Implementing compliant IT security for control and signaling systems
Control, command, and signaling systems used in roads, railways, ports, and airports are part of critical infrastructure: an outage can not only bring passenger and freight transport to a standstill, but also cause significant economic damage and risks to public safety. Because malfunctions in these environments can quickly become life-threatening, stricter security requirements apply to these systems than in many other IT environments. This matters all the more because the increasing interconnection of field devices, remote maintenance access, and cloud services expands the attack surface and makes threat mitigation more difficult.
Our contribution to addressing this challenge includes the RSCS SITLine Layer 2 network encryptor as well as the secure and high-performance LANCOM R&S®Unified Firewalls, gateways, and switches. Together, they combine state-of-the-art cryptography with an architecture specifically designed to fulfill the core objectives of OT security:
- Data integrity is the primary objective: cryptographic authentication of every frame and digital signatures ensure that any manipulation of control commands is detected and the affected frame is rejected before it reaches the control system. Confidentiality is a welcome secondary benefit. In this context, the primary purpose of encryption is that transmitted data verifiably arrives unchanged; that it also cannot be read by unauthorized parties comes on top.
- The deterministic real-time behavior required for control systems is preserved through hardware-based AES-GCM (Advanced Encryption Standard in Galois/Counter Mode), an authenticated encryption mode that computes the authentication tag in the same pass as the ciphertext. The additional latency is only a few microseconds per frame and remains transparent to the control processes.
- A key requirement in control engineering is that faults or process-related transmission changes within one channel must not affect other communication or control channels (non-interference). Line-speed cryptography without significant delay or packet reordering, combined with very low cryptographic overhead, helps fulfill these requirements.
R&S OT and critical infrastructure network architectures take all these factors into account and help build and maintain resilient transportation and control systems.
Safety and security in railway-related control and signaling systems
In critical infrastructure environments such as rail, road, or water transportation systems, as well as in tunnels, safety and security must be considered together.
While safety aims to ensure a safe state in the event of technical failures, security in transportation environments focuses particularly on the integrity and authenticity of control data as well as protection against manipulation, replay attacks, and unauthorized access. This is enabled, among other things, through the following cryptographic measures.
- Protected timestamps, sequence numbers, or nonces ("number used once") in the authenticated communication protocol, covered by the same authentication tag as the payload so that an attacker cannot rewrite them: detection and rejection of duplicated or outdated messages (replay protection)
- Non-repudiation, among other things through digital signatures on configuration changes or control commands (a shared-key MAC cannot provide this, since either party holding the key could have produced it): clear traceability of system and user actions
- Tamper resilience through authenticated control telegrams, i.e. a cryptographic signature or an authentication tag such as a MAC or the ICV of an encrypted frame (a plain checksum only detects accidental corruption and can simply be recomputed by an attacker): immediate detection and rejection of modified data packets
- Encryption of transmitted data at Layer 2: additional protection against inspection or disclosure of data that is sensitive even when it is not the control payload itself, such as addressing and protocol metadata that is often used for reconnaissance and in distributed attacks
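How authenticated sequence numbers and a per-frame authentication tag work together is easiest to see in code. The following Go program is an added example written for this page; it is not SITLine firmware and does not reproduce any real Layer 2 wire format. It assumes a constructed telegram layout (a 12-byte cleartext header with channel ID and sequence number that is authenticated as AES-GCM associated data and reused as the nonce, followed by the ciphertext of the command and the 16-byte ICV) and a 64-entry anti-replay window of the kind IPsec ESP uses. The key, channel number and control commands are made up for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed telegram format (not a real wire format): 12-byte cleartext header
// (4-byte channel ID, 8-byte sequence number) bound into the AES-GCM tag as
// associated data and doubling as the nonce, then ciphertext and 16-byte tag (ICV).
const hdrLen = 12
var ErrTamper = errors.New("authentication failed: telegram modified")
var ErrReplay = errors.New("replayed or outdated sequence number")

// Link is one end of a channel: txSeq for sending, highest/window for receiving.
type Link struct {
	aead    cipher.AEAD
	channel uint32
	txSeq   uint64
	highest uint64 // highest sequence number accepted so far
	window  uint64 // bit i set = sequence number highest-i already seen
}

func NewLink(key []byte, channel uint32) (*Link, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	return &Link{aead: aead, channel: channel}, err
}

// Protect seals cmd under the next sequence number; the nonce never repeats until the counter wraps.
func (l *Link) Protect(cmd []byte) []byte {
	l.txSeq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], l.channel)
	binary.BigEndian.PutUint64(hdr[4:12], l.txSeq)
	out := make([]byte, hdrLen, hdrLen+len(cmd)+l.aead.Overhead())
	copy(out, hdr)
	return l.aead.Seal(out, hdr, cmd, hdr) // nonce = hdr, AAD = hdr
}

// Verify checks the tag first, so a forged header can never move the replay
// window, and only then applies the anti-replay check.
func (l *Link) Verify(tg []byte) ([]byte, error) {
	if len(tg) < hdrLen+l.aead.Overhead() {
		return nil, ErrTamper
	}
	hdr := tg[:hdrLen]
	cmd, err := l.aead.Open(nil, hdr, tg[hdrLen:], hdr)
	if err != nil {
		return nil, ErrTamper
	}
	if !l.accept(binary.BigEndian.Uint64(hdr[4:12])) {
		return nil, ErrReplay
	}
	return cmd, nil
}

// accept is the sliding window IPsec ESP uses: a number above the highest seen advances
// the window, one inside it is accepted once, anything older, already seen, or 0 is rejected.
func (l *Link) accept(seq uint64) bool {
	if seq > l.highest {
		l.window = l.window<<(seq-l.highest) | 1 // a shift of 64 or more clears it
		l.highest = seq
		return true
	}
	diff := l.highest - seq
	if seq == 0 || diff >= 64 || l.window&(1<<diff) != 0 {
		return false
	}
	l.window |= 1 << diff
	return true
}

// main: out-of-order delivery inside the window is accepted, a replay and a modified copy are rejected.
func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo-only AES-256 key
	tx, _ := NewLink(key, 7)
	rx, _ := NewLink(key, 7)
	t1 := tx.Protect([]byte("SIGNAL 42 -> STOP"))
	t2 := tx.Protect([]byte("SWITCH 17 -> LEFT"))
	t3 := tx.Protect([]byte("SIGNAL 42 -> CLEAR"))
	forged := append([]byte(nil), t3...)
	forged[hdrLen] ^= 0x01 // flip one ciphertext bit
	names := []string{"t1", "t3 overtook t2", "t2 late, inside window", "t1 replayed", "t3 modified"}
	for i, tg := range [][]byte{t1, t3, t2, t1, forged} {
		if cmd, err := rx.Verify(tg); err != nil {
			fmt.Printf("%-24s rejected: %v\n", names[i], err)
		} else {
			fmt.Printf("%-24s accepted: %s\n", names[i], cmd)
		}
	}
}
```

Two design points carry over to real deployments: the tag is verified before the window is updated, so an attacker who can inject frames cannot push the window forward and force legitimate telegrams to be dropped; and the window tolerates the bounded reordering a redundant, multi-path network produces without ever accepting the same sequence number twice. Because the nonce is derived from channel and sequence number, the key must be unique per channel pair and must be renewed before the counter wraps.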
Control and signaling systems are real-time systems and must remain as independent as possible from external influences. In railway environments, this characteristic is referred to as “non-interference.”
For IT network architectures, this means that security components must be integrated in a way that minimizes any impact on response times, communication channels, and the operational behavior of the original systems. For this reason, it is necessary to define clearly structured network zones and conduits, carefully select security technologies, and design an almost physical separation between operational data traffic and management communications.
When implementing IT networking and Layer 2 encryption for control and signaling systems as an independent security solution, compliance with security requirements, resilient operation, and centralized, secure management are essential.
In addition, events that may impact the security or safety of communications must be reliably detected and reported immediately. These event notifications must be integrated both into the organization's central security management and into centralized monitoring systems / SIEM systems.
Five IT architecture principles for control and signaling systems in transportation
A security target architecture for control and signaling systems in transportation follows five key IT architecture principles.
Clear separation between information technology (IT) and OT
Even though IT is now a necessary foundation for many OT systems, control and signaling systems in transportation require a clear separation from general IT environments. This reduces side effects, limits disruption and attack surfaces, and creates a more resilient planning foundation.
For example, interlocking networks and control center systems are strictly separated from office IT so that a compromised office workstation cannot gain direct access to safety-critical control functions such as signal or switch control.
Zones and conduits model according to IEC 62443
A zones and conduits model aligned with IEC 62443 supports traceable communication relationships, defined transfer points, and clear responsibilities. Communication does not occur implicitly, but through deliberately designed communication paths. Ideally, Layer 2 encryptors such as the Rohde & Schwarz Cybersecurity SITLine are deployed at zone boundaries as clearly defined separation elements.
In practice, for example, control centers, interlocking systems, and trackside components are each assigned to separate zones, with communication permitted exclusively through defined transition points – for example for movement authorities or status messages.
Separation of management and operational data
Management and operational data traffic should be separated as physically as possible. Where this is not entirely feasible, interactions must be minimized through the architecture, and the separation should be implemented at the lowest possible ISO/OSI layer. Especially in railway environments, this separation is not merely a convenience feature but essential for controllability and non-interference.
For example, control data for signals and switches is transmitted via separate communication paths, while configuration changes or monitoring access are handled through a dedicated management network in order to avoid impacting real-time communications.
Minimal privileges and passive OT transparency
With their special requirements regarding real-time behavior, availability, security, and long service life, traditional OT networks are increasingly being migrated to modern IT networks and integrated with them. In this context, it is especially important that the IT network has only minimal privileges within the OT network and exerts little to no influence on it. To still detect events at an early stage, the IT side is therefore granted only passive OT transparency. This avoids unnecessary modifications to productive communication paths and ensures that the required visibility does not come at the expense of system stability.
For example, maintenance systems may access only specifically defined components such as individual interlocking systems, while monitoring solutions passively observe network traffic without actively interfering with control communications.
Resilient design and fail-safe operation
Fail-safe operation, redundancy, and robust transition paths are fundamental requirements in safety-critical transportation networks. Failures of individual components or secured communication paths must not propagate uncontrollably to other channels. Equally essential are autonomous, resilient operation, node- and edge-disjoint network design, and alignment with Safety Integrity Level (SIL) 3 and SIL 4 requirements.
For example, if a communication link between two interlocking systems fails, redundant and physically separated transmission paths automatically take over data transfer without affecting other track sections or control functions. Ideally, safety-related network elements should be separated from security-related network elements in order to minimize the risk of successful attacks against, or disruptions and failures of, safety and security functions.
A dedicated management zone is a prerequisite for secure management, traceable administration, and stable operational processes. This includes standardized interfaces and management functions such as SNMP, NETCONF, REST, audit logs, and Syslog archiving, as well as a redundant design.
- The management infrastructure itself must meet the highest requirements and achieve at least the same security level as the connected control zones and security components (e.g., Security Level SL 1–4 according to IEC 62443; these security levels are distinct from the safety integrity levels SIL 1–4 of IEC 61508 and EN 50129).
- In addition, functions such as centralized PKI (Public Key Infrastructure), secure device management, and standardized reporting and audit functions are required.
- Events must not only be recorded locally, but also forwarded to centralized security and monitoring systems such as SIEM platforms in order to evaluate security-relevant conditions across systems.
Monitoring and auditability are not optional add-ons in this environment. They must be integrated into the core IT architecture from the very beginning. Only in this way can events, changes, and security-relevant conditions remain traceable without compromising the stability and non-interference of productive control networks.
Control and signaling systems, for example in railway environments, are always closely linked to standards and certification requirements. Relevant reference frameworks include, among others:
- EN 50159 (safety-related communication in transmission systems)
- EN 50129 (safety-related electronic systems for signalling)
- IEC 61508 (functional safety of electrical/electronic/programmable electronic safety-related systems)
- IEC 62443 (security for industrial automation and control systems)
- ISO 26262 (functional safety of road vehicles)
- ISO 27001 (information security management systems)
- as well as certifications and security evaluations such as Common Criteria (e.g., EAL4+) or national requirements to demonstrate the trustworthiness of the deployed components.
Depending on the deployment environment, additional requirements may apply regarding certification, verifiability, approval, and secure operations management. The IT architecture itself does not automatically guarantee certification or approval. However, it creates the foundation for implementing and demonstrating integrity, digital sovereignty, non-interference, management separation, logging, monitoring, long-term operability, and secure operational processes in a consistent manner.
Secure control system networks from Rohde & Schwarz as the foundation for stable traffic control
Modern control and signaling technology in transportation infrastructure requires a comprehensive security concept that equally ensures integrity, availability, and deterministic behavior. The focus is not on isolation at any cost, but on the reliable and unaltered transmission of control-relevant information at a high level – as the foundation for safe operations.
What matters is a solution that integrates seamlessly into existing systems, protocols, and processes without affecting their behavior. Non-interference, strictly separated communication channels, and a resilient design ensure that security mechanisms do not negatively impact the actual control systems or other network segments.
At the same time, autonomous operational capability, centralized and secured management structures, and standards-compliant implementation ensure long-term stable operations – even under demanding environmental conditions and in the event of disruptions. Open standards, clear separation of management and operational data, and redundant architectures provide transparency, control, and high availability.
For operators, this means an independent and integrable security layer that protects existing railway control networks without impairing their functionality – thereby creating the foundation for safe, reliable, and future-ready transportation operations.
Feel free to contact us for individual, no-obligation consultation. We look forward to working with you to successfully realize your project.