Deprecated: The each() function is deprecated. This message will be suppressed on further calls in /home/zhenxiangba/zhenxiangba.com/public_html/phproxy-improved-master/index.php on line 456
AU2020376035B2 - Balise integrity - Google Patents
[go: Go Back, main page]

AU2020376035B2 - Balise integrity - Google Patents

Balise integrity

Info

Publication number
AU2020376035B2
AU2020376035B2 AU2020376035A AU2020376035A AU2020376035B2 AU 2020376035 B2 AU2020376035 B2 AU 2020376035B2 AU 2020376035 A AU2020376035 A AU 2020376035A AU 2020376035 A AU2020376035 A AU 2020376035A AU 2020376035 B2 AU2020376035 B2 AU 2020376035B2
Authority
AU
Australia
Prior art keywords
balise
cyber
data
train
security system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
AU2020376035A
Other versions
AU2020376035A1 (en
Inventor
Amir LEVINTAL
Michael SHIFMAN
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cylus Cyber Security Ltd
Original Assignee
Cylus Cyber Security Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cylus Cyber Security Ltd filed Critical Cylus Cyber Security Ltd
Publication of AU2020376035A1 publication Critical patent/AU2020376035A1/en
Application granted granted Critical
Publication of AU2020376035B2 publication Critical patent/AU2020376035B2/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L3/00Devices along the route for controlling devices on the vehicle or train, e.g. to release brake or to operate a warning signal
    • B61L3/02Devices along the route for controlling devices on the vehicle or train, e.g. to release brake or to operate a warning signal at selected places along the route, e.g. intermittent control simultaneous mechanical and electrical control
    • B61L3/08Devices along the route for controlling devices on the vehicle or train, e.g. to release brake or to operate a warning signal at selected places along the route, e.g. intermittent control simultaneous mechanical and electrical control controlling electrically
    • B61L3/12Devices along the route for controlling devices on the vehicle or train, e.g. to release brake or to operate a warning signal at selected places along the route, e.g. intermittent control simultaneous mechanical and electrical control controlling electrically using magnetic or electrostatic induction; using radio waves
    • B61L3/121Devices along the route for controlling devices on the vehicle or train, e.g. to release brake or to operate a warning signal at selected places along the route, e.g. intermittent control simultaneous mechanical and electrical control controlling electrically using magnetic or electrostatic induction; using radio waves using magnetic induction
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0018Communication with or on the vehicle or train
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0072On-board train data handling
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0081On-board diagnosis or maintenance
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/50Trackside diagnosis or maintenance, e.g. software upgrades
    • B61L27/53Trackside diagnosis or maintenance, e.g. software upgrades for trackside elements or systems, e.g. trackside supervision of trackside control system conditions
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/50Trackside diagnosis or maintenance, e.g. software upgrades
    • B61L27/57Trackside diagnosis or maintenance, e.g. software upgrades for vehicles or trains, e.g. trackside supervision of train conditions
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/70Details of trackside communication
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L27/00Central railway traffic control systems; Trackside control; Communication systems specially adapted therefor
    • B61L27/20Trackside control of safe travel of vehicle or train, e.g. braking curve calculation
    • B61L2027/202Trackside control of safe travel of vehicle or train, e.g. braking curve calculation using European Train Control System [ETCS]
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B61RAILWAYS
    • B61LGUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L2205/00Communication or navigation systems for railway traffic
    • B61L2205/04Satellite based navigation systems, e.g. global positioning system [GPS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121Timestamp

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Mechanical Engineering (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Virology (AREA)
  • Train Traffic Observation, Control, And Security (AREA)

Abstract

A cyber security system for providing security to a railway, the system comprising a data monitoring and processing hub; a network comprising a plurality of data collection agents configured to monitor railway infrastructure communications associated with balises to detect anomalies indicative of a cyber-attack.

