Securing the Signal: The Complete Guide to EN 50159 Safety Communication Standards

What is EN 50159?

EN 50159 is the European Standard titled “Railway applications – Communication, signalling and processing systems – Safety-related communication in transmission systems.” It defines the safety requirements for transmitting vital data between railway safety-critical equipment (such as an Interlocking unit and a Train Control computer).

In modern railways, systems rarely operate in isolation. They communicate over copper wires, fiber optics, GSM-R, or even public networks. EN 50159 ensures that if the transmission medium (the cable or wireless signal) is corrupted, hacked, or delayed, the safety of the train operation is not compromised. It serves as the bridge between the safety software (EN 50128) and the hardware safety (EN 50129).

The Evolution: From Part 1 & 2 to a Single Standard

Historically, the standard was split into two parts: EN 50159-1 (for Closed Transmission Systems) and EN 50159-2 (for Open Transmission Systems). In 2010, these were merged into a single document. This unification reflects the reality that the boundary between “closed” and “open” networks is becoming increasingly blurred in modern digital railways.

Classification of Transmission Systems

EN 50159 categorizes transmission systems based on the level of control the operator has over the network and the risk of unauthorized access. This classification dictates the level of defense required.

• Category 1 (Closed System): The system is completely under the control of the railway operator. The number of connectable participants is fixed, and the risk of unauthorized access is considered negligible (e.g., a dedicated copper cable inside a secure cabinet).
• Category 2 (Open System – Controlled): The risk of unauthorized access exists, but is low. The operator does not fully control the medium, but measures are in place to restrict access.
• Category 3 (Open System – Uncontrolled): The system uses public or shared networks (like the Internet or public radio frequencies). Unauthorized access is possible, and the integrity of the transmission is not guaranteed by the medium itself.

Threats and Defenses

The standard identifies specific threats that can occur during data transmission and mandates cryptographic or logical defenses to neutralize them. If a safety message is altered, the system must detect it and revert to a safe state (usually stopping the train).

The 7 Fundamental Threats

To comply with EN 50159, a system must defend against:

1. Repetition: A valid message is recorded and replayed later.
2. Deletion: A message is removed from the stream.
3. Insertion: A fake message is injected by an intruder.
4. Re-sequencing: Messages arrive in the wrong order.
5. Corruption: Data bits are altered (noise or malice).
6. Delay: The message arrives too late to be useful.
7. Masquerade: A non-safe entity pretends to be a safe source.

Comparison: Closed vs. Open Transmission

The requirements for a transmission system vary drastically depending on whether the environment is trusted (Category 1) or untrusted (Category 3).