ERTMS

European Rail Traffic Management System

By Joe Ferguson

Safety and Capacity

  • ERTMS means that a central system can instruct each train to go faster when there is a sufficient gap to the train in front, or to go slower when it calculates that this is the safe thing to do.
  • ERTMS has been designed to:
  • Enhance performance
  • Increase capacity
  • Increase resilience
  • Communicate securely
  • It will be rolled out across the UK and Europe over the next ten years.
  • The following slides look at how it works on the Thameslink service through central London and go on to examine some of the threats that might be encountered. ERTMS will support some of Britain's most critical national infrastructure and must be kept safe and operational.
ERTMS

ERTMS: How does it work?

Basic Components

This shows the Class 700 (C700) train, which is supplied via a ROSCO to GTR by Siemens and maintained by Siemens. Siemens use Energy X to manage and analyse the train's energy usage, and DEMON for train loading and passenger counts to support 'ridership' analysis.

Siemens diagnostics allow interrogation of data from Com@RL. The Radio Block Centre (RBC) is the main trackside component of ETCS: it supervises train movement and issues Movement Authorities (MAs) to trains.

GTR are responsible for operating the trains on time and for feeding customer/passenger information systems with the operating schedules.

ETRSM: How does it work?

Basic Communications

As well as providing train and station crew to operate the service, GTR are responsible for the Back-Office Server System (BOSS), which passes third-party data sources to the Com@RL.

The Com@RL is essentially the communications gateway that passes data between shore-side systems and Class 700 units. The Network Rail Train Planning System feeds into Darwin. The most important communication link in ETCS is the one from the Network Rail RBC to the C700.

The RBC is a computer-based system that generates messages to be sent to the train on the basis of information received from external systems, for example the interlocking or the ERTMS onboard equipment. These messages consist of a series of data packets that carry the information needed to operate fitted trains.

ETCS

The Service Control Centre houses terminals for managing speed restrictions and adhesion, and can also inhibit (over-ride) Automatic Train Operation.

Automatic Train Operation

ATO is an on-board system of the Class 700 train used on Thameslink. Network Rail provides the infrastructure to support ATO. A shore-based system called Automatic Train Regulation (ATR) holds the geographic route map of the core and the base timetable and, for each train, automatically updates both dwell time and run time to next station.

ATR optimises these parameters to keep the service to time, whilst the signaller may make manual adjustments if necessary.

Vulnerabilities

  • GSM-R, developed in the 1990s, is circuit-switched technology; it needs to be replaced with packet-switched technology.
  • It relies on Triple DES, built on the 1970s DES cipher: single DES was publicly broken in the late 1990s and NIST has since deprecated Triple DES as well. In ERTMS the EuroRadio safety layer uses Triple DES to authenticate messages rather than to hide them, so the weakness bears on the integrity of Movement Authorities, and its 64-bit block size limits how much traffic one key can safely protect.
  • Bandwidth is used inefficiently and the radio cannot be used at all in some areas.
  • Future roll-out requires continuous, secure, IP-based wireless communication (the planned GSM-R successor, FRMCS, is IP-based), and later enhancements are expected to add satellite communications.

Threat Sources

  • Competition (industrial espionage): other transport companies, possibly foreign, wishing to bid for franchises might be inclined to welcome disruption and embarrassment to the incumbent.
  • Terrorism: the terrorism threat to European citizens has been constantly elevated for several years and extends to rail transportation and its associated infrastructure, which provide mass transport. Both rail operations and rail infrastructure are recognised as critical priorities because of the economic and security impacts of terrorist attacks.

Extended consequences for surrounding businesses are also expected, as well as damage to the reputation of the railway as a safe and secure transport system. The railway must be seen as an attractive target for security attacks because of its familiarity, ease of access and openness.

  • Crime: once a system has been compromised, or a vulnerability discovered, by a criminal, the likely objective is blackmail, that is, eliciting a payment to prevent an incident. Alternatively, train services may be disrupted to facilitate the execution of an associated or totally unrelated crime, to prevent its detection, or to provide a diversion. All sorts of Hollywood use-cases present themselves as scenarios.

  • Foreign Intelligence Services (FIS) and nation-state actors: FIS have significant financial and personnel resources and access to the latest technological advancements.

The jamming and interception threat from FIS is technically the same as from terrorists, but the motivation differs: government embarrassment and commercial pressure, for example a major disruption to the flow of the workforce in order to harm the financial sector.

  • Insider: employees or third-party contractors who intentionally or accidentally commit malicious actions. This group could also be coerced by other threat actors, such as criminals or FIS, through financial incentives or blackmail.
  • Journalists: journalists could seek out information on particular areas of Thameslink to publish "in the public interest", or to embarrass the companies involved or, more likely, the Government. Investigative journalists may be interested in data relating to vulnerabilities or actual breaches on the Thameslink estate.

What Can We Do?

More Governance

  • DfT and the TLP CSWG
  • Joint working of GTR Information Technology with Operational Technology

Cyber Education

Thameslink as a community (NR, Siemens, GTR) should be given the same cyber awareness training. GTR in particular, as custodians of the IT infrastructure supporting essential services, especially those made vulnerable through the onward connection to bus services, must be made aware of the dangers of phishing: malware introduced this way may spread and cripple the critical systems supporting essential services, and could even endanger train-borne ICT.

Protective Monitoring & Testing

It is highly recommended that the EVC, as well as all other IT and network components, are security tested. It is some time since Siemens presented their Statement of Applicability with confirmation that the C700 had been 'tested'. The most prominent CHECK company in the SCADA arena, which has carried out penetration tests on cars and ships, is Pen Test Partners. https://www.pentestpartners.com/

Incident Management – Practice

Most importantly, incidents, events, anomalies and lessons learnt need to be fed into the respective SWGs and the NCSC CiSP. Learning from events produces better reactions in the future.

Countermeasures

  • Automatic Train Operation: a driver is on board at all times and in communication with shore-side colleagues.
  • Three ways to get a movement authority:
    • GSM-R
    • Balises
    • Manually
  • OPERATION IS DESIGNED TO FAIL SAFE
  • DISRUPTION IS POSSIBLE, BUT SAFETY IS PARAMOUNT
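The two claims above (a Movement Authority is bounded by the train ahead, and operation fails safe when the radio link is lost) can be made concrete with a small model. The Python below is an added example written for this page; it is not ETCS, EuroRadio or Siemens code, and the distances, timeout, braking rate and message shapes are constructed assumptions rather than real parameters. The third scenario goes beyond the slide: it shows what happens if the onboard accepts a Movement Authority that did not come from the RBC, which is exactly the case the safety layer's message authentication exists to prevent.

```python
"""Toy model of an RBC issuing Movement Authorities (MAs) and an onboard unit
that supervises them and fails safe.  All values are constructed assumptions
for illustration, not ETCS/EuroRadio parameters."""
from dataclasses import dataclass
from typing import Callable, List, Optional

SAFETY_MARGIN_M = 200.0   # assumed clearance kept behind the train ahead
MA_TIMEOUT_S = 10.0       # assumed: an MA not refreshed within this time expires
BRAKE_MPS2 = 1.0          # assumed braking rate used by onboard supervision
DT_S = 1.0                # simulation tick


@dataclass
class Train:
    name: str
    front_m: float
    length_m: float
    speed_mps: float
    ma_end_m: float = 0.0             # end of the last MA received
    ma_received_at: float = -1e9      # time of that MA (none yet)
    braking: bool = False
    brake_reason: Optional[str] = None

    @property
    def rear_m(self) -> float:
        return self.front_m - self.length_m

    def braking_distance(self) -> float:
        return self.speed_mps ** 2 / (2 * BRAKE_MPS2)

    def receive_ma(self, ma_end_m: float, now: float) -> None:
        self.ma_end_m = ma_end_m
        self.ma_received_at = now

    def supervise(self, now: float) -> str:
        """Onboard decision each tick: 'run', or the reason the brake is applied."""
        if now - self.ma_received_at > MA_TIMEOUT_S:
            self.brake_reason = "ma_expired"   # radio lost or jammed: fail safe
        elif self.braking and self.speed_mps > 0:
            pass                                # intervention held until stopped
        elif self.front_m + self.braking_distance() >= self.ma_end_m:
            self.brake_reason = "ma_limit"     # would overrun authority: brake now
        else:
            self.brake_reason = None
        self.braking = self.brake_reason is not None
        return self.brake_reason or "run"

    def step(self) -> None:
        if self.braking:
            self.speed_mps = max(0.0, self.speed_mps - BRAKE_MPS2 * DT_S)
        self.front_m += self.speed_mps * DT_S


class RBC:
    """Trackside: an MA ends at the route end or a margin behind the next train."""

    def __init__(self, route_end_m: float) -> None:
        self.route_end_m = route_end_m

    def movement_authority(self, train: Train, trains: List[Train]) -> float:
        ahead = [t for t in trains if t.rear_m > train.front_m]
        if not ahead:
            return self.route_end_m
        leader = min(ahead, key=lambda t: t.rear_m)
        return leader.rear_m - SAFETY_MARGIN_M


def simulate(radio_up: Callable[[float], bool],
             forged_ma_end: Optional[float] = None, ticks: int = 120) -> dict:
    """Leader A stands still ahead; follower B approaches at line speed.
    radio_up(now) models GSM-R availability.  forged_ma_end models an MA the
    onboard accepts from a source other than the RBC (no authentication)."""
    leader = Train("A", front_m=3000.0, length_m=200.0, speed_mps=0.0)
    follower = Train("B", front_m=500.0, length_m=200.0, speed_mps=30.0)
    trains = [leader, follower]
    rbc = RBC(route_end_m=10000.0)
    min_gap_m = float("inf")
    stop_reason: Optional[str] = None
    for tick in range(ticks):
        now = tick * DT_S
        for t in trains:
            if radio_up(now):
                t.receive_ma(rbc.movement_authority(t, trains), now)
            if t is follower and forged_ma_end is not None:
                t.receive_ma(forged_ma_end, now)   # unauthenticated message accepted
            reason = t.supervise(now)
            if t is follower and stop_reason is None and reason != "run":
                stop_reason = reason
            t.step()
        min_gap_m = min(min_gap_m, leader.rear_m - follower.front_m)
    return {"final_front_m": follower.front_m, "final_speed": follower.speed_mps,
            "stop_reason": stop_reason, "min_gap_m": min_gap_m}


if __name__ == "__main__":
    scenarios = [("normal", simulate(lambda now: True)),
                 ("jammed", simulate(lambda now: now < 20)),      # radio lost at 20 s
                 ("forged", simulate(lambda now: True, forged_ma_end=10000.0))]
    for label, r in scenarios:
        print(f"{label:7s} stop={r['final_front_m']:.0f} m  v={r['final_speed']:.0f} m/s"
              f"  reason={r['stop_reason']}  min gap={r['min_gap_m']:.0f} m")
```

In the normal run the follower brakes on the RBC's authority and stops with the safety margin intact; when the radio is jammed the authority expires and the train stops early, which is disruption rather than danger. Only the forged authority produces a negative gap, which is why the integrity of the RBC-to-train link matters more than its confidentiality, and why the strength of the MAC it relies on is the point to scrutinise.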