A Cyber-Physical Approach to Securing Urban Transportation Systems
Lead PI: Prof. Jianying Zhou (SUTD)
SG-CRC'18, 28 March 2018
Urban Transportation System Security
• Cyber-Physical Systems: Transportation, Energy, Water, …
• Transportation: Rail, Auto, Aviation, Maritime
• Focus: Urban Transportation Systems
• Challenges:
– Complexity inherent in the cyber-physical nature
– Deep involvement of humans
Project Framework
• Modeling: Legacy System Protection; Modeling with Cyber-Physical Constraints & Persistent Access Control
• Model-driven Security Measures
• Model-based Tools for Resilience Evaluation & Mitigation: Integrated Supervisory Control System (ISCS); Adaptive Attack; Safety-Security Reconciliation
• Case Study: Human Factors; Secure Communications; SMRT
Selected Security Technologies
1. ATS log analysis tools (testing and trial in SMRT)
– Context-aware ATS log diagnosis tool
– Ontology-driven alarm prediction tool
2. Two-factor authentication for ITS devices using historical data
3. Virtually isolated network
4. Controllable secure configuration of network devices (testing and trial in SMRT)
5. Low-cost location integrity protection for railway systems
6. SecureRails: an open simulation platform for analysing cyber-physical attacks in railways
7. Advanced SCADA firewall (testing and trial in SMRT)
ATS Log Analysis Tools
• Anomalies in the Automatic Train Supervision (ATS) system
– The ATS system supervises all important assets in a metro system
– Asset anomalies are recorded as alarms and mixed with a huge amount of other logs
• Diagnosis of the alarms
– Log data is complex and high-dimensional
– Manual investigation of log data is inefficient and error-prone
• Prediction of the alarms
– There is a huge number of assets with various functionalities at different geo-locations in a metro system
– It is unrealistic to maintain all assets frequently
– Alarm prediction is important for preventive maintenance and suggests the priority in which assets should be maintained
Context-Aware Diagnosis Tool
• Expedite the diagnosis process
– Without relying on substantial prior knowledge or an accurate process model of subsystems
• System context awareness
– Model system context by a series of features based on system logs
• Identify assets and events correlated with target alarms
– Find out potential causes of the target alarms
Processing pipeline (from the slide diagram): Raw logs (Asset ID, Category, Description, Duration) → Preprocessing → Refined event categorization (Asset ID, Refined Category, Duration, Category DT) → System context model / feature extraction (feature 1, feature 2, …, feature m) → Statistical correlation analysis → Correlated assets/events (asset/event 1, asset/event 2, …, asset/event n)
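The slide names the pipeline but not the statistics the tool uses, so the following is an added illustration, not the project's code: constructed ATS-style log lines are bucketed into fixed time windows, each window becomes a binary feature vector of (asset, category) events, and the phi coefficient between each feature and the target alarm ranks candidate causes. The log lines, asset IDs, categories and the 5-minute window are all invented for the example.

```python
import math
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <asset ID> <event category>".
# Invented for this example; not real ATS data.
SAMPLE_LOG = """\
2018-03-01T08:00:05 PSU-03 VOLTAGE_DIP
2018-03-01T08:00:40 TRN-12 TRACTION_FAULT
2018-03-01T08:03:10 PSD-07 DOOR_OBSTRUCTION
2018-03-01T08:10:02 PSU-03 VOLTAGE_DIP
2018-03-01T08:10:55 TRN-12 TRACTION_FAULT
2018-03-01T08:14:00 SIG-21 ROUTE_SET
2018-03-01T08:20:30 PSD-07 DOOR_OBSTRUCTION
2018-03-01T08:25:00 SIG-21 ROUTE_SET
2018-03-01T08:30:11 PSU-03 VOLTAGE_DIP
2018-03-01T08:30:50 TRN-12 TRACTION_FAULT
2018-03-01T08:35:00 SIG-21 ROUTE_SET
2018-03-01T08:41:00 PSD-07 DOOR_OBSTRUCTION
"""

TARGET_ALARM = ("TRN-12", "TRACTION_FAULT")   # the alarm being diagnosed


def parse_log(text):
    """Preprocessing: one (timestamp, asset, category) tuple per log line."""
    events = []
    for line in text.strip().splitlines():
        ts, asset, category = line.split()
        events.append((datetime.fromisoformat(ts), asset, category))
    return events


def window_features(events, window_minutes=5):
    """System context model: one feature set per clock-aligned time window.
    A feature is an (asset, category) pair observed inside the window."""
    width = timedelta(minutes=window_minutes)
    first = min(e[0] for e in events).replace(second=0, microsecond=0)
    start = first - timedelta(minutes=first.minute % window_minutes)
    end = max(e[0] for e in events)
    windows = [set() for _ in range(int((end - start) // width) + 1)]
    for ts, asset, category in events:
        windows[int((ts - start) // width)].add((asset, category))
    return windows


def phi_coefficient(windows, feature, target):
    """Correlation between two binary features over the windows (2x2 contingency)."""
    a = b = c = d = 0   # both, feature only, target only, neither
    for w in windows:
        f, t = feature in w, target in w
        if f and t:
            a += 1
        elif f:
            b += 1
        elif t:
            c += 1
        else:
            d += 1
    denom = math.sqrt((a + b) * (c + d) * (a + c) * (b + d))
    return 0.0 if denom == 0 else (a * d - b * c) / denom


def correlated_events(log_text, target, window_minutes=5):
    """Rank every other asset/event by its correlation with the target alarm."""
    windows = window_features(parse_log(log_text), window_minutes)
    features = {f for w in windows for f in w} - {target}
    return sorted(((phi_coefficient(windows, f, target), f) for f in features), reverse=True)


if __name__ == "__main__":
    for score, (asset, category) in correlated_events(SAMPLE_LOG, TARGET_ALARM):
        print(f"{score:+.2f}  {asset} {category}")
```

On the constructed log, PSU-03 VOLTAGE_DIP appears in exactly the windows that contain the traction fault and scores +1.00, while the door and route events score 0.00; a real deployment would use far more windows and treat the ranking as a lead for an engineer, not a root cause.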
Ontology-Driven Alarm Prediction Tool
• Prediction of alarms for assets
– When a given asset A will have which alarm
– Without relying on substantial prior knowledge or an accurate process model of subsystems
• Ontology-driven modeling
– Model behaviors of assets based on ontology information
• System context and temporal awareness
– Model system context by a series of features based on system logs
Current Status of the Tools (Context-Aware Diagnosis Tool, Ontology-Driven Alarm Prediction Tool)
• The two tools are tested on a real-world ATS log dataset provided by the Circle Line of SMRT
• The tools will be improved based on the experts' suggestions and tested on more ATS log datasets
Train Location Integrity Protection
• Eurobalise
– Spot transmission between the on-board Balise Transmission Module (BTM) and the balise
– Transmits location data via wireless links
– Uses coding to protect data integrity and detect corruption
• Widely deployed
– Europe, China, Australia, Malaysia, Singapore, etc.
– Vendors: Alstom, Siemens, Thales, etc.
(Diagram: balise mounted on the track)
Threats and Challenges
• Threats to Eurobalise
– Modification of location data
– Installation of rogue balises
• Potential consequences
– Disruption of train service
– Passenger alarm (e.g., sudden stop)
• Challenges
– Short telegram, short latency
– No handshake is allowed, ruling out challenge-response
– Legacy support (Eurobalise telegrams have a fixed data format and structure)
Low-cost Location Integrity Protection
Telegram layout (from the slide diagram): Shaped data (913 or 231 bits) | cb (3 bits) | sb (12 bits) | esb (10 bits) | Check bits (85 bits)
Balise side: Generate Authentication Tag (sb, S); train side: Verify Authentication Tag (sb, S)
• Bind user data to the scrambling bits (sb) and the LFSR key (S)
• Binding is based on secret keys (k0, k1)
• Set the authentication tag as (sb, S)
Features of Our Solution
• Embed a two-level authentication code into the two parameters used for scrambling user data
• Only a small update to the existing encoding scheme
– No data expansion or modification to the current telegram format
• Low-cost and lightweight method to improve the integrity of location data
– Does not require additional hardware or sensors
– Resistant to false data injection or data modification
• Suitable for subway or underground railway systems which rely on passive transponders
Two-Factor Authentication for ITS Devices
• ITS applies information and communication technologies to transport.
• Many field devices are deployed as part of the ITS infrastructure.
• ITS infrastructure is subject to cyber attacks.
How to secure ITS field devices to provide the first line of defense for the ITS infrastructure?
Historical Data as Authentication Factor: Tag Generation for Data
Roles: Verifier = ITS server, holding (K, K'); Prover = ITS device, holding K and storing the data/tag pairs (D_1, T_1), (D_2, T_2), …, (D_i, T_i), …, (D_L, T_L)
Tag for data D_i: T_i = K · h(D_i) + f_K'(i)
h(): a cryptographic hash function
f(): a PRF (Pseudorandom Function)
Arithmetic in a binary extension field with minimal polynomial:
Historical Data as Authentication Factor: Verification
Roles: Verifier = ITS server, holding (K, K'); Prover = ITS device, holding K and the stored pairs (D_1, T_1), …, (D_L, T_L)
• For a challenge c and an index set I, both sides derive r' = f_K(c)
• Prover computes X = Σ_{i ∈ I} f_r'(i) · h(D_i) and Y = Σ_{i ∈ I} f_r'(i) · T_i
• Verifier checks Y =? K · X + Σ_{i ∈ I} f_r'(i) · f_K'(i)
• Verification only needs K, K', r', I; there is no need to store D_i and T_i on the verifier
• To generate (X, Y), the Prover must have knowledge of all D_i and T_i for i ∈ I
Features of Our Solution
• Effectively prevents unauthorized remote control of ITS field devices
– The device is secure as long as one of the authentication factors is not compromised
• Full automation
– Supports machine-to-machine authentication without human involvement
• Highly scalable and lightweight for various ITS devices with resource constraints
– Only a small and constant amount of data (two secret keys) needs to be stored on the ITS device
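The tag-generation and verification slides above give the equations but not the concrete primitives, so this is an added, self-contained implementation of the exchange, not the project's code. The assumptions are mine: the field is GF(2^128) reduced by x^128 + x^7 + x^2 + x + 1 (the slides leave the minimal polynomial unstated), h() is SHA-256 truncated to 128 bits, f() is HMAC-SHA256 truncated to 128 bits, and the sample records are constructed strings. The run also shows the property claimed on this slide: a party holding K but not the genuine history (one record altered) fails verification.

```python
import hashlib
import hmac
import secrets

# Field parameters (assumption, not from the slides): GF(2^128) with the GCM polynomial.
FIELD_BITS = 128
REDUCTION_POLY = (1 << 128) | 0x87      # x^128 + x^7 + x^2 + x + 1


def gf_mul(a, b):
    """Multiply in GF(2^128): carry-less multiply with on-the-fly reduction.
    Field addition is XOR, so every '+' in the slide formulas is '^' below."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> FIELD_BITS:
            a ^= REDUCTION_POLY
    return result


def h(data):
    """h(): cryptographic hash of a record mapped to a field element (assumed SHA-256)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def prf(key, x):
    """f_key(x): PRF from an index or challenge to a field element (assumed HMAC-SHA256)."""
    mac = hmac.new(key.to_bytes(16, "big"), x.to_bytes(16, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:16], "big")


class ItsServer:
    """Verifier: holds (K, K'). Tags records at provisioning and keeps no D_i or T_i."""

    def __init__(self, K=None, K_prime=None):
        self.K = K if K is not None else secrets.randbits(FIELD_BITS)
        self.K_prime = K_prime if K_prime is not None else secrets.randbits(FIELD_BITS)

    def tag(self, i, D_i):
        return gf_mul(self.K, h(D_i)) ^ prf(self.K_prime, i)      # T_i = K*h(D_i) + f_K'(i)

    def challenge(self):
        return secrets.randbits(FIELD_BITS)                        # fresh c per run

    def verify(self, c, I, X, Y):
        r = prf(self.K, c)                                         # r' = f_K(c)
        expected = gf_mul(self.K, X)                               # K*X
        for i in I:
            expected ^= gf_mul(prf(r, i), prf(self.K_prime, i))    # + sum f_r'(i)*f_K'(i)
        return expected == Y


class ItsDevice:
    """Prover: holds K (factor 1) and the tagged history (factor 2)."""

    def __init__(self, K, records):
        self.K = K
        self.records = records          # i -> (D_i, T_i)

    def respond(self, c, I):
        r = prf(self.K, c)
        X = Y = 0
        for i in I:
            D_i, T_i = self.records[i]
            coeff = prf(r, i)                                      # f_r'(i)
            X ^= gf_mul(coeff, h(D_i))                             # X = sum f_r'(i)*h(D_i)
            Y ^= gf_mul(coeff, T_i)                                # Y = sum f_r'(i)*T_i
        return X, Y


def provision(server, history):
    """Server tags D_1..D_L once; the device stores the (D_i, T_i) pairs."""
    return {i: (D_i, server.tag(i, D_i)) for i, D_i in enumerate(history, start=1)}


def run_protocol(corrupt_index=None):
    """One full exchange on constructed records. With corrupt_index set, the device's copy of
    that record is altered, modelling a party that knows K but not the genuine history."""
    server = ItsServer()
    history = [f"sensor-reading-{n}".encode() for n in range(1, 11)]   # constructed D_1..D_10
    records = provision(server, history)
    if corrupt_index is not None:
        D_i, T_i = records[corrupt_index]
        records[corrupt_index] = (D_i + b"!", T_i)
    device = ItsDevice(server.K, records)
    c, I = server.challenge(), [2, 5, 7, 10]                           # sampled index set
    X, Y = device.respond(c, I)
    return server.verify(c, I, X, Y)


if __name__ == "__main__":
    print("honest device accepted:", run_protocol())
    print("device with altered record 5 accepted:", run_protocol(corrupt_index=5))
```

The check passes because Y = Σ f_r'(i)·(K·h(D_i) + f_K'(i)) = K·X + Σ f_r'(i)·f_K'(i) by linearity in the field; altering one D_i shifts X by f_r'(i)·(h(D_i') + h(D_i)) while Y stays fixed, so the equation fails unless K or that difference is zero.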
Thank You!
Prof. Jianying Zhou (SUTD)
Email: jianying_zhou@sutd.edu.sg
Thanks to the support from NRF. Thanks to all the project team members.