Overview of the European Project Security of Railways in Europe Against Electromagnetic Attacks (SECRET)


V. Deniau, virginie.deniau@ifsttar.fr, IFSTTAR (France)

©2014 IEEE Electromagnetic Compatibility Magazine - Volume 3 - Quarter 4

Introduction

The European project SECRET studies the security of the railway network against Electromagnetic Attacks. The SECRET consortium involves 10 partners from five European countries. The project is coordinated by IFSTTAR, which is the French institute of science and technology for transport, development and network. The project started in August 2012 for a duration of 36 months.

Figure 1. The SECRET Consortium (partner logos, including IFSTTAR as coordinator, ALSTOM, UPV EHU and Fraunhofer; banner: Security of Railways against Electromagnetic Attacks)

Why the Railway Network could be concerned by Electromagnetic Attacks

The terrorism threat to European citizens has been elevated for several years and this threat notably concerns rail transportation and the infrastructures providing mass transport. Both rail operation and its infrastructure are critical priorities because of the economic and security impacts of potential attacks (loss of service, destruction of vehicles and destruction of infrastructure ...), extended consequences on the surrounding businesses and finally, the impaired reputation of being a safe and secure transport system.

The railway can be an attractive target for security attacks or trouble makers, because of its familiarity, ease of access and openness. Attacks which were carried out on the French railway infrastructure in November 2008 [1][2], involving metal bars on the catenaries, caused delays for 160 TGV's, Eurostar and Thalys (coordinated attacks that targeted four different rail lines on the French Railway network). This event shows that the railway organisation can be sabotaged by more subtle actions than bombing, if the offenders base their actions on the vulnerability of employed technologies. Equally, an electromagnetic attack is based on a similar approach as it involves failing equipment or devices which serve the efficiency and safety of the railway transport system. Different profiles of attackers (terrorist, vandals, criminals ...) could use electromagnetic attacks and this article deals with EM attackers in a generic fashion.

The European railway infrastructure is concerned by EM attacks because it constitutes a mass transport system which includes a large number of telecommunication, command-control, electronic and informatics systems and subsystems vulnerable to electromagnetic interferences. The electromagnetic interferences can act on the wireless communications, on the wired networks and on the electronic and informatics systems. If we consider only low-level EM threats and we make the assumption that they would not involve interference powerful enough to destroy equipment or components, they could still have two main effects:

• scrambling information transmitted and thus impeding communication between two components
• modifying the information transmitted and thus enabling or disabling certain functions unexpectedly

The effect produced will generally depend on the complexity of the control/useful signals expected by the potential victim equipment. On the one hand, when the control or useful signal is relatively basic, generally concerning command-control and signaling equipment of the railway infrastructure, it is possible to enable or disable certain functions unexpectedly. That was notably demonstrated in Poland in January 2008, when a 14 year old boy activated tram track switches with an amateur tele powering system in the city of Lodz [3]. The consequences were that four trams were derailed, and others had to make emergency stops.

On the other hand, when the useful signals expected are more complex, such as in continuous communication networks which transmit variable information, the most probable effect is the scrambling of the information. This is the principle of WiFi/GSM jammers, which can also be able to jam the GSM-Railway transmissions. GSM-R is an international wireless communications standard for railway communication which is used for communication between train and railway regulation control centers. In ERTMS (European Rail Traffic Management System), GSM-R is the European radio system for transmitting movement authorities to the trains in Europe.

In the case of EM attacks, both effects may occur on the railway infrastructure, which includes systems of different levels of complexity: control-command systems (track switches, barrier crossing, traffic signal light...), spot communication systems for detection (track circuits, Eurobalise, Euroloop), continuous communication systems (local train radio systems, GSM-Railway). Consequently, the railway infrastructure is a very realistic potential victim of electromagnetic attacks. According to the attacked systems or subsystems and to the nature of the intentional EM fields, the consequences on the individuals, the structures and the materials can significantly vary. However, dramatic scenarios could occur due to electronic devices being employed at every level of the railway network and the potential cascade effects that the disruption of one element can induce.

The deployment of ERTMS (European Rail Traffic Management System) homogenizes the technologies to manage the trains over the European territory, but also homogenizes the vulnerability points to the EM fields. Similar examples can be imagined in the context of the harmonization of systems and rules due to interoperability requirements for all operational domains in the rail transportation in Europe (operation, control, management, maintenance ...). These include the strategy to reduce the number of control centers of the track switches in Europe, which will rely on remote controlled interlocking systems to activate switches. Thus, if an attacker is designing an intentional EM emissions device capable of disrupting management systems for rail infrastructure in Berlin, for instance, the same device will have the same attack capacity in all European cities. This will cause immediate economic consequences at the least and possibly more.... Harmonization thus facilitates the implementation of organized and simultaneous EM attacks. The European project SECRET aims to complete the harmonization solution to ensure its resilience and robustness against EM attacks.

Meanwhile, the technologies and frequencies employed in the railway field are similar to technologies and frequencies used for applications available to the general public. Indeed, the railway no longer develops "proprietary" technologies but adapts general public technologies. This increases the vulnerability of the railway because it is easy to obtain emission devices capable of disrupting rail technologies. With relatively basic electronics knowledge and the performance of electronic components and antennas available on the open market, these emission devices can be combined with amplifiers to increase the capacity of EM attacks.

During the design phase of electric or electronic devices, topology rules (shielding, filters, ground...) are applied in order to limit the susceptibility of the equipment to spurious EM fields. Nevertheless, the design and assembly rules do not ensure the protection of the equipment against intentional EM fields used by potential attackers. Moreover, testing methodologies are used in electromagnetic compatibility to verify independently the immunity of equipment to spurious electromagnetic fields, but no tests can be performed to assess the vulnerability of the whole railway infrastructure to electromagnetic fields.

The Victim Equipment Considered in SECRET

The potential victim systems considered in SECRET are systems which could be affected by jamming devices and which are currently deployed in Europe. Indeed, SECRET takes place in the context of deployment of ERTMS [4], and Eurobalise and GSM-R, being the main technological components on which ERTMS is based, are the priorities in the project.

Eurobalise is a spot (short-range radio) communication system progressively deployed in Europe to permit the trains to check their position. Eurobalise is composed of beacons on fixed points of the track and an on-board antenna under the train. The Eurobalise beacons are on the ground between the rails and transmit information to the trains such as the movement authority and cab-signal information, together with other route data. Eurobalise beacons constitute a reference system for the train positioning and are used to precisely re-calibrate the on-board odometer.

The beacon is tele-powered by a 27.115 MHz radio frequency signal generated by the train antenna. The trains are equipped with a loop antenna and continuously generate an RF signal at 27.115 MHz. When the train passes above the balise, the balise is powered by the emitted signal and activated. It sends its identity and specific signalling information back to the train. The Eurobalise response is also an inductively coupled Up-link signal. The modulation of the Up-link signal, from the balise to the train antenna, is a frequency shift keying (FSK) with a 4.234 MHz center frequency.

In addition to Eurobalise, GSM-R is the continuous communication system in deployment to ensure the voice exchanges and the transmission of signalling information between the trains and the control centres in Europe. The aim is to progressively replace the national continuous communication systems by the GSM-R in order to permit the interoperability of the train. Currently this system is mainly used for voice communication between the conductors and the railway control centres. In the future, it will be employed for transmitting signalling data to the train in order to replace the lateral signalling information along the track. The GSM-R is a radio communication system which exploits its own cellular network deployed along the railway lines. While the trains move along the longitudinal cells, the train and track radio equipment receive power levels varying with the distance between the trains and the base stations. GSM-R has its dedicated frequency bands: 876 MHz to 915 MHz for the uplink (from the train to the base station) and 921 MHz to 960 MHz for the downlink (from the base station to the train). Frequency spacing between each physical channel is 200 kHz.

A GMSK modulation type is used by this communication system. Moreover, GSM-R is a Time Division Multiple Access (TDMA) system, meaning that it uses time division multiplexing. Thus, for each frequency channel, data are organized per periodic TDMA frame, with a period of 4.615 ms. Each TDMA frame is divided into 8 time intervals of 577 µs called "Time Slots".

Figure 2. Illustration of the GSM-R Cells along the GSM-R network


Parallel to ERTMS, certain railway operators employ the TETRA (terrestrial trunked radio) communication standard for applications in train stations, including voice and data communications. This system is also considered in SECRET. TETRA is a TDMA system like the GSM-R, and two distinct frequency bands are also allocated to the up-link and the down-link. However, the frequency bands are not necessarily the same for all the users. TETRA is an ETSI standard [5] of a second generation digital cellular network solution developed for professional mobile radio. It is not limited to the railway domain but was designed for use by government agencies, emergency services (police, fire departments, ambulance) for public safety networks, public transportation services and the military. TETRA offers a high security level for transmission thanks to an end-to-end encryption and was developed in accordance with the current requirements for interoperability and multi-provider situations.

TETRA includes Direct Mode Operation (DMO) allowing "back to back" communications between radio terminals independently of the network. In the case of poor coverage by the network, DMO offers the possibility of using one or more TETRA terminals as relays. The frequency bands allocated to TETRA are generally in the 400 MHz band and two frequency bands are also allocated to the up-link and the down-link. The carrier frequency spacing is 25 kHz and the system uses DPSK modulation. TETRA is also a TDMA system permitting 4 communications per channel (4 timeslots per TDMA frame).

The jamming of all these communication and signalling systems could be problematic for the railway network, and could involve important operational consequences. But, in this article, only the approach dedicated to the GSM-R will be presented.

The EM Attack Devices Considered in SECRET

A reference list of possible EM attack devices was established. The specificity of SECRET is that its list does not include very high power EM weapons but devices which can be accessible to the general public, and the attack devices have to be sufficiently small to be hidden in a pocket, a bag or a car. It could be a COTS jammer or home-made devices built with components for sale to the general public. Certain jammers designed to jam the public telecommunication also partially or fully cover the GSM-R frequency bands.

The EM attack devices reference list made it possible to classify the signals according to their waveform and the associated parameters in order to define the immunity tests to perform and to identify the EM attack devices which can affect the potential victims considered in SECRET. These EM attack devices are also classified according to other attributes such as ease of use, ease of transport, ease of boosting..., in order to assess the threat and risk associated with each EM attack device and to define the more relevant scenarios to consider.

Vulnerability of the GSM-R System to Jamming Devices

The length of the GSM-R cells depends on the distance between the successive base stations, and the power level of the GSM-R signal received depends on the distance between the train and the base station. The deployment of the cell is not necessarily identical in all the European countries, but in general the power level of the signal received when the train is near the base station is approximately -25 dBm and it decreases progressively up to the middle distance between two base stations. The minimum level of the signal received has to be greater than or equal to -95 dBm.

Figure 3. Illustration of the GSM-R transmissions between trains and base station (labels: two GSM-R base stations some km apart; GSM-R up-link 876-880 MHz; GSM-R down-link 921-925 MHz; GSM-R antenna; train; power of the received signal on board train, -25 dBm and -95 dBm)


Different scenarios of an EM attack were defined in the project. The scenario definition includes the type of jamming signal (power, time and frequency characteristics) and the position of the jamming equipment in the network (in train station, on board train or along the track side). For each scenario, a risk analysis is performed in SECRET in order to identify the link and railway functions which can be affected and to identify the potential consequences. The coupling between the GSM-R antenna and jamming equipment was also measured in station and on-board train in order to assess the power of the jamming signal which can be superposed on the GSM-R communication. Then, laboratory tests were performed by emulating the different scenarios in order to determine the time duration during which the communication link could be disrupted. This time duration of break on the GSM-R communication link between the train and the control centre can be introduced in the risk analysis in order to deduce the global reaction of the system and to identify new required counter measures.

Tests Performed on the GSM-R System in SECRET

An EM attack test on a GSM-R system cannot be easily performed in real situations because the GSM-R is already being employed and the tests could disturb the correct operation of the trains. The tests were therefore performed in laboratory in a conducted mode. According to the scenarios defined, some of these radio link conditions were reproduced in laboratory.

The tests were carried out to emulate several attack scenarios. Firstly, we varied the received GSM-R signal to emulate the movement of the train and the variation of distance between the train and the GSM-R base station. Secondly, we applied a variable attenuator on the jammer output in order to simulate different coupling levels between a jammer on board the train and the on board GSM-R antenna. This permits us to reproduce the different positions that the jammer could have inside the train.

Figure 4. Schema of the test bench to assess the impact of jammer on GSM-R communications (labels: cab radio, including filters and GSM-R terminal)

The time duration of break on GSM-R communication links between the train and the control centre inside a GSM-R cell is then estimated by linking the GSM-R covering curves along the track with the level of the GSM-R received signal for which the communication is lost in presence of the jammer. This time duration without a communication link can then be introduced into the risk analysis in order to deduce the global reaction of the system.

The obtained results show that the communication link is not affected by jammers when the train is in proximity of the base station. But when the train moves progressively away from the base station, the communication quality deteriorates until the link is finally cut. However, the distance at which the communication is lost depends on the jammer type and its position. The question is whether the time during which the communication is operational is sufficient to warrant a correct operation of the railway network. If not, what can be the best counter measures to secure the railway network and to reduce the operational impact?

These tests emulated different jamming scenarios involving a jammer on board a train. However, the jammer could be placed in proximity of a base station in order to jam the up-link signal received by the base station. Nevertheless, this type of configuration is difficult to reproduce in laboratory conditions and requires equipment similar to that employed in the base stations.

Detection of Jamming Signals in SECRET

The main issue of SECRET concerning the detection is that we have to be able to detect relatively low power level attack signals. Indeed, a jamming signal can be efficient without a high power level because the GSM-R useful signal can be relatively low.

The second objective is that we would like to detect the presence of a jamming signal even if the communication quality is not affected, because such detection can permit the management system to anticipate what could happen.

The third item is that detection solutions can be focused on the protection of one particular communication system or on the protection of several communication systems. For example, on board train, it can be essential to monitor only what can affect the GSM-R and to have a very quick detection, but in a train station it can be necessary to monitor several communication systems with a relatively longer time of reaction. In consequence, several detection approaches are studied in SECRET.

• Detection by statistical spectrum analysis

The first detection approach studied in SECRET is based on the analysis of the spectrum occupation. The method consists in determining the statistical laws which define the "normal" distribution and time evolution of the signal over the different monitored channels or the "abnormal" distribution and time evolution of the signal. The term "normal" defines the situation without jamming signal and the "abnormal" corresponds to a spectrum distribution in presence of jamming signals. For this spectrum distribution approach, two different methodologies can be applied to detect an EM attack situation: the supervised "abnormality" detection or the jammer classification.

On the one hand, the supervised detection consists in learning the "normal" environment and extracting a model of this environment. Afterwards, the detection process will be able to recognize an environment which does not belong to the "normality".


On the other hand, the classification consists in learning the environment produced by different jamming devices and extracting models for each attack device. In that case, the detection will consist in comparing the environment with the different models to recognize or not the presence of one of the models [6].

For the approach of detection by statistical spectrum analysis, measurements were performed in different situations (on board train, along track and in train stations) in order to define the laws corresponding to all these "normal" situations and to check if all the situations can belong to a unique model. Both "supervised detection" and "classification" methodologies can be used separately or in addition to each other to improve the detection performance. The advantage of this approach is that it can allow the monitoring of several communication systems by adapting the frequency bands monitored and using adequate antennas.

• Detection by quadratic analysis

The second approach consists of analysing the GMSK IQ constellation with and without jamming. This approach is based on the quadratic data received by the GSM-R terminal. Thanks to the quadratic data, we analyse the Error Vector Magnitude (EVM), which corresponds to the sum of the errors on the sample positions during one GSM-R time slot. The values reached by the EVM and the evolution of these values over time make it possible to efficiently detect the presence of jamming signals [7].

Figure 5. EVM with and without jamming (y-axis: EVM, 0 to 350; x-axis: number of EVM observations, 1 value per burst, 0 to 120; regions labelled "No jamming", "jamming", "No jamming")

However, the method requires taking into account the TDMA properties of the GSM-R in order to check if the occupied and unoccupied time slots can be used for detection. The interest of this method is that the variation of the EVM is really significant in presence of jamming signals even if the power of the jamming signal is 20 dB lower than the GSM-R signal. Then, the jamming signal could be detected even if the communication is not affected, and the reaction to have could be anticipated.

The approach has to be tested in the presence of the unintentional EM noises naturally present in the railway environment. In particular, on board train the catenary-pantograph creates disturbances which can also affect the EVM, but the difference with jamming signals is that the impact on the EVM is really punctual. The method then has to be tested in real railway situations to assess the risk of false detection.

Protecting the Railway Signalling and Communication Systems against Jamming

SECRET aims to assess the real risks involved in EM attacks on the railway network but also has to identify solutions to reach the resilience of the railway systems against EM attacks. Recommendations that may be issued by SECRET are of different types. Firstly, technical recommendations concerning the antennas can be made to reduce the coupling between the jamming devices and the on-board antenna. For example, the use of several GSM-R on board antennas can warrant that one of the antennas will be less affected by the jammer. In parallel, minimum distances between the antennas can be recommended so that one of the antennas is sufficiently decoupled from the jamming system. Obviously, this solution can be inefficient if there are several jammers on board. But this solution could resolve some scenarios. The recommendations can also concern the design of the antennas and their radiation pattern to reduce the coupling with the signal which comes from the interior of the train.

Other recommendations can concern the GSM-R network, such as the possibility to increase the power of the signal in case of loss of communication or to modify the minimum covering level so that the time of disruption would be really short whatever the situation.

In parallel, certain recommendations can concern the whole railway management system. We can notably imagine that in the case of a break in communication the train reduces its speed up to a given distance from the next base station in order to use the proximity with the base station to exchange priority information and avoid an emergency braking.

Finally, the major solution developed by SECRET consists in proposing a dynamic protection solution based on the detection of the attack signals. The principle consists in analysing the information provided by the detection systems to define the best reaction to have and to identify the other telecommunication protocols which could be employed to transmit the priority information.

References

[1] Grassart P., La vie du Rail (19 novembre 2008), Sabotages. Face au defi extremiste, pp. 4-8
[2] Crumley B., French Anarchists Charged With Rail Sabotage, http://www.time.com/time/world/article/0,8599,1858191,00.html
[3] Baker G. (2008), Schoolboy hacks into city's tram system, http://www.telegraph.co.uk/news/worldnews/1575293/Schoolboy-hacks-into-citys-tram-system.html
[4] Surajit Midya, Rajeev Thottappillil, An overview of electromagnetic compatibility challenges in European Rail Traffic Management System, Transportation Research Part C 16 (2008) 515-534
[5] ETSI EN 300 392-1 V1.4.1 (2009-01), Terrestrial Trunked Radio (TETRA); Voice plus Data (V+D); Part 1: General network design
[6] Mili, S.; Sodoyer, D.; Deniau, V.; Heddebaut, M.; Philippe, H.; Canavero, F., Recognition process of jamming signals superimposed on GSM-R radiocommunications, International Symposium on Electromagnetic Compatibility (EMC EUROPE), 2013, pp. 45-50
[7] Mili, S.; Deniau, V.; Sodoyer, D.; Heddebaut, M., Detection of railway signalling jamming signals using the EVM method, AMEREM 2014, Albuquerque, New Mexico, USA, July 27-31, 2014

Biography

Virginie Deniau is a senior researcher at IFSTTAR (The French Institute of Science and Technology for Transport, Development and Networks). She is the scientific leader of the SECRET project funded by the European Community's Framework Program FP7/2007-2013 under grant agreement number "285136". She received her Ph.D in Electronics in 2003 from the University of Lille in France. She worked as an EMC researcher at INRETS (French National Institute for Transport and Safety Research) in 2003 and she joined IFSTTAR in 2004 as a full time researcher. Her research activities are focused on EMC for communication technologies and transports. She was involved in several French and European projects. Ms. Deniau led work packages in several FP6 and FP7 projects dedicated to EMC in the railway domain. She is author and coauthor of several international publications and patents. She is currently an official member of the URSI Commission E (Electromagnetic Environment and Interference).
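
Added example (not part of the original article or of the SECRET project) for the outage estimate described under "Tests Performed on the GSM-R System in SECRET": it links a coverage curve along the track with the received level at which the link is lost in presence of a jammer, then repeats the estimate with a higher covering level, as in the recommendation on the minimum covering level. The coverage curve, the -80 dBm loss level, the 160 km/h speed, the linear interpolation and the +6 dB gain are all constructed assumptions.

```python
"""Outage time in one GSM-R cell, from a coverage curve and a loss level.

Every number here is constructed for illustration; none comes from SECRET.
"""

# Constructed coverage curve: (position in km, received level in dBm).
# Base stations at 0 km and 6 km; the level falls from about -25 dBm next to
# a base station to a mid-distance minimum that stays above -95 dBm.
COVERAGE = [(0.0, -25.0), (0.5, -55.0), (1.0, -65.0), (2.0, -80.0), (3.0, -90.0),
            (4.0, -80.0), (5.0, -65.0), (5.5, -55.0), (6.0, -25.0)]


def outage_intervals(curve, loss_level_dbm):
    """Return merged (start_km, end_km) stretches where level < loss_level_dbm.

    The level is linearly interpolated between curve samples (an assumption).
    """
    intervals = []
    for (x0, l0), (x1, l1) in zip(curve, curve[1:]):
        below0, below1 = l0 < loss_level_dbm, l1 < loss_level_dbm
        if not below0 and not below1:
            continue  # link holds over the whole segment
        start, end = x0, x1
        if below0 != below1:
            # Position where the interpolated level crosses the loss level.
            cross = x0 + (loss_level_dbm - l0) / (l1 - l0) * (x1 - x0)
            if below0:
                end = cross
            else:
                start = cross
        if intervals and start <= intervals[-1][1] + 1e-9:
            intervals[-1] = (intervals[-1][0], end)  # extend the previous stretch
        else:
            intervals.append((start, end))
    return intervals


def outage_seconds(curve, loss_level_dbm, speed_kmh):
    """Time a train at constant speed spends where the link is lost."""
    km = sum(end - start for start, end in outage_intervals(curve, loss_level_dbm))
    return km / speed_kmh * 3600.0


def raise_coverage(curve, gain_db):
    """Countermeasure model (assumption): every point of the curve gains gain_db."""
    return [(x, level + gain_db) for x, level in curve]


if __name__ == "__main__":
    LOSS_LEVEL = -80.0  # constructed: level below which the link drops with the jammer present
    SPEED = 160.0       # km/h, constructed
    for label, curve in (("as deployed", COVERAGE),
                         ("+6 dB coverage", raise_coverage(COVERAGE, 6.0))):
        print(label, outage_intervals(curve, LOSS_LEVEL),
              round(outage_seconds(curve, LOSS_LEVEL, SPEED), 1), "s")
```

The loss level is the quantity the laboratory tests would supply for each jammer type and coupling; the resulting duration is what feeds the risk analysis.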

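
Added example (not code from the article or from SECRET) for the EVM-based detection described under "Detection by quadratic analysis": one EVM value per burst, a threshold learned from jamming-free bursts, and an alarm only when several consecutive bursts exceed it. The signal model (unit-amplitude MSK-like reference samples, Gaussian noise, interference modelled as extra noise 20 dB below the signal), the 6-sigma threshold and the 5-burst persistence rule are assumptions; the persistence rule is there so that a punctual disturbance, like the catenary-pantograph one mentioned in the article, does not raise an alarm.

```python
"""Burst-by-burst EVM monitoring with a persistence rule (simplified model)."""
import cmath
import math
import random
import statistics

SAMPLES_PER_BURST = 148  # one sample per symbol of a GSM normal burst (model choice)


def make_burst(rng, snr_db=30.0, interferer_db=None, transient=False):
    """Build one constructed burst; return (reference, received) sample lists.

    interferer_db: interference power relative to the wanted signal (dB), or None.
    transient: add a short impulsive disturbance to 20 samples of the burst.
    """
    noise_power = 10 ** (-snr_db / 10)
    if interferer_db is not None:
        noise_power += 10 ** (interferer_db / 10)
    sigma = math.sqrt(noise_power / 2)  # standard deviation per I/Q component
    phase, ref, rx = 0.0, [], []
    for n in range(SAMPLES_PER_BURST):
        phase += rng.choice((-1, 1)) * math.pi / 2  # MSK-like +/-90 degree steps
        ideal = cmath.exp(1j * phase)
        error = complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
        if transient and 60 <= n < 80:
            error += complex(rng.gauss(0, 1.0), rng.gauss(0, 1.0))
        ref.append(ideal)
        rx.append(ideal + error)
    return ref, rx


def burst_evm(ref, rx):
    """EVM of one burst: sum of the error magnitudes over its sample positions."""
    return sum(abs(r - s) for s, r in zip(ref, rx))


def learn_threshold(clean_evms, k=6.0):
    """Threshold from jamming-free bursts: mean + k standard deviations."""
    return statistics.mean(clean_evms) + k * statistics.stdev(clean_evms)


def detect(evms, threshold, persistence=5):
    """Return the index of the burst at which an alarm is raised, or None.

    An alarm needs `persistence` consecutive bursts above the threshold, so a
    disturbance confined to one burst is ignored.
    """
    run = 0
    for i, value in enumerate(evms):
        run = run + 1 if value > threshold else 0
        if run >= persistence:
            return i
    return None


def simulate(jam_bursts=(), transient_bursts=(), interferer_db=-20.0, seed=1):
    """Return (evms, threshold): 120 monitored bursts after 50 clean training bursts."""
    rng = random.Random(seed)
    training = [burst_evm(*make_burst(rng)) for _ in range(50)]
    evms = []
    for i in range(120):
        jam = interferer_db if i in jam_bursts else None
        evms.append(burst_evm(*make_burst(rng, interferer_db=jam,
                                          transient=i in transient_bursts)))
    return evms, learn_threshold(training)


if __name__ == "__main__":
    for name, kwargs in (("clean", {}),
                         ("jammed bursts 40-79", {"jam_bursts": range(40, 80)}),
                         ("two transients", {"transient_bursts": (30, 70)})):
        evms, thr = simulate(**kwargs)
        print(name, "threshold=%.2f" % thr, "alarm at burst:", detect(evms, thr))
```

The 120-burst series with interference in the middle mirrors the layout of Figure 5; the EVM scale does not, since the model is normalised to unit amplitude.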