WHITE PAPERSecurity of railways against

electromagnetic attacks

November 2015

Warning

This work has been carried out as part of the SECRET project (www.secret-project.eu). This project has received funding from the European Unions Seventh Framework Programme for research, technological development and demonstration under grant agreement no 285136.No part of this document may be copied, reproduced, disclosed or distributed by any means whatsoever, including electronic without the express permission of IFSTTAR, Coordinator of the EU SECRET Project. The same applies for translation, adaptation or transformation, arrangement or reproduction by any method or procedure whatsoever.

978-2-7461-2465-3 - SECRET Consortium Member 2015

ACRONYMSBTS Base Transceiver StationCENELEC European Committee for Electrotechnical StandardizationEIRENE European Integrated Railway Radio Enhanced NetworkEM ElectroMagneticEMF ElectroMagnetic FieldsETSI European Telecommunications Standards InstituteEVM Error Vector MagnitudeGSM Global System for Mobile communicationsGSM-R Global System for Mobile communications - RailwaysHSL High Speed LineIEM Intentional ElectroMagneticI/Q In-phase/QuadratureLGV Ligne Grande Vitesse (High Speed Line - HSL)MiMo Multiple-input Multiple-outputMS Mobile StationONF Organization Normative FrameworkPSD Power Spectral Density QoS Quality of ServiceRBC Radio Block CentreRF Radio FrequencySJR Signal to Jamming RatioSR Staff ResponsibleTGV Train Grande Vitesse (High Speed Train HST)TVRA Threat Vulnerability Risk Assessment

STANDARD REFERENCES

EMC

> Electromagnetic compatibility and Radio spectrum Matters (ERM); ElectroMagnetic Compatibility EMC) standard for radio equipment and services; Part 1: Common technical requirements: ETSI EN 301 489-1

> Electromagnetic compatibility and Radio spectrum Matters (ERM); ElectroMagnetic Compatibility (EMC) standard for radio equipment and services; Part 23: Specific conditions for IMT-2000

> CDMA, Direct Spread (UTRA and E-UTRA) Base Station (BS) radio, repeater and ancillary

> equipment: ETSI EN 301 489-23

Radio

> Global System for Mobile communications (GSM); Harmonized EN for Base Station equipment covering the essential requirements of article 3.2 of the R&TTE Directive: ETSI EN 301 502.

> Global System for Mobile communications (GSM); Part 4: Harmonized EN for GSM Repeaters covering the essential requirements of article 3.2 of the R&TTE Directive: ETSI EN 300 609-4.

> Electromagnetic compatibility and Radio Spectrum Matters (ERM) Electromagnetic Compatibility (EMC) standard for radio equipment and services Part 1: Common technical requirements: ETSI EN 301 489-1

> Specific conditions for mobile and portable radio and ancillary equipment of digital cellular radio telecommunications systems (GSM and DCS) : ETSI EN 301 489-7 Part 7.

> Specific conditions for GSM base stations: ETSI EN 301 489-8 Part 8.

> Specific conditions for Terrestrial Trunked Radio (TETRA) equipment: ETSI EN 301 489-18 Part 18.

3

CONTENT

INTRODUCTION .......................................................................................5

1. PREVENTION FROM EM JAMMING EFFECTS ...........................7

1.1 Methodology recommendations .....................................................................7

1.1.1 Planning security risk assessment study .......................................................... 7

1.1.2 Ensuring Interoperability of Risk Analysis Methods ..................................... 8

1.1.3 Security Analysis in Confidential Settings ....................................................... 8

1.1.4 Creating Knowledge Repository based on ISO 27034 ............................... 8

1.2 Operational recommendations ........................................................................9

1.2.1 Minimizing train emergency brake impact ....................................................... 9

1.3 Engineering recommendations .....................................................................10

1.3.1 System Architecture ............................................................................................... 10

1.3.2 Radio Network features ......................................................................................... 12

1.3.3 Rolling Stock ...............................................................................................................13

1.3.4 Train antenna ..............................................................................................................14

1.3.5 BTS antenna ................................................................................................................14

2. DETECTION OF EM JAMMING .................................................... 15

2.1 Jammer Detection Techniques ...................................................................... 15

2.1.1 Detection based on the Error Vector Magnitude (EVM) monitoring ...15

2.1.2 Detection based on the monitoring of the frequency spectrum occupation ...................................................................................................................16

2.1.3 Detection of an excess of energy in the operated band ........................... 17

2.1.4 Detection based on the monitoring of QoS ...................................................18

2.2 Jammer Detection application ...................................................................... 19

2.2.1 On board vehicle detector ....................................................................................19

2.2.2 On-board portable detector .................................................................................19

2.2.3 Track side (BTS proximity) Detector .................................................................19

2.2.4 Track side mobile Detector ................................................................................. 20

2.2.5 Train Station Detector ........................................................................................... 20

WHITE PAPER | SECURITY OF RAILWAYS AGAINST ELECTROMAGNETIC ATTACKS

4

2.3 Methodology recommendations ................................................................... 21

2.3.1 Jamming indicators: through harmonized indicators and reference conditions ....................................................................................................................21

2.3.2 Input to consider to design a dedicated EM attack detection solution .....................................................................................................21

2.3.3 Resilient Architecture Components .................................................................22

3. MITIGATION OF EM JAMMING EFFECTS ON TRAIN TO GROUND COMMUNICATIONS .................................................... 24

3.1 Operational recommendations ..................................................................... 25

3.1.1 Ground BTS ................................................................................................................25

3.1.2 Train Mobile Station ................................................................................................25

3.1.3 Train antenna .............................................................................................................25

3.1.4 Radio Network ..........................................................................................................27

3.2 Decision criteria for mitigation activation ................................................. 28

CONCLUSION ......................................................................................... 31

Prevention from EM Jamming effects

5

INTRODUCTION

Cyber threats are an increasing concern for every business. Barely a week goes by without new reports of sophisticated IT systems even of the largest organisations or intelligence services falling victim to cyber-attacks. It was therefore important to check what further precautions could be taken within the railway sector should the need arise.

The SECRET EU project addresses the issue of electro-magnetic attacks targeting rail infrastructure and contributes to reinforce the signalling systems. The electro-magnetic attacks considered in SECRET are low power intentional interferences that can break the communication links and affect voice communication and the good transmission of signalling information.

The SECRET consortium and its 10 members came together to assess the risks and consequences of electromagnetic (EM) attacks on the rail infrastructure, to identify preventive and recovery measures and to develop protection solutions to ensure the security of the rail network, subject to intentional EM interferences, which can disturb a large number of command-control, communication or signalling systems.

SECRET approach

The project illustrated the risk by implementing some electromagnetic attacks and analyzing their effects, thereby inciting the different railway actors to work together to strengthen the resilience of a system that must remain effective and safe for the serenity of our society.

Then, the project opened ways to resilience solutions regarding this type of attack. Preferring to avoid unconstructive and alarming rhetoric, which is unjustified as the European railway system is above all a very safe means of transport, the project identified and proposed strategies in which each actor would be able to inspire itself in order to act towards resilience.

The strategies de