Method For Operating A Railway System, And Vehicle Of A Railway System

Abstract

A method for operating a railway system. Cryptographic data which includes at least one key and/or at least one digital certificate is stored in a storage device of a vehicle of the railway system. The vehicle transmits the cryptographic data to at least one track-side device of the railway system when the vehicle is in communication range of the least one track-side device as part of the train travel. There is also described a corresponding rail vehicle of a railway system.

Claims

1-15. (canceled)

16. A method of operating a railway system, the method comprising: storing cryptographic data in a storage device of a vehicle of the railway system, the cryptographic data including at least one key and/or at least one digital certificate; and transmitting the cryptographic data from the vehicle to at least one track-side device of the railway system when, on occasion of a journey of the vehicle, the vehicle is present within a communication range of the at least one track-side device.

17. The method according to claim 16, which comprises transmitting the cryptographic data wirelessly from the vehicle to the at least one track-side device.

18. The method according to claim 17, which comprises transmitting the cryptographic data by radio communication.

19. The method according to claim 16, which comprises transmitting the cryptographic data from a central device of a public-key infrastructure of the railway system to the vehicle and storing the cryptographic data in the storage device by the vehicle.

20. The method according to claim 16, which comprises providing to the vehicle supplementary information comprising at least one characteristic variables selected from the group consisting of: an identity of the at least one track-side device; a communication address of the at least one track-side device; a location of the at least one track-side device; an extent of the communication range; and a location of a respective line at or after which the cryptographic data must be transmitted from the vehicle to the at least one track-side device.

21. The method according to claim 16, wherein the track-side device is a local management device of the railway system; and the cryptographic data is distributed from the local management device to at least one further local component of the railway system.

22. The method according to claim 16, wherein the cryptographic data is transmitted from the vehicle to the at least one track-side device during the journey of the vehicle.

23. The method according to claim 16, wherein the cryptographic data is encrypted or otherwise protected when it is being transmitted from the vehicle (40) to the at least one track-side device.

24. The method according to claim 16, which comprises: transmitting data from the track-side device or at least one of the track-side devices to the vehicle or another vehicle which is present within the communication range at a given point in time; storing the transmitted data in the storage device of the respective vehicle; and forwarding the data from the respective vehicle at a location beyond the communication range of the at least one track-side device to a central device of the railway system.

25. The method according to claim 16, which comprises implementing procedures comprising a plurality of communication steps on occasion of at least one further journey of the vehicle or at least one further vehicle.

26. The method according to claim 25, wherein the procedures comprising a plurality of communication steps are an update of certificates or a transmission of a certificate black list.

27. A vehicle of a railway system, the vehicle comprising: a storage device having stored therein cryptographic data with at least one key and/or at least one digital certificate; a control device for detecting that the vehicle is present within a communication range of at least one track-side device of the railway system during a journey; and a communication device configured for transmitting the cryptographic data to the at least one track-side device.

28. The vehicle according to claim 27, wherein the communication device is configured for wireless transmission of the cryptographic data from the vehicle to the at least one track-side device.

29. The vehicle according to claim 28, wherein the communication device is a radio communication device.

30. A railway system, comprising at least one vehicle according to claim 27 and a central device configured to transmit the cryptographic data to the at least one vehicle, and wherein the at least one vehicle is configured to store the cryptographic data in the storage device.

31. The railway system according to claim 30, wherein the railway system is configured to provide the vehicle with supplementary information with at least one characteristic variable selected from the group consisting of: an identity of the at least one track-side device; a communication address of the at least one track-side device; a location of the at least one track-side device; an extent of the communication range; and a location of a respective line at or after which the cryptographic data must be transmitted from the vehicle to the at least one track-side device.

32. The railway system according to claim 30, further comprising: a track-side device being a local management device of the railway system; and said local management device being configured to distribute the cryptographic data to at least one further local component of the railway system.

33. The railway system according to claim 30, configured to implement the method according to claim 22.

Description

[0028] The invention is explained in greater detail below with reference to exemplary embodiments. To this end,

[0029] FIG. 1 shows in a first schematic illustration, for the purpose of explaining an exemplary embodiment of the inventive method, an exemplary embodiment of the inventive railway system including an exemplary embodiment of the inventive vehicle,

[0030] FIG. 2 shows a second schematic illustration for the purpose of further explaining the exemplary embodiment of the inventive method, and

[0031] FIG. 3 shows a third schematic illustration for the purpose of explaining a further exemplary embodiment of the inventive method.

[0032] In the figures, the same reference signs are used for identical or functionally identical components.

