TÜV SÜD Rail GmbH Slide 1 20.11.2014 Security analysis and assessment of threats in European signalling systems? New Challenges in Railway Operations Dr. Thomas Störtkuhl, Dr. Kai Wollenweber TÜV SÜD Rail Copenhagen, 20 November 2014


TÜV SÜD Rail GmbH Slide 1 20.11.2014

Security analysis and assessment of threats in European signalling systems?
New Challenges in Railway Operations

Dr. Thomas Störtkuhl, Dr. Kai Wollenweber
TÜV SÜD Rail
Copenhagen, 20 November 2014


TÜV SÜD Rail GmbH Slide 2 20.11.2014

Agenda

1 The challenge: Security for Electric Signalling Systems
2 Security Standards
3 Security Analysis using IEC 62443
4 Steps for Security Inspection or Certification
5 Summary


Day-to-day experience with vulnerabilities

General
• No or only a minimum of network segmentation
• Assets are not known, no network plan
• No periodic IT security audits
• No security monitoring
• No or weak processes (e.g. security incident handling)
• Employees with no security skills

Application
• Possibility of attacks (DoS, Cross Site Scripting, code execution)
• Security is not integrated into the development process
• No security tests, incl. 3rd party software
• Incorrect implementation of cryptographic algorithms

Password
• Default passwords
• Weak/trivial passwords
• Passwords in clear text
• Passwords on post-its
• Generic password for user groups
• Root passwords are group passwords for suppliers

TÜV SÜD Rail GmbH Slide 3 20.11.2014


Day-to-day experience with vulnerabilities

Use of Engineering Workstations
• Any accessible interface in the industrial IT infrastructure is used
• The EWS is used in different networks for different customers
• The EWS is often used as a standard computer

Remote Access & Maintenance
• Different suppliers' solutions are implemented and allowed
• No DMZ is implemented for remote access
• Remote access is always enabled and can therefore be used at any time without control
• Group accounts
• Multi-factor authentication is not used

TÜV SÜD Rail GmbH Slide 4 20.11.2014


Day-to-day experience with vulnerabilities

Protocols
• Unprotected communications
• TLS/SSL: use of weak cipher suites
• Wireless communication without authentication and encryption
• Incorrect implementation of cryptographic algorithms

USB-Token
• No regulations for the use of USB tokens
• Uncontrolled USB tokens are used by suppliers
• No virus scanning for USB tokens (not to mention “Bad USB”)

TÜV SÜD Rail GmbH Slide 5 20.11.2014


TÜV SÜD Rail GmbH Slide 6 20.11.2014

80% of Malware cannot be Detected by Anti-Virus Software

Digitization becomes increasingly complex – entry points for attacks grow exponentially


Our Industrial IT Security Services

TÜV SÜD Rail GmbH Slide 7 20.11.2014

Consulting
• Security Management & Organisation
• Threat & Risk Analysis
• IT Security Processes (Development, Operation, Maintenance)
• Technical & Process Audits
• Security Handbook

Testing
• Communication Robustness Testing
• Penetration Testing

Assessment & Certification (DAkkS accredited)
• IT Security Management Systems, Industrial Control Systems & Products
• Process & Product Assessments (Development, Operation, Maintenance)
• Communication Robustness & Penetration Testing Lab



Content and Structure of relevant Security Standards & Guidelines

[Figure: the standards and guidelines below, arranged along a "How" / "What" axis into four groups: Processes; Security Guidelines; Security Objectives / Requirements; Implementation Standards & Guidelines]

Standards and guidelines shown in the figure:
• IEC 62443-2-1, IEC 62443-2-4, IEC 62443-3-2, IEC 62443-3-3, IEC 62443-4-1, IEC 62443-4-2
• DIN VDE V 0831-104
• BSI TR-02102-2: Cryptography: Recommendations and Key Lengths
• FIPS 140-3: Security Requirements for Cryptographic Modules
• „Best Practices“, Coding Standards, …
• EN 50159: Safety; Communication only; No implementation recommendations

TÜV SÜD Rail GmbH Slide 9 20.11.2014


Current status of relevant standards for electric signalling systems

TÜV SÜD Rail GmbH Slide 10 20.11.2014

DIN EN 50159
Railway applications – Communication, signalling and processing systems – Safety-related communication in transmission systems

DIN VDE V 0831-104
Electric signalling systems for railways – Part 104: IT Security Guideline based on IEC 62443

DIN VDE V 0831-102
Electric signalling systems for railways – Part 102: Protection profile for technical functions in railway signalling

They all have in common:
• Focus only on safety-relevant threats
• Internal attackers are out of scope


IEC 62443: Overview

TÜV SÜD Rail GmbH Slide 11 20.11.2014

IEC 62443 Industrial communication networks – Network and system security
(published versions and draft versions; basis for DIN VDE V 0831-104)

General
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics
• 1-4 IACS security lifecycle and use-case

Policies & Procedures
• 2-1 Requirements for an IACS security management system
• 2-2 Implementation guidance for an IACS security management system
• 2-3 Patch management in the IACS environment
• 2-4 Installation and maintenance requirements for IACS suppliers

System
• 3-1 Security technologies for IACS
• 3-2 Security levels for zones and conduits
• 3-3 System security requirements and security levels

Component / Product
• 4-1 Product development requirements
• 4-2 Technical security requirements for IACS components


Threats for an electric Signalling System

TÜV SÜD Rail GmbH Slide 12 20.11.2014



Risk model

Classical risk analysis approach

R = D * F

R  Risk (€ / year)
D  Damage
F  Frequency of Occurrence

TÜV SÜD Rail GmbH Slide 14 20.11.2014

[Risk matrix: Frequency (Frequent, Probable, Minor, Improbable) × Damage (Negligible, Marginal, Critical, Catastrophic)]


Impact of Cyber Security Risks on classical Risk Management Process

TÜV SÜD Rail GmbH Slide 15 20.11.2014

Probabilities for attacks are not available and are difficult or impossible to calculate.
Threat probabilities and the resulting risks are therefore not quantifiable, only qualitatively assessable.
As a result, IEC 62443 and the derived DIN VDE V 0831-104 define the characteristics of an attacker through parameters (skill, means, resources, motivation).

Definition of risk-based Security Levels [IEC 62443-3-3:2013]:

Security Level 1 (SL1)
Prevent the unauthorized disclosure of information via eavesdropping or casual exposure.

Security Level 2 (SL2)
Prevent the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills and low motivation.

Security Level 3 (SL3)
Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, IACS specific skills and moderate motivation.

Security Level 4 (SL4)
Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS specific skills and high motivation.


Approach for Cyber Security Risk Management (DIN VDE V 0831-104)

TÜV SÜD Rail GmbH Slide 16 20.11.2014

Approach for the cyber security risk management (risk = damage x probability)

• Establishing the context: scope definition, structure analysis of the target system, defining risk criteria, protection level based on defined attacker characteristics (e.g. security level)
• Risk identification: identification of all relevant threats with impact on safety
• Risk analysis and evaluation: estimation of damages & attacker characteristics, risk categorization based on defined risk criteria
• Risk treatment: deriving relevant countermeasures to withstand the defined characteristics of an attacker

Prerequisites
• Methodology to estimate the characteristics of an attacker
• Parameters to define characteristics of an attacker
• Threat analysis methodology (e.g. threat modeling, threat catalogue)


Modified Security Risk Matrix

TÜV SÜD Rail GmbH Slide 17 20.11.2014

[Risk matrix: Security Level (SL1 “frequent”, SL2 “probable”, SL3 “minor”, SL4 “improbable”) × Damage (Negligible, Marginal, Critical, Catastrophic); the security level takes the place of the frequency axis of the classical matrix]
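The replacement of the frequency axis by attacker characteristics can be worked through in code. The following is an added example, not part of the slides: it derives the IEC 62443-3-3 security level that an attacker profile corresponds to from the four parameters named on slide 15 (skill, means, resources, motivation), reads that level as the row of the modified matrix (SL1 in the role of “frequent”, SL4 of “improbable”), and classifies a constructed catalogue of the four threats from slide 18. The ordinal scales, the acceptance thresholds, and the damage classes and attacker profiles in the catalogue are assumptions for illustration.

```python
from dataclasses import dataclass

# Ordinal scales for the attacker parameters the slides name (skill, means, resources,
# motivation). Scale values are an assumption; level names follow the quoted SL1..SL4 text.
SKILL = {"none": 0, "generic": 1, "iacs_specific": 2}
MEANS = {"casual": 0, "simple": 1, "sophisticated": 2}
RESOURCES = {"none": 0, "low": 1, "moderate": 2, "extended": 3}
MOTIVATION = {"none": 0, "low": 1, "moderate": 2, "high": 3}
SL_PROFILE = {  # upper bound per (skill, means, resources, motivation) for each SL
    1: (0, 0, 0, 0),  # SL1: casual or coincidental exposure
    2: (1, 1, 1, 1),  # SL2: generic skills, simple means, low resources/motivation
    3: (2, 2, 2, 2),  # SL3: IACS-specific skills, sophisticated means, moderate
    4: (2, 2, 3, 3),  # SL4: as SL3 but extended resources and high motivation
}
DAMAGE = ["negligible", "marginal", "critical", "catastrophic"]

@dataclass(frozen=True)
class Attacker:
    skill: str
    means: str
    resources: str
    motivation: str

def security_level(a: Attacker) -> int:
    """Lowest SL whose profile bounds every parameter of `a`; a mixed profile
    (e.g. generic skills but extended resources) rounds up to the higher SL."""
    vals = (SKILL[a.skill], MEANS[a.means], RESOURCES[a.resources], MOTIVATION[a.motivation])
    for sl, bounds in SL_PROFILE.items():
        if all(v <= b for v, b in zip(vals, bounds)):
            return sl
    return 4  # not reached: the SL4 bounds are the maxima of every scale

def risk_category(damage: str, sl_needed: int) -> str:
    """Cell of the modified matrix: damage class x SL of the weakest attacker able to
    realise the threat (SL1 plays 'frequent', SL4 'improbable'). Thresholds are an ASSUMPTION."""
    score = DAMAGE.index(damage) + (4 - sl_needed)  # 0 (best) .. 6 (worst)
    if score <= 1:
        return "acceptable"
    if score <= 3:
        return "tolerable"
    return "unacceptable"

def needs_treatment(threats: dict) -> list:
    """Risk evaluation over a catalogue {name: (damage, attacker)}: threats needing treatment."""
    return sorted(name for name, (dmg, att) in threats.items()
                  if risk_category(dmg, security_level(att)) == "unacceptable")

# Constructed catalogue with the four threats from the slides; damage classes and
# attacker profiles are illustrative assumptions, not values from the slides.
THREATS = {
    "Malicious Software (1)": ("catastrophic", Attacker("generic", "simple", "low", "low")),
    "Unauthorized access to communication (2)": ("critical", Attacker("none", "casual", "none", "none")),
    "Exploit of vulnerabilities (3)": ("critical", Attacker("iacs_specific", "sophisticated", "extended", "high")),
    "Escalation of access rights (4)": ("marginal", Attacker("generic", "simple", "moderate", "low")),
}

if __name__ == "__main__":
    for name, (dmg, att) in THREATS.items():
        print(f"{name}: SL{security_level(att)} attacker, {dmg} -> {risk_category(dmg, security_level(att))}")
```

With the constructed values, the two threats realisable by SL1/SL2 attackers against critical or catastrophic damage come out as unacceptable and go into risk treatment, while the threat that requires an SL4 attacker is tolerable despite its critical damage class.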


Example: Threats to an Electric Signalling System

TÜV SÜD Rail GmbH Slide 18 20.11.2014

Threat | Short description | IAC UC SI RDF TRE
Malicious Software (1) | Virus, worms, trojans which use vulnerabilities in some software | X X X X X
Unauthorized access to communication (2) | Weak passwords, default passwords used for applications and components, even worse for administration or remote access | X X X
Exploit of vulnerabilities (3) | Development process which does not integrate IT security | X X X
Escalation of access rights (4) | User and rights management has low maturity level | X X X

From IEC 62443-3-3 and DIN VDE V 0831-104:
IAC Identification and Authentication Control
UC Use Control
SI System Integrity
RDF Restricted Data Flow
TRE Timely Response to Events


Example: Threats to an Electric Signalling System

TÜV SÜD Rail GmbH Slide 19 20.11.2014


Example: Threats to an Electric Signalling System

TÜV SÜD Rail GmbH Slide 20 20.11.2014

Threat | Short description | Covered by DIN EN 50159 / IEC 62443-3-3
Malicious Software (1) | Virus, worms, trojans which use vulnerabilities in some software | X
Unauthorized access to communication (2) | Weak passwords, default passwords used for applications and components, even worse for administration or remote access | X X
Exploit of vulnerabilities (3) | Development process which does not integrate IT security | X
Escalation of access rights (4) | User and rights management has low maturity level | X


Example: Threats to an Electric Signalling System

TÜV SÜD Rail GmbH Slide 21 20.11.2014

Threat | Requirement from IEC 62443-3-3 | Covered by DIN EN 50159 / IEC 62443-3-3
Malicious Software (1) | SR 3.2 – Malicious code protection: The control system shall provide the capability to employ protection mechanisms to prevent, detect, report and mitigate the effects of malicious code or unauthorized software. The control system shall provide the capability to update the protection mechanisms. | X
Exploit of vulnerabilities (3) | SR 3.4 – Software and information integrity: The control system shall provide the capability to detect, record, report and protect against unauthorized changes to software and information at rest. | X


Example: Threats to an Electric Signalling System

TÜV SÜD Rail GmbH Slide 22 20.11.2014

Threat | Requirement from IEC 62443-3-3 | Covered by DIN EN 50159 / IEC 62443-3-3
Escalation of access rights (4) | SR 2.1 – Authorization enforcement: On all interfaces, the control system shall provide the capability to enforce authorizations assigned to all human users for controlling use of the control system to support segregation of duties and least privilege. | X
Escalation of access rights (4) | SR 6.2 – Continuous monitoring: The control system shall provide the capability to continuously monitor all security mechanism performance using commonly accepted security industry practices and recommendations to detect, characterize and report security breaches in a timely manner. | X



Identification of Security Requirements on System Level

TÜV SÜD Rail GmbH Slide 24 20.11.2014

[Figure: Electric Signalling System on System level, framed by DIN VDE V 0831-104, with inputs labelled Security Features and Quality / Processes; referenced: IEC 62443-3-3 “Foundational Requirements”, DIN VDE V 0831-102, RAMS lifecycle + IEC 62443-2-4]

Lifecycle: Safety Requirements, Functional / Non-Functional Requirements, Security Requirements → Architecture → Design → Implementation → Verification → Validation → Documentation

Documentation: Security Manual, Security Guidelines

Specification
• Capabilities
• Report, referencing Product Documentation

# | Sec. Req. | SL1 SL2 SL3 SL4
1 | Authentication | X
2 | Confidentiality | X
3 | Error Handling | X



Benefits of IEC 62443

TÜV SÜD Rail GmbH Slide 27 20.11.2014

The benefits of IEC 62443 are:
• Risk-based approach
• Process-oriented
• Combination with other standards possible
• Defined requirements
• Basis for assessment and certification
• Best-practice approach


Status IEC 62443

TÜV SÜD Rail GmbH Slide 28 20.11.2014


Contact

TÜV SÜD Rail GmbH Slide 29 20.11.2014

www.tuev-sued.de/rail

TÜV SÜD Rail GmbH, Barthstr. 16, 80339 Munich, Germany

Dr. Thomas Störtkuhl [email protected]

Phone: +49 89 5791-1930

Fax: +49 89 5791-2933

Dr. Kai Wollenweber [email protected]

Phone: +49 89 5791-3856

Fax: +49 89 5791-2933