04:43 <kyak> mth: safety and security are interrelated, but they are not the same thing. The system is safe (to a certain "level", this is part of the standard) when it satisfies all the "safety requirements".

04:45 <kyak> if the system is secure to attackers, but fails to satisfy safety requirements ("not safe"), this is just as bad (or arguably even worse) than the "safe" system which is not "secure"

04:50 <mth> I agree they're not being the same thing, but shouldn't security be considered as one of the safety requirements?

04:51 <kyak> It should, and it kind of what starts happening now in the related industries. Although very slow

04:52 <kyak> airplanes were designed in 80s and 90s when the (cyber) security was much less important than functional safety

04:52 <kyak> the situation is completely different now

04:52 <mth> in an airplane though, it is relatively easy to spot someone messing with the hardware

04:53 <mth> in a rail system with thousands of kilometers of rail and cables, it's impossible

04:55 <mth> copper theft has been an issue for rail safety already, so data cables aren't safe

04:57 <kyak> yeah, that's probably a bigger issue than malicious hacker trying to pretend to be a signalling equipment by crackign MD4 :)

04:58 <mth> yes and no: there will be more potential attackers interested in making a quick buck stealing copper, but the potential damage from sending fake messages could be much higher

04:59 <mth> even if it wouldn't cause any accidents, it could still be a massive denial of service

04:59 <kyak> it is more probable that a dead cow will be laying on a rail than this. So they try to think about more realistice threats, which use to be from natural factors rather than from malicious factors

05:00 <mth> a dead cow is easy to spot though; how many hours will it take to bisect the location of a device that only transmits once in a while?

05:02 <kyak> both can be very hard to spot :)

05:06 <kyak> don't get me wrong, i'm not saying that security is not needed or not important. Just saying that it is still a very long way for the industries to go. It took them a few dozen years to figure out the safety, and at the cost of human lives