Description

WO 2021/084542 A1 Published: with international search report (Art. 21(3))
- before the expiration of the time limit for amending the
- claims and to be republished in the event of receipt of amendments (Rule 48.2(h))
WO wo 2021/084542 PCT/IL2020/051132
BALISE INTEGRITY RELATED APPLICATIONS
[0001] The present application claims the benefit under 35 U.S.C. 119(e) of U.S. Provisional
Application 62/927,706 filed on October 30, 2019 the disclosure of which is incorporated
herein by reference.
FIELD
[0002] Embodiments of the disclosure relate to providing a system for providing cyber security
to a railroad system
BACKGROUND
[0003] Early railroad systems visually signaled train drivers and controlled trains operating on
the systems using mechanical signaling and control devices to govern movement of the trains
along fixed lengths of track, referred to as "blocks". Each block was the responsibility of a
signalman who operated signal and control equipment to authorize and control movement of
trains into and out of the signalman's block. Generally, a signalman operated from the vantage
point of a second floor of a small, two story building referred to as a signal box that was high
enough to offer the signalman visual surveillance of the block for which the signalman was
responsible. For example, at railroad track switches at which trains are directed to proceed
along different tracks, track switches and signaling equipment were manually set to required
positions by signalmen operating levers or handles located in a signal box. And early automatic,
track "wayside", devices were mechanical devices that operated by direct physical contact with
trains. For example, train stops, which operated to automatically stop a passing train if it didn't
have authority to proceed from one block to a next block, comprised an arm that engaged a
valve on the passing train to trigger the train's brake system and stop the train.
[0004] However, the growth, urbanization, and globalization of the world's population
generated need for and deployment of railroad systems capable of providing large transport
capacities that span continents, which older conventional signaling and control technology
could not support. The advent of modern digital processors, sensors, communications systems,
and Global Navigation Satellite Systems (GNSSs), have made technologies available that are
capable of supporting the new requirements of the railway systems. Operations of the systems
generate communication activities between railway entities, which may be railway
infrastructure entities, for example, trackside entities, such as balises, railroad switches, and
WO wo 2021/084542 PCT/IL2020/051132
train stations, and/or rolling stock entities, for example trains that move on the railway tracks
and onboard equipment they carry.
[0005] Advanced rail traffic management (ARTMN) systems based on the new technologies
that are deployed and/or under development at various levels of sophistication provide real
time monitoring and flexible management of train movement that adapts to operational
contexts of the trains. The systems may provide such train control functionalities as Automatic
Train Protection (ATP), Automatic Train Operation (ATO), and/or Automatic Train
Supervision (ATS) as defined in various national and international technical standards, such as
by way of example the IEEE 1474 or IEC 61375 standards. An ARTMN system may also
include management and control of passenger facility infrastructures, such as train stations, fire
alarm and safety systems, and passenger services such as automatic ticketing and information
display systems.
[0006] The European Rail Traffic Management System (ERTMS) is an example of an
ARTMN system that is a software-based railway command, signaling, and communication
system, adopted by the European Union as a standard for railway control. The system
comprises an ATP referred to as a European Train Control System (ETCS) that operates to
provide train operation compliance with speed, safety, and inter-train spacing regulations; and
a railway communications system, referred to as Global System for Mobile communications
Railways (GSM-R), for voice and data services.
SUMMARY
[0007] An aspect of an embodiment of the disclosure relates to providing a cyber security
system, hereinafter also referred to as "Rail-Eye", which operates to provide a railway with
protection against cyber-attack. Providing protection against cyber-attack may comprise
identifying an attempt to perpetrate, vulnerability to, and/or presence of a cyber-attack.
Reference to a cyber-attack may refer to any one or any combination of more than one of an
attempt to perpetrate, vulnerability to, and/or a cyber-attack.
[0008] In an embodiment, Rail-Eye comprises an optionally cloud based, data monitoring and
processing hub, and a distributed, synchronized network of data collection agents and
aggregator nodes. The data collection agents which may be referred to as "cyber-sinches",
comprise infrastructure cyber-snitches and rolling stock, "onboard", cyber-snitches.
Infrastructure snitches are configured to monitor communications generated by and/or
operations of infrastructure equipment. Onboard snitches are configured to monitor
WO wo 2021/084542 PCT/IL2020/051132
communications generated by and/or operations of onboard equipment. An infrastructure
and/or rolling stock snitch may operate and provide functions of a network tap. For
convenience of presentation monitoring communications and/or operations of a piece of
equipment is generically referred to as monitoring communications of the equipment.
Aggregator nodes, also referred to simply as aggregators, comprise onboard aggregator nodes
and infrastructure aggregator nodes. Onboard aggregators are located onboard rolling stock.
Infrastructure aggregators, also referred to as RBC aggregators, are installed at fixed locations
generally in railway Radio Block Centers (RBCs).
[0009] In an embodiment, the network of cyber-snitches, aggregators, and Rail-Eye hub are
configured in a hierarchical logical topology. Onboard cyber-snitches transmit data they
acquire from communications that they monitor to onboard aggregator nodes in data messages.
Onboard aggregator nodes may forward data as received, and/or as processed, optionally to
identify presence of a cyber-attack, to RBC aggregators. Infrastructure cyber-snitches also
transmit data they acquire from communications that they monitor to RBC aggregators in data
messages. RBC aggregators in turn may forward data as received, and/or as processed by the
RBC aggregators, optionally to determine presence of a cyber-attack to the Rail-Eye hub for
storage and/or for processing, optionally to determine presence of a cyber-attack. In an
embodiment, the hub and/or an aggregator determining that a cyber-attack is indicated may be
configured to undertake a response to the indicated cyber-attack.
[0010] In an embodiment, the Rail-Eye system is synchronized to a common, network clock
time, optionally based on a reference frequency and time of day (TOD) timing information
provided by transmissions from a GNSS. Data that an onboard and/or infrastructure cyber-
snitch transmits in a data message to an aggregator may be time stamped with a time based on
the network clock time at which the monitored communication comprising the data is received
by the cyber-snitch. The time stamp associated with data that an onboard cyber-snitch transmits
in a data message may comprise a time lapse between a beginning of a turn of a multifunctional
vehicle bus (MVB) comprised in a train communication network (TCN) of the train in which
the onboard cyber-snitch is located.
[0011] In an embodiment cyber-snitches and/or aggregator nodes in Rail-Eye are configured
to monitor communications generated by entities in the railroad system to determine if balise
integrity is maintained and balises in the railway system are operating properly. The
communications monitored to determine balise integrity comprise communications,
conventionally referred to as "telegrams", generated by balises, and/or communications, also
WO wo 2021/084542 PCT/IL2020/051132
referred to as "balise related communications", generated by non-balise entities that are related
to balise telegrams. In an embodiment, Rail-Eye monitors patterns and content of telegrams
and/or communications related to balise communications that are considered to be free of
cyber-infringement to determine normative patterns of balise telegrams and balise related
communications. Rail-Eye vets telegrams and/or balise related communications for proper
operation in real time to determine if communications that appear anomalous in view of
normative patterns of balise communications are indictive of a cyber-attack. Hereinafter, balise
telegrams and/or balise related communications may be referred to generically as balise
communications.
[0012] This Summary is provided to introduce a selection of concepts in a simplified form that
are further described below in the Detailed Description. This Summary is not intended to
identify key features or essential features of the claimed subject matter, nor is it intended to be
used to limit the scope of the claimed subject matter
BRIEF DESCRIPTION OF FIGURES
[0013] Non-limiting examples of embodiments of the invention are described below with
reference to figures attached hereto that are listed following this paragraph. Identical features
that appear in more than one figure are generally labeled with a same label in all the figures in
which they appear. A label labeling an icon representing a given feature of an embodiment of
the invention in a figure may be used to reference the given feature. Dimensions of features
shown in the figures are chosen for convenience and clarity of presentation and are not
necessarily shown to scale.
[0014] Fig. 1A schematically shows a Rail-Eye system comprising a cloud-based data
monitoring and processing hub and a distribution of cyber-snitches operating to protect a
railway system from cyber incursion, in accordance with an embodiment of the disclosure;
[0015] Fig. 1B schematically shows an enlarged image of a portion of the railway system
shown in Fig. 1A, in accordance with an embodiment of the disclosure;
[0016] Fig. 2A schematically show a train, components of the train TCN, and cyber-snitches
and aggregators connected to the TCN, in accordance with an embodiment of the disclosure;
[0017] Fig. 2B schematically shows a locomotive of the train shown in Fig. 2A and cyber-
snitches and aggregators connected to devices in the locomotive, in accordance with an
embodiment of the disclosure;
[0018] Fig. 2C schematically shows a car of the train shown in Fig. 2A and cyber-snitches and
aggregators connected to devices in the car, in accordance with an embodiment of the
disclosure;
[0019] Fig. 3 schematically shows a Rail-Eye operating to protect a railway from cyber
incursion of the balise infrastructure of the railway, in accordance with an embodiment of the
disclosure;
[0020] Fig. 4A shows a flow diagram illustrating a process that Rail-Eye executes to determine
if a balise communication is an anomaly, in accordance with an embodiment of the disclosure;
[0021] Fig. 4B is a continuation of the flow diagram of Fig. 4A, in accordance with an
embodiment of the disclosure; and
