The Basis for Building Integrity Monitoring System of Critical Information in ALS Based on Broadcast Radio Channel

Boris F. Bezrodnyi, Cybersecurity Center, NIIAS, JSC, Moscow, Russia, b.bezrodnyi@vniias.ru
Alexander M. Korotin, Cybersecurity Center, NIIAS, JSC, Moscow, Russia, a.korotin@vniias.ru

Abstract— The transition to the use of a radio channel for critical information transfer in automatic locomotive signaling (ALS) systems complicates ensuring the safety of railway traffic, because in this case it becomes possible to implement computer attacks from outside the controlled area that can lead to traffic accidents. Integrity monitoring systems (IMS), which ensure that the received critical information is up-to-date and was sent by a legitimate traffic participant, today exist only for ALS systems based on the point-to-point data transfer method. That is why the task of constructing an IMS for ALS based on a broadcast radio channel is topical. The main problems that need to be solved while building such an IMS are considered in this article. The conditions that influence the choice of security mechanisms in the IMS and the development of the updating procedure for the security parameters of the integrity monitoring system are determined. It is concluded that the construction of a unified IMS, which could be used to protect any ALS based on a broadcast radio channel, seems to be a difficult task. Hence further research in this field should be related to the development of a technique for constructing integrity monitoring systems applicable in ALS based on a broadcast radio channel.

Keywords— information security; transport security; cybersecurity; safety of railway traffic; automatic train signalling; automatic locomotive signaling system; broadcast radio channel; integrity monitoring system; critical information

I. INTRODUCTION

Automated control systems are widely used in the field of railway transport to solve problems associated with the control of the transportation process, including, among others, the tasks of ensuring the safety of traffic and the operation of railway transport [1, 2]. One of the control systems used to ensure traffic safety at stations and hauls is the automatic locomotive signaling system (ALS), a system for transmitting information about the permissible speed and additional conditions for the movement of railway rolling stock (permission for movement, speed limit, the route of movement along the railway station) to the on-board locomotive devices [footnote 1] [3, 4].

The information transmitted by the ALS system in the field of ensuring the safety of railway transport is attributed to critical information, i.e. information whose distortion translates the system into a dangerous state [footnote 2].

The use of radio communication systems in the ALS for transmission of critical information allows the amount of data transferred between the station part and the onboard part of the system to be increased and the likelihood of its distortion to be reduced [5]. However, such a transition to the use of ALS based on a radio channel (ALSR) complicates the ensuring of traffic safety, because in this case the communication channel between the station part and the onboard part goes beyond the control zone. There is the possibility of implementing threats to the security of critical information from the side of an external violator, associated with its modification and/or substitution, which can lead to the occurrence of transport incidents. As a protection against these threats, integrity monitoring systems (IMS) can be used to guarantee that the received critical information is up-to-date and was sent by the legitimate station or on-board part of the system [6, 7, 8, 9].

Given the fact that the use of an existing solution for protection of critical information is not always possible for ALS systems using the broadcast method of data transfer [10], the problem of constructing integrity monitoring systems for this class of ALS is topical. In this article, the problems that need to be solved during the construction of an IMS for ALS systems based on a broadcast radio channel (ALS-BR) are determined and considered.

Footnote 1: GOST R 53431-2009. Railway automation and telemechanics. Terms and definitions.
Footnote 2: OST 32.17-92. Railway automation and telemechanics safety. Basic concepts. Terms and Definitions.

II. DEFINITION OF TASKS REQUIRING SOLUTIONS DURING THE CONSTRUCTION OF IMS

Let us consider a railway section equipped with an ALS system based on a broadcast radio channel (see Figure 1). The station part of the system, in order to transmit sensitive information to the radio channel, must first obtain data about the current train situation and the state of the field devices from the systems of determining the free path and the location of the train (SDFPLT), monitoring stations and distances. As a broadcast transmission method is used, the station part sends a message to the radio channel that is intended for all traffic participants at the section at once. At the same time, the radio communication system used in ALS-BR should have a coverage area sufficient for data transmission to any participant of the traffic, regardless of its location at the section. The onboard parts of ALS-BR installed on locomotives process the received messages and use the critical information to ensure the safety of the rolling stock traffic. If two-way exchange between the station part and the onboard part of ALS-BR is required to ensure traffic safety at the section, the on-board parts of the system in turn also send messages with critical information to the radio channel, which are further processed by the station part. As the length of the section increases, the coverage of the station part of ALS-BR increases. This means that the station part of the system should receive information about the current train situation at additional stations and hauls and transmit relevant critical information throughout the section. If for some reason this is impossible, for example, there is not enough coverage of the radio communication system or the principle of system decentralization is used, then additional station parts should be installed at the section. Thus, ALS-BR at the section can have several station parts. In this case, the station parts are unified and have the same software and hardware. The onboard parts are also unified.

