A Cyber-Physical Approach to Securing Urban ...securify.sce.ntu.edu.sg/SGCRC2018/slides/SG-CRC...

A Cyber-Physical Approach to Securing Urban Transportation Systems Lead PI: Prof. Jianying Zhou (SUTD) SG-CRC’18, 28 March 2018

Page 1:

A Cyber-Physical Approach to Securing Urban Transportation Systems

Lead PI: Prof. Jianying Zhou (SUTD)

SG-CRC’18, 28 March 2018

Page 2:

Urban Transportation System Security

Cyber-Physical Systems: Transportation, …, Energy, Water

Transportation: Rail, Auto, Aviation, Maritime

Urban Transportation Systems

Challenges:
• Complexity inherent in the cyber-physical nature
• Deep involvement of humans

Page 3:

Project Framework

Modeling with Cyber-Physical Constraints & Human Factors

Model-based Tools for Resilience Evaluation & Safety-Security Reconciliation

Modeling

Legacy System Protection

Model-driven Security Measures

Adaptive Attack Mitigation

Persistent Access Control

Secure Communications

SMRT

Integrated Supervisory Control System (ISCS)

Case Study

Page 4:

Selected Security Technologies

1. ATS log analysis tools (Testing and trial in SMRT)
   – Context-aware ATS log diagnosis tool
   – Ontology-driven alarm prediction tool
2. Two-factor authentication for ITS devices using historical data
3. Virtually isolated network
4. Controllable secure configuration of network devices (Testing and trial in SMRT)
5. Low-cost location integrity protection for railway systems
6. SecureRails: an open simulation platform for analysing cyber-physical attacks in railways
7. Advanced SCADA firewall (Testing and trial in SMRT)

Page 5:

ATS Log Analysis Tools

• Anomalies in Automatic Train Supervision (ATS) system
  - ATS system supervises all important assets in a metro system
  - Asset anomalies are recorded as alarms and mixed with a huge amount of other logs
• Diagnosis of the alarms
  - Log data is complex and high-dimensional
  - Manual investigation into log data is inefficient and error-prone
• Prediction of the alarms
  - There are a huge number of assets with various functionalities at different geo-locations in a metro system
  - It is unrealistic to maintain all assets frequently
  - Alarm prediction is important for preventive maintenance and provides suggestions on the priority of these assets to be maintained

Page 6:

Context-Aware Diagnosis Tool

[Figure: log processing pipeline. Labels: Raw Logs; Preprocessing; Refine Event Categorization; Model System Context; Feature vector Extraction; Analyze Correlation; Statistical analysis; Correlated Assets/Events. Record layouts shown: (Asset ID, Category, Description, Duration); (Asset ID, Category, Refined Category, DT, Duration); (feature1, feature2, …, featurem); (Correlated Asset/event1, Correlated Asset/event2, …, Correlated Asset/eventn).]

• Expedite diagnosis process
  – Without relying on substantial prior knowledge or accurate process model of subsystems
• System context awareness
  – Model system context by a series of features based on system logs
• Identify assets and events correlated with target alarms
  – Find out potential causes of the target alarms

Page 7:

Ontology-Driven Alarm Prediction Tool

• Prediction of alarms for assets
  – Predict when a given asset A will have which alarm
  – Without relying on substantial prior knowledge or accurate process model of subsystems
• Ontology-driven modeling
  – Model behaviors of assets based on ontology information
• System context and temporal awareness
  – Model system context by a series of features based on system logs

Page 8:

Current Status of the Tools

[Figures: Context-Aware Diagnosis Tool; Ontology-Driven Alarm Prediction Tool]

• The two tools are tested on a real-world ATS log dataset provided by Circle Line of SMRT
• The tools will be improved based on the experts’ suggestions and tested on more ATS log datasets

Page 9:

Train Location Integrity Protection

Eurobalise Spot Transmission
• Between on-board Balise Transmission Module (BTM) and balise
• Transmit location data via wireless links
• Use coding to protect data integrity and detect corruption
• Widely deployed
  – Europe, China, Australia, Malaysia, Singapore, etc.
  – Vendors: Alstom, Siemens, Thales, etc.

[Figure labels: balise; Track]

Page 10:

Threats and Challenges

• Threats to Eurobalise
  – Modification of location data
  – Installation of rogue balises
• Potential consequences
  – Disruptions of train service
  – Passenger alarm (e.g., sudden stop)
• Challenges
  – Short telegram, short latency
  – No hand-shake is allowed, ruling out challenge-response
  – Legacy support (Eurobalise telegrams have fixed data format and structure)

Page 11:

Low-cost Location Integrity Protection

• Bind user data to scrambling bits (sb) and LFSR key (S)
• Binding is based on secret keys (k0, k1)
• Set authentication tag as (sb, S)

Telegram fields: Shaped data (913 or 231 bits) | cb (3 bits) | sb (12 bits) | esb (10 bits) | Check bits (85 bits)

[Figure labels: Generate Authentication Tag (sb, S); Verify Authentication Tag (sb, S)]

Page 12:

Features of Our Solution

• Embed two-level authentication code into two parameters used for scrambling user data
• Only small update to existing encoding scheme
  - No data expansion or modification to current telegram format
• Low-cost and lightweight method to improve integrity of location data
  - Does not require additional hardware or sensors
  - Resistant to false data injection or data modification
• Suitable for subway or underground railway systems which rely on passive transponders

Page 13:

Two-Factor Authentication for ITS Devices

• ITS applies information and communication technologies to transport.
• Many field devices are deployed as a part of the ITS infrastructure.
• ITS infrastructure is subject to cyber attacks.

How to secure ITS field devices to provide the first line of defense to the ITS infrastructure?

Page 14:

Historical Data as Authentication Factor: Tag Generation for Data

Tag: $T_i = K \cdot h(D_i) + f_{K'}(i)$

h(): a cryptographic hash function
f(): a PRF (Pseudorandom Function)

Arithmetic in binary extension field with minimal polynomial:

[Figure labels: ITS Device; ITS Server; Verifier; Prover; (K, K’); (K); Data $D_i$; stored pairs $(D_1, T_1), (D_2, T_2), \ldots, (D_i, T_i), \ldots, (D_L, T_L)$]

Page 15:

Historical Data as Authentication Factor: Verification

$r' = f_K(c)$

$X = \sum_{i \in I} f_{r'}(i) \cdot h(D_i)$

$Y = \sum_{i \in I} f_{r'}(i) \cdot T_i$

To generate (X, Y), Prover must have knowledge of all $D_i$ and $T_i$

$Y \stackrel{?}{=} K \cdot X + \sum_{i \in I} f_{r'}(i) \cdot f_{K'}(i)$

Verify: Verification only needs K, K’, r’, I. No need to store $D_i$ and $T_i$

[Figure labels: Verifier; Prover; (K, K’); (K); stored pairs $(D_1, T_1), (D_2, T_2), \ldots, (D_i, T_i), \ldots, (D_L, T_L)$]
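
The tag and verification equations from Pages 14 and 15, written out as an added Python example that is not taken from the slides or from the project's code. The slides do not give the field, hash or PRF, so these are assumptions: GF(2^128) reduced by x^128 + x^7 + x^2 + x + 1, h as SHA-256 truncated to 128 bits, f as HMAC-SHA256, an integer challenge c, and all function names.

```python
import hashlib, hmac

# Assumed parameters (the slide does not give them): GF(2^128) reduced by
# x^128 + x^7 + x^2 + x + 1, h = SHA-256 cut to 128 bits, f = HMAC-SHA256.
POLY = (1 << 128) | 0x87

def gf_mul(a, b):
    """Multiply two field elements (ints below 2^128)."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= POLY
    return out

def h(data):
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def f(key, i):
    """PRF keyed with bytes, evaluated on integer i, giving a field element."""
    mac = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:16], "big")

def elem(key):
    return int.from_bytes(key, "big")

def make_tag(K, K2, i, D):
    # T_i = K*h(D_i) + f_K'(i); addition in a binary field is XOR
    return gf_mul(elem(K), h(D)) ^ f(K2, i)

def derive_r(K, c):
    # r' = f_K(c), re-encoded as bytes so it can key f for the coefficients
    return f(K, c).to_bytes(16, "big")

def prove(store, r, I):
    # Prover side: every challenged (D_i, T_i) is needed to build X and Y
    X = Y = 0
    for i in I:
        D, T = store[i]
        X ^= gf_mul(f(r, i), h(D))
        Y ^= gf_mul(f(r, i), T)
    return X, Y

def verify(K, K2, r, I, X, Y):
    # Verifier side: keys, r' and I only; no D_i or T_i are stored
    mask = 0
    for i in I:
        mask ^= gf_mul(f(r, i), f(K2, i))
    return Y == gf_mul(elem(K), X) ^ mask
```

Replacing any challenged D_i while keeping its old tag changes X but not Y, so `verify` returns False for that response.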

Page 16:

Features of Our Solution

• Effectively prevent unauthorized remote control of ITS field devices
  - Device is secure as long as one of the authentication factors is not compromised
• Fully automated
  - Support machine-to-machine authentication without human involvement
• Highly scalable and lightweight for various ITS devices with resource constraints
  - Only a small and constant amount of data (two secret keys) needs to be stored on ITS device

Page 17:

Thank You !

Prof. Jianying Zhou (SUTD)

Email: [email protected]

Thanks to the support from NRF.

Thanks to all the project team members.