[0022] Fig. 4C is continuation of the flow diagram of Fig. 4B, in accordance with an
embodiment of the disclosure.
DETAILED DESCRIPTION
[0023] In the following detailed description, components of a Rail-Eye system operating to
provide cyber security to a railway system in a train operations area are discussed with
reference to Figs. 1A and 1B. Figs. 2A-2C schematically show details of a train communication
network (TCN) optionally comprising a "train-wide", wire train bus (WTB) that spans the
length of a train and is coupled to multifunctional vehicle buses (MVB), each of which supports
communications for onboard devices in a single car of the train. Placement and operation of
onboard cyber-snitches and onboard aggregators located in the train in accordance with an
embodiment of the disclosure are discussed with reference to the figures.
[0024] In the discussion, unless otherwise stated, adjectives such as "substantially" and
"about" modifying a condition or relationship characteristic of a feature or features of an
embodiment of the disclosure, are understood to mean that the condition or characteristic is
defined to within tolerances that are acceptable for operation of the embodiment for an
application for which the embodiment is intended. Unless otherwise indicated, the word "or"
in the description and claims is considered to be the inclusive "or" rather than the exclusive or,
and indicates at least one of, or any combination of items it conjoins.
[0025] Fig. 1A schematically shows a perspective view of Rail-Eye system 20, operating to
provide cyber-protection to a railway system 200, in accordance with an embodiment of the
disclosure. Fig. 1B schematically shows an enlarged portion of railway system 200 and Rail-
Eye 20, in accordance with an embodiment of the disclosure.
[0026] Railway system 200 comprises an infrastructure of tracks 202 along which trains 300
move to transport passengers and goods, and infrastructure equipment that cooperate to control
movement of the trains in an operations area schematically represented by a dashed rectangle
204. The infrastructure equipment comprises switches (not shown) at track junctions 206,
signaling apparatuses represented by color light signal equipment 208 along the tracks and at
track junctions 206 and crossovers 207, interlocking trackside units 210 at the track junctions,
trackside balises 218, RBCs 230, each represented by a house and radio antenna tower, and
train stations represented by clusters of human icons 260.
[0027] A signaling apparatus 208 conventionally referred to as a "signal" is a trackside device,
typically a color light device as schematically shown in Fig. 1A, operable to visually transmit
to a train driver by color of lights that the signal displays, information relating to the state of
track ahead of a train which the train driver is driving. For example, a signal 208 might inform
the train driver of a speed at which the train may safely proceed, or, if the track ahead of the
train is occupied by another train, instruct the train driver to stop the train. An interlocking
trackside unit 210, controls signaling and switches at a track junction 206 to prevent conflicting
movement and provide for safe passage of trains through the junction. A balise 218, such as a
Euro-balise used by the ERTMS, is a passive electronic beacon mounted to a track sleeper
between the rails of a track. The balise receives energy from a train passing over the balise and
uses the energy to transmit information to the train via a signal referred to as a telegram. The
telegram typically comprises a unique identification of the balise and thereby location of the
train as it passes over the balise, speed limits, gradients, and if the balise is a balise referred to
as a switchable or transparent balise, it may be operated to provide movement authority.
[0028] A radio block center, RBC 230, is a radio control center that communicates with trains
300, and infrastructure equipment over a railway communications system, such as GSM-R, in
an area referred to as an RBC control area for which the RBC has radio coverage and is
responsible for safe operations of the trains. By way of example, control areas for two adjacent
RBCs 230 are schematically indicated by dashed hexagonal boundaries 231. An RBC 230
receives data relevant to the status and locations of trains 300 in control area 231 of the RBC
via GSM-R radio transmissions from the trains and data relevant to status of infrastructure
equipment from interlocking trackside units 210 in the RBC control area 231 via wire and/or
radio communication. The RBC processes the received data and information to formulate and
transmit movement authorities to trains 300 and data to interlocking trackside units 210 for use
by the trackside units to control signaling and switching at track junctions 206 at which the
WO wo 2021/084542 PCT/IL2020/051132
trackside units and interlocking components such as signal lights and switches are respectively
located. The movement authorities that an RBC generates and transmits to the trains are
determined to provide distances between trains that maintain safe headways (distances between
trains and next trains) and generally also advantageous transport capacity.
[0029] Trains 300 comprise a locomotive 310 and optionally one or more train vehicles 330,
also referred to as cars 330. Enlarged images and details of a train 300, locomotive 310, and
car 330 are schematically shown in Figs. 2A, 2B and 2C respectively. Generally, a train 300
has a train communications network, TCN 331 (Figs. 1B, 2A-2C), comprising a train-wide bus,
WTB 336, running the length of the train, and for each car 330 and locomotive 310, an MVB
bus 332 connected to the WTB by a train vehicle gateway 334. MVB 332 in a given car 330 or
locomotive 310 supports communications between and with onboard devices, generically
referenced in Figs. 2A-2C by the label 360 (Figs. 2A-2C), in the car or locomotive. For
example, in a train car 330 door control actuators, air-conditioning, lighting, and passenger
information devices are connected to MVB 332. Transmissions over MVB 332 by devices 360
attached to MVB 332 are controlled by at least one bus master 335 which controls access to
MVB 332 during sequential time periods referred to as turns. WTB 336 supports
communications between cars 330 and between cars 330 and locomotive 310. Brake control
apparatus 362 (Fig. 2C) in each car 330 and locomotive 310 is typically directly connected to
WTB SO that application and release of brakes in train 300 may be properly synchronized.
Locomotive 310 typically comprises a communication module 312 (Fig. 1B) having a suitable
front end and antenna that supports GSM-R communications with RBCs 230 (Figs. 1A and
1B) and trackside equipment, a GSNS (Global Satellite Navigation System) receiver 313, and
a balise "reader", conventionally referred to as a balise transmission module (BTM), 314, (Figs.
2A, 2B) configured to interface with balises 218 (Figs. 1A, 1B).
[0030] The locomotive is mandated to comprise an event recorder, which in European Train
Control Systems, ETCS, is a Juridical Recording Unit (JRU). The event recorder or JRU,
hereinafter generically referred to as a JRU, is a rolling stock "black box" recorder, which
receives and stores data relevant to events of specific interest that may occur during operation
of train 300 to facilitate analysis of train behavior and accidents in which the train may be
involved. The ERTMS has defined a set of specific events, hereinafter also referred to as JRU
events, which trigger transmission to the JRU of data relevant to the events in formatted
message packets, referred to as JRU data messages that identify the events. A JRU data
messages associated with a given JRU event includes the date and time of occurrence in UTC
WO wo 2021/084542 PCT/IL2020/051132
of the event and other information items that identify the JRU event. A list of JRU events is
provided in an ERTMS/ETCS functional interface specification (FIS) entitled FIS Juridical
Recording.
[0031] Rail-Eye system 20 optionally comprises a data monitoring and processing hub 22 (Fig.
1A and 1B), which may, as shown in Figs. 1A and 1B, be cloud based, and a network of
onboard cyber-snitches schematically represented by diamond shape icons 32, and onboard
aggregator nodes 34 schematically represented by hexagonal icons, located on trains 300. For
convenience of presentation, in Figs. 1A and 1B, to accommodate constraints on sizes of
images shown in the figures, onboard cyber-snitches 32 and aggregators 34 are shown over or
on images of trains 300, and a single onboard cyber-snitch 32 and/or onboard aggregator 34
associated with a train 300 or portion of a train 300 in Figs. 1A and 1B represents one or more
cyber-snitches and/or one or more onboard aggregators respectively.
[0032] Figs. 2A-2C schematically show details discussed below of possible placements of
onboard cyber-snitches 32 and onboard aggregators 34 in a train 300 and how they may be
connected to the train's TCN 331 (Fig. 1B, 2A-2C). Rail-Eye 20 also comprises stationary,
infrastructure cyber-snitches, schematically represented by icons 36, and RBC aggregators 38
(Figs. 1A-2C) that communicate with the infrastructure cyber-snitches. A single infrastructure
cyber-snitch 36 and/or a single RBC aggregator 34 shown in Figs. 1A and 1B represents one
or more of an infrastructure cyber-snitch and aggregator respectively.
[0033] Onboard and infrastructure cyber-snitches 32 and 36, and aggregators 34 and 38 may
be configured as separate bare metal components, as might be inferred from Figs. 1A-2C.
However, cyber-snitches and aggregators in accordance with an embodiment of the disclosure
may be defined by software and hardware components, or only by software components and
may quite generally comprise any combination of software and/or hardware components that
support functionalities of the cyber-snitches and aggregators.
[0034] For example, a cyber-snitch or aggregator may be a bare metal, hardware module
comprising any electronic and/or optical processing and/or control circuitry, to provide and
enable functionalities that the cyber-snitch or aggregator may require to support monitoring or
processing functionalities of the cyber-snitch or aggregator. The cyber-snitch or aggregator
may comprise any one, or any combination of more than one of, a microprocessor, an
application specific circuit (ASIC), field programmable array (FPGA) and/or system on a chip
(SOC). The cyber-snitch or aggregator may comprise a memory having any electronic and/or
optical circuitry suitable for storing data and/or computer executable instructions and may, by way of example, comprise any one or any combination of more than one of a flash memory, random access memory (RAM), read only memory (ROM), and/or erasable programmable read-only memory (EPROM). A cyber-snitch or aggregator may be a software module comprised in any of various onboard and/or infrastructure equipment of a railway system and may cooperate with hardware and/or software in railway system equipment to perform functionalities of the cyber-snitch and/or aggregator. A cyber-snitch or aggregator may be a virtual entity. Similarly, hub 22 optionally has a memory 23 and a processor 24 configured to support functionalities of the hub, may comprise any combination of hardware and software components, and may comprise or be a virtual entity.