Fig. 1. Structural scheme of ALS based on broadcast radio channel

The violation of traffic safety and the occurrence of traffic accidents at the considered railway section are possible through the implementation of the following security threats to the critical information [11]:

- Sending fake critical information to the radio channel;
- Substitution of the base and/or subscriber station;
- Resending of previously intercepted critical information in the radio channel.

In the course of the research, protection mechanisms against these threats were identified. When ALS-BR is used, these mechanisms should be implemented in the IMS for traffic safety.

To protect against the first threat, each message of critical information should contain verification information that guarantees the authenticity of the transmitted data, i.e. that it was not modified without authorization during transmission. A digital signature (DS) or authentication codes (AC) can be used as verification information [12, 13]. To denote the sequence of bits necessary for calculating and verifying DS and AC, within the framework of the IMS, the term integrity monitoring parameter of the critical information is used. At the time of critical information exchange, the integrity monitoring parameters must be located at the station and onboard parts of the ALS-BR and used to calculate and verify the DS or AC. In this case, the confidentiality of the integrity monitoring parameters necessary for computing the verification information must be ensured. Thus, if the intruder does not know the integrity monitoring parameters of the critical information necessary to calculate the DS or AC, then he will not be able to implement the threat of sending fake information to the radio channel.

To determine the possible mechanisms of protection against the threat of substitution of radio stations, we consider a railway section equipped with an ALS-BR system, along which the locomotive L1 is moving. In the further analysis of this threat, for brevity, by the onboard part of the ALS-BR system we mean only the on-board equipment of the locomotive L1. Let us suppose that at the moment of time t0 the onboard part of the ALS-BR establishes a connection with the station part of the system and the exchange of critical information begins between them. At time t1, the locomotive L1 finishes its movement on the considered section and the exchange of critical information between it and the station equipment terminates. Then, in order to neutralize the threat of sending fake information at any time t ∈ (t0, t1], the integrity monitoring parameters must be in the station part and the onboard part of the ALS-BR. We introduce the function f(t): [t0, t1] → {0, 1}, which shows the presence of integrity monitoring parameters in the station and onboard parts of ALS-BR as a function of time t: f(t) = 1 if the station and onboard parts of the ALS-BR have all necessary integrity monitoring parameters to ensure safe exchange of critical information, otherwise f(t) = 0. Then, ∀ t ∈ (t0, t1] f(t) = 1, and f(t0) = 1 or f(t0) = 0.

If the substitution of the radio station occurs at a time t such that f(t) = 1, then as a protection mechanism the verification information (DS or AC) can be used to ensure the integrity of application-level messages, including critical information, as well as the authenticity of traffic participants, because only legitimate traffic participants know the integrity monitoring parameters. Thus, if the intruder does not know the integrity monitoring parameters of the critical information, then the substitution of radio stations will not allow him to impersonate a legitimate traffic participant, and as a result, the implementation of this threat will not violate the safety of traffic. If the substitution occurs at a time t such that f(t) = 0, which is possible only at the moment of establishing a connection between the station and the onboard parts (t = t0), then the authentication procedure of the traffic participants, which allows the authenticity of the participants to be determined and the integrity monitoring parameters to be delivered to them, should be used as a protection mechanism.

Thus, it is enough to use DS and/or AC to protect against the threat of radio station substitution during the exchange of critical information between parts of ALS-BR. To protect against the threat of radio station substitution during the establishment of a connection between ALS-BR parts, if they lack the integrity monitoring parameters necessary for the safe exchange of critical information, it is required to develop an authentication procedure for traffic participants which ensures the safe delivery of these parameters.

Timestamps or the sequence number of application-level messages containing critical information may be applied to block the threat of resending previously intercepted critical information [14, 15].

Building an IMS with the use of integrity monitoring parameters leads to the need to solve the problem of managing these parameters [16]. One of the key management issues is the development of a procedure for updating the parameters [17], within which it is necessary to determine the order of the performed actions, to select communication channels for data transmission, and to ensure the security of delivery.

Thus, as a result of the research, it was found that when building an IMS it is necessary to define a mechanism for protection against the threat of sending fake information (DS or AC), to develop an authentication procedure, to choose a mechanism to protect against the threat of retransmission of information, and to develop a procedure for updating integrity monitoring parameters.

