Cyber Security in Railways Systems, Ansaldo STS experience
About us: Finmeccanica
CP EXPO Workshop - «Risks and Security Management in
Logistics and Transports»
Cyber Security in Railways Systems, Ansaldo STS
experience – Part 2: Cyber Security Strategy and Design
Joint work with:
Daniele Debertol, PhD.
Ermete Meda, InfoSec Manager
Finmeccanica is Italy’s leading manufacturer in the high technology sector.
Genova, 29 October 2013
Finmeccanica is the largest shareholder in Ansaldo STS with a 40% stake.
Signaling Systems: Safety-to-Security relationships
• RBC (Radio Block Center)
Proprietary Infrastructure that
ensures Railway Safety is not
subject to computer attack
• Centralized Traffic Control
Systems (e.g. TMS), Automation
• Commercial ICT Infrastructure
undergoing Cyber Security Risks
(Operational Continuity, Financial
losses, Reputational damage)
… and between vital and non-vital layers
Train Management System (TMS)
RBC: Radio-Block Center
Evolution and Characteristics of Railway Signaling Systems
In the Past
Commercial low cost HW/SW
Heterogeneous Services (E-mail, Info-web,
VoIP, CCTV, …)
Structured and unstructured Information
Distributed ICT infrastructure spread over long distances, and unattended systems
Connections between safety critical and non-safety critical layers
External systems connected to signaling infrastructure
Human factor (operators, maintainers and… passengers)
Cyber Space calling, Cyber Security knocking
Cyber Security: protection of Cyber Space. But what is Cyber Space?
Yesterday: many different
Today: one single, big environment
Consequences: Dynamic Threat Landscape in unique Cyber Domain
Strategic & Tactical Cyber War
Vandalism & Hacktivism
Report, AET attacks,
Botnets, Phishing email
ICT Security Activities and Governance: Best Practices
ICT Security Activities and Governance: real life
… and guess what?
… and Monitoring…
Cyber Security: taking advantage of IT
Building on top of Information
Technology infrastructures, means
that you get both its weaknesses,
true, but its strenghts as well…
… putting it the other way round:
if a system is not secure by design
– and they are not –,
it will leave plenty of traces for
you to follow!
Leaving trace-routes behind
Strategy: enhance monitoring and correlate
So many eyes… giving a very broad view (say, at 365°degrees… to stay safe)… OK…
But where to look for? And for what? And who?
Content Filtering: the do’s and the dont’s
Operating system is static, meaning that you can’t change it too often (good…),
but that you won’t be able to patch (at all) either, which is NO GOOD!
Analysis: find critical vulnerabilities directly exposed to possible attacks
Remediation: identify (& block) specific packets for the above vulnerabilities
Solution: adding Virtual Patching
Near Realtime Asset Control
• not a performance- or availability-driven tool, though it may help
• based on static asset database loaded offline at project time
Repeat as needed
• perform differential discovery onsite for database tuning
• acknowledge variations that should be allowed
• what is left, deal with: either a missing sheep, or a mismatched one,
or… go, bark, there’s a wolf!
Know your flock, and beware of wolves! Barkin’, at the very least
The russian peasant of SIEMs at work: fast and light
Minimize False Positives
Realtime response (no archiving)
Novelty detection for scheme-in-the-chaos
The 11th hour (a.m.?)
Do we simply wait for
vulnerabilities to become
Can we advance from here, and
provide for new services?
Cyber Security = Defense line
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.