Cyber security assessment of ethernet train control and monitoring systems

Lodge, Mark Stephen ORCID: 0000-0002-1640-761X (2026). Cyber security assessment of ethernet train control and monitoring systems. University of Birmingham. Ph.D.

[img] Lodge2026PhD.pdf
Text - Accepted Version
Restricted to Repository staff only until 1 August 2030.
Available under License All rights reserved.

Download (7MB)

Abstract

In this thesis, we investigate the cyber security of rolling-stock, beginning with a systematic analysis of the threats facing modern trains. Building on this threat analysis, we present a case study of an Ethernet Train Backbone (ETB) Train Control and Monitoring System (TCMS) designed in accordance with the IEC 61375 international standard series. We examine its implementation in a modern train through network mapping, packet capture and analysis, and simulated attacks conducted on a representative test-bed built by the manufacturer using genuine train components.

Despite the quality of the implementation and considerable attention given to its security, the findings show that strict adherence to the standard enables the injection of spoofed Train Real Time Data Protocol (TRDP) datagrams directly into the TCMS, which are subsequently accepted by the Train Management Computer (TMC). At best, such an attack could cause confusion that prompts the driver to stop the train, resulting in immediate service disruption and significant associated financial losses of up to approximately £76,000 per train per day (£3,170 per hour) to the operator, or £177,000 per day (£7,375 per hour) to the wider economy, not including passenger compensation. At worst, it could create the conditions in which a hazardous event might occur.

To address these issues, we propose several improvements applicable to this train and others built to the same standard, including the introduction of a TRDP cryptographic authenticity and integrity verification mechanism, packet filtering, repositioning of an intrusion detection system, and enhancements to physical security. Whilst some of these measures, such as physical security enhancements, are relatively straightforward to implement, others - particularly the redevelopment of TRDP - would require significant engineering effort and deviation from the existing standard. All, however, can be achieved with minimal performance impact, and together offer a substantial improvement in security. Drawing on both the threat analysis and case study findings, we conclude the thesis by presenting TrainCAF, a cyber security assessment framework tailored to rolling-stock.

Type of Work: Thesis (Doctorates > Ph.D.)
Award Type: Doctorates > Ph.D.
Supervisor(s):
Supervisor(s)EmailORCID
Easton, John MUNSPECIFIEDorcid.org/0000-0001-8745-6753
Chothia, TomUNSPECIFIEDUNSPECIFIED
Licence: All rights reserved
College/Faculty: Colleges > College of Engineering & Physical Sciences
School or Department: School of Engineering, Department of Electronic, Electrical and Systems Engineering
Funders: Other
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Q Science > QA Mathematics > QA76 Computer software
T Technology > TF Railroad engineering and operation
URI: http://etheses.bham.ac.uk/id/eprint/17198

Actions

Request a Correction Request a Correction
View Item View Item

Downloads

Downloads per month over past year