KiwiRail
Rail Technology System
PIDS Threat and Risk Assessment
AZ6-, Version
SIG##TES&EDB000
<Project document No RT>
Restricted
Version: 0.1
Date: 30/06/14

Version Control
VERSION | REVISED BY | DATE | COMMENTS
0.1 | Phil Cook | 30/06/14 | Initial draft

Approval (Prepared by / Reviewed by / Released by; Siemens Approval; KiwiRail Approval): name, department, position, signature and date fields are blank in this draft.

Document Distribution: name and position fields are blank in this draft.

References
NO | TITLE | VERSION
[1] | Rail 9000 Project Detailed Business Requirements | 0.1
Table of Contents
1 Introduction
1.1 Scope and Purpose of this Document
1.2 Abbreviations & Definitions
2 Background
3 Workshop Methodology
4
4.1 System Overview
4.2 Assets
4.3 Initial Risk Assessment
5
5.1 Mitigations Considered
5.2 Proposed Design
5.3
6 Business Requirements
7 Actions
1 Introduction

1.1 Scope and Purpose of this Document

1.2 Abbreviations & Definitions

Table 1 Abbreviations
Abbreviation | Explanation
ARS | Automatic Route Setting
ESB | Enterprise Service Bus
ICT | Information and Communications Technology
KR | KiwiRail
PIDS | Passenger Information Display System
REST | Representational State Transfer
2 Background
KiwiRail, New Zealand's Rail Infrastructure Manager, employ Siemens train control and signalling technologies to safely manage rolling stock movements throughout New Zealand. In particular, KiwiRail operate the Rail 9000 system, which provides train control and Automatic Route Setting (ARS) functionality. The Rail 9000 system, as well as the interlocking and object controller devices with which it communicates, are interconnected via a dedicated Signalling Network. This network currently has no physical connection to any other network, with the exception of an external connection provided to enable Siemens staff to provide support services to KiwiRail.
Auckland Transport are interested in obtaining real-time train movement information from the Rail 9000 system:
The technical solution required to achieve this goal will, necessarily, create a connection between the KiwiRail Signalling Network and the KiwiRail Corporate Network. Introducing such a connection has ICT security implications: it could provide a path for an attacker to access and/or manipulate the data being communicated on the KiwiRail Signalling Network, which could in turn threaten the safety and/or operational availability of the railway.
Siemens were asked by KiwiRail to facilitate a Threat and Risk Assessment Workshop to address this concern. The outcomes of this workshop are the subject of the current report.
3 Workshop Methodology
The methodology employed in the workshop was based on a standard Siemens
process for analysis of ICT security threats. The analysis process was as follows.
1. A description of the proposed solution (see Section 4.1) was reviewed by
the workshop facilitators prior to the workshop. From this, the facilitators
identified five assets which required protection. These assets were all
related to critical functions performed by the Rail 9000 and signalling
systems (protecting the functionality of PIDS itself was assumed to be
outside the scope of the workshop).
2. During the workshop, this initial list of assets was reviewed by the
participants, and a number of additional assets were proposed. The list of
assets is presented in Section 4.2.
3. A standard list of attackers was used (see Slide 10 in Appendix A). This
list was presented to the participants in the workshop and used to guide
the analysis.
4. The assets and attackers (or threat sources) were used to identify
potential threats. This exercise was carried out during the workshop, with
all participants present. For the purposes of this exercise, it was assumed
that no design controls were in place to manage the security of the
connection between the KiwiRail Signalling Network and KiwiRail
Corporate Network.
5. The likelihood and impact of each threat were rated according to the
tables on slides 13, 16, and 17 in Appendix A, resulting in an initial risk
rating, according to the risk matrix shown on slide 20 in Appendix A.
Again, it was assumed that no design controls were in place during this
exercise. However, existing mitigations (e.g., existing firewalls employed
on the KiwiRail corporate network) were taken into account. The results of
this phase of the workshop are documented in Section 4.3.
6. The participants discussed a number of potential mitigations that could be
introduced to reduce risk. These potential mitigations were noted on a
whiteboard and each was given a rough score in terms of its cost impact
and anticipated effectiveness in reducing risk. Some of the mitigations
were competing alternatives, whereas others were mitigations that could
or should be used in concert with others.
7. From this discussion, a single mitigation technique stood out as being
highly effective and of moderate cost. The likelihood and risk ratings
associated with each threat were re-assessed taking this mitigation into
account to confirm its effectiveness. This mitigation and its resulting effect
on the risk ratings are presented in Section 5.
8. Once this mitigation was settled on, the participants discussed potential
business requirements that could be applied to adequately characterise a
solution based on this mitigation. The results of this discussion are
captured in Section 6.
As the workshop included participants from all the key stakeholders of the project
(Siemens, KiwiRail, Auckland Transport, and Transdev), there were a number of
topics discussed that were not strictly related to the security of the design.
Actions resulting from these discussions, as well as actions following the security
assessment itself, are captured in Section 7.
Slides presented during the workshop describing this methodology are shown in
Appendix A.
Appendix B lists the attendees at the workshop.
Detailed notes capturing what was discussed during the workshop are presented
in Appendix C.
4.1 System Overview
The following figure illustrates the conceptual architecture that was considered during the initial risk assessment. The blocks in this figure are primarily functional in nature; physical servers, network switches, etc. are not shown.
Figure 1
Note: This architecture differs slightly from that shown in the presentation slides in Appendix A; the figure above represents the architecture following discussion with the workshop participants.
4.2 Assets
The main security concern in the workshop was protecting operation of the train control and signalling systems. As such, the assets considered in the assessment primarily relate to the functions of these systems, rather than to concrete data, software, or hardware assets.
The following table lists the assets considered in the risk assessment. Items 1 through 5 were identified by the facilitators prior to the workshop. Items 6 through 11 were proposed as additional assets to consider by the workshop participants.

Table 2 Assets Considered in Risk Assessment
# | Asset | Description | Proposed by
1 | Safety of routes | Provides train separation. | Facilitators prior to workshop
2 | Efficiency of routes | Keeps rail services running on time; requires that routes be set correctly / optimally and on time. | Facilitators prior to workshop
3 | Axle counter reset management | Supports above. | Facilitators prior to workshop
4 | Track block management | Protects track workers. | Facilitators prior to workshop
5 | Train location information | Provides situational awareness to Train Controllers to support the above. | Facilitators prior to workshop
6 | Working timetable | | Participants during workshop
7 | Reputation / public confidence | | Participants during workshop
8 | Level crossing operation | | Participants during workshop
9 | Obscurity of design | | Participants during workshop
10 | Operational confidence | | Participants during workshop
11 | Control of operator workload | Relied upon to ensure operational staff are able to effectively discharge their safe-working duties. | Participants during workshop

(... relating to the Working timetable asset were all equivalent to threats relating to the Efficiency of routes asset).
4.3 Initial Risk Assessment
Table 3 Initial Risk Assessment
Columns: # | Asset | Threat Source | Threat Explanation (with existing mitigations) | Likelihood Rating | Impact Rating (comment) | Risk Rating | Comments

1 | Safety of routes | Skilled Hacker | Attacker accesses the signalling network from outside the KR corporate network (or injects malware) and manipulates the vital protocol between interlocking sites to manipulate routes. Existing mitigations: knowledge of the vital protocol required; firewall(s) around the KR corporate network; core switches logically separate the networks. | Possible | | Intermediate |
2 | Safety of routes | Administrator | A KR corporate network administrator infiltrates the signalling network and manipulates the vital protocol between interlocking sites to manipulate routes. Existing mitigations: knowledge of the vital protocol required; core switches logically separate the networks. | Possible | | Intermediate |
3 | Safety of routes | Skilled Hacker | Attacker accesses the signalling network from outside the KR corporate network (or injects malware) and manipulates the ATP telegrams transmitted from LEUs. Existing mitigations: knowledge of the vital protocol required; firewall(s) around the KR corporate network; core switches logically separate the networks; two proprietary protocols would need to be hijacked; the driver would notice a discrepancy between in-cab and lineside signalling. | Possible | | Intermediate |
| Safety of routes | Administrator | | | | |
| Efficiency of routes | Hacker (curious); Skilled Hacker; Competitor | Existing mitigations: firewall(s) around the KR corporate network; passwords; the web service only operates over HTTPS to the AT network; firewall monitoring and malware protection on the KR corporate network. | Possible | Critical (disruption of 1-4 hr) | Intermediate |
| Efficiency of routes | Skilled Hacker; Competitor | Existing mitigations: firewall(s) around the KR corporate network; passwords. | Possible | Critical | Intermediate |
| Efficiency of routes | | Existing mitigations: firewall(s) around the KR corporate network; passwords. | Possible | Disastrous (disruption of up to 12 hrs; may not have ready access to pristine configuration data) | Intermediate |
| Efficiency of routes | | Existing mitigations: firewall(s) around the KR corporate network; passwords. | Possible | Disastrous (disruption of up to 12 hrs) | Intermediate |
| Efficiency of routes | Skilled Hacker; Competitor | | Likely | Disastrous (disruption of up to 12 hrs; may not have ready access to pristine configuration data) | Major | Password management on the R9K side is not up to the same standard as the KR corporate network.
| Efficiency of routes | | | Likely | Disastrous (disruption of up to 12 hrs; may not have ready access to pristine configuration data) | Major |
9 | Axle counter reset management | n/a | n/a | | | | No specific threats were identified for this asset - covered by other assets above.
10 | Track block management | Skilled Hacker; Competitor | Existing mitigations: firewall(s) around the KR corporate network; passwords; safe-working procedures followed by track workers, Hi-Rail operators, train drivers, etc.; Train Controller situational awareness. | Possible | | Intermediate |
11 | Track block management | Administrator | Existing mitigations: safe-working procedures followed by track workers, Hi-Rail operators, train drivers, etc.; Train Controller situational awareness. | Possible | | Intermediate |
12 | Train location information | Skilled Hacker | Existing mitigations: firewall(s) around the KR corporate network; passwords. | Possible | Moderate | Minor |
13 | Train location information | Administrator | | Possible | Moderate | Minor |
| Working timetable | n/a | n/a | | | | No specific threats were identified for this asset - covered by other assets above.
| Reputation / public confidence | n/a | n/a | | | | No specific threats were identified for this asset - covered by other assets above.
| Level crossing operation | n/a | n/a | | | | No specific threats were identified for this asset - covered by other assets above.
| Obscurity of design | n/a | n/a | | | | No specific threats were identified for this asset - covered by other assets above.
| Operational confidence | n/a | n/a | | | | No specific threats were identified for this asset - covered by other assets above.
| Control of operator workload | n/a | n/a | | | | No specific threats were identified for this asset - covered by other assets above.
5.1 Mitigations Considered
Table 4 Mitigations Considered
Mitigation | Effectiveness (1 to 5) | Cost (1 to 5)
Unidirectional SOAP | |
Diverse firewalls | |
Unidirectional UDP | |
Intrusion detection | |
Unidirectional, non-IP interconnect | |

5.2 Proposed Design
Of the mitigation strategies discussed in the previous section, the option that provided the most effective risk reduction was the Unidirectional, non-IP interconnect option. This is depicted in the following figure.
Figure 2 Proposed Design
The key element of this design is the use of a unidirectional serial link to interconnect the two networks. The serial link could be either copper (e.g., RS-422) or optical fibre. In either case, however, the design rests upon the assumption that the receive line(s) are physically severed to prevent any possibility of communication from the KiwiRail Corporate Network to the KiwiRail Signalling Network. Because each terminal server remains an IP device on its own network, the isolation rests entirely on that severed receive line, and it should be verified by test at commissioning (no traffic observable on the signalling side while the corporate side transmits) rather than assumed from the wiring documentation.
The PIDS Interface and Listener Server elements consist of software developed by Siemens to translate messages from the Rail 9000 External Interface (JMS) to a form that can be consumed by the Mule ESB and, ultimately, Auckland Transport. COTS Terminal Servers would be used to form the serial interconnect in order to ease implementation (e.g., by removing the need for specialised serial interfaces on the rack-mounted servers hosting the PIDS Interface and Listener Server elements).
5.3
(... actuality, each risk is no longer credible under the proposed design) and, as a result, the overall rating of each risk was reduced to Minor.
6 Business Requirements
Table 5 Business Requirements
Requirement | Priority
The Rail 9000 Data Feed shall connect the KiwiRail Signalling Network to the KiwiRail Corporate Network via a physically unidirectional, non-IP-based serial interface. | Mandatory
The Rail 9000 Data Feed shall enable software executing within the Auckland Transport Network to detect and isolate loss of the Rail 9000 Feed within two (2) minutes. | Mandatory
Note: The PIDS interface software could potentially execute within the existing Rail 9000 virtualisation platform.
The Rail 9000 Data Feed shall transmit event data to the KiwiRail Mule ESB system in REST format with the KiwiRail Mule ESB system acting as the RESTful service. | Mandatory
The Rail 9000 Data Feed shall transmit event data to the RESTful service provided by the KiwiRail Mule ESB system via an HTTPS transport with Basic Authentication. | Mandatory
The Rail 9000 Data Feed shall transmit event data detailed in requirements 1.1, 1.2, 1.3, and 1.6 of Rail 9000 Project Detailed Business Requirements [1] to the RESTful service provided by the KiwiRail Mule ESB system. | Mandatory
The Rail 9000 Data Feed shall provide sufficient throughput and latency to transmit events for eighty (80) trains within five (5) seconds. | Mandatory
The Rail 9000 Data Feed shall support a Mean Time to Restore no greater than four (4) hours. | Mandatory
The Rail 9000 Data Feed shall enable software executing within the Auckland Transport Network to detect if events are lost between the PIDS Interface and the Auckland Transport Network. | Desirable
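The proposed design (Section 5.2) and the loss-of-feed and lost-event requirements in Table 5 leave the Listener Server with no back-channel: the receive line is severed, so it can neither acknowledge frames nor ask for retransmission, and every loss has to be inferred from what does arrive. The following is an added example (not Siemens or KiwiRail code) of how a sender on the signalling side and a receiver on the corporate side could be written to make that inference possible. Each frame carries a per-channel sequence number and a CRC-32, the sender emits heartbeats when no trigger events occur (as agreed in the Day 1 notes, Appendix C item 19), and the receiver merges the duplicated A and B channels, drops duplicates, records sequence gaps, discards corrupted frames, and reports a channel as lost once it has been silent for longer than the two-minute requirement. The frame layout, field names, the 30 s heartbeat interval, the JSON encoding and the sample events are all assumptions made for this example.

```python
"""Framing and loss detection for a physically unidirectional serial feed.

Added example, not Siemens or KiwiRail code. The frame layout, field names,
heartbeat interval, JSON encoding and sample events are assumptions.
"""
import json
import zlib

HEARTBEAT_INTERVAL_S = 30   # assumed: sender emits a heartbeat after this much idle time
FEED_LOSS_TIMEOUT_S = 120   # from the requirement to detect loss of the feed within two minutes
FRAME_END = b"\n"


class Sender:
    """PIDS Interface (signalling side). It only writes to the link; the receive line is cut."""

    def __init__(self, channel):
        self.channel = channel   # "A" or "B": each Rail 9000 instance drives its own PIDS Interface
        self.seq = 0             # per-channel sequence number so the receiver can see gaps
        self.last_tx = 0.0

    def _frame(self, kind, payload, now):
        self.seq += 1
        self.last_tx = now
        body = json.dumps({"ch": self.channel, "seq": self.seq, "ts": now,
                           "kind": kind, "data": payload}, separators=(",", ":")).encode()
        return body + b"|" + b"%08x" % zlib.crc32(body) + FRAME_END   # CRC-32 over the body

    def event(self, payload, now):
        return self._frame("event", payload, now)

    def heartbeat(self, now):
        return self._frame("hb", {}, now)

    def poll(self, now):
        """Call periodically: returns a heartbeat frame if the link has been idle too long, else None."""
        return self.heartbeat(now) if now - self.last_tx >= HEARTBEAT_INTERVAL_S else None


class Receiver:
    """Listener Server (corporate side). It cannot ACK or NAK, so every loss is inferred here."""

    def __init__(self):
        self.buf = b""
        self.last_seq = {}    # channel -> highest sequence number accepted
        self.last_rx = {}     # channel -> time of the last valid frame (event or heartbeat)
        self.seen = set()     # event_ids already passed on, so the A/B duplicate is dropped
        self.gaps = []        # (channel, first_missing_seq, last_missing_seq)
        self.bad_frames = 0   # frames failing the CRC; nothing can be retransmitted
        self.delivered = []   # events passed on towards the Mule ESB

    def feed(self, chunk, now):
        """Consume raw bytes from the terminal server; frames may arrive split or coalesced."""
        self.buf += chunk
        while FRAME_END in self.buf:
            line, self.buf = self.buf.split(FRAME_END, 1)
            self._handle(line, now)

    def _handle(self, line, now):
        body, sep, crc_hex = line.rpartition(b"|")
        try:
            ok = bool(sep) and zlib.crc32(body) == int(crc_hex, 16)
        except ValueError:
            ok = False
        if not ok:
            self.bad_frames += 1
            return
        msg = json.loads(body)
        ch, seq = msg["ch"], msg["seq"]
        prev = self.last_seq.get(ch, 0)
        if seq > prev + 1:                     # one or more frames on this channel never arrived
            self.gaps.append((ch, prev + 1, seq - 1))
        self.last_seq[ch] = max(prev, seq)
        self.last_rx[ch] = now
        if msg["kind"] == "event":
            event_id = msg["data"]["event_id"]
            if event_id not in self.seen:      # the other channel may already have delivered it
                self.seen.add(event_id)
                self.delivered.append(msg["data"])

    def feed_lost(self, now):
        """Channels silent (no event, no heartbeat) for longer than the timeout."""
        return sorted(ch for ch, t in self.last_rx.items() if now - t > FEED_LOSS_TIMEOUT_S)


def run_demo():
    """Constructed scenario: duplicated A/B feed, one frame dropped, one corrupted, then B goes quiet."""
    a, b, rx = Sender("A"), Sender("B"), Receiver()
    t0 = 1000.0
    events = [{"event_id": "E%d" % i, "train": "T3", "location": "signal %d" % i} for i in (1, 2, 3)]
    frames_a = [a.event(e, t0 + i) for i, e in enumerate(events)]
    frames_b = [b.event(e, t0 + i) for i, e in enumerate(events)]
    del frames_a[1]                                             # A's second frame lost on the link
    frames_b[2] = frames_b[2][:20] + b"X" + frames_b[2][21:]    # one byte of B's third frame damaged
    for frame in frames_a + frames_b:
        rx.feed(frame, t0 + 5)
    rx.feed(a.poll(t0 + 100), t0 + 100)                         # A is idle but heartbeats; B stays silent
    return rx, rx.feed_lost(t0 + 130)


if __name__ == "__main__":
    rx, lost = run_demo()
    print("delivered:", [e["event_id"] for e in rx.delivered])
    print("gaps:", rx.gaps, "bad frames:", rx.bad_frames, "feed lost on:", lost)
```

The scenario in run_demo() is constructed: channel A loses its second frame, one byte of channel B's third frame is damaged on the wire, and B then falls silent while A keeps heartbeating. Sequence numbers are per channel rather than per event, so the gap on A is recorded even though B delivered the same event, which is what makes the A/B duplication useful for the lost-event requirement. A damaged frame cannot be repaired without a return path, so it is only counted; the gap it leaves becomes visible when the next valid frame on that channel arrives.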
The following table traces the requirements documented in the Rail 9000 Project
Detailed Business Requirements [1] to the requirements in Table 5.
Table 6 Business Requirements Traceability
Requirement in [1] | Trace to Table 5 | Remarks
1.1 | |
1.2 | |
1.3 | |
1.4 | |
1.5 | |
1.6 | |
1.7 | |
2.1 | |
Remark recorded against one of requirements 1.5 to 2.1: Table 5 contains no requirement equivalent to this. However, implementation of this requirement is not precluded by the proposed solution (it would need to be implemented by software on the KiwiRail side).
2.2 | |
2.3 | |
3.1 | |
Remark recorded against one of requirements 2.2 to 3.1: Table 5 contains no requirement equivalent to this. However, implementation of this requirement is not precluded by the proposed solution (it would need to be implemented by software on the KiwiRail side).
3.2 | |
4.1 | |
4.2 | |
4.3 | |
4.4 | |
4.5 | | Requirement 15 in Table 5 contradicts this statement.
7 Actions
The following table summarises actions raised during the workshop (some of which were incidental to the subject of the workshop).
Table 7 Actions
# | Action | Party Responsible
| | Auckland Transport
| | Auckland Transport

List of Figures
Figure 1
Figure 2 Proposed Design

List of Tables
Table 1 Abbreviations
Table 2 Assets Considered in Risk Assessment
Table 3 Initial Risk Assessment
Table 4 Mitigations Considered
Table 5 Business Requirements
Table 6 Business Requirements Traceability
Table 7 Actions
Appendix A  Workshop Slides (TRA - PIDS)

Slide: PIDS Architecture
(Architecture diagram; superseded by Figure 1, see the note in Section 4.1.)

Slide: PIDS Assets (for discussion)
Safety of routes: provides train separation.
Efficiency of routes: keeps rail services running on time; requires that routes be set correctly / optimally and on time.
Axle counter reset management: supports the above.
Track block management: protects track workers.
Train location information: provides situational awareness to Train Controllers to support the above.

Slide: Attackers
Columns: Attacker | Capabilities | Adversary Goals | Level of Access
Attackers considered: Hacker (curious); Skilled Hacker; Administrator; User; Customer (operator); Competitor.
Capabilities and goals recorded on the slide include: no targeted attack, just "looking around" (curious hacker); revenge; hired by someone else.
Levels of access recorded on the slide include: Internet; unprotected physical interfaces.

Slide: Threat analysis process
System inventory and asset identification -> Attacker and threat identification -> Threat evaluation -> Impact identification and evaluation -> Risk calculation -> Risk mitigation.

Slide: Likelihood rating
Overall likelihood is derived from the attackers considered together with the vulnerability and exploitability of the system, on the scale Improbable, Possible, Likely, Very likely.

Slide: Impact rating (text)
Rating (Text) | Description
Disastrous |
Critical |
Moderate | Disruption of operation at customer site for a short period (the actual value depends on the product); breakdown of several systems, also for a short period of time
Negligible | No adverse effects to the system as effects are compensated by safety mechanisms, e.g. one channel of two parallel breaks down

Slide: Impact rating criteria
Columns: Impact Rating | Disruption of customer service (duration) | Unavailability of systems or components (duration) | Physical damage (costs to restore functionality including loss of income; a direct description of the damage may be easier to map to a threat) | Safety impact possible (yes/no) | Loss of reputation (public attention, potential for future business loss) | Legal impacts (violation of laws, violation of standards)
Disastrous | > 12 h | | Train damaged | Yes (hazard) | Bad worldwide press | Personal liability, jail, or fines > NZ $7.5 million
Critical | > 1/2 h | > 12 h | | No | | Fines > NZ $1.5 million
Moderate | <= 1/2 h | <= 12 h | > NZ $150,000 | No | Known by insiders | Fines > NZ $150,000
Negligible | | | <= NZ $150,000; minor component damaged | No | | Fines <= NZ $150,000

Slide: Risk Rating
Within the workshop, we use a predefined risk management metric to calculate the risk:
Risk Rating (Text) | Description
Critical | Controls for critical risks are required with highest priority.
Major |
Intermediate |
Minor |

Slide: Risk Matrix
The threat & risk analysis results are displayed in the following risk matrix (impact down, overall likelihood across):
Impact \ Overall Likelihood | Improbable | Possible | Likely | Very likely
Negligible | Minor | Minor | Minor | Minor
Moderate | Minor | Minor | Intermediate | Intermediate
Critical | Minor | Intermediate | Major | Major
Disastrous | Minor | Intermediate | Major | Critical

Restricted © Siemens AG 2014 All rights reserved.
Appendix C  Workshop Notes

Day 1
10. The following comments were mentioned as the discussion around the slides ensued:
a. Phil Cook explained the concept of a clean architecture, and how it was important to perform the initial assessment without assuming the existence of firewalls and the like (other than those that already exist).
b. It was pointed out that there was already a link between Siemens and KiwiRail, because Siemens support personnel could remotely dial in to the R9K network for support purposes. However, this connection is stand-alone, limited, and outside the scope of this workshop.
c. A question was raised as to whether the workshop should consider threats in the reverse direction, e.g. the risk that an R9K operator or rogue software process could inadvertently push bad data or malware back onto the KiwiRail network that could result in outcomes such as displaying inappropriate content on passenger displays. It was agreed that this was outside the scope of the workshop.
d. Given that the methodology involved considering the risk delta involved in the introduction of a live data feed from R9K to KiwiRail, the question was asked whether there was a security assessment of the original R9K system that could be leveraged for this workshop. It was explained that while security was closely considered during R9K deployment, the consideration took a different form (i.e. assess the Class of system; agree it is a Class 5 Open System; check the compliance of the communications protocols and infrastructure against requirements for that Class of system).
e. Consideration turned to the identification of assets. A number of new assets were identified (refer to the main body of this report).
f. Consideration then turned to the threat assessment. The results of this are in general captured in <ref to place in the report where the assessment lives>.
g. A number of recommendations / follow-up actions were noted throughout the workshop. These are noted here for convenience:
i. Need to check that KiwiRail's administration of the R9K system is adhering to the KiwiRail Security Policy (audit requirement), and implement corrective action if not.
ii. Need to check on password management for the R9K system (may be covered by the previous point).
iii. Need to acknowledge that there are two different administrator groups, one for R9K and one for KiwiRail; similar administrative procedures/protocols should apply to all?
h. In considering the threat assessment, a number of factors influencing the findings and assessments were noted. These included:
i. At present, none of Siemens' competitors have access to the R9K network. Siemens may want to consider applying a caveat to their security/safety guarantees. Permitting competitor access to this network would create a new vulnerability that is currently not present.
likelihood consideration for the first mitigation (i.e. the likelihood ranking scale is relatively coarse).
18. Based on this outcome, there was general consensus that the solution involving uni-directional communications (either serial or fibre with the return wire snipped) was the solution that should be adopted.
19. There followed a general discussion around this solution space, with the following points being noted:
a. Options for duplication should be considered. It was agreed that KiwiRail/Auckland Transport were prepared to take care of merging two streams of messages (and removing duplicates if necessary). Based on this, a design comprising an interface involving the A version of R9K talking to one instance of the PIDS Interface, and the B version talking to a second instance, was conceived.
b. It was agreed that during times when no trigger events were received by the PIDS interface, heartbeat messages should still be sent.
c. It was agreed that if the two terminal servers in the solution were physically proximate, copper could be used, but for longer distances fibre would be needed.
20. At this point, the workshop broke for the day.

Day 2
1. The second day of the workshop commenced at 9am, Wednesday 25th June. All participants from the previous day were in attendance.
2. Brett Sumner opened the meeting stating that his desires for the workshop were to find a solution that (i) solved our problem; and (ii) was sufficiently well specified so that contributors to the solution had enough information to estimate a cost and a delivery date.
3. Brett mentioned that from KiwiRail's perspective, they had hoped to have the PIDS interface in place and working by the 28th September, implying that a delivery from Siemens in the latter half of August was needed.
4. Other aspirations for the day were mentioned. One participant said that it would be good to have a RACI (footnote 2) established for the tasks that need to happen to enable a solution to go live.
5. Another participant said it would be good to perform a schedule risk assessment on the various tasks.
6. It was agreed by all that the first task should be to specify a set of requirements.

Footnote 2: A RACI is a tool that shows, for each particular activity or task, who is to be Responsible for the task, Accountable for it, Consulted about it, or Informed about it.