argus - secret project2015/01/28 · application of formal validation methods know-why architecture...
TRANSCRIPT
ARGUS
“Security & safety analysis for electric and computerized signalling systems”
Dr.Marc ANTONI UIC - CCS & Operations Rail System Department
2
Summary
1. New challenge: security for electric signaling system
2. The ARGUS project
3. Security standards
4. A project to clarify the vision of new issues
5. Conclusion
3
New challenge in security of networked critical systems
Appearance of new risks related to (malware, attack on control systems and communication interfaces)
Which approach of risk analysis for real-time system?
How to consider the human factors on the life cycle?
Model of the “security levels” function of the strength of attacks?
Which safety standards for electric signaling systems for instance?
Specification of security requirements for electric signaling systems?
4
ARGUS
The ARGUS Project
ARGUS is a hundred-eyed guardian Having “ARGUS EYES”
to be lucid and vigilant (miss nothing) The spirit to be shared with the members
ARGUS has been defeated by the magic flute of Mercury he fall asleep
The project aims at designing a security analysis approach, based on risk analysis standard, for railways electric signaling systems, including human factors.
5
The current signaling systems
Challenge of safety and security of real-time systems
6 6
Haute gravité avec une faible fréquence d’occurrence les conséquences sont elles-ASSUMABLE ? avec quelles seuils d’acceptabilté (une fois peut suffire à être catastrophique)
Faible gravité mais forte occurrence les conséquences sont elles acceptables pour le business quel seuil ?
Rare events that must be eradicated
DKE Meeting - 15 May 2014 Frankfurt
Risks have to be eradicated
Acceptable and assumed Risks
Severity
What is the «assumable» risk level regarding the consequences of the threats ?
Safety of the railway system presume the postulate of a closed world
Using IP Network leads to open system regarding external threats
Is « Risk = Frequency x Severity » acceptable ?
Frequency
Acceptable??
Challenge of safety and security of real-time systems
7
Dangerous situation leading from possible attacks Three types of threat can lead to unacceptable situations:
1 - OKWSF (event leading directly to a dangerous wrong side failure)
2 - OKUSF and USFWSF (normal event following a unknown safe failure)
3 - OKDSF and DSFWSF (human error following a detected safe failure)
Occurrence probabilities of threaten attacks: 3 > 2 > 1
DSF
OK
USF WSF
DKE Meeting - 15 May 2014 Frankfurt
Challenge of safety and security of real-time systems
8 DKE Meeting - 15 May 2014 Frankfurt
The railway system has priority for military target !
Many armies have now 4 “army”
Air force, Navy, Earth army and Digital army
Example 1 :
Attack initiated in system components
Dangerous situation leading from possible attacks
The challenge: security for electric signalling system
9 DKE Meeting - 15 May 2014 Frankfurt
VPN 1
VPN 2
Activation or virus injection
The railway system has priority for military target ! Many armies have now 4 “army” Air force, Navy, Earth army and Digital army Example 2 :
Dangerous situation leading from possible attacks
The challenge: security for electric signalling system
10
SIL4 functions dependent of the Network type
Security barrier?
SIL4 functions independent of the Network type
Security barrier
Signalling functions are independent of the telecom link
Evolution of the situation Which strategy in order to: • save costs (renewal & maintenance) • control the life span of the real time critical signalling systems, their
availability (common mode especially), security and safety?
Security Platform Steering Committee - 10 June 2013 Paris
SIL4 Signalling System
SIL4 Signalling System
SIL4 Signalling System SIL4
Signalling System
SIL0 Closed Network
Open Network with security function
(e.g. VLAN)
10
SIL4 Signalling System
SIL4 Signalling System
SIL0 Closed Telecoms Links
Today
Tomorrow ?
The challenge: security for electric signalling system
11
Classical architecture • Without independence between
System and Functional SW
Proposed architecture • With distinction between HW&System
SW and the functional SW
Functionalities (interpretable and deterministic model as Petri nets with fixed writing and interpretation rules)
Input (TOR or communications
in the railway context)
Output (TOR or communications
in the railway context)
Software supporting the execution of the functionalities
Hardware
N of P architecture(s) of the real time computerised system – SIL4
development
I1 Interface I2 Interface with interpretation rules…
Know-how
Know-what
Application of formal validation methods
Know-why
Architecture choice for a critical networked system
HW&SW / industrial time Formal Proof / signalling time
Component design issue
12
System design issues
Formal methods for safety and security is a key for a high speed railway critical networked systems, and can help to improve the system durability and to reduce the maintenance Costs.
12
Safety Security
Asset management Performance
The battle of safety and costs is won or lost at the first stage of the system design !!
The battle of safety and costs is won or lost at the first stage of the system design !!
The battle of safety and costs is won or lost at the first stage of the system design !!
13
Security standards
EN 50159, VDE V 0831-102, VDE V 0831-104, IEC 27000…: • Safety-relevant threats only • No internal attacker • No consideration of real-time systems • EN 50159, VDE V 0831-102 : protection of communication • VDE V 0831-104 : description of an approach for security
analysis, guide line • IEC 27000… No consideration of the peculiarities of critical signalling systems!
14
IEC 62443 series…
Risk model:
Risk = damage * probability (Unit: € / year)
What about « non assumable » damage?
Security standards
15
Security standards
IEC 62443 series… Classical risk analysis approach
Alternative Approach 1? Structure analysis of the target system Identification of the relevant threats Estimation of damage and probability Derivation of security measures to reduce unacceptable risks
Prerequisites: Defined methodology for risk analysis Defined classes of damage and probabilities Defined threat catalogue
16
IEC 62443 series… Classical risk analysis approach Alternative modified risk model 1?: Acceptable??
Security standards
17
IEC 62443 series… Model for strength of attacker
Alternative 2: Strength of attacker defined through some parameters
Security level “measure of confidence that the system is free from vulnerabilities and function in the intended manner”
Definition of risk-based security levels (SL) - SL0: no protection requirements - SL1: protection against casual or coincidental violation - SL2: protection against intentional violation using simple means with low
resources, generic skill and motivation - SL3 protection against intentional violation using sophisticated means
with moderate resources, system specific skills and moderate motivation - SL4 protection against intentional violation using sophisticated means
with extended resources, system specific skills and high motivation SIL4 Signaling System
Security standards
18
Threats for signalling systems Malicious software, Escalation of access rights…
Unauthorized access to
communication (50159)
Exploit of vulnerabilities
Possible impact on SAFETY!!
-Wrong Side Failure (WSF)
-Unavailability leading to unsafe situation
Security standards
19
Steps for security inspection design ? Steps for security inspection or certification ? Are IEC 62443-xxx enougth for signalling systems? Witch coherence with EN50126, 128, 129 standards? How to manage the following issues ?
• all life cycle, • the real-time aspects, • the human factor, • the evolution of the technology
Security standards
A long work has to be done to reach a common approach for all UIC infrastructure
signalling system
20 20
Conclusion
Strategic aim of ARGUS:
How to avoid at “railway level” sad consequences coming from threats (cyber attacks, …) on operational signaling networks? Availability (fall down of the network) Security (intrusion) and Safety (malware) “Security” management during all the life of the network
How to provide alternative structures/architecture to operate until the main structures have been “cleaned”
To converge as quick as possible, using the existing or in progress works for all domains or kind of systems
21
Thank you for your kind attention
Project leader in France Dr. Marc Antoni [email protected] +33 6 29 91 77 43
ARGUS