Abstract
System safety is based on the implementation of technical and organisational principles to ensure that a feared event cannot occur more frequently than expected. Such a demonstration, the so-called safety case, relies on domain-specific standards which capitalise on experience gained after decades of development and operation. For more than a decade, the threat of human attacks aimed at disrupting the operation of such systems has become more acute. In the railways, communications between on-board and track-side equipment are naturally subject to targeted attacks aimed at reducing the availability of the equipment or disrupting its operational safety to the point of creating accidents. This paper aims to sketch the range of logical and hardware attacks practised today that could be used in the future to attack railway systems to make them less available or less secure. It also presents a combination of techniques and technologies that, assisted by formal methods, can reduce the chances of success of such attacks.
Notes
- 1.
It is a type of security exploit that aims to extract secret information from a system by analysing its physical characteristics, such as power consumption, electromagnetic emissions, or even the sound or vibration it produces, rather than by attempting to directly access the data stored on it. One of the most common forms of side-channel attack is the power analysis attack, which relies on measuring the power consumed by a device as it performs cryptographic operations. By analysing the fluctuations in power consumption, an attacker can extract information about the secret key used in the encryption. Timing analysis is another popular side-channel attack: by measuring the time it takes a device to perform a specific operation, an attacker can extract information about the secret key and the operations performed.
- 2.
With reverse-engineering in mind for vulnerability analysis or with the idea of making copies.
- 3.
They are not robust to collision attacks, meaning that somebody can take a given CRC and easily find a second input that matches it.
- 4.
A TPM contains a hardware random number generator, facilities for the secure generation of cryptographic keys for limited uses, a generator of unforgeable hash-based summaries of a configuration, and a data encryptor/decryptor.
- 5.
An HSM is similar to a TPM. HSMs are focused on performance and key storage space, whereas TPMs are only designed to keep a few values and a single key in memory and do not put much effort into performance.
- 6.
Certification de Sécurité de Premier Niveau - https://www.ssi.gouv.fr/administration/produits-certifies/cspn/.
- 7.
A PKI has to be implemented on the network. If not, security is degraded as it is only based on fixed pre-shared secrets on all equipment.
- 8.
See https://www.ssi.gouv.fr/administration/produits-certifies/cc/produits-certifies-cc to get access to the up-to-date list of certified products.
- 9.
Corresponding to a successful authentication or code integrity verification.
- 10.
- 11.
A major breakdown of Denmark’s train network in October 2022 was the result of a malicious hacker attack on an IT subcontractor’s software testing environment. The attack prompted subcontractor Supeo to shut down its servers, which in turn affected locomotive drivers’ ability to operate the trains for several hours.
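The timing side channel described in note 1, shown as an added illustration that is not part of the chapter: a deterministic work counter stands in for wall-clock time, and the branch-free comparison is the mitigation a secure implementation would use. SECRET_TAG and the guess construction are constructed sample data, not values from the chapter.

```python
import hashlib

# Constructed sample: a 32-byte authentication tag standing in for any secret
# value that a receiver compares against an attacker-controlled input.
SECRET_TAG = hashlib.sha256(b"constructed sample key material").digest()


def naive_compare(expected: bytes, received: bytes):
    """Early-exit comparison. Returns (equal, bytes_inspected).
    The work done before returning grows with the length of the matching
    prefix, so the response time leaks how many leading bytes were right."""
    if len(expected) != len(received):
        return False, 0
    inspected = 0
    for x, y in zip(expected, received):
        inspected += 1
        if x != y:
            return False, inspected
    return True, inspected


def constant_time_compare(expected: bytes, received: bytes):
    """Branch-free comparison: OR together the XOR of every byte pair and
    decide only at the end, so the work is independent of where a mismatch
    occurs. hmac.compare_digest is the stdlib primitive for the same job."""
    if len(expected) != len(received):
        return False, 0
    diff = 0
    for x, y in zip(expected, received):
        diff |= x ^ y
    return diff == 0, len(expected)


def guess_with_prefix(tag: bytes, k: int) -> bytes:
    """Constructed input matching the first k bytes of tag and wrong from
    byte k onwards (XOR with 0xFF guarantees a mismatch at index k)."""
    return tag[:k] + bytes([tag[k] ^ 0xFF]) + b"\x00" * (len(tag) - k - 1)


def leak_profile(compare, tag: bytes):
    """Work count for guesses whose correct prefix grows from 0 to len-1.
    A profile that varies with k is the timing side channel described above;
    a flat profile means the comparison reveals nothing about the prefix."""
    return [compare(tag, guess_with_prefix(tag, k))[1] for k in range(len(tag))]


if __name__ == "__main__":
    print("naive:        ", leak_profile(naive_compare, SECRET_TAG))
    print("constant-time:", leak_profile(constant_time_compare, SECRET_TAG))
```

The naive profile climbs from 1 to 32 with the matched prefix, which is the measurable signal; the constant-time profile is flat at 32.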
Acknowledgements
The work and results described in this article were partly funded by BPI-France (Banque Publique d’Investissement) as part of the project CASES (Calculateur Sûr et Sécuritaire) selected for the call “Stratégie Cyber 2021 - Développement de technologies innovantes critiques”.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this chapter
Lecomte, T. (2023). Formal Modelling to Improve Safety and Security. In: Haxthausen, A.E., Huang, Wl., Roggenbach, M. (eds) Applicable Formal Methods for Safe Industrial Products. Lecture Notes in Computer Science, vol 14165. Springer, Cham. https://doi.org/10.1007/978-3-031-40132-9_10
DOI: https://doi.org/10.1007/978-3-031-40132-9_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-40131-2
Online ISBN: 978-3-031-40132-9
eBook Packages: Computer Science, Computer Science (R0)