[0035] As schematically shown in Figs. 2A-2C onboard cyber-snitches 32 and onboard
aggregators 34 may be coupled to different onboard equipment in a train 300 to monitor
communications generated by devices in the train and transmit data from the monitored
communications to onboard aggregator 34 of the train for forwarding to an RBC 230 and/or
hub 22 for processing and optionally storage. And a cyber-snitch 32 may be coupled in different
ways to a device 360 in train 300 and to TCN 331 of the train to acquire and forward the data.
[0036] For example, an onboard cyber-snitch 32 distinguished by a label 32-1 located in a car
330 (Fig. 2C) may be coupled directly to a device 360 in the car to monitor communications
generated by the device. Cyber-snitch 32-1 may be coupled to a port (not shown) of device 360
to monitor communications propagated through the port or to a processor (not shown)
comprised in the device to monitor activity of the processor. Cyber-snitch 32-1 is optionally
not directly connected to TCN 331 by a connection to MVB 332 and may be configured to use
a connection that device 360 has to MVB 332 to transmit data acquired from the monitored
communications or activity to the MVB and therefrom to aggregator 34 in car 330.
Alternatively or additionally, a cyber-snitch 32, such as the cyber-snitch distinguished by a
label 32-2 in Fig. 2C, monitoring a device 360 in car 330 may itself be directly coupled to
MVB 332 to transmit data to TCN 331 that cyber-switch 32-2 acquires from monitored
communications. An onboard aggregator 34 in car 330 may be connected to MVB 332 to
receive and aggregate data comprised in data messages transmitted by cyber-snitches 32-1 and
32-2 for forwarding and processing. Onboard aggregator 34 may process the aggregated data
to determine possible presence of a cyber-attack and forward aggregated data and/or
aggregated data as processed to train vehicle gateway 334 for transmission via WTB 336 to
locomotive 310 and forwarding by GSM-R communication to an RBC 230. An onboard
aggregator, such as aggregator 34 comprised in locomotive 310 schematically shown in Fig.
2B may receive data messages generated by a cyber-snitch distinguished by a label 32-3 (Fig.
2B) monitoring WTB 336.
[0037] In an embodiment, to reduce bandwidth use and possible interference that activity of
cyber-snitches 32 and 36 and aggregators 34 and 38 may have on operations of onboard and/or
infrastructure equipment of railway system 200, a cyber-snitch and/or aggregator may
compress data it receives for transmission in a data message and/or processing. Optionally, to
facilitate processing data comprised in data messages that cyber-snitches and aggregators
comprised in Rail-Eye 20 generate and transmit, the data messages may be configured in
accordance with a common Rail-Eye rapporteur protocol. In an embodiment a data message
configured in accordance with the Rail-Eye rapporteur protocol may comprise a message field
encoding a weighting vector having components that indicate degree of relevance of the data
for different operational aspects of the railway system The weighting vector for a data message
generated by a cyber-snitch aggregator may for example indicate how relevant the data may be
for safety of operation of rolling stock and/or infrastructure equipment, provide a desired time
frame and/or priority for processing the data, and/or that an alarm should be raised to indicate
that human intervention is advised. Weighting may be context dependent.
[0038] Rail-Eye 20 components are optionally synchronized to a same network clock
schematically represented by a clock 25 that generates a reference frequency and TOD based
on timing information and TOD signals received from a GNSS system schematically
represented by satellites 50. Cyber-snitches and aggregators may time stamp data that they
acquire with network clock times at which they acquire the data. In an embodiment, the Rail-
Eye system is synchronized to a common, network clock time, optionally based on a reference
frequency and time of day (TOD) timing information provided by transmissions from a GNSS.
As noted above, transmissions over MVB 332 by devices attached to the MVB are controlled
by at least one bus master 335 which controls access to MVB 332 during sequential time
periods turns. In an embodiment, an onboard snitch 32 may time stamp data that it acquires
from an onboard device 360 with a time lapse, also referred to as a "turn time" lapse, between
a time at which the cyber-snitch acquired the data and a beginning of a turn during which the
data was acquired. An onboard and/or RBC aggregator, a train vehicle gateway, and/or hub 22
that receives the data may determine when the data was acquired relative to network time using
the turn time lapse.
[0039] In an embodiment, as indicated in Fig. 1A and 1B, the network of cyber-snitches 32
and 34, aggregators 36 and 38, and Rail-Eye hub 20 are configured in a hierarchical logical topology. Onboard snitches 32 transmit data messages to onboard aggregators 34 for processing and/or forwarding to RBC aggregators 38. Onboard aggregators 34, infrastructure snitches 34, and optionally onboard snitches 32, transmit data to RBC aggregators 38 for processing. RBC aggregators 38 in turn transmit data they receive and/or have processed to
Rail-Eye hub 22 for processing.
[0040] Optionally, Rail-Eye 20 is configured to process data acquired by onboard and
infrastructure cyber-snitches 32 and 34 in "layers" homomorphic to the hierarchical network
topology to determine presence of a possible cyber-attack.
[0041] Onboard aggregators 34 may be configured to identify anomalous events responsive to
data they receive and aggregate from onboard snitches 32 on respective trains 300 in which the
onboard aggregators are located. In an embodiment, an onboard aggregator 34 may determine
an operational train context for the train in which the onboard aggregator is located, and identify
anomalous events based on the train context. A train context may comprise by way of example,
at least one or any combination of more than one of train speed, track conditions, traffic
congestion, ambient weather conditions, passenger or freight loading, number of cars in the
train, number of locomotives in the train and specifications of locomotives and cars.
Optionally, upon identifying an indication of a cyber-attack, onboard aggregator 34 may
operate to undertake a response to the attack.
[0042] For example, in an embodiment, onboard cyber-snitches 32 in a car 330 of a train 300
may monitor devices 360 controlling doors in the car and generate and transmit to an onboard
aggregator 34 in the car data messages comprising data indicating status of the doors. The
onboard aggregator 34 in the car that receives the data messages may determine an operational
context for the train comprising values based on speed and location of the train for times at
which time stamps in the data messages indicate the status data was acquired by the cyber-
snitches. For a situation in which the data messages from cyber-snitches 32 indicate that doors
of car 330 are open, aggregator 34 may generate and transmit to an RBC aggregator 38 (Fig.
1B) a data message for which a weighting vector has a very large weight for each of both
operational safety and anomalousness indicative of possible cyber-attack if train 300 is carrying
passengers between railway stations. The magnitudes of the large weights may be dependent
on speed and/or location of the train indicated by the operational train context. Optionally,
onboard aggregator 34 may be configured to respond to the situation as a function of
magnitudes of the safety and anomalousness weights. For instance, if the weighting vector
weight for either operational safety or anomalousness exceeds a predetermined threshold, aggregator 34 may generate an alarm notice to a driver of the train and/or the RBC aggregator
38. On the other hand, the weights for operational safety and anomalousness may be relatively
low if the train context determined by aggregator 34 indicates that car 330 is empty of
passengers or the train is in a train yard.
[0043] By way of another example, an onboard cyber-snitch 32 may be coupled to WTB 336
and an output of train vehicle gateway 334. The cyber-snitch may generate and transmit data
messages to an onboard aggregator 34 responsive to time delays between the gateway receiving
a communication via WTB 336 to activate or release brakes in the car and a time at which the
gateway transmits a corresponding activation signal to the brakes. If the time delay exceeds a
predetermined maximum could be the cyber-snitch may determine presence of an anomaly
indicating a possible cyber-attack.
[0044] RBC aggregators 38 may be configured to identify anomalous events indicating a
possible cyber-attack responsive to data the RBC aggregators 38 receive from infrastructure
snitches 34, and onboard snitches 32 and/or onboard aggregators 34 located in respective
control areas 231 (Fig. 1) of the RBCs 230 in which the RBC aggregators are located. An RBC
aggregator 38 may be configured to determine an RBC control area context for rolling stock
and/or infrastructure equipment in its control area 231 and identify anomalous events,
optionally based on the RBC context. An RBC control area context may comprise at least one
of or any combination of more than one of measures related to track conditions, such as state
of rail repair and railhead adhesion, weather conditions, such as visibility and precipitation,
and rolling stock status, such as congestion and types of rolling stock moving in a control area
231 of an RBC 230. A control area context may also comprise customer demand for rail
transportation as evidenced by numbers of people physically present at railroad stations and/or
ticket purchases for train travel in the RBC control area. Optionally, an RBC aggregator 38
may be configured to undertake a response to an identified possible cyber-attack.
[0045] For example, anomalous situations on a single train 300, such as anomalous door
statuses or time delays discussed above with respect to a train 300 may be due to device
malfunction on the train rather than a cyber-attack. However, in an embodiment, an RBC
aggregator 38 (Fig. 1B) is configured to correlate data messages from different onboard and
infrastructure cyber-snitches in a control area 231 of RBC 230 with which RBC aggregator 38
is associated. If the RBC aggregator receives data from onboard aggregators 34 reporting
similar anomalies in door status or time delays for a plurality of different trains 300 in control area 231 of RBC 230, the RBC aggregator may correlate the data to determine with greater reliability that the data is indicative of a cyber-attack.
[0046] By way of another example, in an embodiment an RBC aggregator 38 may determine
that a cyber-attack is possibly present responsive to data messages received from infrastructure
cyber-snitches 36 monitoring signal lights 208, balises 218, and interlocking trackside units
210 at a track intersection 206 (Fig. 1B). For example, control of switches and signals 208 at a
track intersection 206 in a control area 231 (Fig. 1B) of an RBC 230 to enable trains to move
through the intersection safely generally involves a carefully timed choreography of signals
and events orchestrated by the RBC in cooperation with an interlocking trackside unit 210
