Fusing Safety and Security On A Solid Foundation For ERTMS
[Figure: development process overview for the Core System, TAS Platform SW and HW, and the Safety Application, with Safety Application Conditions (SAC); subsystems OCS, MNT, J4S; SW and HW components; analyses, verification/validation, check of HW-CS SAC, validation on HW-CS, safety case, approval with HW-CS, manufacturing; distributed development/maintenance (Thales)]
Overview TAS Platform – A Closer Look
Safety approval according to CENELEC EN 50129 SIL 4
[Figure: platform layers, including the Application Business Logic on top of the TAS Platform]
Security Management
Process definition based on ISA/IEC 62443
Customer requirements are considered
TAS Platform as "Component"
ISA/IEC 62443-4-1 (secure product development life cycle)
ISA/IEC 62443-4-2 (technical security requirements for components)
Apply the defined security process
Security process in line with the safety process
Security Vulnerability Management
Part of the security process
CVE management tool developed by Thales
Automatic scan of the used Linux packages for possibly affected CVEs
Based on the NIST CVE database (NVD)
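The core of such a scan is matching an installed-package inventory against the version ranges that NVD records carry in their CPE match criteria. The following is an added example, not Thales' CVE management tool: the package inventory, the package-to-CPE mapping and the three CVE records (placeholder identifiers, not real advisories) are constructed for the illustration, and the record shape follows the NVD JSON 1.1 "configurations" layout with `cpe23Uri` plus `versionStart*`/`versionEnd*` keys.

```python
import re

# Constructed inventory, in the shape "dpkg-query -W -f='${Package} ${Version}\n'" prints.
INVENTORY = """\
openssl 1.1.1k-1
zlib1g 1.2.11-2
busybox 1.30.1-4
libfoo 2.0-1
"""

# Constructed mapping from distribution package name to CPE vendor:product.
# Package names rarely equal CPE product names, so a curated table is needed;
# anything not in the table is reported as unmapped rather than silently skipped.
PACKAGE_TO_CPE = {
    "openssl": ("openssl", "openssl"),
    "zlib1g": ("gnu", "zlib"),
    "busybox": ("busybox", "busybox"),
}

# Constructed records shaped like NVD JSON 1.1 "configurations" nodes.
# The CVE identifiers are placeholders, not real advisories.
CVE_FEED = [
    {"id": "CVE-0000-0001", "nodes": [{"cpe_match": [{
        "vulnerable": True,
        "cpe23Uri": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1l"}]}]},
    {"id": "CVE-0000-0002", "nodes": [{"cpe_match": [{
        "vulnerable": True,
        "cpe23Uri": "cpe:2.3:a:gnu:zlib:*:*:*:*:*:*:*:*",
        "versionEndExcluding": "1.2.11"}]}]},
    {"id": "CVE-0000-0003", "nodes": [{"cpe_match": [{
        "vulnerable": True,
        "cpe23Uri": "cpe:2.3:a:busybox:busybox:1.30.1:*:*:*:*:*:*:*"}]}]},
]


def parse_version(v):
    """Turn '1:1.1.1k-1' into a comparable tuple.

    The Debian epoch (before ':') and revision (after the last '-') are dropped;
    digit runs compare numerically, letter runs lexically (so 1.1.1k < 1.1.1l).
    """
    upstream = v.split(":", 1)[-1].rsplit("-", 1)[0]
    tokens = re.findall(r"\d+|[A-Za-z]+", upstream)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def in_range(version, match):
    """Apply whichever versionStart*/versionEnd* bounds the match carries."""
    v = parse_version(version)
    checks = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    return all(ok(parse_version(match[key])) for key, ok in checks if key in match)


def cpe_matches(match, vendor, product, version):
    # cpe:2.3:part:vendor:product:version:update:... (escaped colons not handled here)
    fields = match["cpe23Uri"].split(":")
    if (fields[3], fields[4]) != (vendor, product):
        return False
    cpe_version = fields[5]
    if cpe_version not in ("*", "-") and parse_version(cpe_version) != parse_version(version):
        return False
    return match.get("vulnerable", True) and in_range(version, match)


def scan(inventory_text, feed, mapping):
    """Return (findings, unmapped): findings as (package, version, cve_id) triples."""
    findings, unmapped = [], []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        if name not in mapping:
            unmapped.append(name)
            continue
        vendor, product = mapping[name]
        for cve in feed:
            # Operator/child nesting of real NVD nodes is flattened here for brevity.
            if any(cpe_matches(m, vendor, product, version)
                   for node in cve["nodes"] for m in node.get("cpe_match", [])):
                findings.append((name, version, cve["id"]))
    return findings, unmapped


if __name__ == "__main__":
    found, missing = scan(INVENTORY, CVE_FEED, PACKAGE_TO_CPE)
    for pkg, ver, cve in found:
        print(f"{pkg} {ver}: {cve}")
    print("unmapped packages (no CPE known):", missing)
```

Two points a practitioner would want on top of this: distribution packages are often patched without a version bump (a backported fix keeps the upstream version), so a version-range hit is a candidate to triage against the vendor's security tracker, not a confirmed exposure; and the unmapped list is the coverage gap of the scan and should be worked down, not ignored.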
TAS Platform in Unsecure Networks
Several security requests received (partly implemented, in implementation, or planned)
Move to "category 3" networks according to CENELEC EN 50159 (unsecure networks)
Deployment of system development processes that consider security throughout the development
Additional "typical" requirements: logs, patch management, authentication modules, ...
Challenges:
Long-term availability in the field and a safety-conservative update regime challenge system security (legacy)
Legacy applications (need continued support): "don't change interface/hardware/..."
TAS Platform Security – Patch Management
Following standards: IEC TR 62443-2-3 for patch management
Separate safety and security life cycles
Using suitable architectures and processes, or physical separation of security and safety functions
[Figure: TAS PLF safe and secure releases; callout: comment in the draft norm (prEN 50129:2016) that the safety and security life cycles are different]
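Separate life cycles only work if a release can be shown to touch one partition and not the other. The following is an added example, not Thales' release process: it assigns each component of a release to a safety or security partition (the assignment, component names and file contents are constructed), hashes the artefacts, and classifies a candidate release as "security-only" (shippable under the security patch life cycle) or "safety-affecting" (needs the safety process again) by which partition's hashes changed.

```python
import hashlib

# Constructed partition assignment. Every shipped component must appear here;
# an unassigned component is an error, not a silent default.
PARTITION = {
    "safety-kernel": "safety",
    "application-logic": "safety",
    "cybergate-ruleset": "security",
    "tls-library": "security",
}

# Constructed release contents: component name -> artefact bytes.
RELEASE_1 = {
    "safety-kernel": b"kernel v1",
    "application-logic": b"interlocking logic v1",
    "cybergate-ruleset": b"ruleset v1",
    "tls-library": b"tls 1.0",
}
SECURITY_PATCH = dict(RELEASE_1, **{"tls-library": b"tls 1.1",
                                    "cybergate-ruleset": b"ruleset v2"})
BAD_PATCH = dict(SECURITY_PATCH, **{"application-logic": b"interlocking logic v2"})


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Return name -> {partition, sha256}; refuse components with no partition."""
    unassigned = sorted(set(files) - set(PARTITION))
    if unassigned:
        raise ValueError(f"components without partition assignment: {unassigned}")
    return {name: {"partition": PARTITION[name], "sha256": sha256(blob)}
            for name, blob in files.items()}


def classify_release(old: dict, new: dict) -> dict:
    """Compare two manifests and say which life cycle the release falls under."""
    changed = {n for n in new if n not in old or new[n]["sha256"] != old[n]["sha256"]}
    removed = set(old) - set(new)
    touched = changed | removed
    partitions = {PARTITION[n] for n in touched}
    if "safety" in partitions:
        kind = "safety-affecting"   # safety artefacts changed: re-run the EN 50129 process
    elif partitions:
        kind = "security-only"      # only security artefacts changed: security patch cycle
    else:
        kind = "no-change"
    return {"kind": kind, "changed": sorted(touched)}


if __name__ == "__main__":
    base = build_manifest(RELEASE_1)
    for label, candidate in (("security patch", SECURITY_PATCH), ("bad patch", BAD_PATCH)):
        print(label, classify_release(base, build_manifest(candidate)))
```

The check is only as good as the partition boundary it encodes: a "security" component that the safety partition links against, or that shares an interface the safety case relies on, has to be assigned to the safety side, which is the point of the architectural or physical separation the slide calls for.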
Security Zone and Conduits #1
Zones and conduits defined according to ISA/IEC 62443-3-3 (system security requirements and security levels)
Up to now all components are in one zone
Only an EN 50159 Cat. 2 network is possible
Security Zone and Conduits #2
Security Features (CyberGate as integrated firewall)
Connection to other zones possible by conduits
Enabled for EN 50159 Cat. 3 network
TAS Platform (A) is exchangeable without re-certification of the safety-critical functionality and TAS Platform (B)
Security Zone and Conduits #3
Isolation layer / MILS platform (Multiple Independent Levels of Security)
Separate security from safety
Performance and resource usage by security features must be restricted and predictable
Availability through redundancy (independent boards, links, and CyberGate instances)
Safety-critical functionality is always provided with redundancy
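The zone-and-conduit model of the three slides above can be checked mechanically against observed traffic: every cross-zone flow must traverse a defined conduit with the protocol and port that conduit permits, and a direct path from the external network into the safety zone is a violation by construction. The following is an added example, not CyberGate or TAS Platform code: the zone membership, the two conduits (external network to firewall, firewall to safety zone) and the flow lines are constructed for the illustration, and flows are treated as unidirectional, with reply traffic assumed to be handled statefully by the firewall.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    name: str
    src_zone: str
    dst_zone: str
    allowed: frozenset  # (protocol, port) pairs the conduit permits


# Constructed zone model: the safety zone, a security zone holding the firewall's
# inside and outside interfaces, and the untrusted external (EN 50159 Cat. 3) network.
ZONES = {
    "safety": {"10.1.0.10", "10.1.0.11"},
    "security": {"10.1.0.1", "192.0.2.1"},
    "external": {"198.51.100.5"},
}

# Constructed conduits: only the firewall may be reached from outside, and only
# the firewall may talk into the safety zone, each on one permitted service.
CONDUITS = [
    Conduit("ext-to-fw", "external", "security", frozenset({("tcp", 443)})),
    Conduit("fw-to-safety", "security", "safety", frozenset({("tcp", 4000)})),
]

# Constructed flow records: "src dst protocol port", one per line.
FLOWS = """\
198.51.100.5 192.0.2.1 tcp 443
10.1.0.1 10.1.0.10 tcp 4000
198.51.100.5 10.1.0.10 tcp 4000
10.1.0.10 10.1.0.11 udp 5000
198.51.100.5 192.0.2.1 tcp 22
"""


def zone_of(ip):
    for zone, hosts in ZONES.items():
        if ip in hosts:
            return zone
    return None


def check_flow(src_ip, dst_ip, proto, port):
    """Return 'intra-zone', the conduit name, or a string starting with 'violation'."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return f"violation: host not assigned to any zone ({src_ip if src is None else dst_ip})"
    if src == dst:
        return "intra-zone"
    for c in CONDUITS:  # first conduit for the zone pair decides
        if (c.src_zone, c.dst_zone) == (src, dst):
            if (proto, port) in c.allowed:
                return c.name
            return f"violation: {proto}/{port} not permitted on conduit {c.name}"
    return f"violation: no conduit from {src} to {dst}"


def audit(flow_text):
    results = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        results.append((line, check_flow(src, dst, proto, int(port))))
    return results


def violations(flow_text):
    return [line for line, verdict in audit(flow_text) if verdict.startswith("violation")]


if __name__ == "__main__":
    for line, verdict in audit(FLOWS):
        print(f"{line:36} -> {verdict}")
```

Run against real flow exports, the same checker doubles as a regression test for the firewall ruleset: a flow that the model marks as a violation but that the network actually carried means the conduit is not enforced where the model says it is.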
Summary
Multiple security assessments and customers have driven, and are driving, improvements of Thales applications and the TAS Platform
The TAS Platform architecture was already prepared for security extensions, allowing simple integration of security functions
We are ready!
And, never stop improving …
CERTMILS Contract No: 731456
"This work/project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 731456."
The information in this document is provided "as is", and no guarantee or warranty is given that the information is fit for any particular purpose. The content of this document reflects only the author's view; the European Commission is not responsible for any use that may be made of the information it contains. The users use the information at their sole risk and liability.