European Rail Traffic Management System (ERTMS) is a widely adopted standard unifying train management in the EU. While the standard allows for use cases like fully autonomous driving, cybersecurity has been an afterthought. Risk analysis enables the systematic assessment and prioritization of threats and mitigations. To date, it remains unclear which threats are most significant in ERTMS. This study systematically models components of ERTMS and analyzes their security in light of threats identified in the underlying technologies. The results suggest a concerning state of ERTMS, despite its critical role in railway safety. The use of legacy standards like EuroBalises and GSM-Railway (GSM-R) introduces vulnerabilities that persist across minimal ERTMS implementations, deployments incorporating various optional safety measures, and prospective future evolutions of the system, e.g., adopting Future Railway Mobile Communication System (FRMCS). Fully transitioning to European Train Control System (ETCS) level 2 was identified as the most significant measure for advancing ERTMS cybersecurity. The results indicate that a shift of ERTMS toward security is required to ensure availability and safe operation. While the chosen methodology proved its feasibility and shows remaining weaknesses of ERTMS, future work is needed to develop railway-centric adaptations to improve the quantification and evaluation of the computed risks.