CV Stefan Karg

Work experience

2025/01 - Present | Head of Competence Center Security & Team Lead Rail Security

Company: Informatik Consulting Systems GmbH

Driving security innovation

  • Alignment and strategic development of the Competence Center Security within Informatik Consulting Systems GmbH
  • Expansion of know-how and support for internal training measures
  • Addressing new customers
  • Evaluation of promising business cases

Team management

  • Team Lead Rail Security
  • Lead a distributed team of currently six specialists across Germany and Switzerland.
  • Implement a modern leadership style in a hybrid work environment.
  • Ensure and balance workload of team members.
  • Serve as the first point of contact for team members
  • Prepare and conduct annual employee performance reviews and monthly 1 on 1 meetings.
  • Identify necessary qualification and professional development of team members.
  • Plan team goals and the strategic development of the Rail Security team
  • Contribute to the strategic development of the Security department.

Project Management & Technical Sales for railway projects

  • Manage technical and commercial aspects of projects with distributed teams.
  • Ensure completion of project to the satisfaction of the customer in time and budget.
  • Identify technical needs of customers and prepare technical concepts for quotations.
  • Estimation of effort to realize technical concepts & security management.
  • Discuss technical and commercial aspects of quotations with customers.

Technical Skills

  • Security Lifecycle Management
    • Security management for the whole lifecycle of railway systems according to CENELEC TS 50701.
    • Integrate security lifecycle into RAMS lifecycle according to CENELEC TS 50701.
    • Tailor IEC 62443 and CENELEC TS 50701 for customer projects.
  • Develop specific approaches in complex and international project environments for railway operators as well as large and small suppliers.
  • Conduct security risk assessments according to IEC 62443-3-2.
  • Secure railway applications of customers using IEC 62443-3-3 and IEC 62443-4-2 requirements.
  • Consider specific limitations in safety-critical OT (Operational Technology) environments.
  • Security Management in accordance with IEC 62443-4-1.
  • Ensure traceability between requirements and security-related tests
  • Apply CENELEC TS 50701 for Security Management Plans.
  • Apply CENELEC TS 50701 for railway-specific Security Cases.
  • Apply agile development processes in safety-critical environments (EN 50126 / EN 50128).
  • Audit (non-accredited) security lifecycle management according to CENELEC TS 50701, IEC 62443-3-2, IEC 62443-3-3, IEC 62443-4-1, IEC 62443-4-2

2022/04 - 2024/12 | Team Lead Rail Security

Company: Informatik Consulting Systems GmbH

Team management

  • Team Lead Rail Security
  • Lead a distributed team of currently six specialists across Germany and Switzerland.
  • Implement a modern leadership style in a hybrid work environment.
  • Ensure and balance workload of team members.
  • Serve as the first point of contact for team members
  • Prepare and conduct annual employee performance reviews and monthly 1 on 1 meetings.
  • Identify necessary qualification and professional development of team members.
  • Plan team goals and the strategic development of the Rail Security team
  • Contribute to the strategic development of the Security department.

Project Management & Technical Sales for railway projects

  • Manage technical and commercial aspects of projects with distributed teams.
  • Ensure completion of project to the satisfaction of the customer in time and budget.
  • Identify technical needs of customers and prepare technical concepts for quotations.
  • Estimation of effort to realize technical concepts & security management.
  • Discuss technical and commercial aspects of quotations with customers.

Technical Skills

  • Security Lifecycle Management
    • Security management for the whole lifecycle of railway systems according to CENELEC TS 50701.
    • Integrate security lifecycle into RAMS lifecycle according to CENELEC TS 50701.
    • Tailor IEC 62443 and CENELEC TS 50701 for customer projects.
  • Develop specific approaches in complex and international project environments for railway operators as well as large and small suppliers.
  • Conduct security risk assessments according to IEC 62443-3-2.
  • Secure railway applications of customers using IEC 62443-3-3 and IEC 62443-4-2 requirements.
  • Consider specific limitations in safety-critical OT (Operational Technology) environments.
  • Security Management in accordance with IEC 62443-4-1.
  • Ensure traceability between requirements and security-related tests
  • Apply CENELEC TS 50701 for Security Management Plans.
  • Apply CENELEC TS 50701 for railway-specific Security Cases.
  • Apply agile development processes in safety-critical environments (EN 50126 / EN 50128).
  • Audit (non-accredited) security lifecycle management according to CENELEC TS 50701, IEC 62443-3-2, IEC 62443-3-3, IEC 62443-4-1, IEC 62443-4-2

