European Rail Train Management System
ERTMS: How does it work?
Basic Components
This shows the C700 train which is supplied, via ROSCO, to GTR by Siemens and maintained by Siemens. Siemens use Energy X to manage and analyse energy usage by the train and DEMON for train loading and passenger count to assist in ‘ridership’ analysis.
Siemens diagnostics allows interrogation of data from Com@RL. The Radio Block Centre (RBC) is the main trackside component of the ETCS; it is responsible for train movement and issues ‘Movement Authorities’ (MA) to trains.
GTR are responsible for operating the trains on time and conveying customer / passenger information systems with operating schedules.
ERTMS: How does it work?
Basic Communications
As well as providing train and station crew to operate the service, GTR are responsible for the Back-Office Server System (BOSS), which passes third-party data sources to the Com@RL.
The Com@RL is basically the communications gateway that passes data between ‘shore-side’ systems and Class 700 units. The Network Rail Train Planning System feeds into Darwin. The most important communication in the ETCS is that from the Network Rail RBC to the C700.
The RBC is a computer-based system that generates messages to be sent to the train on the basis of information received from external systems, for example the interlocking, or from the ERTMS onboard equipment. These messages are composed of a series of data packets which contain information to support the operation of fitted trains.
The Service Control Centre houses terminals for managing speed restrictions and adhesion as well as being able to inhibit (over-ride) Automatic Train Operation.
Automatic Train Operation
ATO is an on-board system of the Class 700 train used on Thameslink. Network Rail provides the infrastructure to support ATO. A shore-based system called Automatic Train Regulation (ATR) holds the geographic route map of the core and the base timetable and, for each train, automatically updates both dwell time and run time to next station.
ATR optimises these parameters to keep the service to time, whilst the signaller may make manual adjustments if necessary.
Vulnerabilities
Threat Sources
Extended consequences on the surrounding businesses are also expected, as well as the impaired reputation of the railway as a safe and secure transport system. The railway must be seen as an attractive target for security attacks, because of its familiarity, ease of access and openness.
Crime – Once a criminal has compromised a system or discovered a vulnerability, the objective may be blackmail: eliciting a reward to prevent the perpetration of an incident. Alternatively, train services may be disrupted to facilitate the execution of an associated or totally unrelated crime, to prevent its detection, or to provide a diversion. All sorts of Hollywood use-cases present themselves as scenarios.
The threat of jamming or interception could be the same for FIS as for terrorists, though the motivation might be different: more government embarrassment and commercial pressure. The threat might therefore be of a major disruption that severely harms the flow of the workforce and so disrupts the financial sector.
Journalists – Journalists could seek out information on particular areas of Thameslink to provide information “in the public interest” or in order to embarrass the companies involved or, more likely, the Government. Investigative journalists may be interested in data relating to vulnerabilities or actual breaches on the Thameslink Estate.
What Can We Do?
More Governance
Cyber Education
Thameslink as a community (NR, Siemens, GTR) should be given the same cyber awareness training. GTR, particularly, as custodians of the IT infrastructure supporting essential services, especially those made vulnerable through the onward connection to bus services, must be made aware of the dangers of phishing. Should introduced malware spread, it may cripple the critical systems supporting essential services and even endanger train-borne ICT.
Protective Monitoring & Testing
It is highly recommended that the EVC, as well as all other IT/Network components, is security tested. It is some time since Siemens presented their Statement of Applicability with confirmation that the C700 had been ‘tested’. The most prominent CHECK team company in the SCADA arena, having carried out penetration tests on cars and ships, is Pen Test Partners. https://www.pentestpartners.com/
Incident Management – Practice
Most importantly, the incidents, events, anomalies and lessons learnt need to be fed into the respective SWGs and the NCSC CiSP. Learning from events creates better reactions in the future.
Countermeasures