located at the intersection. Trains 300 approaching and leaving a neighborhood of the
intersection report their locations based on balise telegrams and/or GNNS locations via GSM-
R to RBC 230. Based on the location information and an RBC control area context parameter
such as train congestion, the RBC determines movement authorizations for the trains and
corresponding control sequences for the switch and signal 208 to be mediated by interlocking
trackside unit 210 to enable safe passage of a train through the intersection. For passage of a
given train 300 through the intersection, RBC aggregator 38 may process data messages
received from onboard cyber-snitches 32 via an onboard aggregator 34 on the train and
infrastructure cyber-snitches 36 monitoring equipment at the intersection, to determine whether
passage of the train comports with a normative scenario of signaling and movement of a train
through the intersection. If events associated with passage of the train do not comport with a
normative scenario, RBC aggregator 38 may determine that presence of a possible cyber-attack
is indicated. Normative scenarios for use by the RBC aggregator may be stored in a database
(not shown) comprised in the RBC aggregator or in a database, for example database 23
comprised in hub 22, to which the RBC aggregator has access.
[0047] Rail-Eye hub 22 may operate to identify anomalous events indicating a possible cyber-
attack responsive to data the hub receives from cyber-snitches 32 and 34 and aggregators 36
and 38 in geographical railway operations area 204 in which railway system 200 for which
Rail-Eye 20 is responsible operates. Optionally, hub 22 is configured to generate a system
context for operations of the railway system in railway operations area 204 and identify
anomalous events indicating a possible a cyber-attack based on the system context. A system
context may comprise at least one of or any combination of more than one of time of day,
season, holiday, special events in the operations area, weather, and/or status of a power grid
supplying power to railway system 200. In an embodiment, hub 22 may be configured to
WO wo 2021/084542 PCT/IL2020/051132
identify, based on data that the hub receives, anomalous events indicative of a possible cyber-
attack on a given train 300, in a given RBC control area 231, as well as a possible system-wide
cyber-attack in railway operations area 204 of railway system 200. Hub 22 may be configured
to undertake a response to an identified possible cyber-attack.
[0048] As in the case of an RBC aggregator 38 which may correlate data received from a
plurality of trains in a control area of the aggregator's RBC 230 to improve reliability of
identification of a possible cyber-attack, hub 22 may operate to correlate data received from a
plurality of RBC aggregators 38 to improve reliability of an identification of a cyber-attack.
For example, as in the case of a malfunction of onboard equipment in a train giving rise to a
suspicion of a cyber-attack, malfunction and/or weather conditions may affect operation of
wayside equipment and/or an RBC 230 and give rise to an RBC aggregator 38 determining that
there is a suspicion of a cyber-attack. By correlating data received from a plurality of RBC
aggregators 38 hub 22 may improve reliability of a determination that the suspicion is due to
an actual cyber-attack.
[0049] By way of another example, in an embodiment of the disclosure hub 22 may be
configured to determine normative geographic and/or temporal patterns for activity of railway
system 200 in railway operations area 204 and store the normative patterns in memory 23 of
the hub. The hub may compare real time patterns of activity of the railway system based on
data that the hub receives in data messages from cyber-snitches and aggregators to normative
patterns to determine if a cyber-attack is present. For example, activity of railway system 200
may exhibit normative diurnal, monthly, and/or seasonal patterns of activity and if a real time
pattern of activity differs from a normative pattern, hub 22 may determine that the difference
indicates presence of a cyber-attack.
[0050] By way of a specific example, normative passenger rail traffic in a given suburban
region of a particular RBC control area 231 may be high in the morning as people from the
suburban region travel to work in a metropolis in another RBC control area, taper off during
late morning and early afternoon and increase again towards evening as people return from
work. Normative train speeds and headways in the given suburban region are expected to
correlate with the traffic. Train speeds may be expected to be high and headways relatively
short during the morning and late afternoon hours to provide capacity advantageous for
servicing the heavy passenger traffic. Train speeds are expected to be respectively relatively
low and headways long during the late morning and early afternoon hours when traffic is
relatively light. If data processed by hub 22 indicates that magnitudes of real time train speeds
WO wo 2021/084542 PCT/IL2020/051132
and/or headways vary from magnitudes of the normative train speeds and headways
respectively or are out of phase with passenger traffic load hub 22 may determine that a cyber-
attack is present.
[0051] In an embodiment, hub 22 comprises a rule-based system for providing an initial
classification of received messages. In an embodiment, telegrams classified by the rule-based
system may be used to teach a supervised neural network to distinguish anomalous
communications that may indicate a cyber-attack on the railway. Subsequent to being taught,
the neural network may be used to classify, in real time, communications as normative or
anomalous. The database of received messages may be constantly updated with new messages
and the updated database periodically used to reteach the neural network. In an embodiment,
an unsupervised neural network may be used to process communications in the database and
learn to distinguish in real time normative from anomalous messages. The unsupervised neural
network may constantly update itself as communications are mirrored to hub 22 and
accumulated.
[0052] Fig. 3 schematically shows Rail-Eye 20 monitoring balise integrity in a region 200a, of
railway 200 to provide cyber-protection to the region in accordance with an embodiment of the
disclosure. The region comprises tracks 202 and is shown having three balise groups BGj, 1<
j < 3, which may be referred to generically by the label BG. A balise group BGi has at least
one and may conventionally have up to a maximum of eight balises Bijj I<i<I, where 1<
8. For example, balise group BGI has six balises B1,1 B1,6- Cyber snitches 32 copy balise
telegrams sent by balises Bij and send the balise telegrams to hub 22 for processing and vetting
for proper operation in real time to determine if communications appear anomalous in view of
normative patterns. A train 300 is schematically shown in perspective traveling along a section
of track 202.
[0053] A balise or the balise group may be linked or unlinked. A linked balise or balise group
has information as to the location of another balise or balise group and transmits the location
information to a train when the train passes over the linked balise or balise group. Location of
a given linked balise group and locations of balises in the given balise group are referenced to
a location of a reference balise, generally a first balise in the given linked balise group. In
addition, balises may be fixed or non-fixed. Fixed balises transmit the same data in every
telegram they transmit. Non-fixed balises, also referred to as switchable or transparent balises,
transmit data that can change dynamically, generally responsive to signaling information.
WO wo 2021/084542 PCT/IL2020/051132
[0054] Inset 30 of Fig. 3 schematically shows an enlarged image of train 300 passing over
balise B1,1 of balise group BG and a BTM 314 of the train communicating with balise B1,1
As previously noted, a balise is passive and requires a charge of energy to send out its
telegrams. The balise is charged with energy by the BTM as the train passes over the balise.
Once the balise charge reaches a threshold, the balise starts to broadcast a telegram and may
broadcast a duplicate of the same telegram a plurality of times. Once the train passes and the
balise charge falls below the threshold, the balise stops broadcasting.
[0055] Communications and balise telegrams propagated for example in ERTMS/ETCS
systems are based on variables, packets, and messages that are nested, defined, and configured
in accordance with specific syntaxes. ERTMS/ETCS variables are used to encode single data
values. ERTMS/ETCS packets may include more than one variable and comprise a header that
identifies the packet by a unique packet type number, referred to as a NID-Packet. The header
may include such administrative variables that may identify a railway, such as a country code,
NID_C", a RBC code, "NID_RBC", a train driver code "Driver_ID", a user identity
"NID_USER", "Q_DIR" which specifies a running direction of a Eurobalise group, and a
"Q_SCALE", which specifies a distance scale that characterizes distance information that may
be included in a packet payload. ERTMS/ETCS messages typically group a plurality of
ERTMS/ETCS variables and/ or packets. As in the case of an ERTMS/ETCS packet, an
ERTMS/ETCS message comprises a header that includes an ID number referred to as a
NID_MESSAGE, that identifies the type of message, and administrative variables.
Administrative variables may include a time, "T_TRAIN", in accordance with a train borne
clock, a balise group identity number "NID_LRBG", and/or a track gradient profile.
[0056] Figs. 4A-4C show a flow diagram 500 which illustrates an algorithm, also referred to
by the numeral 500, by which Rail-Eye 20 may process balise telegrams to determine if a
telegram, such as a telegram transmitted by a balise 218 is anomalous, in accordance with an
embodiment of the disclosure.
[0057] Whereas any of various components of Rail-Eye 20, or combinations of the components
may execute algorithm 500, in the description that follows, hub 22 is assumed to process balise
telegrams generated by balises in railway region 202a. The sequential order of blocks
representing actions as shown in algorithm 500 is not compulsory, and the order of the
sequence may be different from that shown.
[0058] In a block 501, hub 22 receives copies of telegram TGi,j from an i-th balise Bi,j (1<i<I)
of balise group (BGj) (1<j<J). Optionally, in a block 503, hub 22 decodes the balise telegram.
WO wo 2021/084542 PCT/IL2020/051132
Balise telegrams are usually sent compressed or encoded to save bandwidth when broadcast
and the balise telegram is decoded to be read and/or further analyzed. In a block 505, the hub
reads the decoded balise telegram for a selection of variables. Using ETCS numerical ID (NID)
packet coding these variables may by way of example comprise country code "NID_Cj" of
balise group "j", "NID_BGj" an ID number of balise group j, and position "NID_PIGi,j" in
balise group j of balise i which transmitted the telegram TGi,j. Algorithm 500 optionally
continues to a decision block 507 where if the country code is not known or is determined not
to match the country in which the balise is known to be located, algorithm 500 continues to a
