HASELNUSS: Hardware-based Security ... - ifev.rz.tu-bs.de
1
HASELNUSS: Hardware-based Security Platform for Railway Command and Control Systems
Prof. Dr. Stefan Katzenbeisser
Security Engineering Group
TU Darmstadt
2
Motivation
§ Digitalization of railway command and control systems
§ Use of standardized components and networks
§ Higher risk of cyberattacks on interconnected command and control devices
§ Regulation of critical infrastructures by national and European law
§ Homologation (admission) through National Safety Authority: may take months to years, but security features may require frequent updates
3
Project Goal
§ Develop a hardware-based IT security platform for railway command and control systems
§ Multi-layered IT security architecture for enhanced resilience
§ Consideration of railway-specific and critical infrastructure-specific requirements
§ Security for safety: no interference
§ Implementation of demonstrators to show real-world applicability
(Figure, project workflow: System Definition, Risk Analysis, Attacker Model, Requirements Elicitation)
4
System Definition: Two Application Scenarios
(Figure labels: Interlocking System (ILS), Object Controller (OC), Haselnuss Box, Legacy Support, Secure Object Controller (SecOC), (Safety) Object Controller, Network, Network Security Enhancer)
§ Network Security Enhancer: platform to implement IDS & firewalls
§ Secure communication between ILS and field elements
5
Risk analysis (1)
§ Use of German prestandard DIN VDE V 0831-104
§ Guideline for applying IEC 62443
§ Threat-based derivation of requirements
(Figure, zone model: zones Z.OC, Z.ILS and Z.MDM spanning the Interlocking Layer, the Network and the Field Element Layer with Object Controllers (OC); ILS: Interlocking System; MDM: Maintenance and Data Management System)
6
Risk analysis (2)
§ 67 threats were identified
§ Attacker capabilities:
§ Resources
§ Knowledge
§ Specific mitigation factors:
§ LOC, TRA, EXT
Attacker types:
§ Novice or script kiddie
§ Cyber punk (fame)
§ Hacktivist (e.g., block trains)
§ Criminal (no real interest)
§ Cyberterrorist (destruction)
§ Malware author (e.g., Wannacry)
§ Ethical hacker or white hat hacker or researcher
§ Black hat hacker (bot-net, etc.)
§ Malicious insider (revenge)
§ Supplier
§ Nation state (control over CI)
7
Security Requirements
§ 14 security requirements derived
§ Common IT security requirements:
  § Protect software and firmware integrity
  § Confidentiality of cryptographic keys
  § …
§ Railway specific requirements:
  § Obey EN 50159, limit of network latency
  § Physical access protection/detection
  § …
8
Security Architecture (1)
Key features:
§ Multiple Independent Levels of Security (MILS) architecture, Separation kernel
§ Trusted Platform Module, Trusted Software Stack, Remote Attestation
§ Anomaly Detection
(Figure, hardware platform: interfaces I/F-1, I/F-2, I/F-3; Security Kernel with Secure Boot and Secure Update; partitions/compartments: TPM Software Stack (TSS) 2.0 on TPM 2.0, Security-Functions (Network IDS, FW/Data Filter, Health Monitor), Safety-Functions (SIL4 Object Controller), Security Monitor; EthBus connections)
9
Security Architecture (2)
§ MILS: supports the coexistence of untrusted and trusted components, based on verifiable separation mechanisms and controlled information flow.
§ Enables modularized evaluation and certification of a complex system.
§ Allows the security critical part of system to be certified to high assurance levels.
§ Separation kernel: separation of applications, information flow control.
(Figure, application plane: Security App 1 (Firewall); Security Apps 2 (IDS, Health Monitor, Remote Attestation); SIL4 Safety Application (Object Controller))
10
Trusted Platform Modules (TPMs)
§ TPM and TSS 2.0 profiles for railway command and control systems (CCS)
§ Technique to verify and assure trustworthiness of CCS components
§ Technique to control integrity and detect manipulations
§ Authenticated boot
✓ Assure software integrity of CCS components during boot- and runtime
✓ Enable secure identification of CCS components for secure networking
✓ Integrate a hardware security anchor (Trusted Platform Module TPM 2.0) while fulfilling safety requirements
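As an added example (not code from the HASELNUSS project), the following Python simulates the authenticated-boot and remote-attestation flow listed above: each boot stage measures the next image into a PCR using the TPM 2.0 extend rule, a quote binds the PCR value to a verifier nonce, and the verifier replays the event log against a known-good reference to name the modified component. The component names and images are constructed sample values, and the HMAC standing in for the TPM's asymmetric attestation signature is an assumption made to keep the example dependency-free.

```python
import hashlib
import hmac
import os

# Constructed boot chain (component name, image bytes); sample values for
# illustration, not HASELNUSS artefacts.
KNOWN_GOOD_CHAIN = [
    ("bootloader", b"bootloader image v1"),
    ("separation-kernel", b"separation kernel image v1"),
    ("safety-partition", b"SIL4 object controller app v1"),
    ("security-partition", b"IDS/firewall app v1"),
]
PCR_SIZE = 32  # SHA-256 PCR bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend rule: PCR_new = H(PCR_old || digest). A PCR can only be
    extended, never set, so its final value summarises the whole boot order."""
    return sha256(pcr + digest)


def measured_boot(chain):
    """Authenticated boot: each stage hashes the next image into the PCR and
    appends the digest to an event log before handing over control."""
    pcr = bytes(PCR_SIZE)  # PCRs are all-zero after reset
    log = []
    for name, image in chain:
        digest = sha256(image)
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR value from the event log alone."""
    pcr = bytes(PCR_SIZE)
    for _name, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def tpm_quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Stand-in for TPM2_Quote: binds the PCR value and the verifier's nonce
    under a device-held key. A real TPM signs with an asymmetric attestation
    key; HMAC is used here (assumption) to keep the example dependency-free."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def verify_attestation(pcr, log, nonce, quote, attestation_key,
                       golden_pcr, golden_log):
    """Verifier side of remote attestation. Returns (ok, reason)."""
    expected = tpm_quote(pcr, nonce, attestation_key)
    if not hmac.compare_digest(expected, quote):
        return False, "quote does not verify (wrong key or replayed nonce)"
    if replay_log(log) != pcr:
        return False, "event log does not replay to the quoted PCR"
    if pcr != golden_pcr:
        golden = dict(golden_log)
        changed = [name for name, digest in log if golden.get(name) != digest]
        return False, f"PCR mismatch, modified components: {changed}"
    return True, "platform state matches reference"


# Reference values the verifier holds for a known-good platform.
GOLDEN_PCR, GOLDEN_LOG = measured_boot(KNOWN_GOOD_CHAIN)

if __name__ == "__main__":
    key = os.urandom(32)    # device attestation key (constructed)
    nonce = os.urandom(16)  # fresh per attestation request
    pcr, log = measured_boot(KNOWN_GOOD_CHAIN)
    print(verify_attestation(pcr, log, nonce, tpm_quote(pcr, nonce, key),
                             key, GOLDEN_PCR, GOLDEN_LOG))
    tampered = list(KNOWN_GOOD_CHAIN)
    tampered[2] = ("safety-partition", b"SIL4 object controller app (modified)")
    pcr, log = measured_boot(tampered)
    print(verify_attestation(pcr, log, nonce, tpm_quote(pcr, nonce, key),
                             key, GOLDEN_PCR, GOLDEN_LOG))
```

The order of the three checks matters: the quote is checked first so that an unauthenticated log is never trusted, the log is replayed so that a device cannot present a clean log next to a tampered PCR, and only then is the PCR compared to the reference so the verifier can report which partition changed.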
11
Anomaly Detection
§ Distributed anomaly detection, tailored to signalling networks
§ Leverage physical context of train operation
  § Neighbor relation between field elements
  § Consider train speed
  § Train movement through area
§ Training data from real world used to learn normal communication pattern of field elements
✓ Detect adverse configuration of infrastructure (points, signals)
✓ Detect and exclude source of malicious traffic
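As an added example (not the project's own detector), the following Python shows the physical-context approach described above on constructed data: the neighbour relation between field elements is learned from a training trace of occupancy reports, and a live trace is then checked for reports from non-adjacent elements and for transitions that imply an impossible train speed; flagged sources are collected for exclusion. The element positions, the 160 km/h limit, the 200 s run separation and the traces are all assumed sample values, not the layout or protocols of the Eisenbahnbetriebsfeld.

```python
from collections import defaultdict

# Constructed line topology: field element id -> position along the line in
# metres (sample values, not a real layout).
POSITION_M = {"S1": 0, "P1": 800, "S2": 1500, "P2": 2300, "S3": 3000}
MAX_SPEED_MPS = 160 / 3.6  # assumed line speed limit of 160 km/h
NEW_RUN_GAP_S = 200        # idle time after which a report starts a new train run

# Constructed training trace of field-element reports: (time_s, element, state),
# two normal train runs, one in each direction.
TRAINING_TRACE = [
    (0, "S1", "occupied"), (40, "P1", "occupied"), (75, "S2", "occupied"),
    (115, "P2", "occupied"), (150, "S3", "occupied"),
    (400, "S3", "occupied"), (435, "P2", "occupied"), (475, "S2", "occupied"),
    (510, "P1", "occupied"), (550, "S1", "occupied"),
]


def occupancy_events(trace):
    return [(t, e) for t, e, state in trace if state == "occupied"]


def learn_neighbors(trace, new_run_gap_s=NEW_RUN_GAP_S):
    """Learn the neighbour relation: which element normally reports occupancy
    right after which. Long idle gaps separate independent train runs."""
    neighbors = defaultdict(set)
    events = occupancy_events(trace)
    for (t0, a), (t1, b) in zip(events, events[1:]):
        if t1 - t0 <= new_run_gap_s:
            neighbors[a].add(b)
    return neighbors


def detect_anomalies(trace, neighbors, new_run_gap_s=NEW_RUN_GAP_S,
                     max_speed_mps=MAX_SPEED_MPS):
    """Check a live trace against the learned neighbour relation and the
    physically possible train speed. Returns a list of (time, source, reason).
    A report that fails a check is not used as the reference for the next one,
    so one spoofed message does not cascade into alerts on honest elements."""
    alerts = []
    last = None
    for t, e in occupancy_events(trace):
        if last is None or t - last[0] > new_run_gap_s:
            last = (t, e)
            continue
        t0, a = last
        if e not in neighbors[a]:
            alerts.append((t, e, f"{e} reported after {a} but is not its neighbour"))
            continue
        dt = t - t0
        speed = abs(POSITION_M[e] - POSITION_M[a]) / dt if dt > 0 else float("inf")
        if speed > max_speed_mps:
            alerts.append((t, e, f"implied speed {speed * 3.6:.0f} km/h "
                                 f"from {a} to {e} exceeds limit"))
            continue
        last = (t, e)
    return alerts


def sources_to_exclude(alerts):
    """Elements whose reports should be quarantined until investigated."""
    return sorted({e for _t, e, _r in alerts})


# Constructed live trace: one normal run plus two injected reports.
LIVE_TRACE = [
    (0, "S1", "occupied"), (40, "P1", "occupied"),
    (42, "S3", "occupied"),  # injected: S3 is not adjacent to P1
    (75, "S2", "occupied"),
    (80, "P2", "occupied"),  # injected: 800 m in 5 s is physically impossible
    (115, "P2", "occupied"), (150, "S3", "occupied"),
]

if __name__ == "__main__":
    model = learn_neighbors(TRAINING_TRACE)
    alerts = detect_anomalies(LIVE_TRACE, model)
    for alert in alerts:
        print(alert)
    print("exclude:", sources_to_exclude(alerts))
```

Both checks use only the physical context (adjacency and distance over time) rather than message contents, which is what lets the detector stay protocol-agnostic and avoids touching the safety path: it only raises alerts and proposes sources to exclude.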
12
Demonstrator for both use cases
§ Core i7, 8 GB RAM
§ Safety certification
§ Redundant processors
§ Redundant Gigabit Ethernet
§ Environmental conditions
§ TPM 2.0
§ Interface to control field elements
13
Testing Facilities: Eisenbahnbetriebsfeld Darmstadt
§ 90 km track
§ 14 stations
§ Scale 1:87 (H0)
§ Around 480 controllable signals
§ Around 450 controllable points
§ Use of real world protocols: RaSTA, SCI-PM, SCI-LS
§ Run test scenarios including attacks
14
Conclusions
HASELNUSS: Hardware-based Security Platform for Railway Command and Control Systems
Key features:
§ Safety and security integrated on one platform
§ MILS Architecture, separation kernel, PikeOS
§ Hardware device authentication, remote attestation
§ Anomaly detection
Working prototype expected in 2019