IEC cyber-security standard application on railway equipment diagnostic products

SERVICE MARKET CLIENT Leading company in the railway sector YEAR 2020 - in corso

Brief

Support was requested for the design, planning, definition and execution of the testing of a railway equipment diagnostic product for metro applications on which cyber-security standards were to be applied and tested.

Project challenge

Apply primary cyber-security rules to a railway equipment diagnostic product (virtual machine installed in a Windows 2016 environment) to make it invulnerable to external attacks. Create GPO (Group Policy Object) to strengthen system security. Manage the Cyber Security Platform (CSP – platform installed in a dedicated workstation external to the product to be validated) and its modules:

  • NTP Server (virtual machine for time synchronization);
  • SysLog collector (virtual machine for collecting system logs);
  • Domain controllers (primary and secondary – also virtual machines);
  • Antivirus Server (virtual machine for antivirus management).

Test the product based on its cyber-related and functional requirements.

Solution

NIER meticulously supported the client on the design of the test scenarios to verify the product’s cyber-vulnerability. The aforementioned scenarios are classified into:

  • “WORKGROUP” mode (without Cyber Security Platform);
  • “CSPDOMAIN” mode (with Cyber Security Platform).

In both scenarios, the creation of users is expected. They have a dual classification:

  • First classification:
    • “Local Users” for the “WORKGROUP” mode;
    • “Domain Users” for the “CSPDOMAIN” mode;
  • Second classification:
    • “Admin” users;
    • “Operator” users.

A password policy applies to each user (minimum/maximum password age, minimum password length, password history) together with an account lockout policy (account lockout duration, account lockout threshold, reset account lockout counter) must be applied. Furthermore, each user must belong to one or more specific groups to fulfill the function for which it was conceived.

For domain users in particular, a GPO must be created at the CSP level to enable them to log on to the VM as an Administrator/Operator, either remotely (Remote Desktop Connection) or locally (using KVM technology).

NIER then undertook the planning and execution of the product tests in accordance with its cyber and functional requirements.

Execution phases

FASE 1

Client support phase to design the test scenarios

FASE 2

Drafting of the Requirement Test Plan and Description

FASE 3

Set-up of the test environment

FASE 4

Execution of the cyber tests based on the cyber requirements covered by the applicable tests

FASE 5

Running of functional tests based on the product requirements covered by the applicable tests

FASE 6

Identification and discussion with the client regarding the detected anomalies and unexpected behaviours

FASE 7

Drafting of the Requirement Test Report

Achieved results

NIER helped to achieve the following goals:

  • Making the railway equipment diagnostic product compliant with cyber-security standards;
  • Discovery of product defects, reducing retrofit costs thanks to the timely detection of bugs and anomalies in the development phase.

Subscribe our Newsletter .