A Cyber-Physical Approach to Securing Urban ...securify.sce.ntu.edu.sg/SGCRC2018/slides/SG-CRC...
A Cyber-Physical Approach to Securing Urban Transportation Systems
Lead PI: Prof. Jianying Zhou (SUTD)
SG-CRC’18, 28 March 2018
Cyber-Physical Systems
(Figure: transportation as one cyber-physical domain alongside energy, water and others; transportation sub-sectors: rail, auto, aviation, maritime)

Urban Transportation Systems
Challenges:
• Complexity inherent in the cyber-physical nature
• Deep involvement of humans
Urban Transportation System Security
Project Framework
• Modeling
  – Modeling with cyber-physical constraints and human factors
  – Model-based tools for resilience evaluation and safety-security reconciliation
• Legacy System Protection
  – Model-driven security measures
  – Adaptive attack mitigation
  – Persistent access control
  – Secure communications
• Case Study
  – SMRT Integrated Supervisory Control System (ISCS)
Selected Security Technologies
1. ATS log analysis tools (testing and trial in SMRT)
   – Context-aware ATS log diagnosis tool
   – Ontology-driven alarm prediction tool
2. Two-factor authentication for ITS devices using historical data
3. Virtually isolated network
4. Controllable secure configuration of network devices (testing and trial in SMRT)
5. Low-cost location integrity protection for railway systems
6. SecureRails: an open simulation platform for analysing cyber-physical attacks in railways
7. Advanced SCADA firewall (testing and trial in SMRT)
ATS Log Analysis Tools
• Anomalies in the Automatic Train Supervision (ATS) system
  – The ATS system supervises all important assets in a metro system
  – Asset anomalies are recorded as alarms and are mixed with a huge amount of other logs
• Diagnosis of the alarms
  – Log data is complex and high-dimensional
  – Manual investigation of log data is inefficient and error-prone
• Prediction of the alarms
  – There are a huge number of assets with various functionalities at different geo-locations in a metro system
  – It is unrealistic to maintain all assets frequently
  – Alarm prediction is important for preventive maintenance and suggests the priority in which assets should be maintained

(Figure: ATS log analysis pipeline)
Raw logs (Asset ID, Category, Description, Duration)
→ Preprocessing
→ Refine event categorization (Asset ID, Category, Refined Category, DT, Duration)
→ Model system context (feature vector: feature1, feature2, …, featurem)
→ Analyze correlation (statistical analysis)
→ Correlated assets/events (CorrelatedAsset/event1, CorrelatedAsset/event2, …, CorrelatedAsset/eventn)
Context-Aware Diagnosis Tool
• Expedite the diagnosis process
  – Without relying on substantial prior knowledge or an accurate process model of the subsystems
• System context awareness
  – Model the system context by a series of features derived from the system logs
• Identify assets and events correlated with target alarms
  – Find the potential causes of the target alarms
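The pipeline above (preprocessing, refined categorization, context features, correlation) can be illustrated with a small log-driven ranking. The following is an added example written for this page, not the SUTD/SMRT tool: the log lines are constructed, the log schema (timestamp, asset ID, category, description, duration) mirrors the fields on the slide, and the scoring (support and confidence of a candidate event preceding the target alarm within a time window) is one simple correlation measure chosen for illustration.

```python
"""Log-driven correlation for ATS alarm diagnosis (illustrative, not the SUTD/SMRT tool)."""
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Constructed sample logs (not real SMRT data): timestamp,asset_id,category,description,duration_s
RAW_LOGS = """\
2018-03-01 08:00:05,PSD-07,ALARM,Platform screen door obstructed,40
2018-03-01 08:00:20,PWR-02,WARN,Traction power dip,5
2018-03-01 08:00:50,TRN-11,ALARM,Train overrun at platform,120
2018-03-01 09:10:00,PSD-07,ALARM,Platform screen door obstructed,35
2018-03-01 09:10:45,TRN-11,ALARM,Train overrun at platform,90
2018-03-01 10:30:00,SIG-03,INFO,Signal aspect change,0
2018-03-01 11:00:00,PWR-02,WARN,Traction power dip,4
2018-03-01 11:00:30,TRN-11,ALARM,Train overrun at platform,100
2018-03-01 12:00:00,SIG-03,INFO,Signal aspect change,0
2018-03-01 12:45:00,PSD-07,ALARM,Platform screen door obstructed,30
2018-03-01 12:45:40,TRN-11,ALARM,Train overrun at platform,110
"""

Event = namedtuple("Event", "time asset category refined duration")
Correlation = namedtuple("Correlation", "asset refined support confidence score")


def refine_category(category, description):
    """Refined event category: the coarse ATS category plus a slug of the description."""
    return category + "/" + "-".join(description.lower().split())


def parse_logs(text):
    """Preprocessing: raw CSV lines -> time-ordered Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asset, category, description, duration = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), asset, category,
                            refine_category(category, description), int(duration)))
    return sorted(events, key=lambda e: e.time)


def context_before(events, target, window):
    """System-context feature for one target alarm: the (asset, refined category) keys
    logged in the `window` before it, excluding the target alarm type itself."""
    start = target.time - window
    return {(e.asset, e.refined) for e in events
            if start <= e.time < target.time
            and (e.asset, e.category) != (target.asset, target.category)}


def correlate(events, target_asset, target_category, window_seconds=60):
    """Rank candidate assets/events by how consistently they precede the target alarm.

    support    = fraction of target alarms with the candidate in the preceding window
    confidence = fraction of the candidate's occurrences followed by the target alarm
    """
    window = timedelta(seconds=window_seconds)
    targets = [e for e in events if e.asset == target_asset and e.category == target_category]
    if not targets:
        return []
    target_times = [t.time for t in targets]

    preceded = Counter()          # candidate key -> number of target alarms it preceded
    for t in targets:
        preceded.update(context_before(events, t, window))

    totals, followed = Counter(), Counter()
    for e in events:
        if (e.asset, e.category) == (target_asset, target_category):
            continue
        key = (e.asset, e.refined)
        totals[key] += 1
        if any(e.time < tt <= e.time + window for tt in target_times):
            followed[key] += 1

    results = []
    for key, n in preceded.items():
        support = n / len(targets)
        confidence = followed[key] / totals[key]
        results.append(Correlation(key[0], key[1], support, confidence, support * confidence))
    return sorted(results, key=lambda c: (-c.score, c.asset))


if __name__ == "__main__":
    for c in correlate(parse_logs(RAW_LOGS), "TRN-11", "ALARM"):
        print(f"{c.asset:8} {c.refined:40} support={c.support:.2f} confidence={c.confidence:.2f}")
```

With the constructed logs, the platform screen door alarm on PSD-07 precedes three of the four train overrun alarms and the traction power dip on PWR-02 precedes two, while the signalling events on SIG-03 never do; shrinking the window to 30 seconds drops PSD-07 from the ranking, which is why the window is a parameter the operator should tune against known incidents rather than a constant.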
Ontology-Driven Alarm Prediction Tool
• Prediction of alarms for assets
  – When a given asset A will raise which alarm
  – Without relying on substantial prior knowledge or an accurate process model of the subsystems
• Ontology-driven modeling
  – Model the behaviours of assets based on ontology information
• System context and temporal awareness
  – Model the system context by a series of features derived from the system logs
Current Status of the Tools
(Figure: the Context-Aware Diagnosis Tool and the Ontology-Driven Alarm Prediction Tool)
• The two tools have been tested on a real-world ATS log dataset provided by the Circle Line of SMRT
• The tools will be improved based on the experts' suggestions and tested on more ATS log datasets
Train Location Integrity Protection
Eurobalise spot transmission
• Between the on-board Balise Transmission Module (BTM) and the balise
• Transmits location data via wireless links
• Uses coding to protect data integrity and detect corruption
• Widely deployed
  – Europe, China, Australia, Malaysia, Singapore, etc.
  – Vendors: Alstom, Siemens, Thales, etc.
(Figure: balise mounted on the track, read by the train-borne BTM as the train passes)
Threats and Challenges
• Threats to Eurobalise
  – Modification of location data
  – Installation of rogue balises
• Potential consequences
  – Disruption of train service
  – Passenger alarm (e.g., a sudden stop)
• Challenges
  – Short telegram, short latency
  – No handshake is allowed, ruling out challenge-response
  – Legacy support (Eurobalise telegrams have a fixed data format and structure)
Low-cost Location Integrity Protection
• Bind the user data to the scrambling bits (sb) and the LFSR key (S)
• The binding is based on secret keys (k0, k1)
• Set the authentication tag as (sb, S)

Eurobalise telegram format (long telegram / short telegram):
Field         Bits
Shaped data   913 or 231
cb            3
sb            12
esb           10
Check bits    85
Total         1023 or 341

(Figure: the authentication tag (sb, S) is generated when the telegram is encoded and verified when the telegram is received)
Features of Our Solution
• Embeds a two-level authentication code into the two parameters used for scrambling the user data
• Only a small update to the existing encoding scheme
  – No data expansion and no modification of the current telegram format
• Low-cost and lightweight method to improve the integrity of location data
  – Does not require additional hardware or sensors
  – Resistant to false data injection or data modification
• Suitable for subway or underground railway systems, which rely on passive transponders
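To make the "tag in existing fields" idea concrete, here is an added example written for this page; it is not the SUTD scheme's code. The slides give only the field widths and the statement that sb and S are bound to the user data under k0 and k1, so everything else is an assumption: HMAC-SHA256 (truncated) stands in for the keyed binding functions, S is taken as a 32-bit LFSR state derived from sb so that the receiver can descramble before it knows the user data, the LFSR taps are arbitrary, and the shaping and check-bit stages of a real telegram are not modelled.

```python
"""Binding Eurobalise location data to the scrambling parameters (sb, S).

Illustrative example; not the SUTD scheme. HMAC-SHA256, the 32-bit LFSR and its
taps, and "S derived from sb" are assumptions not stated on the page.
"""
import hashlib
import hmac
from collections import namedtuple

# Field widths in bits as given on the slide (long telegram / short telegram).
LONG_TELEGRAM = {"shaped_data": 913, "cb": 3, "sb": 12, "esb": 10, "check_bits": 85}
SHORT_TELEGRAM = {"shaped_data": 231, "cb": 3, "sb": 12, "esb": 10, "check_bits": 85}

SB_BITS = 12                 # scrambling-bits field (from the slide)
S_BITS = 32                  # ASSUMED width of the LFSR initial state S
LFSR_TAPS = (31, 21, 1, 0)   # ASSUMED feedback taps for the illustrative LFSR

Telegram = namedtuple("Telegram", "sb scrambled")


def telegram_bits(layout):
    """Total telegram length; the tag reuses existing fields, so this does not grow."""
    return sum(layout.values())


def prf(key, msg, nbits):
    """Keyed function truncated to nbits; HMAC-SHA256 stands in for the unspecified one."""
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def lfsr_keystream(seed, nbytes):
    """Keystream from a Fibonacci LFSR seeded with S (illustrative scrambler)."""
    state = (seed & ((1 << S_BITS) - 1)) or 1   # an all-zero state would never change
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            bit = state & 1
            feedback = 0
            for tap in LFSR_TAPS:
                feedback ^= (state >> tap) & 1
            state = (state >> 1) | (feedback << (S_BITS - 1))
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def generate_tag(k0, k1, user_data):
    """Two-level tag (sb, S): sb binds the user data under k0, S binds sb under k1."""
    sb = prf(k0, user_data, SB_BITS)
    s = prf(k1, sb.to_bytes(2, "big"), S_BITS)
    return sb, s


def encode_telegram(k0, k1, user_data):
    """Balise side: derive (sb, S) from the data and scramble the data with S."""
    sb, s = generate_tag(k0, k1, user_data)
    stream = lfsr_keystream(s, len(user_data))
    return Telegram(sb, bytes(a ^ b for a, b in zip(user_data, stream)))


def decode_telegram(k0, k1, telegram):
    """On-board side: recompute S from the received sb, descramble, then check sb.
    Returns (ok, user_data); ok is False for modified data or a rogue balise."""
    s = prf(k1, telegram.sb.to_bytes(2, "big"), S_BITS)
    stream = lfsr_keystream(s, len(telegram.scrambled))
    data = bytes(a ^ b for a, b in zip(telegram.scrambled, stream))
    expected_sb = prf(k0, data, SB_BITS).to_bytes(2, "big")
    ok = hmac.compare_digest(expected_sb, telegram.sb.to_bytes(2, "big"))
    return ok, data


if __name__ == "__main__":
    k0, k1 = b"demo-k0-not-secret", b"demo-k1-not-secret"   # constructed keys
    location = b"balise 0x12AB, km 27.350, nominal"           # constructed user data
    ok, data = decode_telegram(k0, k1, encode_telegram(k0, k1, location))
    print(ok, data)
```

Two caveats a practitioner should keep in mind when evaluating any scheme of this shape: the telegram length stays at 1023 or 341 bits because the tag occupies fields that already exist, but sb is only 12 bits, so the sb check alone accepts a random forgery with probability 2^-12; the second level (S, and hence the scrambling) is what makes a forged telegram descramble to garbage rather than to attacker-chosen data, so both keys must be kept off the balise side that an attacker can physically reach.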
Two-Factor Authentication for ITS Devices
• Intelligent Transportation Systems (ITS) apply information and communication technologies to transport.
• Many field devices are deployed as part of the ITS infrastructure.
• The ITS infrastructure is subject to cyber attacks.
How can ITS field devices be secured so that they provide the first line of defense for the ITS infrastructure?
Historical Data as Authentication Factor: Tag Generation for Data
(Figure: the verifier, the ITS device holding the keys (K, K'), generates a tag T_i for each data item D_i and hands the pairs (D_1, T_1), (D_2, T_2), …, (D_L, T_L) to the prover, the ITS server holding K)

Tag: $T_i = K \cdot h(D_i) + f_{K'}(i)$

where h() is a cryptographic hash function, f() is a PRF (pseudorandom function), and the arithmetic is in a binary extension field with a minimal polynomial.
Historical Data as Authentication Factor: Verification
(Figure: the verifier, the ITS device with keys (K, K'), issues a challenge c and an index set I; the prover, the ITS server with key K and the stored pairs (D_1, T_1), …, (D_L, T_L), answers with (X, Y))

$r' = f_K(c)$

$X = \sum_{i \in I} f_{r'}(i) \cdot h(D_i)$

$Y = \sum_{i \in I} f_{r'}(i) \cdot T_i$

Verify: $Y \stackrel{?}{=} K \cdot X + \sum_{i \in I} f_{r'}(i) \cdot f_{K'}(i)$

• To generate (X, Y), the prover must have knowledge of all D_i and T_i
• Verification needs only K, K', r' and I; the verifier does not need to store D_i and T_i
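The tag generation and verification steps above, carried through in working code as an added example for this page (not the SUTD implementation). The equations are the slides' own; what the slides leave open is filled in by assumption: the field is GF(2^128) with the reduction polynomial x^128 + x^7 + x^2 + x + 1, h is SHA-256 truncated to 128 bits, the PRF f is HMAC-SHA256 truncated to 128 bits, and the role assignment (ITS device = verifier with (K, K'), ITS server = prover with K and the history) follows the slide that says the device stores only two keys. The readings and keys are constructed.

```python
"""Historical data as a second authentication factor (illustrative implementation).

T_i = K*h(D_i) + f_K'(i); r' = f_K(c); X = sum f_r'(i)*h(D_i); Y = sum f_r'(i)*T_i;
check Y == K*X + sum f_r'(i)*f_K'(i). Field, hash and PRF choices are assumptions.
"""
import hashlib
import hmac
import secrets

FIELD_BITS = 128
REDUCTION = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # ASSUMED reduction polynomial


def gf_mul(a, b):
    """Multiplication in GF(2^128): carry-less product reduced modulo REDUCTION."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a >> FIELD_BITS:
            a ^= REDUCTION
        b >>= 1
    return result


def h(data):
    """Cryptographic hash of D_i mapped to a field element (SHA-256, truncated)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def prf(key_bytes, msg):
    """PRF f_key(msg) as a field element (HMAC-SHA256, truncated)."""
    return int.from_bytes(hmac.new(key_bytes, msg, hashlib.sha256).digest()[:16], "big")


def prf_index(key_elem, i):
    """f_key(i) for an integer index i, with the key given as a field element."""
    return prf(key_elem.to_bytes(16, "big"), i.to_bytes(8, "big"))


class ITSDevice:
    """Verifier. Stores only the two keys (K, K'); never keeps D_i or T_i."""

    def __init__(self, K, Kp):
        self.K, self.Kp = K, Kp

    def tag(self, i, D):
        """T_i = K * h(D_i) + f_K'(i)  (addition in GF(2^128) is XOR)."""
        return gf_mul(self.K, h(D)) ^ prf_index(self.Kp, i)

    def challenge(self, num_records, sample=3):
        """Fresh challenge c and a random index set I over the stored history."""
        c = secrets.token_bytes(16)
        I = sorted(secrets.SystemRandom().sample(range(1, num_records + 1), sample))
        return c, I

    def verify(self, c, I, X, Y):
        """Y == K*X + sum_{i in I} f_r'(i) * f_K'(i), with r' = f_K(c)."""
        r = prf(self.K.to_bytes(16, "big"), c)
        rhs = gf_mul(self.K, X)
        for i in I:
            rhs ^= gf_mul(prf_index(r, i), prf_index(self.Kp, i))
        return hmac.compare_digest(rhs.to_bytes(16, "big"), Y.to_bytes(16, "big"))


class ITSServer:
    """Prover. Holds K (first factor) and the tagged history (second factor)."""

    def __init__(self, K):
        self.K = K
        self.history = {}   # i -> (D_i, T_i), as received from the device

    def record(self, i, D, T):
        self.history[i] = (D, T)

    def respond(self, c, I):
        r = prf(self.K.to_bytes(16, "big"), c)        # r' = f_K(c)
        X = Y = 0
        for i in I:
            D, T = self.history[i]
            coeff = prf_index(r, i)                      # f_r'(i)
            X ^= gf_mul(coeff, h(D))
            Y ^= gf_mul(coeff, T)
        return X, Y


def demo():
    """Full run on constructed data; returns (honest_ok, wrong_key_ok, altered_history_ok)."""
    K = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0      # constructed keys, not secret
    Kp = 0x00112233445566778899AABBCCDDEEFF
    device, server = ITSDevice(K, Kp), ITSServer(K)
    readings = [f"lane=2,speed={30 + 5 * i},ts=1522224000{i}".encode() for i in range(1, 9)]
    for i, D in enumerate(readings, start=1):
        server.record(i, D, device.tag(i, D))         # device forwards (D_i, T_i), keeps nothing
    c, I = device.challenge(len(readings))
    honest = device.verify(c, I, *server.respond(c, I))

    wrong_key = ITSServer(K ^ 1)                      # has the history but not the right K
    wrong_key.history = dict(server.history)
    wrong_key_ok = device.verify(c, I, *wrong_key.respond(c, I))

    altered = ITSServer(K)                            # has K but a corrupted history
    altered.history = dict(server.history)
    D, T = altered.history[I[0]]
    altered.history[I[0]] = (D + b"x", T)
    altered_ok = device.verify(c, I, *altered.respond(c, I))
    return honest, wrong_key_ok, altered_ok


if __name__ == "__main__":
    print(demo())
```

The two negative runs in demo() are the two-factor property from the slides: a party holding the full history but not K derives the wrong r' and therefore the wrong coefficients, and a party holding K but a stale or altered history produces an (X, Y) that no longer satisfies the linear check. Because the check is a linear combination over a fresh index set, the prover cannot precompute answers and must actually hold every (D_i, T_i) for i in I at challenge time.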
Features of Our Solution
• Effectively prevents unauthorized remote control of ITS field devices
  – The device remains secure as long as one of the authentication factors is not compromised
• Full automation
  – Supports machine-to-machine authentication without human involvement
• Highly scalable and lightweight for ITS devices with resource constraints
  – Only a small, constant amount of data (two secret keys) needs to be stored on the ITS device
Thank You !
Prof. Jianying Zhou (SUTD)
Email: [email protected]
Thanks to the support from NRF.
Thanks to all the project team members.