Implications of Cyber Security to Safety Approval in Railway

Abstract

The railway domain has a justifiable preoccupation with safety, but less of a focus on cyber security. This could result in the risk of cyber security flaws in current railway systems being unacceptably high. However, in recent years the railway industry has realized the importance of cyber security, and the possible effects cyber security could have on safety functions, necessitating these aspects to also be considered as part of the safety approval. This trend can be seen from the fact that later updates of the railway standards from CENELEC to a larger degree include cyber security. This is also a consequence of the increasing digitalisation trend in the railway sector, as elsewhere in society (e.g., the ERTMS national implementation project in Norway). This paper presents findings from a brief literature study on how railway systems are vulnerable to cyber security threats and discusses how cyber security issues are covered by current railway legislation. Challenges related to the handling of cyber security threats as part of the railway approval processes is then elaborated. The fact that cyber security threats change faster than the pure safety threats must be taken into account. The problem is viewed from an independent safety assessor's point of view. Some major findings of the study are elaborated, and conclusions on how to deal with cyber security as part of the railway approval process are outlined with pros and cons.