A Resilience-Based Security Assessment Approach for CBTC Systems

,


Introduction
At present, railway is developing rapidly around the world, especially in China, where the high-speed railway (HSR) has a total length of 35,000 kilometers, accounting for approximately 66.7% of the world's high-speed railways [1].China has also made significant progress in urban rail transit; there are more than 200 lines, and the total operation length is more than 6000 km [2].Ensuring the punctuality of trains is the most significant goal of railways, and it can promote the sustainable development and bring the maintenance of social stabilization.
Communication-based train control (CBTC) is the key technology of urban rail transit to keep trains operation safe and efficient, which can provide real-time operation information for trains and generate control and dispatch strategies.In order to increase the automation and informatization level of CBTC systems, communication, computer, and control technologies have been widely applied [3].Additionally, security risks are introduced in CBTC systems and can cause the destruction of railway transportation organization, which is the same as the other industrial control systems [4,5].
Generally, a CBTC system can be taken as a typical cyber-physical system [6], where the computer network is working at the cyber domain while trains are running at the physical domain.Cyber attacks are usually carried out on computer nodes or communication links, which will cause information delay and tampering.Considering the principles of CBTC systems, the normal operation of trains could be disturbed, such as emergency braking.For example, wireless local area networks (WLANs) are adopted as the main method of bidirectional train-ground communications of train control systems [7,8], which could be easily interfered and attacked [9] as WLANs work at the public frequency and the authentication mechanism is unidirectional.Once wireless links are cut off under denial of service (DoS) attacks, trains cannot receive the movement authority (MA) from the control center, and emergency braking must be implemented in order to keep trains safe.Obviously, the operation efficiency is seriously reduced.
As urban railways are designed to deliver passengers, CBTC systems are safety-critical, and the fail-safe mechanisms are applied in order to achieve the demanded performance including reliability, availability, maintainability, and safety (RAMS) [10,11].In the traditional assessment approach to CBTC systems, RAMS is the significant statistical indicator system [12,13] according to IEC 62278 [14], where qualitative measures include failure probabilities, mean time to failure (MTTF), mean time between failures (MTBF), and two-dimensional risk matrixes (risk probabilities and risk consequences).erefore, the existing assessment approach focuses on the large time scale, which cannot determine in real time the effects caused by the temporal or sudden disruption.However, security events are often unexpected, and malicious attacks are implemented depending on the subjective will of attackers, being random.As a result, it is not appropriate to adopt traditional statistics indicators to evaluate performance of train control systems under attack.
As mentioned above, CBTC systems are designed to provide transportation service, and the robustness and recovery capability are critical when cyber attacks are performed.e Department of Homeland Security developed a plan to achieve critical infrastructure security and resilience in 2013 [15].e transportation systems sector-specific plan [16] was also proposed.It identifies the transportation system's security and resilience priorities and describes the approach to managing critical infrastructure risks, where the railway system is included.erefore, a novel assessment approach based on resilience is proposed in this paper.
e resilience of a CBTC system could be illustrated as Figure 1 according to [17].Generally, a CBTC system keeps at the normal operation level, and trains are running according to the predesigned timetable.At t o i , the cyber attacks are implemented, and system performance is still kept at the same level.From t o i to t d i , attackers search the target and inject malware to affect the normal operation.
erefore, system performance begins to go down at t d i , and it reaches the lowest point at t m i .Meanwhile, some protection mechanisms are triggered to mitigate effects of attacks.From t s i , the system begins to recover and reaches a new stable level at t r i .erefore, when a security assessment approach is applied, there are three stages which should be considered: the preevent stage (t < t o i ), the during-event stage Considering the characteristics of cyber-physical systems, performance of a train control system should contain both indicators of network from cyber domain and those of train operation performance from physical domain.Generally, the cyber domain is discrete while the physical domain is continuous.erefore, the structure information entropy is applied to fuse different indicators [18], which can measure consequences of cyber attacks and demonstrate overall performance changes of CBTC systems versus the whole process of security events.In this paper, the resilience of CBTC system is assessed by the structure information entropy.e rest of this paper is organized as follows.A typical CBTC system is shown in Section 2. Section 3 describes the assessment model based on structural information entropy.Section 4 presents simulation results and some discussions.Finally, we conclude the study in Section 5.

