This paper presents an action-based methodology for securing railway signalling systems, building upon the TS 50701 framework. In TS 50701, zones represent groups of assets that share common security requirements, while conduits denote controlled communication channels that interconnect zones and enforce defined security policies. Railway systems described within this framework comprise wayside and onboard components, interconnected by a Data Communication System (DCS). We propose an attacker model centred on inter-zone conduits that specifies enforceable rule templates for each conduit. These templates define requirements for source authentication, integrity, freshness, and semantic consistency, thereby constraining permissible behaviours that can be implemented at boundary monitors. Through qualitative security analysis, we demonstrate how these rules address specific threats and trace how security degradations may propagate to safety-critical effects. By formalising zones and conduits as terms in a process description language, system properties can be expressed as sequences of observable actions. This formalisation enables the use of Action-Based Temporal Logic (ACTL) to verify whether security properties are guaranteed, which constitutes our long-term research goal.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Action-Based Security Rules for Railway Control Systems

  • Rocco De Nicola,
  • Simone Soderi

摘要

This paper presents an action-based methodology for securing railway signalling systems, building upon the TS 50701 framework. In TS 50701, zones represent groups of assets that share common security requirements, while conduits denote controlled communication channels that interconnect zones and enforce defined security policies. Railway systems described within this framework comprise wayside and onboard components, interconnected by a Data Communication System (DCS). We propose an attacker model centred on inter-zone conduits that specifies enforceable rule templates for each conduit. These templates define requirements for source authentication, integrity, freshness, and semantic consistency, thereby constraining permissible behaviours that can be implemented at boundary monitors. Through qualitative security analysis, we demonstrate how these rules address specific threats and trace how security degradations may propagate to safety-critical effects. By formalising zones and conduits as terms in a process description language, system properties can be expressed as sequences of observable actions. This formalisation enables the use of Action-Based Temporal Logic (ACTL) to verify whether security properties are guaranteed, which constitutes our long-term research goal.