1 / 25

Goncalo Martins Sajal Bhatia

Performance Impact of Securing Railway Systems Threat Modeling – eRTM (Wireless Network for Rail Temperature Monitoring). Goncalo Martins Sajal Bhatia. NIST Meeting Sep 8 , 2014. ** http://www.evopro.hu/eng/page/ertm. Overview. Introduction Threat Modeling Approaches

alexandra-buck
Télécharger la présentation

Goncalo Martins Sajal Bhatia

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Performance Impact of Securing Railway SystemsThreat Modeling – eRTM (Wireless Network for Rail Temperature Monitoring) Goncalo Martins Sajal Bhatia NIST Meeting Sep 8, 2014 ** http://www.evopro.hu/eng/page/ertm

  2. Overview • Introduction • Threat Modeling Approaches • eRTM Threat Analysis 2

  3. Overview • Introduction • Threat Modeling Approaches • eRTM Threat Analysis 3

  4. Introduction • What is eRTM? • WSN for rail temp. monitoring (evopro) • Battery powered temperature measuring modules, connected viaradio • Communication organized via repeaters and gateways • Gateway collect data and transmit to central processing server • Monitoring data accessible via browser and smartphone apps • Clients notified according to temperature limit settings • Parameters & Applications • Max. 256 measuring points • Temp resolution +/- 0.5 deg. • Repeater-sensor distance: max 100 m • Repeater-repeater distance: max 1000 m • Radio Comm: 868 MHz ISM • Prediction of buckling • Measurement based control of speed limiting area • Measurement based control of switch heating 4

  5. Introduction • System Architecture 5

  6. Overview • Introduction • Threat Modeling Approaches • eRTM Threat Analysis 6

  7. Threat Modeling Approaches • Approaches: • Four-step Framework • Six-stage Process 7

  8. Overview • Introduction • Threat Modeling Approaches • eRTM Threat Analysis 8

  9. Threat Modeling Approaches • Four-step Framework: • Microsoft Threat Modeling Tool • GME • STRIDE Methodology • Merge STRIDE analysis with technology requirements or constraints (subject matter expertise) • Simulation or emulation based testbeds 9

  10. eRTM Threat Analysis • Model System ( Microsoft Threat Modeling Tool ) Architecture Overview – Data Flow Diagram • Identify Assets • Create an Architecture Overview 10

  11. eRTM Threat Analysis • Model System ( Microsoft Threat Modeling Tool ) Architecture Overview – Simplified Model • Decompose the Application 11

  12. eRTM Threat Analysis • Model System ( Microsoft Threat Modeling Tool ) Limitations • Can’t represent technology requirements • or constraints; • There is no notion of multiplicity; • It is confusing to track the threats state; 12

  13. eRTM Threat Analysis • Find Threats ( Microsoft Threat Modeling Tool ) STRIDE Methodology (Per-Element) Still Missing: • Technology requirements • Notion of multiplicity STRIDE Add on to the model STRIDE Add on to the model (color scheme) STRIDE STRIDE STRIDE STRIDE STRIDE Needs Investigation Not Applicable Mitigation Found STRIDE 13

  14. eRTM Threat Analysis • Model System / Find Threats ( GME ) Architecture Overview – UML Diagram 14

  15. eRTM Threat Analysis • Model System / Find Threats ( GME ) Architecture Overview – UML Diagram UML View 15

  16. eRTM Threat Analysis • Model System / Find Threats ( GME ) Architecture Overview – UML Diagram • Technology Constraints • Represent technology requirements • or constraints; • Represent multiplicity; • Track the threats state; • Non-functional requirements for Security 16

  17. eRTM Threat Analysis • Model System / Find Threats ( GME ) Architecture Overview – UML Diagram • Represent multiplicity; 17

  18. eRTM Threat Analysis • Model System / Find Threats ( GME ) Architecture Overview – UML Diagram • Technology Constraints 18

  19. eRTM Threat Analysis • Model System / Find Threats ( GME ) Technology Constraints Constraints View 19

  20. eRTM Threat Analysis • Model System / Find Threats ( GME ) Technology Constraints 20

  21. eRTM Threat Analysis • Address Threats ( GME ) Architecture Overview – UML Diagram • Track Threats State Mitigation Strategies: • Do nothing • ( NotApplicable() ) • Mitigate the risk • ( Mitigation() ) • Needs Investigation • ( Investigation ) • Non-functional requirements for Security 21

  22. eRTM Threat Analysis • Summary ( Microsoft Threat Modeling Tool ) ( GME ) Data Flow Diagrams (DFD) UML STRIDE STRIDE STRIDE Track Threats Track Threats (color scheme) • Technology Requirements • (UML Constraints) Still Missing: • Technology requirements • Notion of multiplicity • Notion of multiplicity (0..*) 22

  23. eRTM Threat Analysis • Address Threats ( GME ) Example – Sensor / Repeater / Gateway (External Entity) Mitigation Implement an authentication mechanism Spoofing (Pretending to be the Sensor) Threat Modify something on disk or memory Tampering (Modifying something on the Sensor) Mitigation Implement a logging system Repudiation (Claiming that the Sensor didn’t do something, or was not responsible) Information Disclosure (Providing information to someone not authorized to see it) Threat Run out of battery Denial of Service (Absorbing resources needed to provide service) Elevation of Privilege (Allowing someone to do something they are not authorized to do) 23

  24. eRTM Threat Analysis • Address Threats ( GME ) Example – 868 MHz / 2.4 GHz Wireless (Channels) Spoofing (Pretending to be the Channel) Threat Man-in-the-middle attack (MITM) Tampering Mitigation Implement crypto hash algorithms (Modifying something on the Channel) Repudiation (Claiming that the Sensor didn’t do something, or was not responsible) Threat Sniffing Information Disclosure Mitigation Implement encryption algorithms (Providing information to someone not authorized to see it) Threat Jamming communications Denial of Service (Absorbing resources needed to provide service) Elevation of Privilege (Allowing someone to do something they are not authorized to do) 24

  25. Future Directions • GME model for eRTM system • Research paper • Threat Modeling for Railway System • eRTM as an example • MS Threat Modeling Tool • STRIDE Methodology • Technology requirements or constraints from literature (as calculated assumption) • Study propagation effects of a node compromise • May using some graph theoretic approaches? • Quantification of the notion of security? • Update project document with a detailed case study of eRTMS 25

More Related