Joint Safety and Security Analysis for Complex Systems. Sergey Bezzateev, Natalia Voloshina, Petr Sankin


Transcription:

Joint Safety and Security Analysis for Complex Systems. Sergey Bezzateev, Natalia Voloshina, Petr Sankin

Safety vs. Information Security is a hot point of any critical system. 18.05.2013

ERTMS. One of the most critical systems is the European Rail Traffic Management System (ERTMS). It is a major EU industrial project to enhance cross-border interoperability and signalling procurement by creating a single Europe-wide standard for railway signalling, with the final aim of improving the competitiveness of the rail sector.

Safety vs. Security for ERTMS. It is critical to ensure a high level of ERTMS safety. The safety level depends on information security.

Eurobalise Transmission System. A Eurobalise:
1. stores infrastructure data as pre-formatted 'telegrams': position reference, speed limits, line gradient, works on the line, etc.;
2. sends movement authorities and trackside data (telegrams selected by the LEU) to the train when energised by power from the train's antenna.

How does a balise work? [Figure: balise operation; labels visible in the diagram: GSM-R, ETML]

Hazards for Eurobalise. Safety analysis defines the following hazardous events for the balise system in ETCS:
TRANS-BALISE-1 (Corruption): an incorrect balise group message is received by the on-board kernel functions as consistent.
TRANS-BALISE-2 (Deletion): a balise group is not detected by the on-board kernel functions.
TRANS-BALISE-3 (Insertion): an inserted balise group message is received by the on-board kernel functions as consistent.

Hazardous Events for the Balise System in ETCS. The subordinate hazards to TRANS-BALISE are defined as:
EUB-H1: A balise group is not detected, due to failure of a balise group to transmit a detectable signal.
EUB-H4: Transmission of an erroneous telegram interpretable as correct, due to failure within a balise.
EUB-H7: Erroneous localisation of a balise group, with reception of valid telegrams, due to failure within balises (too strong up-link signal).
EUB-H8: The order of reported balises, with reception of valid telegrams, is erroneous due to failure within a balise (too strong up-link signal).
EUB-H9: Erroneous reporting of a balise group in a different track, with reception of valid telegrams, due to failures within balises (too strong up-link signal).
BTM-H1: A balise group is not detected, due to failure within the on-board BTM (Balise Transmission Module) function.
BTM-H4: Transmission to the on-board kernel of an erroneous telegram, interpretable as correct, due to failure within the on-board BTM function.
BTM-H7: Erroneous localisation of a balise group, with reception of valid telegrams, due to failure within the on-board BTM function (erroneous threshold function or significantly excessive tele-powering signal).
BTM-H8: The order of reported balises, with reception of valid telegrams, is erroneous due to failure within the on-board BTM function (erroneous threshold function or significantly excessive tele-powering signal).
BTM-H9: Erroneous reporting of a balise group in a different track, with reception of valid telegrams, due to failure within the on-board BTM function (erroneous threshold function or significantly excessive tele-powering signal).

Fault Tree Analysis. [Figure: fault tree for the balise hazards]

Problems of safety analysis. Currently, safety analysis and information security analysis are carried out separately.

The goal of the research: to find a method for taking information security problems into account during safety analysis, based on existing safety and security standards.

Security Hazards List:
SEC-H1: A balise is not detected, due to the attacker.
SEC-H4: Transmission of an erroneous telegram interpretable as correct, due to the attacker.
SEC-H7: Erroneous localisation of a balise, with reception of a valid telegram, due to the attacker.
SEC-H8: The order of reported balises, with reception of a valid telegram, is erroneous due to the attacker.
SEC-H9: Erroneous reporting of a balise in a different track, with reception of a valid telegram, due to the attacker.

Fault Tree with Security Hazards. Without the implementation of special information security methods, the probability of a successful attack is equal to 1!

Security Module Approach. [Diagram: safety hazards; security module; security hazards of the security module]

Graphical representation of the hazardous events of ETCS. [Figure]

Security Module. [Diagram: safety hazards; security module; security hazards of the security module]

The List of Security Module Hazards:
SMB-H1: A balise group is not detected, due to failure of the security module.
SMB-H4: Transmission of an erroneous telegram interpretable as correct, due to failure of the security module.
SMB-H7: Erroneous localisation of a balise group, with reception of valid telegrams, due to failure of the security module.
SMB-H8: The order of reported balises, with reception of a valid telegram, is erroneous due to failure of the security module.
SMB-H9: Erroneous reporting of a balise group in a different track, with reception of valid telegrams, due to failure of the security module.

Fault Trees with Security Module: Corruption, Deletion. [Figures: fault trees]

Fault Tree for Insertion/Cross Talk: Insertion. [Figure: fault tree]

Example attack on Eurobalise: Insertion. A masquerade attack on a Eurobalise is an integrity security problem.

Security Module of Authentication (SMA), based on LMAP++. [Diagram: safety hazards; SMA; security hazards of SMA]

Hazards List for the Authentication Module (No. / Hazard description / Origin of failure):
Safety hazards of the module:
SMAB-H1: The balise is not detected (origin: module).
SMAB-H2: Wrong authentication (origin: module).
SMAB-H3: Delay (origin: module).
Security hazards of the module:
SMAB-H4: Successful brute force attack (origin: attacker).
SMAB-H5: Successful desynchronization attack (origin: attacker).

FTA for TRANS-BALISE-1 with SMAB. [Fault tree with annotated probabilities: $P \ll 2^{-n}$ and $P \ge 2^{-n}$]

FTA for TRANS-BALISE-2 with SMAB. [Fault tree with annotated probabilities: $P \ll 2^{-n}$ and $P \ge (1/16)^{m-1}$]

FTA for TRANS-BALISE-3 with SMAB. [Fault tree]
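The fault-tree argument of the preceding slides can be reproduced numerically: the attack branch of TRANS-BALISE-1 has probability 1 without a security module and about $2^{-n}$ once an n-bit authentication module (SMAB) must be brute-forced. The following evaluator is an added example, not code from the paper; it assumes independent basic events and uses constructed placeholder probabilities for the safety hazards EUB-H4 and BTM-H4, which the slides do not quantify.

```python
from fractions import Fraction

# Added example (not from the paper): a minimal fault-tree evaluator for the
# TRANS-BALISE-1 top event with and without an authentication security module.
# Assumption: all basic events are statistically independent (standard FTA simplification).

class Event:
    """Basic event with a fixed probability of occurrence."""
    def __init__(self, name, p):
        self.name, self.p = name, Fraction(p)
    def prob(self):
        return self.p

class Gate:
    """AND gate: all inputs occur; OR gate: at least one input occurs."""
    def __init__(self, name, kind, *children):
        self.name, self.kind, self.children = name, kind, children
    def prob(self):
        ps = [c.prob() for c in self.children]
        if self.kind == "AND":
            out = Fraction(1)
            for p in ps:
                out *= p
            return out
        q = Fraction(1)            # OR: 1 - P(no input occurs)
        for p in ps:
            q *= 1 - p
        return 1 - q

def trans_balise_1(secured, n_bits=0):
    """Top-event probability of TRANS-BALISE-1 (corrupted telegram accepted as consistent)."""
    # Constructed placeholder failure probabilities for EUB-H4 and BTM-H4 (the paper gives none).
    safety = Gate("safety failures", "OR", Event("EUB-H4", "1e-9"), Event("BTM-H4", "1e-9"))
    attacker = Event("attacker injects a forged telegram", 1)   # assume an attack is attempted
    if secured:
        # SMAB-H4: brute-forcing an n-bit authentication value succeeds with probability 2^-n
        defeated = Event("SMAB-H4 successful brute force", Fraction(1, 2 ** n_bits))
    else:
        # No security module: a forged but well-formed telegram is always accepted (P = 1)
        defeated = Event("no security module", 1)
    attack = Gate("SEC-H4", "AND", attacker, defeated)
    return Gate("TRANS-BALISE-1", "OR", safety, attack).prob()

def min_tag_bits(target):
    """Smallest n such that 2^-n <= target, i.e. the tag size that keeps SEC-H4 below target."""
    n = 0
    while Fraction(1, 2 ** n) > Fraction(target):
        n += 1
    return n

if __name__ == "__main__":
    print("unsecured:", float(trans_balise_1(False)))
    for n in (4, 32, 64):
        print(f"SMAB with {n}-bit tag:", float(trans_balise_1(True, n)))
    print("tag bits needed for 1e-9:", min_tag_bits("1e-9"))
```

With a short tag (n = 4) the attack branch dominates the top event, while at n = 64 the result is governed by the hardware failure branch, which is the effect the slides describe as raising total system safety.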

Conclusion. It was found that there is no concerted method for developing safe and secure systems using current safety and security standards. The safety standards for ETCS were analyzed, and it was found that they give no consideration to security hazards. It was suggested to add a special Security Module to take security hazards into account in standard fault tree analyses of safety. It was shown that the total level of system safety can be increased by using the Security Module.

Q&A. Thank you for your attention!