DESIGN AND VALIDATION OF A RAILWAY EQUIPMENT DIAGNOSTIC PRODUCT APPLYING IEC CYBER-SECURITY STANDARDS
Support was requested for the design, planning, definition and execution of the testing of a railway equipment diagnostic product for metro applications on which cyber-security standards were to be applied and tested.
Apply primary cyber-security rules to a railway equipment diagnostic product (virtual machine installed in a Windows 2016 environment) to make it invulnerable to external attacks. Create GPO (Group Policy Object) to strengthen system security. Manage the Cyber Security Platform (CSP – platform installed in a dedicated workstation external to the product to be validated) and its modules:
- NTP Server (virtual machine for time synchronization);
- SysLog collector (virtual machine for collecting system logs);
- Domain controllers (primary and secondary – also virtual machines);
- Antivirus Server (virtual machine for antivirus management).
Test the product based on its cyber-related and functional requirements.
NIER meticulously supported the client on the design of the test scenarios to verify the product’s cyber-vulnerability. The aforementioned scenarios are classified into:
- “WORKGROUP” mode (without Cyber Security Platform);
- “CSPDOMAIN” mode (with Cyber Security Platform).
In both scenarios, the creation of users is expected. They have a dual classification:
- First classification:
- “Local Users” for the “WORKGROUP” mode;
- “Domain Users” for the “CSPDOMAIN” mode;
- Second classification:
- “Admin” users;
- “Operator” users.
A password policy applies to each user (minimum/maximum password age, minimum password length, password history) together with an account lockout policy (account lockout duration, account lockout threshold, reset account lockout counter) must be applied. Furthermore, each user must belong to one or more specific groups to fulfill the function for which it was conceived.
For domain users in particular, a GPO must be created at the CSP level to enable them to log on to the VM as an Administrator/Operator, either remotely (Remote Desktop Connection) or locally (using KVM technology).
NIER then undertook the planning and execution of the product tests in accordance with its cyber and functional requirements.
Client support phase to design the test scenarios
Drafting of the Requirement Test Plan and Description
Set-up of the test environment
Execution of the cyber tests based on the cyber requirements covered by the applicable tests
Running of functional tests based on the product requirements covered by the applicable tests
Identification and discussion with the client regarding the detected anomalies and unexpected behaviours
Drafting of the Requirement Test Report
NIER helped to achieve the following goals:
- Making the railway equipment diagnostic product compliant with cyber-security standards;
- Discovery of product defects, reducing retrofit costs thanks to the timely detection of bugs and anomalies in the development phase.