
RESOURCEFUL RELIABLE RESPONSIBLE Computer Security Web Firewalls Viruses Passwords Internet Banking Online Shopping Privacy Industrial Espionage Hackers.



Presentation transcript:

1 Computer Security: Web, Firewalls, Viruses, Passwords, Internet Banking, Online Shopping, Privacy, Industrial Espionage, Hackers

2 Computer Security

3 Your Life

4 Computer Security As If Your Life Depended On It
Katherine Eastaughffe

5 OUTLINE
- Westinghouse Rail Systems: what do we do?
- Safety Critical Systems on the Railway
- How do we develop Safety Critical Systems?
- Where does Security fit in?
- Looking to the future

6 COMPANY OVERVIEW
- Company established in 1862
- Offices in Birmingham, Crawley, Croydon, Glasgow, Swanley, York, Beijing, Germany and Singapore, with HQ in Chippenham
- 1390 employees
- Part of Invensys Rail Systems (Australia, US and Spain)

7 WHAT IS OUR BUSINESS?
- Design, manufacture, installation, commissioning and maintenance of:
  - Railway signalling systems and equipment
  - Train control systems
  - Railway monitoring systems and control centres
- Supplying Main Line and Mass Transit operators in the UK, Europe and Far East


9 LONDON'S PPP – PUBLIC PRIVATE PARTNERSHIP
- Westinghouse supplying resignalling projects to the Metronet consortium through Bombardier
- Resignalling the Victoria, District, Circle, Hammersmith and Metropolitan lines over 14 years (more than half of the Tube)

10 Victoria Line/SSL Resignalling Statistics
- ~ $850 million contract
- Resignalling of more than ½ of the Tube
- people enter the system each hour
- About 400 km of track
- About 160 stations
- Victoria line to provide > 30 trains per hour
- London Underground has 2.7 million passenger journeys/day


12 AUTOMATIC TRAIN CONTROL
(Diagram: Protection Profile; Line Speed = 80 km/h; Trackside Equipment Location; Basic Operation)

13 Train Control Systems
- ERTMS (European Rail Traffic Management System)
  - To be deployed across Europe
- DTG-R (Distance To Go – Radio)
  - Aimed at Metro systems
  - To be deployed on London Underground

14 ERTMS
- Recommended by the Uff-Cullen Inquiry for Automatic Train Protection on the UK Mainline railway
- Common specifications to which suppliers provide equipment
- The Radio Block Centre derives and sends "movement authorities" to trains via a GSM-R radio system
- A movement authority specifies how far a train can travel along the route ahead
- The train-borne computer calculates a safe speed based on its received movement authority

15 DTG-R
- Processors send "Signalling States" from the interlocking to the train via a radio system
- The train-borne computer calculates a movement authority and from that a safe speed

16 What if something interferes with the data?
(Diagram: Protection Profile; Line Speed = 80 km/h; Trackside Equipment Location; Basic Operation)


20 How do we prove our systems are safe?
- Try to identify all the ways that something can go wrong
- Make sure we have ways of protecting against these threats
- We construct a Safety Case
- One part of the Safety Case for Automatic Train Control addresses the questions:
  - What can go wrong with messages sent from the trackside to trains (either accidentally or deliberately)?
  - How do we protect against failures of message transmission?

21 What may go wrong with messages?
- Repetition of Messages
- Deletion of Messages
- Insertion of Messages
- Resequencing of Messages
- Corruption of Messages
- Delay of Messages
- Masquerade of Messages

22 Repetition of Messages
- Due to failure of equipment, e.g. a message buffer is not properly flushed
- Due to deliberate storage and replay of messages
- Protection: Sequence Numbers and Timestamps

23 Sequence Numbers
- Add a running number to each message exchanged between a transmitter and a receiver
- The receiver checks that the number is within a suitable range of the number of the previous message
- Suitable range means:
  - e.g. between 1 and 30 greater than the previous number (modulo 255) for an 8-bit number
  - The suitable range depends on the expected frequency of transmission. This ensures a message in the specified range is no older than x seconds/minutes
- Except that if the message is really old, then it might still be in range, because the sequence numbers have gone right the way round!!

24 Timestamps
- Timestamps can plug the hole that the sequence numbering technique has
- The transmitter adds a timestamp to the message
- The receiver checks that the timestamp is within a given tolerance of the timestamp of the previous message
- Bandwidth may prevent a timestamp being sent with all messages
- Need to be careful about the 1st message received from a transmitter: how do you know its clock is right and the message is not years old?
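The receiver-side checks from slides 22 to 24, sequence-number window and timestamp tolerance together, as an added example that is not code from the presentation or from Westinghouse. It assumes a counter that wraps at 256 (the full 8-bit range; slide 23 says modulo 255), a window of 30, a timestamp tolerance of 5 seconds, and a constructed stream sent once per second, so that one counter cycle lasts 256 seconds.

```python
"""Sequence-number window plus timestamp check (added example; constructed values)."""
from __future__ import annotations

from dataclasses import dataclass

SEQ_MODULUS = 256      # 8-bit running number, 0..255 (assumption: full 8-bit range)
SEQ_WINDOW = 30        # accept 1..30 greater than the previous number (slide 23)
TIME_TOLERANCE = 5.0   # seconds a timestamp may advance past the previous one (assumption)


@dataclass(frozen=True)
class Message:
    seq: int          # running number added by the transmitter
    timestamp: float  # transmitter clock, in seconds
    payload: bytes


def seq_in_window(prev: int, current: int,
                  window: int = SEQ_WINDOW, modulus: int = SEQ_MODULUS) -> bool:
    """True if current is 1..window ahead of prev, modulo the counter size."""
    delta = (current - prev) % modulus
    return 1 <= delta <= window


def timestamp_in_tolerance(prev_ts: float, ts: float,
                           tolerance: float = TIME_TOLERANCE) -> bool:
    """True if ts is later than prev_ts, but by no more than tolerance seconds."""
    return 0.0 < ts - prev_ts <= tolerance


class Receiver:
    """Keeps the last accepted sequence number and timestamp (slides 23-24)."""

    def __init__(self, first: Message, use_timestamps: bool = True):
        # The first message cannot be compared with anything, so it seeds the
        # state; slide 24's caveat (is this message years old?) is not solved here.
        self.last_seq = first.seq
        self.last_ts = first.timestamp
        self.use_timestamps = use_timestamps

    def accept(self, msg: Message) -> tuple[bool, str]:
        if not seq_in_window(self.last_seq, msg.seq):
            return False, "sequence number outside window"
        if self.use_timestamps and not timestamp_in_tolerance(self.last_ts, msg.timestamp):
            return False, "timestamp outside tolerance"
        self.last_seq = msg.seq
        self.last_ts = msg.timestamp
        return True, "ok"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed stream: one message per second; receiver is at seq 200, t = 1000 s."""
    seed = Message(seq=200, timestamp=1000.0, payload=b"MA 1500 m")
    rx = Receiver(seed)
    results = {}

    fresh = Message(seq=201, timestamp=1001.0, payload=b"MA 1480 m")
    results["fresh"] = rx.accept(fresh)            # accepted; receiver state moves on
    results["replay"] = rx.accept(fresh)           # the same message again: delta 0

    stale = Message(seq=199, timestamp=999.0, payload=b"MA 1520 m")
    results["resequenced"] = rx.accept(stale)      # behind the receiver: delta 254

    # A message recorded exactly one counter cycle (256 s) earlier: its sequence
    # number lands back inside the window, the hole slide 23 warns about.
    wrapped = Message(seq=206, timestamp=1006.0 - 256.0, payload=b"MA 1400 m")
    results["wrapped_seq_only"] = Receiver(seed, use_timestamps=False).accept(wrapped)
    results["wrapped_with_timestamps"] = rx.accept(wrapped)   # timestamp closes the hole
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The sequence check alone lets the wrapped message through; the timestamp check rejects it because its clock value lies 251 seconds behind the last accepted message.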

25 Deletion of Messages
- May be the result of equipment failure
- Or a Denial of Service attack
- Most likely source of disruption of message transmission
- Design the system to be "fail-safe": if messages are not received it will not cause a hazard
- Timeout on receipt of messages. If a train does not receive any messages after a given period of time, braking will be applied
- In emergency situations, you may want to know that a message has been received, in which case there must be an acknowledgement

26 Insertion of Messages
- Due to cross-talk
- Due to deliberate insertion of messages
- Sequence numbers will protect against a large number of false messages, because the sequence number is unlikely to be within the expected range
- Otherwise see masquerading of messages

27 Resequencing of Messages
- Messages received in a different order to that transmitted
- Protection: Sequence Numbers and Timestamps

28 Corruption of Messages
- Accidental changes, e.g. from Electromagnetic Interference or collision of messages
- Deliberate changes
- Safety Codes:
  - CRC (Cyclic Redundancy Codes)
  - Hash Codes
  - Cryptographic Block Codes (Message Authentication Code)

29 ERTMS – Encryption
- Uses a MAC: a function of the whole message and a secret key
- A private key for each train
- The Block Cipher used is single DES with modified MAC algorithm 3
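Why slide 28 lists both a CRC and a keyed MAC, shown in working code as an added example that is not from the presentation, ERTMS or Westinghouse. HMAC-SHA256 from the Python standard library stands in for the single-DES "MAC algorithm 3" named on slide 29 (DES is not in the standard library); the movement-authority text, the per-train key and the bit-flip position are constructed.

```python
"""CRC versus keyed MAC over a constructed movement-authority message (added example)."""
from __future__ import annotations

import binascii
import hashlib
import hmac

TRAIN_KEY = b"constructed-per-train-secret"   # slide 29: a private key for each train


def crc32_tag(msg: bytes) -> int:
    """Cyclic redundancy code: catches accidental errors, involves no secret."""
    return binascii.crc32(msg) & 0xFFFFFFFF


def mac_tag(msg: bytes, key: bytes) -> bytes:
    """Keyed MAC over the whole message; only a holder of the key can produce it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def crc_ok(msg: bytes, tag: int) -> bool:
    return crc32_tag(msg) == tag


def mac_ok(msg: bytes, tag: bytes, key: bytes) -> bool:
    # Constant-time comparison so verification time does not leak tag bytes.
    return hmac.compare_digest(mac_tag(msg, key), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Model electromagnetic interference flipping a single bit in transit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def run_checks() -> dict[str, bool]:
    # Constructed message; the sender computes both tags before transmission.
    original = b"MA:train=42;distance_m=1500;speed_limit_kmh=80"
    crc = crc32_tag(original)
    mac = mac_tag(original, TRAIN_KEY)
    results = {}

    # Accidental corruption: one flipped bit, tags arrive unchanged.
    # Any CRC detects all single-bit errors, so both codes catch this.
    noisy = flip_bit(original, 13)
    results["crc_detects_bit_flip"] = not crc_ok(noisy, crc)
    results["mac_detects_bit_flip"] = not mac_ok(noisy, mac, TRAIN_KEY)

    # Deliberate change: the altered message arrives with a CRC consistent with
    # it. A CRC has no secret, so it matches whatever message carries it and
    # gives no protection against deliberate changes.
    altered = original.replace(b"distance_m=1500", b"distance_m=9999")
    results["crc_detects_deliberate_change"] = not crc_ok(altered, crc32_tag(altered))
    # The MAC cannot be recomputed without the train's key, so the only tag
    # available is the original one, which does not verify over the altered text.
    results["mac_detects_deliberate_change"] = not mac_ok(altered, mac, TRAIN_KEY)
    return results


if __name__ == "__main__":
    for name, detected in run_checks().items():
        print(f"{name:32s} {'detected' if detected else 'NOT detected'}")
```

The point the slides make is visible in the results: the CRC is a safety code against accidents only, while the keyed MAC covers the deliberate case, which is why slide 29 ties each MAC to a per-train secret key.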

30 Delay of Messages
- Timestamps
- Timeouts: if you don't receive a message within a given period, enter a fail-safe state, that is, shut down and apply braking
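The fail-safe behaviour described on slides 25 (deletion, timeout, acknowledgement) and 30 (delay), as an added example that is not code from the presentation or from Westinghouse. The timeout values, the transit-delay limit, the latching of the braking state and the one-message-per-second timeline are all constructed assumptions.

```python
"""Watchdog timeout, delayed-message rejection and emergency acknowledgement (added example)."""
from __future__ import annotations

from enum import Enum

MESSAGE_TIMEOUT = 3.0     # seconds without a valid message before braking (assumption)
MAX_TRANSIT_DELAY = 0.5   # older messages are treated as delayed and ignored (assumption)
ACK_TIMEOUT = 1.0         # trackside waits this long for an acknowledgement (assumption)


class State(Enum):
    RUNNING = "running"
    BRAKING = "braking"


class TrainReceiver:
    """Train-borne side: a watchdog that brakes when valid messages stop arriving."""

    def __init__(self, now: float):
        self.last_valid = now
        self.state = State.RUNNING

    def on_message(self, sent_at: float, now: float) -> str:
        # Slide 30: a delayed message is not fresh information, so it must not
        # refresh the watchdog; the timestamp is what makes the delay visible.
        if now - sent_at > MAX_TRANSIT_DELAY:
            return "discarded: delayed"
        self.last_valid = now
        return "accepted"

    def tick(self, now: float) -> State:
        # Slide 25: deleted messages cause no hazard by themselves; the timeout
        # moves the train to the fail-safe state. The state latches (assumption)
        # until an operator reset, which is not modelled here.
        if now - self.last_valid > MESSAGE_TIMEOUT:
            self.state = State.BRAKING
        return self.state


class EmergencySender:
    """Trackside side: an emergency message is repeated until it is acknowledged."""

    def __init__(self, now: float):
        self.sent_at = now
        self.acked = False
        self.transmissions = 1

    def tick(self, now: float) -> str:
        if self.acked:
            return "acknowledged"
        if now - self.sent_at > ACK_TIMEOUT:
            self.sent_at = now
            self.transmissions += 1
            return "retransmitted"
        return "waiting"

    def on_ack(self) -> None:
        self.acked = True


def simulate_deletion() -> list[tuple[float, str]]:
    """Messages at t=1 and t=2, then the link goes silent (deleted messages)."""
    rx = TrainReceiver(now=0.0)
    for t in (1.0, 2.0):
        rx.on_message(sent_at=t - 0.1, now=t)
    return [(t, rx.tick(t).value) for t in (3.0, 4.0, 5.0, 6.0)]


def simulate_delay() -> tuple[str, str]:
    """A message held up for 2 s arrives at t=12: ignored, and the watchdog then fires."""
    rx = TrainReceiver(now=10.0)
    verdict = rx.on_message(sent_at=10.0, now=12.0)
    return verdict, rx.tick(13.5).value


def simulate_emergency_ack() -> tuple[list[str], int]:
    """The first transmission at t=0 gets no acknowledgement; the repeat does."""
    tx = EmergencySender(now=0.0)
    log = [tx.tick(0.5), tx.tick(1.5)]   # waiting, then retransmitted
    tx.on_ack()
    log.append(tx.tick(2.0))
    return log, tx.transmissions


if __name__ == "__main__":
    print(simulate_deletion())
    print(simulate_delay())
    print(simulate_emergency_ack())
```

In the deletion run the train keeps running through the three seconds the timeout allows and brakes on the next tick; in the delay run the stale message is discarded rather than being allowed to reset the watchdog.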

31 Masquerading of Messages
- Use of identifiers
- Use of cryptographic techniques

32 Security of Rail Networks
- Of course, there are easier ways of deliberately disrupting railways than spoofing/deleting messages from trackside to train
- Difficult to gain physical access to the network

33 An Interesting Website
- Allows you to graphically monitor train traffic on railroads that use the Association of American Railroads' Advanced Train Control System (ATCS) Specification 200 protocol (among others)
- All you need is a radio scanner! That is, when you're not listening to the police, or baby monitors

34 Some other Security Issues
- Security of map data and software loaded into train control units
- Management of private keys for each train
- The future will involve satellite positioning systems (Galileo) and the use of more and more COTS products, which increase the security risk

35 Summary
- Security issues can be safety issues too
- To get approval for systems, you have to show that you have considered threats to message integrity and protected against them
- Real applications for cryptographic techniques

36 Further Information
- Railway Safety Standards
  - BS EN 50159: Railway Applications – Communication, Signalling and Processing Systems
- ERTMS Standards
- Lots of information about Communications Systems for train control, US focussed, no future maintenance
- "Safeware: System Safety and Computers" by Nancy Leveson. Addison Wesley, 1995
- IEE Website (Institute of Electrical Engineers)
  - Railway Professional Network
  - Functional Safety Professional Network

37 WESTINGHOUSE RAIL SYSTEMS

