

  1. Rail Security Research Improving Transportation Safety
     Mark Hartong, Federal Railway Administration and GMU; Murad Mehmet, George Mason University; Rajni Goel, Howard University; Duminda Wijesekera, GMU

     Overview
     • Why Rail Security?
     • Areas of Research
       – Requirements Analysis and Modeling
       – Threat Modeling & Analysis
       – Forensic Analysis
       – Trust Management for Railroads

  2. Why Rail Security?
     • $38 billion industry
     • 549 freight railroads, 20 commuter railroads, Amtrak
     • 141,000 miles of track
     • 25% of intercity freight tonnage
     • 36% of hazardous material by volume
     • 411 million commuters
     • 23 million intercity passengers

     Basic Positive Train Control
     [Diagram: Dispatch Center, GPS, Locomotive & Onboard System, Wayside Devices]

  3. PTC Requirements
     • Positive train separation
     • Mandatory speed control
     • Railroad worker protection
     • Arranged in four levels with increasing functionality
     Core PTC Functionality (Basic Positive Train Control):
     • Ensure Positive Train Separation
     • Enforce Mandatory Speed Restrictions
     • Provide Roadway Worker Protection

     Gathering and Analyzing Requirements: Use Cases and Misuse Cases
     [Diagram: the use case "Communicates Authority Information", with actors <<Dispatcher>> and <<Engineer>>, is linked by <<prevents>> to the misuse case of an <<Attacker>>]

  4. Detailed Use Cases and Misuse Cases
     [Diagram: PTC functional use cases – Prevent Train-Train Collision, Transmit Train Information, Authorize Track Warrant, Process Consist Data, Process Wayside Status, Process Track Warrant Information, Process Train Data – joined by <extends> and assigned to Wayside Units, Mobile Units, Central Office and Dispatch; the Attacker's misuse cases Intercepts, Modifies and Interrupts Data Field are joined by <includes>, and each <prevents> a use case]

     Misuse Cases In Detail
     [Sequence diagram, normal case: actors Attacker, Signal/Wayside, Dispatch Center, Onboard System and Engineer; messages Change Signal, Report Signal Status, Request Signal Status, Report Signal Status, Respond Command]

  5. Even More Detail
     [Sequence diagram, normal case, with timing annotations: the same actors and messages as the previous slide; each message moves its sender and receiver between states (S0→S1, D0→D1, O0→O1, E0→E1), carries a probability ρ(·) on the initiating state, a per-hop latency λ (λ_CS-S, λ_CS-D, λ_CS-RSS-S, λ_CS-RSS-D, λ_RSS-S, λ_RSS-D, λ_RQ-D, λ_RQ-O, λ_RQ-RSS-D, λ_RQ-RSS-O, λ_RSS-O, λ_RC-O, λ_RC-E) and a completion bound Max(λ_x, λ_y) over the two parties]

     Detailed Requirements
     • Requirements are time dependent
     • Each task needs to be finished in a time interval within a probabilistic distribution
     • We model them as a collection of communicating probabilistic temporal automata to analyze the effect of deliberate attacks on the control system by:
       – Mis-signaling
       – Delaying signal messages
       – Altering signal codes in transmission
     • and their effect in causing accidents

  6. Example: Signal Passed at Danger
     [Figure: a train at speed V (with V_M also marked) approaching a signal at danger, showing the safe distance d_SAFE, the braking distance d_BRAKE and the overrun distance d_OVER]
     Solution: model controlling entities as probabilistic temporal automata

     Forensic Analysis
     [Table: a Misuse Case (Summary, Basic Path, Alternate Path) <<prevents>> a Use Case; each of the use case's requirements is paired with the evidence that would show it was met or violated – Requirement 1 / Evidence 1, Requirement 2 / Evidence 2, Requirement 3 / Evidence – yielding Generated Requirements and an Evidence Identifier]
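The Signal Passed at Danger example on slide 11, worked through as an added Python example that is not part of the original deck: a Monte Carlo run over the per-hop latencies λ of the stop-command chain estimates how the probability of an overrun (d_OVER > 0) grows when signal messages are delayed, which is the "delaying signal messages" effect the requirements slide asks to analyze. The hop names, latency distributions, train speed, braking rate and distances are all assumptions.

```python
"""Monte Carlo estimate of Signal Passed at Danger (SPAD) risk when the
stop-command message chain is delayed.  Constructed example: hop names
follow the slides' actors; all latency and train figures are assumptions."""
import random

# Message hops of a stop command, each with (mean, std dev) of a normal
# latency in seconds, truncated at zero.  Names mirror the lambda terms
# on the sequence chart; the numbers are constructed, not measured values.
HOPS = {
    "wayside_to_dispatch": (0.5, 0.1),  # Report Signal Status
    "dispatch_to_onboard": (1.0, 0.3),  # Respond Command
    "onboard_to_engineer": (2.0, 0.5),  # crew reaction before braking begins
}


def braking_distance(v_mps: float, decel_mps2: float) -> float:
    """d_BRAKE for speed V under uniform deceleration: V^2 / (2a)."""
    return v_mps * v_mps / (2.0 * decel_mps2)


def sample_latency(rng: random.Random, mean: float, sd: float) -> float:
    """One draw from the hop's latency distribution (never negative)."""
    return max(0.0, rng.gauss(mean, sd))


def overrun_distance(v_mps, d_safe, decel, hop_delays, extra_delay=0.0):
    """d_OVER = distance run during the delays + d_BRAKE - d_SAFE.
    Positive means the train passes the signal at danger.  extra_delay
    models a held-back message (the slides' 'delaying signal messages')."""
    t_total = sum(hop_delays) + extra_delay
    return v_mps * t_total + braking_distance(v_mps, decel) - d_safe


def spad_probability(v_mps, d_safe, decel, extra_delay=0.0,
                     trials=5000, seed=1):
    """Fraction of trials in which the train overruns the signal."""
    rng = random.Random(seed)
    spads = 0
    for _ in range(trials):
        delays = [sample_latency(rng, m, s) for m, s in HOPS.values()]
        if overrun_distance(v_mps, d_safe, decel, delays, extra_delay) > 0:
            spads += 1
    return spads / trials


if __name__ == "__main__":
    V, D_SAFE, DECEL = 25.0, 600.0, 0.8  # 90 km/h, 600 m to signal, 0.8 m/s^2
    for extra in (0.0, 5.0, 10.0):
        p = spad_probability(V, D_SAFE, DECEL, extra)
        print(f"added delay {extra:4.1f} s -> P(SPAD) = {p:.3f}")
```

With these constructed figures the undisturbed chain never overruns, a 5 s hold-back turns roughly every other run into a SPAD, and 10 s makes it certain; the same loop gives a design margin or message-timeout requirement for a real deployment once measured latencies replace the assumed ones.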

  7. Use Cases and Misuse Cases for Forensic Analysis
     [Diagram: Misuse Case 1, Misuse Case 2, ..., Misuse Case n each map to Evidence Identifier 1, 2, ..., n; a New Misuse Case yields New Requirements and a New Evidence Identifier; the identifiers (drawn as letters A, B, C, F, G, H, K, L, ...) are collected into Forensic Evidence 1 and Forensic Evidence 2]

     Trust Management for Railroads
     • Railroads share trains
     • Railroad A's train travels on B's track with C's crew
     • How does one recognize these entities?
     • Need some trust management
     • Suggest
       – Using certificates and an identity management function

  8. Suggested Assets
     • Private Assets – within a railroad
     • Public Assets – across railroads
     • Current Crypto Period – in use
     • Next Crypto Period – next use
     • Active – in use
     • Spare – for use if compromised

     Eg: Change Railroad Dispatch Centers (Road Change)
     [Sequence diagram: participants Engineer, Onboard System, two Dispatch Centers and the CAs of railroads B, C and D, labelled (A)–(D); messages, in order: MEK_BC, PUB_B; MEK_BC(Change to D, Pub_D) Sign_C; "? B Pub Cert" queries answered with B Pub Cert; E(D_Pub/Login D_Pub B) with B Pub Cert; E(B_Pub/Y), E(D_Pub/Y); E(PUB_B/ZERO MEK), E(PUB_B/NEW MEK); (REQ Data Update to D) SIGN-B via Trusted Communication Network; (Data Load D to C) SIGN-D]

  9. Threat Modeling & Analysis
     • Socio-Political-Economic Causations
     • Hazardous Material Routing
     • Risk Analysis
     • Damage Assessment

     Publications
     1. “Communications Based Positive Train Control Systems Architecture in the USA”, 63rd IEEE International Vehicle Technology Conference.
     2. “Communications Security Concerns in Communications Based Train Control”, 10th International Conference on Computer System Design and Operation in the Railway and Other Transit Systems.
     3. “Use Misuse Case Driven Analysis of Positive Train Control”, Second IFIP WG 11.9 International Conference on Digital Forensics.
     4. “Key Management Requirements for Positive Train Control Communications Security”, 2006 IEEE/ASME Joint Rail Conference.
     5. “Mapping Misuse Cases to Functional Fault Trees for Positive Train Control Security”, 9th International Conference on Applications of Advanced Technology in Transportation Engineering.
