A guideline for system manufacturers and operators for the implementation and use of maintenance interfaces in embedded systems from an IT security perspective

Digitalisation is the greatest opportunity in the rail sector to achieve Germany’s and Europe’s climate targets. Digitalisation and autonomous driving can increase the competitiveness of the railways, increase transport capacities and improve customer satisfaction. Connectivity and standardisation can also enable predictions and real-time optimisation. However, this is accompanied by an increased dependency on the availability of data and the digital infrastructure of the railways. At the same time, this also increases vulnerability to cyber attacks. Developments in recent months and years show that the critical railway infrastructure is increasingly becoming the focus of attackers. It is clear to everyone involved that the transport of people and goods is worth protecting in many respects, which includes protecting the IT security of the systems in terms of confidentiality, integrity and availability.

Although the risks and threats are well known and much discussed, the industry is still struggling to come up with standardised guidelines and solutions. Why is this the case?

When looking at the various interest groups (railway and public transport operators, as well as vehicle, system and component manufacturers), it is noticeable that there is still no uniform understanding of the requirements and solutions in the area of security. This report discusses the aforementioned challenges using the example of the maintenance interface for rail vehicles. The maintenance interface was chosen because in many cases it allows deep intervention in technical systems and safety-relevant functions of the train and it is already to be found in some vehicles as one of the first digitalisation measures. As these functions and interfaces are increasingly being implemented for the remote maintenance of rail vehicles and their range of functions is constantly expanding, their protection is of particular relevance.

The following report was produced by a working group of the C-NA (Think Tank for Mobility & Logistics) focussing on the IT security of the maintenance interfaces of embedded systems in the railway environment. The report is based on the results of a previous working group Generisches IT Security Architekturmodell von Schienenfahrzeugen, which sets out key aspects of a high-level risk analysis.

Employees of the following companies are involved in the creation of the report under the auspices of the C-NA: IoW, Incyde, DLR, Infoteam, VAG, Critical Software, Wabtec, Ci4Rail.

The full report can be downloaded here: