Abstract

Some recent incidents have shown that possibly the vulnerability of information technology (IT) systems in railway automation has been underestimated. Fortunately, so far, almost only denial-of-service attacks have been successful, but due to several trends, such as the use of commercial IT and communication systems or privatization, the threat potential could increase in the near future. However, up to now, no harmonized IT security requirements for railway automation exist. This chapter defines an IT security framework which aims to separate IT security and safety requirements as well as certification processes as far as possible. It builds on the well-known safety and certification processes from EN 50129 and integrates IT security requirements based on the ISA99/IEC 62443 standard series.