Wireless Security and Key Management for Positive Train Control Systems

Wireless Security and Key Management for Positive Train Control Systems

The first 49 CFR 236.1033-compliant solution on the market: LILEE Systems Solution for Wireless Security and Key Management 

In 2008, the United States Congress mandated Positive Train Control (PTC) for most passenger and freight trains. Forty-two railroads are subject to the statutory mandate to implement PTC. Railroads are required to have PTC fully implemented by December 31, 2020.

The Advanced Civil Speed Enforcement System (ACSES) is a vital overlay system which, in combination with automatic train control (ATC), constitutes one of two major PTC systems and has been implemented by the Northeast Corridor (NEC) passenger rail operators. As of today, all NEC operators face major challenges associated with obtaining viable solutions for secure wireless communication to comply with the PTC requirements of the Federal Railroad Administration (FRA). Originally, the NEC implementation of PTC lacked two major requirements—wireless link security and interoperability. The FRA reports that software issues related to these two requirements are the biggest roadblock.

Fulfilling these mandates requires research and development, implementation, integration, and testing and commissioning (T&C) of an authentication and integrity check method and an interoperable key management technique. LILEE Systems is the first vendor to offer a complete solution that meets and exceeds all the security and interoperability requirements and that provides the best path to meeting the December 2020 PTC deadline.

Security challenges that must be addressed

From the regulatory perspective, the challenge is how to comply with requirements for wireless security as defined in 49 CFR 236.1033. This regulation requires that all wireless communications between the office, wayside, and onboard components in a PTC system provide cryptographic message integrity and authentication. The problem, however, was that no commercial system was available to meet this requirement for NEC operators.

The original design of the ACSES wireless communication protocol did not provide for message authentication and integrity check mechanisms. A sophisticated attacker could have potentially forged a message to tell a train that it has the authority to enter a train station while another train is still in the station. Since the onboard computer doesn’t have a way to distinguish whether the message is coming from a legitimate source or an attacker, it can only blindly accept the message and allow the train to continue to enter the station. This poses not only security but also safety concerns.

A system can only be as secure as its cryptographic keys. Therefore, in addition to a wireless security protocol which protects against unauthorized disclosure, modification, and substitution, the system must also include a means to distribute cryptographic keys securely and efficiently.

Consider the scenario where keys for both the wayside and onboard systems are expired and need to be rotated. The process typically starts with key generation in the back office. Once the keys are securely generated, the keys must be securely handed over to field technicians for installation. The technicians then need to connect to the wayside and onboard systems either physically or via network to update the keys. This is not only error-prone but also time-consuming.

The Key Management System (KMS) is an integral part of the wireless security system which provides simple and efficient management of keys for both the wayside and onboard assets. A KMS provides a centralized management console from which operators in the back office can provision and rotate keys on both the wayside and onboard systems via the touch of a button.

How to secure shared tracks with key management?

Rail trackage in the NEC is shared not only between the passenger rail operators in the corridor but also with some of the freight rail operators. Therefore, maintaining interoperability to support trains moving between host and tenant territories securely and efficiently is also very important. This poses additional challenges and requires that the KMS provides an inter-KMS key exchange and distribution interface to allow the KMS hosted by one rail operator to interoperate with the KMS hosted by the other rail operators in the corridor. The cryptographic keys must be delivered to the wayside systems of a host operator before the trains from a tenant operator enters the territory, so that the wireless rail base station at the wayside can validate the messages sent by the incoming train.

The other challenge is when keys from any of the rail operators need to be updated or rotated. The inter-KMS interface must also allow real-time key updates to other rail operators in the corridor to minimize downtime. The KMS must be able to dynamically accept key updates from different tenant rail operators’ KMS and distribute the keys to the wayside systems accordingly, so the rail operators in the corridor don’t need to coordinate a shared track downtime for key updates.

Additional considerations in the Northeast Corridor territory

Another challenge the NEC rail operators are facing is the limitations of the current 220 MHz radio technology and the number of available 220 MHz channels for running these radios. This makes it very difficult for the operators to increase the coverage and capacity of the communication system without creating RF interferences and contention. The operators must always ask themselves how they are going to procure the radio hardware, whether they have unused channels in the area, and whether they can reuse some of the channels that are already in service nearby without creating unwanted co-channel interferences.

LILEE Systems’ Next Generation Communications Management Unit (CMU) solution based on TransAir™ STS-2025 provides direct replacement for the existing CMU hardware. The new cloud-enabled STS-2025 platform includes two 5Ge Cellular interfaces that allow rail operators in the corridor to manage onboard and wayside systems remotely to improve operational efficiency. It also provides an alternative communication path, in addition to the 220 MHz radio, for train control functions. The cellular backup path allows train control messages to continue to be available even in areas which 220 MHz communication options are out of coverage, too congested, or suffering from interference. This capability can help the NEC operators reduce train delays and improve rider satisfaction.

STS-2025 is built on the latest-generation, state-of-the-art computing and communication technologies and standards. It provides the NEC operators with new options both in terms of hardware life cycle and future software and feature upgrades.

To learn more about implementing secure wireless communications and key management for your rail systems, please contact yjlee@lileesystems.com.

 


About the author


About the author - Yale Lee

Yale Lee

Yale Lee is the Co-founder and Vice President of Technology at LILEE Systems. He has over twenty years of product development experience in the networking and security industry. For the past ten years, Yale has led the LILEE engineering and professional services teams to develop and deliver wireless communications solutions to North American Class I railroads to meet Positive Train Control (PTC) requirements.

Yale has authored several patents and is a member of the IEEE 802.15.4 and JCP JSR-289 committee. He received his BS degree in Electrical Engineering and MS degree in Computer Engineering both from the University of Massachusetts, Lowell.