CYBERSECURITY IN RAIL: IMPLICATIONS FOR OPERATIONAL SAFETY
Author: Jon Torode
Organization: Purdue University
Category:
Keywords: critical infrastructure, rail, railroad, railway, safety, operational safety
Abstract. The objective of this paper is to raise awareness of the impact that cybersecurity breaches could have on the operational safety of a rail network. It provides an explanation of the link between cybersecurity and the operations and maintenance activities carried out in the rail industry, bridging the knowledge gap between cybersecurity professionals and rail industry leaders. It proposes a framework for classifying threats and provides examples of potential hazards which could manifest under each subcategory defined in the framework. It also provides recommendations to help mitigate some of the key threats which are identified.