Overview of CBTC Systems
Figure 2 demonstrates a typical CBTC system for urban rail transit, which includes some critical equipment, e.g., automatic train supervision (ATS), data storage unit (DSU), computer interlock (CI), zone controller (ZC), and vehicle on-board controller (VOBC).VOBC receives the control command from ZC and transmits the train status through wireless communications, where WLANs and long-term evolution for metro (LTE-M) are usually applied.WLANs-based train-ground communication systems consist of wayside access points (APs) and on-board mobile stations (MSs).
Generally, trains are running at a high speed and sending the corresponding information including velocity, position, and direction to the ZC.ZC generates movement authorities (MAs) to trains to inform the train about the location of the nearest obstacle, which could be a running train, a station, or a turnout.e train obtaining the MA should calculate the permitted maximum velocity to keep a safe distance to the nearest obstacle.During the process, messages between trains and ZCs are transmitted through WLANs or LTE-M.Obviously, the reliability and dependability of wireless communications are significant to CBTC systems.
As mentioned above, the fail-safe mechanisms are embedded in the operating principle of the CBTC system so that when a specific type of failure occurs, it will not cause harm to other equipment, the environment, or the personnel or cause minimal harm.erefore, redundant and fault tolerance architectures are applied, such as double 2-vote-2 architecture for ZC, DSU, and CI.On the left part of

Complexity
Figure 2, the double 2-vote-2 architecture is demonstrated, where there are two communication controllers (CCs), four processing units (PUs), and two logic decision makers.In the architecture, one CC, two PUs, and one logic decision maker make up the main system while the others are the standby system.Generally, when the main system does not work well, the standby system switches to the main role.erefore, ZC, DSU, CI, and ATS are not standalone devices but subsystems.For example, ATS includes database servers, communication servers, application servers, and network gate computers.Some dedicated protocols are developed to keep the confidentiality, integrity, and availability of information, such as railway signalling safe protocols (RSSP) derived from EN 50159.
Conversely, applications of general information technologies could bring security risks, such as server message block (SMB) protocol vulnerabilities, remote code execution vulnerabilities, authentication vulnerabilities, DoS threats on wireless communications, and false data injection threats.
e combined effects of security threats and vulnerabilities can generally bring changes of CBTC network topology, such as the downtime of one server due to virus, which can lead to interruptions of communications from the server to any other equipment.For some specific scenarios, under protection of fail-safe mechanisms, changes of CBTC topology cannot affect the normal train operation.With dualnetwork redundancy of wireless communications, although one wireless link between a train and ZC is blocked due to jamming attacks or DoS attacks, the train could still keep the preset running trajectory as the other wireless link can provide one channel to transmit the control command.erefore, a security assessment approach should consider effects of the existing fail-safety mechanisms, which can precisely evaluate the practical robustness and the recovery capability of train control systems.

