Digital Transit Cyber Security Assessment Case Studies

Trust assurance in IoT environments
A case study of Digital Rail’s RailSight Assist system and Siemens RailCom Manager

With the rise of the Internet of Things in industrial environments and the convergence of information technology with operational technology, several new cyber risks have surfaced. Trustworthiness is an important attribute in IoT systems as it defines the confidence level of the ’human’ and the ’things’. When two or more organisations are involved in an IoT project, it is essential that they trust each other, their systems and the environments. Integrating a new IoT system to an existing operational environment can increase the risks and it is essential to confirm that the system is safe before deploying/integrating. Despite the efforts of evaluating trust in service offering between the devices, there is little evidence of assuring trust between the organisations and the stakeholder-system trust before the system is deployed/integrated into an environment.

This thesis will take Digital Rail’s RailSight Assist system and Siemens RailCom Manager interface as a case study and explore methods to assure trust in the environment. First, the project will define trust factors that are essential in establishing trust. Then it will use a variation of MAPE-K feedback loop to evaluate the trust with respect to the factors established. The data collection will take place through reviewing the system specifications and a survey conducted for the company personnel. After evaluating trust levels, a series of recommendations are given to both the organisations to improve the weak trust areas. This project thus gives both Digital Rail and Siemens to understand each other’s roles, their systems, improve cyber aspects and assure the safety of the system before deployment.

By Avanthika Vineetha Harish

A Risk Assessment Framework for Third-Party Providers Connecting to the Siemens Railcom Manager; Digital RailSight Assist as a Case Study

This project will define a risk assessment approach for providers connecting to the Siemens Railcom Manager, using the Digital RailSight Assist as its starting point. The project will seek to generalise principles for risk assessment in the Siemens environment, applicable to current and future providers. This review will account for the variation of devices and systems each provider may wish to connect, their size and maturity in the cybersecurity domain. Through a systematic literature review, risk assessment methods applied in the SCADA systems, ICS and Rail systems were selected and examined in detail in terms of the approach used, coverage, system characterisation and risk matrix used.

Based on the analysis, a simplistic framework supporting the continued assessment of providers in the Siemens environment has also been proposed to ensure that no additional risks are introduced through provider devices/systems/practices. With explicit feedback loops on how identified risks might be addressed, extra confidence is established in the continued interconnectivity of provider systems. This research also includes direction towards appropriate resources through which providers can address identified risks as well as a detailed controls that can be applicable to SRCM. The proposed framework is based on ISA99 (ISA/IEC 62443) standards that are tailored towards mitigation of vulnerabilities in industrial automation and control systems as well as the NIST Risk management Framework.

by Janet Silantoi Leparteleg