2020/07 - 2022/03 | Lead Security Consultant

Company: Informatik Consulting Systems GmbH

  • Business Unit Mobility / Business Center Security
  • Project Manager
  • Technical and commercial management of project teams distributed over multiple locations
  • Tailoring of IEC 62443 and CENELEC TS 50701 for our customer projects
  • Project Security Management
  • Security risk assessment according to IEC 62443-3-2
  • Securing railway applications of our customers with the help of IEC 62443-3-3 and IEC 62443-4-2 requirements
  • Application of CENELEC TS 50701 for railway-specific security cases
  • Application of agile development process in safety-critical environment (EN 50128)

2019/05 - 2020/06 | Senior Security Consultant

Company: Informatik Consulting Systems GmbH

  • Business Unit Mobility / Business Center Security
  • Project Manager (since 01/2020)
  • Technical management of project teams distributed over multiple locations
  • Project Security Management
  • Security risk assessment according to IEC 62443
  • Development of customized ETCS solutions for our customers
  • Application of agile development process in safety-critical environment (EN 50128)

2016/06 - 2019/04 | Software Engineer

Company: Informatik Consulting Systems GmbH

  • Business Unit Transportation
  • Project Security Management
  • Security risk assessment according to IEC 62443
  • Development of customized ETCS solutions for our customers
  • Application of agile development process in safety-critical environment (EN 50128)

2015/08 - 2016/05 | Software Engineer

Company: LEA Railergy

  • Development of simulation software for automatic train protection systems such as ETCS (European Train Control System)
  • Product development for innovative railway simulations

2015/04 - 2015/07 | Working student

Company: DB Netz AG (German railway infrastructure operator)

  • Integration tests for on-board unit model
  • Train simulation model for openETCS on-board unit
  • Top 3 contributor to the openETCS work package 3 (formal on-board unit model)
  • Experience in European collaboration

2015/10 - 2015/04 | Master thesis

Company: DB Netz AG (German railway infrastructure operator)

  • Thesis title: “Evaluation of the model-driven development approach in the openETCS project”
  • Top 3 contributor to the openETCS work package 3 (formal on-board unit model)
  • Experience in European collaboration

2012/04 - 2014/08 | Student assistant

Company: Ulm University

  • Supervision and assistance of students (bachelor and master level) during the lab course “Lab Microcomputer”.
  • Support of the student teams during the complete design and implementation process of a control module for a sorting facility.

The following steps were supervised and supported:

  • Design of the electrical circuits using the CAD tool Eagle
  • Layout of PCB using Eagle
  • Assembly and soldering of PCB
  • Implementation of software using the language C
  • Debugging and testing
  • Integration of the control circuit into the facility and testing the communication via CAN bus
  • Documentation of the whole project

Publications

SIGNAL + DRAHT | Automated security risk management for trains

Security is playing an increasingly important role in the development and maintenance of modern, connected rail vehicles. Digital twins enable the precise and holistic modelling of these systems and form the basis for automatic Security Risk Assessments. These assessments systematically identify any security vulnerabilities and evaluate potential attack paths. Daily updates of the risk assessments and efficient countermeasure definition ensure the continuous security and reliability of the vehicles throughout their entire lifecycle.

SIGNAL + DRAHT | Security lifecycle management for existing ETCS products – a case study

Since the IT Security Act for the traffic and transport sector came into effect, one of the key challenges for security managers in the rail sector has been to integrate the necessary security activities into the processes established for safety-relevant systems. ICS GmbH has been entrusted with security management in numerous rail projects since 2016, especially in the field of ETCS (European Train Control System) and retrofitting. In addition to the article on the implementation of legacy rolling stock security, this article describes proven approaches to security management in ETCS projects.

