Ensuring safety in communication for signaling applications Based on EN 50159:2010


Background
- More and more signalling applications on Indian Railways use transmission of safety information.
- We are moving from copper cable to optical fiber or even wireless media.
- How is safety ensured during transmission of digital information?
- What are open communication and closed communication systems?
- EN 50159:2010 is the standard which deals with all of the above.

Content
- Some examples from Indian Railways
- Role of transmission medium in safety
- What can go wrong in transmission? (Modes of errors)
- What is required to be done? (Various defences)
- Which defences are to be used and where?
- Quantifying errors
- Classification of transmission systems (open and closed)
- Discussion on safety in open and closed systems
- Examining the examples in light of the discussions

Example: Change of medium for block working through UFSBI
- Block working through UFSBI on copper cable.
- Changing the medium to a point-to-point wireless link using the free frequency band of 2.4 GHz.
- It is obvious that additional safety is required for the wireless medium.
- What may be the additional safety measures?
- What are the parameters which affect the quantitative assurance?

Another example which is not so obvious
- Existing axle counter working on quad cable.
- It is to be worked on optical fiber cable.
- It is to be worked on a digital transmission medium.

Change of transmission medium for axle counter
Here the questions are:
- Do we need to relook at the safety aspect in such cases?
- If yes, then understanding the issues involved in such cases.

Role of transmission medium
- Safety is a function of the transmission medium's characteristics.
- But no safety requirement is placed on the transmission system.
- However, a certain performance level is required from the transmission medium in some cases.
- The communication safety requirements are fulfilled by the signaling device.
- The safety case for a signaling device is for a particular transmission system.

What can go wrong in transmission?
The messages carrying safety information may be subject to the following errors:
- Deletion: A message can be deleted due to a cable cut. It can cause an unsafe situation if, e.g., the deleted message was to change status from track clear to track occupied.
- Data corruption (bits in error): Some bits are changed during transmission. It can be due to EMI or deliberate by an attacker. It is unsafe if undetected at the receiver.

What can go wrong in transmission?
- Repetition: An old message is sent again to the recipient. This can be done by an attacker, known as a replay attack. Alternatively, it can also be caused when a non-safety device (like NMS) is sharing the same transmission system and resends an earlier stored message due to some fault. If such a repeated message says, e.g., "Line clear" when actually it is not, it can lead to an unsafe situation.
- Insertion: An attacker inserts a message permitting movement of a train when it should not be happening.
- Re-sequencing (out of sequence): Due to hardware failure the message sequence is changed, or the message reaches out of sequence (e.g. in an IP-based network), or an attacker changes the sequence of the messages.

What can go wrong in transmission? (Contd.)
- Delay: Delay can cause an unsafe condition for the same reasons as deletion. The delay may be caused by congestion in the network. The congestion may be caused by other non-safety applications sharing the network, or by an attacker overloading the network.
- Masquerade (impersonate, disguise oneself as): If attacker X intercepts a message from A to B and replaces it with its own message, pretending to B as if the message is coming from A, this attack is known as masquerading.

What is required to be done?
- Failure to detect an error at the receiver can lead to an unsafe situation.
- We have to use various techniques (defences) to detect various message errors.
- We aim to bring the probability of undetected error below a required level.
- This probability will depend on the probability of each type of error and the type of defences used.
- The probability of each error depends on the type of transmission medium used, e.g. the probability of bit error is more for wireless and less for optical fiber.

Various techniques to detect errors (defences)
- Sequence number: detects out-of-sequence messages; detects repeated messages.
- Time stamp: detects delayed messages.
- Time-out: protection against deleted messages.
- Source and destination identifiers: detects message from stated source.
- Safety code: detects data corruption.
- Cryptographic techniques: used when there are chances of unauthorised access, to detect message errors caused deliberately by an attacker.

Requirement of defenses
- The type of defense will depend on the types of likely errors.
- Types of errors depend on the type of transmission system.
- Parameters of various defences will depend on the type of transmission medium, e.g. length of error correction code.
- Cryptographic techniques are normally used only in those cases where there are chances of unauthorized access.

Quantitative analysis: Probability of undetected error
It will depend on:
- Message rate
- Likelihood of bit error
- Hardware fault rate of the transmission system
- Length of safety code (error correcting code)
- The error correcting code being used by the transmission medium, etc.

Classification of transmission system
The transmission system affects safety in the following ways:
- The technical properties of the system which affect reliability, availability, delay in transmission and
- Consistency of the performance, as the deterioration will affect safety.
- Access to the system by unauthorised users, the degree of control which can be exercised over other users sharing the transmission system, etc.

Classification of transmission system
Keeping these criteria in view, the transmission system is categorised in three categories:
- Category 1 (Closed system)
- Category 2 (Open system)
- Category 3 (Open system)
Why classify:
- Different safety requirements are placed on the communication module depending upon the type of system likely to be used.
- Before working out requirements we try to identify the type of transmission system.

Classification of transmission system
Closed transmission system (Category 1):
- The number of equipments connected to the transmission system is fixed.
- The configuration of the transmission system is defined.
- The characteristics of the transmission system (under worst case) are known and fixed.
The systems which do not meet any of the above conditions are open transmission systems. Open systems are further divided into two categories based on the risk of unauthorised access:
- Open system (Category 2): when the risk of unauthorised access is negligible.
- Open system (Category 3): when there is a risk of unauthorised access.

Some examples of categories of transmission systems (Ref EN 50159)
- Category 1 (Closed): Close air gap transmission, e.g. track balise to train antenna; industry standard LAN subject to fulfilment and maintenance of the preconditions.
- Category 2 (Open): Industry standard LAN connecting different systems (safety related and non-safety related) within a controlled and limited area; WAN belonging to Railways; leased permanent point-to-point circuit in a public telecom network; radio transmission system with restricted access (e.g. using a proprietary scheme of modulation, impossible to reproduce with off-the-shelf or affordable lab equipment).
- Category 3 (Open): Internet; circuit switched data radio (e.g. GSM-R); packet switched data radio (e.g. GPRS); short range broadcast radio (e.g. Wi-Fi); radio transmission system without restrictions.

Relation between category of transmission systems and threats
Categories (columns): Closed transmission system (Cat. 1); Open system with negligible chances of unauthorized access (Cat. 2); Open system with chances of unauthorized access (Cat. 3)
Threats (rows):
Repetition +++
Deletion +++
Insertion +++
Re-sequence ++++
Corruption ++
Delay +++
Masquerade --++
Key: ++ Threat exists, strong countermeasures required; + Threat exists but rare, weak countermeasure sufficient; - Threat can be neglected

Implementation of safety in closed transmission system
Use of safety code:
1. The safety code is used to detect message corruption, e.g. CRC.
2. The safety code shall be different from any error detection/correction code being used by the transmission system.
3. The probabilistic analysis of the performance of the safety code shall be as per the requirement of the safety target.

Ensuring safety in closed communication system: Quantitative analysis
Working out the length of safety code based on SIL:
- It is worked out on the basis of the overall error model of the signalling device and the transmission system.
- It is related to the probability of residual data error rate (undetected data errors).
- The length of the safety code can be worked out to achieve the desired safety levels.
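A worked sizing calculation for the point above, as an added example that is not part of the original slides or of EN 50159. It assumes a simplified error model: independent bit errors, a safety code of c bits that misses a corrupted message with probability at most 2^-c, and no hardware-fault term; the bit error rates, message size, message rate and target rate are constructed values.

```python
import math

def p_message_corrupted(bit_error_rate, message_bits):
    """Probability that at least one bit of a message is in error
    (assumes independent bit errors)."""
    return -math.expm1(message_bits * math.log1p(-bit_error_rate))

def undetected_per_hour(msgs_per_hour, bit_error_rate, message_bits, code_bits):
    """Rate of corrupted messages that slip past a safety code of code_bits,
    using the assumed worst-case miss probability 2**-code_bits."""
    p_corrupt = p_message_corrupted(bit_error_rate, message_bits)
    return msgs_per_hour * p_corrupt * 2.0 ** -code_bits

def min_safety_code_bits(msgs_per_hour, bit_error_rate, message_bits, target_per_hour):
    """Smallest safety code length that keeps the undetected error rate
    at or below the target."""
    bits = 0
    while undetected_per_hour(msgs_per_hour, bit_error_rate,
                              message_bits, bits) > target_per_hour:
        bits += 1
    return bits

# Constructed inputs: 10 messages/s of 256 bits, target 1e-9 undetected errors/hour.
MSGS_PER_HOUR = 10 * 3600
MESSAGE_BITS = 256
TARGET_PER_HOUR = 1e-9
MEDIA_BER = {"wireless": 1e-4, "optical fiber": 1e-10}   # assumed bit error rates

if __name__ == "__main__":
    for medium, ber in MEDIA_BER.items():
        bits = min_safety_code_bits(MSGS_PER_HOUR, ber, MESSAGE_BITS, TARGET_PER_HOUR)
        print(f"{medium}: safety code of at least {bits} bits")
```

With these inputs the noisier medium needs a safety code twice as long, which is why a safety case worked out for one transmission system does not carry over to another.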

Summary: Safety in closed transmission system
- The safety case also involves the error model of the non-trusted transmission system.
- Therefore the SIL certification for a particular closed transmission system may not be valid for another transmission system.
- The physical characteristics of the transmission system are fixed.
- If major parameters are changed, all safety related aspects shall be reviewed.

Examining in view of discussion held
- Existing axle counter working on quad cable.
- It is to be worked on optical fiber cable.

Examining in view of discussion held
When worked on OFC:
a. The errors due to EMI will be reduced.
b. The modem is replaced by another device to convert RS 232 C serial data to optical signal. Its error detecting and correcting mechanism will come into play.
c. Alternatively, the modem is also retained and the resulting analog signal is converted into an optical signal. The error model of this device needs to be worked out and taken into account.
d. The device being used for converting electrical to optical signal may have to be specified and will become part of the safety case.

Safety in open transmission system
- In an open system there is no control on transmission parameters, and the other users sharing the transmission system are unknown; therefore stronger measures, like a longer safety code, are required.
- Cryptographic technique is used where unauthorized access cannot be ruled out.
- In cases where unauthorised access is not ruled out, the safety is determined mainly by the strength of cryptographic means, like length of safety code or length of key.

Safety in open transmission system (Contd.)
- Ensuring authenticity: Putting the source address on the message does not ensure authenticity, as an unauthorised person may replace the original message with its own message, retaining the valid source address.
- Ensuring integrity (implying correctness of data): Use of an error detection code does not ensure integrity, as an unauthorised person may replace the original message with its own message with a recalculated error detection code.
- Authenticity and integrity can both be ensured by a Message Authentication Code (MAC), which is a cryptographic technique and requires use of a shared secret key by both source and receiver.

Safety in open transmission system (Contd.)
- Replay attack: However, MAC does not prevent a replay attack. In this, the attacker can store a previous valid message and send it to the receiver after some time, e.g. a track clear message sent on an earlier occasion is stored by the attacker and sent again when the track is not clear.
- Sequencing and time stamp will prevent replay attacks, because the sequence and time will be different from what was expected at the receiver.
- Enciphering is another technique to prevent attacks from an unauthorized person. Here the entire message is encrypted using a secret key.
- Management of the secret key (its generation, storage and distribution) is a very important aspect, so that it is not intercepted by the attacker while being distributed.
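A receiver-side sketch of the defences listed earlier (sequence number, time stamp, time-out, source and destination identifiers) combined with the MAC described here, as an added example that is not part of the original slides or of EN 50159. The frame layout, identifiers, key, MAC length and time limits are assumptions chosen for illustration, and sender and receiver clocks are assumed to be synchronised.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"     # constructed shared secret (assumption)
MAC_LEN = 8                       # truncated MAC length in bytes (assumption)
MAX_AGE = 2.0                     # max accepted transit time, seconds (assumption)
TIMEOUT = 3.0                     # silence after which the link is declared failed
HEADER = struct.Struct(">HHId")   # source id, destination id, sequence no., time stamp

def build(src, dst, seq, ts, payload, key=KEY):
    """Sender side: header + payload, protected by a MAC over both."""
    body = HEADER.pack(src, dst, seq, ts) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]

class Receiver:
    def __init__(self, my_id, peer_id, key=KEY):
        self.my_id, self.peer_id, self.key = my_id, peer_id, key
        self.last_seq = None      # highest sequence number accepted so far
        self.last_ok = None       # receiver clock at the last accepted message

    def accept(self, frame, now):
        """Return 'ok' or the name of the defence that rejected the frame."""
        if len(frame) < HEADER.size + MAC_LEN:
            return "bad-mac"
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, good):
            return "bad-mac"                      # corruption or forged message
        src, dst, seq, ts = HEADER.unpack(body[:HEADER.size])
        if (src, dst) != (self.peer_id, self.my_id):
            return "wrong-address"                # identifiers do not match this link
        if now - ts > MAX_AGE:
            return "delayed"                      # time stamp too old
        if self.last_seq is not None and seq <= self.last_seq:
            return "repeated-or-out-of-sequence"  # replay or re-sequencing
        self.last_seq, self.last_ok = seq, now
        return "ok"

    def link_alive(self, now):
        """Time-out defence: False means fall back to the safe state."""
        return self.last_ok is not None and now - self.last_ok <= TIMEOUT
```

A stored "track clear" frame carries a valid MAC, so it is the sequence number (if replayed quickly) or the time stamp (if replayed later) that rejects it, and the time-out covers the case where messages stop arriving at all.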

Safety in open transmission system: Quantitative analysis
- The probability of changes in the message going undetected depends on the length of the MAC.
- Sufficient length of MAC is worked out to meet the required SIL.
- Similarly, in case enciphering is used in place of MAC, the length of the secret key and the choice of cryptography algorithm will determine the safety level.
- A possible defense against a message delay may be to use a time-out in the receiving equipment.

Coming back to the earlier example: Block working through UFSBI on a point-to-point wireless link using the free frequency band of 2.4 GHz.
The issues are:
- Categorization as either Category 2 or Category 3, mainly being wireless communication.
- Types of wireless devices used, i.e. type of modulation.
- Incorporation of necessary defences.
- Use of cryptographic techniques if necessary, with selection of key length or MAC as per the required safety level.
- Quantitative analysis to show that the desired safety level is achieved.

Thanks