Abstract
Cyber security has emerged as an important issue for urban railway systems (URS) due to the increasing usage of information and communication technologies (ICT). As a safety-critical public infrastructure with complex, interconnected, and often legacy systems, URS pose challenges for stakeholders seeking to understand cyber threats and their impact, and prioritize investments and hardening efforts. However, other critical infrastructure industries such as the energy sector offer best practices, risk assessment methodologies, and tools that may be both useful and transferable to the railway domain. In this work we consider one successful security initiative from the energy sector in North America, the development of common failure scenarios and impact analysis (NESCOR failure scenarios), and assess their applicability and utility in URS. We use a publicly-available software tool that supports failure scenario analysis to assess example failures on railway supervisory control systems and identify directions for further improving railway failure scenario analysis.
Acknowledgments
This work was supported in part by the National Research Foundation (NRF), Prime Minister’s Office, Singapore, under its National Cybersecurity R&D Programme (Award No. NRF2014NCR-NCR001-31) and administered by the National Cybersecurity R&D Directorate. It was also supported in part by the research grant for the Human-Centered Cyber-physical Systems Programme at the Advanced Digital Sciences Center from Singapore’s Agency for Science, Technology and Research (A*STAR).
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Temple, W.G., Li, Y., Tran, B.A.N., Liu, Y., Chen, B. (2017). Railway System Failure Scenario Analysis. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2016. Lecture Notes in Computer Science, vol 10242. Springer, Cham. https://doi.org/10.1007/978-3-319-71368-7_18
DOI: https://doi.org/10.1007/978-3-319-71368-7_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71367-0
Online ISBN: 978-3-319-71368-7
eBook Packages: Computer Science, Computer Science (R0)