MODELS'16 | Model-driven software engineering in the openETCS project: project experiences and lessons learned

  • Publication date: October 2016
  • Journal/Publisher: MODELS ’16 Proceedings of the ACM/IEEE 19th International Conference on Model Driven Engineering Languages and Systems
  • Authors: Stefan Karg, Alexander Raschke, Matthias Tichy, Grischa Liebel
  • Link to article (ACM DL)

Model-driven software engineering in industrial practice has been the focus of different empirical studies and experience reports. Particularly, positive effects of model-driven software engineering have been reported in the domain of embedded and safety-critical systems.

We report in this paper on the experiences of the openETCS European research project whose goal was to formalize the System Requirements Specification and to develop an open source reference implementation of the European Train Control System including open source modeling tools. Furthermore, we will discuss lessons learned, e.g., about using open source modeling toolchains in safety-critical contexts and about using the SCADE Suite for the development of the safety-critical parts.

zevrail | openETCS: Modellbasiert, agil und open Source – Ergebnisse aus dem ITEA2-Förderprojekt

  • Publication date: April 2016
  • Journal/Publisher: zevrail
  • Authors: Jakob Gärtner, Dr. Michael Jastram, Dr. Peter Mahlmann, Dr. Rüdiger Hase, Bernd Hekele, Stefan Karg
  • Link to article (zevrail)

Publication in zevrail regarding the results of the European research project openETCS.

MobileHCI '15 | ColorSnakes: Using Colored Decoys to Secure Authentication in Sensitive Contexts

  • Publication date: August 2015
  • Journal/Publisher: MobileHCI ’15 Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services / Pages 274-283 / ACM New York, NY, USA
  • Authors: Jan Gugenheimer, Alexander De Luca, Hayato Hess, Stefan Karg, Dennis Wolf, Enrico Rukzio
  • Link to article (ACM DL)

In this paper we present ColorSnakes, a PIN-based authentication mechanism for smartphones which uses fake paths on a grid of numbers to disguise user input. In a lab study (n=24), we evaluated variations of ColorSnakes in terms of usability and security.

In comparison to direct input, indirect input significantly reduced the risk of shoulder surfing (10.5%) without increasing the input time.

In a follow up real-world study (n=12), we compared ColorSnakes with PIN entry and Android’s Pattern Unlock over the course of three weeks. Although authentication time for ColorSnakes was higher than for the other two mechanisms, participants valued the security benefit over its slightly higher error rate and increased authentication time.

We argue that ColorSnakes could be used as an additional authentication mechanism alongside current mechanisms, thus providing the user with the choice of changing to ColorSnakes for certain applications or when there is an observer.

Certificates

Certified Information Systems Security Professional (CISSP)

  • Issued by: ISC2
  • Date issued: 17.03.2021
  • Expires: 31.03.2027

Basic Certificate in Project Management

  • Issued by: GPM
  • Date issued: July 2018

Microsoft Certified: Azure AI Fundamentals

  • Issued by: Microsoft
  • Date issued: 03.06.2023

Training

EULYNX Introduction Module

  • Date: December 2024
  • Organization: EULYNX Academy

Information Security and ISO 27001

  • Date: June 2020
  • Organization: Informatik Consulting Systems GmbH

EUG2015B ERTMS Specialist Training

  • Date: April 2015
  • Organization: ERTMS Users Group, Brussels

Introduction into development of safety-critical systems

  • Date: June 2016
  • Organization: Informatik Consulting Systems GmbH

Model-Based Design with SCADE Suite

  • Date: January 2015
  • Organization: ANSYS, Inc.

Memberships

Education

2012 – 2015 | Ulm University

  • Master’s Degree in Computer Science

2009 – 2012 | Ulm University

  • Bachelor’s degree in Communications and Computer Engineering

Languages

  • English (C1 – Advanced)
  • German (C2 – Native)