flow junction A connected to a block 540 (Fig. 4C), and in a block 540 determines that the
telegram is anomalous and raises an alarm. If the country code is known, the algorithm
continues to a block 509 and the hub determines if balise group BGj is known. If the balise
group is not known, algorithm 500 continues to junction A which couples to a block 540 (Fig.
4C), and in block 540 determines that the telegram is anomalous and raises an alarm. However,
if balise group BGj is known, algorithm 500 continues to a block 511. In block 511, the hub
may determine if the position of balise Bi,j in the balise group correct, and if the position of
balise Bi,j in balise group BGj is not correct, algorithm 500 continues to junction A, and in
block 540 determines that the telegram is anomalous and raises an alarm. Conversely, if the
balise position in the balise group is correct, then the algorithm continues to a block 513.
[0059] In block 513, the hub determines the number of balise telegram duplicates, "NTGij" of
the telegram "TGij" that the balise transmitted. The number of duplicates transmitted by a
balise for a specific speed of a train is known or determinable by the Rail-Eye. After the hub
determines the number of balise telegram duplicates, it further determines if the number of
balise telegram duplicates is the correct number of balise telegram duplicates for that balise
group and train speed. If it is not the correct number of balise telegram duplicates, the
algorithm continues to junction A, and in block 540 determines that the telegram is anomalous
and raises an alarm. However, if it is the correct number of duplicates, the process proceeds to
a block 515.
[0060] In block 515, the hub analyzes the electromagnetic waveform, "WTGi,j" of telegram,
TGi,j and determines a feature vector or vectors, referred to as a fingerprint for the waveform.
The feature vector of a balise telegram waveform may comprise by way of example values for
shape, duration and/or signal to noise ratio that characterizes waveform that may be
advantageous in determining whether the waveform and thereby the telegram is normative or
anomalous.
WO wo 2021/084542 PCT/IL2020/051132
[0061] In a block 517, (Fig. 4B), the hub classifies waveform fingerprint feature vector,
"WTGi,j" to determine if the waveform is normative or not normative. Any of various
classifiers, for example a support vector machine (SVM), or artificial intelligence (AI), may
be used to classify a balise waveform feature vector as normative or anomalous. If the
waveform is not normative, algorithm 500 continues to junction A, and in block 540 determines
that the telegram is anomalous and raises an alarm. If the waveform is normative, the
algorithm optionally continues to a block 519. In block 519 the hub reads the balise telegram
"Q_LINK" field to determine if the balise is linked or unlinked. In accordance with
conventional coding if Q_LINK equals 0, the balise in unlinked and if LINK equals 1 the
balise is linked. In a block 521, the hub may determine if the link status of the balise is correct,
and if the link status is not correct, algorithm 500 continues to junction A, and in block 540
determines that the telegram is anomalous and raises an alarm.
[0062] In block 523 the hub optionally determines a location, "Lij" of balise, Bij relative to a
reference balise "RBj" of balise group, BGj, based on the train velocity, "Vtr", the number of
copies of balise telegrams "NTGi,j" transmitted by the balise, and/or times at which the train's
onboard processor determines that the train passes over the balises.
[0063] In block 525, the hub optionally determines distances ALBi',i,j between balises, Bi.j
and Bi',j optionally for any i ii)" in balise group, BGj. In a block 527, the hub determines
if a distance found in block 525 is normative or not. If the distance found in block 525 is not
normative, algorithm 500 continues to junction A, and in block 540 determines that the
telegram is anomalous and raises an alarm. On the other hand, if the determined distance is
normative, the algorithm optionally continues to a block 529. In block 529, the hub may
determine a distance, "ALRBj,j" between reference balise RBj of balise group BGj and
reference balise RBj' of balise group BGj' optionally (for any j j'))". In a block 531, the hub
determines if the distance between the two reference balises is normative. In determining if the
distance between reference balises is normative, if one of the balise groups is linked, hub 22
determines whether the distance between the reference balises agrees with linking information
in the linked balise group. If not normative, algorithm 500 continues to junction A, and in block
540 determines that the telegram is anomalous and raises an alarm. If the distance is normative,
the algorithm continues to a junction C in FIG. 4C.
[0064] Optionally, in a block 533 of FIG. 4C, the balise telegram copies are further analyzed
by hub 22 for their format, which may include checking the format of variables, which may be
country code "NID_Cj" of balise group "I", "NID_BGj" an ID number of balise group j, and
WO wo 2021/084542 PCT/IL2020/051132
position "NID_PIGi,j" in balise group j of balise i which transmitted the telegram TGi,j. In a
block 535, if the formatting of these variables is not normative, algorithm 500 continues to
junction A, and in block 540 determines that the telegram is anomalous and raises an alarm,
and if the formatting is normative, the algorithm continues to a block 537. Optionally in block
537, packets, "Pi,j,n", of telegram TGi,j are read and analyzed by the hub. In a block 539, the
hub determines if the packets are normative. If the hub determines that the packets are not
normative, the algorithm continues to block 540 determines that the telegram is anomalous and
raises an alarm. In a block 541 algorithm 500 optionally returns to block 501 and hub 22
receives copies of a next balise telegram.
[0065] There is therefore provided in accordance with an embodiment of the disclosure a cyber
security system for providing security to a railway, the system comprising: a data monitoring
and processing hub; and a network comprising a plurality of data collection agents
synchronized to a same network clock and configured to monitor railway balises, and/or BTMs
comprised in a train, and forward monitored data to the hub for processing to detect anomalies
indicative of a cyber-attack; wherein an agent of the plurality of the data collection agents
monitoring communications between a balise and a BTM of a train passing over the balise that
powers the balise forwards for processing to the hub data based on the communications
together with a time stamp comprising a network clock time at which the communications are
respectively received by the agent. Optionally, the data based on the communications
comprises a copy of a telegram transmitted by the balise to the BTM. Optionally, processing
comprises decoding the telegram and determining if data encoded in a selection of data packets
comprised in the telegram is expected data.
[0066] The selection of data packets may comprise at least one or any combination of more of
a data packet encoding a country code (NID_C) identifying a country in which the balise is
located, a balise group identifier (NID_BG) identifying a balise group of which the balise is a
member , a position of the balise in the balise group (NID_PIG); a movement authority that
provides a maximum train speed for a region of track in which the balise is located; a gradient
profile that provides a slope for the region of track; and/or linking data that provides a distance
to a next balise group.
[0067] In an embodiment, the processing comprises determining how many copies of the
telegram the balise transmitted to the BTM and determining if the communications indicated a
cyber incursion based on the determined number. Optionally, determining if there is an
indication of a cyber incursion comprises determining a number of copies of the telegram that the balise is expected to transmit and comparing the expected number to the number of copies the balise actually transmitted to the BTM. Optionally, the cyber security system determines a speed at which the train moves over the balise and determines the expected number of copies based on the speed. Optionally, the cyber security system determines the expected number of copies based on a balise group to which the balise belongs.
[0068] In an embodiment the cyber security system determines a format that formats data in a
packet comprised in the telegram and determines if the communications indicate a cyber
incursion based on the format.
[0069] In an embodiment the data based on the communications comprises a transmitted
electromagnetic waveform that encodes the telegram. Optionally, determining whether there is
an indication of a cyber incursion comprises determining a feature vector that characterizes the
waveform and determining whether there is an indication of a cyber incursion based on the
feature vector. Optionally, the feature vector comprises components having values that
characterize at least one or any combination of more than one of the waveform shape, duration,
and/or signal to noise ratio.
[0070] Processing may comprise identifying a BTM that powered the balise and determining
whether there is an indication of a cyber incursion based on the identity of the BTM. Optionally,
determining whether there is an indication of a cyber incursion based on the identity of the
BTM comprises determining the feature vector based on the identity of the BTM.
[0071] In an embodiment processing comprises determining a distance between the balise and
another balise in the railway and determining if the communications indicate a cyber incursion
based on the distance. Optionally, the balise and the other balise belong to a same balise group.
Alternatively, the balise and the other balise belong to different balise groups.
[0072] In an embodiment processing comprises determining a difference between a time stamp
of the balise and a time stamp of another balise in the railway and determining if the
communications indicate a cyber incursion based on the difference. Optionally, the balise and
the other balise belong to a same balise group. Alternatively, the balise and the other balise
belong to different balise groups.
[0073] In the description and claims of the present application, each of the verbs, "comprise"
"include" and "have", and conjugates thereof, are used to indicate that the object or objects of
the verb are not necessarily a complete listing of components, elements or parts of the subject
or subjects of the verb.
WO wo 2021/084542 PCT/IL2020/051132
[0074] Descriptions of embodiments of the invention in the present application are provided
by way of example and are not intended to limit the scope of the invention. The described
embodiments comprise different features, not all of which are required in all embodiments of
the invention. Some embodiments utilize only some of the features or possible combinations
of the features. Variations of embodiments of the invention that are described, and
embodiments of the invention comprising different combinations of features noted in the
described embodiments, will occur to persons of the art. The scope of the invention is limited
only by the claims.

