Cybersecurity Assessment of Communication-Based Train Control systems
Sergey Gordeychik, serg.gordey@gmail.com
Dmitry Kuznetsov, malotavr@gmail.com
Recently published information on the cybersecurity assessment of railway
computer and communication-based control systems (CBCS) identified several
weaknesses and vulnerabilities, which allow threat agents to not only degrade system
reliability and bypass safety mechanisms, but to carry out attacks which directly
affect rail traffic safety [1]. Despite these findings, these systems remarkably meet
all relevant IT security and functional safety requirements and have the required
international, national and industrial certificates. To reduce the risks associated with
cyberattacks against CBCS and their components, we recommend that system
certification procedures be designed to include elements of security assessment and
penetration testing.
Cybersecurity threats targeting transportation facilities differ from others in
that attackers are typically unable to achieve their goals in one go or by exploiting a
single vulnerability. This means that they usually carry out a series of attacks; each
exploiting a different vulnerability to help expand their capabilities or create further
conditions to give them the desired result. As such, analysis of cybersecurity threats
in this sector should involve examining all vulnerabilities as well as attacks that can
be carried out by exploiting these vulnerabilities.
[1] http://scadastrangelove.blogspot.com/2015/12/32c3-slides.html
As a result, we suggest following a specific procedure to analyze
vulnerabilities and cybersecurity threats, which was adopted by Russian Railways as
cybersecurity standard STO 02.049-2014 [2]:
- build a threat model which covers transport security breaches,
deterioration of economic effectiveness and functional safety;
- identify software and hardware weaknesses in CBCS components;
- assess the weaknesses found, identify related vulnerabilities and
possible attacks exploiting these vulnerabilities;
- analyze possible attack scenarios and identify threats that can be
realized as a result of the above.
In an ideal scenario, this checklist of vulnerabilities and threats can then be
used to develop a qualitative assessment of the risks associated with possible
breaches of cybersecurity, functional safety and traffic safety.
Work Planning
When planning work and selecting the appropriate methods of vulnerability
analysis, one should bear in mind that it must be carried out for all possible CBCS
operating modes, including:
- normal operating mode;
- all available emergency operational modes, according to CBCS design
documentation;
- CBCS or individual system component maintenance modes.
[2] http://jd-doc.ru/2014/dekabr-2014/14238-rasporyazhenie-oao-rzhd-ot-30-12-2014-n-3192r
CBCS vulnerability analysis can be carried out in the form of lab or field studies. In
a lab study, vulnerability analysis is performed on a test bench that reproduces CBCS
operations in conditions similar to real-life operating conditions. In laboratory
research, any CBCS malfunctions arising from intrusive research methods such as
fault injection being applied to it will not lead to adverse consequences. This enables
researchers to employ a full range of vulnerability detection methods, providing
maximum coverage. That said, the combination of CBCS software and hardware
components represented on the test bench or their configurations may not exactly
reproduce the CBCS in actual operation. As a consequence, analysis results may not
be fully applicable to the systems in operation.
Field research can be performed on a CBCS in actual operating conditions. As the
CBCS being analyzed needs to operate without interruption, some vulnerability
detection methods may have to be forgone, substantially reducing the
comprehensiveness of the results. The main advantage of this form of research is
that it makes it possible to demonstrate in practice what an attacker can do.
An optimum approach is to combine laboratory research with subsequent
verification in the field. Operators can select the actual analysis methods at the
preparation stage, after evaluating the benefits and shortcomings of both approaches.
It is a common mistake to think that if attackers lack information about a
system, this prevents them from finding its vulnerabilities. Unlike in a test lab
environment, attackers have virtually unlimited time, and the type of information
obtained during a preliminary survey can be gleaned by attackers through trial-and-
error. Therefore, to ensure a thorough approach is taken, we recommend that security
analysis be carried out based on a white-box approach, with the auditors having full
access to design and operating documentation, as well as to the source code of each
system. The preliminary survey stage enables the researcher to carry out a
comprehensive vulnerability analysis and reduce the time required to perform it.
Below we discuss the main stages of implementing the above approach, using
the computer-based interlocking (CBI) system as an example.
Threat Model
In this scenario, we use a three-level mission-centric classification [3] of possible
threats affecting CBI cybersecurity, which is based on the requirements of railway
technical operation rules and other fundamental documents:
1. breaches of train movement safety;
2. reduced efficiency;
3. other breaches of device functional safety and reliability.
Threats resulting in railway safety breaches are usually the most difficult to
put into practice and require the greatest effort by the perpetrators. This is primarily
due to the fact that the attackers need to bypass the CBI's functional safety
mechanisms. If object controllers cannot be manipulated directly, for example by
exploiting vulnerabilities in the radio channel, such attacks require modification of
the operating logic of the main CBI modules to change the rules of switch and signal
interlocking, which is a complicated task. However, if this is possible, an attacker
can perform such actions as:
1.1 Setting a clear entry signal light on a route leading to an occupied track
(false clear);
[3] http://www.railjournal.com/index.php/signalling/signalling-cyber-security-the-need-for-a-mission-centric-approach.html
1.2 setting a signal to a less-restrictive aspect, such as a green entry signal
for a section with track divergence on a switch;
1.3 operating a switch with a train passing over it;
1.4 guiding trains over split points;
1.5 setting conflicting routes.
Threats aimed at disrupting freight traffic do not usually require the attackers
to be highly professional and can be put into practice using standard malware. This
increases the chance of this type of threat being deployed, since it does not involve
the development of dedicated tools to carry out an attack. Examples of such threats
include:
2.1 putting the CBI system out of operation;
2.2 blocking control for an extended period of time;
2.3 displaying incorrect train positions on the yardmaster’s workstation;
2.4 false occupancy.
Putting non-redundant components such as the CP/CPU out of operation will
lead to the CBI system becoming non-operational, forcing a switch to manual
operation, which would reduce the efficiency of freight traffic management.
Spoofing or blocking network interaction between the yardmaster's workstation and
CP/CPU or continually rebooting these components can result in blocking the
system’s ability to send commands for an extended period of time. This would
require a switch to manual operation, reducing freight traffic management
efficiency. Spoofed interactions between the CP/CPU and the yardmaster’s
workstation can be used to indicate false occupancy of a track circuit or display
incorrect train positions on the yardmaster’s workstation, requiring additional
control from the yardmaster.
The following threats reduce the system’s overall reliability.
3.1 putting CBI out of operation temporarily;
3.2 putting auxiliary equipment out of operation;
3.3 displaying false diagnostic results on the electrical mechanic’s
workstation.
Temporarily putting the CBI out of operation by rebooting the CP/CPU or the
yardmaster’s workstation reduces the mean time between failures, which is defined
for software products as the time until completely restarting a program or rebooting
an operating system. This can be achieved through a variety of attacks, including
attacks designed to exhaust network or computational resources (Denial of Service
or DoS), attacks on networking equipment designed to change configuration, TCP/IP
or Ethernet parameters, or to remove/replace the firmware of networking devices.
In order to carry out attacks, perpetrators take advantage of vulnerabilities and
weaknesses in CBI components. As a rule, several attacks need to be carried out to
put a threat into practice.
Identifying Weaknesses and Vulnerabilities
To identify CBCS weaknesses and vulnerabilities, lab and/or field research
should be carried out using a methodology based on the threat model, in order to
find as many vulnerabilities and defects as possible. A variety of methods are used,
such as:
- Analyzing the physical security of the facility, the CBCS and its
components;
- Detecting known vulnerabilities using vulnerability scanners;
- Performing manual and automated analysis of component
configurations (networking equipment, OS, DBMS) to determine whether they are
in line with the vendors’ recommendations and best-practice configuration
standards;
- Analyzing authentication and access control mechanisms, analyzing the
password policy, identifying storage of standard and fixed passwords and encryption
keys, key distribution process;
- Surveying the work of operators to identify any violation of security
requirements in their established practices (bypassing the limitations of the graphical
interface, connecting external devices, etc.). It is recommended that this stage be
carried out at the actual workplaces;
- Identifying vulnerabilities using source code analysis, fuzzing and
other methods;
- Analyzing network communication, including those carried out over
wireless connections, such as Wi-Fi and GSM-R;
- Analyzing system maintenance procedures and tools, including those
which use remote management tools;
- Identifying security mechanisms and testing their effectiveness;
- Verifying technical security compliance.
The source code and network communication analysis stages are described in
more detail below.
Source code analysis should be carried out in accordance with industry best
practice, such as the OWASP Code Review Guide [4] methodology, and combines two areas
of analysis:
– searching for typical programming errors;
– searching for typical errors in the implementation of specific security
features.
Searching for typical programming errors involves searching code for
fragments that contain programming errors which give rise to vulnerabilities. The
[4] https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
search is performed purposefully using criteria designed to identify certain classes
of programming errors. Generally, the following errors are searched for:
– buffer overflow errors;
– errors in using language constructs (operating system commands, SQL
operators, programming language operators, etc.);
– parallel computing synchronization errors (race conditions, TOCTOU [5]),
which are critical for the logic of the interlocking process;
– runtime error and exception handling errors;
– typical web application errors (cross-site scripting, session
identification errors, etc.).
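The race-condition class above is the one most specific to interlocking logic: a route is checked for a free track section at one moment and the signal is commanded at another, and a track-circuit update arriving in between turns the check into a false clear. The following is an added example (not code from the paper or from any CBI product) with a constructed model of sections, signals and occupancy updates; the `race_hook` argument is an assumption that stands in for whatever runs concurrently in the window between check and use. It shows the vulnerable check-then-act pattern a reviewer would search for beside a variant that binds the decision to a state snapshot and re-validates it at the time of use.

```python
"""Check-then-act (TOCTOU) race in route-setting logic and a re-validating fix.

Added example, not code from the paper or from any CBI product. The model
below is constructed: sections, signals and the occupancy update are
stand-ins for track-circuit state and object-controller telegrams."""
import threading
from dataclasses import dataclass, field


@dataclass
class TrackState:
    """Occupancy of track sections plus a version counter bumped on every
    change, so a decision can later be checked against the snapshot it used."""
    occupied: set = field(default_factory=set)
    signals: dict = field(default_factory=dict)      # signal id -> "clear" / "stop"
    version: int = 0
    lock: threading.Lock = field(default_factory=threading.Lock)

    def set_occupancy(self, section, occupied):
        """Track-circuit update, e.g. a train entering a section."""
        with self.lock:
            if occupied:
                self.occupied.add(section)
            else:
                self.occupied.discard(section)
            self.version += 1

    def route_free(self, sections):
        return not any(s in self.occupied for s in sections)


def set_route_vulnerable(state, signal, sections, race_hook=None):
    """The defect: the occupancy check and the signal command are separate
    steps with nothing tying them together. race_hook (assumed) stands in for
    whatever runs in that window, e.g. an update from an object controller."""
    if not state.route_free(sections):          # time of check
        return False
    if race_hook:
        race_hook()                             # state may change here
    state.signals[signal] = "clear"             # time of use: never re-validated
    return True


def set_route_safe(state, signal, sections, race_hook=None):
    """Same function with the decision bound to a state snapshot: the commit
    re-validates occupancy and the version under the lock and refuses if
    anything changed in between. Holding the lock across the whole
    check-and-act is the simpler fix when the window can be kept that short."""
    with state.lock:
        if not state.route_free(sections):
            return False
        seen = state.version
    if race_hook:
        race_hook()
    with state.lock:
        if state.version != seen or not state.route_free(sections):
            state.signals[signal] = "stop"      # fail to the restrictive aspect
            return False
        state.signals[signal] = "clear"
        return True


def demo():
    """Run both variants with a train entering S2 inside the race window.
    Returns {variant: (accepted, aspect of signal N1, S2 occupied)}."""
    results = {}
    for name, fn in (("vulnerable", set_route_vulnerable), ("safe", set_route_safe)):
        state = TrackState()
        accepted = fn(state, "N1", ["S1", "S2"],
                      race_hook=lambda: state.set_occupancy("S2", True))
        results[name] = (accepted, state.signals.get("N1"), "S2" in state.occupied)
    return results


if __name__ == "__main__":
    for name, (accepted, aspect, occupied) in demo().items():
        print(f"{name:10s} accepted={accepted} N1={aspect} S2_occupied={occupied}")
```

The vulnerable variant ends with signal N1 at clear while S2 is occupied, which is threat 1.1 from the threat model; the safe variant refuses the route and leaves N1 at stop. When reviewing real CBI code, the pattern to grep for is any read of track or switch state that is not in the same critical section as the command it authorises.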
Searching for typical errors is performed using automated source code
analysis tools and manual analysis. Searching for typical errors in the
implementation of security functions is based on a combination of automated and
expert analysis methods. This includes:
– identifying the source code fragments that implement the main security
functions;
– performing static analysis of the algorithms implementing security
functions;
– performing dynamic analysis of algorithm execution by emulating
object code execution or debugging using test data, including the use of standard
methods for exploiting vulnerabilities.
When defining the scope of work and evaluating what needs to be performed
in the process of analyzing object code, keep in mind that the applicability of this
method of identifying vulnerabilities has the following limitations:
[5] https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use
– analysis can only be performed for a certain set of programming
languages that is determined by the tools used and the existing analysis methods;
– this type of analysis is designed to identify certain classes of
vulnerabilities and specific standard security function implementation errors;
– analysis is performed locally, at program function and module level and
may not cover architectural vulnerabilities or security function implementation
vulnerabilities and errors at the information technology level.
Experts will need to make independent decisions as to which security features
are to be analyzed in the process of assessing the implementation of security features.
These decisions are made based on the programming language used, the architecture
of the computing devices on which the program code is executed, the availability of
suitable analysis methods and tools, and other factors. Typically, the implementation
of the following security features is assessed:
– identification and authentication;
– access control;
– session management;
– network communication and critical system components integrity
control;
– input data validation;
– handling runtime errors and exceptions;
– generation and storage of audit reports;
– cryptographic functions and management of encryption keys.
Analysis of network communication is used as an auxiliary method of passive
vulnerability analysis in the process of solving the following problems:
– creating an inventory of CBCS components using passive methods, including
the nomenclature and versions of operating systems and other software components;
– identifying information flows for the purposes of analyzing CBCS topology;
– detecting prohibited types of interaction, as well as information flows which
may be indicative of the presence of malware;
– detecting events in which confidential or sensitive information, including
login credentials, is communicated insecurely.
In addition, research should include the analysis of communications hardware such
as network modems, (U)SIM cards, GSM-R and SDR radio stations. Such devices
are sophisticated computer systems in which vulnerabilities have been previously
detected. Such vulnerabilities can be exploited in attacks against the entire CBCS
infrastructure [6].
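The four passive-analysis tasks listed above (inventory, information flows, prohibited interactions, insecurely transmitted credentials) can be driven from one normalised view of captured traffic. The following is an added example, not part of the paper: the flow records, addresses, roles, port numbers and banners are constructed to stand in for a capture, and the role map and allowed-interaction list are assumed to come from the CBCS design documentation. It goes slightly beyond the text by also decoding HTTP Basic credentials, which are base64 rather than encrypted.

```python
"""Passive analysis of captured CBCS traffic: service inventory, flow map,
prohibited interactions and cleartext credentials.

Added example, not from the paper. Records, addresses, roles, ports and
banners are constructed to stand in for a packet capture."""
import base64
import re
from collections import Counter, defaultdict

# (src, sport, dst, dport, payload) -- constructed records
FLOWS = [
    ("10.1.0.10", 49152, "10.1.0.20", 5001, b""),
    ("10.1.0.10", 49153, "10.1.0.20", 5001, b""),
    ("10.1.0.20", 5001, "10.1.0.10", 49153, b""),
    ("10.1.0.20", 49200, "10.1.0.30", 5002, b""),
    ("10.1.0.20", 22, "10.1.0.40", 51000, b"SSH-2.0-OpenSSH_5.3\r\n"),
    ("10.1.0.40", 51001, "10.1.0.20", 23, b"login: maint\r\nPassword: Passw0rd\r\n"),
    ("10.1.0.10", 49154, "10.1.0.50", 80,
     b"GET /diag HTTP/1.1\r\nAuthorization: Basic bWFpbnQ6UGFzc3cwcmQ=\r\n\r\n"),
    ("10.1.0.50", 80, "10.1.0.10", 49154,
     b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n\r\n"),
    ("10.1.0.10", 49155, "198.51.100.7", 443, b""),
]

# Roles and permitted client->server interactions, assumed to be taken
# from the CBCS design documentation.
ROLES = {
    "10.1.0.10": "yardmaster-ws",
    "10.1.0.20": "cp-cpu",
    "10.1.0.30": "object-controller",
    "10.1.0.40": "maintenance-ws",
    "10.1.0.50": "diagnostics-server",
}
ALLOWED = {
    ("yardmaster-ws", "cp-cpu"),
    ("cp-cpu", "object-controller"),
    ("maintenance-ws", "cp-cpu"),
    ("yardmaster-ws", "diagnostics-server"),
}

BANNER_RES = [re.compile(r"SSH-\d\.\d-[^\r\n]+"), re.compile(r"Server: ([^\r\n]+)")]
PASSWORD_RE = re.compile(r"(?i)password[:=]\s*(\S+)")
BASIC_RE = re.compile(r"Authorization: Basic ([A-Za-z0-9+/=]+)")


def client_server(rec):
    """Normalise a record to (client, server, service_port). Heuristic: the
    side with the lower port is the server; check non-standard ports against
    the design documentation."""
    src, sport, dst, dport, _ = rec
    return (dst, src, sport) if sport < dport else (src, dst, dport)


def flow_map(flows):
    """Client->server interaction counts per service: the raw material for
    the topology picture and the prohibited-flow check."""
    return Counter(client_server(r) for r in flows)


def inventory(flows):
    """Per host: service ports it answers on and banners it sent (software
    and version nomenclature without sending a single probe)."""
    inv = defaultdict(lambda: {"ports": set(), "banners": set()})
    for rec in flows:
        _, server, port = client_server(rec)
        inv[server]["ports"].add(port)
        text = rec[4].decode("latin-1")
        for rx in BANNER_RES:
            for m in rx.finditer(text):
                inv[rec[0]]["banners"].add(m.group(m.lastindex or 0))
    return dict(inv)


def prohibited_flows(flows, roles=ROLES, allowed=ALLOWED):
    """Interactions absent from the design documentation. Unknown addresses
    are reported as 'external', which catches internet-bound traffic from
    operational hosts and unexpected peers that may indicate malware."""
    found = []
    for (client, server, port), count in flow_map(flows).items():
        pair = (roles.get(client, "external"), roles.get(server, "external"))
        if pair not in allowed:
            found.append((pair, client, server, port, count))
    return found


def cleartext_credentials(flows):
    """Credentials visible in payloads: plain 'Password:' exchanges (telnet,
    FTP, home-grown protocols) and HTTP Basic, which is only base64."""
    hits = []
    for src, _, dst, dport, payload in flows:
        text = payload.decode("latin-1")
        hits += [(src, dst, dport, m.group(1)) for m in PASSWORD_RE.finditer(text)]
        for m in BASIC_RE.finditer(text):
            try:
                hits.append((src, dst, dport, base64.b64decode(m.group(1)).decode("latin-1")))
            except ValueError:
                continue
    return hits


if __name__ == "__main__":
    for host, info in sorted(inventory(FLOWS).items()):
        print(host, sorted(info["ports"]), sorted(info["banners"]))
    for finding in prohibited_flows(FLOWS):
        print("prohibited:", finding)
    for finding in cleartext_credentials(FLOWS):
        print("cleartext credential:", finding)
```

On the constructed capture this reports the CP/CPU answering on an old OpenSSH and on telnet, the maintenance password crossing the network in clear, the same password reused as HTTP Basic towards the diagnostics server, and a yardmaster workstation connection to an address outside the station network. The same flow map, compared against the documented topology, is what the analysis stage later uses as the set of initial conditions.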
Attack scenarios
These processes will result in a list of CBCS weaknesses, some of which could
be potential vulnerabilities. To confirm, detected weaknesses need to be assessed
and identified as vulnerabilities. This can be done in one of several ways:
- practical demonstration of how the vulnerability can be used to pose a
real threat to cyber security;
- description of the theoretical possibility of the vulnerability being used
to pose a threat to cyber security that raises no objections from CBCS specialists;
- for known vulnerabilities in the code – presence of the vulnerability in
the database of one or more resources used for identifying vulnerabilities or a
security bulletin from the software developer confirming the release of a security
update that eliminates the vulnerability and availability of exploits;
- for unknown or unpublished vulnerabilities in the code – a message in
the software developer notes confirming that a defect is a vulnerability;
[6] http://securityaffairs.co/wordpress/31663/hacking/hacking-4g-usb-modems.html
- in the event of obsolete and unsupported software being used – a press
release or other statements confirming the termination of software support;
- configuration errors – a publication by the software developer, or other
authoritative sources, recognizing the negative impact of this configuration on the
overall security of CBCS or on an individual component of the system.
The severity of confirmed vulnerabilities can then be assessed and
recommendations formulated to address them.
If a previously unknown vulnerability is revealed in the course of the work,
the testing laboratory informs the CBCS developer, notifying them about the
vulnerabilities in the customary form, in line with the policy of ‘responsible
disclosure’ [7].
Threat Analysis
The collected data is then used to analyze cyber security threats. This involves
the construction of a sequence of attacks (attack graphs) that meet the following
conditions:
- for each attack on the CBCS, the vulnerability that enables that attack
is identified;
- by virtue of the initial conditions and/or as a result of previous attacks,
at the time a specific attack is carried out, the intruder has acquired the capabilities
required to perform the attack;
- carrying out the final attack results in an objective being fulfilled.
To create a directed graph of attack, the initial vertex needs to be the ultimate
goal of the attacker. At the first stage of analysis, the vulnerable CBCS components
[7] https://en.wikipedia.org/wiki/Responsible_disclosure
are determined. An attack on these components then leads to one or more of these
objectives being attained. At this point, the capabilities needed by an attacker to carry
out the identified attacks can be determined. Vulnerable CBCS components are then
defined for every capability the attacker possesses. These are the components that,
if successfully attacked, will give the intruder the required access level. The process
is then repeated until such time that the CBCS vulnerabilities are exhausted or until
the set of CBCS component vulnerabilities required to carry out all of the analyzed
attacks are determined, taking into account the subsequent acquisition by the intruder
of new capabilities as a result of each attack.
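The backward construction just described, as an added example that is not part of the paper: each attack is modelled as exploiting one weakness on one component, requiring a capability the intruder already holds and granting a new one. The attacks, weaknesses, capability names and the initial conditions below are constructed for illustration (they follow the threat model's 1.1 false clear and 2.4 false occupancy, but no real assessment data is used). Starting from the objective, the graph is expanded until every required capability is either an initial condition or something no modelled attack provides.

```python
"""Backward construction of an attack graph from a CBI threat.

Added example, not from the paper. Attacks, weaknesses, capability names
and the attacker's starting position are constructed for illustration."""
from collections import namedtuple

# An attack exploits one weakness on one component; it needs a capability
# the intruder already has ('requires') and gives a new one ('grants').
Attack = namedtuple("Attack", "name component weakness requires grants")

ATTACKS = [
    Attack("infect maintenance workstation via removable media", "maintenance-ws",
           "W1 unrestricted removable media", "physical access to maintenance room",
           "code execution on maintenance-ws"),
    Attack("reach CP/CPU from maintenance segment", "station LAN",
           "W2 no segmentation between maintenance and control networks",
           "code execution on maintenance-ws", "network access to CP/CPU"),
    Attack("log in with fixed vendor password", "CP/CPU",
           "W3 fixed maintenance password", "network access to CP/CPU",
           "administrative access to CP/CPU"),
    Attack("replace interlocking logic image", "CP/CPU",
           "W4 no integrity check on logic image at load",
           "administrative access to CP/CPU", "false clear"),
    Attack("spoof status telegrams to yardmaster workstation", "yardmaster link",
           "W5 unauthenticated CP/CPU-workstation protocol",
           "network access to CP/CPU", "false occupancy"),
    Attack("replay command telegrams to object controller", "radio link",
           "W6 no replay protection on radio channel", "radio access near the station",
           "direct control of object controller"),
    Attack("drive switch and signal from object controller", "object controller",
           "W7 object controller accepts commands without interlocking check",
           "direct control of object controller", "false clear"),
]

# Assumed attacker profile for this run: an insider or visitor in the
# maintenance room, no radio equipment.
INITIAL = {"physical access to maintenance room"}


def build_attack_graph(goal, attacks):
    """Start at the objective and work backwards: for the current capability
    collect every attack that grants it, then queue what those attacks
    require. Ends when every required capability has been expanded."""
    graph, todo, seen = {}, [goal], set()
    while todo:
        cap = todo.pop()
        if cap in seen:
            continue
        seen.add(cap)
        graph[cap] = [a for a in attacks if a.grants == cap]
        todo.extend(a.requires for a in graph[cap])
    return graph


def realizable_chains(goal, graph, initial):
    """Forward-ordered attack sequences that begin from the initial
    conditions and end with the objective; each step's precondition is the
    capability granted by the previous step."""
    def walk(cap, path):
        if cap in initial:
            yield list(reversed(path))
            return
        for a in graph.get(cap, []):
            if a not in path:                   # no cycles through one attack
                yield from walk(a.requires, path + [a])
    return list(walk(goal, []))


def dead_ends(graph, initial):
    """Capabilities the graph needs but no modelled attack provides and the
    attacker does not start with: either a gap in the vulnerability data or a
    genuine stopping point for this attacker profile."""
    return {cap for cap, atts in graph.items() if not atts and cap not in initial}


def common_weaknesses(chains):
    """Weaknesses present in every chain: fixing any one of them breaks all
    of the analysed scenarios, so remediation effort goes there first."""
    sets = [{a.weakness for a in chain} for chain in chains]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for goal in ("false clear", "false occupancy"):
        graph = build_attack_graph(goal, ATTACKS)
        chains = realizable_chains(goal, graph, INITIAL)
        print(f"{goal}: {len(chains)} chain(s); dead ends: {dead_ends(graph, INITIAL)}")
        for chain in chains:
            print("  " + " -> ".join(f"{a.name} [{a.weakness.split()[0]}]" for a in chain))
```

For the assumed starting position the radio branch towards the object controller is reported as a dead end rather than a chain, and both threats share W1 and W2, which is the kind of result that orders the recommendations: segmentation and removable-media control cut every analysed path, while W3 and W4 only cut the false-clear path. Re-running with a different `INITIAL` set (for example adding radio access) is how the same model is evaluated for a different intruder profile.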
Conclusions
The cybersecurity assessment and threat modelling approach outlined in this paper can
help to identify the most likely attack vectors, the security mechanisms that counteract
them and the weaknesses in the system’s cybersecurity. This data can then be used
to develop a qualitative analysis of the risks associated with possible breaches of
cybersecurity, functional safety and traffic safety.

  • 6. 6 3.2 putting auxiliary equipment out of operation; 3.3 displaying false diagnostic results on the electrical mechanic’s workstation. Temporarily putting the CBI out of operation by rebooting the CP/CPU or the yardmaster’s workstation reduces the mean time between failures, which is defined for software products as the time until completely restarting a program or rebooting an operating system. This can be achieved through a variety of attacks, including attacks designed to exhaust network or computational resources (Denial of Service or DoS), attacks on networking equipment designed to change configuration, TCP/IP or Ethernet parameters, or to remove/replace the firmware of networking devices. In order to carry out attacks, perpetrators take advantage of vulnerabilities and weaknesses in CBI components. As a rule, several attacks need to be carried out to put a threat into practice. Identifying Weaknesses and Vulnerabilities To identify CBCS weaknesses and vulnerabilities, lab and/or field research should be carried out using a methodology based on the threat model, in order to find as many vulnerabilities and defects as possible. A variety of methods are used, such as: - Analyzing the physical security of the facility, the CBCS and its components; - Detecting known vulnerabilities using vulnerability scanners; - Performing manual and automated analysis of component configurations (networking equipment, OS, DBMS) to determine whether they are in line with the vendors’ recommendations and best-practice configuration standards;
  • 7. 7 - Analyzing authentication and access control mechanisms, analyzing the password policy, identifying storage of standard and fixed passwords and encryption keys, key distribution process; - Surveying the work of operators to identify any violation of security requirements in their established practices (bypassing the limitations of the graphical interface, connecting external devices, etc.). It is recommended that this stage be carried out at the actual workplaces; - Identifying vulnerabilities using source code analysis, fuzzing and other methods; - Analyzing network communication, including those carried out over wireless connections, such as Wi-Fi and GSM-R; - Analyzing system maintenance procedures and tools, including those which use remote management tools; - Identifying security mechanisms and testing their effectiveness; - Verifying technical security compliance. The source code and network communication analysis stages are described in more detail below. Source code analysis should be carried out in accordance with industrial best practice, suh as OWASP Code Review Guide4 methodology and combines two areas of analysis: – searching for typical programming errors; – searching for typical errors in the implementation of specific security features. Searching for typical programming errors involves searching code for fragments that contain programming errors which give rise to vulnerabilities. The 4 https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf
  • 8. 8 search is performed purposefully using criteria designed to identify certain classes of programming errors. Generally, the following errors are searched for: – buffer overflow errors; – errors in using language constructs (operating system commands, SQL operators, programing language operators, etc.); – parallel computing synchronization errors (race conditions, TOCTOU5 ) wich are critical for logic of interlocking process; – runtime error and exception handling errors; – typical web application errors (cross-site scripting, session identification errors, etc.). Searching for typical errors is performed using automated source code analysis tools and manual analysis. Searching for typical errors in the implementation of security functions is based on a combination of automated and expert analysis methods. This includes: – identifying the source code fragments that implement the main security functions; – performing static analysis of the algorithms implementing security functions; – performing dynamic analysis of algorithm execution by emulating object code execution or debugging using test data, including the use of standard methods for exploiting vulnerabilities. When defining the scope of work and evaluating what needs to be performed in the process of analyzing object code, keep in mind that the applicability of this method of identifying vulnerabilities has the following limitations: 5 https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use
  • 9. 9 – analysis can only be performed for a certain set of programming languages that is determined by the tools used and the existing analysis methods; – this type of analysis is designed to identify certain classes of vulnerabilities and specific standard security function implementation errors; – analysis is performed locally, at program function and module level and may not cover architectural vulnerabilities or security function implementation vulnerabilities and errors at the information technology level. Experts will need to make independent decisions as to which security features are to be analyzed in the process of assessing the implementation of security features. These decisions are made based on the programming language used, the architecture of the computing devices on which the program code is executed, the availability of suitable analysis methods and tools, and other factors. Typically, the implementation of the following security features is assessed: – identification and authentication; – access control; – session management; – network communication and critical system components integrity control; – input data validation; – handling runtime errors and exceptions – generation and storage of audit reports; – cryptographic functions and management of encryption keys. Analysis of network communication is used as an auxiliary method of passive vulnerability analysis in the process of solving the following problems: – creating an inventory of CBCS components using passive methods, including the nomenclature and versions of operating systems and other software components; – identifying information flows for the purposes of analyzing CBCS topology;
  • 10. 10 – detecting prohibited types of interaction, as well as information flows which may be indicative of the presence of malware; – detecting events in which confidential or sensitive information, including login credentials, is communicated insecurely. In addition, research should include the analysis of communications hardware such as network modems, (U)SIM cards, GSM-R and SDR radio stations. Such devices are sophisticated computer systems in which vulnerabilities have been previously detected. Such vulnerabilities can be exploited in attacks against the entire CBCS infrastructure6 . Attack scenarios These processes will result in a list of CBCS weaknesses, some of which could be potential vulnerabilities. To confirm, detected weaknesses need to be assessed and identified as vulnerabilities. This can be done in one of several ways: - practical demonstration of how the vulnerability can be used to pose a real threat to cyber security; - description of the theoretical possibility of the vulnerability being used to pose a threat to cyber security that raises no objections from CBCS specialists; - for known vulnerabilities in the code – presence of the vulnerability in the database of one or more resources used for identifying vulnerabilities or a security bulletin from the software developer confirming the release of a security update that eliminates the vulnerability and availability of exploits; - for unknown or unpublished vulnerabilities in the code – a message in the software developer notes confirming that a defect is a vulnerability; 6 http://securityaffairs.co/wordpress/31663/hacking/hacking-4g-usb-modems.html
  • 11. 11 - in the event of obsolete and unsupported software being used – a press release or other statements confirming the termination of software support; - configuration errors – a publication by the software developer, or other authoritative sources, recognizing the negative impact of this configuration on the overall security of CBCS or on an individual component of the system. The severity of confirmed vulnerabilities can then be assessed and recommendations formulated to address them. If a previously unknown vulnerability is revealed in the course of the work, the testing laboratory informs the CBCS developer, notifying them about the vulnerabilities in conventional form, in line with the policy of ‘responsible disclosure’7 . Threat Analisys The collected data is then used to analyze cyber security threats. This involves the construction of a sequence of attacks (attack graphs) that meet the following conditions: - for each attack on the CBCS, the vulnerability that enables that attack is identified; - by virtue of the initial conditions and/or as a result of previous attacks, at the time a specific attack is carried out, the intruder has acquired the capabilities required to perform the attack; - carrying out the final attack results in an objective being fulfilled. To create a directed graph of attack, the initial vertex needs to be the ultimate goal of the attacker. At the first stage of analysis, the vulnerable CBCS components 7 https://en.wikipedia.org/wiki/Responsible_disclosure
  • 12. 12 are determined. An attack on these components then leads to one or more of these objectives being attained. At this point, the capabilities needed by an attacker to carry out the identified attacks can be determined. Vulnerable CBCS components are then defined for every capability the attacker possesses. These are the components that, if successfully attacked, will give the intruder the required access level. The process is then repeated until such time that the CBCS vulnerabilities are exhausted or until the set of CBCS component vulnerabilities required to carry out all of the analyzed attacks are determined, taking into account the subsequent acquisition by the intruder of new capabilities as a result of each attack. Conclusions The cyberassesment and threat modelling approach outlined in this paper can help to identify the most likely attack vectors, security mechanisms that counteract them and the weaknesses in the system’s cybersecurity. This data can then be used to develop a qualitative risk analysis associated with possible breaches of cybersecurity, functional and traffic safety.
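As an added example (not code from the paper), the backward construction of the attack graph described in the Threat Analysis section above, run over a constructed attack catalogue for a CBI test bench; the component names, vulnerabilities and capability labels are assumptions chosen to illustrate the method, not findings from the paper. The result shows which vulnerabilities must be fixed to break a given chain, and where a chain is already infeasible from the intruder's starting conditions.

```python
from collections import deque
# Constructed attack catalogue for a CBI test bench (assumed sample data, not
# findings from the paper): component, vulnerability, capabilities required, gain.
ATTACKS = [
    {"id": "A1", "component": "maintenance Wi-Fi", "vuln": "weak pre-shared key",
     "requires": {"radio range"}, "grants": "maintenance LAN access"},
    {"id": "A2", "component": "network switch", "vuln": "default admin password",
     "requires": {"maintenance LAN access"}, "grants": "switch configuration control"},
    {"id": "A3", "component": "yardmaster workstation", "vuln": "unpatched OS service",
     "requires": {"maintenance LAN access"}, "grants": "code execution on workstation"},
    {"id": "A4", "component": "workstation-CP/CPU link", "vuln": "unauthenticated protocol",
     "requires": {"code execution on workstation"}, "grants": "spoofed commands to CP/CPU"},
    {"id": "A5", "component": "CP/CPU", "vuln": "resource exhaustion (DoS)",
     "requires": {"maintenance LAN access"}, "grants": "CP/CPU reboot"},
]

def backward_attack_graph(goal, attacks, initial):
    """Work back from the attacker's objective to the initial conditions.
    Returns (edges, unresolved): edges maps each capability the intruder must
    hold to the attacks granting it; unresolved lists capabilities that neither
    an attack nor an initial condition provides (the chain breaks there)."""
    edges, unresolved, seen = {}, [], set()
    queue = deque([goal])
    while queue:
        cap = queue.popleft()
        if cap in seen or cap in initial:
            continue
        seen.add(cap)
        providers = [a for a in attacks if a["grants"] == cap]
        if not providers:
            unresolved.append(cap)
            continue
        edges[cap] = [a["id"] for a in providers]
        for a in providers:
            queue.extend(a["requires"])  # capabilities the attack itself needs
    return edges, unresolved

def attack_sequence(goal, attacks, initial):
    """Forward check over the attacks in the backward graph: apply an attack once
    its requirements are held; returns ordered attack ids, or None if infeasible."""
    edges, _ = backward_attack_graph(goal, attacks, initial)
    relevant = {aid for ids in edges.values() for aid in ids}
    have, chain, progress = set(initial), [], True
    while goal not in have and progress:
        progress = False
        for a in attacks:
            if a["id"] in relevant and a["id"] not in chain and a["requires"] <= have:
                have.add(a["grants"]); chain.append(a["id"]); progress = True
    return chain if goal in have else None
```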