III. CONDITIONS AFFECTING THE SELECTION OF PROTECTION MECHANISMS IN THE IMS

As a result of the analysis of the threat of sending false information and the possible protection mechanisms against it, the conditions influencing the choice of DS and AC for the protection of station and onboard messages, presented in Tables 1 and 2 respectively, were determined. The parameter TrustedL ∈ {0, 1} determines whether the onboard parts of the ALS-BR are trusted; ISsec1/ILsec1 is the maximum amount of information that can be contained in the DS and/or AC to protect station/onboard messages; LDS is the size of the DS for the selected cryptographic algorithm; TSmsg/TLmsg is the permissible time of calculation and verification of DS and/or AC for the protection of station/onboard messages; TDS is the time of calculation and verification of the DS for the selected cryptographic algorithm; UAL ∈ {0, 1} is the relevance of the threat of unauthorized access (UA) to the onboard side of the ALS-BR and of compromise of the integrity monitoring parameters stored in it.

TABLE I. CONDITIONS FOR DETERMINING THE POSSIBLE USE OF DS AND AC WITHIN THE FRAMEWORK OF THE IMS FOR STATION MESSAGES PROTECTION

Fulfillment of condition | TrustedL = 1 | ISsec1 ≥ LDS | TSmsg ≥ TDS | UAL = 0
Yes                      | DS/AC        | DS/AC        | DS/AC       | DS/AC
No                       | DS           | AC           | AC          | DS

TABLE II. CONDITIONS FOR DETERMINING THE POSSIBLE USE OF DS AND AC WITHIN THE FRAMEWORK OF THE IMS FOR ONBOARD MESSAGES PROTECTION

Fulfillment of condition | ILsec1 ≥ LDS | TLmsg ≥ TDS
Yes                      | DS/AC        | DS/AC
No                       | AC           | AC

The analysis of the threat of substitution of the base and/or subscriber station allowed the task that should be solved within the framework of the authentication procedure for the traffic participants to be formulated: it is necessary to ensure the safe delivery of the integrity monitoring parameters to the traffic participants while limiting the amount of information that can be transmitted within the authentication procedure.

The task of safe delivery consists of two subtasks:

- delivery of the verification parameter for the station messages PSIM from the station part of ALS-BR to the onboard part;
- delivery of the verification parameter for the onboard messages PLIM to the station part of the ALS-BR, or of the parameter for calculating the DS/AC PLIM to the onboard part.

The solution of the first subtask is possible in two ways. In the first, the parameter PSIM (Figure 2a) is transmitted via the radio channel. In the second, information that allows PSIM to be calculated or determined at the onboard part of ALS-BR (see Figure 2b) is transmitted via the radio channel. In Figure 2a, [PSIM]PA means safe transfer of the parameter PSIM to the onboard part of the ALS-BR using the authentication parameter PA.

Fig. 2. Possible options for delivery of PSIM to the onboard part: delivery of parameter PSIM (a), delivery of additional information (b)

As a result of the analysis of the possible solutions, the conditions influencing their choice, presented in Table 3, were determined. The parameter pSAC/pLAC ∈ {0, 1} determines the choice of the protection mechanism against the threat of sending fake information for station/onboard messages; ISsec2/ILsec2 is the maximum amount of information that can be transmitted within the authentication from the station/onboard part of ALS-BR; LSP/LLP/LLP is the size of the parameter PSIM/PLIM/PLIM; Sync_upd ∈ {0, 1} is the possibility of manual synchronous updating of the IMS parameters at the station and onboard parts of ALS-BR; Ext_chL ∈ {0, 1} is the presence of a communication channel with the onboard part of the ALSR which allows the procedure of remote updating of the IMS parameters to be performed.

TABLE III. CONDITIONS FOR DETERMINING THE POSSIBLE SOLUTIONS OF PARAMETER PSAC DELIVERY TO THE ONBOARD PART OF ALS-BR

Fulfillment of condition | pSAC = 1     | UAL = 0      | ISsec2 ≥ LSP | Sync_upd = 1 | Ext_chL = 1
Yes                      | 1st/2nd opt. | 1st/2nd opt. | 1st/2nd opt. | 1st/2nd opt. | 1st/2nd opt.
No                       | 1st opt.     | 1st opt.     | 2nd opt.     | 1st opt.     | 1st opt.

