Conference paper Open Access

A Reference Architecture for Integrating Safety and Security Applications on Railway Command and Control Systems

Birkholz, Henk; Krauß, Christoph; Zhdanova, Maria; Kuzhiyelil, Don; Arul, Tolga; Heinrich, Markus; Katzenbeisser, Stefan; Suri, Neeraj; Vateva-Gurova, Tsvetoslava; Schlehuber, Christian

In critical infrastructures such as railway systems, the continuous and resilient availability of safety-critical functions residing on actuator and sensor components must be ensured. Since these components are increasingly connected using the Internet Protocol (IP), they additionally require security functions to provide protection against attackers. Moreover, the railway infrastructure is highly distributed, with its critical components residing at the track side, where they are easily accessible to attackers. Thus, continuous proof that the safety-critical systems have not been manipulated is required as well. The (safety) certification of such safety-critical systems covers both the hardware components and the corresponding software components that compose a specific safety-critical application. Since security functions are currently not in use, they are not part of the certification. However, the integration of security functions is imperative to provide the basis for preventing or detecting manipulations of the system. In essence, co-residing security functions are required to retain and assure the trusted interoperability of safety-critical systems integrated into the rapidly growing number of newly deployed IP-based control networks. Thus, a given safety certification (and the guarantees it provides) must not be violated by the integration of security functions. In this paper, we present the first results of the ongoing HASELNUSS project by introducing the Haselnuss Reference Architecture (HRA) for Railway Command and Control Systems (CCS), which allows uncertified security functions to reside on the same hardware device as certified safety functions without voiding the certification of these safety functions.

Files (824.4 kB)

Name: Birkholz2018a-reference-architecture.pdf
md5: 5ff96c87f38127db36b0a41a097f9cc5
Size: 824.4 kB