HASELNUSS: Hardware-based Security ... - ifev.rz.tu-bs.de


Transcript of HASELNUSS: Hardware-based Security ... - ifev.rz.tu-bs.de

Page 1: HASELNUSS: Hardware-based Security ... - ifev.rz.tu-bs.de

HASELNUSS: Hardware-based Security Platform for Railway Command and Control Systems

Prof. Dr. Stefan Katzenbeisser

Security Engineering Group

TU Darmstadt


Page 2

Motivation

- Digitalization of railway command and control systems
- Use of standardized components and networks
- Higher risk of cyberattacks on interconnected command and control devices
- Regulation of critical infrastructures by national and European law
- Homologation (admission) through the National Safety Authority: may take months to years, but security features may require frequent updates

Page 3

Project Goal

- Develop a hardware-based IT security platform for railway command and control systems
- Multi-layered IT security architecture for enhanced resilience
- Consideration of railway-specific and critical-infrastructure-specific requirements
- Security for safety: no interference
- Implementation of demonstrators to show real-world applicability

[Figure: project work flow with the steps System Definition, Risk Analysis, Attacker Model, Requirements Elicitation]

Page 4

System Definition: Two Application Scenarios

[Figure: the two scenarios Legacy Support and Secure Object Controller (SecOC). Elements shown: Interlocking System (ILS), Object Controller (OC), (Safety) Object Controller, Secure Object Controller, Haselnuss Box, Network, Network Security Enhancer]

- Network Security Enhancer: platform to implement IDS & firewalls
- Secure communication between ILS and field elements

Page 5

Risk analysis (1)

- Use of German prestandard DIN VDE V 0831-104
- Guideline for applying IEC 62443
- Threat-based derivation of requirements

[Figure: system definition with Z.ILS (ILS: Interlocking System), Z.OC (Object Controller (OC)) and Z.MDM (MDM: Maintenance and Data Management System), arranged over the Interlocking Layer, the Network and the Field Element Layer]

Page 6

Risk analysis (2)

- 67 threats were identified
- Attacker capabilities:
  - Resources
  - Knowledge
- Specific mitigation factors:
  - LOC, TRA, EXT

Attacker types:
- Novice or script kiddie
- Cyber punk (fame)
- Hacktivist (e.g., block trains)
- Criminal (no real interest)
- Cyberterrorist (destruction)
- Malware author (e.g., WannaCry)
- Ethical hacker or white hat hacker or researcher
- Black hat hacker (bot-net, etc.)
- Malicious insider (revenge)
- Supplier
- Nation state (control over CI)

Page 7

Security Requirements

- 14 security requirements derived
- Common IT security requirements:
  - Protect software and firmware integrity
  - Confidentiality of cryptographic keys
  - …
- Railway-specific requirements:
  - Obey EN 50159, limit of network latency
  - Physical access protection/detection
  - …

Page 8

Security Architecture (1)

Key features:
- Multiple Independent Levels of Security (MILS) architecture, separation kernel
- Trusted Platform Module, Trusted Software Stack, Remote Attestation
- Anomaly Detection

[Figure: Hardware Platform. Security Kernel with interfaces I/F-1, I/F-2, I/F-3, Secure Boot, Secure Update and Partition/Compartment separation; TPM Software Stack (TSS) 2.0 on TPM 2.0. Security-Functions: Network IDS, FW/Data Filter, Health Monitor, Security Monitor. Safety-Functions: SIL4 Object Controller. EthBus connections]

Page 9

Security Architecture (2)

- MILS: supports the coexistence of untrusted and trusted components, based on verifiable separation mechanisms and controlled information flow.
- Enables modularized evaluation and certification of a complex system.
- Allows the security-critical part of the system to be certified to high assurance levels.
- Separation kernel: separation of applications, information flow control.

[Figure: application plane with Security Apps 2 (IDS, Health Mon, Remote Attestation), Security App 1 (Firewall) and the SIL4 Safety Application (Object Controller)]

Page 10

Trusted Platform Modules (TPMs)

- TPM and TSS 2.0 profiles for railway command and control systems (CCS)
- Technique to verify and assure trustworthiness of CCS components
- Technique to control integrity and detect manipulations
- Authenticated boot

✓ Assure software integrity of CCS components during boot- and runtime
✓ Enable secure identification of CCS components for secure networking
✓ Integrate a hardware security anchor (Trusted Platform Module TPM 2.0) while fulfilling safety requirements
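The authenticated boot and remote attestation described on this slide, as an added example that is not code from the HASELNUSS project: each boot stage is measured into a TPM PCR by hash-chain extend, and a verifier checks a nonce-bound quote against a golden PCR. The HMAC "quote", the attestation key and the image contents are constructed stand-ins (a real TPM 2.0 signs quotes with an asymmetric attestation key).

```python
# Added example, not code from the HASELNUSS project: models the authenticated
# boot above (each stage measured into a TPM PCR) and a remote attestation check
# against a golden PCR. The HMAC "quote" stands in for a TPM's signed quote;
# all images and keys below are constructed sample values.
import hashlib
import hmac

PCR_INIT = bytes(32)  # SHA-256 PCR banks start all-zero after reset

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot_chain(images: list) -> bytes:
    """Each stage hashes the next image and extends it before handing over, so
    the final PCR commits to every image and to their order."""
    pcr = PCR_INIT
    for image in images:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr

def tpm_quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Stand-in for TPM2_Quote: binds the PCR value to the verifier's nonce."""
    return hmac.new(attestation_key, nonce + pcr, hashlib.sha256).digest()

def verify_attestation(reported_pcr: bytes, sig: bytes, nonce: bytes,
                       attestation_key: bytes, golden_pcr: bytes) -> bool:
    """Verifier side: the quote must be valid for this fresh nonce (no replay)
    and the PCR must equal the value expected for the approved software."""
    expected_sig = tpm_quote(reported_pcr, nonce, attestation_key)
    return (hmac.compare_digest(sig, expected_sig)
            and hmac.compare_digest(reported_pcr, golden_pcr))

# Constructed sample boot chain and attestation key (hypothetical values)
GOOD_CHAIN = [b"boot firmware v1", b"separation kernel image", b"SIL4 OC app"]
TAMPERED_CHAIN = [b"boot firmware v1", b"separation kernel image", b"SIL4 OC app+implant"]
AK = b"constructed-attestation-key"
GOLDEN_PCR = measure_boot_chain(GOOD_CHAIN)

def attest(images: list, nonce: bytes) -> bool:
    """Device boots `images` and quotes its PCR for `nonce`; verifier checks."""
    pcr = measure_boot_chain(images)
    return verify_attestation(pcr, tpm_quote(pcr, nonce, AK), nonce, AK, GOLDEN_PCR)

def replay_accepted(images: list, old_nonce: bytes, new_nonce: bytes) -> bool:
    """A quote captured for an earlier nonce is replayed for a new one."""
    pcr = measure_boot_chain(images)
    return verify_attestation(pcr, tpm_quote(pcr, old_nonce, AK), new_nonce, AK, GOLDEN_PCR)
```

Because the PCR is a hash chain, a modified image and a reordered chain both produce a different final value, and the nonce binding rejects a replayed quote.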

Page 11

Anomaly Detection

- Distributed anomaly detection, tailored to signalling networks
- Leverage physical context of train operation:
  - Neighbor relation between field elements
  - Consider train speed
  - Train movement through area
- Training data from real world used to learn the normal communication pattern of field elements

✓ Detect adverse configuration of infrastructure (points, signals)
✓ Detect and exclude source of malicious traffic
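A minimal context-aware detector in the spirit of this slide, as an added example that is not the HASELNUSS project's own detector: the normal command pattern is learned from constructed training records, and each new command is checked against the neighbor relation between field elements, the train's current section and its speed. The track layout, element names, sources and commands are hypothetical.

```python
# Added example, not the HASELNUSS detector: a minimal context-aware anomaly
# check for object-controller commands that uses the neighbor relation between
# field elements, the train's position and its speed, with the normal pattern
# learned from (constructed) training records. Layout, sources and commands
# are hypothetical.
from collections import defaultdict

# Constructed line: track sections in running order and the section each
# field element (P = points, SIG = signal) belongs to.
SECTIONS = ["S1", "S2", "S3", "S4", "S5"]
ELEMENT_SECTION = {"SIG1": "S1", "P1": "S2", "SIG2": "S3", "P2": "S4"}

def section_distance(a: str, b: str) -> int:
    """Neighbor relation: how many sections apart two positions are."""
    return abs(SECTIONS.index(a) - SECTIONS.index(b))

def learn_profile(training: list) -> dict:
    """Learn from normal operation which (element, command) pairs each source
    issues and how far ahead of the train each element is normally commanded.
    Records: (source, element, command, section currently occupied by train)."""
    allowed = defaultdict(set)
    max_dist = defaultdict(int)
    for src, elem, cmd, train_sec in training:
        allowed[src].add((elem, cmd))
        d = section_distance(ELEMENT_SECTION[elem], train_sec)
        max_dist[elem] = max(max_dist[elem], d)
    return {"allowed": dict(allowed), "max_dist": dict(max_dist)}

def classify(profile: dict, src: str, elem: str, cmd: str,
             train_sec: str, speed_kmh: float) -> list:
    """Return alert strings for one command; an empty list means it looks normal."""
    alerts = []
    if (elem, cmd) not in profile["allowed"].get(src, set()):
        alerts.append(f"unlearned command {cmd} to {elem} from source {src}")
    elem_sec = ELEMENT_SECTION[elem]
    if elem.startswith("P") and cmd == "SWITCH" and elem_sec == train_sec and speed_kmh > 0:
        alerts.append(f"{elem} switched under moving train in {train_sec}")
    if section_distance(elem_sec, train_sec) > profile["max_dist"].get(elem, 0):
        alerts.append(f"{elem} commanded unusually far from train at {train_sec}")
    return alerts

def suspicious_sources(profile: dict, events: list) -> set:
    """Sources that raised at least one alert: candidates for exclusion."""
    return {e[0] for e in events if classify(profile, *e)}

# Constructed training records from normal runs: the interlocking (ILS) clears
# signals where the train is and sets points one section ahead of it.
TRAINING = [("ILS", "SIG1", "CLEAR", "S1"), ("ILS", "P1", "SWITCH", "S1"),
            ("ILS", "SIG2", "CLEAR", "S2"), ("ILS", "P2", "SWITCH", "S3"),
            ("ILS", "SIG2", "STOP", "S3")]
PROFILE = learn_profile(TRAINING)
```

With this profile, setting points one section ahead of the train is normal, while switching points under a moving train, commanding an element far from the train, or commands from an unlearned source each raise an alert.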

Page 12

Demonstrator for both use cases

- Core i7, 8 GB RAM
- Safety certification
- Redundant processors
- Redundant Gigabit Ethernet
- Environmental conditions
- TPM 2.0
- Interface to control field elements

[Figure: the two application scenarios from page 4 (Legacy Support and Secure Object Controller)]

Page 13

Testing Facilities: Eisenbahnbetriebsfeld Darmstadt

- 90 km track
- 14 stations
- Scale 1:87 (H0)
- Around 480 controllable signals
- Around 450 controllable points
- Use of real-world protocols: RaSTA, SCI-PM, SCI-LS
- Run test scenarios including attacks

Page 14

Conclusions

HASELNUSS: Hardware-based Security Platform for Railway Command and Control Systems

Key features:
- Safety and security integrated on one platform
- MILS architecture, separation kernel, PikeOS
- Hardware device authentication, remote attestation
- Anomaly detection

Working prototype expected in 2019