How Secure Is ERTMS?

  • Richard Bloomfield
  • Robin Bloomfield
  • Ilir Gashi
  • Robert Stroud
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7613)


This paper reports on the results of a security analysis of the European Railway Traffic Management System (ERTMS) specifications. ERTMS is designed to be fail-safe and the general philosophy of ‘if in doubt, stop the train’ makes it difficult to engineer a train accident. However, it is possible to exploit the fail-safe behaviour of ERTMS and create a situation that causes a train to halt. Thus, denial of service attacks are possible, and could be launched at a time and place of the attacker’s choosing, perhaps designed to cause maximum disruption or passenger discomfort. Causing an accident is more difficult but not impossible.


Security assessment safety-critical systems ERTMS railway signaling systems safety security interactions 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bloomfield, R., Stroud, R., Gashi, I., Bloomfield, R.: Information Security Audit of ERTMS, Technical Report (2010)Google Scholar
  2. 2.
    Stroud, R., Gashi, I., Bloomfield, R., Bloomfield, R.: ERTMS Specification Security Audit – Analysis of Attack Scenarios, Technical Report (2011)Google Scholar
  3. 3.
    UNISIG SUBSET-026, System Requirement Specification, Version 2.3.0,
  4. 4.
    UNISIG SUBSET-037, Euroradio FIS, Version 2.3.0,
  5. 5.
    UNISIG SUBSET-038, Offline Key management FIS, Version 2.3.0,
  6. 6.
    UNISIG SUBSET-114, KMC-ETCS Entity Off-line KM FIS, Version 1.0.0,
  7. 7.
    Quirke, J.: Security in the GSM system (2004)Google Scholar
  8. 8.
    Bloomfield, R., Craigen, D., Miller, A.: Dual Use of High Assurance Technologies, Technical Report (2009),
  9. 9.
    Braband, J.: Safety and Security Requirements for an Advanced Train Control System. In: Proc. 16th International Conference on Computer Safety, Reliability and Security (SAFECOMP 1997). Springer, York (1997)Google Scholar
  10. 10.
    Stump, F.: Datenübertragung über öffentliche Netze im Bahnverkehr – Fluch oder Segen?!, Safetronic 2010 (2010)Google Scholar
  11. 11.
    Katzenbeisser, S.: Can trains be hacked? Die Technik der Eisenbahnsicherungsanlagen. In: 28th Chaos Communication Congress, Behind Enemy Lines (December 2011)Google Scholar
  12. 12.
    BBC News, Train-switching technology ‘poses hacking threat’ (December 2011),
  13. 13.
    RailUK Forum, BBC News: Hackers could delay trains (December 2011),
  14. 14.
    Bloomfield, R.E., Guerra, S., Miller, A., Masera, M., Weinstock, C.B.: International Working Group on Assurance Cases (for Security). IEEE Security and Privacy 4(3), 66–68 (2006)CrossRefGoogle Scholar
  15. 15.
    SESAMO – Security and Safety Modelling, ARTEMIS Embedded Computing Systems Initiative 2011, Project Number 295354 (May 2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Richard Bloomfield
    • 1
  • Robin Bloomfield
    • 2
    • 3
  • Ilir Gashi
    • 2
  • Robert Stroud
    • 3
  1. 1.Independent ConsultantUK
  2. 2.Centre for Software ReliabilityCity University LondonLondonUK
  3. 3.Adelard LLPLondonUK

Personalised recommendations