[0033] FIG. 1 shows in a first schematic illustration, for the purpose of explaining an exemplary embodiment of the inventive method, an exemplary embodiment of the inventive railway system including an exemplary embodiment of the inventive vehicle. Illustrated is a railway system 10 comprising on one side a central device 20, which can also be referred to as a central communication infrastructure or control center. In the illustrated exemplary embodiment, the central device 20 comprises a central management and/or control device 21 which is used to manage and/or control the railway system 10. Also provided for the purpose of realizing a public-key infrastructure are a Registration Authority 22 (RA) and a Certification Authority 23 (CA). Together with further components if applicable, the Registration Authority 22 and the Certification Authority 23 form the public-key infrastructure, i.e. a system which can issue, distribute and check digital certificates. The certificates issued within the public-key infrastructure are used in this case within the railway system 10 for the purpose of protecting computer-based communication.

[0034] The central device 20 of the railway system 10 further comprises a central communication device 24, which provides or allows communication via radio in the illustrated exemplary embodiment. The components 21, 22, 23 and 24 of the central device 20 of the railway system 10 are indirectly or directly connected to each other by wireless or wire-based technical communication means. In this case, by way of example, FIG. 1 shows an architecture in which the Registration Authority 22 and the Certification Authority 23 are directly connected to each other and indirectly connected via the central communication device 24 to the central management and/or control device 21.

[0035] In addition to the central device 20, the railway system 10 also comprises a decentral device 30 which, in the context of the described exemplary embodiment, comprises components that control and/or monitor the fail-safety of a passing point or a passing track 51 in relation to a route 50, i.e. a track or rails, such that any meeting of vehicles on the route 50 is prevented or vehicles meeting on the route 50 in the form of the single-track section can pass each other at the passing point 51.

[0036] Specifically, the decentral device 30 in the illustrated exemplary embodiment comprises a fail-safe signaling device 31, which can be e.g. a signal and/or an element controller that controls a track switch, and a local management device 32 which may be embodied as e.g. a local Registration Authority or a local Certification Authority, i.e. likewise forms a component of the public-key infrastructure. According to the illustration in FIG. 1, the local management device 32 is linked to a decentral communication device 33 in the form of a radio transfer device and together with this forms a track-side device 35.

[0037] It should be noted that the decentral device 30, which can also be referred to as an interlocking island, may comprise further components which are not shown in FIG. 1 for reasons of clarity. This relates to e.g. a decentral interlocking facility and if applicable further fail-safe signaling devices, which are preferably likewise connected to each other by technical communication means.

[0038] In order to ensure the safety of the data transfer and therefore ultimately the safety of the operation of the railway system 10, information or messages or data sent between the decentral devices 30 of the railway system 10 are digitally signed and encrypted. By virtue of the public-key infrastructure, an asymmetric encryption system is realized here in which the sending unit requires the public key of the respective receiver in each case in order to perform an encrypted transmission. In order to prevent corruption, it must be ensured here that the relevant key is actually the respective public key of the respective receiver, and not a forgery by an attacker or fraudster. In order to achieve this, use is made of digital certificates which confirm the authenticity of a public key and optionally the permitted scope of application and validity thereof. The digital certificate itself is protected here by a digital signature, whose authenticity can be checked using the public key of the issuer of the certificate. In order to ensure the continuous safety of the railway system 10, it is necessary or appropriate for keys and certificates that are used to be changed at regular intervals. This therefore applies likewise in relation to the corresponding keys and/or certificates of the decentral device 30 of the railway system 10.

[0039] In the context of the exemplary embodiment described here, it is now assumed that the decentral device 30 is situated at a location which is far away from the central device 20 of the railway system 10 and to which no communication connection exists. This can apply to mine railways, for example, which operate in large remote areas whose access by technical communication means for the purpose of linking the decentral device 30 to the central device 20 would incur disproportionately high costs or is impractical or impossible for other reasons. Even if the decentral device 30 is able autonomously to ensure the fail-safety in the region of the passing point 51, the problem exists in relation to the current encryption system that, in the absence of a link by technical communication means to the central device 20, an update or replacement of cryptographic data in the decentral device 30, in particular in the form of keys and/or certificates, is not readily possible. Corresponding cryptographic data could still be updated or replaced by maintenance staff in the context of maintenance measures. However, this would necessitate a trip by the maintenance staff to the relevant location and would therefore be comparatively expensive and resource-intensive.

