Safety & Security Principles for Railway Automation Prof. Dr. Jens Braband siemens.com/mobility © Siemens AG 2017


Page 1: Safety & Security Principles for Railway Automation

Safety & Security Principles for Railway Automation
Prof. Dr. Jens Braband

siemens.com/mobility
© Siemens AG 2017

Page 2: Safety & Security Principles for Railway Automation

© Siemens AG 2017, November 2017, Page 2, Mobility Division / Mobility Management

Agenda

Short introduction to Railway Automation

Some stories…

So what’s the problem?

Eight Safety and Security Principles

Conclusion

Page 3: Safety & Security Principles for Railway Automation


Siemens Mobility Management

• … has, as a leading manufacturer in the field of mobility solutions, a unique range of integrated technologies for passenger mobility and cargo logistics.

• … generates new revenue and savings potential for cities and communities by means of flexible road usage fees and operator models for traffic management and services.

• … combines hardware, software and services to form innovative products, systems and solutions, from components through to complete turnkey solutions.

• … optimizes infrastructures for rail and road by means of automation, digitization and electrification throughout the entire value chain.

• … offers new technologies for sustainable mobility and logistics, e.g. Controlguide Dispolino, Trackguard Sinet or adaptive, environment-oriented road traffic control, achieving significant energy savings.

[Map] Copyright: Siemens AG / © 2014 Google, Map data © 2014 GeoBasis-DE/BKG (© 2014), Google

Page 4: Safety & Security Principles for Railway Automation


Siemens Mobility Management: Key Facts

[World map of locations] Headquarters: Berlin. Employees: 12,200. Legend: headquarters, segment headquarters, location.

Locations shown: Austin, Pittsburgh, New York, Novato, Louisville, Marion, Jacksonville, London, Poole, Chippenham, Caracas, São Paulo, Midrand, Singapore, Mumbai, Dubai, Beijing, Xi'an, Rouiba, Madrid, Wallisellen, Ankara, Vienna, Zilina, Lisbon, Châtillon, Augsburg, Berlin, Braunschweig, Erlangen, Hamburg, Munich, Brisbane, Melbourne, Brno.

Page 5: Safety & Security Principles for Railway Automation


Portfolio Overview: Rail Automation

• Mainline: Operations control and safety systems as well as products for monitoring and controlling to ensure safe and efficient long-distance rail services

• Mass Transit: Automatic train control systems and signaling products monitor all vehicle movements to make mass transit operations efficient and cost-effective

• Freight & Products: Rail Automation solutions for the specific needs of yards and industrial, mining and freight trains to ensure a just-in-time delivery

Page 6: Safety & Security Principles for Railway Automation


Rail Automation: Mass Transit

[System diagram of a mass transit line; labelled components: passenger information system, CCTV, operations control center, LED signal, train control system, access point, passenger announcement, CBTC system]

Page 7: Safety & Security Principles for Railway Automation


Some recent railway news stories …

• German TV broadcast a demo by a hacker who claimed he could hack the automated metro system in Nuremberg [BR].

• An IT consultancy reported that they registered about 2.7 million access attempts to a honeypot looking like a railway control system within six weeks [KORAMIS].

• A scientist said to be a government adviser claimed that ERTMS might be endangered by cyber threats, in particular malware [BBC].

• On October 4, 2015, a fire completely destroyed an interlocking at Mülheim/Ruhr station in Germany, leading to severe service disruptions in the Ruhr area expected to last more than six months [DIE WELT].

• Many railway operators try to enhance their service by predictive maintenance, collecting data from the systems in the field 24/7 [IET].

Page 8: Safety & Security Principles for Railway Automation


What’s the problem?

If it’s not secure, then it’s probably not safe! (DoT, UK)

Safety and Security have
• complementary goals
• different regulatory authorities
• different terminology
• different communities
• different standards
• …

[Photo] Thilo Parg / Wikimedia Commons, License: CC BY-SA 4.0

Page 9: Safety & Security Principles for Railway Automation


What’s in and what’s out…

Page 10: Safety & Security Principles for Railway Automation


Principle 1: Safety and Security are different and should be treated as such

Some proposed distinctions
• benevolent ↔ malicious
• danger to the environment ↔ threat from the environment
• unintentional ↔ intentional
• slow changes ↔ rapid changes

[Cartoon: the safety expert … and the security expert]

Page 11: Safety & Security Principles for Railway Automation


Principle 2: Security shall protect essential functions incl. safety

1. Security approaches need to be holistic and realistic to be successful.

2. Security provides an environment in which essential functions are not adversely affected.

3. Safety evaluations are based on the assumption of effective security measures.

[Diagram; labels: security protected environment, essential functions and safety functions, vulnerability, operation environment]

Defense-in-depth is advised.

The weakest link in the chain matters…

Organizational, physical and IT defenses need to be coordinated.

Page 12: Safety & Security Principles for Railway Automation


Principle 3: Separate Security and Safety as far as possible …

Safety
• Impact on: physical harm to humans; environment
• Transparency on: methods, measures, defects
• Rather static field
• Foreseeable misuse

Security
• Impact on: availability, integrity, confidentiality
• Confidentiality on: methods, measures, vulnerabilities
• Highly dynamic field
• Intentional and unintentional manipulation
• Criminal intent

More items of separation:

• Different experts and methods
• Different processes and timelines
• Different laws, technical regulations and standards

Page 13: Safety & Security Principles for Railway Automation


… but coordinate them effectively

[Diagram of the two domains and their coordination]

Safety domain: Safety Management; Safety Risk Assessment (analysis related to physical harm to humans and the environment); Identified Safety Measures; Safety Design.

Security domain: Security Management; Threat-risk Assessment related to availability, integrity and confidentiality, also with impact on Safety (support by Safety Expert); Identified Security Countermeasures; Security Environment.

Between the domains: Conflict Resolution & Compatibility; each domain references the other.

Page 14: Safety & Security Principles for Railway Automation


Principle 4: Security shall be evaluated based on international standards

Page 15: Safety & Security Principles for Railway Automation


Additional Technical Principles

Principle 5: Threat & Risk Analysis is the interface to Safety Analysis
• Safety Analysis is concerned with the proof that Security cannot impact Safety Functions
• Safety should only reference adequate Security Standards
• Safety can rely on appropriate Security Certificates

Principle 6: It is impossible to evaluate Security Risk probabilistically
• Security attacks have a systematic nature; there are no laws of nature behind them
• Security should be treated qualitatively, similar to SW faults in Safety

Principle 7: Safety and Security Target measures shall not be coupled
• There is no intrinsic relation between Safety Integrity Level (SIL) / Performance Level (PL) and Security Level (SL) / Protection Level (PL)
• Nevertheless, Safety Functions can support Security as part of Defense-in-depth

Page 16: Safety & Security Principles for Railway Automation


Principle 8 (last but not least): Security is a collaborative continuous effort

Page 17: Safety & Security Principles for Railway Automation


Conclusion: Security principles have to become part of our DNA

• Safety and Security have to be separated as far as reasonable but need effective coordination

• An adequate level of integrity, availability, traceability and confidentiality is needed from the Security environment

• Products, systems and services have to be developed and used in accordance with the applicable legal and normative standards

• IT security has to be reflected holistically in all relevant processes and supported by adapted procedures and tools by all stakeholders

Page 18: Safety & Security Principles for Railway Automation


Thanks for your attention! Questions?

Prof. Dr. Jens Braband

Siemens AG, Mobility Division, Mobility Management

Ackerstr. 22, 38126 Braunschweig, Germany

E-mail: [email protected]