Increased efficiency will result from the roll out of the European Rail Train Management System (ERTMS). ERTMS was pronounced to be a major driver for economic growth early in its development. Passenger number forecasts are rising by 3% per annum, meaning that the current 1.6 billion journeys per year will have risen to three billion by 2035. Some examples of the predicted increase per route are WCML 201%, Thameslink 171%, GW Suburban 108%, South West Trains to Woking 154%, Southern Suburban to Caterham 149%. Handling this capacity is not just aligned to signalling but will need to embrace customer interfaces, ticketing, journey planning, infrastructure operations and the whole operational framework.

ERTMS (especially the ETCS – European Train Control System – element) is very much part of this and should yield around a 40% increase in capacity. Spin-offs include a 10% reduction in delay minutes through better reliability, an 80% reduction in SPADs (signals passed at danger), a 50% reduction in the need for lineside work, energy savings from better regulation of trains and improved utilisation of maximum line speed. Needing to go hand in hand with Traffic Management Systems (TMS), ETCS will be introduced on a route-by-route basis with the initial plan covering the period 2019 to 2029. And we will see, with anxiety, that all this efficiency needs to be protected.

The Threat Landscape contributes to this anxiety. The capability of Hacker Groups to target SCADA and their focus on CPNI (see http://www.il7security.com/threat landscape/) make them a primary threat source. While in the main era of competition between railway manufacturers, Franchisees and ROSCOs the threat has been industrial espionage or criminals.  Today, the threat comes from unfriendly nation states and the potential of terrorism.  Today the heads of the security services (MI5, MI6 and GCHQ) and armed forces readily admit they are at constant electronic war with Russia and China, whilst the risk of friendly fire (in electronic terms) from the USA has never been higher.  The target is the UK Critical National Infrastructure and the Railway is included.  The terrorism threat to European citizens has been constantly elevated for several years and concerns rail transportation and its associated infrastructure which provide mass transport. Both rail operation and its infrastructure are recognised as critical priorities because of the economic and security impacts of terrorist attacks (loss of service, destruction of vehicles, and destruction of infrastructure). Extended consequences on the surrounding businesses are also expected, as well as the impaired reputation of the railway as a safe and secure transport system. The railway must be recognised as an attractive target for security (cyber) attackers, because of its familiarity, ease of access and openness. Coordinated attacks that target different rail services simultaneously show that more subtle actions than bombings can be carried out by terrorists with limited resources and without major financial backing. Terrorists can base their action methods on the vulnerabilities of technologies employed. Equally, electromagnetic terrorism is based on failing equipment or devices which serve the efficiency and safety of railway systems.  In the extreme case, threats that become escalated to safety and concerns may be just as terrible as those bombs or other attacks that lead to derailment, train crash and loss of life.

There is a myriad of potential dangers with regard to secure operation of Operational Technology. These include built-in obsolescence of diagnostic, maintenance and operating tools – often not upgraded from early Microsoft or proprietary, long defunct operating systems.  This extends to networked connectivity between comfort and operational systems, lack of malware checking and shared usage and access to systems.  However, while these are important and need to be addressed through a Code of Practice similar to the NIS CAF, this paper would like to concentrate on the current most talked about technological developments, GSM-R and ERTMS. These are the issues that require to be supported by central authority sponsorship and protection rather than being left to the mercy of competitive, profit-based implementation.

GSM-R is a standard communication platform for railways. It is a strategic communication system focused on the interoperability between European railway infrastructures. By the end of 2016, 56 countries in five continents should have operational GSM-R networks. Its specifications are widely disseminated.  Europe is leading GSM-R implementation in 11 countries (Austria, Belgium, Czech Republic, France, Germany, Italy, the Netherlands, Norway, Spain, Sweden and Switzerland). In 2011, GSM-R deployment provided coverage of about 30% of the European railway network with 68,000 km in operation; 156,000 km are planned to be covered (70% of the European railway network). The main objectives of GSM-R are to replace analogical radio communication and to provide a unique data transmission solution for ERTMS/ETCS (both level 2 and level 3).

GSM-R is an evolution of public GSM dedicated to railway application. Therefore, GSM-R has similar characteristics to those of public GSM system. GSM-R functionality is built on standards and recommendations supported by mainly two organisations, ETSI (European Telecommunications Standards Institute) and UIC (Union Internationale des Chemins de fer, International Union of Railways). ETSI technical committee RT (Railway Telecommunications) is responsible for those aspects of Global System for Mobile communications standardization which are specific to Railway (GSM-R) and Private Mobile Radio (PMR) operations. UIC specifies through its EIRENE (European Integrated Railway Radio Enhanced Network) project, a digital radio standard for the European railways. It forms part of the specification for technical interoperability.

GSM-R performances are guaranteed for high-speed conditions (up to 500 km/h). A common European frequency band is allocated to GSM-R below the frequencies of the public GSM standard. The allocated frequency bands are for the uplink: 876 MHz – 880 MHz and for the downlink: 921 MHz – 925 MHz. GSM-R has its own cellular network installed along the track designed to provide a minimum level of received power > -95 dBm anywhere along the track. This is a mandatory requirement coming from the EIRENE specifications. This represents a limited level of power with the potential of being jammed.

The GSM-R band occupies the 4 MHz central part of this 10 MHz band. A single GSM-R beacon channel, providing strong radio coverage of the station, is received in the GSM-R band; Line of Sight (LOS) of the corresponding GSM-R BTS antenna is nearly possible from this measurement location. Another, weaker, GSM-R BTS signal is also discernible higher in frequency, corresponding to a farther GSM-R BTS. The upper part of the band is fairly busy due to the number of cellular phone users in the station and its surroundings. The lower part of the monitored band is free of activity.

The deployment of ERTMS not only homogenises the technologies to manage the trains over the European territory, but also the vulnerability points to EM interferences. Some examples can be set up in the context of the harmonisation of systems and rules due to interoperability requirements for all operational domains in the rail transportation in Europe (operation, control, management, maintenance…). These include the strategy to reduce the number of control centres of the track switches in Europe that will rely on interlocking remote-controlled systems in order to activate switches. Thus, if a terrorist is designing an intentional Electromagnetic (EM) emissions device capable of disrupting management systems for rail infrastructure in Berlin, for instance, the same device will have the same attack capacity in all European cities. This will cause immediate economic consequences and possibly more…. Harmonisation thus facilitates the implementation of organised and simultaneous EM attacks.

The easiness of implementation of an EM attack will notably depend on the accessibility of the required devices to generate a given EM attack signal. Today, with the proliferation of the telecommunication applications, it is really easy to obtain equipment providing relatively low-level power interference able to jam wireless communication signals. Consequently, in SECRET, the priority is given to the study of the potential impacts of low power interference sources, such as jammers, on wireless railway communication systems.

Meanwhile, the technologies and frequencies employed in the railway field can be similar to technologies and frequencies used for applications available to the general public. Indeed, the railway no longer develops technology “owners” but adapts general public technologies. This increases the vulnerability of the railway because it is easy to obtain emission devices capable of disrupting rail technologies. With a relatively low basic knowledge of electronics and the performance of electronic components and antennas available on the open market, these emission devices can be combined with amplifiers to increase the capacity of EM attacks.    Given the potential vulnerability of the railway network and the ease of implementation of such EM attacks, we chose to work on an integrated solution to ERTMS offering the capability of detecting EM attack situations and engaging appropriate responses to maintain the security and capability of the railway network.