[0040] In order to allow a transmission of cryptographic data from the central device 20 of the railway system 10 to the decentral device 30 of the railway system 10 in this situation, it is now advantageously possible to use a vehicle 40 of the railway system 10 as part of an automated sequence. Said vehicle 40 has an on-board control device 41, an on-board storage device 42 and an on-board communication device 43. The communication device 43 is likewise embodied for communication via radio in this case, specifically such that a data transfer via radio is possible between the decentral communication device 33 and the on-board communication device 43. The range of communication or transfer that is provided here by the communication devices and communication protocols and by the type of data transmission (unidirectional or bidirectional) in use is indicated in FIG. 1 in the form of a receiving region 34 of the decentral communication device 32. It is assumed here that the decentral communication device 32 only has a short or medium (transmission) range and therefore it is only possible to establish a communication connection between the on-board communication device 43 and the decentral communication device 33 within the circular receiving region 34, whose radius may be one hundred meters or several hundred meters, for example.

[0041] Cryptographic data is stored in the storage device 42 of the vehicle 40 and comprises at least one key and/or at least one digital certificate. When the vehicle 40 moving in the direction of travel 45 approaches the decentral device 30 to the extent that it is situated in communication range of the decentral communication device 33, and therefore communication between the decentral communication device 33 and the on-board communication device 43 is possible, the cryptographic data can be read out from the storage device 42 and transmitted via the decentral communication device 33 to the track-side device 35 or to the local management device 32 thereof. For this purpose, the control device 41 of the vehicle 40 is so embodied as to detect that the vehicle 40 has moved close enough to the track-side device during its journey. In order to achieve this, the control device 41 can use supplementary information which is preferably likewise saved in the storage device 42 and which preferably comprises as a characteristic variable at least the identity of the at least one track-side device, a communication address of the at least one track-side device, the location of the at least one track-side device, the extent or distance of the communication range and/or the location of the line 50 at or after which the cryptographic data must be transmitted from the vehicle 40 to the track-side device 35. The vehicle 40 or its storage device 42 can therefore advantageously be used to transport the cryptographic data, whereby a decentral communication device 33 having a comparatively shorter communication range can be used by the decentral device 30 in particular.

[0042] In advance of the journey of the vehicle 40 to the track-side device 35, the cryptographic data can be transmitted e.g. from the Registration Authority 22, the Certification Authority 23 or the central management and/or control device 21 of the central device 20, e.g. likewise via radio, to the vehicle 40 where following receipt by the on-board communication device 43 it is stored in the storage device 42 by means of the control device 41. This step therefore takes place at a time point prior to the situation illustrated in FIG. 1, i.e. an earlier time point when the vehicle 40 is located closer to the central device 20 and therefore a corresponding transfer via radio is possible.

[0043] In the situation illustrated in FIG. 1, the vehicle 40 has moved just close enough to the track-side device for the cryptographic data to be transmitted from the vehicle 40 the track-side device 35. It is then possible for the cryptographic data to be distributed from the local management device 32 to at least one further local component of the railway system 10 in the form of the fail-safe signaling device 31 and further fail-safe signaling devices if applicable. The transfer or transmission of the cryptographic data from the vehicle 40 to the track-side device 35 or the local management device 32 thereof advantageously takes place here during the journey of the vehicle 40, such that retardation or interruption of the journey of the vehicle 40 is not necessary. This means that the cryptographic data can be transmitted without adversely affecting the regular operation of the vehicle 40. In this case, the transmission of the cryptographic data from the vehicle 40 to the at least one track-side device is advantageously encrypted or otherwise protected, such that attacks or corruption of the cryptographic data are prevented.

[0044] FIG. 2 shows a second schematic illustration in order to further explain the exemplary embodiment of the inventive method. The illustration in FIG. 2 corresponds to a sequence diagram, the central device 20 of the railway system being shown on the left-hand side and comprising as per the exemplary embodiment in FIG. 1 the central management and/or control device 21, the Registration Authority 22, the Certification Authority 23 and the central communication device 24. Correspondingly, the decentral device 30 is illustrated on the right-hand side of FIG. 2 and comprises the track-side device 35 and the fail-safe signaling device 31 as per the exemplary embodiment in FIG. 1. Further fail-safe signaling devices 31a and 31b are also indicated in FIG. 2.

[0045] A transmission of cryptographic data from the central device 20 to the decentral device 30 can now take place in such a way that, for example, the relevant cryptographic data is transmitted e.g. from the Certification Authority 23 in a message 60 to the central communication device 24. From the central communication device 24, the cryptographic data is transmitted in a message 61 via radio to the on-board communication device 43 of the vehicle 40 and is stored in the storage device 42 via intermediate switching of the control device 41. The vehicle 40 subsequently travels in the direction of travel 45 towards the decentral device 30 and at some point reaches the communication range of the track-side device 35. This is detected by the control device 41, whereupon the cryptographic data is transmitted via radio in a message 62 to the track-side device 35, which receives this as a message 63. For this transmission step, which is therefore temporally independent of the transfer of the cryptographic data to the vehicle 40, the cryptographic data is depicted and identified by the reference sign 70 in FIG. 2. Notwithstanding this, the relevant cryptographic data is also completely or partially contained in the messages 60, 61 and 63 and in the subsequent messages 64, 65 and 66, wherein for the sake of clarity a corresponding graphical depiction of the cryptographic data is omitted for these messages.