The Resilience Assessment Model of CBTC Systems
As mentioned above, cyber domain of CBTC system is a computer network with different computer nodes and communication links.e physical domain consists of trains with effects of traction and braking according to commands from the cyber domain.Obviously, abnormal performance of cyber domain could affect the operation of trains and bring on disturbance to the transportation service of urban rail transit.
According to the definition of resilience, system performance indicators should be determined based on the characteristics of CBTC.As a cyber-physical system, there are amounts of performance indicators of cyber domain and physical domain.erefore, the performance variance due to cyber attacks should be described based on difference indicators.In this section, we develop a novel method based on the structural information entropy to demonstrate the realtime system performance of both the cyber domain and the physical domain.
3.1.Cyber Domain.As a CBTC system could be treated as a computer network, we built a graph model G(V, E), where v i ∈ V is the device of CBTC systems and e i ∈ E is the communication link among devices.Two-dimensional structural information of graphs is proposed to quantitatively measure the force of the network to resist cascading failures caused by intentional virus attacks, as the general Shannon's information entropy failed to support where L is the number of modules in partition P which could be the subsystem of a CBTC system, n j is the number of nodes in module X j , d i is the degree of the i th node in X j , V j is the volume of module X j (i.e., the sum of degrees of all the nodes in X j ), g j is the number of edges with exactly one endpoint in module j, m is the number of edges in G, and 2m is the volume of G.
Equation ( 1) assumes that each vertex and each edge is completely the same.However, in CBTC systems, different operation systems and hardware platforms are adopted based on functional attributes of devices.Meanwhile, according to safety-critical requirements, RSSP-1 and RSSP-2 are individually applied to the closed network and the open network.As a matter of fact, some private protocols (PPs) are also developed due to specific requirements.For some unsafe communication links, information is transmitted in clear text.erefore, there are a few types of vertexes and edges, which means every element of a CBTC graph model should be described with specific parameters according to its inherent features.
Based on the password strength, the security protection policies, and the number and level of vulnerabilities, a security factor of a node could be designed.Vulnerabilities could be classified into five levels according to the common vulnerability scoring system (CVSS), where the corresponding weight of a node can be determined.
where χ denotes the security protection situation of a device, ] α is the index which demonstrates the overall state of vulnerabilities, ] β is the measure of the password strength, n pp is the number of practical security protections, n dp is the number of desirable security protections, N is the number of vulnerability classifications, n k is the number of the k th vulnerabilities, w k is the weight of the k th vulnerability, N op is the number of the password character sets, and L is the length of the password.
Similarly, for an edge, based on protocols of communication links, the weight of each edge could be determined as follows: where S j is the security level of the protocol adopted by the communication link j, R j is the reliability level of the protocol, N s is the number of protection methods practically adopted by the protocol, and N d is the number of protection methods which should be adopted by the protocol.erefore, S j is determined by the openness of the standard protocol, where the private protocol can be assigned to the maximum value.R j depends on whether the communication link is wireless, where the value of a wireless link is obviously smaller than that of a wired link.N d is the maximum value of N s in the system.erefore, the structural entropy of a CBTC system can be formulated as follows: where V j (ω e ) is the weighted V j in (1), (ω e ) is the weighted d j i in (1), and g j (ω e ) is the weighted g i in (1).

Physical Domain.
e structural entropy in (4) can demonstrate changes of network typologies due to node failures and interruptions of communication links caused by security issues, which is the performance variance of cyber space.However, due to cyber-physical characteristics of CBTC systems, performance variances of physical space should also be considered.Based on the transportation service attribute of CBTC systems, the achievement rate of timetables can be used to describe effects caused by security attacks on train operation.Firstly, the normalized value of the performance loss of a train is expressed as follows, where the min-max principle is applied.
where Δs min , Δv min , Δt arr−min , Δs max , Δv max , and Δt arr−max are the minimum and maximum value of the variation of the displacement, velocity, and arriving time, and α, β, and c are the weight of three parameters.erefore, the performance of a whole subway line under attack can be formulated as follows, which is the y axis of Figure 1.
where p p (t) is the train operation performance of the entire line under normal conditions and p l (t) represents the performance loss of the whole line under attack.

