CONCEPT FOR MONITORING NETWORK TRAFFIC COMING INTO A SIGNAL BOX
20200236028 · 2020-07-23
Inventors
Cpc classification
H04L43/0876
ELECTRICITY
B61L27/20
PERFORMING OPERATIONS; TRANSPORTING
B61L19/06
PERFORMING OPERATIONS; TRANSPORTING
International classification
B61L19/06
PERFORMING OPERATIONS; TRANSPORTING
Abstract
A device for monitoring network traffic arriving at a signal box of a railway operating system over a communication network includes a network TAP for reading the network traffic arriving at the signal box over the communication network and outputting the read arriving network traffic to a processor in order to check the read arriving network traffic. A network separating device separates the signal box from the communication network. The processor is configured to actuate the network separating device on the basis of the result of the check of the read arriving network traffic in such a way that the network separating device separates the signal box from the communication network. A corresponding method and a computer program product are also provided.
Claims
1-10. (canceled)
11. An apparatus for monitoring network traffic arriving at a signal box of a railway operating system over a communication network, the apparatus comprising: a network TAP for reading the network traffic arriving at the signal box over the communication network; a network separating device for separating the signal box from the communication network; and a processor for receiving the read arriving network traffic from said network TAP and for checking the read arriving network traffic, said processor configured to control said network separating device, based on a result of the checking of the read arriving network traffic, by causing said network separating device to separate the signal box from the communication network.
12. The apparatus according to claim 11, wherein said processor for checking the read arriving network traffic is configured to check a command stream included by the read arriving network traffic for disallowed commands and, upon recognition of a disallowed command, to control said network separating device by causing said network separating device to separate the signal box from the communication network.
13. The apparatus according to claim 12, wherein said processor for checking the command stream is configured to compare commands of the command stream with reference commands of a negative command list, in order to recognize disallowed commands.
14. The apparatus according to claim 11, which further comprises a protocol device for protocolling the read network traffic.
15. The apparatus according to claim 11, wherein said network separating device is configured to separate the signal box physically from the communication network.
16. The apparatus according to claim 11, which further comprises: a command feed device for feeding a test command into the arriving network traffic in order to test said processor; said processor being configured, upon recognition of the test command in a context of the checking of the read arriving network traffic, to carry out no control of said network separating device causing said network separating device to separate the signal box from the communication network.
17. The apparatus according to claim 16, wherein: said processor is configured, upon recognition of the test command in the context of the checking of the read arriving network traffic, to send a success message to said command feed device that the test command has been recognized; and said command feed device is configured, upon an absence of a success message after feeding-in of the test command, to control said network separating device causing said network separating device to separate the signal box from the communication network.
18. A method for monitoring network traffic arriving at a signal box of a railway operating system over a communication network, the method comprising the following steps: reading the network traffic arriving at the signal box over the communication network; checking the read arriving network traffic; and separating the signal box from the communication network based on a result of the checking of the read arriving network traffic.
19. The method according to claim 18, which further comprises reconnecting the signal box to the communication network after a separation of the signal box from the communication network and after an expiration of a further pre-determined time span.
20. A non-transitory computer program product, comprising program code for carrying out the method according to claim 18 when the computer program is carried out on a computer.
Description
[0093] The above-described properties, features and advantages of this invention and the manner in which they are achieved are made more clearly and distinctly intelligible with the following description of the exemplary embodiments which are described in greater detail making reference to the drawings, wherein:
[0094]
[0095]
[0096]
[0097]
[0098] In the following, the same reference signs can be used for the same features.
[0099]
[0100] The first apparatus 101 comprises:
[0101] a network TAP 103 for reading the network traffic arriving at the signal box via the communication network and for outputting the read arriving network traffic to a processor 105 for checking the read arriving network traffic,
[0102] a network separating device 107 for separating the signal box from the communication network,
[0103] wherein the processor 105 is configured, on the basis of a result of the checking of the read arriving network traffic, to control the network separating device 107 such that the network separating device 107 separates the signal box from the communication network.
[0104]
[0105] According to one embodiment, the communication network 113 is the Internet.
[0106]
[0107] The operating workstation 115 is connected to the communication network 113 via a further VPN router 117.
[0108] At this point, it should be noted that the further VPN router 117, the Internet as a possible communication network 113 and the VPN router 111 are, according to one embodiment, not necessarily required. According to one embodiment, the apparatus 101 is installed in the local network of a customer and therefore, for example, does not necessarily have to be connected to the signal box 109 via the Internet and the VPN router.
[0109] The network TAP 103 is connected between the VPN router 111 and the signal box 109.
[0110] Furthermore, the network separating device 107 is connected between the network TAP 103 and the signal box 109.
[0111] An exemplary manner of functioning of the first apparatus is described here:
[0112] The network TAP 103 reads a command stream which is sent by the VPN router 111 to the signal box 109 and outputs the read command stream to the processor 105. Thus, the network TAP 103 reads the network traffic (command stream) arriving at the signal box 109.
[0113] The processor 105 checks the command stream, which according to one embodiment is transmitted in the form of PDI and/or SBI telegrams, for disallowed commands, disallowed command sequences or disallowed command types, for example a command release.
[0114] If the processor 105 recognizes such a command type or command sequence or a disallowed command, the processor 105 controls the network separating device 107 such that the network separating device 107 separates the network connection between the network TAP 103 and the signal box 109. By this means, the signal box 109 is separated from the communication network 113.
[0115] It is typically the case that operating actions that are undertaken using the operating workstation 115 and have an effect on a state of a railway track stretch (not shown) of the railway operating system are monitored by the signal box 109, which assumes the responsibility for safety before a change to signals or routes or movement releases takes place. This typically applies for all commands except for those which are identified with command release. Such commands override the signal box 109.
[0116] By way of the provision of such command releases, it should be possible, in the event of a fault, to continue a train operation with limited safety and possibly to lift system conditions in the signal box 109 that have led to a blocking.
[0117] By this means, however, safety functions which are installed in the signal box 109 can be circumvented, and this can represent an increased risk in the case of an intentional or unintentional incorrect operation. This applies, above all, if such commands can be initiated via a remote control intentionally or unintentionally.
[0118] However, since the remote control, that is, for example, the connection between the operating workstation 115 and the signal box 109, is or will be configured or designed only for situation monitoring and, in particular, is not provided for carrying out command release instructions, command issuings of the type command release must be either completely prevented or at least have their effect suppressed. Care should be taken, in particular, that a monitoring device is not put out of operation.
[0119] In the context of new safety legislation, additional protective measures will be required, but at the same time customers require new functionalities. This situation of two contradictory demands is taken into account by the concept according to the invention.
[0120] This is because the command stream which is sent, for example, by the operating workstation 115 via the communication network 113 to the signal box 109 is read by the network TAP 103 and is output to the processor 105 for the purpose of checking. The processor 105 can thus advantageously check this command stream for commands of the type command release and, on recognition of such a command, can activate the network separating device 107.
[0121] By this means, therefore, in particular, the technical advantage is achieved that a corresponding intended or unintended incorrect operation does not lead to increased endangerment, or at least that the corresponding risk can be reduced.
[0122] Since the network TAP 103 is not visible in the network, it cannot be attacked and thereby possibly put out of operation.
[0123] Thus, the signal box 109 can be reachable via the communication network 113, which is required, for example, by the customer.
[0124] At the same time, however, additional protective measures required by the new safety environment are also efficiently implemented.
[0125] Thus, according to the invention, two actually contradictory requirements can still be fulfilled.
[0126]
[0127] The second apparatus 201 is configured substantially similarly to the first apparatus 101 according to
[0128] In addition to the apparatus 101 according to
[0129] The network TAP 103 is thus configured to output the read network traffic to the protocol device 205.
[0130] The further elements shown in
[0131] By means of the protocol device 205, it is advantageously made possible to show, even at a later point in time, whether the command stream included disallowed commands.
[0132] For example, it is provided that the protocol device 205 is configured to protocol a separation of the signal box 109 from the communication network 113.
[0133] Protocolling comprises, for example, storing.
[0134]
[0135] The third apparatus 301 is configured substantially similarly to the second apparatus 201 according to
[0136] In addition to the second apparatus 201 shown in
[0137] According to this embodiment, the processor 105 is configured, on recognition of the test command in the context of the checking of the read arriving network traffic to carry out no control of the network separating device 107 such that the network separating device 107 separates the signal box 109 from the communication network 113.
[0138] In one embodiment it is provided that the third apparatus 301 does not comprise the protocol device 205. According to this embodiment, the third apparatus 301 is configured substantially similarly to the first apparatus 101 according to
[0139] In one embodiment it is provided that the processor 105 is configured, on recognition of the test command in the context of the checking of the read arriving network traffic, to send a success message to the command feed device 303 that the test command has been recognized, wherein the command feed device 303 is configured, in the absence of a success message after feeding in of the test command, in particular in the absence of a success message after a pre-determined timespan, for example a maximum of 3 s, has expired after feeding in of the test command, to control the network separating device 107 such that the network separating device 107 separates the signal box 109 from the communication network 113.
[0140] According to one embodiment, an apparatus for monitoring a network traffic arriving at a signal box of a railway operating system via a communication network comprises the signal box.
[0141] In one embodiment, an apparatus for monitoring a network traffic arriving at a signal box of a railway operating system via a communication network does not comprise the signal box.
[0142]
[0143] reading 401 the network traffic arriving at the signal box via the communication network,
[0144] checking 403 the read arriving network traffic,
[0145] separating 405 the signal box from the communication network on the basis of a result of the checking of the read arriving network traffic.
[0146] According to one embodiment, it is provided that the method shown and described in relation to
[0147] This therefore means, for example, that the reading 401 is carried out by means of the network TAP 103.
[0148] The network TAP 103 outputs, for example, the read network traffic to the processor 105.
[0149] The checking 403 is carried out, for example, by means of the processor 105.
[0150] The separation 405 is carried out, for example, by means of the network separating device 107. For this purpose, the processor 105 controls the network separating device 107 accordingly.
[0151] In one embodiment, it is provided that after the expiry of a further pre-determined timespan, the signal box 109 is again connected to the communication network 113.
[0152] This therefore means, for example, that the network separating device 107 is configured to connect the signal box 109 to the communication network 113 again after the expiry of a pre-determined timespan.
[0153] This therefore means, for example, that the processor 105 is configured to connect the signal box 109 to the communication network 113 again after the expiry of a pre-determined timespan.
[0154] According to one embodiment, it is provided that the network separating device 107 is configured to separate the signal box 109 from the communication network 113 reversibly.
[0155] In one embodiment, it is provided that the network separating device 107 is configured to separate the signal box 109 from the communication network 113 irreversibly.
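As an added illustration, not code from the application, a Python simulation of the functioning described in [0112] to [0114], the protocol device of [0131] to [0133], the test command watchdog of [0139] and the reconnection of [0151] to [0154]: the negative-list check, the 3 s success-message deadline and the reversible separation follow the text, while the command names, the single-string telegram representation and the reconnect timespan are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed values: "command release" as disallowed command type and the 3 s
# success-message deadline follow the text; the telegram shape (one command-type
# string per telegram), test command name and reconnect timespan are assumptions.
NEGATIVE_LIST = {"COMMAND_RELEASE"}   # reference commands of the negative list
TEST_COMMAND = "SELFTEST"             # fed in by the command feed device 303
ACK_DEADLINE_S = 3.0                  # success message expected within 3 s
RECONNECT_AFTER_S = 60.0              # further pre-determined timespan

@dataclass
class Separator:
    """Network separating device 107 between TAP 103 and signal box 109 (reversible)."""
    connected: bool = True
    separated_at: Optional[float] = None

    def separate(self, now: float) -> None:
        self.connected, self.separated_at = False, now

    def tick(self, now: float) -> None:
        # Reconnect the signal box once the further timespan has expired.
        if not self.connected and now - self.separated_at >= RECONNECT_AFTER_S:
            self.connected, self.separated_at = True, None

@dataclass
class Processor:
    """Processor 105; `log` stands in for protocol device 205, `acks` for success messages."""
    sep: Separator
    log: list = field(default_factory=list)
    acks: list = field(default_factory=list)

    def check(self, now: float, cmd: str) -> str:
        self.log.append((now, "READ", cmd))           # protocolling of the read traffic
        if cmd == TEST_COMMAND:                        # test command: acknowledge, never separate
            self.acks.append(now)
            return "test-ok"
        if cmd in NEGATIVE_LIST:                       # disallowed command recognised
            self.sep.separate(now)
            self.log.append((now, "SEPARATED", cmd))   # protocol the separation as well
            return "separated"
        return "passed"

def feed_device_poll(proc: Processor, fed_at: float, now: float) -> bool:
    """Command feed device 303: separate if no success message arrived within the deadline."""
    acked = any(fed_at <= t <= fed_at + ACK_DEADLINE_S for t in proc.acks)
    if not acked and now >= fed_at + ACK_DEADLINE_S:
        proc.sep.separate(now)
        proc.log.append((now, "SEPARATED", "no success message for test command"))
    return acked
```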
[0156] Although the invention has been illustrated and described in detail based upon the preferred exemplary embodiments, the invention is not restricted by the examples given and other variations can be derived therefrom by a person skilled in the art without departing from the protective scope of the invention.