Security analysis and assessment of threats in European signalling systems?

Transcription

1 Security analysis and assessment of threats in European signalling systems? New Challenges in Railway Operations Dr. Thomas Störtkuhl, Dr. Kai Wollenweber TÜV SÜD Rail Copenhagen, 20 November 2014 Slide 1

2 Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC Steps for Security Inspection or Certification Summary Slide 2

3 Day-to-day experience with vulnerabilities General Application Password No or only a minimum of network segmentation Assets are not known, no network plan No periodic IT security audits No security monitoring No or weak processes (e.g. security incident handling) Employees with no security skills Possibility of attacks (DoS, Cross Site Scripting, code execution) Security is not integrated into the development process No security tests, incl. 3rd party software Incorrect implementation of cryptographic algorithms Default passwords Weak/trivial passwords Password in clear text Passwords on post-it Generic password for user groups Root passwords are group passwords for suppliers Slide 3

4 Day-to-day experience with vulnerabilities Use of Engineering Workstations Remote Access & Maintenance Any accessible interfaces in the industrial IT infrastructure is used EWS is used in different networks for different customers EWS is often used as a standard computer Different solutions of the suppliers are implemented and allowed For Remote Access no DMZ is implemented Remote access is always enabled and therefore can be used at any time without control Group accounts Multi-factor authentication are not used Slide 4

5 Day-to-day experience with vulnerabilities Protocols USB-Token Unprotected communications TLS/SSL: use of weak cipher suites Wireless communication without authentication and encryption Incorrect implementation of cryptographic algorithms No regulations for the use of USB Tokens Uncontrolled USB tokens are used by suppliers No virus scanning for USB tokens (not to think about Bad USB ) Slide 5

6 80% of Malware cannot be Detected by Anti-Virus Software Digitization becomes increasingly complex entry points for attacks grow exponentially Slide 6

7 Our Industrial IT Security Services Consulting Security Management & Organisation Threat & Risk Analysis IT Security Processes (Development, Operation, Maintenance) Technical & Process Audits Security Handbook Testing Communication Robustness Testing Penetration Testing Assessment & Certification (DAkkS accredited) IT Security Management Systems, Industrial Control Systems & Products Process & Product Assessments (Development, Operation, Maintenance) Communication Robustness & Penetration Testing Lab Slide 7

8 Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC Steps for Security Inspection or Certification Summary Slide 8

9 Content and Structure of relevant Security Standards & Guidelines Processes Security Guidelines IEC IEC IEC IEC Best Practices Coding Standards DIN VDE V EN Safety Communication only No implementation recommendations How Security Objectives / Requirements IEC IEC Implementation Standards & Guidelines BSI TR Cryptography: Recommendations and Key Lengths FIPS Security Requirements for Cryptographic Modules What Slide 9

10 Current status of relevant standards for electric signalling systems DIN EN Railway applications Communication, signalling and processing systems Safety-related communication in transmission systems DIN VDE V Electric signalling systems for railways Part 104: IT Security Guideline based on IEC DIN VDE V Electric signalling systems for railways Part 102: Protection profile for technical functions in railway signalling They all have in common: Focus only on safety relevant threats Internal attackers are out of scope Slide 10

11 IEC 62443: Overview IEC Industrial communication networks Network and system security General Policies & Procedures System Component / Product 1-1 Terminology, concepts and models 2-1 Requirements for an IACS security management system 3-1 Security technologies for IACS 4-1 Product development requirements 1-2 Master glossary of terms and abbreviations 2-2 Implementation guidance for an IACS security management system 3-2 Security levels for zones and conduits 4-2 Technical security requirements for IACS components 1-3 System security compliance metrics 2-3 Patch management in the IACS environment 3-3 System security requirements and security levels 1-4 IACS security lifecycle and use-case 2-4 Installation and maintenance requirements for IACS suppliers Basis for DIN VDE V Published Versions Draft Versions Slide 11

12 Threats for a electric Signalling System Slide 12

13 Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC Steps for Security Inspection or Certification Summary Slide 13

14 Frequency Classical risk analysis approach Risk model R = D* F R Risk ( / year ) D Damage F Frequency of Occurrence Negligible Marginal Critical Catastrophic Frequent Probable Minor Improbable Damage Slide 14

15 Impact of Cyber Security Risks on classical Risk Management Process Probabilities for attacks are not available and are difficult / impossible to calculate Threat probabilities and the resulting risks are not quantifiable, only qualifiable As a result IEC and derived DIN VDE V define the characteristics of an attacker through parameters (skill, means, resources, motivation) Definition of risk-based Security Levels [IEC :2013]: Security Level 1 (SL1) Prevent the unauthorized disclosure of information via eavesdropping or casual exposure. Security Level 2 (SL2) Prevent the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills and low motivation. Security Level 3 (SL3) Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, IACS specific skills and moderate motivation. Security Level 4 (SL4) Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS specific skills and high motivation. Slide 15

