Fusing Safety and Security
on a Solid Foundation for ERTMS
A Platform Approach
Reinhard Hametner, Michael Paulitsch, and Alexander Szoenyi
Contact: reinhard.hametner@thalesgroup.com
Safety & Cyber Security
Safety: « The state of being free of risk or danger and the means/actions to obtain this state ».
Cyber Security: « The protection of information systems from theft or damage, as well as from disruption or misdirection of the services they provide ».
The « digital transformation » of Rail Systems requires increased attention on Cybersecurity,
▌ to avoid operational disruption (availability),
▌ access to user confidential data, and
▌ ensure safety is not impaired (system integrity).
TAS Platform Use
Vital HW & SW Platform, common for all Thales signalling applications in Ground Transportation Systems (GTS)
Enables hardware independent signalling applications
CENELEC EN50129 SIL4 Certification
Used in more than 70% of Thales GTS sales:
▌ Route control systems: electronic interlocking - LockTrac
▌ Field equipment: digital axle counters, warning system
▌ Train control systems: ETCS standards L1, L2, L3 - AlTrac
▌ Urban rail management control systems - SelTrac
▌ Traffic management systems: NetTrac Aramis, operation management centre
(Figure: Control Center, Interlocking, Axle Counter, ETCS Onboard)
Safety: Layered Architecture and Design
Currently EN 50159 Cat. 2 for Safety is in place.
Safety is ensured end-to-end
Security has not been explicitly focused on in the past
Products use COTS security components for encryption
TAS Platform – A Generic Safety Case
(Diagram: TAS Platform-based products for Main Line Rail and Urban Mobility (ETCS, Interlocking, On Board, Field Elements) rest on the Generic TAS Platform with Generic CENELEC approval. The TAS Platform System Safety Case covers TAS Platform Services, TAS Platform Engineering & Environment, Core System SW and Core System HW, with Safety Application Conditions (SAC) passed up to the applications; subsystems OCS, MNT, J4S; SW components and HW components each with analyses, verification/validation, check of HW-CS SAC, validation and approval with HW-CS, manufacturing and approval; Distributed Development / Maintenance (Thales).)
Overview TAS Platform – A Closer Look
Safety approval according to CENELEC 50129 SIL 4
TAS Platform Offline Support Tools
Safety layer: Safe Protocol, Fault tolerance, Health monitoring (Online Hardware Testing)
Methodology and Tool chain
System Safety Case
Board support package
Communications interfaces / drivers
Based on COTS hardware / operating system
Kernel patches to address safety, security, and maintainability
Support 25 years of application business logic (with changing underlying hardware and software)
Security functions supplied with COTS components (OS and libraries)
(Diagram, top to bottom: Application Business Logic; TAS Platform OCS, J4S (Java for Signalling), MNT (Maintenance Upload/Download); TAS Platform Core: Core Software, Safety Layer, Fault Tolerance & Communication, Online Hardware Testing, Operating System (Linux, Libraries, Tools …); Core System Hardware)
ISA/IEC 62443
Security Management
▌ Process definition based on ISA/IEC 62443
▌ Customer requirements are considered
▌ TAS Platform as “Component” (ISA/IEC 62443-4-1, ISA/IEC 62443-4-2)
▌ Apply defined Security process
▌ Security process in-line with safety process
Security Vulnerability Management
▌ Part of the security process
▌ CVE management tool developed by Thales
▌ Automatic scan of used Linux packages for possible affected CVEs
▌ Based on CVE NIST database
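The package-to-CVE matching described above, as an added example that is not Thales' tool: a constructed package inventory is checked against a constructed, NVD-style CVE feed. The CVE ids, package names, versions and the simplified record layout are all assumptions; only the boundary key names follow the NVD JSON feed.

```python
import re
# Constructed inventory in the shape of `dpkg-query -W -f='${Package} ${Version}\n'`
# output; packages and versions are sample data, not a real system.
INVENTORY = """\
openssl 1.1.1k-1
zlib 1.2.11-2
busybox 1.30.1-4
"""

# Constructed, simplified records: ids and ranges are placeholders; only the
# boundary key names (versionStart/EndIncluding/Excluding) follow the NVD feed.
CVE_FEED = [
    {"id": "CVE-0000-0001", "package": "zlib",
     "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.12"},
    {"id": "CVE-0000-0002", "package": "openssl",
     "versionStartIncluding": "1.1.1", "versionEndIncluding": "1.1.1j"},
    {"id": "CVE-0000-0003", "package": "busybox", "versionEndExcluding": "1.31.0"},
]

def parse_version(v):
    """Comparable tuple for the upstream part of a version: the Debian revision
    after '-' is dropped (NVD ranges name upstream releases), digits compare as
    ints (1.2.10 > 1.2.9), letter suffixes such as '1k' as strings.  Epochs and
    distro backports are not handled, so hits still need triage against advisories."""
    upstream = v.split("-", 1)[0]
    return tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                 for p in re.split(r"[.+~]", upstream))

def in_range(version, rec):
    """Apply the NVD-style boundary keys; a missing key means unbounded."""
    v, pv = parse_version(version), parse_version
    if "versionStartIncluding" in rec and v < pv(rec["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in rec and v <= pv(rec["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in rec and v > pv(rec["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in rec and v >= pv(rec["versionEndExcluding"]):
        return False
    return True

def scan(inventory_text, feed):
    """Return {package: [cve ids]} for installed packages inside an affected range."""
    installed = dict(line.split(maxsplit=1)
                     for line in inventory_text.splitlines() if line.strip())
    hits = {}
    for rec in feed:
        ver = installed.get(rec["package"])
        if ver is not None and in_range(ver, rec):
            hits.setdefault(rec["package"], []).append(rec["id"])
    return hits
```

With the sample data, zlib and busybox are reported and openssl 1.1.1k is not, because 1.1.1k lies above the inclusive end 1.1.1j.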
TAS Platform in Unsecure Networks
Several security requests received (partly implemented, in implementation, or planned):
▌ Move to “category 3” networks according to CENELEC EN 50159 (unsecure networks)
▌ Deployment of system development processes which consider security throughout the development
▌ Additional “typical” requirements: logs, patch management, authentication modules, …
Challenges:
▌ Long-term availability in the field and safety-conservative updating challenge system security (legacy)
▌ Legacy applications (need continued support) – “don’t change interface/hardware/…”
TAS Platform Security – Patch Management
Following standards: IEC TR 62443-2-3 for Patch Management
Separate safety and security life-cycles
Using suitable architectures and processes or physical separation of security and safety functions
▌ Provide safety and security releases (security releases verified only according to security process)
(Diagram: TAS PLF Safe and Secure Releases with TAS PLF Additional Security Releases in between; comment in draft norm (prEN50129:2016): Safety and Security Life Cycle is Different)
Security Zone and Conduits #1
Zones and conduits defined according to ISA/IEC 62443-3-3
Up to now all components are in one zone
Only up to EN 50159 Cat. 2 network is possible
Security Zone and Conduits #2
Security Features (CyberGate as integrated firewall)
Connection to other zones possible by conduits
Enabled for EN 50159 Cat. 3 network
TAS Platform (A) is exchangeable without re-certification of safety-critical functionality and TAS Platform (B)
Security Zone and Conduits #3
Isolation Layer / MILS Platform (Multiple Independent Levels of Security)
Separate security from safety
Performance / resource usage by security features must be restricted and predictable
Availability through redundancy (independent boards, links, and CyberGate instances)
Safety-critical functionality is always provided with redundancy
Summary
Security is becoming a real concern
Multiple security assessments and customers have driven and are driving improvements of Thales applications and TAS Platform
TAS Platform architecture has already been ready for security extensions – simple integration of security functions
Overlaps in processes in achieving security and safety
We are ready!
And, never stop improving …
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2017 All rights reserved.
CERTMILS Contract No: 731456
“This work/project has received funding from the European Union’s Horizon 2020 research
and innovation programme under grant agreement No 731456.”
If you need further information, please contact the coordinator:
Technikon Forschungs- und Planungsgesellschaft mbH
Burgplatz 3a, 9500 Villach, AUSTRIA
Tel: +43 4242 233 55 Fax: +43 4242 233 55 77
E-Mail: coordination@certmils.eu
The information in this document is provided “as is”, and no guarantee or warranty is given that the information is fit for any particular purpose. The content of this document reflects only the author’s view – the European Commission is not responsible for any use that may be made of the information it contains. The users use the information at their sole risk and liability.