[0046] From the track-side device 35, the cryptographic data or the parts thereof which are relevant to the respective components are transmitted by means of the messages 64, 65 and 66 to the fail-safe signaling devices 31, 31a and 31b. As a result of this, it is subsequently possible for said devices to continue to communicate securely with each other on the basis of updated or replaced keys and/or certificates, this being indicated in FIG. 2 by means of messages 67, 68 and 69.

[0047] FIG. 3 shows a third schematic illustration in order to explain a further exemplary embodiment of the method according to the invention. The illustration in FIG. 3 corresponds essentially to that in FIG. 2, a separate illustration of the individual components being omitted in respect of the central device 20. This is intended to indicate that these components can themselves be variously embodied.

[0048] In the exemplary embodiment according to FIG. 3, an exchange of communication first takes place between the fail-safe signaling device 31 and the further fail-safe signaling devices 31a, 31b and the track-side device 35 (or the local management device 32 thereof) by means of messages 80, 81 and 82. These may be, for example, queries in the context of public-key infrastructure procedures, which are answered by the track-side device 35 in the form of messages 83, 84 and 85. The fail-safe signaling devices 31, 31a and 31b subsequently exchange messages 86, 87, 88 and 89 among themselves, said messages being protected by keys and digital certificates.

[0049] Data or an information query 71 is now transmitted in a message 90 from the track-side device 35 to the vehicle 40. In the context of the exemplary embodiment described, it is assumed here that this takes place in the opposite direction to a transfer of cryptographic data from the vehicle 40 to the local management device 32 as explained above in connection with FIG. 2. Alternatively, this can however take place in a manner which is temporally independent of the corresponding transfer of cryptographic data, and the information query 71 may also be transmitted to a different vehicle of the railway system 10. In this case, the information query may relate to cryptographic procedures or realize corresponding procedures, e.g. a request for an update of certificates, or be unrelated to cryptographic procedures, e.g. a transfer of diagnostic data.

[0050] The transmitted data is stored in the storage device 42 of the vehicle 40 and is forwarded from the vehicle 40 beyond the transfer range of the track-side device 35 to the central device 20 of the railway system 10. This is indicated by the messages 92 and 93 in FIG. 3. An exchange of communication in the form of messages 95 and 96 subsequently takes place in the central device 20, messages 97 and 98 being exchanged in the decentral device 30 as the same time. A message 99 is then used to transmit an information reply 72 from the central device 20 to a further vehicle 40a, which is therefore not the vehicle 40. In a similar manner to the vehicle 40, the further vehicle 40a has a further control device 41a, a further storage device 42a and a further communication device 43a and moves in a direction of travel 45a towards the decentral device 30. As soon as the further vehicle 41a is in the communication range of the track-side device 35, it transmits the information reply 72 by means of messages 100/101 to the track-side device 35 or the local management device thereof. The latter transmits the information reply or a respective part thereof in messages 102, 103 and 104 to the fail-safe signaling devices 31, 31a and 31b, whereby these can be supplied with necessary information or updates. This means that it is advantageously also possible to perform procedures comprising a plurality of communication steps, e.g. in the form of an update of certificates or a transmission of a certificate black list, by means of multiple journeys by vehicles 40, 40a. It is thereby also possible to realize complex handshake procedures, for example. The corresponding data transported by the vehicles 40, 40a is protected again here, e.g. using a transport key.

[0051] In accordance with the foregoing explanations in connection with the exemplary embodiments as described above of the inventive method, the inventive vehicle and the inventive railway system, these have the advantage in particular that they allow a transmission of in particular cryptographic data from a control center to decentral track-side devices even in the absence of a direct communication link between them. Automatic transport of the corresponding data is effected here by means of vehicles or trains using storage devices installed therein. The relevant data is then transmitted or downloaded at the respective remote location, such that a maintenance team is advantageously not required on site. In this way, the method can advantageously execute completely automatically and does not require any maintenance action. It is therefore also possible to perform key replacement more frequently, thereby increasing the IT safety without incurring additional costs. Furthermore, it is also advantageously possible to report the state of the local IT security at the remote location to the control center.