attackers with high hacking skills (high capabilities needed)
    - vulnerability is only exploitable with high effort and if strong technical difficulties can be solved; non-public information about the inner workings of the system is required
    - state of the art security measures to counter the threat
    - high chance for the attacker to be traced and prosecuted

Rating 2
  Exposure (EXP): restricted logical or physical access for the attacker, e.g.
    - internal network access required, or
    - restricted physical access, or
    - product or components can be acquired by the attacker with medium effort
  Vulnerability (VUL):
    - successful attack is feasible for an attacker with average hacking skills (medium capabilities needed)
    - vulnerability is exploitable with medium effort, requiring special technology, domain or tool knowledge
    - some security measures to counter the threat
    - medium chance for the attacker to be traced and prosecuted

Rating 3
  Exposure (EXP): easy logical or physical access for the attacker, e.g.
    - Internet access sufficient, or
    - public physical access, or
    - attacker has access as part of daily work, operation or maintenance activities, or
    - product or components can be acquired by the attacker with low effort
  Vulnerability (VUL):
    - successful attack is easy to perform, even for an unskilled attacker (little capabilities needed)
    - vulnerability can be exploited easily with low effort, since no tools are required or suitable attack tools freely exist
    - no or only weak security measures to counter the attack caused by the threat
    - low chance for the attacker to be traced and prosecuted

The likelihood function (FprTS 50701 - 6.3.2): L = EXP + VUL - 1. With both factors rated 1 to 3, L ranges from 1 (highly restricted access to a hard-to-exploit weakness) to 5 (public access to a trivially exploitable one), which is the likelihood scale used in the initial risk evaluation.

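The following is an added worked example, not code from the slides or from TS 50701, that puts the likelihood function above together with the initial risk evaluation table of Phase 2: it rates each STIMS asset from constructed (EXP, VUL) pairs, looks the result up in a risk matrix and aggregates the zone/conduit risk as the worst asset risk. The (EXP, VUL) pairs are assumptions chosen to reproduce the likelihood column of the slide, and only the matrix cells that the slide's ten assets exercise are taken from the slide; the remaining cells are an assumed completion, not the standard's own matrix.

```python
"""Initial risk evaluation for the STIMS case study (added example).

Encodes: the likelihood function L = EXP + VUL - 1 (FprTS 50701 6.3.2),
an impact-class x likelihood risk matrix, and zone/conduit risk as the
maximum risk of the assets the zone or conduit contains.
ASSUMPTIONS: the (EXP, VUL) pairs per asset are constructed to reproduce
the slide's likelihood values; matrix cells not exercised by the slide's
assets are an assumed completion, not a cell of the standard's table.
"""
from dataclasses import dataclass

# Ordered from least to most severe; comparisons use the index.
RATINGS = ("Low", "Medium", "Significant", "High")

# Rows: impact class A (worst) .. E (negligible); columns: likelihood 1..5.
RISK_MATRIX = {
    "A": ("Medium", "Significant", "High", "High", "High"),        # assumed
    "B": ("Low", "Medium", "Significant", "Significant", "High"),  # B1,B2,B3,B5 from slide
    "C": ("Low", "Low", "Medium", "Significant", "High"),          # C4,C5 from slide
    "D": ("Low", "Low", "Low", "Medium", "Medium"),                # D4 from slide
    "E": ("Low", "Low", "Low", "Low", "Low"),                      # assumed
}


def likelihood(exp: int, vul: int) -> int:
    """FprTS 50701 6.3.2: L = EXP + VUL - 1; factors rated 1..3 give L in 1..5."""
    if not (1 <= exp <= 3 and 1 <= vul <= 3):
        raise ValueError("EXP and VUL are rated 1, 2 or 3")
    return exp + vul - 1


def risk(impact: str, lik: int) -> str:
    """Risk rating for an impact class A..E and a likelihood 1..5."""
    return RISK_MATRIX[impact][lik - 1]


def acceptable(rating: str, threshold: str = "Medium") -> bool:
    """Acceptance criterion used on the slide: Low and Medium accepted, above not."""
    return RATINGS.index(rating) <= RATINGS.index(threshold)


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str   # impact class from the C, I, A impact rating table
    exp: int      # exposure rating 1..3
    vul: int      # vulnerability rating 1..3
    zone: str     # zone or conduit containing the asset


# Constructed (EXP, VUL) pairs that reproduce the likelihood column of the slide.
ASSETS = [
    Asset("TID HMI", "B", 2, 2, "Z3"),
    Asset("Head TID", "B", 2, 2, "Z1"),
    Asset("Head GNSS Loc", "C", 3, 2, "Z1"),
    Asset("Tail to Head Communication", "B", 1, 2, "C1"),
    Asset("Tail TID", "B", 3, 3, "Z2"),
    Asset("Tail GNSS Loc", "C", 3, 3, "Z2"),
    Asset("Train to Ground Communication", "B", 3, 1, "C2"),
    Asset("TIS DCS", "B", 1, 1, "Z4"),
    Asset("TIS WEB", "D", 2, 3, "Z5"),
    Asset("External System Communication", "C", 2, 3, "C3"),
]


def evaluate(assets=ASSETS) -> dict:
    """Per-asset (likelihood, risk rating, acceptable) keyed by asset name."""
    result = {}
    for a in assets:
        lik = likelihood(a.exp, a.vul)
        rating = risk(a.impact, lik)
        result[a.name] = (lik, rating, acceptable(rating))
    return result


def zone_risk(assets=ASSETS) -> dict:
    """Zone/conduit risk = the worst rating of any asset it contains."""
    worst = {}
    for a in assets:
        rating = risk(a.impact, likelihood(a.exp, a.vul))
        current = worst.get(a.zone)
        if current is None or RATINGS.index(rating) > RATINGS.index(current):
            worst[a.zone] = rating
    return worst


if __name__ == "__main__":
    for name, (lik, rating, ok) in evaluate().items():
        print(f"{name:32} L={lik} {rating:12} acceptable={'YES' if ok else 'NO'}")
    for zone, rating in sorted(zone_risk().items()):
        print(f"{zone}: {rating}")
```

Running the script reproduces the two tables of the initial risk evaluation slide: the per-asset ratings and the zone/conduit ratings, with Z2 rated High because both of its assets are reachable with public access (EXP 3) and easily exploitable (VUL 3). Changing a single factor, for instance hardening the tail TID so that VUL drops to 2, moves it to Significant, which shows how the likelihood function turns a countermeasure into a change of rating.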
Phase 3 – derivation of SL-T by estimation of the attacker properties

FprTS 50701 - 7.2.5

SL | Violation | Means | Resources | Skills | Motivation
SL 0 | - | - | - | - | -
SL 1 | casual or coincidental | - | - | - | -
SL 2 | intentional | simple | few | generic | low
SL 3 | intentional | sophisticated | moderate | specific | moderate
SL 4 | intentional | sophisticated | extended | specific | high

More explanations of security levels in IEC 62443-3-3:2019, Annex A.3.2, level definitions.

Phase 4 – Selection of countermeasures

A set of 100 cybersecurity requirements is given in IEC 62443-3-3. They are grouped by FR and classified with their SL value. The SL vector is the key to enter the table and select a subset of these requirements.

Number of system requirements given in IEC 62443-3-3:2019, per FR group and SL value:

SL | IAC | UC | SI | DC | RDF | TRE | RA | tot
SL 1 | 10 | 8 | 5 | 2 | 4 | 1 | 7 | 37
SL 2 | 6 | 4 | 5 | 2 | 2 | 1 | 3 | 23
SL 3 | 6 | 9 | 6 | 1 | 4 | 1 | 3 | 30
SL 4 | 2 | 3 | 3 | 1 | 1 | 0 | 0 | 10
tot | 24 | 24 | 19 | 6 | 11 | 3 | 13 | 100

For instance, SL-T (Zone j) = {2, 2, 0, 1, 3, 1, 3} selects the upper 54 requirements: for each FR, all requirements whose SL does not exceed the target for that FR, i.e. 16 IAC + 12 UC + 0 SI + 2 DC + 10 RDF + 1 TRE + 13 RA.

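The count above can be reproduced mechanically, and the same table gives the gap between a target vector and an achieved vector (the requirements still to be met). The block below is an added example, not code from the slides or from IEC 62443-3-3; the per-FR counts are the ones printed on the slide, and the selection rule it assumes is the IEC 62443-3-3 one, under which a target SL for a foundational requirement selects every SR and RE of that FR whose SL is less than or equal to the target. The gap computation is an added generalization of the slide's single example.

```python
"""Selecting IEC 62443-3-3 system requirements from an SL-T vector (added example).

The counts are the per-FR, per-SL numbers printed on the slide. The selection
rule assumed here: for each foundational requirement (FR), a target SL-T
selects all SR/RE entries of that FR whose SL is <= the target.
"""
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# Requirements per FR at SL 1, 2, 3, 4 (index 0..3), from the slide's table.
COUNTS = {
    "IAC": (10, 6, 6, 2),
    "UC":  (8, 4, 9, 3),
    "SI":  (5, 5, 6, 3),
    "DC":  (2, 2, 1, 1),
    "RDF": (4, 2, 4, 1),
    "TRE": (1, 1, 1, 0),
    "RA":  (7, 3, 3, 0),
}

# SL-T vectors of the case study, in FR order IAC, UC, SI, DC, RDF, TRE, RA.
SL_T = {
    "Z1 (Head TID)": (3, 3, 3, 3, 2, 3, 3),
    "Z2 (Tail TID)": (3, 3, 3, 3, 2, 3, 3),
    "Z3 (TID HMI)": (2, 2, 2, 3, 2, 2, 2),
    "C2 (Train to Ground Comm.)": (0, 0, 0, 3, 3, 0, 0),
    "C3 (External System Comm.)": (3, 3, 3, 3, 3, 3, 3),
}


def _check(vector) -> None:
    """An SL vector has one entry per FR, each in 0..4."""
    if len(vector) != len(FRS):
        raise ValueError(f"expected {len(FRS)} entries, got {len(vector)}")
    if any(not 0 <= s <= 4 for s in vector):
        raise ValueError("security levels are 0..4")


def selected_per_fr(sl_t) -> dict:
    """Requirements selected for each FR: all entries with SL <= target."""
    _check(sl_t)
    return {fr: sum(COUNTS[fr][:t]) for fr, t in zip(FRS, sl_t)}


def selected_total(sl_t) -> int:
    """Total number of requirements a target vector selects."""
    return sum(selected_per_fr(sl_t).values())


def gap_per_fr(sl_t, sl_achieved) -> dict:
    """Requirements still missing per FR: entries with achieved < SL <= target.

    An FR whose achieved level already meets or exceeds the target has a gap
    of 0 (the slice is empty); an over-achieved FR is not a negative gap.
    """
    _check(sl_t)
    _check(sl_achieved)
    return {fr: sum(COUNTS[fr][a:t]) for fr, t, a in zip(FRS, sl_t, sl_achieved)}


if __name__ == "__main__":
    example = (2, 2, 0, 1, 3, 1, 3)
    print("slide example", example, "->", selected_total(example), "requirements")
    for name, vec in SL_T.items():
        print(f"{name:30} {vec} -> {selected_total(vec)} requirements")
    # Assumed achieved vector for Z1 (not on the slide), to show the gap view.
    print("Z1 gap vs achieved (2,2,2,3,2,2,2):",
          gap_per_fr(SL_T["Z1 (Head TID)"], (2, 2, 2, 3, 2, 2, 2)))
```

For the case study this gives 86 requirements for Z1 and Z2, 61 for Z3, 15 for C2 (only the DC and RDF groups are targeted) and all 90 entries up to SL 3 for C3; a vector of four 4s selects the whole set of 100. The gap view is the practical use of the table once an achieved vector SL-A is known: it lists, per FR, how many additional SR/RE entries separate the current system from its target.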
Phase 4 – Selection of countermeasures

FprTS 50701 - Table 5: System Security Requirements and Foundational Classes (derived from IEC 62443-3-3:2019)

Columns: Req | SL | Title | Railway notes (informative) | Relevant design principles | Stakeholder | Type

FR 1 Identification and authentication control (IAC)

SR 1.1 | SL 1 | Human user identification and authentication
  Railway notes: This includes application interfaces such as web server, file transfer protocol (FTP) server, OPC, and remote desktop interfaces that provide network access to human users and that do not securely convey the authenticated IACS user identity to the application during connection. It is acceptable to implement this requirement in combination with other external authentication solutions, including physical security measures in railways.
  Relevant design principles: 4 - Grant least privilege; 6 - Authenticate requests; 7 - Control access
  Stakeholder: Op, Sys, Sup
  Type: Tech, Proc

SR 1.1 RE(1) | SL 2 | Unique identification and authentication
  Railway notes: -
  Relevant design principles: 6 - Authenticate requests; 13 - Precautionary principle
  Stakeholder: Sys, Sup
  Type: Tech

SR 1.1 RE(2) | SL 3 | Multifactor authentication for untrusted networks
  Railway notes: The feasible multifactor authentication solutions outside the IT system in railways are generally external and could comprise a badge or a physical recognition of presence for the human user, e.g. by a phone call. This could equally apply to regularly planned maintenance activities.
  Relevant design principles: 6 - Authenticate requests; 12 - Proportionality principle
  Stakeholder: Sys, Sup
  Type: Tech

FR = Foundational Requirement
SR = System Requirement
RE = Requirement Enhancement