Addressing the challenges: Cyber Security of ETCS
Simon Tonks
Background
- The UK rail network is currently being upgraded to use new signalling technology (ERTMS)
- The ROSCOs are delivering the First in Class (FiC) fitment of ETCS to the trains under the National Joint ROSCO Programme (NJRP)
- UK rail and Government have previously sponsored work to investigate the security implications of the technology:
  - Information Security Audit of the European Railway Traffic Management System (Adelard)
  - ERTMS Specification Security Audit: Analysis of Attack Scenarios (Adelard)
  - ERTMS Cyber Security Risk Assessment (Adelard)
  - IT Security Threat identification, Risk Analysis and Recommendations (KPMG for ERTMS Users Group)
  - Security Considerations for the implementation of ERTMS (KPMG for Network Rail)
- General philosophy: if it's not secure, it's not safe
Definitions
Cyberspace (UK Cyber Security Strategy): Cyberspace is an interactive domain made up of digital networks that is used to store, modify and communicate information. It includes the internet, but also the other information systems that support our businesses, infrastructure and services.
Cyber Security (DfT Land Transport Cyber Security (Rail) - Guidance to Industry): Cyber security is concerned with the security of cyberspace, which encompasses all forms of networked, digital activities. For the purposes of the Rail Industry, the scope of this guidance is any system that is used to operate the railway where safety and/or reliability are important.
Vulnerabilities: Vulnerabilities are weaknesses in information systems, system procedures, controls, or implementations that can be exploited by a threat source.
Cyber attack: Cyber systems used on GB rail networks may be subject to unauthorised access through various means:
- Remotely, via the Internet, or unsecured telecom networks.
- At close hand, through direct contact with infrastructure (e.g. through a USB port).
- Locally, through unauthorised access to physical infrastructure, or insider threat (infiltration).
Initial Observations
- Little focus given to Cyber Security
  - National Onboard Subsystem Requirements Specification (NOSS) v2.0, Areas for development (Appendix C): The current NOSS document makes reference to the need for cyber security, however the detailed requirements concerning how to achieve this overall aim are currently in development.
  - Baseline 3 Maintenance Release 2 ETCS systems are in development
  - Specifications for certain change requests are being drafted, e.g. Online Key Management
- ETCS systems embody a closed network assumption in the context of EN 50159
  - Requires the use of protocols that only guarantee integrity and not authenticity
  - Is the assumption valid? What impact might COTS technologies have upon it?
- What emphasis exists is given to Prevent, rather than Detect or Respond
- There is a current lack of an industry strategy and governance model for Cyber Security
  - No uniform view on what good looks like
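To make the integrity-versus-authenticity point above concrete, the following is an added illustration in Python; it is not part of the presentation and not any supplier's ETCS code. It places an unkeyed CRC-style safety code (the kind a closed-network assumption relies on) beside a keyed MAC and checks what each actually guarantees. The message body and both keys are constructed for the example.

```python
import hashlib
import hmac
import zlib

KEY = b"example-key-for-illustration"   # constructed for this example only
OTHER = b"some-other-key"               # a key the intended sender does not hold

def crc_frame(body: bytes, key: bytes = b"") -> bytes:
    """CRC-32 safety code. The key argument is ignored: the code is unkeyed."""
    return body + zlib.crc32(body).to_bytes(4, "big")

def crc_ok(frame: bytes, key: bytes = b"") -> bool:
    return crc_frame(frame[:-4]) == frame

def mac_frame(body: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA256 tag: a valid tag can only be produced by a holder of `key`."""
    return body + hmac.new(key, body, hashlib.sha256).digest()

def mac_ok(frame: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(mac_frame(frame[:-32], key), frame)

def detects_corruption(make, check, body: bytes) -> bool:
    """Integrity: a single bit flipped in transit must be rejected."""
    damaged = bytearray(make(body, KEY))
    damaged[0] ^= 0x01
    return not check(bytes(damaged), KEY)

def detects_unauthorised_source(make, check, body: bytes) -> bool:
    """Authenticity: a frame built by a party that does not hold KEY must be
    rejected even though that party runs the same algorithm correctly.
    This is exactly the guarantee that disappears once the network is no
    longer closed and the check value is unkeyed."""
    return not check(make(body, OTHER), KEY)

def assess(body: bytes = b"constructed message body") -> dict:
    """Summarise which property each protection actually provides."""
    return {
        "crc": {"integrity": detects_corruption(crc_frame, crc_ok, body),
                "authenticity": detects_unauthorised_source(crc_frame, crc_ok, body)},
        "mac": {"integrity": detects_corruption(mac_frame, mac_ok, body),
                "authenticity": detects_unauthorised_source(mac_frame, mac_ok, body)},
    }

if __name__ == "__main__":
    print(assess())
```

The CRC row reports integrity but not authenticity, which is why a closed-network assumption is load-bearing for any protocol that stops at a safety code.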
High-level Approach to ETCS Cyber Security
- Secured support and funding
- Delivered security awareness training to NJRP (Adelard)
  - Included Engineering, Operations and IT functions from the ROSCOs
- The focus of the assessment was to encourage Suppliers to develop their knowledge of cyber security and apply it to ETCS. It was not a pass/fail exercise
- Agreed a 4-party NDA acceptable to the Suppliers
  - Supplier, Porterbrook (on behalf of NJRP), Adelard and MWR InfoSecurity
  - List of Permitted Third Parties provides a limited industry cascade
- Developed a security-informed procurement model
  - Perform an initial risk assessment to identify potential vulnerabilities and document them in an Initial Report
  - Focus upon those potential vulnerabilities in penetration testing
  - Consolidate findings and associated recommendations in a Final Report (pre-contract)
  - Require the Supplier to resolve and/or provide assurance against the recommendations and also fully comply with the applicable requirements of the DHS Cyber Security Procurement Language for Control Systems, Sep 2009 (in-contract)
For Each Supplier...
Phase 1: Initial cyber security risk assessment (Adelard)
- Kick-off meeting: release of documents, access to the Supplier's experts, establish points of contact
- Analysis of system architecture and safety case
- Security-informed HAZOP study
- Initial report
- 4 weeks duration
Phase 2: Security testing (MWR InfoSecurity)
- Pre-test preparation of tools
- On-site penetration testing and security assessment
- Report on findings and recommendations
- 3 weeks duration (1 week on-site)
Phase 3: Consolidation and final report (Adelard)
- Final report
- 2 weeks duration
Phase 1 - Risk Assessment (Adelard)
Goal: Identify potential cyber security risks associated with ETCS on-board systems and suggest possible mitigations:
- Additional technical controls
- Additional assurance activities
- Security robustness tests
Threat source: Capable with significant resources and some inside knowledge (Level D):
- well organised terrorist or criminal gang
- moderately well resourced foreign intelligence service
Means of attack:
- Remotely, via the Internet, or unsecured telecom networks.
- At close hand, through direct contact with the system, e.g. through an open port
- Locally, via unauthorised access to closed networks
- Primarily electronic rather than physical attacks
Supplier Resources Required
Technical material, e.g.:
- System Architecture Specification
- System Safety Case
- Software Validation Report
- Installation Manual
- Maintenance Manual
- Operating Instructions
Technical staff, e.g.:
- System Architect
- Software Designer
- Safety / Assurance Manager
- System Test Designer
Supplier Resources Required (cont.)
Answers to technical questions:
- Overview of the system: which components are in scope for the assessment
- Safety platform / operating system / programming language
- Software architecture
- Maintenance / software updates / data entry
- Crypto / key management
- Undocumented / private interfaces
Access to ETCS equipment
Security-informed HAZOP Study
A hazard and operability study (HAZOP) is:
- A structured approach to the identification of potential hazards and deviations from design and operating intention
- Qualitative, and aims to stimulate the imagination of participants to identify potential hazards and operability problems
- Carried out by a suitably experienced multi-disciplinary team during a set of meetings:
  - Facilitators
  - Supplier technical resources
  - Penetration testers
- Based on an architectural model of the ETCS, with a systematic review of each element of the system
Security-informed HAZOP Study (cont.)
- Guidewords are used to prompt the Supplier experts to identify security-related causes for potential hazards. For example: No, Invalid, Wrong, etc.
- The experts have to identify:
  - security-related causes for a potential malfunction
  - the potential consequences
  - any system features that can detect or mitigate the malfunction
  - any additional security controls to reduce the risk
- The findings are recorded in a standardised table format and presented in the Initial Report
- Used to direct the Phase 2 penetration testing
Phase 2 - Penetration Test (MWR InfoSecurity)
- Testing performed against on-site test-bench ETCS configurations
  - Simulated trackside components
  - Standard test set
- Areas of assessment:
  - Euroradio messages to the ETCS on-board system
  - Balise telegrams to the ETCS on-board system
  - Direct connections to the EVC
  - ETCS components from a network and system perspective
  - Source code (application of secure coding principles)
  - System maintenance interfaces and procedures
  - Testing for anomalous effects: Safety and Reliability (Denial of Service)
- Penetration test findings were discussed with the Supplier
Phase 3 - Final Report (Adelard)
The Final Report contains:
- An update to the Initial Report
- The Penetration Test results
- Associated recommendations at various levels:
  - The Supplier: Security Controls and Assurance Activities
  - National implementation
  - ERA and the ERTMS specifications
Disseminated in accordance with the NDA and the list of Permitted Third Parties
Delivering the Recommendations
Via FiC contracts, NJRP will then require the Supplier to:
- Implement the recommendations of the Final Report
- Commission a competent third party to:
  - Review the architecture, design and implementation of the Supplier's ETCS and eco-system;
  - Provide advice and guidance to the Supplier on the incorporation of cyber security best practice in its ETCS; and
  - Support the Supplier in identifying and agreeing with the ROSCO the applicable requirements of the DHS Cyber Security Procurement Language for Control Systems, Sep 2009 (and the applicable requirements of any further document agreed to be relevant by the Contractor, ROSCO and the competent independent third party), with which the Contractor shall then fully comply
- Deliver a cyber security-informed safety case for the GB application of the ETCS on-board system, to be submitted to and approved by ORR
- Fully and transparently engage the ROSCO in the process
- Effect all remedial activities prior to the return to passenger service of the vehicle.
NJRP Next Steps
- Procure the implementation of the Security Controls and Assurance Activities by Suppliers in accordance with the FiC programme
- As an industry, determine how to:
  - Maintain the security of the system, once established
  - Ensure that the delivered ETCS system is secure
  - Ensure that the integration of the ETCS system with other train systems does not compromise its security
  - Ensure that the ETCS system remains secure during operation and maintenance
  - Appropriately track the configuration of the system. Holding an ETCS configuration at the level of the Line Replaceable Unit (LRU) would be like an IT department only knowing that its machines run a particular version of Windows...
Next Steps (cont.)
As an industry, determine how to:
- Manage risk for unpatched vulnerabilities in SIL4 systems and determine appropriate patch deployment arrangements
- Establish mechanisms to Detect and Respond to security threats
- Strengthen system resilience and facilitate recovery from cyber attack to limit disruption
- Consider the implementation of an integrated security operations centre for UK rail
- Develop an industry-wide cyber security strategy, information sharing and governance model (and implement it)
- Effect the recommendations against the national implementation and European specifications, e.g. update the ERTMS specifications to enhance the security of the system
Contacts
- Simon Tonks (NJRP/Porterbrook): www.porterbrook.co.uk, simon.tonks@porterbrook.co.uk
- Prof. Robin Bloomfield (Adelard): www.adelard.com, reb@adelard.com
- Ian Ewers (MWR InfoSecurity): www.mwrinfosecurity.com, ian.ewers@mwrinfosecurity.com