
Page 1

RESOURCEFUL RELIABLE RESPONSIBLE

Computer Security

Web, Firewalls, Viruses, Passwords, Internet Banking, Online Shopping, Privacy, Industrial Espionage, Hackers

Page 2

Computer Security

Page 3

Your Life

Page 4

Computer Security As If Your Life Depended On It

Katherine Eastaughffe

Page 5

OUTLINE

• Westinghouse Rail Systems – What do we do?

• Safety Critical Systems on the Railway

• How do we develop Safety Critical Systems?

• Where does Security fit in?

• Looking to the future

Page 6

COMPANY OVERVIEW

• Company established in 1862

• Offices in Birmingham, Crawley, Croydon, Glasgow, Swanley, York, Beijing, Germany and Singapore with HQ in Chippenham

• 1390 employees

• Part of Invensys Rail Systems (Australia, US and Spain)

Page 7

WHAT IS OUR BUSINESS?

• Design, manufacture, installation, commissioning and maintenance of:

– Railway signalling systems and equipment

– Train control systems

– Railway monitoring systems & control centres

• Supplying Main Line and Mass Transit operators in the UK, Europe and Far East

Page 8

[System diagram: London Underground automatic train control architecture (For Information Purposes Only, Issue: Draft, Date 15 May 2003, Westinghouse Brake and Signal Holdings Limited 2003). Key: Automatic Train Protection equipment, Automatic Train Operation equipment, Interlocking equipment, Automatic Train Supervision equipment, Equipment supplied by others. Trackside and control side: WESTRACE interlocking (fibre optic link between WESTRACEs; dual running interface to existing signalling as the overlay system, new interlockings in control as the final system), Local Site Computer (LSC), Fixed Block Processor (FBP), Platform ATO Communicator (PAC), Fixed Communications Unit & Radio Base Stations (FCU & RBS), Signalling Equipment Room (SER), Station Management System (SMS), Diverse Monitor Controller, Maintainer's Control Terminal (incl. Operational Data Recorder), Control Centre with state of railway and equipped train reports. Train-borne: ATP and ATO, APR reader and transponder, tachogenerator (speed sensor), Doppler, ATP/ATO antennas, leaky feeder, driver's display and indications; outputs to train: service brakes, emergency brakes, motors, door indications, door side enable, traction inhibit.]

Page 9

LONDON’S PPP – PUBLIC PRIVATE PARTNERSHIP

• Westinghouse supplying resignalling projects to Metronet consortium through Bombardier

• Resignalling Victoria, District, Circle, Hammersmith, Metropolitan lines over 14 years (>1/2 of the Tube)

Page 10

Victoria Line/SSL Resignalling Statistics

• ~ $850 million contract

• Resignalling of more than ½ of Tube

• 150 000 people enter the system each hour

• About 400 km of track

• About 160 stations

• Victoria line to provide > 30 trains per hour

• London Underground has 2.7 million passenger journeys/day

Page 11

[Picture slide; no text recovered]

Page 12

AUTOMATIC TRAIN CONTROL

[Diagram: protection profile plotted against location, with line speed = 80 km/h and trackside equipment; basic operation]

Page 13

Train Control Systems

• ERTMS (European Rail Traffic Management System)

– To be deployed across Europe

• DTG-R (Distance To Go – Radio)

– Aimed at Metro systems

– To be deployed on London Underground

Page 14

ERTMS

• Recommended by the Uff-Cullen Inquiry for Automatic Train Protection on UK Mainline railway

• Common specifications to which suppliers provide equipment

• Radio Block Centre derives and sends “movement authorities” to trains via a GSM-R radio system

• A movement authority specifies how far a train can travel along the route ahead

• Train-borne computer calculates a safe speed based on its received movement authority

Page 15

DTG-R

• Processors send “Signalling States” from the interlocking to the train via a radio system

• Train-borne computer calculates a movement authority and from that a safe speed

Pages 16 to 19

What if something interferes with the data?

[Diagram built up over four slides: protection profile plotted against location, with line speed = 80 km/h and trackside equipment; basic operation shown first, then the effect of interference with the data]

Page 20

How do we prove our systems are safe?

• Try and identify all the ways that something can go wrong

• Make sure we have ways of protecting against these threats

• We construct a Safety Case

• One part of the Safety Case for Automatic Train Control addresses the questions:

– What can go wrong with messages sent from the trackside to trains (either accidentally or deliberately)?

– How do we protect against failures of message transmission?

Page 21

What may go wrong with messages?

• Repetition of Messages

• Deletion of Messages

• Insertion of Messages

• Resequencing of Messages

• Corruption of Messages

• Delay of Messages

• Masquerade of Messages

Page 22

Repetition of Messages

• Due to failure of equipment, eg message buffer is not properly flushed

• Due to deliberate storage and replay of messages

• Sequence Numbers and Timestamps

Page 23

Sequence Numbers

• Add a running number to each message exchanged between a transmitter and a receiver

• Receiver checks that the number is within a suitable range of the number of the previous message

• Suitable range means:

– Eg between 1 and 30 greater than the previous number (modulo 255) for an 8 bit number

– Suitable range depends on the expected frequency of transmission

• This ensures a message in the specified range is no older than x seconds/minutes

• Except that if the message is really old, then it might be in range, because sequence numbers have gone right the way round!!

Page 24

Timestamps

• Timestamps can plug the hole that the sequence numbering technique has

• Transmitter adds a timestamp to message

• Receiver checks that timestamp is within given tolerance of the timestamp of previous message

• Bandwidth may prevent timestamp being sent with all messages

• Need to be careful about the 1st message received from a transmitter – how do you know its clock is right and the message is not years old?
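The receiver-side check described on the sequence number and timestamp slides, written out as an added example (not Westinghouse, ERTMS or DTG-R code). It assumes the 8-bit number wraps modulo 256, a window of 1 to 30 and a 5 s timestamp tolerance; the message stream is constructed to show a repeat, a spurious insertion and the wrap-round replay that the sequence number alone misses.

```python
"""Receiver-side check combining the two mechanisms on the slides: a windowed
sequence number and a timestamp tolerance. Added example, not Westinghouse,
ERTMS or DTG-R code; window, tolerance and message values are constructed."""
from dataclasses import dataclass

SEQ_MODULUS = 256        # 8-bit running number, assumed to wrap modulo 256
SEQ_WINDOW = 30          # accept a number 1..30 ahead of the previous one
TIME_TOLERANCE_S = 5.0   # accept a timestamp up to 5 s after the previous one


@dataclass(frozen=True)
class Message:
    seq: int          # running number, 0..255
    timestamp: float  # transmitter clock, seconds
    payload: str


class Receiver:
    """Remembers the last accepted message and judges each new one against it."""

    def __init__(self, first: Message) -> None:
        # The first message has to be taken on trust here (the slides' open
        # question); a real system validates it out of band.
        self.last = first

    def seq_in_window(self, seq: int) -> bool:
        ahead = (seq - self.last.seq) % SEQ_MODULUS
        return 1 <= ahead <= SEQ_WINDOW

    def time_in_tolerance(self, ts: float) -> bool:
        return 0.0 <= ts - self.last.timestamp <= TIME_TOLERANCE_S

    def accept(self, msg: Message) -> tuple[bool, str]:
        """Return (accepted, reason); only accepted messages advance the state."""
        if not self.seq_in_window(msg.seq):
            return False, "sequence number outside window"
        if not self.time_in_tolerance(msg.timestamp):
            return False, "timestamp outside tolerance"
        self.last = msg
        return True, "ok"


def demo() -> dict:
    """Constructed message stream exercising repetition, insertion and wrap-round."""
    rx = Receiver(Message(seq=10, timestamp=1000.0, payload="MA 1200 m"))
    results = {}
    results["next"] = rx.accept(Message(11, 1001.0, "MA 1180 m"))      # genuine
    results["repeat"] = rx.accept(Message(11, 1001.0, "MA 1180 m"))    # buffer replayed it
    results["insert"] = rx.accept(Message(200, 1002.0, "MA 5000 m"))   # spurious number
    # A message 256 numbers old: seq 12 is back in the window because the
    # counter has wrapped, but its timestamp is an hour stale.
    results["wrapped_replay"] = rx.accept(Message(12, 1002.0 - 3600.0, "MA 1200 m"))
    results["genuine"] = rx.accept(Message(12, 1002.0, "MA 1160 m"))   # the real seq 12
    return results
```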

Page 25

Deletion of Messages

• May be the result of equipment failure

• Or Denial of Service attack

• Most likely source of disruption of message transmission

• Design the system to be “fail-safe” – if messages are not received it will not cause a hazard

• Timeout on receipt of messages. If a train does not receive any messages after a given period of time, braking will be applied

• In emergency situations, you may want to know that a message has been received, in which case there must be an acknowledgement

Page 26

Insertion of Messages

• Due to cross-talk

• Due to deliberate insertion of messages

• Sequence numbers will protect against a large number of false messages because the sequence number is unlikely to be within the expected range

• Otherwise see masquerading of messages

Page 27

Resequencing of Messages

• Messages received in a different order to that transmitted

• Sequence Numbers and Timestamps

Page 28

Corruption of Messages

• Accidental changes, eg from Electromagnetic Interference or collision of messages

• Deliberate changes

• Safety Codes

– CRC (Cyclic Redundancy Codes)

– Hash Codes

– Cryptographic Block Codes (Message Authentication Code)

Page 29

ERTMS – Encryption

• Uses a MAC – a function of the whole message and a secret key

• A private key for each train

• Block Cipher used is single DES with modified MAC algorithm 3

Page 30

Delay of Messages

• Timestamps

• Timeouts – if you don’t receive a message within a given period, enter a fail-safe state, that is, shut down and apply braking
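The fail-safe timeout from the deletion and delay slides, combined with the movement authority to safe speed calculation from the ERTMS slide, as an added example (not Westinghouse, ERTMS or DTG-R code). The braking rate, reaction time, timeout and the simple stopping-distance model are constructed assumptions; real braking curves are far more detailed.

```python
"""Train-borne fail-safe supervision, added here as an example (not Westinghouse,
ERTMS or DTG-R code). A movement authority (MA) grants a distance to go, the
permitted speed is derived from it, and if no fresh MA arrives within the
timeout the train falls back to braking. Rates and timeout are constructed."""
import math

BRAKE_DECEL = 1.0        # m/s^2, assumed guaranteed braking rate
REACTION_S = 1.5         # s, assumed delay before the brakes bite
TIMEOUT_S = 6.0          # s without a valid MA before the fail-safe state
LINE_SPEED = 80 / 3.6    # 80 km/h from the slides, in m/s


def safe_speed(distance_to_go: float) -> float:
    """Highest speed v from which the train stops within distance_to_go,
    solving v*t + v^2/(2a) = d for v and capping at line speed."""
    if distance_to_go <= 0.0:
        return 0.0
    a, t, d = BRAKE_DECEL, REACTION_S, distance_to_go
    v = -a * t + math.sqrt((a * t) ** 2 + 2.0 * a * d)
    return min(v, LINE_SPEED)


class TrainSupervisor:
    """Brakes by default; only a fresh, valid MA lifts the brakes."""

    def __init__(self) -> None:
        self.ma_distance = 0.0   # metres of authority remaining
        self.ma_time = None      # time the last MA was accepted
        self.braking = True      # fail-safe default

    def receive_ma(self, now: float, distance_to_go: float) -> None:
        """Called when a message has passed the integrity and replay checks."""
        self.ma_distance = distance_to_go
        self.ma_time = now
        self.braking = False

    def tick(self, now: float, travelled: float) -> tuple[bool, float]:
        """Periodic supervision step; returns (braking, permitted_speed)."""
        if self.ma_time is None or now - self.ma_time > TIMEOUT_S:
            self.braking = True    # deleted or delayed messages end here
        if self.braking:
            return True, 0.0
        self.ma_distance = max(0.0, self.ma_distance - travelled)
        return False, safe_speed(self.ma_distance)


def demo() -> list:
    """Constructed timeline: MA received, train runs, messages stop, brakes."""
    sup = TrainSupervisor()
    log = [sup.tick(0.0, 0.0)]            # no MA yet: braking
    sup.receive_ma(1.0, 500.0)
    log.append(sup.tick(2.0, 20.0))       # 480 m left: line speed permitted
    log.append(sup.tick(5.0, 60.0))       # 420 m left, MA still fresh
    log.append(sup.tick(8.0, 60.0))       # 7 s of silence: timeout, brakes on
    return log
```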

Page 31

Masquerading of Messages

• Use of identifiers

• Use of cryptographic techniques

Page 32

Security of Rail Networks

• Of course, there are easier ways of deliberately disrupting railways than spoofing/deleting messages from trackside to train

• Difficult to gain physical access to network

Page 33

An Interesting Website

• www.atcsmon.com

• Allows you to graphically monitor train traffic on railroads that use the Association of American Railroad’s Advanced Train Control System (ATCS) Specification 200 protocol (among others)

• All you need is a radio scanner! That is when you’re not listening to the police, or baby monitors

Page 34

Some other Security Issues

• Security of map data and software loaded into train control units

• Management of private keys for each train

• The future will involve satellite positioning systems (Galileo) and use of more and more COTS products, which increase the security risk

Page 35

Summary

• Security issues can be safety issues too

• To get approval for systems, you have to show that you have considered threats to message integrity and protected against them

• Real applications for cryptographic techniques

Page 36

Further Information

• www.westinghouserail.co.uk

• Railway Safety Standards

– BS EN 50159: Railway Applications – Communication, Signalling and Processing Systems

• ERTMS Standards – www.aeif.org/ccm/doclist.asp

• Lots of information about Communications Systems for train control, US focussed, no future maintenance, www.tsd.org

• “Safeware: System Safety and Computers” by Nancy Leveson. Addison Wesley 1995

• IEE Website (Institute of Electrical Engineers) – www.iee.org

– Railway Professional Network

– Functional Safety Professional Network

Page 37

WESTINGHOUSE RAIL SYSTEMS

RESOURCEFUL RELIABLE RESPONSIBLE