Cybersecurity and Communications Based Train Control

Transcription

1 Cybersecurity and Communications Based Train Control RAHEEL QURESHI CYBERSECURITY AUTHORITY URBAN RAIL SIGNALLING (URS) 2016 Thales Canada, Transportation Solutions. All rights reserved. Passing on or copying of this document, use or communication of its content in whole or in part is not permitted without Thales express prior written authorization.

2 Presentation Agenda Overview of the Cybersecurity Threat Landscape Enabling secure by design principles Meeting challenges in a digital and mobile communication environment 2

3 3

4 The Cybersecurity Landscape Cyberattacks on the Rise getting bigger attacks are The 4

5 How About Cyberattacks against Signalling Networks? The Tip of the Iceberg : January 2008: a teenage hacked into a Polish tram system using an adapted television remote control, derailing four vehicles as a prank. 12 people were injured in one such derailment. The boy had trespassed at tram depots to gather information and equipment. - December 2011: a Pacific Northwest transportation entity reported that hackers remotely attacked computers from three IPs, disrupting railway signals for two days. - July 2012: At DefCon, MIT researchers presented a series of steps against wireless access points and antennas that yielded the theft of an invalid certificates and Siemens login credentials. The team also cloned RFID badges of transportation staff. - May 2015: System passwords attached on top of a station controller s monitor at one of London s busiest railway stations were exposed to TV viewers during a BBC documentary broadcast. - October 2015: North Korea is suspected of hacking into a Seoul subway operator in 2014 for several months. Over 210 terminals of control centre and power supplier employees were infected with 58 instances of malware. - Many instances involve software/hardware updates being shipped out by suppliers with malware embedded 5

6 But I have a Firewall! 6

7 Cybersecurity Drivers What does it mean to the CBTC? Security Objectives Prevent Impact to operations (localized virus infection) to complete shutdown (e.g. self propagating worm, full hacking compromise) Safety Protection against EN 50159Threats: Repetition, Masquerading, etc, Availability Integrity Confidentiality Protect Thales and customer reputation and public trust 7

8 We Are No Longer Confined to the 4 Walls! Functional Requirements Driving Cybersecurity Needs o o o Use of Open wireless networks instead of closed WiFi (LTE or WiMAX) - LTE and WiMAX native security is not enough to protect safety critical systems Auxiliary functions where there is no coverage to the CBTC WiFi network. Fallback functions use a redundant fall back link to the WiFI network Primary link replacing the WiFi network China mandates the use of LTE View only from Untrusted Networks (remote ATS consoles) Dedicated workstation in the Client Data Network (CDN) that needs to VPN to the CBTC Mobile ATS terminals (e.g. Light Client for maintainer) that connect to the DCS via a public radio network (Internet) with secure command capabilities. Read-only web-based Remote ATS terminals and Universal terminals that reside on a public network ATS Interfaces to External Systems in Untrusted Networks (SCADA, Passenger Information System, Master Clock) 8

9 Secure By Design Cybersecurity Solution Secure Gateway (SG) Provides secure application level filtering for interfacing with external system such as SCADA and PIS. Security Information and Event Management Solution (SIEM) Provide logging and monitoring services and threat detection and prevention (multilayer): cyberattacks, malware. A searchable central log repository with alerting capabilities to the NMS. Onboard Internet Security Device (OISD) Additional SD (Encryption) functions such as multi-layer firewall and Hosting Intrusion Detection Prevention and remote logging to protect against public wireless networks 9

10 Adopting Industry Standards Control Frameworks IEC View NIST View Technical Security Controls Control Framework Thales Engineering Product Non-technical Security Controls IEC IEC NIST r4 Controls and Control Enhancements Mapping NIST r4 Establishing a Cybersecurity Assurance Process Adopting a Cybersecurity Standards Framework Embedding Cybersecurity in the Development Lifecycle Secure by Design Establishing Design Standards and Principles Creating Building Blocks and Deployment Patterns 10

11 Embedding cybersecurity in the development lifecycle Cybersecurity Management Plan Cybersecurity Requirement Gap Analysis DEFINITION & DECOMPOSITION Cybersecurity Architecture and Design Cybersecurity Risk Assessment Configure and Unit Test Cybersecurity Comp CBTC Cybersecurity Policy and Process Penetration Testing (FAT) Cybersecurity Configuration Verification (SAT) Development Lifecycle Cybersecurity Operations Procedure INTEGRATION & VERIFICATION SOR SSR SFR PDR CDR TRR TQR TRR FQR Orient Design Develop Integrate and Verify Validate 11

12 Secure By Design Cybersecurity Design Principles The following cyber security design principles are applied to the development of CBTC cyber security controls: Defense in Depth Multiple layers of defense are applied. Even if a layer of defense is breach, e.g. due to a zero-day-vulnerability the system will be resilient and prevent a cybersecurity breach. Incorporate Preventive, Detective, and Recovery Controls To succeed in addressing today s sophisticated cyber security attacks, the security solution must incorporate strong preventive mechanisms but also the ability to detect and quickly recover from cyber security attacks without affecting safety and system availability. Design Patterns Use of proven design patterns and protocols when available. CBTC will leverage tools and techniques that are de-facto industry standards. Risk based Approach Subsystem requirements, and design trade-off are based on cost benefit analysis from threat and risk assessments. 12

13 Meeting challenges in a digital and mobile communication environment Securing CBTC in the digital and mobile communication environment Ensuring cybersecurity and the ability of leveraging public networks in a secured way is embedded in the CBTC.Examples Include: Remote ATS Terminal web browser viewing of status information Light Client Use of tablets by maintainers Use of WiMAX and LTE as a secondary link to the private wireless network Cloud Computing Providing regular security health check Risk assessment and remediation of existing install base are the systems still secure? Monitoring, patching of Internet facing systems Providing cybersecurity monitoring solutions and services 13

14 Thank you! Questions? THALES GROUP INTERNAL