Resilience of CBTC Systems. Equation (6) demonstrates the overall performance of CBTC systems under attack.
With the attacking process being implemented, states of nodes and edges are changing.erefore, AR(t) and H s (G(t)) are time-varied functions.By combining AR and H s (G(t)), the performance of cyber space and physical space can be monitored, which can demonstrate effects of security attacks on CBTC systems shown as follows: According to the metric proposed in [19], there are three attributes to measure resilience: absorptive capacity, adaptive capacity, and restorative capacity, and the corresponding expression is shown as follows: where j is the j th cyber attack, S p is the recovery speed factor, H r is the stable level after the system recovers from cyber attacks, H d is lowest performance level of the system due to attacks, and H o is the normal performance level of the systems.Obviously, H r /H o describes the adaptive capacity while H d /H o presents the absorptive capacity.
In addition, the recovery speed factor is determined according to some key timing.
where t delta is the tolerable time before the recovery measures are implemented, t r * is the time when some initial measures are performed to decrease the effects of attacks, t r is the time when CBTC system recovers to a stable operation level, and a is a decay factor.Considering operation principles of CBTC systems, when attacks are performed and cause failures of critical equipment such as ZC, trains will implement emergency braking to keep safe based on fail-safe mechanisms.Obviously, the performance of the whole subway line will fall down to a lowest level H d , and the corresponding time is t δ .Due to the existence of backup operation mode, CBTC system can still operate with ZCs and trains will recover from the emergency braking state, which is the initial measure to keep the continuous service.erefore, t r * is determined.Finally, after cyber attacks finish, ZCs being attacked can run at a normal state and CBTC systems can return to a stable level H r which is generally smaller than the normal level H o .Hence, t r can also be obtained.

Simulation Results and Discussions
4.1.Simulation Description.Take Beijing Subway Yizhuang Line, for example, where there are 13 stations, 6 ZCs, and 6 CIs and the length is 23.3 km.Based on the structure of CBTC systems and the architectures of ZCs, CIs, and ATS, a computer network of CBTC is demonstrated in Figure 3, where the double 2-vote-2 architecture is applied in ZC and CI subsystems.
e normal timetable of Beijing Subway Yizhuang Line is taken as the input of simulations as shown in Figure 4. e typical jamming attack is implemented on train-ground wireless communications.ere are two scenarios: Scenario 1 took ZCs as attacking targets.Generally, ZC failures could cause serious disturbances to train operations, as trains have to perform the emergency braking when they cannot receive MAs from ZCs. erefore, operators must try their best to repair failures or implement some other emergency response Complexity measures.We assume that operators should take several minutes to make the system recover from ZC failures.According to the architecture in Figure 2, the attacking path is CC1 (300 s) ⟶ PU1 and PU2 (400 s) ⟶ CC2 (600 s) ⟶ PU3 and PU4 (700 s).In the scenario, there were three ZC systems being attacked and crashing.After several minutes, the three ZC systems successively recovered at 2500 s, 2900 s, and 3300 s, respectively.Scenario 2 took trains as attacking targets, where DoS attacks were implemented on wireless communications between ZCs and VOBCs.
rough sending a large number of data packets to exhaust bandwidth resources, communication interruptions could be caused, and trains have to perform the emergency braking to keep safe based on "fail-safe" mechanisms.erefore, trains worked under the degraded mode depending on operation of drivers until wireless communications recovered to normal.In the scenario, we attacked the 5th, 10th, and 15th trains, respectively, at t � 1000 s, t � 2000 s, and t � 2500 s.Successively, trains ran under the normal mode at t � 1500 s, t � 2500 s, and t � 3000 s.

