Vulnerabilities, Attacks, and Countermeasures in Balise-Based Train Control Systems

In modern rail transport systems, balises are widely used to exchange track–train information via an air-gap interface. In this paper, we first present the vulnerabilities in the standard balise air-gap interface, and then conduct vulnerability simulations using the system parameters specified in the European Train Control System. The simulation results show that the vulnerabilities can be exploited to launch effective and practical attacks, which could lead to catastrophic consequences, such as train derailment or collision. To mitigate the vulnerabilities and attacks, we propose to implement a challenge–response authentication process in the air-gap interface in the existing transport infrastructure.
