Question: Modern signalling systems require different levels of safety integrity levels for communication between different systems. Provide a...


Electrical Engineering

Question:

Modern signalling systems require different safety integrity levels for communication between different systems. Provide a system architecture which shows a signalling system including:

i) The signallers’ interface

ii) The interlocking

iii) Object controllers

iv) Line side objects

(a) Your answer should describe the safety integrity requirements for each part of the signalling system.

(b) Identify the key system interfaces and describe the communication method, including an outline of the protocol requirements and how the safety integrity level is maintained.

Answer & Explanation
Abstract

Securing a safety-critical system is a challenging task because safety requirements have to be considered alongside security controls. We report on our experience to develop a security architecture for railway signalling systems, starting from the bare safety-critical system that requires protection. We use a threat-based approach to determine security risk acceptance criteria and derive security requirements. We discuss the executed process and make suggestions for improvements. Based on the security requirements, we develop a security architecture. The architecture is based on a hardware platform that provides the resources required for safety as well as security applications and is able to run these applications of mixed criticality: safety-critical applications and other applications run on the same device. To achieve this, we apply the MILS approach, a separation-based high-assurance security architecture, to simplify the safety case and security case of our approach. We describe the assurance requirements of the separation kernel subcomponent, which represents the key component of the MILS architecture. We further discuss the security measures of our architecture that are included to protect the safety-critical application from cyber-attacks.

1 Introduction

The integration of commercial off-the-shelf (COTS) hardware and software into industrial control systems such as railway command and control systems (CCSs) is in progress. However, introducing COTS components into a previously proprietary safety system leads to novel security threats. The interplay between safety and security is an active research area where many questions are yet to be answered. An extensive survey of approaches to combine safety and security in industrial control systems has been performed by Kriaa et al. [1]. Our study of the safety-security interplay is motivated by the lack of a security architecture for railway signalling.

Current train control is centralized in a signal box, also called interlocking system (ILS), that controls a defined area of the tracks comprising multiple track switches (points) and signals. An example with a single point and signal is shown in Figure 1. If a train needs to move on the tracks, the ILS sets the points according to the desired route. If the movement of the train is considered safe, the ILS sets the signal for the route to clear. The aspect of the signal is observed by the train driver, who is allowed to safely proceed on the journey. A route is considered safe for a train if it is not occupied by or reserved for another train, thus precluding collisions.

Points, signals and other controllable objects are summarized under the term field elements. Earlier ILS generations used analogue signal transmission to set their field elements. Modern ILSs utilize IP networks to transmit their commands digitally to an object controller (OC) that in turn steers the field element by starting and stopping the point machine or turning on and off the signal's light bulbs, respectively. This allows for decoupling energy supply and command transmission and thus for larger distances between ILS and field element. Since railway signalling networks are classified as critical infrastructure (CI), the impact of potential security incidents on the railway system can be huge. This calls for the need of a security concept to ensure the robustness of railway signalling networks against cyber-attacks. Furthermore, the railway system as a CI must meet national safety regulations. To address these issues, we execute a railway-domain-specific requirements engineering process that has been proposed for German railways [2] but can be used as a template for international railway operation. The output of this process provides the foundation of a security architecture which we propose for railway CCS.

Our contribution consists of the following. We report on our experience with the requirements engineering process of DIN VDE V 0831-104 and make suggestions for improvements. Then we investigate the effect of these requirements on our case study, the safety-critical railway CCS. We show and discuss the derived security requirements for the case study. Subsequently, we use the identified threats and requirements to propose a security architecture for mixed-criticality systems such as the railway CCS, running safety-critical applications along non-safety-critical security applications. A mixed-criticality system must be carefully designed in order to maintain functionalities such as dependability and responsiveness under constrained resources and in the presence of attackers [3]. We propose the Secure Object Controller (SecOC), a security architecture based on a hardware platform that includes a hardware trust anchor. On top of the hardware, a separation kernel (SK) provides a software framework that allows running applications of mixed criticality on our platform. On the software platform, safety and security applications coexist. The security applications protect the safety-critical application from cyber-attacks. Complementary, the SK ensures that the security applications cannot exhaust the resources required by the safety application to fulfill its safety-critical task. Additionally, to enhance the security of the system, we apply security measures. An authenticated boot process uses the hardware trust anchor to ensure that only authorized software instances are executed on the hardware platform. A health monitor observes the system state during runtime and can report conspicuous state changes. A secure update mechanism allows for altering the system software, firmware and configuration from authorized sources only. We further
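As an added illustration (not code from the paper or from the answer above), the following Python model shows the ILS-to-OC interface that part (b) of the question asks about: each command telegram carries a sequence number, a timestamp and an authentication tag, and the OC applies a command only when it is authentic, fresh and in order, otherwise holding the signal at danger. The key, command codes, freshness window and telegram layout are constructed assumptions for the example, not a real signalling protocol.

```python
import hmac, hashlib, struct

# Constructed demo key; a real deployment would provision it via the hardware trust anchor.
DEMO_KEY = b"demo-key-not-for-production"
MAX_AGE_S = 2.0                      # freshness window assumed for the example
CMDS = {1: "CLEAR", 2: "DANGER"}     # hypothetical command codes for a signal OC
HDR = ">IdB"                         # seq (4 bytes) | timestamp (8) | cmd (1)
TAG_LEN = 32                         # HMAC-SHA256 tag appended to the header

def build_telegram(key: bytes, seq: int, cmd: int, now: float) -> bytes:
    """ILS side: serialise the command and append an HMAC-SHA256 tag over the header."""
    header = struct.pack(HDR, seq, now, cmd)
    return header + hmac.new(key, header, hashlib.sha256).digest()

class ObjectController:
    """OC side: apply a command only if it is authentic, fresh and in order; on any
    failure, or when valid telegrams stop arriving, hold the signal at DANGER."""
    def __init__(self, key: bytes):
        self.key, self.last_seq, self.last_ok = key, 0, None
        self.signal = "DANGER"       # safe state until a valid CLEAR arrives

    def receive(self, telegram: bytes, now: float) -> str:
        if len(telegram) != struct.calcsize(HDR) + TAG_LEN:
            return "reject:length"
        header, tag = telegram[:-TAG_LEN], telegram[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # tampered or unauthenticated
            return "reject:bad_tag"
        seq, ts, cmd = struct.unpack(HDR, header)
        if seq <= self.last_seq:                      # replayed or reordered
            return "reject:replay"
        if not 0 <= now - ts <= MAX_AGE_S:            # delayed or future-dated
            return "reject:stale"
        if cmd not in CMDS:                           # unknown command code
            return "reject:unknown_cmd"
        self.last_seq, self.last_ok = seq, now
        self.signal = CMDS[cmd]
        return "accept"

    def tick(self, now: float) -> str:
        """Watchdog: loss of valid telegrams drives the signal back to DANGER."""
        if self.last_ok is None or now - self.last_ok > MAX_AGE_S:
            self.signal = "DANGER"
        return self.signal

if __name__ == "__main__":
    oc = ObjectController(DEMO_KEY)
    t = build_telegram(DEMO_KEY, 1, 1, 100.0)
    print(oc.receive(t, 100.5), oc.signal)            # accept CLEAR
    print(oc.tick(103.0))                             # DANGER after timeout
```

The same structure (sequence, time stamp, keyed integrity tag, fail-safe on loss of communication) applies to the signaller-to-interlocking and interlocking-to-OC links alike; what differs per link is the required integrity level and therefore the strength and independence demanded of the checks.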