DKE / Siemens
Some recent incidents suggest that the vulnerability of IT systems in railway automation may have been underestimated. Fortunately, almost all successful attacks so far have been denial-of-service attacks, but several trends, such as the use of commercial IT and communication systems or privatization, could increase the threat potential in the near future. However, no harmonized cybersecurity risk assessment framework for railway automation exists to date. This paper shows problems with common approaches to IT security risk analysis for safety-related systems and defines a cybersecurity risk assessment framework that aims to separate security and safety requirements, as well as certification processes, as far as possible. It builds on the well-known safety and approval processes from IEC 62425 and integrates security requirements based on the ISA99/IEC 62443 standard series.