Optimizing Cyber Security Gap Analysis for Legacy Railway Control Systems : A Proposed New Gap Analysis Process using CIS Benchmarks™

Abstract: The global concern over cyber security threats to railway control systems is growing due to the factual and potential threats that could lead to severe consequences, including disruption, derailment, and collision. Legacy railway control systems, which were not originally designed with cyber security in mind, are particularly vulnerable to common cyber attacks. It is important and urgent for both operators and asset owners of railway control systems to determine and understand the cyber security capabilities and gaps in their current railway systems. This report proposes a new gap analysis process to optimize cyber security gap analysis process for legacy railway control systems by using the CIS benchmarks produced by Center for Internet Security (CIS). The proposed process includes an efficient verification testing approach to cover most of the IEC 62443-4-2 requirements. Furthermore, we compared the proposed new process with the traditional gap analysis process and show that the new process has advantages in efficiency, cost-effectiveness, and standardization.