System security assessment for safety critical railway signalling systems for the thameslink infrastructure programme

摘要

In railway signalling there is a shift from bespoke stand-alone technology to commercial-off-the-shelf (COTS) connected devices. In addition, the ownership of assets within one connected system has changed from one to several industry partners, creating a need for a common approach. In addition, the business impact of a potential cyber security attack has increased. The challenges of managing cyber security risk for safety-critical systems, when technology and culture changes, was addressed by using a quantitative assessment method. This was used to develop the cyber security risk register and to design the cyber security architecture. This paper outlines the approach taken by the Network Rail Thameslink Programme. This paper recommends use of a common approach for security risk management in the rail industry. Detailed results on the outcome of the risk assessment cannot be shared due to the sensitive nature of the information.