Computer Security Passwords Web Online Shopping Industrial Espionage Internet Banking Viruses Hackers Privacy Firewalls
Computer Security As If Your Life Depended On It Katherine Eastaughffe RESOURCEFUL RELIABLE RESPONSIBLE
OUTLINE
• Westinghouse Rail Systems – What do we do?
• Safety Critical Systems on the Railway
• How do we develop Safety Critical Systems?
• Where does Security fit in?
• Looking to the future
COMPANY OVERVIEW
• Company established in 1862
• Offices in Birmingham, Crawley, Croydon, Glasgow, Swanley, York, Beijing, Germany and Singapore with HQ in Chippenham
• 1390 employees
• Part of Invensys Rail Systems (Australia, US and Spain)
WHAT IS OUR BUSINESS?
• Design, manufacture, installation, commissioning and maintenance of:
  • Railway signalling systems and equipment
  • Train control systems
  • Railway monitoring systems & control centres
• Supplying Main Line and Mass Transit operators in the UK, Europe and Far East
LONDON’S PPP – PUBLIC PRIVATE PARTNERSHIP
• Westinghouse supplying resignalling projects to Metronet consortium through Bombardier
• Resignalling Victoria, District, Circle, Hammersmith, Metropolitan lines over 14 years (>1/2 of the Tube)
Victoria Line/SSL Resignalling Statistics
• ~ $850 million contract
• Resignalling of more than ½ of Tube
• 150 000 people enter the system each hour
• About 400 km of track
• About 160 stations
• Victoria line to provide > 30 trains per hour
• London Underground has 2.7 million passenger journeys/day
AUTOMATIC TRAIN CONTROL
[Diagram: Basic Operation – Line Speed = 80 km/h; Protection Profile; Location; Trackside Equipment]
Train Control Systems
• ERTMS (European Rail Traffic Management System)
  • To be deployed across Europe
• DTG-R (Distance To Go – Radio)
  • Aimed at Metro systems
  • To be deployed on London Underground
ERTMS
• Recommended by the Uff-Cullen Inquiry for Automatic Train Protection on UK Mainline railway
• Common specifications to which suppliers provide equipment
• Radio Block Centre derives and sends “movement authorities” to trains via a GSM-R radio system
• A movement authority specifies how far a train can travel along the route ahead
• Train-borne computer calculates a safe speed based on its received movement authority
DTG-R
• Processors send “Signalling States” from the interlocking to the train via a radio system
• Train-borne computer calculates a movement authority and from that a safe speed
What if something interferes with the data?
[Diagram: Basic Operation – Line Speed = 80 km/h; Protection Profile; Location; Trackside Equipment]
How do we prove our systems are safe?
• Try and identify all the ways that something can go wrong
• Make sure we have ways of protecting against these threats
• We construct a Safety Case
• One part of the Safety Case for Automatic Train Control addresses the questions:
  • What can go wrong with messages sent from the trackside to trains (either accidentally or deliberately)?
  • How do we protect against failures of message transmission?
What may go wrong with messages?
• Repetition of Messages
• Deletion of Messages
• Insertion of Messages
• Resequencing of Messages
• Corruption of Messages
• Delay of Messages
• Masquerade of Messages
Repetition of Messages
• Due to failure of equipment, eg message buffer is not properly flushed
• Due to deliberate storage and replay of messages
• Protection: Sequence Numbers and Timestamps
Sequence Numbers
• Add a running number to each message exchanged between a transmitter and a receiver
• Receiver checks that the number is within a suitable range of the number of the previous message
• Suitable range means:
  • Eg between 1 and 30 greater than the previous number (modulo 255) for an 8-bit number
  • Suitable range depends on the expected frequency of transmission
• This ensures a message in the specified range is no older than x seconds/minutes
• Except that if the message is really old, it might still be in range, because the sequence numbers have gone right the way round!!
Timestamps
• Timestamps can plug the hole that the sequence numbering technique has
• Transmitter adds a timestamp to the message
• Receiver checks that the timestamp is within a given tolerance of the timestamp of the previous message
• Bandwidth may prevent a timestamp being sent with all messages
• Need to be careful about the 1st message received from a transmitter – how do you know its clock is right and the message is not years old?
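As an added illustration of the sequence-number window and the timestamp check on the two slides above (example code written for this page, not Westinghouse or ERTMS code): the receiver accepts a message only if its 8-bit running number is 1 to 30 beyond the previous one modulo 255 and its timestamp lies within an assumed 5-second tolerance of the previous timestamp. The message layout, window and tolerance are assumptions; the demo also shows the hole the slide warns about, where a very old replayed message lands inside the sequence window and only the timestamp check rejects it.

```python
SEQ_MODULUS = 255     # 8-bit running number, wrapping modulo 255 as on the slide
SEQ_WINDOW = 30       # accept numbers 1..30 beyond the previous one
TIME_TOLERANCE = 5.0  # seconds; assumed tolerance, not a value from the page


class Receiver:
    """Replay and resequencing check for trackside-to-train messages.

    Assumed message layout (not the ERTMS/DTG-R wire format): a dict with
    'seq' in 0..254 and 'ts' (transmitter clock, seconds).
    """

    def __init__(self, first_seq: int, first_ts: float):
        # The slide warns that the first message's clock cannot be verified
        # on its own; here it is simply taken as the starting point.
        self.last_seq = first_seq
        self.last_ts = first_ts

    def seq_in_window(self, seq: int) -> bool:
        delta = (seq - self.last_seq) % SEQ_MODULUS   # handles wrap-around
        return 1 <= delta <= SEQ_WINDOW

    def ts_in_tolerance(self, ts: float) -> bool:
        return 0.0 <= ts - self.last_ts <= TIME_TOLERANCE

    def accept(self, msg: dict):
        """Return (accepted, reason); state advances only on acceptance."""
        if not self.seq_in_window(msg["seq"]):
            return False, "sequence number outside window"
        if not self.ts_in_tolerance(msg["ts"]):
            return False, "timestamp outside tolerance"
        self.last_seq, self.last_ts = msg["seq"], msg["ts"]
        return True, "ok"


def demo() -> dict:
    # Constructed traffic: previous message had seq 10 at t=1000 s.
    rx = Receiver(first_seq=10, first_ts=1000.0)
    results = {
        "next": rx.accept({"seq": 11, "ts": 1001.0})[0],     # in window
        "repeat": rx.accept({"seq": 11, "ts": 1001.0})[0],   # delta 0: replay
        "far": rx.accept({"seq": 100, "ts": 1002.0})[0],     # delta 89 > 30
    }
    # Old message whose sequence number has "gone right the way round":
    # sent 10 minutes earlier, yet seq 12 sits inside the 1..30 window.
    rx2 = Receiver(first_seq=10, first_ts=1000.0)
    old = {"seq": 12, "ts": 400.0}
    results["old_seq_ok"] = rx2.seq_in_window(old["seq"])    # the hole
    results["old_rejected"] = rx2.accept(old)[0]             # timestamp plugs it
    return results
```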
Deletion of Messages
• May be the result of equipment failure
• Or Denial of Service attack
• Most likely source of disruption of message transmission
• Design the system to be “fail-safe” – if messages are not received it will not cause a hazard
• Timeout on receipt of messages. If a train does not receive any messages after a given period of time, braking will be applied
• In emergency situations, you may want to know that a message has been received, in which case there must be an acknowledgement
Insertion of Messages
• Due to cross-talk
• Due to deliberate insertion of messages
• Sequence numbers will protect against a large number of false messages because the sequence number is unlikely to be within the expected range
• Otherwise see masquerading of messages
Resequencing of Messages
• Messages received in a different order to that transmitted
• Protection: Sequence Numbers and Timestamps
Corruption of Messages
• Accidental changes, eg from Electromagnetic Interference or collision of messages
• Deliberate changes
• Safety Codes:
  • CRC (Cyclic Redundancy Codes)
  • Hash Codes
  • Cryptographic Block Codes (Message Authentication Code)
ERTMS – Encryption
• Uses a MAC – a function of the whole message and a secret key
• A private key for each train
• Block Cipher used is single DES with modified MAC algorithm 3
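An added example (not the page's or ERTMS's code) contrasting the safety codes listed on the two slides above: a CRC-32 catches an accidental bit flip but gives no protection against a deliberately changed message, because anyone can recompute it, whereas a keyed MAC cannot be matched to a changed message without the per-train key. HMAC-SHA256 stands in for the DES-based MAC algorithm the slide names; the message format and key are constructed placeholders.

```python
import hashlib
import hmac
import zlib

# Constructed sample "signalling state" message; not the ERTMS/DTG-R wire format.
MESSAGE = b"train=0042;seq=17;ts=1000;movement_authority_m=1200"
# Placeholder per-train secret; a real system would provision this per train.
KEY = b"per-train-secret-key-placeholder"


def crc_protect(msg: bytes) -> bytes:
    """Append a CRC-32 safety code: detects accidental corruption only."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")


def crc_check(frame: bytes) -> bool:
    body, tag = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == tag


def mac_protect(msg: bytes, key: bytes) -> bytes:
    """Append a keyed MAC over the whole message (HMAC-SHA256 stand-in)."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def mac_check(frame: bytes, key: bytes) -> bool:
    body, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate EMI corruption: flip the low bit of one byte in flight."""
    data = bytearray(frame)
    data[index] ^= 0x01
    return bytes(data)


def demo(key: bytes = KEY) -> dict:
    crc_frame = crc_protect(MESSAGE)
    mac_frame = mac_protect(MESSAGE, key)
    # Deliberate change to the movement authority, same length as the original.
    changed = MESSAGE.replace(b"1200", b"9999")
    return {
        "crc_detects_emi": not crc_check(flip_bit(crc_frame, 5)),
        "mac_detects_emi": not mac_check(flip_bit(mac_frame, 5), key),
        # CRC recomputed over the changed text still verifies: no protection.
        "crc_detects_change": not crc_check(crc_protect(changed)),
        # Old tag over changed text fails: the key is needed to produce a new one.
        "mac_detects_change": not mac_check(changed + mac_frame[-32:], key),
    }
```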
Delay of Messages
• Timestamps
• Timeouts – if you don’t receive a message within a given period, enter a fail-safe state, that is, shut down and apply braking
Masquerading of Messages
• Use of identifiers
• Use of cryptographic techniques
Security of Rail Networks
• Of course, there are easier ways of deliberately disrupting railways than spoofing/deleting messages from trackside to train
• Difficult to gain physical access to network
An Interesting Website
• www.atcsmon.com
• Allows you to graphically monitor train traffic on railroads that use the Association of American Railroads’ Advanced Train Control System (ATCS) Specification 200 protocol (among others)
• All you need is a radio scanner! That is, when you’re not listening to the police, or baby monitors
Some other Security Issues
• Security of map data and software loaded into train control units
• Management of private keys for each train
• The future will involve satellite positioning systems (Galileo) and use of more and more COTS products, which increase the security risk
Summary
• Security issues can be safety issues too
• To get approval for systems, you have to show that you have considered threats to message integrity and protected against them
• Real applications for cryptographic techniques
Further Information
• www.westinghouserail.co.uk
• Railway Safety Standards
  • BS EN 50159: Railway Applications – Communication, Signalling and Processing Systems
• ERTMS Standards – www.aeif.org/ccm/doclist.asp
• Lots of information about Communications Systems for train control, US focussed, no future maintenance – www.tsd.org
• “Safeware: System Safety and Computers” by Nancy Leveson. Addison Wesley 1995
• IEE Website (Institution of Electrical Engineers) – www.iee.org
  • Railway Professional Network
  • Functional Safety Professional Network
WESTINGHOUSE RAIL SYSTEMS RESOURCEFUL RELIABLE RESPONSIBLE