
A Cyber-Physical Approach to Securing Urban Transportation Systems - PowerPoint PPT Presentation



  1. A Cyber-Physical Approach to Securing Urban Transportation Systems
     Lead PI: Prof. Jianying Zhou (SUTD)
     SG-CRC’18, 28 March 2018

  2. Urban Transportation System Security
     Cyber-Physical Systems: Transportation, Energy, Water, …
     Transportation: Rail, Auto, Aviation, Maritime → Urban Transportation Systems
     Challenges:
     – Complexity inherent in the cyber-physical nature
     – Deep involvement of humans

  3. Project Framework (diagram; recoverable labels)
     – Model-driven Security Measures
     – Modeling: Modeling with Cyber-Physical Constraints; Model-based Tools for Attack Evaluation & Mitigation; Safety-Security Reconciliation
     – Security Measures: Legacy System Protection; Persistent Access Control; Secure Communications; Adaptive Resilience
     – Case Study: SMRT Integrated Supervisory Control System (ISCS)
     – Human Factors

  4. Selected Security Technologies
     1. ATS log analysis tools (Testing and trial in SMRT)
        – Context-aware ATS log diagnosis tool
        – Ontology-driven alarm prediction tool
     2. Two-factor authentication for ITS devices using historical data
     3. Virtually isolated network
     4. Controllable secure configuration of network devices (Testing and trial in SMRT)
     5. Low-cost location integrity protection for railway systems
     6. SecureRails: an open simulation platform for analysing cyber-physical attacks in railways
     7. Advanced SCADA firewall (Testing and trial in SMRT)

  5. ATS Log Analysis Tools
     • Anomalies in the Automatic Train Supervision (ATS) system
       – The ATS system supervises all important assets in a metro system
       – Asset anomalies are recorded as alarms and mixed with a huge amount of other logs
     • Diagnosis of the alarms
       – Log data is complex and high-dimensional
       – Manual investigation of log data is inefficient and error-prone
     • Prediction of the alarms
       – A metro system has a huge number of assets with various functionalities at different geo-locations
       – It is unrealistic to maintain all assets frequently
       – Alarm prediction is important for preventive maintenance and suggests the priority in which these assets should be maintained

  6. Context-Aware Diagnosis Tool
     • Expedite the diagnosis process
       – Without relying on substantial prior knowledge or an accurate process model of subsystems
     • System context awareness
       – Model the system context by a series of features based on system logs
     • Identify assets and events correlated with target alarms
       – Find out potential causes of the target alarms
     Pipeline (from the slide diagram): Raw Logs (Asset ID, Category, Description, Duration) → Preprocessing → Refined Event Categorization (Asset ID, Refined Category, Duration, Category DT) → System Context Model / Feature Extraction (feature 1, feature 2, …, feature m) → Statistical Correlation Analysis → Correlated Assets/Events (Correlated Asset/event 1, Correlated Asset/event 2, …, Correlated Asset/event n)

  7. Ontology-Driven Alarm Prediction Tool
     • Prediction of alarms for assets
       – Which alarm a given asset A will have, and when
       – Without relying on substantial prior knowledge or an accurate process model of subsystems
     • Ontology-driven modeling
       – Model the behaviors of assets based on ontology information
     • System context and temporal awareness
       – Model the system context by a series of features based on system logs

  8. Current Status of the Tools (Context-Aware Diagnosis Tool, Ontology-Driven Alarm Prediction Tool)
     • The two tools are tested on a real-world ATS log dataset provided by the Circle Line of SMRT
     • The tools will be improved based on the experts’ suggestions and tested on more ATS log datasets

  9. Train Location Integrity Protection: Eurobalise
     • Spot transmission between the on-board Balise Transmission Module (BTM) and the balise
     • Transmits location data via wireless links
     • Uses coding to protect data integrity and detect corruption
     • Widely deployed
       – Europe, China, Australia, Malaysia, Singapore, etc.
       – Vendors: Alstom, Siemens, Thales, etc.

  10. Threats and Challenges
     • Threats to Eurobalise
       – Modification of location data
       – Installation of rogue balises
     • Potential consequences
       – Disruption of train service
       – Passenger alarm (e.g., a sudden stop)
     • Challenges
       – Short telegram, short latency
       – No handshake is allowed, ruling out challenge-response
       – Legacy support (Eurobalise telegrams have a fixed data format and structure)

  11. Low-cost Location Integrity Protection
     Telegram layout (from the slide diagram): Shaped data (913 or 231 bits) | cb (3 bits) | sb (12 bits) | esb (10 bits) | Check bits (85 bits)
     Generate Authentication Tag (sb, S) → Verify Authentication Tag (sb, S)
     • Bind user data to the scrambling bits (sb) and the LFSR key (S)
     • Binding is based on secret keys (k0, k1)
     • Set the authentication tag as (sb, S)

  12. Features of Our Solution
     • Embed a two-level authentication code into the two parameters used for scrambling user data
     • Only a small update to the existing encoding scheme
       – No data expansion or modification to the current telegram format
     • Low-cost and lightweight method to improve the integrity of location data
       – Does not require additional hardware or sensors
       – Resistant to false data injection or data modification
     • Suitable for subway or underground railway systems which rely on passive transponders

  13. Two-Factor Authentication for ITS Devices
     • ITS applies information and communication technologies to transport.
     • Many field devices are deployed as part of the ITS infrastructure.
     • ITS infrastructure is subject to cyber attacks.
     How to secure ITS field devices to provide the first line of defense for the ITS infrastructure?

  14. Historical Data as Authentication Factor: Tag Generation
     Parties (from the slide diagram): ITS Server and ITS Device; Verifier holds (K, K'), Prover holds K; the records (D_1, T_1), (D_2, T_2), …, (D_i, T_i), …, (D_L, T_L) are kept as the history.
     For data $D_i$ the tag is
     $T_i = K \cdot h(D_i) + f_{K'}(i)$
     where h() is a cryptographic hash function and f() is a PRF (pseudorandom function). Arithmetic is in a binary extension field with minimal polynomial:

  15. Historical Data as Authentication Factor: Verification
     With $r' = f_K(c)$ and a challenged index set $I$, the Prover (K), from the records (D_1, T_1), …, (D_L, T_L), computes
     $X = \sum_{i \in I} f_{r'}(i) \cdot h(D_i)$ and $Y = \sum_{i \in I} f_{r'}(i) \cdot T_i$
     The Verifier (K, K') checks
     $Y \stackrel{?}{=} K \cdot X + \sum_{i \in I} f_{r'}(i) \cdot f_{K'}(i)$
     • Verification only needs K, K', r', I; there is no need to store $D_i$ and $T_i$
     • To generate (X, Y), the Prover must have knowledge of all $D_i$ and $T_i$, $i \in I$
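The tag generation and the challenge exchange of slides 14 and 15, as an added example that is not code from the slides or the project. The slides do not name the field polynomial, h() or f(), so this block assumes the GCM polynomial x^128 + x^7 + x^2 + x + 1, SHA-256 for h() and HMAC-SHA256 for f(), both truncated to 128 bits; the keys and records are constructed.

```python
# Added example, not from the slides: historical-data authentication of
# slides 14-15 over GF(2^128). Assumed (the slides omit them): polynomial
# x^128+x^7+x^2+x+1, h = SHA-256 and f_k = HMAC-SHA256, both cut to 128 bits.
import hashlib, hmac
POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1 (assumed)

def gf_mul(a: int, b: int) -> int:   # carry-less multiply mod POLY; "+" is XOR
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (POLY if a >> 127 else 0), b >> 1
    return r

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()[:16]

def f(key: bytes, i: int) -> int:   # f_key(i) as a field element
    return int.from_bytes(prf(key, i.to_bytes(8, "big")), "big")

def h(data: bytes) -> int:          # h(D_i) as a field element
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def gen_tag(K: int, K2: bytes, i: int, D_i: bytes) -> int:
    """Tag at data time: T_i = K * h(D_i) + f_{K'}(i) (K2 stands for K')."""
    return gf_mul(K, h(D_i)) ^ f(K2, i)

def prove(K: int, records: dict, c: bytes, I: list) -> tuple:
    """Prover (holds K and the records i -> (D_i, T_i)): (X, Y) over index set I."""
    r2 = prf(K.to_bytes(16, "big"), c)   # r' = f_K(c)
    X = Y = 0
    for i in I:
        D_i, T_i = records[i]
        X ^= gf_mul(f(r2, i), h(D_i))
        Y ^= gf_mul(f(r2, i), T_i)
    return X, Y

def verify(K: int, K2: bytes, c: bytes, I: list, X: int, Y: int) -> bool:
    """Verifier (holds K, K') needs only r' and I: Y == K*X + sum f_r'(i)*f_K'(i)."""
    r2 = prf(K.to_bytes(16, "big"), c)
    expected = gf_mul(K, X)
    for i in I:
        expected ^= gf_mul(f(r2, i), f(K2, i))
    return expected == Y

def demo() -> tuple:   # constructed keys/records; second run tampers with D_3
    K, K2 = int.from_bytes(b"\x01" * 16, "big"), b"\x02" * 16
    data = [b"speed=40", b"speed=42", b"door=open", b"temp=31"]
    records = {i: (d, gen_tag(K, K2, i, d)) for i, d in enumerate(data, 1)}
    c, I = b"challenge-0001", [1, 3]
    ok = verify(K, K2, c, I, *prove(K, records, c, I))
    records[3] = (b"door=shut", records[3][1])
    return ok, verify(K, K2, c, I, *prove(K, records, c, I))
```

The second verification fails because a changed D_3 moves X while the stored T_3 keeps Y fixed, so the prover cannot pass without the genuine history.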

  16. Features of Our Solution
     • Effectively prevents unauthorized remote control of ITS field devices
       – The device is secure as long as one of the authentication factors is not compromised
     • Full automation
       – Supports machine-to-machine authentication without human involvement
     • Highly scalable and lightweight for various ITS devices with resource constraints
       – Only a small and constant amount of data (two secret keys) needs to be stored on the ITS device

  17. Thank You!
     Prof. Jianying Zhou (SUTD)
     Email: jianying_zhou@sutd.edu.sg
     Thanks to the support from NRF. Thanks to all the project team members.
