Security analysis and assessment of threats in European signalling systems: New Challenges in Railway Operations. Dr. Thomas Störtkuhl, Dr. Kai Wollenweber, TÜV SÜD Rail. Copenhagen, 20 November 2014. Slide 1
Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 2
Day-to-day experience with vulnerabilities
General:
- No or only minimal network segmentation
- Assets are not known, no network plan
- No periodic IT security audits
- No security monitoring
- No or weak processes (e.g. security incident handling)
- Employees with no security skills
Application:
- Exposure to attacks (DoS, cross-site scripting, code execution)
- Security is not integrated into the development process
- No security tests, including for 3rd-party software
- Incorrect implementation of cryptographic algorithms
Password:
- Default passwords
- Weak/trivial passwords
- Passwords stored in clear text
- Passwords on post-it notes
- One generic password shared by a user group
- Root passwords are group passwords shared with suppliers
Slide 3
Day-to-day experience with vulnerabilities
Use of engineering workstations (EWS):
- Any accessible interface in the industrial IT infrastructure is used
- The same EWS is used in different networks for different customers
- The EWS is often used as a standard office computer
Remote access & maintenance:
- Different supplier solutions are implemented and allowed side by side
- No DMZ is implemented for remote access
- Remote access is always enabled and can therefore be used at any time without control
- Group accounts
- Multi-factor authentication is not used
Slide 4
Day-to-day experience with vulnerabilities
Protocols:
- Unprotected communications
- TLS/SSL: use of weak cipher suites
- Wireless communication without authentication and encryption
- Incorrect implementation of cryptographic algorithms
USB tokens:
- No rules for the use of USB tokens
- Uncontrolled USB tokens are used by suppliers
- No virus scanning of USB tokens (not to mention BadUSB)
Slide 5
80% of malware cannot be detected by anti-virus software. Digitization becomes increasingly complex; entry points for attacks grow exponentially. Slide 6
Our Industrial IT Security Services
Consulting: security management & organisation; threat & risk analysis; IT security processes (development, operation, maintenance); technical & process audits; security handbook
Testing: communication robustness testing; penetration testing
Assessment & certification (DAkkS accredited): IT security management systems, industrial control systems & products; process & product assessments (development, operation, maintenance); communication robustness & penetration testing lab
Slide 7
Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 8
Content and structure of relevant security standards & guidelines
How (processes): IEC 62443-4-1, IEC 62443-2-4, IEC 62443-3-2, IEC 62443-2-1
Security guidelines: best practices, coding standards, DIN VDE V 0831-104
EN 50159: safety communication only, no implementation recommendations
What (security objectives / requirements): IEC 62443-3-3, IEC 62443-4-2
Implementation standards & guidelines: BSI TR-02102-1 (Cryptographic Mechanisms: Recommendations and Key Lengths; part 1 of the TR-02102 series carries this title, part 2 covers the use of TLS); FIPS 140-3 (Security Requirements for Cryptographic Modules; at the time of the talk still a draft, FIPS 140-2 being the version in force)
Slide 9
Current status of relevant standards for electric signalling systems
- DIN EN 50159 Railway applications: Communication, signalling and processing systems; safety-related communication in transmission systems
- DIN VDE V 0831-104 Electric signalling systems for railways, Part 104: IT security guideline based on IEC 62443
- DIN VDE V 0831-102 Electric signalling systems for railways, Part 102: Protection profile for technical functions in railway signalling
They all have in common: focus only on safety-relevant threats; internal attackers are out of scope
Slide 10
IEC 62443: Overview
IEC 62443 Industrial communication networks: Network and system security
General: 1-1 Terminology, concepts and models; 1-2 Master glossary of terms and abbreviations; 1-3 System security compliance metrics; 1-4 IACS security lifecycle and use cases
Policies & procedures: 2-1 Requirements for an IACS security management system; 2-2 Implementation guidance for an IACS security management system; 2-3 Patch management in the IACS environment; 2-4 Installation and maintenance requirements for IACS suppliers
System: 3-1 Security technologies for IACS; 3-2 Security levels for zones and conduits; 3-3 System security requirements and security levels
Component / product: 4-1 Product development requirements; 4-2 Technical security requirements for IACS components
Legend on the slide: published versions, draft versions, basis for DIN VDE V 0831-104
Slide 11
Threats for an electric signalling system (diagram) Slide 12
Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 13
Classical risk analysis approach
Risk model: R = D * F, with R = risk (per year), D = damage, F = frequency of occurrence
Risk matrix: damage classes (negligible, marginal, critical, catastrophic) against frequency classes (frequent, probable, minor, improbable)
Slide 14
Impact of cyber security risks on the classical risk management process
- Probabilities for attacks are not available and are difficult or impossible to calculate
- Threat probabilities and the resulting risks are therefore not quantifiable, only qualifiable
- As a result, IEC 62443 and the derived DIN VDE V 0831-104 characterise the attacker through parameters (skill, means, resources, motivation)
Definition of risk-based security levels [IEC 62443-3-3:2013], stated here in the wording used for the data confidentiality requirement (the general definitions refer to casual violation, simple means, sophisticated means with moderate resources, and sophisticated means with extended resources):
- Security Level 1 (SL1): prevent the unauthorized disclosure of information via eavesdropping or casual exposure.
- Security Level 2 (SL2): prevent the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills and low motivation.
- Security Level 3 (SL3): prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, IACS-specific skills and moderate motivation.
- Security Level 4 (SL4): prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS-specific skills and high motivation.
Slide 15
Approach for cyber security risk management (DIN VDE V 0831-104)
Approach for the cyber security risk management (risk = damage x probability):
1. Establishing the context, i.e. scope definition, structure analysis of the target system, defining risk criteria, protection level based on defined attacker characteristics (e.g. security level)
2. Risk identification, i.e. identification of all relevant threats with impact on safety
3. Risk analysis and evaluation, i.e. estimation of damages & attacker characteristics, risk categorization based on defined risk criteria
4. Risk treatment, i.e. deriving relevant countermeasures to withstand the defined characteristics of an attacker
Prerequisites: a methodology to estimate the characteristics of an attacker; parameters to define the characteristics of an attacker; a threat analysis methodology (e.g. threat modeling, threat catalogue)
Slide 16
Modified security risk matrix: damage classes (negligible, marginal, critical, catastrophic) against the security level in place of frequency: SL1 (frequent), SL2 (probable), SL3 (minor), SL4 (improbable) Slide 17
Example: Threats to an electric signalling system
Threat / short description:
- (1) Malicious software: viruses, worms, trojans which use vulnerabilities in some software
- (2) Unauthorized access to communication: weak passwords, default passwords used for applications and components, even worse for administration or remote access
- (3) Exploit of vulnerabilities: development process which does not integrate IT security
- (4) Escalation of access rights: user and rights management has a low maturity level
Each threat is marked against the foundational requirements it touches, from IEC 62443-3-3 and DIN VDE V 0831-104: IAC Identification and Authentication Control; UC Use Control; SI System Integrity; RDF Restricted Data Flow; TRE Timely Response to Events
Slide 18
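The risk management steps of slide 16, the modified matrix of slide 17 and the threat-to-foundational-requirement marks above, carried through in code. This is an added example, not material from the TÜV SÜD slides or from the standards: the ordinal ratings of the four attacker parameters, the cell values of the matrix, and the damage, attacker profile and FR mapping of the four threats are illustrative assumptions (the slide gives the method, not these values). The final step, taking the maximum required SL per foundational requirement over all threats, produces the per-FR target security level vector (SL-T) that IEC 62443-3-2 assigns to a zone; the slide itself does not show that step.

```python
"""Attacker-based security levels, modified risk matrix and SL-T vector.
Added example; all numeric ratings, matrix cells and the threat data are
illustrative assumptions, not values from the slides or from IEC 62443."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# The five foundational requirements named on the slide (IEC 62443-3-3 has seven;
# data confidentiality DC and resource availability RA are omitted here).
FOUNDATIONAL_REQUIREMENTS = ("IAC", "UC", "SI", "RDF", "TRE")

# Ordinal ratings for the four attacker parameters, following the SL1..SL4 wording
# of IEC 62443-3-3 (casual -> simple/low/generic -> sophisticated/moderate/IACS-specific
# -> extended resources / high motivation). Assumed scale.
MEANS = {"casual": 1, "simple": 2, "sophisticated": 3}
RESOURCES = {"none": 1, "low": 2, "moderate": 3, "extended": 4}
SKILLS = {"none": 1, "generic": 2, "iacs_specific": 3}
MOTIVATION = {"none": 1, "low": 2, "moderate": 3, "high": 4}

# Modified risk matrix: damage class x SL axis, where SL1 plays the role of
# "frequent" and SL4 of "improbable". Cell values are an illustrative assumption.
RISK_MATRIX = {
    "negligible":   ("tolerable",   "negligible",  "negligible",  "negligible"),
    "marginal":     ("undesirable", "tolerable",   "negligible",  "negligible"),
    "critical":     ("intolerable", "undesirable", "tolerable",   "negligible"),
    "catastrophic": ("intolerable", "intolerable", "undesirable", "tolerable"),
}
ACCEPTABLE = {"tolerable", "negligible"}


@dataclass(frozen=True)
class Attacker:
    means: str
    resources: str
    skills: str
    motivation: str

    def security_level(self) -> int:
        # Assumption: the strongest parameter is binding, e.g. extended resources
        # put an attacker at SL4 even with only generic skills.
        return max(MEANS[self.means], RESOURCES[self.resources],
                   SKILLS[self.skills], MOTIVATION[self.motivation])


@dataclass(frozen=True)
class Threat:
    name: str
    damage: str
    attacker: Attacker            # attacker characteristics fixed in the context step
    affected_frs: Tuple[str, ...]  # foundational requirements the threat touches


def risk_class(damage: str, sl: int) -> str:
    """Risk class of a threat with this damage when the system withstands attackers up to sl."""
    return RISK_MATRIX[damage][sl - 1]


def required_sl(threat: Threat) -> int:
    """Risk treatment: withstand the defined attacker, and raise the SL until the
    residual risk is acceptable (the modified matrix replaces frequency by SL)."""
    sl = threat.attacker.security_level()
    while risk_class(threat.damage, sl) not in ACCEPTABLE:
        if sl >= 4:
            raise ValueError(f"{threat.name}: not acceptable even at SL4, redesign needed")
        sl += 1
    return sl


def target_sl_vector(threats: Iterable[Threat]) -> Dict[str, int]:
    """SL-T per foundational requirement: the maximum over all threats touching it (0 = none)."""
    vector = {fr: 0 for fr in FOUNDATIONAL_REQUIREMENTS}
    for threat in threats:
        sl = required_sl(threat)
        for fr in threat.affected_frs:
            vector[fr] = max(vector[fr], sl)
    return vector


def treatment_table(threats: Iterable[Threat]) -> List[Tuple[str, int, str, int]]:
    """Rows (threat, attacker SL, risk class at that SL, required SL) for the risk report."""
    rows = []
    for t in threats:
        a_sl = t.attacker.security_level()
        rows.append((t.name, a_sl, risk_class(t.damage, a_sl), required_sl(t)))
    return rows


# Constructed threat list: the four threats of the slide with assumed damage,
# attacker profile and FR mapping (the slide's own marks are not reproduced).
EXAMPLE_THREATS = (
    Threat("Malicious software (1)", "catastrophic",
           Attacker("sophisticated", "low", "generic", "low"), ("SI", "UC", "TRE")),
    Threat("Unauthorized access to communication (2)", "critical",
           Attacker("simple", "low", "generic", "low"), ("IAC", "RDF", "SI")),
    Threat("Exploit of vulnerabilities (3)", "catastrophic",
           Attacker("sophisticated", "moderate", "iacs_specific", "moderate"), ("SI", "TRE")),
    Threat("Escalation of access rights (4)", "critical",
           Attacker("simple", "low", "generic", "moderate"), ("IAC", "UC", "TRE")),
)

if __name__ == "__main__":
    for row in treatment_table(EXAMPLE_THREATS):
        print("%-45s attacker SL%d  risk %-12s -> required SL%d" % row)
    print("SL-T vector:", target_sl_vector(EXAMPLE_THREATS))
```

With the assumed values the two catastrophic threats push SI, UC and TRE to SL4 while IAC and RDF stay at SL3; that uneven vector is the point of working per foundational requirement rather than assigning one SL to the whole system, since each SL-T entry then selects the requirement enhancements of the corresponding SRs in IEC 62443-3-3.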
Example: Threats to an Electric Signalling System Slide 19
Example: Threats to an electric signalling system
Threat / short description / covered by DIN EN 50159 / covered by IEC 62443-3-3:
- (1) Malicious software: viruses, worms, trojans which use vulnerabilities in some software / EN 50159: - / IEC 62443-3-3: X
- (2) Unauthorized access to communication: weak passwords, default passwords used for applications and components, even worse for administration or remote access / EN 50159: X / IEC 62443-3-3: X
- (3) Exploit of vulnerabilities: development process which does not integrate IT security / EN 50159: - / IEC 62443-3-3: X
- (4) Escalation of access rights: user and rights management has a low maturity level / EN 50159: - / IEC 62443-3-3: X
Slide 20
Example: Threats to an electric signalling system
Threat / requirement from IEC 62443-3-3 / covered by DIN EN 50159 / covered by IEC 62443-3-3:
- (1) Malicious software. SR 3.2 Malicious code protection: "The control system shall provide the capability to employ protection mechanisms to prevent, detect, report and mitigate the effects of malicious code or unauthorized software. The control system shall provide the capability to update the protection mechanisms." / EN 50159: - / IEC 62443-3-3: X
- (3) Exploit of vulnerabilities. SR 3.4 Software and information integrity: "The control system shall provide the capability to detect, record, report and protect against unauthorized changes to software and information at rest." / EN 50159: - / IEC 62443-3-3: X
Slide 21
Example: Threats to an electric signalling system
Threat / requirement from IEC 62443-3-3 / covered by DIN EN 50159 / covered by IEC 62443-3-3:
- (4) Escalation of access rights. SR 2.1 Authorization enforcement: "On all interfaces, the control system shall provide the capability to enforce authorizations assigned to all human users for controlling use of the control system to support segregation of duties and least privilege." / EN 50159: - / IEC 62443-3-3: X
- (4) Escalation of access rights. SR 6.2 Continuous monitoring: "The control system shall provide the capability to continuously monitor all security mechanism performance using commonly accepted security industry practices and recommendations to detect, characterize and report security breaches in a timely manner." / EN 50159: - / IEC 62443-3-3: X
Slide 22
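SR 3.4 in the table above asks for the capability to detect, record and report unauthorized changes to software and information at rest, which is the control that threat (3) maps to. The following is an added example of one way to provide that capability for a signalling computer's file system, not code from the slides, from the standards, or from any product: a release manifest of SHA-256 hashes, authenticated with an HMAC so the hash list itself cannot be rewritten to match tampered files, and a verifier that reports modified, added and removed files. The key constant, the sample release tree and the two tamper scenarios are constructed for the demonstration; everything else is Python standard library.

```python
"""Integrity manifest for software and configuration at rest (SR 3.4 style:
detect, record, report). Added example with a constructed key and sample tree."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict

# Assumption: in a deployment this key stays with the maintainer, off the target.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(files: Dict[str, str]) -> bytes:
    # Deterministic encoding so the MAC covers exactly the recorded hash list.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: Path, key: bytes) -> dict:
    """Record: hash the released state and authenticate the list."""
    files = snapshot(root)
    return {"files": files, "mac": hmac.new(key, _canonical(files), "sha256").hexdigest()}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Detect and report: compare the current state against the recorded manifest."""
    expected = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # A manifest with a bad MAC is itself an unauthorized change: an attacker who
        # edits the hash list to match his modified files must not silence the check.
        return {"manifest_tampered": True, "modified": [], "added": [], "removed": []}
    recorded = manifest["files"]
    current = snapshot(root)
    return {
        "manifest_tampered": False,
        "modified": sorted(f for f in recorded if f in current and current[f] != recorded[f]),
        "removed": sorted(f for f in recorded if f not in current),
        "added": sorted(f for f in current if f not in recorded),
    }


def _release_tree(root: Path) -> None:
    # Constructed sample release: an interlocking binary and its configuration.
    (root / "bin").mkdir()
    (root / "bin" / "interlocking").write_bytes(b"\x7fELF release 4.2 (constructed)")
    (root / "config.xml").write_text("<config><watchdog_s>30</watchdog_s></config>")


def demo_unauthorized_change() -> dict:
    """Baseline, then a configuration edit and a dropped-in library."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _release_tree(root)
        manifest = build_manifest(root, MANIFEST_KEY)
        (root / "config.xml").write_text("<config><watchdog_s>0</watchdog_s></config>")
        (root / "bin" / "debug.so").write_bytes(b"unauthorized library")
        return verify_manifest(root, manifest, MANIFEST_KEY)


def demo_forged_manifest() -> dict:
    """Attacker patches a file and rewrites its hash in the manifest without the key."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _release_tree(root)
        manifest = build_manifest(root, MANIFEST_KEY)
        (root / "config.xml").write_text("<config><watchdog_s>0</watchdog_s></config>")
        manifest["files"]["config.xml"] = sha256_file(root / "config.xml")
        return verify_manifest(root, manifest, MANIFEST_KEY)


if __name__ == "__main__":
    print(demo_unauthorized_change())
    print(demo_forged_manifest())
```

An HMAC has the weakness that whoever can verify the manifest can also forge one, so on a real target the manifest would carry a signature made with a private key kept in the release environment and the device would hold only the public key; the verifier's report is then what the continuous monitoring of SR 6.2 in the same table consumes.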
Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 23
Identification of security requirements on system level
Inputs: RAMS lifecycle and IEC 62443-2-4 (quality / processes); system safety requirements; functional / non-functional requirements; security requirements
Electric signalling system, DIN VDE V 0831-104 + security features, along the lifecycle: specification, architecture, design, implementation, verification, validation (with IEC 62443-3-3 foundational requirements and DIN VDE V 0831-102)
Capabilities table: # / security requirement / SL1 / SL2 / SL3 / SL4, with rows 1 Authentication, 2 Confidentiality, 3 Error handling, each marked at one security level
Documentation: security manual; security guidelines; report referencing the product documentation
Slide 24
Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 25
Agenda 1 The Challenge Security for Electric Signalling Systems 2 Security Standards 3 Security Analysis using IEC 62443 4 Steps for Security Inspection or Certification 5 Summary Slide 26
Benefits of IEC 62443
The benefits of IEC 62443 are:
- Risk-based approach
- Process-oriented
- Combination with other standards possible
- Defined requirements
- Basis for assessment and certification
- Best-practice approach
Slide 27
Status IEC 62443 Slide 28
Contact Dr. Thomas Störtkuhl thomas.stoertkuhl@tuev-sued.de Phone: +49 89 5791-1930 Fax: +49 89 5791-2933 Dr. Kai Wollenweber kai.wollenweber@tuev-sued.de Phone: +49 89 5791-3856 Fax: +49 89 5791-2933 TÜV SÜD Rail GmbH Barthstr. 16 80339 Munich Germany www.tuev-sued.de/rail Slide 29