How to assess the risks?
Irene Arsuaga
CYRAIL Final Conference, Paris, 18.09.2018
Index
- Introduction
- Overview on existing methodologies
- Recommended cybersecurity risk assessment methodology for the railway sector
- Conclusions
Introduction
Security assessment methodology
- More connected systems, open standards, open networks
- New risks associated with system security
- How to identify the main risks?
- How to identify the most critical assets?
- How to identify the most appropriate countermeasures?
Overview on existing methodologies
Overview of cybersecurity standards (I)
ISO/IEC 27005: Guidelines for Information Security Risk Management
- 4 phases: context establishment; risk assessment (identification, analysis and evaluation); risk treatment; risk acceptance
- Lists examples of typical threats and vulnerabilities
NIST SP 800-30
- 3 processes: risk assessment; risk mitigation; evaluation and assessment
Overview on existing methodologies
Overview of cybersecurity standards (II)
- CENELEC: EN 50126, EN 50129, EN 50159
- French security standards
- ETSI TS 102 165: TVRA method
- ISA/IEC 62443 series
  - Security Risk Assessment and System Design: ISA/IEC 62443-3-2
  - System Security Requirements and Security Levels: ISA/IEC 62443-3-3
- DIN VDE V 0831-104: ISA/IEC 62443 series applied to the railway sector
- APTA: Cybersecurity Considerations for Public Transport
- Methodologies used in related industries. Aeronautics: ED-202/EUROCAE
Recommended cybersecurity risk assessment methodology for the railway sector
Selection of the security assessment framework
CYRail methodology based on ISA/IEC 62443 (under development)
- Worldwide scope
- Completeness of the standard and detailed overview of the different phases
- A tailoring of the standard to the railway signalling context already exists (DIN VDE V 0831-104)
- Harmonised with X2Rail-1
- Includes assumptions from the DIN VDE V 0831-104 standard
- Includes concepts from the ETSI TVRA method to complement steps not defined by ISA/IEC 62443
Recommended cybersecurity risk assessment methodology for the railway sector
Overview of ISA/IEC 62443
Three kinds of Security Level (SL): Target SL (SL-T), Achieved SL (SL-A) and Capability SL (SL-C)
Seven Foundational Requirements (FR):
- IAC: Identification and Authentication Control
- UC: Use Control
- SI: System Integrity
- DC: Data Confidentiality
- RDF: Restricted Data Flow
- TRE: Timely Response to Events
- RA: Resource Availability
The SL of a zone is a vector with one value per FR.
DIN VDE V 0831-104 assumption: no distinction is made between the FRs of the same zone; the worst-case (highest) value is used for every FR.
Recommended cybersecurity risk assessment methodology for the railway sector
- ZCR 1 – Identification of the System under Consideration (SuC)
- ZCR 2 – Perform a high-level cybersecurity assessment
- ZCR 3 – Partition of the SuC into zones and conduits
- Perform a detailed cybersecurity risk assessment of zones and conduits
- ZCR 4 – Documentation of the process
Recommended cybersecurity risk assessment methodology for the railway sector
ZCR 1 – Identification of the SuC
- Railway communication scenario supporting ERTMS level 1 and 2
- Architecture diagrams and complete list of assets
Recommended cybersecurity risk assessment methodology for the railway sector
ZCR 2 – Perform a high-level cybersecurity assessment
Identification of the worst-case unmitigated risks
- Threats: list of typical threats in ISO 27005, grouped under the seven FRs
- Quantification of the high-level risk: impact and likelihood
Recommended cybersecurity risk assessment methodology for the railway sector
ZCR 3 – Partition of the SuC into zones and conduits
Separation criteria:
- Safety-critical zones
- Wireless communications
- Business and control systems
- Temporarily connected devices
- Location, functionality
Output: zone and conduit drawings
Recommended cybersecurity risk assessment methodology for the railway sector Detailed cybersecurity risk assessment to zones and conduits (I)
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (II)
DRAR 1 – Identify threats
- Cyber threats in ISO 27005, grouped under the Foundational Requirements
- Threats derived from the analysis of past incidents in rail and other transportation sectors
- 76 threats identified
DRAR 2 – Identify vulnerabilities
- Cyber vulnerabilities in ISO 27005
Example: Onboard equipment
- Threat: Remote access and control via wireless communication
- Vulnerability: Poor authentication practices
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (III)
DRAR 3 – Determine consequences and impact (I)
Impact areas: safety, finance and operational

Damage category | Damage reference                     | Factor
Safety          | Life-threatening injuries            | 10000
                | Severe and life-threatening injuries | 1000
                | Light and moderate injuries          | 100
                | No injuries                          |
Finance         | Existence-threatening damage         |
                | Substantial damage                   |
                | Undesirable financial damage         | 10
                | No or tolerable damage               |
Operational     | Vehicles unusable                    |
                | Service affected                     |
                | Comfort affected                     | 1
                | No relevant effect                   |
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (IV)
DRAR 3 – Determine consequences and impact (II)
Quantitative measurement to calculate the Damage Potential (DP)
Estimations made for the worst-case scenario (without cybersecurity countermeasures)
DPtotal = DPsafety + DPfinance + DPoperation

Damage Potential | Impact category
0 – 2            | Minor
3 – 21           | Moderate
22 – 210         | Major
> 210            | Critical
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (V)
DRAR 3 – Determine consequences and impact (III)
Example: Onboard equipment
Threat: Remote access and control via wireless communication

Impact area | DP (0-4) | DP    | Resulting DP | Impact category | Impact level
Safety      | 4        | 10000 | 11100        | Critical        | 4
Financial   |          | 1000  |              |                 |
Operational |          | 100   |              |                 |
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (VI)
DRAR 4 – Determine unmitigated likelihood (I)
TVRA method: time, expertise, knowledge, opportunity and equipment

Factor      | Range       | Value
Time        | ≤ 1 day     |
            | ≤ 1 week    | 1
            | ≤ 1 month   | 4
            | ≤ 3 months  | 13
            | ≤ 6 months  | 26
            | > 6 months  | 27
Expertise   | Layman      |
            | Proficient  | 2
            | Expert      | 5
Knowledge   | Public      |
            | Restricted  | 1
            | Sensitive   | 4
            | Critical    | 10
Opportunity | Unnecessary |
            | Easy        | 1
            | Moderate    | 4
            | Difficult   | 12
            | None        | 27
Equipment   | Standard    |
            | Specialized | 3
            | Bespoke     | 7
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (VII)
DRAR 4 – Determine unmitigated likelihood (II)
Quantitative measurement to calculate the Attack Potential (AP)
Estimations made for the worst-case scenario (without cybersecurity countermeasures)
APtotal = APtime + APexpertise + APknowledge + APopportunity + APequipment

AP value | AP level    | Likelihood level
< 3      | No rating   | Certain
3 – 6    | Basic       | Likely
7 – 14   | Moderate    | Possible
15 – 26  | High        | Unlikely
> 26     | Beyond high | Remote
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (VIII)
DRAR 4 – Determine unmitigated likelihood (III)
Example: Onboard equipment
Threat: Remote access and control via wireless communication

Factor      | AP | Resulting AP | AP level | Likelihood | Likelihood level
Time        | 1  | 11           | Moderate | Possible   | 3
Expertise   | 5  |              |          |            |
Knowledge   | 4  |              |          |            |
Opportunity |    |              |          |            |
Equipment   |    |              |          |            |
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (IX)
DRAR 5 – Calculate unmitigated risk (I)
Risk = Impact x Likelihood
Tolerable risk = 3

Likelihood \ Impact | Minor (1) | Moderate (2) | Major (3) | Critical (4)
Certain (5)         | 5         | 10           | 15        | 20
Likely (4)          | 4         | 8            | 12        | 16
Possible (3)        | 3         | 6            | 9         | 12
Unlikely (2)        | 2         | 4            | 6         | 8
Remote (1)          | 1         | 2            | 3         | 4
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (X)
DRAR 5 – Calculate unmitigated risk (II)
Example: Onboard equipment
Threat: Remote access and control via wireless communication
Impact = 4 (Critical), Likelihood = 3 (Possible), Risk = 4 x 3 = 12

Likelihood \ Impact | Minor (1) | Moderate (2) | Major (3) | Critical (4)
Certain (5)         | 5         | 10           | 15        | 20
Likely (4)          | 4         | 8            | 12        | 16
Possible (3)        | 3         | 6            | 9         | [12]
Unlikely (2)        | 2         | 4            | 6         | 8
Remote (1)          | 1         | 2            | 3         | 4
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (XI)
DRAR 6 – Determine the Security Level Target (SL-T)
Cyber Risk Reduction Factor (CRRF), as defined by ISA/IEC 62443: the ratio of the unmitigated risk to the tolerable risk
Example: Onboard equipment
Threat: Remote access and control via wireless communication
Risk = 12, Tolerable risk = 3, CRRF = 12 / 3 = 4, SL-T = 4
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (XII)
DRAR 7 – Identify and evaluate existing countermeasures
- Determine the existing countermeasures in the SuC
- Determine their effectiveness in reducing the impact and likelihood of the threats by calculating their SL-C
- Worst case: no existing countermeasures are assumed
DRAR 8 – Re-evaluate the likelihood and impact, considering the countermeasures identified in DRAR 7
DRAR 9 – Calculate the residual risk from the impact and likelihood values of DRAR 8, using the same risk matrix
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (XIII)
DRAR 10 – Determine whether the residual risk is below the tolerable risk
- Residual risk (DRAR 9) vs. tolerable risk (DRAR 5)
- If residual risk > tolerable risk, go to DRAR 11
DRAR 11 – Apply additional cybersecurity countermeasures (I)
- Iterative process: after applying the countermeasures, return to DRAR 8 and re-evaluate until the residual risk is no longer above the tolerable risk
Recommended cybersecurity risk assessment methodology for the railway sector
Detailed cybersecurity risk assessment to zones and conduits (XIV)
DRAR 11 – Apply additional cybersecurity countermeasures (II)
Example: Onboard equipment
Threat: Remote access and control via wireless communication

Countermeasures:
- Logging and monitoring device.
- Secure connection with the authentication server.
- Log security and administration events.
- The identity and the permissions of the user account are systematically checked before any privileged action.
Resiliency techniques:
- Define a management policy for patches (systematic, periodic or ad hoc) that is suited to the functional constraints. For example, define priorities for the deployment of patches and verify ascending compatibility and interoperability.

Impact after countermeasures
Area        | DP | IL
Safety      | 2  | 3
Financial   |    |
Operational |    |

Likelihood after countermeasures
Factor      | AP | LL
Time        | 4  | 1
Expertise   | 5  |
Knowledge   |    |
Opportunity | 12 |
Equipment   |    |
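The following script is an added worked example of the DRAR 3 to DRAR 10 arithmetic described on the preceding slides (damage potential, TVRA attack potential, the impact x likelihood matrix, the CRRF and the DRAR 10 acceptance test); it is not CYRail or X2Rail-1 code. The worst-case pass reuses the slides' "Onboard equipment / remote access and control via wireless communication" numbers. Two cells the slides leave blank are filled by assumption so that the attack potential sums to the slide's 11: opportunity "easy" (1) and equipment "standard" (0). The lowest rating of every TVRA factor is likewise taken as 0, the residual-risk pass uses constructed inputs (the slides show only safety DP 2, impact level 3, time 4, expertise 5, opportunity 12 and likelihood level 1), and the rounding of CRRF values other than 4 to an SL-T is an assumption of this example.

```python
"""Worked example of the CYRail detailed risk assessment steps DRAR 3 to DRAR 10.

Added illustration, not CYRail or X2Rail-1 code. Slide values are used where
the slides give them; every other number is a labelled assumption.
"""
from math import ceil

# DRAR 3: DP_total -> impact category and numeric impact level (slide table).
IMPACT_BANDS = [(2, "Minor", 1), (21, "Moderate", 2), (210, "Major", 3)]
IMPACT_CRITICAL = ("Critical", 4)

# DRAR 4: ETSI TVRA factor scales as listed on the slide. The lowest rating of
# each factor is blank on the slide and is taken as 0 here (assumption).
TVRA = {
    "time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4,
             "<=3 months": 13, "<=6 months": 26, ">6 months": 27},
    "expertise": {"layman": 0, "proficient": 2, "expert": 5},
    "knowledge": {"public": 0, "restricted": 1, "sensitive": 4, "critical": 10},
    "opportunity": {"unnecessary": 0, "easy": 1, "moderate": 4,
                    "difficult": 12, "none": 27},
    "equipment": {"standard": 0, "specialized": 3, "bespoke": 7},
}
# AP_total -> (AP level, likelihood, numeric likelihood level) (slide tables).
AP_BANDS = [(2, "No rating", "Certain", 5), (6, "Basic", "Likely", 4),
            (14, "Moderate", "Possible", 3), (26, "High", "Unlikely", 2)]
AP_BEYOND = ("Beyond high", "Remote", 1)

TOLERABLE_RISK = 3  # DRAR 5, slide value


def damage_potential(dp_by_area):
    """DRAR 3: DP_total = DP_safety + DP_finance + DP_operation, then band it."""
    total = sum(dp_by_area.values())
    for upper, category, level in IMPACT_BANDS:
        if total <= upper:
            return total, category, level
    return (total,) + IMPACT_CRITICAL


def attack_potential(ratings):
    """DRAR 4: AP_total over the five TVRA factors, then band it."""
    missing = set(TVRA) - set(ratings)
    if missing:
        raise ValueError(f"rating missing for {sorted(missing)}")
    total = sum(TVRA[factor][rating] for factor, rating in ratings.items())
    for upper, ap_level, likelihood, level in AP_BANDS:
        if total <= upper:
            return total, ap_level, likelihood, level
    return (total,) + AP_BEYOND


def risk(impact_level, likelihood_level):
    """DRAR 5 / DRAR 9: Risk = Impact x Likelihood (the slide's 4x5 matrix)."""
    return impact_level * likelihood_level


def security_level_target(unmitigated_risk, tolerable=TOLERABLE_RISK):
    """DRAR 6: CRRF = unmitigated risk / tolerable risk, then SL-T from the CRRF.
    The slide shows CRRF 4 -> SL-T 4; rounding up and clamping to SL 0..4 for
    other values is an assumption of this example."""
    crrf = unmitigated_risk / tolerable
    return crrf, max(0, min(4, ceil(crrf)))


def assess(dp_by_area, ratings, tolerable=TOLERABLE_RISK):
    """One pass of DRAR 3-6, or DRAR 8-10 when countermeasures are folded into the inputs."""
    dp_total, category, impact_level = damage_potential(dp_by_area)
    ap_total, ap_level, likelihood, likelihood_level = attack_potential(ratings)
    r = risk(impact_level, likelihood_level)
    crrf, sl_t = security_level_target(r, tolerable)
    return {"dp": dp_total, "impact": category, "impact_level": impact_level,
            "ap": ap_total, "ap_level": ap_level, "likelihood": likelihood,
            "likelihood_level": likelihood_level, "risk": r, "crrf": crrf,
            "sl_t": sl_t, "acceptable": r <= tolerable}  # DRAR 10 test


def onboard_equipment_example():
    """Worst-case pass (slide values) and one residual-risk pass (constructed)."""
    # DRAR 3/4 worst case. Opportunity 'easy' and equipment 'standard' are
    # assumptions filling the slide's blank cells so that AP_total = 11.
    unmitigated = assess(
        {"safety": 10000, "finance": 1000, "operational": 100},
        {"time": "<=1 week", "expertise": "expert", "knowledge": "sensitive",
         "opportunity": "easy", "equipment": "standard"})
    # DRAR 8/9 after countermeasures (logging and monitoring, patch policy,
    # authenticated privileged actions). Constructed inputs, not slide values.
    residual = assess(
        {"safety": 100, "finance": 10, "operational": 10},
        {"time": "<=1 month", "expertise": "expert", "knowledge": "sensitive",
         "opportunity": "difficult", "equipment": "specialized"})
    return unmitigated, residual


if __name__ == "__main__":
    for label, result in zip(("unmitigated", "residual"), onboard_equipment_example()):
        print(label, result)
```

Running it reproduces the slides' worst-case chain (DP 11100, Critical, AP 11, Possible, risk 12, CRRF 4, SL-T 4, not acceptable) and, for the constructed residual pass, DP 120 (Major, 3) with AP 28 (Remote, 1), giving risk 3, which DRAR 10 accepts because it is not above the tolerable risk of 3. A residual risk of 4 or more would send the assessment back to DRAR 11 for another iteration.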
Conclusions
- Cybersecurity risk assessment methodology proposed
- Most critical zones identified through the application of the cybersecurity risk assessment
- Risk of the zones assessed by determining likelihood and impact
- Countermeasures evaluated
- Most appropriate countermeasures implemented to reduce the risk
- Risk of all zones below the tolerable risk