Cyber Security of ETCS

Slide 1: Addressing the challenges: Cyber Security of ETCS
Simon Tonks

Slide 2: Background
- The UK rail network is currently being upgraded to use new signalling technology (ERTMS).
- The ROSCOs are delivering the First in Class (FiC) fitment of ETCS to the trains under the National Joint ROSCO Programme (NJRP).
- UK rail and Government have previously sponsored work to investigate the security implications of the technology:
  - Information Security Audit of the European Railway Traffic Management System (Adelard)
  - ERTMS Specification Security Audit: Analysis of Attack Scenarios (Adelard)
  - ERTMS Cyber Security Risk Assessment (Adelard)
  - IT Security Threat Identification, Risk Analysis and Recommendations (KPMG for ERTMS Users Group)
  - Security Considerations for the Implementation of ERTMS (KPMG for Network Rail)
- General philosophy: "If it's not secure, it's not safe."

Slide 3: Definitions
Cyberspace (UK Cyber Security Strategy): Cyberspace is an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the internet, but also the other information systems that support our businesses, infrastructure and services.
Cyber Security (DfT Land Transport Cyber Security (Rail) - Guidance to Industry): Cyber security is concerned with the security of cyberspace, which encompasses all forms of networked, digital activities. For the purposes of the Rail Industry, the scope of this guidance is any system that is used to operate the railway where safety and/or reliability are important.
Vulnerabilities: Vulnerabilities are weaknesses in information systems, system procedures, controls, or implementations that can be exploited by a threat source.
Cyber attack: Cyber systems used on GB rail networks may be subject to unauthorised access through various means:
- Remotely, via the Internet or unsecured telecom networks.
- At close hand, through direct contact with infrastructure (e.g. through a USB port).
- Locally, through unauthorised access to physical infrastructure, or insider threat (infiltration).

Slide 4: Initial Observations
- Little focus given to Cyber Security:
  - National Onboard Subsystem Requirements Specification (NOSS) v2.0, Areas for development (Appendix C): "The current NOSS document makes reference to the need for cyber security, however the detailed requirements concerning how to achieve this overall aim are currently in development."
  - Baseline 3 Maintenance Release 2 ETCS systems are in development; specifications for certain change requests are being drafted, e.g. Online Key Management.
- ETCS systems embody a closed network assumption in the context of EN 50159. Under that assumption the protocols need only guarantee integrity (protection against random transmission errors), not authenticity (protection against a deliberate sender).
  - Is the assumption valid?
  - What impact might COTS technologies have upon it?
- What emphasis exists is given to Prevent, rather than Detect or Respond.
- There is a current lack of an industry strategy and governance model for Cyber Security: no uniform view on what "good" looks like.
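The integrity-versus-authenticity distinction above is the crux of the closed-network assumption. The following Python script is an added example, not code from the presentation or from any ETCS supplier. It uses a toy frame format (constructed here; it is not the EN 50159 or Euroradio encoding) to show that a CRC-style safety code catches a random bit flip but is trivially recomputed by anyone who can modify the message in transit, whereas a keyed MAC under an assumed shared key catches both the bit flip and the forgery. The payload text and the key are constructed values.

```python
"""Integrity vs. authenticity on a safety-related link.

A safety code such as a CRC protects against random corruption only: anyone who
can alter the message can also recompute the code. A keyed MAC protects against
both corruption and deliberate modification by a party without the key.
The frame format below is a toy constructed for this example, NOT the EN 50159
or Euroradio encoding."""
import hashlib
import hmac
import zlib

# Constructed toy payload standing in for a trackside -> on-board message.
PAYLOAD = b"MA:ENDSECTION=1200;SPEED=160"
# Hypothetical shared key for the example; not a real ETCS key.
KEY = b"hypothetical-shared-key"


def crc_frame(payload: bytes) -> bytes:
    """Append a 4-byte CRC-32 safety code (integrity against random errors only)."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_check(frame: bytes) -> bool:
    payload, code = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == code


def mac_frame(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag (integrity AND origin authenticity under the key)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_check(key: bytes, frame: bytes) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate a random transmission error in one bit."""
    b = bytearray(frame)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def attacker_rewrite_crc(new_payload: bytes) -> bytes:
    """An attacker on the link needs no secret: recompute the CRC and it verifies."""
    return crc_frame(new_payload)


def attacker_rewrite_mac(frame: bytes, new_payload: bytes) -> bytes:
    """Without the key the attacker can only splice the genuine tag onto the new
    payload (or recompute under a guessed key); neither verifies."""
    old_tag = frame[-32:]
    return new_payload + old_tag


def demo() -> dict:
    tampered = b"MA:ENDSECTION=9999;SPEED=160"  # constructed malicious edit
    c = crc_frame(PAYLOAD)
    m = mac_frame(KEY, PAYLOAD)
    return {
        "crc_ok": crc_check(c),
        "crc_detects_bitflip": not crc_check(flip_bit(c, 13)),
        "crc_detects_forgery": not crc_check(attacker_rewrite_crc(tampered)),
        "mac_ok": mac_check(KEY, m),
        "mac_detects_bitflip": not mac_check(KEY, flip_bit(m, 13)),
        "mac_detects_forgery": not mac_check(KEY, attacker_rewrite_mac(m, tampered)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

Two caveats a practitioner will want alongside this: a MAC alone does not stop replay of an unmodified genuine frame, so freshness (sequence numbers or timestamps) is a separate control; and the key has to be distributed and rotated to every on-board unit and trackside peer, which is where key management (cf. the Online Key Management change request noted above) enters the picture.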

Slide 5: High-level Approach to ETCS Cyber Security
- Secured support and funding.
- Delivered security awareness training to NJRP (Adelard):
  - Included Engineering, Operations and IT functions from the ROSCOs.
- The focus of the assessment was to encourage Suppliers to develop their knowledge of cyber security and apply it to ETCS. It was not a pass/fail exercise.
- Agreed a 4-party NDA acceptable to the Suppliers: Supplier, Porterbrook (on behalf of NJRP), Adelard and MWR InfoSecurity.
  - A list of Permitted Third Parties provides a limited industry cascade.
- Developed a security-informed procurement model:
  - Perform an initial risk assessment to identify potential vulnerabilities and document them in an Initial Report.
  - Focus upon those potential vulnerabilities in penetration testing.
  - Consolidate findings and associated recommendations in a Final Report (pre-contract).
  - Require the Supplier to resolve and/or provide assurance against the recommendations and also fully comply with the applicable requirements of the DHS Cyber Security Procurement Language for Control Systems, Sep 2009 (in-contract).

Slide 6: For Each Supplier
Phase 1: Initial cyber security risk assessment (Adelard), 4 weeks duration
- Kick-off meeting
- Release of documents
- Access to the Supplier's experts
- Establish points of contact
- Analysis of system architecture and safety case
- Security-informed HAZOP study
- Initial report
Phase 2: Security testing (MWR InfoSecurity), 3 weeks duration (1 week on-site)
- Pre-test preparation of tools
- On-site penetration testing and security assessment
- Report on findings and recommendations
Phase 3: Consolidation and final report (Adelard), 2 weeks duration
- Final report

Slide 7: Phase 1 - Risk Assessment (Adelard)
Goal: Identify potential cyber security risks associated with ETCS on-board systems and suggest possible mitigations:
- Additional technical controls
- Additional assurance activities
- Security robustness tests
Threat source: capable, with significant resources and some inside knowledge (Level D), e.g.:
- a well organised terrorist or criminal gang
- a moderately well resourced foreign intelligence service
Means of attack:
- Remotely, via the Internet or unsecured telecom networks.
- At close hand, through direct contact with the system, e.g. through an open port.
- Locally, via unauthorised access to closed networks.
- Primarily electronic rather than physical attacks.

Slide 8: Supplier Resources Required
Technical material, e.g.:
- System Architecture Specification
- System Safety Case
- Software Validation Report
- Installation Manual
- Maintenance Manual
- Operating Instructions
Technical staff, e.g.:
- System Architect
- Software Designer
- Safety / Assurance Manager
- System Test Designer

Slide 9: Supplier Resources Required (cont.)
Answers to technical questions:
- Overview of the system: which components are in scope for the assessment
- Safety platform / operating system / programming language
- Software architecture
- Maintenance / software updates / data entry
- Crypto / key management
- Undocumented / private interfaces
Access to ETCS equipment

Slide 10: Security-informed HAZOP Study
A hazard and operability study (HAZOP) is:
- A structured approach to the identification of potential hazards and deviations from design and operating intention
- Qualitative, and aims to stimulate the imagination of participants to identify potential hazards and operability problems
- Carried out by a suitably experienced multi-disciplinary team during a set of meetings
Team:
- Facilitators
- Supplier technical resources
- Penetration testers
Based on an architectural model of the ETCS, with a systematic review of each element of the system.

Slide 11: Security-informed HAZOP Study (cont.)
- Guidewords are used to prompt the Supplier experts to identify security-related causes for potential hazards, for example: No, Invalid, Wrong, etc.
- The experts have to identify:
  - security-related causes for a potential malfunction
  - the potential consequences
  - any system features that can detect or mitigate the malfunction
  - any additional security controls to reduce the risk
- The findings are recorded in a standardised table format and presented in the Initial Report.
- Used to direct the Phase 2 penetration testing.

Slide 12: Phase 2 - Penetration Test (MWR InfoSecurity)
- Testing performed against on-site test-bench ETCS configurations:
  - Simulated trackside components
  - Standard test set
- Areas of assessment:
  - Euroradio messages to the ETCS on-board system
  - Balise telegrams to the ETCS on-board system
  - Direct connections to the EVC
  - ETCS components from a network and system perspective
  - Source code (application of secure coding principles)
  - System maintenance interfaces and procedures
  - Testing for anomalous effects
  - Safety and Reliability (Denial of Service)
- Penetration test findings were discussed with the Supplier.

Slide 13: Phase 3 - Final Report (Adelard)
The Final Report contains:
- An update to the Initial Report
- The Penetration Test results
- Associated recommendations at various levels:
  - The Supplier: Security Controls, Assurance Activities
  - National implementation
  - ERA and the ERTMS specifications
Disseminated in accordance with the NDA and the list of Permitted Third Parties.

Slide 14: Delivering the Recommendations
Via FiC contracts, NJRP will then require the Supplier to:
- Implement the recommendations of the Final Report.
- Commission a competent third party to:
  - Review the architecture, design and implementation of the Supplier's ETCS and eco-system;
  - Provide advice and guidance to the Supplier on the incorporation of cyber security best practice in its ETCS; and
  - Support the Supplier in identifying and agreeing with the ROSCO the applicable requirements of the DHS Cyber Security Procurement Language for Control Systems, Sep 2009 (and the applicable requirements of any further document agreed to be relevant by the Contractor, ROSCO and the competent independent third party), with which the Contractor shall then fully comply.
- Deliver a cyber security-informed safety case for the GB application of the ETCS on-board system, to be submitted to and approved by ORR.
- Fully and transparently engage the ROSCO in the process.
- Effect all remedial activities prior to the return to passenger service of the vehicle.

Slide 15: NJRP Next Steps
- Procure the implementation of the Security Controls and Assurance Activities by Suppliers in accordance with the FiC programme.
- As an industry, determine how to:
  - Maintain the security of the system, once established
  - Ensure that the delivered ETCS system is secure
  - Ensure that the integration of the ETCS system with other train systems does not compromise its security
  - Ensure that the ETCS system remains secure during operation and maintenance
  - Appropriately track the configuration of the system. Holding an ETCS configuration at the level of the Line Replaceable Unit (LRU) would be like an IT department only knowing that its machines run a particular version of Windows.
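To make the LRU analogy concrete: the following Python script is an added example, not code from the presentation or from any supplier. It records a constructed on-board configuration item by item (a version string plus a digest of the installed image or data set) and compares it against an approved baseline, so that a changed data set whose version string did not change, an item that has gone missing, and an item nobody approved all show up as findings. All item names, versions and contents are constructed for illustration and describe no real ETCS product.

```python
"""Tracking an ETCS on-board configuration below the LRU level.

An approved baseline records every software and data item on the unit with its
version AND a digest of the installed bytes, and is compared with what is
actually installed. Item names, versions and contents are constructed for this
example and do not describe any real ETCS product."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(lru: str, installed: dict) -> dict:
    """installed maps item name -> (version string, bytes of the installed image/data)."""
    return {
        "lru": lru,
        "items": {
            name: {"version": version, "sha256": sha256_hex(blob)}
            for name, (version, blob) in installed.items()
        },
    }


def manifest_digest(manifest: dict) -> str:
    """Digest over a canonical serialisation, so a whole configuration can be
    signed, stored or compared as one value."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def compare(baseline: dict, deployed: dict) -> list:
    """Every way the deployed unit differs from the approved baseline,
    as (item name, finding) tuples sorted by item name."""
    b, d = baseline["items"], deployed["items"]
    findings = []
    for name in sorted(set(b) | set(d)):
        if name not in d:
            findings.append((name, "missing from unit"))
        elif name not in b:
            findings.append((name, "unapproved item present"))
        elif b[name]["sha256"] != d[name]["sha256"]:
            if b[name]["version"] != d[name]["version"]:
                findings.append((name, "version changed %s -> %s"
                                 % (b[name]["version"], d[name]["version"])))
            else:
                # The case a version-only (LRU-level) inventory cannot see.
                findings.append((name, "content changed, version string unchanged"))
    return findings


def demo() -> list:
    # Constructed approved configuration for one on-board unit.
    approved = {
        "evc-application": ("3.4.1", b"evc application build 3.4.1"),
        "safety-platform-os": ("1.2.0", b"safety platform os 1.2.0"),
        "btm-firmware": ("7.0", b"balise transmission module firmware 7.0"),
        "national-values": ("GB-2016-11", b"national values data set, approved"),
        "dmi-config": ("std", b"driver machine interface configuration"),
    }
    # Constructed state found on the unit after a maintenance visit.
    found = dict(approved)
    found["national-values"] = ("GB-2016-11", b"national values data set, edited")  # same version, new bytes
    del found["dmi-config"]                                                        # item removed
    found["maintenance-agent"] = ("0.9", b"diagnostic tool left installed")        # not in baseline
    baseline = build_manifest("EVC-rack-1", approved)
    deployed = build_manifest("EVC-rack-1", found)
    return compare(baseline, deployed)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name:20} {finding}")
```

The digests only mean something if they are taken from the unit itself (or attested by it) rather than copied from the release notes, and the approved baseline has to be held somewhere the maintenance path cannot alter; the comparison is the easy part.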

Slide 16: Next Steps (cont.)
As an industry, determine how to:
- Manage risk for unpatched vulnerabilities in SIL4 systems and determine appropriate patch deployment arrangements
- Establish mechanisms to Detect and Respond to security threats
- Strengthen system resilience and facilitate recovery from cyber attack to limit disruption
- Consider the implementation of an integrated security operations centre for UK rail
- Develop (and implement) an industry-wide cyber security strategy, information sharing and governance model
- Effect the recommendations against the national implementation and the European specifications, e.g. update the ERTMS specifications to enhance the security of the system

Slide 17: Contacts
Simon Tonks (NJRP/Porterbrook): www.porterbrook.co.uk, simon.tonks@porterbrook.co.uk
Prof. Robin Bloomfield (Adelard): www.adelard.com, reb@adelard.com
Ian Ewers (MWR InfoSecurity): www.mwrinfosecurity.com, ian.ewers@mwrinfosecurity.com