16 Approach for Cyber Security Risk Management (DIN VDE V ) Approach for the cyber security risk management (risk = damage x probability) Establishing the context i.e. scope definition, structure analysis of the target system, defining risk criteria, protection level based on defined attacker characteristics (e.g. security level) Risk identification i.e. identification of all relevant threats with impact on safety Risk analysis and evaluation i.e. estimation of damages & attacker characteristics, risk categorization based on defined risk criteria Risk treatment i.e. deriving relevant countermeasures to withstand the defined characteristics of an attacker Prerequisites Methodology to estimate the characteristics of an attacker Parameters to define characteristics of an attacker Threat analysis methodology (e.g. threat modeling, threat catalogue) Slide 16

17 Security Level Modified Security Risk Matrix Negligible Marginal Critical Catastrophic SL1 ( frequent ) SL2 ( probable ) SL3 ( minor ) SL4 ( improbable ) Damage Slide 17

18 Example: Threats to an Electric Signalling System Threat Short description IAC UC SI RDF TRE Malicious Software (1) Unauthorized access to communication (2) Exploit of vulnerabilities (3) Escalation of access rights (4) Virus, worms, trojans which use vulnerabilities in some software Weak passwords, default passwords used for applications and components, even worse for administration or remote access Development process which does not integrate IT security User and rights management has low maturity level X X X X X X X X X X X X X X From IEC and DIN VDE V : IAC Identification and Authentication Control UC Use Control SI System Integrity RDF Restricted Data Flow TRE Timely Response to Events Slide 18

19 Example: Threats to an Electric Signalling System Slide 19

20 Example: Threats to an Electric Signalling System Malicious Software (1) Threat Short description Covered by DIN EN Virus, worms, trojans which use vulnerabilities in some software Covered by IEC X Unauthorized access to communication (2) Weak passwords, default passwords used for applications and components, even worse for administration or remote access X X Exploit of vulnerabilities (3) Escalation of access rights (4) Development process which does not integrate IT security User and rights management has low maturity level X X Slide 20

21 Example: Threats to an Electric Signalling System Malicious Software (1) Threat Requirement from IEC Covered by DIN EN SR 3.2 Malicious code protection The control system shall provide the capability to employ protection mechanisms to prevent, detect, report and mitigate the effects of malicious code or unauthorized software. The control system shall provide the capability to update the protection mechanisms. Covered by IEC X Exploit of vulnerabilities (3) SR 3.4 Software and information integrity The control system shall provide the capability to detect, record, report and protect against unauthorized changes to software and information at rest. X Slide 21

22 Example: Threats to an Electric Signalling System Threat Requirement from IEC Covered by DIN EN Escalation of access rights (4) SR 2.1 Authorization enforcement On all interfaces, the control system shall provide the capability to enforce authorizations assigned to all human users for controlling use of the control system to support segregation of duties and least privilege. SR 6.2 Continuous monitoring The control system shall provide the capability to continuously monitor all security mechanism performance using commonly accepted security industry practices and recommendations to detect, characterize and report security breaches in a timely manner. Covered by IEC X X Slide 22

23 Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC Steps for Security Inspection or Certification Summary Slide 23

24 Identification of Security Requirements on System Level RAMS- Lifecycle, IEC Quality/ Processes System Safety Requirements Functional / Non-Functional Requirements Security Requirements Electric Signalling System DIN VDE V Security Features Specification Architecture Validation IEC Foundational Requirements DIN VDE V Design Implementation Verification Capabilities # Sec. Req. SL1 SL2 SL3 SL4 1 Authentication X 2 Confidentiality X 3 Error Handling X Documentation Security Manual Security Guidelines Report, referencing Product Documentation Slide 24

25 Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC Steps for Security Inspection or Certification Summary Slide 25

26 Agenda 1 The Challenge Security for Electric Signalling Systems 2 Security Standards 3 Security Analysis using IEC Steps for Security Inspection or Certification 5 Summary Slide 26

27 Benefits of IEC The benefits of IEC are Risk based approach Process oriented Combination with other standards possible Defined requirements Basis for assessment and certification Best Practice approach Slide 27

28 Status IEC Slide 28

29 Contact Dr. Thomas Störtkuhl Phone: Fax: Dr. Kai Wollenweber Phone: Fax: TÜV SÜD Rail GmbH Barthstr Munich Germany Slide 29