RESOURCEFUL RELIABLE RESPONSIBLE
Computer Security
Web
Firewalls
Viruses
Passwords
Internet Banking
Online Shopping
Privacy
Industrial Espionage
Hackers
Computer Security As If Your Life Depended On It
Katherine Eastaughffe
OUTLINE
• Westinghouse Rail Systems – What do we do?
• Safety Critical Systems on the Railway
• How do we develop Safety Critical Systems?
• Where does Security fit in?
• Looking to the future
COMPANY OVERVIEW
• Company established in 1862
• Offices in Birmingham, Crawley, Croydon, Glasgow, Swanley, York, Beijing, Germany and Singapore with HQ in Chippenham
• 1390 employees
• Part of Invensys Rail Systems (Australia, US and Spain)
WHAT IS OUR BUSINESS?
• Design, manufacture, installation, commissioning and maintenance of:
– Railway signalling systems and equipment
– Train control systems
– Railway monitoring systems & control centres
• Supplying Main Line and Mass Transit operators in the UK, Europe and Far East
[Diagram: "Underground PPP System" block diagram (Westinghouse Brake and Signal Holdings Limited 2003; for information purposes only, issue: draft, date 15 May 2003). It shows the train-borne equipment (ATP, ATO, APR reader and transponder, tachogenerator speed sensor, Doppler, driver's display, TMS driving data), the trackside equipment (fixed block processor, local site computer, fixed communications unit and radio base stations, leaky feeder, platform ATO communicator, WESTRACE interlocking with a fibre optic link between WESTRACEs, diverse monitor controller, signalling equipment room, point machines, track circuits, position detectors and signals) and the supervisory level (station management system, control centre, maintainer's control terminal including operational data recorder), with a dual running interface to the existing signalling (overlay system) and new interlockings in control (final system). Key: automatic train protection equipment; automatic train operation equipment; interlocking equipment; automatic train supervision equipment; equipment supplied by others.]
LONDON’S PPP – PUBLIC PRIVATE PARTNERSHIP
• Westinghouse supplying resignalling projects to Metronet consortium through Bombardier
• Resignalling Victoria, District, Circle, Hammersmith, Metropolitan lines over 14 years (>1/2 of the Tube)
Victoria Line/SSL Resignalling Statistics
• ~ $850 million contract
• Resignalling of more than ½ of Tube
• 150 000 people enter the system each hour
• About 400 km of track
• About 160 stations
• Victoria line to provide > 30 trains per hour
• London Underground has 2.7 million passenger journeys/day
AUTOMATIC TRAIN CONTROL
[Diagram: basic operation of automatic train control, showing the trackside equipment, its location, the protection profile and a line speed of 80 km/h.]
Train Control Systems
• ERTMS (European Rail Traffic Management System)
– To be deployed across Europe
• DTG-R (Distance To Go - Radio)
– Aimed at Metro systems
– To be deployed on London Underground
ERTMS
• Recommended by the Uff-Cullen Inquiry for Automatic Train Protection on UK Mainline railway
• Common specifications to which suppliers provide equipment
• Radio Block Centre derives and sends “movement authorities” to trains via a GSM-R radio system
• A movement authority specifies how far a train can travel along the route ahead
• Train-borne computer calculates a safe speed based on its received movement authority
DTG-R
• Processors send “Signalling States” from the interlocking to the train via a radio system
• Train-borne computer calculates a movement authority and from that a safe speed
What if something interferes with the data?
[Diagram: the automatic train control picture (protection profile, line speed = 80 km/h, trackside equipment, location), repeated across four slides as the question is posed.]
How do we prove our systems are safe?
• Try and identify all the ways that something can go wrong
• Make sure we have ways of protecting against these threats
• We construct a Safety Case
• One part of the Safety Case for Automatic Train Control addresses the questions:
– What can go wrong with messages sent from the trackside to trains (either accidentally or deliberately)?
– How do we protect against failures of message transmission?
What may go wrong with messages?
• Repetition of Messages
• Deletion of Messages
• Insertion of Messages
• Resequencing of Messages
• Corruption of Messages
• Delay of Messages
• Masquerade of Messages
Repetition of Messages
• Due to failure of equipment eg message buffer is not properly flushed
• Due to deliberate storage and replay of messages
• Sequence Numbers and Timestamps
Sequence Numbers
• Add a running number to each message exchanged between a transmitter and a receiver
• Receiver checks that the number is within a suitable range of the number of the previous message
• Suitable range means:
– Eg between 1 and 30 greater than the previous number (modulo 255) for an 8 bit number
– Suitable range depends on the expected frequency of transmission.
• This ensures a message in the specified range is no older than x seconds/minutes
• Except that if the message is really old, then it might be in range, because sequence numbers have gone right the way round!!
Timestamps
• Timestamps can plug the hole that the sequence numbering technique has
• Transmitter adds a timestamp to the message
• Receiver checks that the timestamp is within a given tolerance of the timestamp of the previous message
• Bandwidth may prevent a timestamp being sent with all messages
• Need to be careful about the 1st message received from a transmitter – how do you know its clock is right and the message is not years old?
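The sequence-number window and the timestamp check from the last two slides, put together as an added example (not code from the talk): a receiver-side freshness check in Python. It assumes the 8-bit running number wraps modulo 256, a window of 1 to 30 ahead of the previous number, a constructed timestamp tolerance of 5 s, and that the first message from the transmitter was validated out-of-band.

```python
from dataclasses import dataclass
from typing import List

SEQ_MODULUS = 256        # assumption: 8-bit running number wraps at 256
SEQ_WINDOW = 30          # accept only 1..30 ahead of the previous number
TIME_TOLERANCE_S = 5.0   # assumption: max gap allowed between timestamps

@dataclass
class Message:
    seq: int          # running number 0..255
    timestamp: float  # transmitter clock, seconds
    payload: bytes

class Receiver:
    def __init__(self, initial_seq: int, initial_time: float) -> None:
        # Assumption: the first message has been validated out-of-band;
        # the slides warn that its clock and age cannot be trusted blindly.
        self.last_seq = initial_seq
        self.last_time = initial_time

    def seq_in_window(self, seq: int) -> bool:
        # Forward distance from the previous number, modulo 256, so the
        # window still works across the wrap-around from 255 to 0.
        delta = (seq - self.last_seq) % SEQ_MODULUS
        return 1 <= delta <= SEQ_WINDOW

    def timestamp_ok(self, ts: float) -> bool:
        # Not older than the last accepted message and not too far ahead.
        return self.last_time <= ts <= self.last_time + TIME_TOLERANCE_S

    def accept(self, msg: Message) -> str:
        """Return 'ok' or the rejection reason; state advances only on 'ok'."""
        if not self.seq_in_window(msg.seq):
            return "rejected: sequence number outside window"
        if not self.timestamp_ok(msg.timestamp):
            return "rejected: timestamp outside tolerance"
        self.last_seq, self.last_time = msg.seq, msg.timestamp
        return "ok"

def demo() -> List[str]:
    rx = Receiver(initial_seq=250, initial_time=1000.0)
    results = [rx.accept(Message(3, 1001.0, b"MA"))]      # 250 -> 3 wraps: ok
    results.append(rx.accept(Message(3, 1002.0, b"MA")))  # replay of seq 3: rejected
    # A message stored a whole counter cycle ago lands inside the sequence
    # window; only its timestamp gives it away (the hole the slides describe).
    results.append(rx.accept(Message(10, 700.0, b"MA")))
    results.append(rx.accept(Message(10, 1003.0, b"MA")))  # fresh: ok
    return results
```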
Deletion of Messages
• May be the result of equipment failure
• Or Denial of Service attack
• Most likely source of disruption of message transmission
• Design the system to be “fail-safe” – if messages are not received it will not cause a hazard
• Timeout on receipt of messages. If a train does not receive any messages after a given period of time, braking will be applied
• In emergency situations, you may want to know that a message has been received, in which case there must be an acknowledgement
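The fail-safe timeout and the acknowledgement rule from this slide, as an added example (not code from the talk): a train-borne watchdog in Python. The 3 s timeout, the message kinds and the rule that a fresh valid message releases a timeout brake are assumptions.

```python
from typing import List, Optional, Tuple

MESSAGE_TIMEOUT_S = 3.0   # assumption: longest tolerated silence on the link

class TrainWatchdog:
    def __init__(self, start_time: float) -> None:
        self.last_valid_rx = start_time   # time of the last accepted message
        self.braking = False

    def on_message(self, now: float, kind: str, seq: int) -> Optional[dict]:
        """Record an already-validated message; return an ack if one is required."""
        self.last_valid_rx = now
        self.braking = False   # assumption: a fresh message releases the timeout brake
        if kind == "EMERGENCY_STOP":
            self.braking = True
            # Trackside needs to know this one arrived, so it is acknowledged.
            return {"ack_for": seq, "time": now}
        return None

    def tick(self, now: float) -> str:
        """Called periodically; brakes if the link has been silent too long."""
        if now - self.last_valid_rx > MESSAGE_TIMEOUT_S:
            self.braking = True   # fail-safe: no messages means no movement
        return "BRAKING" if self.braking else "RUNNING"

def demo() -> Tuple[List[str], Optional[dict]]:
    wd = TrainWatchdog(start_time=0.0)
    states: List[str] = []
    wd.on_message(1.0, "MOVEMENT_AUTHORITY", seq=1)
    states.append(wd.tick(2.0))   # within the timeout: RUNNING
    # Messages 2..4 never arrive (equipment failure or denial of service).
    states.append(wd.tick(4.5))   # 3.5 s of silence: BRAKING
    wd.on_message(5.0, "MOVEMENT_AUTHORITY", seq=5)
    states.append(wd.tick(5.5))   # link restored: RUNNING
    ack = wd.on_message(6.0, "EMERGENCY_STOP", seq=6)
    states.append(wd.tick(6.1))   # emergency: BRAKING, and an ack is produced
    return states, ack
```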
Insertion of Messages
• Due to cross-talk
• Due to deliberate insertion of messages
• Sequence numbers will protect against a large number of false messages because the sequence number is unlikely to be within the expected range
• Otherwise see masquerading of messages
Resequencing of Messages
• Messages received in a different order to that transmitted
• Sequence Numbers and Timestamps
Corruption of Messages
• Accidental changes eg from Electromagnetic Interference or collision of messages
• Deliberate changes
• Safety Codes
– CRC (Cyclic Redundancy Codes)
– Hash Codes
– Cryptographic Block Codes (Message Authentication Code)
ERTMS – Encryption
• Uses a MAC – a function of the whole message and a secret key
• A private key for each train
• Block Cipher used is single DES with modified MAC algorithm 3
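Why the last two slides separate safety codes from cryptographic codes, as an added example (not code from the talk or from ERTMS): a CRC catches accidental corruption, but anyone can recompute it after a deliberate change, whereas a keyed MAC cannot be recomputed without the per-train key. HMAC-SHA256 stands in here for the single-DES MAC algorithm 3 that ERTMS uses; the key and the movement authority are constructed values.

```python
import hashlib
import hmac
import zlib

TRAIN_KEY = b"constructed-per-train-secret-key"   # constructed, not a real key
MAC_LEN = 32   # HMAC-SHA256 tag length in bytes

def frame_with_crc(payload: bytes) -> bytes:
    """Safety code: CRC-32 appended to the message."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_ok(frame: bytes) -> bool:
    payload, tag = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == tag

def frame_with_mac(payload: bytes, key: bytes) -> bytes:
    """Cryptographic code: MAC over the whole message under the train's key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def mac_ok(frame: bytes, key: bytes) -> bool:
    payload, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison

def flip_bit(data: bytes, index: int) -> bytes:
    """Simulates electromagnetic interference corrupting one bit in transit."""
    corrupted = bytearray(data)
    corrupted[index] ^= 0x01
    return bytes(corrupted)

def demo() -> dict:
    authority = b"MA:train=042;limit_m=1200;speed_kmh=80"   # constructed
    crc_frame = frame_with_crc(authority)
    mac_frame = frame_with_mac(authority, TRAIN_KEY)
    # The same authority with the distance deliberately changed. A CRC can be
    # recomputed by anyone, so it still checks out; the old MAC no longer
    # matches the new text, and a fresh one needs TRAIN_KEY.
    altered = b"MA:train=042;limit_m=9999;speed_kmh=80"
    return {
        "crc_detects_noise": not crc_ok(flip_bit(crc_frame, 10)),
        "mac_detects_noise": not mac_ok(flip_bit(mac_frame, 10), TRAIN_KEY),
        "crc_detects_tamper": not crc_ok(frame_with_crc(altered)),
        "mac_detects_tamper": not mac_ok(altered + mac_frame[-MAC_LEN:], TRAIN_KEY),
    }
```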
Delay of Messages
• Timestamps
• Timeouts – if you don’t receive a message within a given period, enter a fail-safe state, that is, shut-down and apply braking
Masquerading of Messages
• Use of identifiers
• Use of cryptographic techniques
Security of Rail Networks
• Of course, there are easier ways of deliberately disrupting railways than spoofing/deleting messages from trackside to train
• Difficult to gain physical access to network
An Interesting Website
• www.atcsmon.com
• Allows you to graphically monitor train traffic on railroads that use the Association of American Railroad’s Advanced Train Control System (ATCS) Specification 200 protocol (among others)
• All you need is a radio scanner! That is when you’re not listening to the police, or baby monitors
Some other Security Issues
• Security of map data and software loaded into train control units
• Management of private keys for each train
• The future will involve satellite positioning systems (Galileo) and use of more and more COTS products, which increase the security risk
Summary
• Security issues can be safety issues too
• To get approval for systems, you have to show that you have considered threats from message integrity and protected against them
• Real applications for cryptographic techniques
Further Information
• www.westinghouserail.co.uk
• Railway Safety Standards
– BS EN 50159: Railway Applications – Communication, Signalling and Processing Systems
• ERTMS Standards - www.aeif.org/ccm/doclist.asp
• Lots of information about Communications Systems for train control, US focussed, no future maintenance, www.tsd.org
• “Safeware: System Safety and Computers” by Nancy Leveson. Addison Wesley 1995
• IEE Website (Institute of Electrical Engineers) – www.iee.org
– Railway Professional Network
– Functional Safety Professional Network
WESTINGHOUSE RAIL SYSTEMS