WESTINGHOUSE RAIL SYSTEMS

RESOURCEFUL
RELIABLE
RESPONSIBLE
Computer Security As If Your Life Depended On It
Katherine Eastaughffe
OUTLINE
• Westinghouse Rail Systems – What do we do?
• Safety Critical Systems on the Railway
• How do we develop Safety Critical Systems?
• Where does Security fit in?
• Looking to the future
COMPANY OVERVIEW
• Company established in 1862
• Offices in Birmingham, Crawley, Croydon, Glasgow, Swanley, York, Beijing, Germany and Singapore, with HQ in Chippenham
• 1390 employees
• Part of Invensys Rail Systems (Australia, US and Spain)
WHAT IS OUR BUSINESS?
• Design, manufacture, installation, commissioning and maintenance of:
– Railway signalling systems and equipment
– Train control systems
– Railway monitoring systems & control centres
• Supplying Main Line and Mass Transit operators in the UK, Europe and Far East
NEW INTERLOCKINGS IN CONTROL – DUAL RUNNING INTERFACE TO EXISTING SIGNALLING
[System diagram (final system / overlay system): WESTRACE interlockings, fixed block processor, local site computer (LSC), fixed communications unit & radio base stations, station management system (SMS), maintainer's control terminal (incl. operational data recorder) and control centre on the trackside; ATP/ATO equipment, APR transponder and reader, tachogenerator (speed sensor), Doppler radar and driver's display on the train; outputs to train: emergency brakes, service brakes, traction inhibit, door side enable, door indications, motors. Key: automatic train protection equipment, diverse monitor controller, automatic train operation equipment, interlocking equipment, automatic train supervision equipment, equipment supplied by others. Westinghouse Brake and Signal Holdings Limited 2003, PPP system, draft issue dated 15 May 2003, for information purposes only.]
LONDON'S PPP – PUBLIC PRIVATE PARTNERSHIP
• Westinghouse supplying resignalling projects to Metronet consortium through Bombardier
• Resignalling Victoria, District, Circle, Hammersmith, Metropolitan lines over 14 years (>1/2 of the Tube)
Victoria Line/SSL Resignalling Statistics
• ~ $850 million contract
• Resignalling of more than ½ of Tube
• 150 000 people enter the system each hour
• About 400 km of track
• About 160 stations
• Victoria line to provide > 30 trains per hour
• London Underground has 2.7 million passenger journeys/day
AUTOMATIC TRAIN CONTROL
[Figure: Basic Operation. Line Speed = 80 km/h; protection profile plotted against location, with trackside equipment shown along the track.]
Train Control Systems
• ERTMS (European Rail Traffic Management System)
– To be deployed across Europe
• DTG-R (Distance To Go – Radio)
– Aimed at Metro systems
– To be deployed on London Underground
ERTMS
• Recommended by the Uff-Cullen Inquiry for Automatic Train Protection on UK Mainline railway
• Common specifications to which suppliers provide equipment
• Radio Block Centre derives and sends “movement authorities” to trains via a GSM-R radio system
• A movement authority specifies how far a train can travel along the route ahead
• Train-borne computer calculates a safe speed based on its received movement authority
DTG-R
• Processors send “Signalling States” from the interlocking to the train via a radio system
• Train-borne computer calculates a movement authority and from that a safe speed
What if something interferes with the data?
[Figure: Basic Operation with interference. Line Speed = 80 km/h; protection profile plotted against location, with trackside equipment shown along the track.]
How do we prove our systems are safe?
• Try to identify all the ways that something can go wrong
• Make sure we have ways of protecting against these threats
• We construct a Safety Case
• One part of the Safety Case for Automatic Train Control addresses the questions:
– What can go wrong with messages sent from the trackside to trains (either accidentally or deliberately)?
– How do we protect against failures of message transmission?
What may go wrong with messages?
• Repetition of Messages
• Deletion of Messages
• Insertion of Messages
• Resequencing of Messages
• Corruption of Messages
• Delay of Messages
• Masquerade of Messages
Repetition of Messages
• Due to failure of equipment, e.g. a message buffer is not properly flushed
• Due to deliberate storage and replay of messages
• Protection: Sequence Numbers and Timestamps
Sequence Numbers
• Add a running number to each message exchanged between a transmitter and a receiver
• Receiver checks that the number is within a suitable range of the number of the previous message
• Suitable range means:
– E.g. between 1 and 30 greater than the previous number (modulo 255) for an 8 bit number
– The suitable range depends on the expected frequency of transmission
• This ensures a message in the specified range is no older than x seconds/minutes
• Except that if the message is really old, it might still be in range, because the sequence numbers have gone right the way round!!
Timestamps
• Timestamps can plug the hole that the sequence numbering technique has
• Transmitter adds a timestamp to the message
• Receiver checks that the timestamp is within a given tolerance of the timestamp of the previous message
• Bandwidth may prevent a timestamp being sent with all messages
• Need to be careful about the 1st message received from a transmitter – how do you know its clock is right and the message is not years old?
Deletion of Messages
• May be the result of equipment failure
• Or a Denial of Service attack
• Most likely source of disruption of message transmission
• Design the system to be “fail-safe” – if messages are not received it will not cause a hazard
• Timeout on receipt of messages. If a train does not receive any messages after a given period of time, braking will be applied
• In emergency situations, you may want to know that a message has been received, in which case there must be an acknowledgement
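The checks on the Sequence Numbers, Timestamps and Deletion of Messages slides, worked through as an added example (not code from the slides or from Westinghouse): an 8-bit running number with the 1..30 window, a timestamp tolerance, and the fail-safe receive timeout. The counter width, tolerance and timeout values are assumptions; the function `wraparound_hole` reproduces the case the slides warn about, where a replayed message from an earlier cycle of the counter passes the window check and only the timestamp catches it.

```python
SEQ_MODULUS = 256     # 8-bit running number wraps 255 -> 0 (assumed width)
WINDOW = 30           # accept 1..30 steps ahead of the previous number (slide's range)
TIME_TOLERANCE = 5.0  # max seconds between consecutive timestamps (assumed value)
RX_TIMEOUT = 10.0     # seconds without a valid message before braking (assumed value)


def seq_in_window(prev, new):
    """Receiver rule: the new number is 1..WINDOW steps ahead of prev, modulo 256."""
    ahead = (new - prev) % SEQ_MODULUS
    return 1 <= ahead <= WINDOW


def timestamp_fresh(prev_ts, new_ts):
    """The timestamp must move forward, and by no more than the tolerance."""
    return prev_ts < new_ts <= prev_ts + TIME_TOLERANCE


class TrainReceiver:
    """Train-borne receiver state for messages from one trackside transmitter."""

    def __init__(self, first_seq, first_ts, now):
        # Assumption: the first message was validated out of band, since the
        # receiver cannot judge the freshness of the very first message itself.
        self.seq, self.ts, self.last_rx = first_seq, first_ts, now

    def accept(self, seq, ts, now, use_timestamps=True):
        """Return 'accept' or a reject reason; only accepted messages update state."""
        if not seq_in_window(self.seq, seq):
            return "reject: sequence number outside window"
        if use_timestamps and not timestamp_fresh(self.ts, ts):
            return "reject: timestamp stale"
        self.seq, self.ts, self.last_rx = seq, ts, now
        return "accept"

    def brakes_required(self, now):
        """Fail-safe timeout: no valid message within RX_TIMEOUT means apply braking."""
        return now - self.last_rx > RX_TIMEOUT


def wraparound_hole():
    """A message stored when the counter was at 20 on an earlier cycle (timestamp 300)
    is replayed once the receiver is back at 10: it sits inside the window, so the
    sequence check alone accepts it and the timestamp check is what rejects it."""
    replay_seq, replay_ts = 20, 300.0
    seq_only = TrainReceiver(10, 1000.0, 1000.0)
    seq_and_ts = TrainReceiver(10, 1000.0, 1000.0)
    return (seq_only.accept(replay_seq, replay_ts, 1001.0, use_timestamps=False),
            seq_and_ts.accept(replay_seq, replay_ts, 1001.0))
```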
Insertion of Messages
• Due to cross-talk
• Due to deliberate insertion of messages
• Sequence numbers will protect against a large number of false messages because the sequence number is unlikely to be within the expected range
• Otherwise see masquerading of messages
Resequencing of Messages
• Messages received in a different order to that transmitted
• Protection: Sequence Numbers and Timestamps
Corruption of Messages
• Accidental changes, e.g. from Electromagnetic Interference or collision of messages
• Deliberate changes
• Safety Codes
– CRC (Cyclic Redundancy Codes)
– Hash Codes
– Cryptographic Block Codes (Message Authentication Code)
ERTMS – Encryption
• Uses a MAC – a function of the whole message and a secret key
• A private key for each train
• Block Cipher used is single DES with modified MAC algorithm 3
Delay of Messages
• Timestamps
• Timeouts – if you don’t receive a message within a given period, enter a fail-safe state, that is, shut down and apply braking
Masquerading of Messages
• Use of identifiers
• Use of cryptographic techniques
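The MAC-over-the-whole-message and per-train-key approach from the ERTMS and Corruption slides, combined with the identifier check from this Masquerading slide, as an added example (not the slides' own code and not an ERTMS implementation). ERTMS specifies a DES-based MAC; this example substitutes HMAC-SHA256 from the Python standard library, and the message layout, key table and tag length are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed per-train keys (assumption: provisioned to trackside and train out of band).
TRAIN_KEYS = {1: bytes(range(16)), 2: bytes(range(16, 32))}
MAC_LEN = 8                       # truncated tag length in bytes (assumed)
HEADER = struct.Struct(">HBH")    # train identifier, sequence number, distance-to-go (m)


def mac_for(key, body):
    """MAC over the whole message body; HMAC-SHA256 stands in for the DES-based MAC."""
    return hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


def build_message(train_id, seq, distance_m):
    """Trackside side: header followed by a MAC under the addressed train's key."""
    body = HEADER.pack(train_id, seq, distance_m)
    return body + mac_for(TRAIN_KEYS[train_id], body)


def verify_message(my_train_id, msg):
    """Train side: (distance_m, None) on success, (None, reason) on any failure."""
    if len(msg) != HEADER.size + MAC_LEN:
        return None, "reject: bad length"
    body, tag = msg[:HEADER.size], msg[HEADER.size:]
    train_id, _seq, distance_m = HEADER.unpack(body)
    if train_id != my_train_id:
        return None, "reject: not addressed to this train"
    # The identifier is inside the MAC'd body, so it cannot be changed without the key.
    if not hmac.compare_digest(tag, mac_for(TRAIN_KEYS[my_train_id], body)):
        return None, "reject: MAC check failed"
    return distance_m, None


def tamper_demo():
    """Genuine message, a one-bit corruption of the distance field, and a captured
    message re-addressed to another train: only the genuine one is accepted."""
    genuine = build_message(1, 7, 1500)
    corrupted = bytearray(genuine)
    corrupted[3] ^= 0x01                      # flip a bit in the distance-to-go field
    relabelled = bytearray(genuine)
    relabelled[0:2] = struct.pack(">H", 2)    # change the train identifier only
    return (verify_message(1, genuine),
            verify_message(1, bytes(corrupted)),
            verify_message(2, bytes(relabelled)))
```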
Security of Rail Networks
• Of course, there are easier ways of deliberately disrupting railways than spoofing/deleting messages from trackside to train
• Difficult to gain physical access to network
An Interesting Website
• www.atcsmon.com
• Allows you to graphically monitor train traffic on railroads that use the Association of American Railroads’ Advanced Train Control System (ATCS) Specification 200 protocol (among others)
• All you need is a radio scanner! That is, when you’re not listening to the police, or baby monitors
Some other Security Issues
• Security of map data and software loaded into train control units
• Management of private keys for each train
• The future will involve satellite positioning systems (Galileo) and use of more and more COTS products, which increase the security risk
Summary
• Security issues can be safety issues too
• To get approval for systems, you have to show that you have considered threats to message integrity and protected against them
• Real applications for cryptographic techniques
Further Information
• www.westinghouserail.co.uk
• Railway Safety Standards
– BS EN 50159: Railway Applications – Communication, Signalling and Processing Systems
• ERTMS Standards – www.aeif.org/ccm/doclist.asp
• Lots of information about Communications Systems for train control, US focussed, no future maintenance: www.tsd.org
• “Safeware: System Safety and Computers” by Nancy Leveson. Addison Wesley 1995
• IEE Website (Institute of Electrical Engineers) – www.iee.org
– Railway Professional Network
– Functional Safety Professional Network