Claims (18)

CLAIMS 04 Feb 2026
1. A cyber security system for providing security to a railway, the system comprising: a data monitoring and processing hub; and a network comprising a plurality of data collection agents synchronized to a same network clock and configured to monitor railway balises, and/or balise transmission modules (BTMs) comprised in a train, and forward monitored data to the hub for processing to detect 2020376035
anomalies indicative of a cyber-attack; wherein an agent of the plurality of the data collection agents monitoring communications between a balise and a BTM of a train passing over the balise that powers the balise is configured to forward for processing to the hub data based on the communications together with a time stamp comprising a network clock time at which the communications are respectively received by the agent and wherein the data based on the communications comprises a copy of a telegram transmitted by the balise to the BTM processing comprises determining how many copies of the telegram the balise transmitted to the BTM and determining if the communications indicated a cyber incursion based on the determined number.
2. The cyber security system according to claim 1 wherein processing comprises decoding the telegram and determining if data encoded in a selection of data packets comprised in the telegram is expected data.
3. The cyber security system according to claim 2 wherein the selection of data packets comprises at least one or any combination of more of a data packet encoding a country code (NID_C) identifying a country in which the balise is located, a balise group identifier (NID_BG) identifying a balise group of which the balise is a member , a position of the balise in the balise group (NID_PIG); a movement authority that provides a maximum train speed for a region of track in which the balise is located; a gradient profile that provides a slope for the region of track; and/or linking data that provides a distance to a next balise group.
4. The cyber security system according to any of claims 1-3 wherein determining if there is an indication of a cyber incursion comprises determining a number of copies of the telegram that the balise is expected to transmit and comparing the expected number to the number of copies the balise actually transmitted to the BTM.
5. The cyber security system according to claim 4 wherein determining the expected number of copies comprises determining a speed at which the train moves over the balise and determining the expected number of copies based on the speed.
6. The cyber security system according to claim 4 or claim 5 wherein determining the expected number of copies comprises determining a balise group to which the balise belongs 2020376035
and determining the expected number of copies based on the balise group.
7. The cyber security system according to any of claims 1-6 wherein processing comprises determining a format that formats data in a packet comprised in the telegram and determining if the communications indicate a cyber incursion based on the format.
8. The cyber security system according to any of claims 1-7 wherein the data based on the communications comprises a transmitted electromagnetic waveform that encodes the telegram.
9. The cyber security system according to claim 8 wherein processing comprises determining a feature vector that characterizes the waveform and determining whether there is an indication of a cyber incursion based on the feature vector.
10. The cyber security system according to claim 9 wherein the feature vector comprises components having values that characterize at least one or any combination of more than one of the waveform shape, duration, and/or signal to noise ratio.
11. The cyber security system according to claim 9 or claim 10 wherein processing comprises identifying a BTM that powered the balise and determining whether there is an indication of a cyber incursion based on the identity of the BTM.
12. The cyber security system according to claim 11 wherein determining whether there is an indication of a cyber incursion based on the identity of the BTM comprises determining the feature vector based on the identity of the BTM.
13. The cyber security system according to any of the preceding claims wherein processing 04 Feb 2026
comprises determining a distance between the balise and another balise in the railway and determining if the communications indicate a cyber incursion based on the distance.
14. The cyber security system according to claim 13 wherein the balise and the other balise belong to a same balise group. 2020376035
15. The cyber security system according to claim 13 wherein the balise and the other balise belong to different balise groups.
16. The cyber security system according to any of the preceding claims wherein processing comprises determining a difference between a time stamp of the balise and a time stamp of another balise in the railway and determining if the communications indicate a cyber incursion based on the difference.
17. The cyber security system according to claim 16 wherein the balise and the other balise belong to a same balise group.
18. The cyber security system according to claim 16 wherein the balise and the other balise belong to different balise groups.
AU2020376035A 2019-10-30 2020-10-30 Balise integrity Active AU2020376035B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201962927706P 2019-10-30 2019-10-30
US62/927,706 2019-10-30
PCT/IL2020/051132 WO2021084542A1 (en) 2019-10-30 2020-10-30 Balise integrity