Performance of Cyber Space.
Figure 5 shows the network performance based on the two-dimensional structure information entropy under scenario 1, where A, B, C, and D, respectively represent failures of CC1, PU1 and PU2, CC2, and PU3 and PU4 of ZC2. e initial network performance under the normal mode was 7.6754.During the attacking process, the main system and the standby system of ZC2 crashed, and the network performance fluctuated.When ZC3 and ZC4 successively crashed, the network performance reached 7.4068.
en, some measures were implemented to make ZCs recover to normal.
erefore, ZC2, ZC3, and ZC4 started to work normally in sequence, and the network performance quickly returned to the original value before the attack.
Figure 6 demonstrates the network performance under scenario 2, where wireless communications between trains and ZC were blocked by DoS attacks.
e network performance had little influence, which means attacks on single or several wireless links could hardly bring obvious changes of the network topology.However, communication interruptions could lead to the emergency braking of trains, which obviously affected the operation of a subway line.
erefore, gentle changes of network performance cannot describe effects of DoS attacks on CBTC systems.7 and 8 present practical timetables under two different scenarios.It can be seen from the timetable that, in the two attack scenarios, the normal operation of the train was greatly affected.Figure 7 indicates that after the first ZC system was compromised, the timetable began to be delayed under scenario 1.With the restoration of the ZC system one by one, the timetable began to recover, but it still had an impact on subsequent train operations.Figure 8 shows that even if there was no impact on the network domain, due to the DoS attack on the wireless communication between ZCs and VOBCs, the train could not obtain MAs, so it led to emergency braking, which still had an impact on the timetable.erefore, cyber attacks   It is necessary to evaluate the train performance loss of a whole subway line under cyber attacks.As shown in Figure 9, the train operation performance (defined in ( 6)) of the subway line decreased as several ZCs broke down (A ∼ B) and then increased with the recovery of ZCs (B ∼ C).With the recovery of ZCs, each train returned to the normal operation state.However, the performance loss is irreparable, and the curve could not reach the normal operation level as shown in area C. e train operation performance of the subway line under DoS attacks on wireless communications is shown in Figure 10.It began to decrease (area A) and fell to the lowest point (area B) at t � 2300 s.In order to keep the continuity of transportation service, trains had to recover to the normal operation mode, and then the curve started rising.However, trains performing the emergency braking could affect normal operation of following trains in a certain area, and those far from the attacked ones could keep the normal model.

Resilience Assessment of CBTC Systems. As shown in
Figures 11 and 12, the performance of the cyber domain and that of the physical domain were integrated, which could demonstrate the security state of the whole subway line under attack, and the corresponding polynomial fitting results were also included.
According to fitting results, the key parameters of ( 8) and ( 9) were determined as shown in Table 1.e lowest value of the security level under the two scenarios was close.In scenario 1, failures of one single ZC could affect all the trains within its control.Meanwhile, with the longer attacking    Complexity time, the affected area was wider.Hence, it should take more time to recover to the normal level compared with scenario 2. In addition, interruptions of wireless communication could directly affect performance of trains.erefore, the performance fading rate of scenario 2 was larger.In scenario 2, due to the DoS attack on the wireless communication between ZCs and VOBCs, although it still causes train delays, system performance will return to normal levels after the attack ends.We could calculate three attributes of resilience as shown in Table 2. e absorptive capacities under the two scenarios were almost the same, which indicated that the CBTC system had similar robustness.As one ZC can control several trains, adaptability and recovery capacity of CBTC systems were weaker under scenario 1.
erefore, resilience can be quantitatively assessed according to the process of attacks.

Conclusion
In this paper, a resilience-based assessment approach is proposed to measure the security level of CBTC systems.e two-dimensional structure entropy is adopted to describe the performance of the cyber domain, and that of physical space is calculated according to the practical timetable and running states of trains.Based on stages of attacks, resilience metrics are utilized to analyze the security level of the whole subway line, where both cyber space and physical space are considered.Two typical attacking scenarios were built, and a practical subway line was taken as an example.Simulation results show that the resilience-based approach can efficiently evaluate the security level of CBTC systems under different attacks.

Figure 1 :
Figure 1: e resilience of a CBTC system.

Figure 3 :
Figure 3: e computer network of Beijing Subway Yizhuang Line.

Figure 5 :Figure 6 :
Figure 5: Network performance changes of the CBTC system under scenario 1.

Figure 9 :Figure 10 :
Figure 9: e train operation performance of the subway line under Scenario 1.

Figure 11 :
Figure 11: e overall performance of the subway line under scenario 1.

Table 1 :
Resilience parameters of CBTC system under two different scenarios.

Table 2 :
Resilience assessment results of CBTC systems under two scenarios.