The Stockholm Line – the main metro line in the capital city of Sweden – appointed us as providers of System Engineering Services to upgrade the signalling system of the red line. One of the focuses of the upgrade was cybersecurity.
The challenge of this project, though, was the cultural change rather than the technical upgrade. It is customary to regard the safety of industrial automation in the transport and infrastructure sector more as an engineering feat than as anything to do with cybersecurity, which is usually associated with the internet, social networks or company network systems and computers.
Our approach to the project design was to look at it from the perspective of regular safety and, from there, explain how certain accidental events/effects that constitute a serious risk can be intentionally created by means of cyberattacks.
In particular, our scope of work for the Stockholm metro system included the following main tasks:
• monitoring security verification activities carried out by the supplier of the signalling system and validating contractual requirements
• developing vulnerability analyses to verify whether the requirements specified in the contract covered the cybersecurity topic exhaustively and, where needed, specifying additional requirements, filling in the identified gaps and further verifying compliance
All cybersecurity testing activities and analyses were conducted on an engineering track, a metro segment used exclusively for tests and representative of the real system. This allowed normal metro traffic to continue unimpaired and protected the integrity of the operational environment.