Publications (2)

Publication Number Publication Date
AU2020376035A1 AU2020376035A1 (en) 2022-06-23
AU2020376035B2 true AU2020376035B2 (en) 2026-03-12

Family

ID=73646397

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2020376035A Active AU2020376035B2 (en) 2019-10-30 2020-10-30 Balise integrity

Country Status (3)

Country Link
EP (1) EP4051553A1 (en)
AU (1) AU2020376035B2 (en)
WO (1) WO2021084542A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113708854B (en) * 2021-09-03 2024-03-01 沈阳铁路信号有限责任公司 BTM high-low temperature circulation real-time test system
CN114421993B (en) * 2022-01-19 2024-03-08 北京全路通信信号研究设计院集团有限公司 Transponder testing system and method
GB2635352A (en) * 2023-11-08 2025-05-14 Universal Signalling Ltd Railway interlocking
DE102024202407A1 (en) * 2024-03-14 2025-09-18 Siemens Mobility GmbH Monitoring data communication of a rail vehicle

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3553682A1 (en) * 2018-04-09 2019-10-16 Shaked Kafzan Methods systems devices circuits and functionally related machine executable instructions for transportation management network cybersecurity

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9840212B2 (en) * 2014-01-06 2017-12-12 Argus Cyber Security Ltd. Bus watchman
LT3625102T (en) * 2018-05-15 2021-01-11 Cylus Cyber Security Ltd. Railway cyber security system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3553682A1 (en) * 2018-04-09 2019-10-16 Shaked Kafzan Methods systems devices circuits and functionally related machine executable instructions for transportation management network cybersecurity

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WU YONGDONG ET AL: "Vulnerabilities, Attacks, and Countermeasures in Balise-Based Train Control Systems", IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, IEEE, PISCATAWAY, NJ, USA, vol. 18, no. 4, 1 April 2017, pages 814 - 823. *

Also Published As

Publication number Publication date
AU2020376035A1 (en) 2022-06-23
EP4051553A1 (en) 2022-09-07
WO2021084542A1 (en) 2021-05-06

Similar Documents

Publication Publication Date Title
US11502999B2 (en) Cyber security anonymizer
AU2020376035B2 (en) Balise integrity
Shafiullah et al. Survey of wireless communications applications in the railway industry
CN103010267B (en) The Train Detection and Identification equipment of self adaptation obturation, system and method
CN110712667B (en) Comprehensive train control system capable of adapting to foreign requirements
Jacyna et al. Characteristics of event recorders in Automatic Train Control systems
Lagay et al. The Autonomous Train: a game changer for the railways industry
Martinez et al. TERMINOLOGY, DIFFERENCES, AND CHALLENGES
Schnieder Communications-based train control (CBTC)
KR101606646B1 (en) Tram priority signal control system working in association with road traffic system
CA3218746C (en) Train control systems with hazard management and associated methods
Kukulski et al. Selected aspects of the selection of data sent to the vehicle in automatic rail vehicle driving systems
Quaglietta et al. Exploring virtual coupling: operational principles and analysis
Schutte Recent trends in automatic train controls
Coll et al. The communications system architecture of the North American advanced train control system
EP4112419A1 (en) Systems for cybersecurity of a rail transportation network
Fenner Train protection
Byegon et al. Review paper on positive train control technology
Schnieder Communications-Based Train Control (CBTC): Automation of metros and urban rapid transit systems
Niculescu et al. Smart rail infrastructure, maintenance and life cycle costs
Platt Signalling within the context of a rail business
Quaglietta et al. Journal of Rail Transport Planning & Management
Bezabih Automatic train control standard for Ethiopia
Brownson et al. Strategic Control of the San Francisco Bay Area Rapid Transit System
Tse Alaska Railroad Collision Avoidance System (CAS) Project: Research Results