Adapting operational rules for degraded mode based on a human centred risk assessment

Information Technology (IT) systems have been widely used in industrial facilities and also in critical infrastructures like the railway system. With it, it became necessary to prepare for IT security attacks. The importance... [ view full abstract ]

Information Technology (IT) systems have been widely used in industrial facilities and also in critical infrastructures like the railway system. With it, it became necessary to prepare for IT security attacks. The importance of operational continuity under/after IT security attacks has gained much attention in the last decade. Today, it is often tried to solve the IT security issue by technology only. The main work of today’s railway IT security activities is focused on, e.g. secure programming, developing IT security management systems or setting up standards for certificating components.

However, even with all those technical measures in place, railway operations cannot be completely secure indefinitely. When the railway system is under attack or has been breached, staff with skills and training will be needed to ensure the continuity of operations by using defined degraded procedures. We argue that today’s operational procedures in degraded operations are not completely suitable as they were developed mainly under the consideration of safety issues.

In our paper, we begin with a brief overview of our ongoing Project SysRULES. The main focus of this project is to develop a complete set of operational procedures for degraded operational mode, which is applicable after safety and IT security issues have occurred or are suspected.

The main argument of this paper is that due to the increase in IT attacks, the train operator will need to run railway operations in degraded mode more frequently. We can assume that the frequency of safety-related events during degraded mode stays the same. This will lead to an overall increase in the number of safety-related events and therefore also an increase in the associated risk. In this paper, we focus on discussing how safe and reliable our existing procedures for degraded mode are and how to make the procedures safer and more secure. As railway operators are mostly at the core of the procedures, we will deal with human factor issues as input and solution for our analysis.

We perform an adapted risk assessment based on the system definition for degraded mode as given in the German railway rulebook. We begin with a Failure Mode and Effects Analysis (FMEA) based on the different tasks a train operator has to perform. We broaden the FMEA to look more in detail at the safety barriers installed to prevent the train operator making mistakes.

In a second step, we further extend the FMEA and consider possible IT attacks. We use a catalogue of typical attack scenarios as given in standard 0831-102 to analyse, which tasks of the train operator are vulnerable.

Using a qualitative risk assessment method, we rank the risks associated with the tasks. Starting with tasks which are especially risky, we look at the barriers and suggest changes in the procedures for degraded mode, making operations safer and more secure. These changes will be focussing on the performance of the train operator, but will also include suggestion for technical measures.