- The paper introduces a rule-based anomaly detection system that prevents hazardous control commands in railway networks.
- It employs decentralized, stateful validation protocols to mitigate semantic and timing attacks on signalling elements.
- Lab evaluations confirmed the system’s effectiveness by detecting semantic attacks without triggering false positives or safety delays.
Rule-based Anomaly Detection for Railway Signalling Networks
Introduction
This paper presents a rule-based anomaly detection system designed specifically for railway signalling networks. It addresses two attacker models: a Dolev-Yao attacker on the network who can inject control commands and mount semantic attacks (commands that are well-formed at the protocol level but unsafe in the current track state), and a compromised signal box that issues mistimed control messages. Either can drive the infrastructure into a hazardous state and cause severe railway incidents such as derailments and collisions.
Infrastructure and Attacker Models
Railway signalling systems, like other ICS, increasingly use COTS hardware, public networks, and open protocols, which exposes them to network-borne attacks. The proposed countermeasure is a distributed anomaly detection system that reuses the signalling system's own safety rules: it inspects incoming control commands at the level of the individual signals and points and blocks any command that would put the network into a hazardous state, whether that command is mistimed or has been manipulated by a compromised source.
The infrastructure model comprises a signal box communicating with Field Elements (FEs) such as light signals, points, and train detection systems (TDS) over an Ethernet/IP network. FEs report their state changes to the signal box, which uses them to keep train movements safe. As depicted in Figure 1, monitoring a network of this size requires security mechanisms that supplement and protect the safety functions without adding delay that would compromise system performance.
Figure 1: Example topology of a railway signalling network. Black lines depict the railway track, and thin dashed lines depict safety channels.
Anomaly Detection System
The anomaly detection system operates in parallel with the existing safety infrastructure. It establishes a security channel, separate from the safety channel, over which neighbouring FEs exchange stateful information about their current and anticipated states. This decentralised design lets each FE vet the commands it receives collaboratively, checking that a command is consistent with the state of the surrounding network before acting on it.
Detection Triggers and Algorithms
Two primary triggers initiate the detection algorithms:
- Point Trigger: Activated upon commands to change a point's position.
- Signal Trigger: Initiated when signals are commanded to clear for train passage.
The detection algorithm for points queries the TDS for the vacancy state of the relevant track sections before a switching command is executed, so a point is never moved under a train. The signal algorithm checks that the track sections beyond the signal are safe to traverse; because those sections may span several FEs, the check is recursive, with each FE validating its own section and then forwarding the query to the next FE over the security channel.
Evaluation and Results
The evaluation, run on datasets recorded in a railway signalling lab, confirmed the effectiveness of the proposed system: it detected the semantic attacks in the data without producing false positives. The additional message exchanges on the security channel increase communication overhead, but the resulting latency stays well within the margins the safety systems allow.
Discussion
The approach adds security to railway networks without modifying the certified safety functions, so existing safety certifications are not affected. It is a defence-in-depth measure that addresses a central difficulty in this domain, aligning cybersecurity controls with established safety procedures. Blocking unsafe commands at the field elements themselves is a significant step towards securing railway signalling networks.
Conclusion
By embedding a rule-based anomaly detection system within the topology of railway signalling networks, safety and cybersecurity measures are harmonized, offering protection against sophisticated threats. This system exemplifies an integrated approach to verifying command integrity, reinforcing the resilience of critical infrastructures against evolving cyber threats while respecting stringent safety protocols inherent to railway operations.