
Computer Security


Presentation Transcript


  1. Computer Security Passwords Web Online Shopping Industrial Espionage Internet Banking Viruses Hackers Privacy Firewalls

  2. Computer Security

  3. Your Life

  4. Computer Security As If Your Life Depended On It Katherine Eastaughffe RESOURCEFUL RELIABLE RESPONSIBLE

  5. OUTLINE • Westinghouse Rail Systems – What do we do? • Safety Critical Systems on the Railway • How do we develop Safety Critical Systems? • Where does Security fit in? • Looking to the future

  6. COMPANY OVERVIEW • Company established in 1862 • Offices in Birmingham, Crawley, Croydon, Glasgow, Swanley, York, Beijing, Germany and Singapore with HQ in Chippenham • 1390 employees • Part of Invensys Rail Systems (Australia, US and Spain)

  7. WHAT IS OUR BUSINESS? • Design, manufacture, installation, commissioning and maintenance of: • Railway signalling systems and equipment • Train control systems • Railway monitoring systems & control centres • Supplying Main Line and Mass Transit operators in the UK, Europe and Far East

  8. LONDON’S PPP – PUBLIC PRIVATE PARTNERSHIP • Westinghouse supplying resignalling projects to Metronet consortium through Bombardier • Resignalling Victoria, District, Circle, Hammersmith, Metropolitan lines over 14 years (>1/2 of the Tube)

  9. Victoria Line/SSL Resignalling Statistics • ~ $850 million contract • Resignalling of more than ½ of Tube • 150 000 people enter the system each hour • About 400 km of track • About 160 stations • Victoria line to provide > 30 trains per hour • London Underground has 2.7 million passenger journeys/day

  10. AUTOMATIC TRAIN CONTROL – Basic Operation (diagram: line speed = 80 km/h, protection profile, location, trackside equipment)

  11. Train Control Systems • ERTMS (European Rail Traffic Management System) • To be deployed across Europe • DTG-R (Distance To Go – Radio) • Aimed at Metro systems • To be deployed on London Underground

  12. ERTMS • Recommended by the Uff-Cullen Inquiry for Automatic Train Protection on UK Mainline railway • Common specifications to which suppliers provide equipment • Radio Block Centre derives and sends “movement authorities” to trains via a GSM-R radio system • A movement authority specifies how far a train can travel along the route ahead • Train-borne computer calculates a safe speed based on its received movement authority

  13. DTG-R • Processors send “Signalling States” from the interlocking to the train via a radio system • Train-borne computer calculates a movement authority and from that a safe speed

  14. What if something interferes with the data? (diagram: basic operation, line speed = 80 km/h, protection profile, location, trackside equipment)

  15.–17. What if something interferes with the data? (the same diagram, animated over three slides)

  18. How do we prove our systems are safe? • Try to identify all the ways that something can go wrong • Make sure we have ways of protecting against these threats • We construct a Safety Case • One part of the Safety Case for Automatic Train Control addresses the questions: • What can go wrong with messages sent from the trackside to trains (either accidentally or deliberately)? • How do we protect against failures of message transmission?

  19. What may go wrong with messages? • Repetition of Messages • Deletion of Messages • Insertion of Messages • Resequencing of Messages • Corruption of Messages • Delay of Messages • Masquerade of Messages

  20. Repetition of Messages • Due to failure of equipment, e.g. a message buffer is not properly flushed • Due to deliberate storage and replay of messages • Defences: Sequence Numbers and Timestamps

  21. Sequence Numbers • Add a running number to each message exchanged between a transmitter and a receiver • Receiver checks that the number is within a suitable range of the number of the previous message • Suitable range means: • E.g. between 1 and 30 greater than the previous number (modulo 255) for an 8 bit number • Suitable range depends on the expected frequency of transmission • This ensures a message in the specified range is no older than x seconds/minutes • Except that if the message is really old, then it might be in range, because the sequence numbers have gone right the way round!!

  22. Timestamps • Timestamps can plug the hole that the sequence numbering technique has • Transmitter adds a timestamp to the message • Receiver checks that the timestamp is within a given tolerance of the timestamp of the previous message • Bandwidth may prevent a timestamp being sent with all messages • Need to be careful about the first message received from a transmitter – how do you know its clock is right and the message is not years old?
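The receiver-side checks of slides 21 and 22, as an added example that is not part of the presentation: an 8-bit sequence number with the 1..30 acceptance window from the slide, the wraparound hole it leaves, and the timestamp tolerance that closes it. The tolerance value, the message fields and the `Receiver` class are assumptions of this example.

```python
# Added example (not from the presentation): receiver-side checks for
# repeated or replayed messages. The 8-bit counter and the 1..30 window
# come from slide 21; the timestamp tolerance value is an assumption.

SEQ_MODULUS = 256       # 8-bit sequence number wraps after 255
WINDOW = 30             # accept a number 1..30 ahead of the previous one
TIME_TOLERANCE = 5.0    # seconds between consecutive messages (assumed)


def seq_in_window(prev_seq, new_seq):
    """True if new_seq is 1..WINDOW ahead of prev_seq, counting modulo 256."""
    delta = (new_seq - prev_seq) % SEQ_MODULUS
    return 1 <= delta <= WINDOW


def ts_in_tolerance(prev_ts, new_ts):
    """True if the new timestamp is not older than, and not more than
    TIME_TOLERANCE seconds after, the previous accepted timestamp."""
    return 0.0 <= new_ts - prev_ts <= TIME_TOLERANCE


class Receiver:
    """Accepts a message only if both checks pass; state moves on acceptance."""

    def __init__(self, first_seq, first_ts):
        self.prev_seq = first_seq
        self.prev_ts = first_ts

    def accept(self, seq, ts):
        if not seq_in_window(self.prev_seq, seq):
            return False, "sequence number outside window"
        if not ts_in_tolerance(self.prev_ts, ts):
            return False, "timestamp outside tolerance"
        self.prev_seq, self.prev_ts = seq, ts
        return True, "ok"


def replay_demo():
    """A message captured one full lap of the counter ago (seq 210, stamped
    at t=500) arrives while the receiver expects 201..230 after t=1000.
    The sequence check alone passes it; the timestamp check rejects it."""
    rx = Receiver(first_seq=200, first_ts=1000.0)
    seq_only = seq_in_window(rx.prev_seq, 210)      # True: the wraparound hole
    accepted, reason = rx.accept(210, 500.0)        # False: plugged by timestamp
    return seq_only, accepted, reason
```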

  23. Deletion of Messages • May be the result of equipment failure • Or Denial of Service attack • Most likely source of disruption of message transmission • Design the system to be “fail-safe” – if messages are not received it will not cause a hazard • Timeout on receipt of messages. If a train does not receive any messages after a given period of time, braking will be applied • In emergency situations, you may want to know that a message has been received, in which case there must be an acknowledgement

  24. Insertion of Messages • Due to cross-talk • Due to deliberate insertion of messages • Sequence numbers will protect against a large number of false messages because the sequence number is unlikely to be within the expected range • Otherwise see masquerading of messages

  25. Resequencing of Messages • Messages received in different order to that transmitted • Sequence Numbers and Timestamps

  26. Corruption of Messages • Accidental changes, e.g. from Electromagnetic Interference or collision of messages • Deliberate changes • Safety Codes • CRC (Cyclic Redundancy Codes) • Hash Codes • Cryptographic Block Codes (Message Authentication Code)

  27. ERTMS – Encryption • Uses a MAC – a function of the whole message and a secret key • A private key for each train • Block Cipher used is single DES with modified MAC algorithm 3

  28. Delay of Messages • Timestamps • Timeouts – if you don’t receive a message within a given period, enter a fail-safe state, that is, shut-down and apply braking
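The protections of slides 26 to 28 combined in one train-side receiver, as an added example that is not part of the presentation or of ERTMS: a per-train key and a MAC over the whole message reject corrupted or forged frames, and a timeout drives the fail-safe (braking) state when valid messages stop arriving. HMAC-SHA256 truncated to 8 bytes stands in for the single-DES MAC algorithm 3 named on slide 27; the frame layout, timeout, key values and class names are constructed for this example.

```python
import hmac
import hashlib
import struct

# Added example (not from the presentation or ERTMS): a train-side receiver that
# rejects corrupted or forged frames with a per-train MAC and brakes when valid
# messages stop arriving. HMAC-SHA256 truncated to 8 bytes stands in for the
# single-DES MAC algorithm 3 on slide 27; layout, timeout and keys are constructed.

TIMEOUT = 3.0                   # seconds without a valid message before braking
TAG_LEN = 8
HEADER = struct.Struct(">HB")   # train id (16 bit), sequence number (8 bit)
TRAIN_KEYS = {                  # one secret key per train; constructed test values
    0x0101: b"constructed key for train 0101",
    0x0102: b"constructed key for train 0102",
}

def compute_mac(key, header, payload):
    """MAC over the whole message (header + payload) under the train's key."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]

def build_frame(train_id, seq, payload):
    """Trackside side: header | payload | tag."""
    header = HEADER.pack(train_id, seq)
    return header + payload + compute_mac(TRAIN_KEYS[train_id], header, payload)

class TrainReceiver:
    def __init__(self, train_id, now):
        self.train_id, self.key = train_id, TRAIN_KEYS[train_id]
        self.last_valid, self.braking = now, False

    def on_frame(self, frame, now):
        """Return the payload if the frame is genuine and for this train, else None."""
        if len(frame) < HEADER.size + TAG_LEN:
            return None                                 # truncated
        header, payload, tag = frame[:HEADER.size], frame[HEADER.size:-TAG_LEN], frame[-TAG_LEN:]
        train_id, _seq = HEADER.unpack(header)
        if train_id != self.train_id:
            return None                                 # addressed to another train
        if not hmac.compare_digest(tag, compute_mac(self.key, header, payload)):
            return None                                 # corrupted, forged or wrong key
        self.last_valid = now
        return payload

    def tick(self, now):
        """Called periodically: enter the fail-safe state after TIMEOUT."""
        if now - self.last_valid > TIMEOUT:
            self.braking = True
        return self.braking
```

Sequence-number and timestamp checks on `_seq` belong in the same receiver but are left to the earlier example; a rejected frame never refreshes `last_valid`, so a stream of forged frames still ends in braking.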

  29. Masquerading of Messages • Use of identifiers • Use of cryptographic techniques

  30. Security of Rail Networks • Of course, there are easier ways of deliberately disrupting railways than spoofing/deleting messages from trackside to train • Difficult to gain physical access to network

  31. An Interesting Website • www.atcsmon.com • Allows you to graphically monitor train traffic on railroads that use the Association of American Railroad’s Advanced Train Control System (ATCS) Specification 200 protocol (among others) • All you need is a radio scanner! That is when you’re not listening to the police, or baby monitors

  32. Some other Security Issues • Security of map data and software loaded into train control units • Management of private keys for each train • The future will involve satellite positioning systems (Galileo) and use of more and more COTS products, which increase the security risk

  33. Summary • Security issues can be safety issues too • To get approval for systems, you have to show that you have considered threats from message integrity and protected against them • Real applications for cryptographic techniques

  34. Further Information • www.westinghouserail.co.uk • Railway Safety Standards • BS EN 50159: Railway Applications – Communication, Signalling and Processing Systems • ERTMS Standards - www.aeif.org/ccm/doclist.asp • Lots of information about Communications Systems for train control, US focussed, no future maintenance, www.tsd.org • “Safeware: System Safety and Computers” by Nancy Leveson. Addison Wesley 1995 • IEE Website (Institute of Electrical Engineers) – www.iee.org • Railway Professional Network • Functional Safety Professional Network

  35. WESTINGHOUSE RAIL SYSTEMS RESOURCEFUL RELIABLE RESPONSIBLE
