
Cyber-Physical Security Risk Assessment for Train Control and Monitoring Systems

Mouna Rekik, Christophe Gransart, Marion Berbineau

To cite this version:
Mouna Rekik, Christophe Gransart, Marion Berbineau. Cyber-Physical Security Risk Assessment for Train Control and Monitoring Systems. SSV 2018, 1st International Workshop on System Security and Vulnerability, IEEE CNS Conference on Communications and Network Security, May 2018, Pekin, China. 9p. ⟨hal-01852324⟩

HAL Id: hal-01852324
https://hal.archives-ouvertes.fr/hal-01852324
Submitted on 1 Aug 2018

Cyber-Physical Security Risk Assessment for Train
Control and Monitoring Systems
Mouna Rekik*, Christophe Gransart* and Marion Berbineau†
* Univ Lille Nord de France, IFSTTAR, COSYS, LEOST, F-59650 Villeneuve d’Ascq, France,
{mouna.rekik, christophe.gransart}@ifsttar.fr
† Univ Lille Nord de France, IFSTTAR, COSYS, F-59650 Villeneuve d’Ascq, France, [email protected]

Abstract—Future railway systems should bring convenience to people's lives. In fact, due to the move away from bespoke stand-alone systems to open-platform, standardized equipment and the increasing use of networked control and automation systems and connected technologies, the efficiency and the safety of railway services are improving. However, this dependence on automation, control and communication technologies makes railway systems increasingly vulnerable to cyber-attacks and security threats, which affects the overall performance. This paper deals with cybersecurity concerns facing these systems. As such, we analyse the characteristics of the railway threat landscape. Then, we discuss the direct impacts of the identified potential threats and their consequences on the whole system, and we evaluate the resulting risks. For space limitation, we choose to present the impact, likelihood and risk analysis for one functionality of the system, namely External Door Control (EDC). Some good practices and related techniques for the development of safer, more comfortable, and more secure future railway systems are also discussed.

Index Terms—TCMS, Cyber-Physical Security, Risk Assessment, Threat, Vulnerability, ISA/IEC 62443

I. INTRODUCTION

The Train Control and Monitoring System (TCMS) is the main part of the control system of a train. It provides a control and monitoring infrastructure that enhances train operations and increases their safety and reliability. The integration of Information and Communication Technologies (ICTs) into the TCMS will improve the efficiency of the railway rolling stock industry, as it enables the implementation of innovative solutions, services and applications in the quest for smarter, safer and more efficient railway transportation systems. The new generation of trains will use real-time rail information and online environmental data in combination with on-board references to achieve optimal control of the train traction and braking while keeping to the travel schedule and reducing energy consumption. Likewise, the train passengers' travelling experience will be improved through services such as connected infotainment, real-time information, etc.

Nevertheless, the process of increasing the incorporation of ICTs into railway systems presents a growing dilemma. On one hand, this innovation has become an urgent need to maintain a competitive edge compared to other transportation systems. On the other hand, the introduction of networked devices, remote access and control capabilities, especially with the emergence of wireless communication systems as alternatives to supplant wired systems in the railway industry, all act to increase the system's exposure to cyber-threats. While cyber-technology is complex and fast evolving, cyber-attacks are also becoming increasingly automated and sophisticated. Their impact on critical infrastructures, in particular railway systems, can lead to catastrophic consequences, no matter whether they are the intended target or not. Attacks on operational systems could lead to the disruption or the unavailability of the rail transport itself. When informational systems are attacked, it can lead to the unavailability of services for the passenger, like being unable to buy a ticket or digitally check a ticket into the system. Consequently, cyber-attacks on the transportation sector create a large impact on society and people's daily life, varying from direct effects such as delays, accidents, injuries or even deaths, to indirect effects, such as socio-economic effects.

The work presented in this paper is conducted within the European project ROLL2RAIL under the task "security for TCMS", which aims to identify convenient security countermeasures and to define the required protection levels of TCMS assets. Yet, such outcomes can be accomplished using a coherent and strategic approach that encompasses all cybersecurity aspects. In ROLL2RAIL, the selected approach is defined by the standard ISA/IEC-62443 [1]. Due to space limitation, in this paper we present the cyber-physical security risk assessment of one functionality of TCMS, namely the external door control. This analysis aims to identify system threats and quantify impacts and expected losses. The proposed countermeasures and mitigation techniques are not presented because they are classified.

The remainder of this paper is structured as follows. Section II shortly introduces the methodology selected to establish a security risk assessment for TCMSs. Then, in section III, we identify the System under Consideration (SuC) for the security risk assessment. Next, in section IV, the railway threat landscape is discussed through threat and vulnerability assessments. In section V, we present an impact, likelihood and risk analysis of potential threats against the SuC. Finally, in section VI, we review some good practices to be used in transportation systems in order to minimise the identified risks.

II. RISK ASSESSMENT METHODOLOGY

Traditional information systems security is usually based on the CIA principle, standing for Confidentiality, Integrity and Availability, in priority order. However, for an Industrial Automation Control System (IACS) such as TCMS, the priority is generally reversed, depending on the specificities of the considered system. For railway systems, the most important aspect is the train movement; for that, the security concern is first integrity, then availability and finally confidentiality. In fact, loss of integrity could lead to accidents or collisions, whereas loss of availability would bring the railway system to a halt. Loss of confidentiality is less of an immediate threat, but might result in the leak of sensitive operational information. As such, standards and methodologies developed for traditional information technology systems cannot be applied directly. This issue has received attention not only from researchers, but also from public authorities and standards committees during the last few years. Thereby, several information security standards have
been proposed to address security issues for the particular case of IACS, such as ISO/IEC 27000 [2], ISO/IEC 15408 Common Criteria [3], ISA/IEC 62443 [1], EN 50159 [4], RFC 2196 [5], ETSI TS 102 165 [6], German standards like DIN VDE V 0831-102 [7] and DIN VDE V 0831-104 [8], US standards like FIPS PUB 199 [9], FIPS PUB 200 [10] and NIST Special Publications (SP) like SP 800-37 [11], SP 800-53 rev. 4 [12], etc. An extensive study on security standards and guidelines for IACS is available in [13]. Among these security standards, ISA/IEC 62443 is considered the most important one for the ROLL2RAIL project. The ISA99 committee, which is responsible for generating the specifications, has made great efforts to bring together the numerous standards and recommendations that exist and then to create a comprehensive set of documents that is consistent and broadly applicable in virtually any industrial sector. This, and the fact that these specifications have now been recognized by industry worldwide through simultaneous adoption by the IEC, give the ISA/IEC 62443 series a strong chance to be a single definitive set of international standards for IACS cybersecurity. This is also testified by the fact that it is recognized as the pivotal security standard for the Industry 4.0 project [14] and that it will be adopted by CENELEC [15].

The standard ISA/IEC-62443 [1] provides guidance to improve electronic security and helps reduce the risk of compromising confidential information or causing degradation or failure of the equipment (hardware and software) of systems under control. Thereby, ISA/IEC-62443 improves the availability, integrity and confidentiality of components or systems used for industrial automation and control, thus enabling the implementation of secure IACS.

The security risk assessment methodology proposed by ISA/IEC-62443 is composed of 13 steps, as presented in Fig. 1. The identification of the SuC is the first step of the methodology. It consists of a functional and design specification phase that aims to identify the physical and Information Technology (IT) assets of the system. Steps 2 and 3 address the system threat landscape through threat and vulnerability assessments. Once potential threats and system vulnerabilities are identified, their direct impacts and cascading consequences on the whole system should be studied in step 4. Then, the likelihood of each identified threat should be determined in step 5. Step 6 consists of the calculation of the unmitigated risk in a risk matrix using the determined likelihood and impact levels. In step 7, the risk created by each identified threat should be evaluated based on the risk matrix. In step 8, countermeasures should be identified to mitigate the risks evaluated as unacceptable. Then, likelihoods and risks should be re-evaluated in order to measure the effectiveness of the proposed solutions. In case some risks are still evaluated as unacceptable, a set of additional countermeasures should be proposed and then steps 9 and 10 should be repeated until all risks become acceptable. At the end, the security risk assessment should be closed by a documentation phase.

Fig. 1: ISA/IEC-62443 security risk assessment methodology (flowchart; the step labels, their inputs and their outputs are recovered from the figure)
Start of the security risk assessment
Step 1: System Identification. Output: list of SuC assets
Step 2: Threat Assessment. Input: threat information sources (e.g. historical data). Output: list of potential threats against the SuC
Step 3: Vulnerability Assessment. Input: previous vulnerability assessment, databases, etc. Output: list of vulnerabilities of the SuC
Step 4: Assessment of consequence and impact determination. Input: threats, vulnerability assessments. Output: impacts
Step 5: Assessment of likelihood determination. Input: lists of threats and vulnerabilities. Output: unmitigated likelihoods
Step 6: Unmitigated security risk calculation. Input: attack potential, likelihoods, impacts and risk matrix. Output: unmitigated security risk
Step 7: Risk evaluation. Input: risk matrix with tolerable risk. Output: unmitigated security risk evaluated
Step 8: Identification of countermeasures. Output: list of countermeasures
Step 9: Likelihood and impact re-evaluation. Input: list of applied countermeasures. Output: updated likelihood and impact assessment
Step 10: Residual security risk calculation. Input: updated likelihoods, impacts and risk matrix. Output: residual security risk
Decision: are all residual risks below or at tolerable level? No: Step 11: Application of additional countermeasures, then back to step 9. Yes: Step 12: Documentation and communication of the results. Output: detailed risk assessment report
End of the security risk assessment

In this paper, we present the security risk assessment of the EDC functionality based on the IEC 62443 methodology.

III. SYSTEM IDENTIFICATION

In this section, we present the system under consideration for the security risk assessment.

A. Train Control and Monitoring System (TCMS)

The TCMS of a train is mainly responsible for providing basic train control functions, such as inaugurating the train network, determining train topology and configuration, providing orientation information for coupled elements, managing leading vehicle information, distributing train topology and configuration, confirming train configuration, managing train network operation, managing train network access and transmitting data. Nevertheless, with the integration of advanced ICT in the railway industry, the TCMS is expected to manage a set of sophisticated applications not only for more reliable train control, but also for operator-oriented services and customer comfort purposes. For operational and security purposes, control system ICT should be separated from comfort ICT; as such, the TCMS is clustered into 3 functional domains [16][17][18][19]:

∙ Train Control and Monitoring System (TCMS) domain includes both safety-related and non-safety-related TCMS functions. The functions of this domain are mandatory to ensure safe train movement and to ensure carrying the payload, such as: main control, train radio, air conditioning, propulsion, brakes, electricity, lavatories, lighting, supporting systems, passenger announcement system, external doors and internal doors, European Train Control System (ETCS), Automatic
Train Protection (ATP), On-board Driving Data Recording System (ODDRS), passenger alarm system and Closed-circuit television (CCTV) for rear view purposes.

∙ Operator Oriented Services (OOS) domain is where all auxiliary services for proper train operation are considered, such as: priority logic, CCTV for video surveillance purposes, infotainment in train embedded devices, mobile phone amplifiers, automatic passenger counting, vehicle positioning, fare management or ticketing, driver assistance system, E-schedule, diagnostics and Condition Based Maintenance (CBM) systems and Passenger Information System (PIS) (including automatic announcements).

∙ Customer Oriented Services (COS) domain includes the functions executed by passenger devices such as: access for the passengers' devices (e.g. Wi-Fi access points), access to the public internet and passenger info-portal.

This three-level model, presented in Fig. 2, aims to increase the system flexibility, scalability, and adaptability for future evolutions.

Fig. 2: SuC functional domains based model [16] (figure; labels recovered: TCMS, External Actors, On-Board Communication Network)

To accomplish all the functionalities mentioned above, system actors and devices need to exchange data and commands using communication networks in different communication schemes such as intra-train, train-to-train and train-to-ground communications. Communication networks for future railway systems are expected to be heterogeneous, composed of a mixture of several networks and radio access technologies that can be simultaneously accessed by different system actors and devices in order to improve the capacity for communications. For instance, ROLL2RAIL proposes the use of a heterogeneous network architecture combining wireless technologies, such as cellular networks like LTE, IEEE 802.11 and RFID, and wired networks, where the advantages and specificities of each access network can be taken into consideration [17]. For safety and security purposes, access between different domains will be limited. Indeed, as shown in Figure 2, the proposed architecture also includes additional network protection devices between different functional domains.

B. External Door control function

Due to space limitation, in this paper we focus on presenting the impact, likelihood and risk evaluation (from step 4 to step 7 in the risk assessment methodology) only for the EDC system from the TCMS domain. As such, in this section, we provide a detailed description of the EDC system.

Based on the IEC-61375 Standard [20], a distributed train functionality is accomplished using several function interfaces installed within the train in a hierarchical way aiming to remotely control processes.

∙ one Function Leader (FL), which is responsible for controlling the function by stimulating the Function Followers (FFs) (sending commands) and for receiving the reactions from the FFs (receiving status);

∙ one or more Function Follower(s) (FF), at most one per consist network, which is responsible for receiving the commands from the FL and for stimulating the Function Devices (FDs). The reactions received from the FDs are cumulated by the FF and provided as the function status of the consist to the FL;

∙ one or more Function Device(s) (FD), which receive the commands from the FF, execute the function operations and report the results to the FF.

These parts of the application are distributed over the consists of the train. Different parts of the application in different consists can communicate only via the Train Control Network (TCN).

Likewise, EDC, being a distributed train application, has the same architecture defined above. As presented in Figure 3, the EDC system is controlled by the TCMS through interfaces provided by the Train Door Control Unit (DCU). The Train DCU is then the function leader; it is the controlling part for all doors in the train. The Consist DCU is the function follower; it is the agent for one consist. The DCU is the function device; it is responsible for the physical door. The Door is the physical device dedicated to the DCU. In addition to automatic control interfaces, EDC system parts can be manipulated manually using crew interfaces for maintenance purposes or in case of malfunctioning problems.

Fig. 3: Door Control System (figure; labels recovered: TTDB management device; DMI / Driver; Train DCU (TDCU) / TDCU Crew interface / Train Crew; Consist DCU (CDCU) / CDCU Crew interface / Train Crew; DCU / DCU Crew interface / Train Crew; Door / local door handle / Passenger)

IV. RAILWAY THREAT LANDSCAPE

A. Threat Assessment

In this section, we study potential threats against TCMS and their characteristics. As such, we present a threat taxonomy that
covers mainly cybersecurity threats, which are threats directly applied to ICT assets and thus affecting TCMS operations. We also present non-IT threats to cover threats to the TCMS physical assets that are necessary for the system operation. Based on several recent studies published by the European Union Agency for Network and Information Security (ENISA) [21][22][23], we identify potential threats against TCMS. These threats can be classified into the following categories:

∙ Physical attacks. This type of threat is caused by intentional offensive actions aiming to achieve maximum distraction, disruption, destruction, exposure, alteration, theft or unauthorized accessing of assets such as hardware or ICT connections.

∙ Unintentional damages. These are caused by accidental insider actions [24] including human errors [25]. Unintentional mistakes can be made by authorized employees, users, developers, and testers during data entry, operations, or application development. Such errors can affect the system integrity and stability.

∙ Outages and disasters. This category contains unexpected disruption of services due to outages and disasters, including natural and environmental disasters not triggered by humans.

∙ Failure and malfunctions. This category covers unexpected failure or disruptions of devices or systems, including hardware, software and ICT connection failure or malfunctioning.

∙ Eavesdropping/Interception/Hijacking. This type of threat contains cyber-attacks and intentional malicious activities or abuse targeting digital assets of a system. Threats from this category consist of altering communication between two parties. These attacks do not have to install additional tools/software on a victim's site.

∙ Nefarious activities. This category also contains cyber-attacks and intentional malicious activities or abuse targeting digital assets of a system. However, attacks belonging to this category usually require the use of tools by the attacker. As such, the threat is accomplished through the installation of additional tools/software or performing additional steps on the victim's IT infrastructure/software.

The identified threats can be conducted by several types of actors with different motivations. They can be:

∙ Nation states targeting other nations' critical infrastructures, including railway systems. In fact, these systems provide essential services for a nation's society and serve as the backbone of its economy, security, and health. As such, they become a significant target in modern cyber-warfare. Attacks performed by such actors can be politically or economically motivated.

∙ Non-state organized threat groups including cyber-terrorists, cyber-fighters and cyber-criminals. Common to all these threat actors is that they can be organized on a local, national or international level. However, their motivations and skill level vary. Cyber-terrorists have political or religious motivations and their capability varies from low to high. Cyber-fighters are patriotically motivated groups of citizens with strong feelings when their political, national or religious values seem to be threatened by another group, and are capable of launching cyber-attacks to protest. Cyber-criminals are organized groups with quite a high skill level that attack systems for financial gain.

∙ Insider threat agents including employees (staff, contractors, operational staff) and third parties (vendors, system integrators, and other third-party service and product providers) are considered dangerous threat actors since they have insider access to private facilities and resources and a significant amount of knowledge that allows them to place effective attacks against sensitive parts of the system.

∙ Hacktivists, who are attackers, in many cases with limited technical skills, who rely on ready-to-use attack kits and services, or even third-party botnets, to cause damage to a system, e.g., denial of service or defacement as a means of protest. Their protests are often politically motivated.

∙ Business-oriented attackers interested in performing abusive activities against competitor-controlled cyber-physical systems in order to cause concrete damage and gain business advantages.

∙ Casual cyber-attackers with little or no technical skills, launching attacks against connected systems and causing serious damage, especially when it comes to connected control systems. It is important to note that individual non-state attackers (such as hacktivists, business-oriented attackers and casual attackers) could also be considered by nation states as allies in a low-intensity warfare against an opponent nation.

The aforementioned actors are driven by several categories of motivations. We identify two main motivations:

∙ Political purposes. Since railway systems are part of a nation's critical infrastructure, attacking them is considered a strategic warfare weapon that may cause severe consequences varying from endangering people's lives to financial loss and economic impacts. As these systems become increasingly reliant on ICT, they emerge as an important target for politically motivated cyber-attacks. These warfare strategies are already used and they have multiplied in the past few years. They can be used to cause physical damage or to exfiltrate intelligence or secret information. A well-publicized example is the attack conducted on Iranian nuclear facilities by using the worm Stuxnet [26]. According to [27], Stuxnet was launched by the US and Israel several years ago, in an attempt to sabotage Iran's nuclear program. Actors such as nation states and hacktivists fall in this category.

∙ Financial purposes. Transportation systems, including railway systems, are the backbone of national economies, providing connections for people and goods, access to jobs and services, and enabling trade and economic growth. Attacking such systems results in financial loss to the service providers, but also cascading consequences on other domains. At railway operator level, attacks can be financially motivated in order to cause business disruption and sales loss. This can cause significant long-term economic impact when the reputation of the operators and the trust of customers are impacted [28]. Financially motivated attacks are usually performed by business-oriented actors, but also by nation-state actors driven by economic reasons. This category of motivation also existed before critical infrastructures became an appealing and sensitive target.

B. Vulnerability Assessment

The integration of cyber-physical systems into critical infrastructures brings not only benefits but also a new set of vulnerabilities for the whole system. The exploitation of such cyber-vulnerabilities can lead to physical consequences. Based on [23], we identify vulnerabilities of railway systems. These vulnerabilities are divided into two categories:

1- General vulnerabilities for IACS

∙ Wireless and cellular communications. Although such communication technologies bring several advantages to the system, they introduce typical vulnerabilities because communications take place 'through the air' using radio frequencies and
thus it is difficult to prevent physical access to them, especially in open and accessible areas like public railway infrastructure. The risk of attacks such as interception and intrusion is greater than with wired networks.

∙ Increasing system automation. Although automation control improves safety and global system operations by removing the possibility of human error, it introduces new vulnerabilities since the attack surface increases and therefore the risk of attacks increases.

2- Specific vulnerabilities for the railway use case

∙ Scale and complexity of railway systems. Railway infrastructure is a large-scale international infrastructure. Applying networked technologies across large railway systems increases the number of access points to the system, and thus increases the difficulty and cost. Thereby, securing communications and connectivity between mobile devices over a large area is a complicated task.

∙ Cohabitation between legacy and new systems. Since railway infrastructure is a shared common infrastructure used by different railway companies, the use of legacy equipment and infrastructures introduces new vulnerabilities.

∙ Multiple independent systems. In addition to legacy problems, railway systems are composed of diverse systems such as sensors, computers, payment systems and emergency systems. It is crucial, but difficult, to ensure smooth interfacing, communication and security between such independent and heterogeneous systems. This increases vulnerabilities.

∙ Access to real-time data. Reliable operation of the system requires non-stop real-time data exchange, which may result in costly maintenance and periods of service downtime.

∙ Online passenger services such as timetabling, passenger information and ticket booking are also susceptible to cyber-attacks.

V. IMPACTS, LIKELIHOOD AND RISK ANALYSIS

A. Impacts and Consequences Determination

A risk [29] is the potential that a given threat will successfully exploit vulnerabilities and thereby produce a negative impact on the system, such as confidentiality and privacy problems for the passengers (since the system uses sensing, tracking, real-time behaviour evaluation and automated decisions), interruption and disturbance of transport services which, in addition to dissatisfaction of passengers and disruption of their daily lives, can have secondary consequences on other sectors, loss of revenue, reputation and customers' trust, etc. [23]. However, the most critical impact is when passengers' health and safety are affected. In fact, passengers' safety is the priority for all railway system actors; nonetheless, some incidents may endanger health and safety, not to mention threats coming from terrorism that need to be accounted for when protecting railway systems and infrastructure.

In this step, we investigate the impacts of the potential threats identified in section IV-A. Table I studies, for each threat, the direct impacts and unwanted incidents created on the attacked component and the cascading consequences on the EDC.

The identified impacts can affect one or many areas. We distinguish 3 categories of risk based on the impacted area [30]: safety, financial and operational risks. For each category, we define 3 levels of severity. Regarding the impact determination, we used the method presented in [31] with some modifications. According to [31], the consequences in each category are ranked, as shown in Table II, according to their severity level. Decimal power scaling was used for the rating of the severity of consequences, assigning them the impact value, to distinguish between the severity of consequences both within each area and between areas.

The total impact is calculated as follows:

$\mathrm{Impact} = \mathrm{Impact}_{\mathrm{Safety}} + \mathrm{Impact}_{\mathrm{Financial}} + \mathrm{Impact}_{\mathrm{Operational}}$ (1)

For evaluating the impact, we use a qualitative scale, presented in Table III, taken from [31].

B. Unmitigated likelihood determination

The calculation of the likelihood is a major challenge; it is usually accomplished using the Attack Potential (AP) calculation method specified by the standardized method Common Criteria [32], which is also used by the ETSI TVRA [33] and in the risk analysis approach described in [31]. Following this approach, the attack likelihood is determined in two steps: first, determining the AP and then, mapping the AP to a likelihood. Determining the AP consists of measuring the effort required to mount a successful attack against the considered system. It is assumed that the higher the AP, the lower the likelihood of a successful attack. The factors considered in the identification of the AP and their ranges and values are listed in Table IV (based on [32]).

Then, the accumulated attack potential is calculated as follows:

$AP = AP_{time} + AP_{expertise} + AP_{knowledge} + AP_{access} + AP_{equipment}$ (2)

After the AP calculation step, we move to the AP/likelihood mapping step. To this end, five levels are defined to rate the calculated AP. The rating is done following the approach described in [32]. The AP levels and their mapping to the qualitative scale for the likelihood are shown in Table V.

In the New Dependable Rolling Stock for a more Sustainable, Intelligent and Comfortable Rail Transport in Europe (ROLL2RAIL) project, the likelihood, presented in Table VII, was determined by estimation, because the lack of information about actual attacks conducted on similar systems does not allow calculating the AP.

C. Unmitigated security risk calculation

The unmitigated cybersecurity risk is determined by means of the risk matrix, presented in Table VI, which was defined specifically for the TCMS cybersecurity risk assessment within the ROLL2RAIL project [34]. The risk matrix is used to calculate the resulting level of risk (Likelihood x Impact) and to identify whether it is acceptable or not. In railway systems, a risk is considered unacceptable if its level is major or critical, and acceptable if its level is minor or negligible [34].

The risk matrix also helps in the suggestion of mitigation solutions. In fact, the countermeasures should be deployed in a way that reduces the threat likelihood but never the impact that it could have on the system. As such, if a threat poses an unacceptable risk, we must move in the matrix to the nearest
TABLE I: Impact Analysis for External Door Control functionality (with Train Lines safety functions)

Columns: Threat ID | Threat | Threat description | Asset | Cascading effects

Threat class: Physical threats

PT01 | Vandalism | An attacker could unplug the Access Point from the network or power off the access point. | On-board communication network | The DMI is not able to receive information about doors status. The driver cannot receive information from the DMI to ensure that doors are in the right status (such as to verify that all doors are closed before starting to move). The driver is not able to command the door system; the commands are blocked at the (TDCU-CDCU) level (at the wired level). This also means that the other consists can be out of control. As such, for safety reasons, the Train Line locks the doors. The passengers cannot go out of the train until the doors are opened manually.

PT02 | Vandalism | An attacker could damage door sensors. | Door sensors | The door control system cannot know the state of the concerned door. The damaged door is locked and cannot be used until it is opened manually.

PT03 | Unauthorized physical access / Unauthorized entry to premises | An unauthorized person controls the doors of the train by direct manipulation of the DMI. | DMI | If the attacker tries to open a door, the Train Line locks it and does not allow opening it when the train is moving. If he continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

PT04 | Unauthorized physical access / Unauthorized entry to premises | An unauthorized person can manipulate the door control system through the TDCU crew interface. | TDCU crew interface | If the attacker tries to open a door, the Train Line locks it and does not allow opening it when the train is moving. If he continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

PT05 | Unauthorized physical access / Unauthorized entry to premises | An unauthorized person can manipulate the door control system through the CDCU crew interface. | CDCU crew interface | If the attacker tries to open a door, the Train Line locks it and does not allow opening it when the train is moving. If he continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

PT06 | Unauthorized physical access / Unauthorized entry to premises | An unauthorized person can manipulate the door control system through the DCU crew interface. | DCU crew interface | If the attacker tries to open a door, the Train Line locks it and does not allow opening it when the train is moving. If he continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

PT07 | Unauthorized physical access / Unauthorized entry to premises | An attacker could damage the DMI. | DMI | The door control system cannot be controlled through the DMI. Door control services are inaccessible for the driver. Doors cannot be remotely controlled by the driver. In such circumstances, doors are locked by the Train Line and cannot be used until they are opened manually.

Threat class: Unintentional damage

UD08 | Erroneous use or administration of devices and systems | An employee may accidentally perform erroneous use or bad administration of the door control system in the maintenance phase. | EDC system | A bad or erroneous administration and configuration of the system may lead to erroneous actions and/or improper monitoring commands. In this case, the whole door control system could stop working, and doors could be blocked at their current status. The train cannot move until the door control system is fixed. Such an incident may also increase the cyber-physical vulnerabilities of the systems and create entrance points for other potential threats.

UD09 | Using information from an unreliable source | Erroneous configuration, installation or maintenance data may be used from unreliable sources. | EDC system | This can lead to malfunctioning of the door control system or stopping it completely. Doors could be blocked. The train cannot move until the door control system is fixed. Such an incident may also increase the cyber-physical vulnerabilities of the systems and create entrance points for other potential threats.

UD10 | Unintentional change of data in the system or destruction of records | Recorded data about the state of the system may be changed or deleted. | EDC system | The system usually records data about system functioning with the aim of using them not only for maintenance purposes, but also to strengthen the system against the problems and incidents occurring during operation. Such an incident leads to loss of operational data.

Threat class: Failures/Malfunction

FM11 | Failure of device or systems | In case of a hardware failure in the DMI and/or TDCU, the driver is not able to command the whole door system. For a TDCU crew interface hardware failure, the crew is not able to isolate a specific consist from door operation. In both cases, the failure is at the train level. | DMI, TDCU and/or TDCU crew interface | The Train Line locks the doors. The passengers cannot go out of the train until the doors are opened manually.

FM12 | Failure of device or systems | In case of a hardware failure in the CDCU, the driver is not able to command the door system at the concerned consist. For a CDCU crew interface hardware failure, the crew is not able to lock or release doors in a specific vehicle of the concerned consist. | CDCU and/or CDCU crew interface | The system may be locally affected; doors at the failed consist cannot be controlled. The Train Line locks the doors of the affected consist. The passengers cannot go out of the consist until the doors are opened manually.

FM13 | Failure of device or systems | Hardware failure: DCU and/or DCU crew interface. | DCU and/or DCU crew interface | The door connected to the failed DCU fails. The Train Line locks the affected door. The door cannot be used until it is opened manually.

FM14 | Failure or disruption of communication links | Software or hardware failure. | On-board communication network | No data exchange. The DMI cannot receive any information about doors status. The driver cannot receive information from the DMI to ensure that all doors are closed before starting to move; as such the train cannot move. Commands are also blocked at the DMI-TDCU level, so the driver is not able to command the door system. For safety reasons, the Train Line locks the doors. The passengers cannot go out of the train until the doors are opened manually.

Threat class: Outage

O15 | Network outage | Outage of the cable or wireless network. | On-board communication network | No data and monitoring commands are exchanged between door control system entities. The DMI cannot receive any information about doors status. The driver cannot receive information from the DMI to ensure that all doors are closed before starting to move; as such the train cannot move. Commands are also blocked at the DMI-TDCU level, so the driver is not able to command the door system. In case the train is moving, the driver is also unable to command the door system; as such, for safety reasons, the Train Line locks the doors. The passengers cannot go out of the train until the doors are opened manually.

Threat class: Eavesdropping

E16 | Network reconnaissance, network traffic manipulation and information gathering | Malicious activities may be performed with the aim of identifying information about the network to find security weaknesses. | On-board communication network | An attacker may learn about weaknesses of the network and use them to disturb the door control system or disconnect its assets.

E17 | Man in the middle / Session hijacking | An attacker can conduct a MiTM attack and sniff the data and command traffic exchanged between the different door control system entities. As such, he can reveal the content of door command and status messages (on train level). | On-board communication network | Operational information could be disclosed.

E18 | Man in the middle / Session hijacking | An attacker may send a falsified door command on the train level (to the TDCU). | On-board communication network - TDCU | The Train Line locks the doors and does not allow opening them when the train is moving. If the attacker continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

E19 | Man in the middle / Session hijacking | An attacker may send falsified door status information to the DMI and/or TDCU. The driver receives erroneous information about door status. | On-board communication network - DMI - TDCU | The driver receives a false "doors open" signalisation; as such he cannot move the train until the DMI notifies him that all doors are closed.

E20 | Man in the middle / Session hijacking | An attacker may send a falsified door command on the consist level (to the CDCU). | On-board communication network - CDCU | The Train Line locks the doors and does not allow opening them when the train is moving. If the attacker continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

E21 | Man in the middle / Session hijacking | An attacker may send falsified door status information to the CDCU (on consist level). The driver receives erroneous information about door status at the attacked consist. | On-board communication network - CDCU | The driver receives false information that the doors of the attacked consist are open; as such he cannot move the train until the DMI notifies him that all doors are closed.

E22 | Man in the middle / Session hijacking | An attacker may send falsified information about the actual train/consist composition, or the actual train backbone status, to the TDCU or CDCU (such as an erroneous train orientation). | On-board communication network - TDCU - CDCU | The Train Line locks the doors so as not to allow opening external doors from the wrong side in the station. If the attacker continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

E23 | Man in the middle / Session hijacking | An attacker may send a falsified door command on the individual door level (to the DCU). | On-board communication network - DCU | The Train Line locks the doors and does not allow opening them when the train is moving. If the attacker continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

E24 | Man in the middle / Session hijacking | An attacker may send falsified information about the train speed to the DCU. The doors can be released during train movement, or the doors cannot be released when the train stops. | On-board communication network - DCU | The Train Line locks the doors and does not allow opening them when the train is moving. If the attacker continuously sends "close" commands to the door, the passengers cannot go out of the train until the doors are opened manually.

Threat class: Nefarious activity

NA25 | Denial of Service | An attacker can conduct a Distributed Denial of Service (DDoS) attack at the network layer using several techniques such as protocol exploitation, malformed packets, flooding and spoofing. He can conduct a DDoS attack at the application layer using techniques like Ping of Death, XDoS or WinNuke. He can conduct a DDoS attack on both network and application services using amplification/reflection methods (e.g. NTP, DNS). Such attacks aim to disconnect the network (communication disruption) or degrade its performance, to abuse resources, to alter the network configuration or even to physically destroy or alter network components. | On-board communication network | The DMI is not able to receive information about doors status. The driver cannot receive information to ensure that doors are in the right status. The driver is also not able to command the door system. The door system is out of control. As such, for safety reasons, the Train Line locks the doors. Passengers cannot go out of the train until the doors are opened manually.

NA26 | Malicious code / software / activity | An attacker can access the network and inject malicious code, or install malicious software, to conduct a malicious activity within the system. The attacker can use several techniques such as abuse of resources, worms/trojans, rootkits, elevation of privileges, viruses, rogue security software/rogueware/scareware, exploits/exploit kits. | Door control system | The malicious code or software allows for conducting malicious activities and thus disturbing the system by altering configuration, manipulating data and monitoring commands, disrupting services, disrupting the whole system, changing doors states (unsafe states) or blocking them. The system can also be remotely controlled by the attacker using such techniques. If the system detects an abnormal functioning of the EDC, the Train Line locks the doors and does not allow opening them when the train is moving. If the attacker continuously sends "close" commands to the door, passengers cannot go out of the train until the doors are opened manually.

NA27 | Identity fraud | An attacker can conduct malicious identity theft actions. This can be done using identity-theft malicious computer programs such as credential-stealing trojans. | Door control system | Identity fraud actions allow attackers to access the door control system with more advanced privileges, such as administrator, and thus allow them to commit unauthorized activities such as unauthorised use or administration of devices and systems, unauthorised use of software and unauthorized changes of records. If the attacker attempts to open external doors in inappropriate conditions, the Train Line locks the doors so as not to allow opening them when the train is moving. If the attacker continuously sends "close" commands to the door, passengers cannot go out of the train until the doors are opened manually.

NA28 | Manipulation of hardware and software | An attacker can maliciously manipulate hardware and software components of the door control system. Such attacks are done by taking advantage of some IT vulnerabilities, by accessing the device software (it could also be done through modifications of code or data, attacking its integrity), or by accessing the hardware directly. | Door control system (network, software and hardware) | Loss of control of the system; all door control system components can be damaged. The door control system is disrupted. For safety reasons, the Train Line locks the doors. Passengers cannot go out of the train until the doors are opened manually.

NA29 | Manipulation of information | An attacker can maliciously manipulate recorded data about the state of the system. He can also alter system configurations. | Door control system | This can lead to loss of data for maintenance and control purposes, and to malfunctioning of the system in case of altered configuration data, which can lead to serious problems and endanger the safety of the train and passengers. For safety reasons, the Train Line locks the doors. Passengers cannot go out of the train until the doors are opened manually.
"Acceptable" cell in the vertical direction. To reduce the impact, a change of the architecture of the system is necessary.

According to this risk matrix, any catastrophic impact shall be avoided by design (introducing additional systems in the system architecture) because, independently of the likelihood level, the risk would be unacceptable.

TABLE II: Determination of Impact value

Impact area | Severity level | Description | Impact value
Safety | 1 | Life-threatening injuries (survival uncertain), fatal injuries and/or extreme damage to the environment | 10000
Safety | 2 | Severe and life-threatening injuries (survival probable) and/or large damage to the environment | 1000
Safety | 3 | Light and moderate injuries and/or minor damage to the environment | 100
Safety | 4 | No injuries | 0
Financial | 1 | Existence-threatening financial damage and/or the incident will incur people suing the company, severe impact to the public image of the company | 1000
Financial | 2 | Substantial financial damage, but yet not existence-threatening, and/or the incident may have a serious impact on the public image of the company | 100
Financial | 3 | Undesirable financial damage and/or the incident may have an impact on the public image of the company | 10
Financial | 4 | No or tolerable financial damage | 0
Operational | 1 | Train unusable, i.e., one or more fundamental functions are affected. The train usage is infeasible. | 100
Operational | 2 | Service required, i.e., an important function is affected. The train/vehicle can be used only with massive restrictions. | 10
Operational | 3 | Comfort affected. The vehicle can be used with some restrictions. | 1
Operational | 4 | No relevant effects, i.e., at most an unimportant function is affected and the train/vehicle can be used without restrictions. | 0

TABLE III: Impact level

Impact value | Impact level
0 - 2 | Insignificant
3 - 21 | Medium
22 - 210 | Critical
> 210 | Catastrophic

TABLE V: Likelihood level

AP value | AP level | Likelihood level
0 - 9 | Basic | Certain
10 - 13 | Enhanced Basic | Likely
14 - 19 | Moderate | Possibly
20 - 24 | High | Unlikely
> 24 | Beyond High | Remote

TABLE VI: Risk matrix (rows: likelihood level; columns: impact level)

Likelihood level | Insignificant | Medium | Critical | Catastrophic
Certain | Unacceptable | Unacceptable | Unacceptable | Unacceptable
Likely | Acceptable | Unacceptable | Unacceptable | Unacceptable
Possibly | Acceptable | Unacceptable | Unacceptable | Unacceptable
Unlikely | Acceptable | Acceptable | Unacceptable | Unacceptable
Remote | Acceptable | Acceptable | Acceptable | Unacceptable
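As an added worked example (not the paper's or the ROLL2RAIL project's own tooling), the following Python encodes Tables II to VI and reproduces the Table VII calculation: the per-area impact values are summed, mapped to an impact level, combined with the likelihood in the risk matrix, and the vertical move to the nearest "Acceptable" cell gives the likelihood a countermeasure must reach. The AP factor ratings in the usage section are constructed for illustration, since the paper estimated likelihoods instead of computing AP.

```python
"""Risk calculation of the TCMS assessment described in the paper (Tables II-VI).
Added example; table contents are copied from the paper, code is not the project's."""

# Table II: impact value per (impact area, severity level)
IMPACT_VALUE = {
    "Safety":      {1: 10000, 2: 1000, 3: 100, 4: 0},
    "Financial":   {1: 1000,  2: 100,  3: 10,  4: 0},
    "Operational": {1: 100,   2: 10,   3: 1,   4: 0},
}

# Table III: resulting impact value -> impact level (upper bound inclusive)
IMPACT_LEVEL = [(2, "Insignificant"), (21, "Medium"), (210, "Critical")]

# Table IV: attack potential factors with the value of each rating
AP_FACTORS = {
    "Elapsed Time": {"Hours": 0, "Days": 1, "Weeks": 3, "Months": 7},
    "Expertise": {"Layman": 0, "Proficient": 3, "Expert": 6, "Multiple experts": 8},
    "Knowledge of Target": {"Public": 0, "Restricted": 3, "Sensitive": 7, "Critical": 11},
    "Access": {"Unnecessary or unlimited": 0, "Easy": 1, "Moderate": 4, "Difficult": 10},
    "Equipment": {"Standard": 0, "Specialized": 4, "Bespoke": 7, "Multiple bespoke": 9},
}

# Table V: attack potential value -> likelihood level (upper bound inclusive)
LIKELIHOOD = [(9, "Certain"), (13, "Likely"), (19, "Possibly"), (24, "Unlikely")]

# Table VI: risk matrix, rows from most to least likely, columns as IMPACT_ORDER
LIKELIHOOD_ORDER = ["Certain", "Likely", "Possibly", "Unlikely", "Remote"]
IMPACT_ORDER = ["Insignificant", "Medium", "Critical", "Catastrophic"]
RISK_MATRIX = {
    "Certain":  ["Unacceptable", "Unacceptable", "Unacceptable", "Unacceptable"],
    "Likely":   ["Acceptable",   "Unacceptable", "Unacceptable", "Unacceptable"],
    "Possibly": ["Acceptable",   "Unacceptable", "Unacceptable", "Unacceptable"],
    "Unlikely": ["Acceptable",   "Acceptable",   "Unacceptable", "Unacceptable"],
    "Remote":   ["Acceptable",   "Acceptable",   "Acceptable",   "Unacceptable"],
}


def resulting_impact(severities):
    """Sum the Table II values of the severity chosen per impact area (as in Table VII)."""
    return sum(IMPACT_VALUE[area][level] for area, level in severities.items())


def impact_level(value):
    """Map a resulting impact value to its Table III level."""
    for upper, level in IMPACT_LEVEL:
        if value <= upper:
            return level
    return "Catastrophic"


def attack_potential(ratings):
    """Sum the Table IV factor values; every factor must be rated exactly once."""
    if set(ratings) != set(AP_FACTORS):
        raise ValueError("every AP factor needs exactly one rating")
    return sum(AP_FACTORS[factor][rating] for factor, rating in ratings.items())


def likelihood_level(ap):
    """Map an attack potential value to its Table V likelihood level."""
    for upper, level in LIKELIHOOD:
        if ap <= upper:
            return level
    return "Remote"


def risk_level(likelihood, impact):
    """Look up the Table VI cell (Likelihood x Impact)."""
    return RISK_MATRIX[likelihood][IMPACT_ORDER.index(impact)]


def target_likelihood(impact):
    """Nearest 'Acceptable' cell moving vertically in Table VI: the highest likelihood
    still acceptable for this impact. None means the whole column is unacceptable,
    i.e. the impact has to be avoided by design rather than by lowering likelihood."""
    for likelihood in LIKELIHOOD_ORDER:
        if risk_level(likelihood, impact) == "Acceptable":
            return likelihood
    return None


def assess(severities, likelihood):
    """One Table VII row: severity per area plus the (estimated) likelihood."""
    value = resulting_impact(severities)
    level = impact_level(value)
    return {"impact_value": value, "impact_level": level, "likelihood": likelihood,
            "risk": risk_level(likelihood, level), "target_likelihood": target_likelihood(level)}


if __name__ == "__main__":
    # PT03 (unauthorized manipulation of the DMI) with the ratings of Table VII
    print("PT03:", assess({"Safety": 4, "Financial": 3, "Operational": 2}, "Possibly"))
    # Constructed factor ratings, illustrative only (the paper did not compute AP)
    ap = attack_potential({"Elapsed Time": "Days", "Expertise": "Proficient",
                           "Knowledge of Target": "Restricted",
                           "Access": "Moderate", "Equipment": "Standard"})
    print("AP", ap, "->", likelihood_level(ap))
```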
TABLE IV: Attack potential factors, ranges and values

AP factor | Description | Range (value)
Elapsed Time | The time needed by an attacker to identify a particular potential vulnerability, to develop an attack method and to sustain the effort required to perform the attack against the target. | Hours (0), Days (1), Weeks (3), Months (7)
Expertise | Level of knowledge of the underlying principles, product type or attack methods. | Layman (0), Proficient (3), Expert (6), Multiple experts (8)
Knowledge of Target | Level of target-related knowledge needed to perform the attack. | Public (0), Restricted (3), Sensitive (7), Critical (11)
Access | Level of access to the target system needed to perform the attack. | Unnecessary or unlimited (0), Easy (1), Moderate (4), Difficult (10)
Equipment | Equipment required to identify or exploit the vulnerability and to perform the attack. | Standard (0), Specialized (4), Bespoke (7), Multiple bespoke (9)

When conducting a risk assessment, impacts on the system should be determined without any additional protection system in order to evaluate the real consequences. For the specific case of railway systems, the train necessarily operates with an additional protection control called Train Lines. Train Lines consist of a set of safety functions that aim to protect the train, especially in case of abnormal functioning. For example, for the EDC, the Train Lines system adds door locking and releasing functions, which considerably reduce the impacts of a system malfunction and especially avoid catastrophic ones.

In the context of ROLL2RAIL, we evaluated the impacts of the cyber-physical threats identified in step 2 on the system for both cases: with and without Train Lines safety functions. We started by studying impacts and consequences with the Train Lines safety functions transparent. We noticed that all impacts are evaluated critical or catastrophic (mostly catastrophic). These catastrophic impacts, according to the risk matrix presented in Table VI, cannot be avoided independently of the likelihood of the threat. Therefore, the only way to avoid this case is to change the evaluated architecture by taking into account the existence of Train Lines. As such, for the current analysis, we are conducting the security risk assessment including the Train Lines, therefore reducing the impact of security threats and making it possible to set these threats at an acceptable risk level by introducing new countermeasures in the SuC. Likewise, the impacts presented in Table I are also identified with consideration of Train Lines safety functions.

D. Risk evaluation

Table VII presents the risk evaluation of the threats previously studied in section V-A. From the impact-likelihood combination for each unwanted incident, the risk level can be calculated and identified as acceptable or not following the risk matrix presented in Table VI. In case the risk is unacceptable, countermeasures should be applied in order to reduce the likelihood of the corresponding threats.

VI. GOOD PRACTICES

According to the methodology presented in section II, at this level of the risk assessment, we should identify a set of countermeasures with the aim of eliminating unacceptable risks. However, these countermeasures cannot be presented as they are classified. Instead, in this paper, we present high-level
countermeasures, a sort of good practices that help to design a properly protected TCMS. In Table VIII, we present a first estimation of the time and effort needed to recover from an unwanted incident, some good practices that help to avoid exposure of the system to the identified threats or to limit their impacts, and the existing challenges and gaps that may increase the vulnerability and exposure of the system.

TABLE VII: Risk Analysis for External Door Control functionality (with Train Lines safety functions)

Threat ID | Impact area: severity value (impact value) | Resulting impact value | Impact level | Likelihood level | Risk level
PT01 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Unlikely | Acceptable
PT02 | Safety 4 (0), Financial 4 (0), Operational 3 (1) | 1 | Insignificant | Unlikely | Acceptable
PT03 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Possibly | Unacceptable
PT04 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Possibly | Unacceptable
PT05 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Possibly | Unacceptable
PT06 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Possibly | Unacceptable
PT07 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Unlikely | Acceptable
UD08 | Safety 4 (0), Financial 4 (0), Operational 1 (100) | 100 | Critical | Unlikely | Unacceptable
UD09 | Safety 4 (0), Financial 4 (0), Operational 1 (100) | 100 | Critical | Possibly | Unacceptable
UD10 | Safety 4 (0), Financial 4 (0), Operational 1 (100) | 100 | Critical | Unlikely | Unacceptable
FM11 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Unlikely | Acceptable
FM12 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Unlikely | Acceptable
FM13 | Safety 4 (0), Financial 4 (0), Operational 3 (1) | 1 | Insignificant | Possibly | Acceptable
FM14 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Unlikely | Acceptable
O15 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Unlikely | Acceptable
E16 | Safety 4 (0), Financial 2 (100), Operational 4 (0) | 100 | Critical | Likely | Unacceptable
E17 | Safety 4 (0), Financial 2 (100), Operational 4 (0) | 100 | Critical | Likely | Unacceptable
E18 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
E19 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
E20 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
E21 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
E22 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
E23 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
E24 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
NA25 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
NA26 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
NA27 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
NA28 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable
NA29 | Safety 4 (0), Financial 3 (10), Operational 2 (10) | 20 | Medium | Likely | Unacceptable

VII. CONCLUSIONS

In this paper, we presented a security risk assessment of the EDC system of the Train Control and Monitoring System (TCMS). This work was conducted as part of the ROLL2RAIL project. The security risk analysis showed that the absolute majority of threats target mainly the integrity and availability of the EDC system, which can lead to severe consequences. Regarding data confidentiality, this security property is not of huge impact for the EDC system. During the ROLL2RAIL project, the security risk assessment was conducted for other functionalities of the TCMS. At the end, a set of countermeasures was proposed to strengthen the security of the TCMS against the identified potential threats. The effectiveness of the countermeasures was demonstrated through several iterations of the risk evaluation process.

ACKNOWLEDGMENT

This work was supported by the European H2020 Roll2Rail project. The authors gratefully acknowledge the support provided by this institution.

REFERENCES

[1] ISA-62443: Security for Industrial Automation and Control Systems. Standard, International Society of Automation (ISA), 2016.
[2] ISO/IEC 27000: Information technology – Security techniques – Information security management systems – Overview and vocabulary. Standard, ISO and IEC, 2016.
[3] ISO/IEC 15408-1:2009: Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model. Standard, ISO and IEC, 2009.
[4] EN 50159: Railway applications – Communication, signalling and processing systems – Safety-related communication in transmission systems. Standard, European Committee for Electrotechnical Standardization (CENELEC), 2010.
[5] B. Fraser. RFC 2196: Site Security Handbook. 1997. URL: http://www.faqs.org/rfcs/rfc2196.html, 2003.
[6] ETSI TS 102 165: Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN); Methods and Protocols. Standard, European Telecommunications Standards Institute (ETSI), 2007.
TABLE VIII: Recovery time and efforts, challenges and gaps, and good practices

Columns: Threat class | Threats | Recovery time and efforts | Challenges and gaps | Good practices

Physical threats | Vandalism; Unauthorized physical access / Unauthorized entry to premises | A physical inspection is needed to fix the damaged component and to ensure its normal functioning. | Insecure design or development. | An alarm should be triggered once a door is attacked or damaged. Local door controllers should be properly protected. Physical access to the driver cabin should be limited or avoided.

Unintentional damage | Erroneous use or administration of devices and systems; Unintentional change of data in the system or destruction of records | Software-based vulnerabilities (such as erroneous administration, modification of configuration, etc.) may be fixed by an update of the software. | Concerned staff lacks awareness about security issues and good practices. Insecure design or development processes. | Engage in staff training. Employ identity management systems and advanced authentication techniques (to request additional identification, authentication and authorization techniques for administration processes). Employ alarms to protect digital assets (to add alerting notifications and alarms for maintenance and administration processes, different from and more sophisticated than those used for controlling processes). Establish a recovery process and maintain backups of the recorded data.

Failures/Malfunction | Failure of device or systems; Failure or disruption of communication links | For hardware malfunctions and failures, a physical inspection is needed to replace or fix the failing or damaged components and to ensure their return to normal functioning. Software-based malfunctions and failures may be fixed by an update. | Concerned staff lacks awareness about security issues and good practices. Insecure design or development (especially maintenance tools). | Implement a disaster recovery process and define a degraded mode of operations: a safe mode should be implemented, such as putting all or a number of doors in a safe state (depending on the situation and the state of the train/consist/car), isolating the damaged doors until the problem is solved for safety purposes, etc.

Outages | Network outage | A physical inspection is needed to fix the damaged components and ensure their return to normal functioning. | Insecure design or development. | Implement a disaster recovery process and define a degraded mode of operations.

Eavesdropping | Network reconnaissance, network traffic manipulation and information gathering; Man in the middle / Session hijacking | Recovery time and efforts depend on the attack. | Vulnerabilities caused by the deployment and the use of the communication infrastructure in a public environment. Insecure design or development. | Limit physical access to the communication network. Set up intrusion detection solutions to detect hijacking attempts, or other advanced measures preventing spoofing.

Nefarious activity | Denial of Service; Malicious code / software / activity; Identity fraud; Manipulation of hardware and software; Manipulation of information | Recovery time and efforts generally depend on the attack. Software-based vulnerabilities concerning identification, authentication and authorization may be fixed by updating the software. Some nefarious activities may cause physical damage to components that can no longer be remotely monitored; as such, a physical inspection is needed to ensure the normal functioning of the door control system components. | Vulnerabilities caused by the deployment and the use of the communication infrastructure in a public environment. Insecure design or development. Concerned staff lacks awareness about security issues and good practices. | Limit physical access to all EDC system components. Set up intrusion detection solutions to detect hijacking attempts, or other advanced measures preventing such events. Employ identity management systems and advanced identification, authentication and authorization techniques. Employ alarms to protect digital assets (additional alerting notifications and alarms whenever the configuration is modified or for each administration action on critical components). Establish a recovery process and maintain backups of the system state. Engage in staff training to raise awareness concerning identification, authentication and authorization problems.