TÜV SÜD Rail GmbH Slide 1 20.11.2014
Security analysis and assessment of threats in European signalling systems?
New Challenges in Railway Operations
Dr. Thomas Störtkuhl, Dr. Kai Wollenweber
TÜV SÜD Rail
Copenhagen, 20 November 2014
Agenda
• The challenge: Security for Electric Signalling Systems
• Security Standards
• Security Analysis using IEC 62443
• Steps for Security Inspection or Certification
• Summary
Day-to-day experience with vulnerabilities
General
• No or only a minimum of network segmentation
• Assets are not known, no network plan
• No periodic IT security audits
• No security monitoring
• No or weak processes (e.g. security incident handling)
• Employees with no security skills
Application
• Possibility of attacks (DoS, Cross Site Scripting, code execution)
• Security is not integrated into the development process
• No security tests, incl. 3rd party software
• Incorrect implementation of cryptographic algorithms
Password
• Default passwords
• Weak/trivial passwords
• Passwords in clear text
• Passwords on post-its
• Generic password for user groups
• Root passwords are group passwords for suppliers
Use of Engineering Workstations
• Any accessible interface in the industrial IT infrastructure is used
• The EWS is used in different networks for different customers
• The EWS is often used as a standard computer
Remote Access & Maintenance
• Different solutions of the suppliers are implemented and allowed
• No DMZ is implemented for remote access
• Remote access is always enabled and can therefore be used at any time without control
• Group accounts
• Multi-factor authentication is not used
Protocols
• Unprotected communications
• TLS/SSL: use of weak cipher suites
• Wireless communication without authentication and encryption
• Incorrect implementation of cryptographic algorithms
USB Tokens
• No regulations for the use of USB tokens
• Uncontrolled USB tokens are used by suppliers
• No virus scanning for USB tokens (not to mention "BadUSB")
80% of Malware cannot be Detected by Anti-Virus Software
Digitization becomes increasingly complex – entry points for attacks grow exponentially
Our Industrial IT Security Services
Consulting
• Security Management & Organisation
• Threat & Risk Analysis
• IT Security Processes (Development, Operation, Maintenance)
• Technical & Process Audits
• Security Handbook
Testing
• Communication Robustness Testing
• Penetration Testing
Assessment & Certification (DAkkS accredited)
• IT Security Management Systems, Industrial Control Systems & Products
• Process & Product Assessments (Development, Operation, Maintenance)
Communication Robustness & Penetration Testing Lab
Content and Structure of relevant Security Standards & Guidelines
(Figure: standards arranged along a "How" (process) axis and a "What" (requirements) axis, in the columns Processes, Security Guidelines, Security Objectives / Requirements, and Implementation Standards & Guidelines. Standards shown: IEC 62443-2-1, IEC 62443-2-4, IEC 62443-3-2, IEC 62443-3-3, IEC 62443-4-1, IEC 62443-4-2; DIN VDE V 0831-104; BSI TR-02102-2 (Cryptography: Recommendations and Key Lengths); FIPS 140-3 (Security Requirements for Cryptographic Modules); "Best Practices", Coding Standards, …; EN 50159, annotated "Safety", "Communication only", "No implementation recommendations".)
Current status of relevant standards for electric signalling systems
DIN EN 50159: Railway applications – Communication, signalling and processing systems – Safety-related communication in transmission systems
DIN VDE V 0831-104: Electric signalling systems for railways – Part 104: IT Security Guideline based on IEC 62443
DIN VDE V 0831-102: Electric signalling systems for railways – Part 102: Protection profile for technical functions in railway signalling
They all have in common:
• Focus only on safety-relevant threats
• Internal attackers are out of scope
IEC 62443: Overview
IEC 62443 Industrial communication networks – Network and system security
General
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics
• 1-4 IACS security lifecycle and use-case
Policies & Procedures
• 2-1 Requirements for an IACS security management system
• 2-2 Implementation guidance for an IACS security management system
• 2-3 Patch management in the IACS environment
• 2-4 Installation and maintenance requirements for IACS suppliers
System
• 3-1 Security technologies for IACS
• 3-2 Security levels for zones and conduits
• 3-3 System security requirements and security levels
Component / Product
• 4-1 Product development requirements
• 4-2 Technical security requirements for IACS components
(The original figure distinguishes published versions from draft versions and marks the parts that form the basis for DIN VDE V 0831-104; this marking is not preserved in the extracted text.)
Threats for an Electric Signalling System (figure; no text extracted)
Risk model
Classical risk analysis approach: R = D × F
R  Risk (€ / year)
D  Damage
F  Frequency of Occurrence
Classical risk matrix: rows (frequency) Frequent, Probable, Minor, Improbable; columns (damage) Negligible, Marginal, Critical, Catastrophic. (The cell ratings are colour-coded in the original and were not preserved in the extracted text.)
Impact of Cyber Security Risks on classical Risk Management Process
• Probabilities for attacks are not available and are difficult / impossible to calculate
• Threat probabilities and the resulting risks are not quantifiable, only qualifiable
• As a result, IEC 62443 and the derived DIN VDE V 0831-104 define the characteristics of an attacker through parameters (skill, means, resources, motivation)
Definition of risk-based Security Levels [IEC 62443-3-3:2013]:
Security Level 1 (SL1): Prevent the unauthorized disclosure of information via eavesdropping or casual exposure.
Security Level 2 (SL2): Prevent the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills and low motivation.
Security Level 3 (SL3): Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, IACS specific skills and moderate motivation.
Security Level 4 (SL4): Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS specific skills and high motivation.
Approach for Cyber Security Risk Management (DIN VDE V 0831-104)
Approach for the cyber security risk management (risk = damage × probability)
1 Establishing the context, i.e. scope definition, structure analysis of the target system, defining risk criteria, protection level based on defined attacker characteristics (e.g. security level)
2 Risk identification, i.e. identification of all relevant threats with impact on safety
3 Risk analysis and evaluation, i.e. estimation of damages & attacker characteristics, risk categorization based on defined risk criteria
4 Risk treatment, i.e. deriving relevant countermeasures to withstand the defined characteristics of an attacker
Prerequisites
• Methodology to estimate the characteristics of an attacker
• Parameters to define characteristics of an attacker
• Threat analysis methodology (e.g. threat modeling, threat catalogue)
Modified Security Risk Matrix
Rows (security level, replacing frequency): SL1 ("frequent"), SL2 ("probable"), SL3 ("minor"), SL4 ("improbable"); columns (damage): Negligible, Marginal, Critical, Catastrophic. (The cell ratings are colour-coded in the original and were not preserved in the extracted text.)
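The approach of the preceding slides (damage combined with attacker characteristics instead of a probability, then a qualitative matrix) as an added worked example in Python. This is not code from the presentation or from TÜV SÜD. The SL axis is read here as the level the system's countermeasures achieve, so a lower achieved SL corresponds to the slide's "frequent" row; the ordinal ranking of the four attacker parameters, the damage category assigned to each sample threat and the risk classes in the matrix cells are assumptions constructed for the example (the real cell values follow the operator's risk criteria).

```python
"""Qualitative security risk evaluation in the style of the DIN VDE V 0831-104
approach described on the slides (damage x attacker characteristics instead of
damage x probability).

Added illustration, not code from the presentation or from TUeV SUeD. The
attacker-to-SL mapping paraphrases the SL1..SL4 descriptions quoted from
IEC 62443-3-3; the ordinal ranks, the threat damage categories and the
risk-class cells of the matrix are CONSTRUCTED assumptions for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Damage(IntEnum):
    NEGLIGIBLE = 0
    MARGINAL = 1
    CRITICAL = 2
    CATASTROPHIC = 3


# Ordinal ranks of the four attacker parameters (skill, means, resources,
# motivation). Rank n corresponds to the wording of the SL-n description:
# SL1 = casual exposure, SL2 = generic skills / simple means / low resources
# and motivation, SL3 = IACS-specific skills / sophisticated means / moderate,
# SL4 = extended resources / high motivation. (Constructed ranking.)
_RANK = {
    "skill":      {"none": 1, "generic": 2, "iacs": 3},
    "means":      {"none": 1, "simple": 2, "sophisticated": 3},
    "resources":  {"none": 1, "low": 2, "moderate": 3, "extended": 4},
    "motivation": {"none": 1, "low": 2, "moderate": 3, "high": 4},
}


@dataclass(frozen=True)
class Attacker:
    skill: str
    means: str
    resources: str
    motivation: str


def security_level(attacker: Attacker) -> int:
    """SL a system must reach to withstand this attacker.

    Assumption: the highest-ranked parameter decides (conservative), so an
    attacker with generic skills but high motivation is treated as SL4.
    An unknown parameter value raises KeyError rather than being guessed.
    """
    return max(_RANK[p][getattr(attacker, p)] for p in _RANK)


# Modified security risk matrix: rows = SL achieved by the system (the slide's
# frequency proxy: SL1 "frequent" ... SL4 "improbable"), columns = damage
# (Negligible, Marginal, Critical, Catastrophic). Cell values are constructed.
_RISK_ORDER = ("low", "medium", "high")
RISK_MATRIX = {
    1: ("medium", "high",   "high",   "high"),    # "frequent"
    2: ("low",    "medium", "high",   "high"),    # "probable"
    3: ("low",    "low",    "medium", "high"),    # "minor"
    4: ("low",    "low",    "low",    "medium"),  # "improbable"
}


def risk_class(sl_achieved: int, damage: Damage) -> str:
    """Risk category for a threat of the given damage at the given achieved SL."""
    return RISK_MATRIX[sl_achieved][damage]


def target_security_level(damage: Damage, acceptable: str) -> int:
    """Lowest SL at which the residual risk for this damage is acceptable.

    Raises ValueError when no SL in the matrix suffices: then the damage side
    (a safety measure) must be addressed, not only the attack frequency.
    """
    limit = _RISK_ORDER.index(acceptable)
    for sl in sorted(RISK_MATRIX):
        if _RISK_ORDER.index(risk_class(sl, damage)) <= limit:
            return sl
    raise ValueError(f"no SL in the matrix makes {damage.name} damage acceptable")


def evaluate(threats: dict, withstands: Attacker, acceptable: str = "medium") -> dict:
    """Risk analysis/evaluation and treatment target for a threat list.

    threats: threat name -> Damage; withstands: attacker profile the current
    countermeasures resist. Returns name -> (current risk class, target SL).
    """
    sl_now = security_level(withstands)
    return {
        name: (risk_class(sl_now, dmg), target_security_level(dmg, acceptable))
        for name, dmg in threats.items()
    }


# Constructed sample: the four threats from the slides with assumed damage
# categories; the system currently only withstands a casual attacker (SL1).
SAMPLE_THREATS = {
    "Malicious software (1)": Damage.CATASTROPHIC,
    "Unauthorized access to communication (2)": Damage.CRITICAL,
    "Exploit of vulnerabilities (3)": Damage.CRITICAL,
    "Escalation of access rights (4)": Damage.MARGINAL,
}
CASUAL = Attacker("none", "none", "none", "none")

if __name__ == "__main__":
    for name, (risk, sl_t) in evaluate(SAMPLE_THREATS, CASUAL).items():
        print(f"{name:42s} risk now: {risk:6s} target SL: {sl_t}")
```

The "maximum rank decides" rule is deliberately conservative: it never lets a weak value in one parameter lower the SL that a strong value in another parameter demands. The ValueError path is the case a practitioner should watch for: a catastrophic damage that no achievable security level brings into the acceptable band is a signal that the protection level alone cannot treat the risk.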
Example: Threats to an Electric Signalling System
| Threat | Short description | Foundational requirements marked (IAC, UC, SI, RDF, TRE) |
| Malicious Software (1) | Virus, worms, trojans which use vulnerabilities in some software | all five (X X X X X) |
| Unauthorized access to communication (2) | Weak passwords, default passwords used for applications and components, even worse for administration or remote access | three (X X X) |
| Exploit of vulnerabilities (3) | Development process which does not integrate IT security | three (X X X) |
| Escalation of access rights (4) | User and rights management has low maturity level | three (X X X) |
(For threats 2–4 the extracted text no longer shows which of the five columns carry the marks.)
From IEC 62443-3-3 and DIN VDE V 0831-104:
IAC Identification and Authentication Control
UC Use Control
SI System Integrity
RDF Restricted Data Flow
TRE Timely Response to Events
Example: Threats to an Electric Signalling System
| Threat | Short description | Covered by DIN EN 50159 | Covered by IEC 62443-3-3 |
| Malicious Software (1) | Virus, worms, trojans which use vulnerabilities in some software | | X |
| Unauthorized access to communication (2) | Weak passwords, default passwords used for applications and components, even worse for administration or remote access | X | X |
| Exploit of vulnerabilities (3) | Development process which does not integrate IT security | | X |
| Escalation of access rights (4) | User and rights management has low maturity level | | X |
Example: Threats to an Electric Signalling System
| Threat | Requirement from IEC 62443-3-3 | Covered by DIN EN 50159 | Covered by IEC 62443-3-3 |
| Malicious Software (1) | SR 3.2 – Malicious code protection: The control system shall provide the capability to employ protection mechanisms to prevent, detect, report and mitigate the effects of malicious code or unauthorized software. The control system shall provide the capability to update the protection mechanisms. | | X |
| Exploit of vulnerabilities (3) | SR 3.4 – Software and information integrity: The control system shall provide the capability to detect, record, report and protect against unauthorized changes to software and information at rest. | | X |
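SR 3.4 asks for the capability to detect, record and report unauthorized changes to software and information at rest. As an added illustration of that capability (not code from the presentation, from TÜV SÜD or from the standard itself), here is a baseline integrity check in Python; the directory layout, the file contents and the JSON baseline format are constructed for the example.

```python
"""Integrity baseline check for software and information at rest.

Added illustration of the detect / record / report part of SR 3.4
(IEC 62443-3-3). Not code from the presentation; the directory layout,
sample files and baseline format are constructed for this example.
The "protect against" part of SR 3.4 is an access-control matter
(read-only media, file permissions) and is outside this checker.
"""
import hashlib
import json
import tempfile
from pathlib import Path

HASH = "sha256"


def file_digest(path: Path) -> str:
    """Stream the file through the hash so large binaries do not load into memory."""
    h = hashlib.new(HASH)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_baseline(root: Path) -> dict:
    """Record the digest of every regular file below root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree to the baseline; changes grouped by kind (detect)."""
    current = create_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def report(changes: dict) -> list:
    """One event line per change, in the form a monitoring system would ingest (report)."""
    return [f"INTEGRITY {kind.upper()} {name}"
            for kind, names in changes.items() for name in names]


def demo() -> dict:
    """Self-contained run on a constructed temporary directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "interlocking").write_bytes(b"\x7fELF constructed sample binary")
        (root / "config.ini").write_text("mode=normal\n")
        # "record": the baseline would be written to a signed or read-only store
        baseline_json = json.dumps(create_baseline(root), sort_keys=True)
        # Three kinds of unauthorized change, simulated on the constructed tree
        (root / "config.ini").write_text("mode=maintenance\n")      # modified
        (root / "bin" / "interlocking").unlink()                     # removed
        (root / "bin" / "extra.so").write_bytes(b"dropped-in file")  # added
        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

Two points matter in practice: the baseline has to live where whoever can modify the monitored files cannot also rewrite it (a signed copy or read-only medium), and the event lines are the input that the continuous monitoring demanded by SR 6.2 consumes; detection without a consumer of the report satisfies neither requirement.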
Example: Threats to an Electric Signalling System
| Threat | Requirement from IEC 62443-3-3 | Covered by DIN EN 50159 | Covered by IEC 62443-3-3 |
| Escalation of access rights (4) | SR 2.1 – Authorization enforcement: On all interfaces, the control system shall provide the capability to enforce authorizations assigned to all human users for controlling use of the control system to support segregation of duties and least privilege. | | X |
| Escalation of access rights (4) | SR 6.2 – Continuous monitoring: The control system shall provide the capability to continuously monitor all security mechanism performance using commonly accepted security industry practices and recommendations to detect, characterize and report security breaches in a timely manner. | | X |
Identification of Security Requirements on System Level
(Figure: the RAMS lifecycle of the Electric Signalling System together with IEC 62443-2-4 and DIN VDE V 0831-104, with the two dimensions Quality / Processes and Security Features; on the system level the inputs are IEC 62443-3-3 "Foundational Requirements" and DIN VDE V 0831-102.)
Lifecycle phases: Specification (Safety Requirements + Functional / Non-Functional Requirements + Security Requirements), Architecture, Design, Implementation, Verification, Validation, Documentation (Security Manual, Security Guidelines, …)
Result:
• Capabilities
• Report, referencing Product Documentation
(Example table "# / Sec. Req. / SL1 / SL2 / SL3 / SL4" with the rows 1 Authentication, 2 Confidentiality, 3 Error Handling, each marked at one security level; the marked columns are not recoverable from the extracted text.)
Benefits of IEC 62443
The benefits of IEC 62443 are:
• Risk-based approach
• Process-oriented
• Combination with other standards possible
• Defined requirements
• Basis for assessment and certification
• Best Practice approach
Status IEC 62443 (figure; no text extracted)
Contact
www.tuev-sued.de/rail
TÜV SÜD Rail GmbH Barthstr. 16 80339 Munich Germany
Dr. Thomas Störtkuhl [email protected]
Phone: +49 89 5791-1930
Fax: +49 89 5791-2933
Dr. Kai Wollenweber [email protected]
Phone: +49 89 5791-3856
Fax: +49 89 5791-2933