Security Architect

The I-ICT service supports Infrabel's managements and services for everything related to IT and telecommunications (design, delivery, support, management and maintenance).
Within the latter, the 'Railways Infrastructure Install' cell is an office dedicated to the automation and digitalisation of asset management processes (mainly signalling) ranging from design/definition to commissioning, including parameterisation (data preparation), laboratory testing, installation and field testing in safety missions (example: TBL1+ and, ETCS (European Train Control System)), railway infrastructure expansion and renewal (major modernisations of signalling equipment).
The 'Railways Infrastructure Install' cell realises, maintains, supports contemporary and user-friendly web (or not), mobile (or not) applications and microservices, custom-developed or packages, both centrally and in the field.

For this mission, the 'Railways Infrastructure Install' cell needs a Security architect (& devops) for the KMC application and possibly for various other Signalling and other projects of this cell.

Description of the KMC application :

The Level 2 ETCS, already in use on the high-speed lines L3 and L4, is currently being deployed on Infrabel's conventional network. The implementation of ETCS 2 and any other subsequent evolution of ETCS that uses (GSM-R) (e.g. ETCS Level 3) to exchange security data requires continuous and efficient management of encryption keys used to secure communications between trains and infrastructure.
Any communication for the exchange of data between an ETCS train (OBU for on-board equipment) and the infrastructure's ETCS equipment (RBC for Radio Bloc Centre) is therefore encrypted and always starts with an authentication procedure between the OBU and the RBC.
To enable this authentication mechanism and subsequent encryption of data exchange, the same key, a KMAC key, must first be loaded into the train's ETCS equipment (i.e. OBU) and the infrastructure's ETCS equipment (i.e. WICs).
The tool for managing KMAC keys is called a KMC (Key Management Centre).
The concept of KMAC key management includes:

• Key generation;
• Exchange and distribution of keys;
• Updating keys (e.g. extending validity);
• Deletion of keys;
• Key archiving.

Tasks

The following tasks are involved,
For the KMC project (and if necessary for other applications/projects) :

• Define the technical (and architectural) solutions for the application.
• Write the required technical documentation.
• Work closely with other members of the development team and other I-ICT agencies involved.
• Write, based on the functional and non-functional requirements of the business and ICT verbally formulated during the working groups, the technical user stories/technical tasks in Jira based on the template applicable in the cell.
• (Participating in the development of new functionalities).
• Propose technical improvements.
• Conduct and manage technical impact assessments and risk assessment.
• Assess whether certain applications fall within the scope of the NIS.
• Participate in the improvement of design and implementation processes (Devops/DevSecOpS/SLDC).

For KMC in particular, the duties of the Security (& Devops) Architect will involve :

• distribution with variant on subgroup 038, automatic (or at least assisted) distribution to a specific RBC and foreign RBCs,
• evaluation and possible hardening of the chosen platform,
• evaluation of the design and deployment processes (Devops/DevSecOpS/SLDC, recommendation integration CISO),
• assessment whether the MVP/offline and/or online KMC falls within the scope of the NIS,
• the review and continuation of a risk assessment of the entire KMC scope,
• review of exchange protocols,
• event/incident management,
• participation/contribution to FMEA (Failure Modes and Effects Analysis),
• participation in scrum ceremonies.

Work schedule

• Part-time 80%

Technical skills

• Knowledge in cryptography.
• Knowledge in PKI.
• Knowledge Cyber Risk Management, ISO27001, NIS.
• 1 expert security architect (minimum 9 years' experience in technical analysis and/or software architecture) with the following desired skills :
• Knowledge Agile, Scrum,
• knowledge of Jira, Confluence,
• experience in analysing applications to be developed and integrated into an existing IT landscape,
• knowledge of Java, Jenkins, Git,
• knowledge of CI/CD, Devops/DevSecOps,
• knowledge of Enterprise Architect is a plus,
• Knowledge of HSM,
• Knowledge of KMS is a plus,
• Knowledge of railways, TSI interoperability subset 038, 114, 137 is a plus.
• The 3 ETCS Subsets references are available on Unisig's European Railway Agency website (www.era.europa.eu/) below:
• [1] Off-Line Key Management FIS, ERTMS/ETCS Subset-038, issue 3.1.0.
• [2] KMC-ETCS Entity Off-line KM FIS, ERTMS/ETCS Subset-114, issue 1.1.0.
• [3] On-line Key Management FFFIS, ERTMS/ETCS Subset-137, issue 1.0.0.

Soft skills

The soft skills are as follows:

• Demonstrates autonomy while enjoying teamwork.
• Synthetic and rigorous.
• Agile mind and sense of quality.
• Can bring new ideas to the Agile team while being open to the ideas of others.
• Highly sociable, available and results-oriented.
• Communication strong, flexible, transparent, committed, respectful.

Language skills

• French & English