Rail Security Research Improving Transportation Safety

Mark Hartong, Federal Railroad Administration and GMU; Murad Mehmet, George Mason University; Rajni Goel, Howard University; Duminda Wijesekera, GMU


Overview

  • Why Rail Security?
  • Areas of Research
    – Requirements Analysis and Modeling
    – Threat Modeling & Analysis
    – Forensic Analysis
    – Trust Management for Railroads


Why Rail Security?

  • $38 billion industry
  • 549 freight railroads, 20 commuter railroads, Amtrak
  • 141,000 miles of track
  • 25% of intercity freight tonnage
  • 36% of hazardous material by volume
  • 411 million commuters
  • 23 million intercity passengers


Basic Positive Train Control

[Figure: basic PTC architecture. Components: GPS, wayside devices, dispatch center, locomotive and onboard system.]

Core PTC Functionality

  • Ensure positive train separation
  • Enforce mandatory speed restrictions
  • Provide roadway worker protection

PTC Requirements

  • Positive train separation
  • Mandatory speed control
  • Railroad worker protection
  • Arranged in four levels with increasing functionality


Gathering and Analyzing Requirements

Use Cases and Misuse Cases

[Figure: use/misuse case diagram. Actors: <<Engineer>>, <<Dispatcher>>, <<Attacker>>. Use case: Communicates Authority Information. A <<prevents>> relation links the mitigating use case to the attacker's misuse case.]

Detailed Use Cases and Misuse Cases

[Figure: detailed use/misuse case diagram. Actors: Central Office Dispatch, Mobile Units, Wayside Units, Attacker. PTC functional use cases: Prevent Train-Train Collision, Process Wayside Status Data, Process Consist Data, Process Track Warrant, Process Train Information, Authorize Track Warrant, Transmit Train Information, connected by <<includes>> and <<extends>> relations. Attacker misuse cases on the data field: Interrupts, Modifies, Intercepts, each linked by <<prevents>> to the functional use case it targets.]


In Detail: Normal Operation

[Figure: sequence diagram. Participants: Engineer, Signal/Wayside, Onboard System, Dispatch Center, Attacker. Messages: Request Signal Status, Report Signal Status (to dispatch, onboard and signal), Change Signal, Respond Command.]


Even More Detail: Normal Operation Annotated with States and Timing

[Figure: the same sequence diagram annotated for the automaton model. States: S0/S1 (Signal/Wayside), D0/D1 (Dispatch Center), O0/O1 (Onboard System), E0/E1 (Engineer), with ρ(S0), ρ(D0), ρ(O0) annotating states. Transitions carry λ labels per message and receiver: λCS-S, λCS-D (Change Signal); λRSS-S, λRSS-D, λRSS-O (Report Signal Status); λRQ-D, λRQ-O (Request Signal Status); λRC-O, λRC-E (Respond Command). Composite steps are bounded by the maximum over their receivers, e.g. Max(λCS-S, λCS-D), Max(λRSS-D, λRSS-O), Max(λRQ-D, λRQ-O), Max(λRC-E, λRC-O), and chained steps such as Max(λCS-RSS-S, λCS-RSS-D) and Max(λRQ-RSS-D, λRQ-RSS-O).]


Detailed Requirements

  • Requirements are time dependent
  • Each task needs to be finished within a time interval that follows a probabilistic distribution
  • We model them as a collection of communicating probabilistic temporal automata to analyze the effect of deliberate attacks on the control system by:
    – Mis-signaling
    – Delaying signal messages
    – Altering signal codes in transmission
  • Their effect in causing accidents

Example: Signal Passed at Danger

[Figure: train approaching a signal at danger, annotated with the distances d_SAFE, d_BRAKE and d_OVER, the train velocity V, its kinetic energy KE and its mass M.]

Solution: model the controlling entities as probabilistic temporal automata
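As an added example that is not part of the slides, the Go program below models the stop path of the sequence diagram (wayside reports the signal state to dispatch, dispatch commands the onboard system, the onboard system enforces on the engineer) as a chain of probabilistic timed transitions and estimates by Monte Carlo how often the train passes the signal at danger under the three attacks listed above. Everything beyond the slide's symbols is an assumption: hop latencies are exponentially distributed with the λ rates as parameters, the braking force F is constant so that d_BRAKE = KE / F, d_OVER = V*T + d_BRAKE - d_SAFE for end-to-end latency T, and the train parameters, rates and attack values are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Train carries the slide's quantities, mass M and speed V, plus a constant
// braking force F (an assumption not on the slide).
type Train struct {
	Mass  float64 // M, kg
	Speed float64 // V, m/s
	Force float64 // F, N
}

// KineticEnergy returns KE = 1/2 * M * V^2.
func (t Train) KineticEnergy() float64 { return 0.5 * t.Mass * t.Speed * t.Speed }

// BrakingDistance returns d_BRAKE = KE / F, the distance over which the constant
// force F dissipates the train's kinetic energy.
func (t Train) BrakingDistance() float64 { return t.KineticEnergy() / t.Force }

// Stage is one message hop of the report-and-command chain, modelled as a
// probabilistic timed transition: hop latency ~ Exponential(rate), mean 1/rate s.
type Stage struct {
	Name string  // transition label from the slide, e.g. "RSS-D"
	Rate float64 // lambda, 1/s
}

// Attack is the deliberate interference applied to one stage: extra delay injected
// into the message, and the probability that the message never arrives in usable
// form (mis-signaling, or an altered signal code that fails validation).
type Attack struct {
	ExtraDelay float64 // seconds
	PDrop      float64
}

// Latency samples the time from the signal going to danger until the brake is
// applied. A dropped message means the stop never arrives (+Inf).
func Latency(rng *rand.Rand, chain []Stage, attacks map[string]Attack) float64 {
	total := 0.0
	for _, s := range chain {
		total += rng.ExpFloat64() / s.Rate
		if a, ok := attacks[s.Name]; ok {
			if rng.Float64() < a.PDrop {
				return math.Inf(1)
			}
			total += a.ExtraDelay
		}
	}
	return total
}

// Overrun returns d_OVER = V*T + d_BRAKE - d_SAFE for end-to-end latency T.
// A positive value means the train stops beyond the signal: a SPAD.
func Overrun(t Train, dSafe, latency float64) float64 {
	return t.Speed*latency + t.BrakingDistance() - dSafe
}

// SPADProbability estimates P(d_OVER > 0) by Monte Carlo over n runs of the chain,
// with a fixed seed so the estimate is reproducible.
func SPADProbability(seed int64, n int, t Train, dSafe float64, chain []Stage, attacks map[string]Attack) float64 {
	rng := rand.New(rand.NewSource(seed))
	spad := 0
	for i := 0; i < n; i++ {
		if Overrun(t, dSafe, Latency(rng, chain, attacks)) > 0 {
			spad++
		}
	}
	return float64(spad) / float64(n)
}

// DefaultChain is the stop path of the sequence diagram: Report Signal Status to
// dispatch (RSS-D), Respond Command to the onboard system (RC-O), enforcement on
// the engineer (RC-E). The rates are illustrative assumptions.
func DefaultChain() []Stage {
	return []Stage{{"RSS-D", 1.0}, {"RC-O", 1.0}, {"RC-E", 2.0}}
}

func main() {
	// Constructed case: a 1,000 t train at 30 m/s with 500 kN of braking force,
	// 1,500 m short of the signal when it drops to danger.
	train := Train{Mass: 1e6, Speed: 30, Force: 5e5}
	dSafe := 1500.0
	fmt.Printf("d_BRAKE = %.0f m, time margin = %.1f s\n", train.BrakingDistance(),
		(dSafe-train.BrakingDistance())/train.Speed)
	base := SPADProbability(1, 10000, train, dSafe, DefaultChain(), nil)
	delayed := SPADProbability(1, 10000, train, dSafe, DefaultChain(),
		map[string]Attack{"RC-O": {ExtraDelay: 25}})
	dropped := SPADProbability(1, 10000, train, dSafe, DefaultChain(),
		map[string]Attack{"RSS-D": {PDrop: 0.5}})
	fmt.Printf("P(SPAD): normal %.4f, 25 s delay on RC-O %.4f, 50%% drop on RSS-D %.4f\n",
		base, delayed, dropped)
}
```

With these values the train has 20 s of slack (600 m at 30 m/s), so the unattacked chain practically never overruns, a 25 s injected delay on the dispatch-to-onboard hop overruns every time, and dropping half of the wayside reports overruns about half the time; the model makes the time dependence of the requirement explicit and lets each attack be scored by its effect on the accident probability.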


Forensic Analysis

[Figure: a use case and a misuse case (each with Summary, Basic Path, Alternate Path) linked by <<prevents>>; the misuse case yields Generated Requirements (Requirement 1, 2, 3) and Evidence (Evidence 1, 2, ...), from which an Evidence Identifier is derived.]

Use Cases and Misuse Cases for Forensic Analysis

[Figure: each misuse case (Misuse Case 1, 2, ..., n) has an evidence identifier, a set of evidence items such as {A, C, F}, {A, B, G, H} or {B, C, F, H}, and generated requirements. Collected forensic evidence (Forensic Evidence 1, 2, e.g. {C, L, H, K}) is matched against the evidence identifiers; evidence that matches no identifier yields a new misuse case, a new evidence identifier and new requirements.]
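As an added example that is not part of the slides, the Go program below implements the matching step of this figure: known misuse cases carry evidence identifiers, collected evidence is scored against them, a complete or sufficiently strong match is attributed to the known case, and unmatched evidence is promoted to a new misuse case with a new identifier and a generated requirement. The item labels follow the figure; the Jaccard score, the 0.5 threshold and the wording of the generated requirement are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// EvidenceSet is a set of evidence item labels (the A, B, C ... boxes on the slide).
type EvidenceSet map[string]bool

// NewEvidenceSet builds a set from item labels.
func NewEvidenceSet(items ...string) EvidenceSet {
	s := EvidenceSet{}
	for _, it := range items {
		s[it] = true
	}
	return s
}

// Sorted returns the items in a stable order for printing and naming.
func (s EvidenceSet) Sorted() []string {
	out := make([]string, 0, len(s))
	for it := range s {
		out = append(out, it)
	}
	sort.Strings(out)
	return out
}

// MisuseCase pairs a misuse case with its evidence identifier (the traces an
// occurrence leaves behind) and the requirement generated to prevent it.
type MisuseCase struct {
	Name        string
	Identifier  EvidenceSet
	Requirement string
}

// Match scores one known misuse case against collected forensic evidence.
type Match struct {
	Case     string
	Score    float64 // Jaccard similarity between identifier and evidence
	Complete bool    // every item of the identifier is present in the evidence
}

// Jaccard returns |a ∩ b| / |a ∪ b|.
func Jaccard(a, b EvidenceSet) float64 {
	inter, union := 0, len(a)
	for it := range b {
		if a[it] {
			inter++
		} else {
			union++
		}
	}
	if union == 0 {
		return 0
	}
	return float64(inter) / float64(union)
}

// Classify ranks the known misuse cases against the evidence, best first.
func Classify(evidence EvidenceSet, cases []MisuseCase) []Match {
	var out []Match
	for _, mc := range cases {
		complete := true
		for it := range mc.Identifier {
			complete = complete && evidence[it]
		}
		out = append(out, Match{mc.Name, Jaccard(mc.Identifier, evidence), complete})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out
}

func lookup(cases []MisuseCase, name string) MisuseCase {
	for _, mc := range cases {
		if mc.Name == name {
			return mc
		}
	}
	return MisuseCase{}
}

// Triage attributes evidence to a known misuse case: a complete identifier match
// wins; otherwise a partial match at or above threshold is accepted (some evidence
// may have been lost). Below threshold the evidence becomes a new misuse case whose
// identifier is the evidence itself, with a new requirement. The bool reports whether
// the returned case is new.
func Triage(evidence EvidenceSet, cases []MisuseCase, threshold float64) (MisuseCase, bool) {
	ranked := Classify(evidence, cases)
	for _, m := range ranked {
		if m.Complete {
			return lookup(cases, m.Case), false
		}
	}
	if len(ranked) > 0 && ranked[0].Score >= threshold {
		return lookup(cases, ranked[0].Case), false
	}
	items := strings.Join(evidence.Sorted(), ",")
	return MisuseCase{
		Name:        "New Misuse Case {" + items + "}",
		Identifier:  evidence,
		Requirement: "Retain and protect evidence items " + items + "; add a use case that <<prevents>> this misuse",
	}, true
}

func main() {
	// Constructed identifiers using the slide's item labels.
	known := []MisuseCase{
		{"Misuse Case 1", NewEvidenceSet("A", "C", "F"), "Requirement 1"},
		{"Misuse Case 2", NewEvidenceSet("A", "B", "G", "H"), "Requirement 2"},
		{"Misuse Case n", NewEvidenceSet("B", "C", "F", "H"), "Requirement n"},
	}
	for _, ev := range []EvidenceSet{NewEvidenceSet("A", "C", "F", "K"), NewEvidenceSet("C", "L", "H", "K")} {
		mc, isNew := Triage(ev, known, 0.5)
		fmt.Printf("evidence %v -> %s (new=%v): %s\n", ev.Sorted(), mc.Name, isNew, mc.Requirement)
	}
}
```

The first evidence set contains all of Misuse Case 1's identifier and is attributed to it; the second ({C, L, H, K}, as in the figure) overlaps no identifier well enough and is promoted to a new misuse case, which is the feedback path from forensic evidence back to requirements that the figure describes.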


Trust Management for Railroads

  • Railroads share trains
  • Railroad A's train travels on B's track with C's crew
  • How does one recognize these entities?
  • Need some trust management
  • Suggest
    – Using certificates and an identity management function


Suggested Assets

  • Private assets: used within a railroad
  • Public assets: used across railroads
  • Current crypto period: in use
  • Next crypto period: next to be used
  • Active: in use
  • Spare: for use if the active one is compromised


Eg: Change Railroad Dispatch Centers

[Figure: message sequence for a road change. Participants: Engineer (A), Onboard System (B), Dispatch Center (C), Dispatch Center (D), CA (B), CA (C), CA (D). B and C initially share the message encryption key MEK_BC and B presents B's public certificate. Messages shown: (Change to D, Pub D) signed by C; E(D Pub / Login, D Pub, B) from B to D for the road change; (REQ Data Update to D) signed by B; (Data Load D to C) signed by D via the trusted communication network; E(PUB B / NEW MEK) delivering the new key to B; E(PUB B / ZERO MEK) retiring the old key; and E(B Pub / Y), E(D Pub / Y).]
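As an added example, and not the authors' protocol implementation, the Go program below realizes the core of the handover sketched in the figure with standard-library cryptography: each principal holds a certificate signed by its own railroad's CA, the current dispatch center C signs the change to D, the onboard system B verifies that signature and checks D's certificate against the set of CAs it trusts across railroads (the "public assets" of the previous slide), D verifies B's certificate, transports a fresh MEK to B under B's public key, and B zeroizes the old MEK_BC before installing the new key. Assumptions the slide does not specify: Ed25519 for signatures, X25519 plus AES-GCM for E(PUB B / NEW MEK) with SHA-256 of the shared secret standing in for a proper KDF, a minimal certificate format, and constructed names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on errors that can only come from the system RNG or keys this process generated.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newSignKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return must(priv, err)
}

// Cert: subject, Ed25519 signing key, X25519 key-agreement key (the "Pub" of
// E(PUB/...) on the slide) and the issuing railroad CA's signature over all of them.
type Cert struct {
	Subject, Issuer string
	SignPub         ed25519.PublicKey
	KEMPub, CASig   []byte
}

func (c Cert) tbs() []byte { return []byte(fmt.Sprintf("%s|%x|%x|%s", c.Subject, c.SignPub, c.KEMPub, c.Issuer)) }

// Principal is an onboard system or dispatch center: certificate, private keys and
// the message encryption key (MEK) shared with its current peer.
type Principal struct {
	Cert Cert
	sign ed25519.PrivateKey
	kem  *ecdh.PrivateKey
	MEK  []byte
}

// NewPrincipal generates keys for subject and has the railroad CA (caPriv) certify them.
func NewPrincipal(subject, issuer string, caPriv ed25519.PrivateKey) *Principal {
	sign, kem := newSignKey(), must(ecdh.X25519().GenerateKey(rand.Reader))
	c := Cert{Subject: subject, Issuer: issuer, SignPub: sign.Public().(ed25519.PublicKey), KEMPub: kem.PublicKey().Bytes()}
	c.CASig = ed25519.Sign(caPriv, c.tbs())
	return &Principal{Cert: c, sign: sign, kem: kem}
}

// VerifyCert accepts a certificate only if a CA in the trusted set signed it.
func VerifyCert(c Cert, trusted map[string]ed25519.PublicKey) error {
	if pub, ok := trusted[c.Issuer]; !ok || !ed25519.Verify(pub, c.tbs(), c.CASig) {
		return errors.New("certificate for " + c.Subject + " does not chain to a trusted CA")
	}
	return nil
}

// SignChange is (Change to D, Pub D) SIGN-C: the current center signs the new center's certificate.
func (p *Principal) SignChange(newCenter Cert) []byte { return ed25519.Sign(p.sign, newCenter.tbs()) }

// AcceptChange is B's check: the change is signed by its current center and the new center's cert is trusted.
func (p *Principal) AcceptChange(newCenter Cert, sig []byte, current Cert, trusted map[string]ed25519.PublicKey) error {
	if !ed25519.Verify(current.SignPub, newCenter.tbs(), sig) {
		return errors.New("change notice not signed by current dispatch center")
	}
	return VerifyCert(newCenter, trusted)
}

// WrappedMEK is E(PUB B / NEW MEK): AES-GCM under SHA-256 of an ephemeral X25519
// shared secret (SHA-256 alone stands in for a real KDF such as HKDF; a simplification).
type WrappedMEK struct{ EphPub, Nonce, Ciphertext []byte }

func gcmFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// WrapMEK is run by D. B's KEMPub is bound as associated data so the wrap cannot be replayed to another train.
func WrapMEK(recipient Cert, mek []byte) WrappedMEK {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	gcm := gcmFor(must(eph.ECDH(must(ecdh.X25519().NewPublicKey(recipient.KEMPub)))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return WrappedMEK{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, mek, recipient.KEMPub)}
}

// InstallMEK is run by B: unwrap the new MEK, zeroize MEK_BC (the ZERO MEK step), install the new key.
func (p *Principal) InstallMEK(w WrappedMEK) error {
	epub, err := ecdh.X25519().NewPublicKey(w.EphPub)
	if err != nil {
		return err
	}
	shared, err := p.kem.ECDH(epub)
	if err != nil {
		return err
	}
	mek, err := gcmFor(shared).Open(nil, w.Nonce, w.Ciphertext, p.Cert.KEMPub)
	if err != nil {
		return err
	}
	for i := range p.MEK {
		p.MEK[i] = 0
	}
	p.MEK = mek
	return nil
}

// Handover: C signs the change to D, B verifies it, D verifies B's login certificate,
// issues a fresh MEK, and B installs it.
func Handover(b, c, d *Principal, trusted map[string]ed25519.PublicKey) error {
	if err := b.AcceptChange(d.Cert, c.SignChange(d.Cert), c.Cert, trusted); err != nil {
		return err
	}
	if err := VerifyCert(b.Cert, trusted); err != nil {
		return err
	}
	d.MEK = make([]byte, 32)
	must(rand.Read(d.MEK))
	return b.InstallMEK(WrapMEK(b.Cert, d.MEK))
}

// Setup builds one CA per railroad, the trusted CA set shared across railroads, and
// principals B, C and D (a constructed scenario, not taken from the slide).
func Setup() (b, c, d *Principal, trusted map[string]ed25519.PublicKey) {
	trusted = map[string]ed25519.PublicKey{}
	var ps [3]*Principal
	for i, n := range [][2]string{{"Onboard B", "CA(B)"}, {"Dispatch C", "CA(C)"}, {"Dispatch D", "CA(D)"}} {
		ca := newSignKey()
		trusted[n[1]] = ca.Public().(ed25519.PublicKey)
		ps[i] = NewPrincipal(n[0], n[1], ca)
	}
	return ps[0], ps[1], ps[2], trusted
}

func main() {
	b, c, d, trusted := Setup()
	b.MEK = []byte("MEK_BC") // key shared with C before the road change
	if err := Handover(b, c, d, trusted); err != nil {
		panic(err)
	}
	fmt.Println("B and D share the new MEK:", string(b.MEK) == string(d.MEK))
}
```

Two checks carry the trust-management point: B accepts a new dispatch center only if the change is signed by the center it currently talks to and the new center's certificate chains to a CA in the cross-railroad trusted set, so a center whose CA is unknown (or a change notice signed by anyone other than the current center) is rejected before any key material moves; and the MEK wrap authenticates under AES-GCM with B's public key as associated data, so a tampered or misdirected wrap fails to open and the old key is only zeroized once the new one has been recovered.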


Threat Modeling & Analysis

  • Socio-political-economic causations
  • Hazardous material routing
  • Risk analysis
  • Damage assessment


Publications

1. "Communications Based Positive Train Control Systems Architecture in the USA", 63rd IEEE Vehicular Technology Conference.
2. "Communications Security Concerns in Communications Based Train Control", 10th International Conference on Computer System Design and Operation in the Railway and Other Transit Systems.
3. "Use Misuse Case Driven Analysis of Positive Train Control", Second IFIP WG 11.9 International Conference on Digital Forensics.
4. "Key Management Requirements for Positive Train Control Communications Security", 2006 IEEE/ASME Joint Rail Conference.
5. "Mapping Misuse Cases to Functional Fault Trees for Positive Train Control Security", 9th International Conference on Applications of Advanced Technology in Transportation Engineering.