A Reference Architecture for Integrating Safety and Security Applications on Railway Command and Control Systems

Extended Abstract

Henk Birkholz, Christoph Krauß, Maria Zhdanova
Fraunhofer Institute for Secure Information Technology SIT
Darmstadt, Germany
{firstname.lastname}@sit.fraunhofer.de

Don Kuzhiyelil
SYSGO AG
Klein-Winternheim, Germany
don.kuzhiyelil@sysgo.com

Tolga Arul, Markus Heinrich, Stefan Katzenbeisser, Neeraj Suri, Tsvetoslava Vateva-Gurova
TU Darmstadt
Darmstadt, Germany
{arul,heinrich,katzenbeisser}@seceng.informatik.tu-darmstadt.de, {suri,vateva}@deeds.informatik.tu-darmstadt.de

Christian Schlehuber
DB Netz AG
Frankfurt am Main, Germany
christian.schlehuber@deutschebahn.com

KEYWORDS
Safety, Security, MILS, Railway Command and Control Systems

ACM Reference Format:
Henk Birkholz, Christoph Krauß, Maria Zhdanova, Don Kuzhiyelil, Tolga Arul, Markus Heinrich, Stefan Katzenbeisser, Neeraj Suri, Tsvetoslava Vateva-Gurova, and Christian Schlehuber. 2018. A Reference Architecture for Integrating Safety and Security Applications on Railway Command and Control Systems: Extended Abstract. In Proceedings of 4th International Workshop on MILS: Architecture and Assurance for Secure Systems (MILS'18). ACM, New York, NY, USA, 4 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn

MILS'18, June 2018, Luxembourg
2018. ACM ISBN 978-x-xxxx-xxxx-x/YY/MM. . . $15.00
https://doi.org/10.1145/nnnnnnn.nnnnnnn

1 INTRODUCTION

In critical infrastructures such as railway systems, the continuous and resilient availability of safety-critical functions residing on actuator and sensor components must be ensured. Since these components are increasingly connected using the Internet Protocol (IP), they additionally require security functions to provide protection against attackers. Moreover, the railway infrastructure is highly distributed, with its critical components residing at the track side, easily accessible to attackers. Thus, continuous proofing that the safety-critical systems have not been manipulated is required, too.

The (safety) certification of such safety-critical systems covers both the hardware components and the corresponding software components that compose a specific safety-critical application. Since security functions are currently not in use, they are not part of the certification. However, the integration of security functions is imperative to provide the basis for preventing or detecting manipulations of the system. In essence, co-residing security functions are required to retain and assure the trusted interoperability of safety-critical systems integrated in the rapidly growing number of newly deployed control networks based on IP. Thus, a given safety certification (and the guarantees it provides) must not be violated by the integration of security functions.

In this paper, we present the first results of the ongoing HASELNUSS project¹ by introducing the Haselnuss Reference Architecture (HRA) for Railway Command and Control Systems (CCS), which allows uncertified security functions to reside on the same hardware device as certified safety functions without voiding the certification of these safety functions.

¹ https://haselnuss-projekt.de/

2 ARCHITECTURE OF RAILWAY SYSTEMS

Control and safety systems have taken a central role in the safe operation of trains in European rail networks for a long time. In the early days, around 1900, the safety of trains was ensured by the use of mechanical interlocking systems. Since then, interlocking systems have experienced a steady evolution, which resulted in the current electronic interlocking systems: computerized systems implementing the safety logic of the interlocking. As part of this evolution, the general architecture and behavior of the interlocking systems evolved as well; while only a minimum of interaction with external systems was required in the beginning, modern electronic interlocking systems and operating control centers are connected to a wide variety of systems. Partly, public communication links are also used for these connections.

Current signaling systems can in general be divided into three layers:

Operation Layer: On this layer, the operators work at specialized workstations and tell the interlocking system which route has to be built and in which direction the trains
have to move. This is done via the workstations, which provide a safe display of the controlled area. These workstations are also connected to several communication systems like GSM-R or the telephone network. Besides the operators, SOC/NOC systems as well as disposition systems are located on this layer. The buildings where these systems are located have to fulfill special requirements regarding physical security. The personnel is also trained to perform safe railway operation.

Interlocking Layer: On the interlocking layer, most of the safety systems are located. The layer sits between the operation layer and the field element layer and checks the commands from the operation layer for validity and for whether they respect safe operation. In addition, it monitors the components on the field element layer for correct operation and, in case of anomalies, falls into an error state. On this layer, systems like the interlocking itself and the European Train Control System (ETCS) are located. The layer is connected to the operation layer and the field element layer via a wide area network owned or leased by the railway operator. Components on this layer are developed according to several safety standards like EN 50126 [2], and only the required functionality is available. Additionally, these components are built redundantly, which means that in case of a defect one of the standby systems takes over and the maintenance personnel is notified to replace the failing component. The data networks and the power supplies are redundant, too. Depending on the size of the facility, the building is equipped with a battery or also a generator, which is started if the energy provider is not able to provide sufficient energy.

Field Element Layer: On this layer, the field elements are located. These are elements like points, signals, axle counters, or other equipment of this type. Each element is controlled by an object controller, which is connected to the interlocking layer via a network connection. The communication between the layers is secured by a security gateway that applies integrity protection, encryption, etc. For key distribution, a Public Key Infrastructure (PKI) is in place.

An exemplary illustration of such an architecture can be seen in Figure 1.

[Figure 1: Exemplary Architecture of Signaling Systems [10]. Diagram labels: Operating Center; Security Center (Central PKI, Diagnosis, SDI-DS admin, Crypto, Network Monitoring); WAN; Neighbor Tech. Center; Technology Center (Interlocking System, ETCS, RBC, Aux. Systems (Doc.), LST-LAN); WAN; Field Element Areas.]

3 SECURITY GOALS

The introduction of networked IT-based components and IP networks into formerly closed railway infrastructures changes their risk landscape. In emerging CCS architectures such as the one shown in Figure 1, hazardous situations can result from random hardware faults and software bugs, or be caused by the actions of a malicious attacker. For this reason, security goals in addition to safety goals have to be considered during system design.

For the HRA, we define the following security goals [6]:

• Availability: A railway CCS should at any time be able to provide its required functionality and data, i.e., to generate safe routes, send and receive signals and commands over the network, log critical events, etc. This requires provisions against Denial-of-Service (DoS) attacks that can be carried out on a network or a cyber-physical layer and block or delay time-critical operations. In safety systems, availability guarantees are usually achieved through redundancy. In case of a motivated attacker, this might not be enough, especially if redundant components "fail safe" silently and the attack stays undetected until the system limit is reached.

• Integrity: Considering that a railway CCS is a highly distributed and complex system, it requires protection against any unauthorized modification of its data (configurations, commands, access credentials, etc.) as well as of its software and hardware components. If such modifications stay undetected, the correct operation of the CCS can be disrupted in multiple ways.

• Authenticity: It is necessary to be able to verify the trusted origin of safety- and security-critical data and components, in order to prevent, e.g., that tampered software or hardware is deployed in a railway CCS or that reactions build on falsified information.

• Confidentiality: Data transferred by safety applications in a CCS are not considered confidential. Apart from safety assets, the electronic interlocking system architecture contains security assets such as access credentials or cryptographic keys for the PKI that need to be protected from unauthorized disclosure or use.

• Accountability: Any action performed by a CCS should be traceable to an authorized entity responsible for this action.

• Non-repudiation: An authorized entity in a CCS should not be able to deny its actions.

• Auditability: Security-related events need to be recorded in an auditable form (including time, source, user, etc.).

4 HASELNUSS REFERENCE ARCHITECTURE

The Haselnuss Reference Architecture (HRA) can be integrated in railway systems such as object controllers for field elements; we call them Haselnuss nodes.
For the integration of safety and security applications on the same hardware platform, a certifiable MILS (Multiple Independent Levels of Safety and Security) operating system or separation kernel (SK) [12] is used. By making use of the separation capabilities of the SK [8], the existing safety application is spatially and temporally separated from the newly introduced security applications. Spatial separation is required to ensure that the security applications cannot affect the integrity of the safety application's code and data. Temporal separation is required to ensure that the temporal behavior of the safety application is not affected by the security applications, so that the real-time guarantees to be fulfilled by the safety application are not influenced. Of course, the hardware platform used for the integration must be fast enough to reserve the CPU time required for the safety application to meet its deadlines and at the same time have remaining CPU time that can be made available to the security applications to perform their functions.

Information channels to the safety application are realized using the communication objects provided by the SK, which allow precise control over the information flows in the system. This partitioned architecture based on the certifiable SK allows us to provide evidence of non-interference between the high-assurance safety applications (i.e., Safety Integrity Level (SIL) 4) and the security applications, which do not contribute to the safety of the system (and thus have a lower SIL). This freedom-from-interference evidence is needed to keep the existing certification of the safety application when it is integrated with the security applications. The SK that we use is also certifiable at the same assurance level (i.e., SIL 4) as the safety application, e.g., a railway object controller².

² https://www.sysgo.com/solutions/safety-security-certification/

The MILS template is used to run the critical infrastructure's safety application(s) on the same hardware as the security applications that are created to protect the safety functionality against attacks. MILS separation allows us to define exact contact points of information flow between the safety application and a security application such as an Intrusion Detection System (IDS). This structures the safety case, in which the influence of security has to be investigated and freedom from interference with the safety function has to be proven.

The HRA provides several security functions. These include, amongst others, mutual authentication of Haselnuss nodes with the interlocking system, protection of the software integrity of Haselnuss nodes at boot time and runtime, integrity reporting and remote attestation of Haselnuss nodes, remote software update of Haselnuss nodes, and an IDS.

There are vital transition points in the life-cycle of a safety-critical system, and one prominent example (next to on-boarding or enrollment) is software updates. Three types of information elements, composed into manifests, increase the trust in a software update significantly: first, the integrity evidence created by the device to be updated (the Attestor) before the update, proving that the safety-critical device is in a state that warrants the deployment of potentially confidential information as part of a software update; second, evidence about the acquisition of a signed manifest of a software update, a composite of the firmware or a pointer to a trusted source of firmware and corresponding metadata [7], also created by the Attestor; third, the integrity evidence of the new operational state of the safety-critical device that has just completed the transition procedure of a software update. Appropriate measures can be selected with significantly improved confidence if these key performance indicators about the target's integrity can be provided to the owner or maintainer of the safety-critical infrastructure.

The integrity and remote attestation function provides continuous proofing of the platform integrity. It currently includes the integration of a secure boot process and a time-based uni-directional attestation (TUDA) [4] procedure. The TUDA protocol defined in the HRA utilizes the Trusted Platform Module (TPM) version 2.0, a Hardware Security Module (HSM) specified by the Trusted Computing Group (TCG) [11]. The TUDA protocol is also used to illustrate the complete continuous proofing work-flow, from creating integrity evidence (Attestor role), to streaming it to a management system, to appraising the evidence (Verifier role) to confirm the integrity of software components. In this proof-of-concept, the implementation of TUDA is used to provide and assess integrity evidence both for security functions and safety functions via an integrated solution. Since TUDA only provides assurance of the system's software integrity at boot time, a health monitoring functionality complements this security function with runtime integrity monitoring.

The functional architecture of the Health Monitor includes components for non-invasive data collection, runtime analysis of applications (if the integrity state has changed), and reporting. The ultimate goal is to make a railway object controller resilient against malicious attacks that cannot be detected or prevented using boot-time mechanisms. This can be achieved using hypervisor-based monitoring techniques that analyze the integrity state of applications and detect anomalies [1, 9]. For this purpose, amongst other state parameters, the information channels to and from safety applications are controlled via new security applications, adding the desired security properties to the currently implemented availability measures without impact on the assurance level of the safety applications. The communication objects of the SK are extended with monitoring capabilities. In addition, system services are monitored to detect failures or attacks. The capability of systems to recover after failures or attacks can help reduce service downtimes. For example, depending on the particular scenario, it may be desirable for an application to automatically fall back to an older software version in case of a failed configuration or code update, instead of failing or triggering some other recovery mechanism. In this regard, the applicability of approaches from adaptive systems similar to the ones proposed in [3, 5] is analyzed for the HRA.

The IDS provides a defense mechanism against network-based attacks. By collaborating among the HRA instances in a defined area of the critical infrastructure, the IDS is enabled to detect adverse commands and configurations of the infrastructure's actuator and sensor components. It includes a concept to fine-tune the IDS to the critical infrastructure's network topology and the protocols in use. In this way, the IDS can leverage context information about the controlled infrastructure to enhance intrusion detection accuracy. In a second step, counteractions on detected intrusions are defined that respect the safety functions of the critical infrastructure. We carefully design the intrusive counteractions such that they do not alter the network channel properties beyond the specification that the safety application is anyway required to tolerate.
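Returning to the integrity reporting and remote attestation function described above: the following is an added illustration, not code from the HASELNUSS project, of the Attestor/Verifier appraisal flow on a Haselnuss node. It assumes a simplified model in which an in-memory PCR stands in for the TPM, an HMAC key stands in for the TPM attestation key, TUDA's time-synchronisation tokens are reduced to a signed timestamp checked against a freshness window, and the component names, images and reference digests are constructed sample data.

```python
"""Simplified model of the integrity evidence / appraisal flow behind the HRA's
remote attestation function. Added illustration, not HASELNUSS project code: an
in-memory PCR replaces the TPM, an HMAC key stands in for the TPM attestation key,
and TUDA's time-sync tokens are reduced to a signed timestamp with a freshness
window. Component names and images are constructed sample data."""
import hashlib
import hmac
import json
from dataclasses import dataclass

PCR_INIT = b"\x00" * 32  # a TPM 2.0 SHA-256 PCR starts as all zeros


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || measured digest)."""
    return hashlib.sha256(pcr + digest).digest()


@dataclass
class Evidence:
    pcr: str          # hex of the final PCR value (the "quote")
    event_log: list   # [(component, digest_hex), ...] in boot order
    timestamp: int    # attestor clock (seconds) when the evidence was produced
    signature: str    # HMAC over the fields above, stand-in for a TPM signature

    def payload(self) -> bytes:
        body = {"pcr": self.pcr, "log": self.event_log, "ts": self.timestamp}
        return json.dumps(body, sort_keys=True).encode()


class Attestor:
    """Haselnuss node side: measures boot components and signs the result."""
    def __init__(self, ak_secret: bytes, components: dict, clock: int):
        self.ak, self.components, self.clock = ak_secret, components, clock

    def measured_boot(self) -> Evidence:
        pcr, log = PCR_INIT, []
        for name, image in self.components.items():  # dict keeps boot order
            digest = hashlib.sha256(image).digest()
            pcr = pcr_extend(pcr, digest)
            log.append((name, digest.hex()))
        ev = Evidence(pcr.hex(), log, self.clock, "")
        ev.signature = hmac.new(self.ak, ev.payload(), "sha256").hexdigest()
        return ev


class Verifier:
    """Management side: appraises evidence against reference measurements."""
    def __init__(self, ak_secret: bytes, reference: dict, max_age: int):
        self.ak, self.reference, self.max_age = ak_secret, reference, max_age

    def appraise(self, ev: Evidence, now: int) -> dict:
        expected = hmac.new(self.ak, ev.payload(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, ev.signature):
            return {"ok": False, "reason": "bad signature", "bad": []}
        if not 0 <= now - ev.timestamp <= self.max_age:
            return {"ok": False, "reason": "stale evidence", "bad": []}
        pcr = PCR_INIT  # replay the log; it must reproduce the quoted PCR
        for _, digest_hex in ev.event_log:
            pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
        if pcr.hex() != ev.pcr:
            return {"ok": False, "reason": "log does not match PCR", "bad": []}
        bad = [n for n, d in ev.event_log if self.reference.get(n) != d]
        bad += [n for n in self.reference if n not in dict(ev.event_log)]
        reason = "ok" if not bad else "unexpected measurement"
        return {"ok": not bad, "reason": reason, "bad": bad}


def demo() -> tuple:
    """Good node, node with an altered safety app, and stale evidence."""
    ak = b"constructed-attestation-key"
    good = {"bootloader": b"bl-v1", "separation_kernel": b"sk-v1",
            "safety_app": b"object-controller-v1", "ids": b"ids-v1"}
    reference = {n: hashlib.sha256(i).hexdigest() for n, i in good.items()}
    verifier = Verifier(ak, reference, max_age=60)
    r_good = verifier.appraise(Attestor(ak, good, 1000).measured_boot(), now=1010)
    altered = dict(good, safety_app=b"object-controller-v1-modified")
    r_bad = verifier.appraise(Attestor(ak, altered, 1000).measured_boot(), now=1010)
    r_old = verifier.appraise(Attestor(ak, good, 1000).measured_boot(), now=2000)
    return r_good, r_bad, r_old
```

The appraisal names the component whose measurement deviates from the reference, which is the information the Health Monitor's runtime checks build on once boot-time evidence alone is no longer sufficient.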
In case of a connection loss or temporary network breakdown, for example, the system is fail-safe already. We plan to evaluate the extent of this interference in a test-bed that will be built during the project.

In addition to these functions, the system itself is hardened against attacks. Due to the co-location of the safety application with other services, mechanisms to prevent violations of the confidentiality of the system through covert- or side-channel attacks stemming from the use of shared resources (e.g., [14] and [13]) will be considered. These mechanisms will take into account the probability of a side-channel attacker process co-residing with the safety and security applications that can exploit the cache of the underlying system to leak information. The underlying SK of the HRA already employs measures to prevent cache covert-channel and side-channel exploits. As a defense mechanism, the cache can be flushed at every context switch involving an application that deals with confidential data. This mechanism makes the cache unavailable as a covert channel with respect to that particular application. Such an approach erases the cache footprint left by the application and thereby eradicates the cache-based covert-channel threat. Moreover, the proposed HRA ensures that the co-residency of compartments is established statically and cannot be changed during runtime, which reduces the probability of a malicious co-resident. The HRA does not make use of the memory de-duplication feature for better memory utilization, eliminating the class of side-channel attacks based on the Flush+Reload strategy that rely on memory de-duplication.

5 CONCLUSION AND FUTURE WORK

Safety and security are historically two different and isolated worlds. Safety certification, especially in the railway sector, does not consider security measures. Moreover, one of the greatest challenges of the ongoing railway digitalization is how to guarantee the transportation safety of the new IT-based railway systems now open to malicious attackers. Can state-of-the-art IT components and IP networks be used in railway scenarios to increase efficiency without putting people's lives at risk? The proposed Haselnuss Reference Architecture tries to answer this question positively, equipping safety applications with the necessary security functions.

As a work in progress, the Haselnuss Reference Architecture first needs to be fully specified, including the handling of system upgrades and security incidents, and implemented. It will then be tested in a realistic railway test-bed, which is currently being built as well, to analyze the applicability and achievable security of our approach. For example, effects on the timing of safety applications introduced by the SK and the additional security components will be analyzed. Certain aspects of the HRA will be formally evaluated, too. In addition, the possible certification of our solution will be evaluated together with the responsible authorities, e.g., the German Federal Railway Office (EBA). In this context, the freedom of interference between safety and security will be investigated. If the actions of security are transparent to the safety application, we believe that we can keep the safety case. This could be possible if security only affects network channel properties that the safety function is already able to tolerate, such as a defined threshold of latency or a certain amount of message loss or channel failure.

ACKNOWLEDGMENTS

We would like to thank the anonymous reviewers for their insightful feedback. The work presented in this paper has been partly funded by the German Federal Ministry of Education and Research (BMBF) under the project "HASELNUSS: Hardwarebasierte Sicherheitsplattform für Eisenbahn-Leit- und Sicherungstechnik" (ID 16KIS0597K).

REFERENCES

[1] A. M. Azab, P. Ning, E. C. Sezer, and X. Zhang. 2009. HIMA: A Hypervisor-Based Integrity Measurement Agent. In Computer Security Applications Conference, 2009. ACSAC '09. Annual. 461–470. https://doi.org/10.1109/ACSAC.2009.50
[2] CENELEC - European Committee for Electrotechnical Standardization. 2010. EN 50126 - Railway applications - The specification and demonstration of Reliability, Availability, Maintainability and Safety (RAMS) Part 1: Basic requirements and generic process. Number EN 50126:1999 E. CENELEC Central Secretariat, rue de Stassart, 36, B-1050 Brussels.
[3] M. Dinkel, S. Stesny, and U. Baumgarten. 2007. Interactive Self-Healing for Black-Box Components in Distributed Embedded Environments. In Communication in Distributed Systems (KiVS), 2007 ITG-GI Conference. 1–12.
[4] Andreas Fuchs, Henk Birkholz, Ira McDonald, and Carsten Bormann. 2017. Time-Based Uni-Directional Attestation. Internet-Draft draft-birkholz-i2nsf-tuda. The Internet Engineering Task Force (IETF). https://datatracker.ietf.org/doc/draft-birkholz-i2nsf-tuda/
[5] D. Garlan, S. W. Cheng, A. C. Huang, B. Schmerl, and P. Steenkiste. 2004. Rainbow: Architecture-based Self-adaptation with Reusable Infrastructure. Computer 37, 10 (Oct 2004), 46–54. https://doi.org/10.1109/MC.2004.175
[6] Markus Heinrich, Tsvetoslava Vateva-Gurova, Henk Birkholz, Maria Zhdanova, Don Kuzhiyelil, and Christian Schlehuber. 2017. Requirements Analysis. Deliverable D1. Project "HASELNUSS" (ID 16KIS0597K).
[7] B. Moran, H. Tschofenig, H. Birkholz, and J. Jimenez. 2018. Firmware Updates for Internet of Things Devices - An Information Model for Manifests. Internet-Draft draft-ietf-suit-information-model-00. The Internet Engineering Task Force (IETF). https://tools.ietf.org/html/draft-ietf-suit-information-model-00
[8] Sven Nordhoff and Holger Blasum. 2017. Ease Standard Compliance by Technical Means via MILS. Zenodo. https://doi.org/10.5281/zenodo.571175
[9] B. D. Payne, M. Carbone, and W. Lee. 2007. Secure and flexible monitoring of virtual machines. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC 2007).
[10] Christian Schlehuber, Markus Heinrich, Tsvetoslava Vateva-Gurova, Stefan Katzenbeisser, and Neeraj Suri. 2017. A Security Architecture for Railway Signalling. In International Conference on Computer Safety, Reliability, and Security. Springer, 320–328. https://doi.org/10.1007/978-3-319-66266-4_21
[11] Trusted Computing Group. 2016. Trusted Platform Module Library Specification (Family 2.0, Level 00, Revision 01.38 ed.). Trusted Computing Group.
[12] Sergey Tverdyshev. 2017. Security by Design: Introduction to MILS. In 3rd International Workshop on MILS.
[13] Yuval Yarom and Katrina Falkner. 2014. FLUSH+RELOAD: A High Resolution, Low Noise, L3 Cache Side-channel Attack. In Proc. of USENIX Security. 719–732.
[14] Y. Zhang, A. Juels, M. Reiter, and T. Ristenpart. 2012. Cross-VM side channels and their use to extract private keys. In Proc. of CCS. 305–316.
