Friday, July 31, 2009

PTC NPRM and Cyber Security

Since Positive Train Control is, at its most basic, a cyber control system, it is heartening to see that FRA is actively addressing security measures in this NPRM. While this does not have any direct effect on the chemical security community, I do believe that a brief look at how FRA treats the control system security issue provides a good look at methodologies that could be appropriate for chemical process control systems.

Design Criteria 

In the discussion of §236.1003 FRA explains that security must be considered as one of the design parameters of the system. They note that security “is an important element in the design and development of PTC systems and covers issues such as developing measures to prevent hackers from gaining access to software and to preclude sudden system shutdown, mechanisms to provide message integrity, and means to authenticate the communicating parties” (74 FR 35984).

These should also be part of the design criteria for any industrial control system, but they are particularly important for critical control systems at high-risk chemical facilities. Later in the same discussion the FRA notes that another design element, integrated security, “recognizes that optimum protection comes from three mutually supporting elements: physical security measures, operational procedures, and procedural security measures”. Physical security includes measures that “prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts” (74 FR 75985).

Finally, since PTC systems are based upon communications between operational units and fixed activities, communications security measures need to be an integral part of system design parameters. In this context communications security measures include systems designed to “deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications”.

Cryptography Requirements 

One of the key communications security measures that the PTC NPRM is considering requiring, where communications confidentiality is required, is the use of cryptography both to prevent message interception and spoofing and to provide for communication authentication. It is interesting to note that FRA recognizes that there are no reasonably unbreakable cryptographic techniques. They note that “modern cryptographic practice has discarded the notion of perfect secrecy as a requirement for encryption, and instead focuses on computational security. Under this definition, the computational requirements of breaking an encrypted text must be infeasible for an attacker” (74 FR 35999).

All cryptographic systems use some sort of ‘key’ to share the encryption-decryption procedures between the sender and receiver of the encrypted message. Management of those keys “includes ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the different types of material”. Appropriate attention must be paid to each step of this process to protect the keys from inappropriate disclosure.
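To make the “message integrity” and “authenticate the communicating parties” design elements concrete, here is an added illustration that is not part of the NPRM or of this post: a control message carries a key identifier, a sequence number and an HMAC-SHA256 tag, and the receiver rejects anything forged, altered, replayed or signed under a key that has since been destroyed. The frame layout, the `seal`/`Receiver` names and the sample messages are assumptions constructed for the example; confidentiality (encryption of the payload) is deliberately left out so the code runs on the Python standard library alone.

```python
"""Authenticated control-channel frames: an added, constructed example.

Frame layout (an assumption for this example, not anything FRA specifies):
    key_id  (2 bytes)  identifies which shared key signed the frame
    seq     (8 bytes)  monotonically increasing per sender, defeats replay
    len     (4 bytes)  payload length
    payload (len bytes)
    tag     (32 bytes) HMAC-SHA256 over key_id || seq || len || payload
"""
import hashlib
import hmac
import struct

HEADER_FMT = ">HQI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 14 bytes
TAG_LEN = hashlib.sha256().digest_size    # 32 bytes


def seal(key_id: int, key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: build header || payload || tag.

    The tag covers the header too, so a valid payload cannot be re-sent
    under a different key id or sequence number.
    """
    body = struct.pack(HEADER_FMT, key_id, seq, len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Receiver side: holds the currently accepted keys and the last seq seen."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)  # key_id -> key; removing an entry retires it
        self.last_seq = -1

    def retire_key(self, key_id: int) -> None:
        # Part of the key-management lifecycle the NPRM lists ("destroying"):
        # once a key is retired, frames signed with it are no longer accepted.
        self.keys.pop(key_id, None)

    def open(self, frame: bytes):
        """Return (True, payload) or (False, reason). Never trusts the payload
        until the tag has verified under a key this receiver still holds."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return False, "truncated"
        key_id, seq, plen = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        if len(frame) != HEADER_LEN + plen + TAG_LEN:
            return False, "length mismatch"
        body, tag = frame[:HEADER_LEN + plen], frame[HEADER_LEN + plen:]
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown or retired key"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison: a byte-by-byte compare would leak the
        # position of the first mismatch through timing.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        if seq <= self.last_seq:
            return False, "replay"  # authentic but already seen
        self.last_seq = seq
        return True, body[HEADER_LEN:]


def demo() -> list:
    """Walk through the cases a defender cares about; returns the outcomes."""
    key = b"\x11" * 32          # constructed shared key
    rx = Receiver({1: key})
    results = []
    good = seal(1, key, 1, b"SET_SPEED 40")
    results.append(rx.open(good))                       # accepted
    results.append(rx.open(good))                       # replayed frame
    tampered = bytearray(seal(1, key, 2, b"SET_SPEED 40"))
    tampered[HEADER_LEN] ^= 0x01                        # flip a payload bit
    results.append(rx.open(bytes(tampered)))            # altered in transit
    results.append(rx.open(seal(1, b"\x22" * 32, 3, b"STOP")))  # wrong key
    rx.retire_key(1)
    results.append(rx.open(seal(1, key, 4, b"STOP")))   # key destroyed
    return results


if __name__ == "__main__":
    for ok, detail in demo():
        print("ACCEPT" if ok else "REJECT", detail)
```

The point the example makes, beyond the quoted text, is ordering: the receiver checks the key identifier and the tag before it reads the sequence number or acts on the payload, so the replay and state-update logic only ever runs on frames that have already proven authentic.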

The NPRM also takes a pragmatic approach to the physical security requirements of the cryptographic equipment. Instead of requiring a ‘tamper-proof’ standard for the physical protection of equipment, the FRA is recommending that the equipment be made ‘tamper-resistant’ and ‘tamper-evident’. To provide an additional level of security, they will require that the equipment be installed in a readily visible location so that the physical evidence of tampering would reasonably be expected to be detected in normal operations of the equipment.

As with most of the requirements found in this NPRM, FRA does not specify the specific cryptographic techniques or equipment that must be used. What it does require is that the railroad must specify the techniques to be used in their PTC Development Plan (PTCDP). While most high-risk chemical facilities do not typically consider communications security in their cyber security plan, any facility that allows off-site communications with their control systems does need to consider protecting that communication with cryptographic techniques. Those communications would not be limited to off-site human access to those systems, but could include system-to-system communications with enterprise information systems.

All-in-all this is an interesting discussion of cyber security measures. It is not comprehensive, but it does provide a perspective that has been missing from many discussions of control systems security. It would certainly be interesting to see what comments cyber security professionals provide in the public discussion of this NPRM.