In order to solve the second subtask, the delivery of the parameter PLIM or PLIM to the station or onboard part of ALS-BR, four possible variants were identified:

- Delivery of the parameter PLIM to the station part of ALS-BR (1st option);
- Delivery of information that allows PLIM to be calculated or determined at the station part of ALS-BR (2nd option);
- Delivery of the parameter PLIM to the onboard part of ALS-BR (3rd option);
- Delivery of information that allows PLIM to be calculated or determined at the onboard part of ALS-BR (4th option).

Analysis of the solution options allowed the conditions that affect the choice of solution to be determined; they are presented in Table 4.

TABLE IV. CONDITIONS FOR DETERMINING POSSIBLE TASKS OF PARAMETERS PLIM OR PLIM TO THE STATION OR ONBOARD PARTS OF ALS-BR RESPECTIVELY

Fulfillment of condition | pLAC = 1             | ILsec2 ≥ LLP         | ILsec2 ≥ LLP
Yes                      | 1st/2nd/3rd/4th opt. | 1st/2nd/3rd/4th opt. | 1st/2nd/3rd/4th opt.
No                       | 1st/3rd opt.         | 1st/2nd/4th opt.     | 2nd/3rd/4th opt.

During the analysis of protection mechanisms against resending threats, an inequality (1) that specifies the minimum amount of information ITS/SEQ that must be contained in the timestamp or in the message sequence number to protect against the specified threat, and an inequality (2) defining the minimum frequency of timestamp calculations fTS, were obtained:

$$I_{TS/SEQ} \ge \log_2\left(\frac{K_{msg} \cdot T_{AC}}{T_{exc}}\right), \quad (1)$$

$$f_{TS} \ge \frac{K_{msg}}{T_{exc}}, \quad (2)$$

where Kmsg is the number of messages transmitted via the radio channel during the exchange period Texc; TIM is the duration of use of the integrity monitoring parameter that protects the Kmsg messages. At the same time, the value of the parameter Kmsg depends on the presence of mechanisms for determining the direction of message transmission and the identification of the sender in the ALS-BR. It was concluded that if the mechanism of timestamps or message sequence numbers has already been implemented at the application level of ALS-BR, then, if inequalities (1) and (2) are fulfilled for it, it can be used to protect critical information within the IMS.

In the absence of a ready mechanism, the choice between timestamps and message sequence numbers is determined in accordance with the conditions presented in Tables 5 and 6. The parameter time_equip ∈ {0, 1} determines the availability of additional equipment at the station and onboard parts of ALS-BR to determine the exact time; Isync is the amount of information that must be transmitted via the radio channel within the authentication procedure to synchronize the values of the sequence numbers between the station and onboard parts of the ALS-BR; ITSmin/ISEQmin is the minimum amount of information that should be contained in the timestamp/message sequence number within the IMS; ISsec3/ILsec3 is the maximum amount of information that can be contained in the timestamp/sequence number to protect station/onboard messages; Tconn is the admissible time for connection establishment and the transition to the critical information transfer.

TABLE V. CONDITIONS FOR DETERMINING THE POSSIBILITY TO USE TIME STAMPS AND SEQUENCE NUMBERS WITHIN IMS TO PROTECT STATION MESSAGES

Fulfillment of condition | time_equip = 1 | Isync ≥ Kmsg(ITSmin − ISEQmin)Tconn/Texc | ISsec3 ≥ ITSmin
Yes                      | TS/SEQ         | TS                                       | TS/SEQ
No                       | SEQ            | SEQ                                      | SEQ

TABLE VI. CONDITIONS FOR DETERMINING THE POSSIBILITY TO USE TIME STAMPS AND SEQUENCE NUMBERS WITHIN IMS TO PROTECT ONBOARD MESSAGES

Fulfillment of condition | time_equip = 1 | Isync ≥ Kmsg(ITSmin − ISEQmin)Tconn/Texc | ILsec3 ≥ ITSmin
Yes                      | TS/SEQ         | TS                                       | TS/SEQ
No                       | SEQ            | SEQ                                      | SEQ

Analysis of the task of updating the security parameters of the IMS has made it possible to determine the ALS-BR parameters that affect the development of the update procedure. They include the possibility of manual synchronous updating of the IMS parameters at the station and onboard parts of the ALS-BR (Sync_updL ∈ {0, 1}) and the presence of a communication channel with the onboard part of the ALS-BR that allows the procedure of remote updating of the IMS parameters to be performed (Ext_chL ∈ {0, 1}).

IV. CONCLUSION

The research showed that the integrity monitoring system should contain protection mechanisms against security threats to critical information in order to ensure traffic safety during the use of ALS based on a broadcast radio channel. A digital signature or authentication codes can be used to protect against the threat of sending fake information. In order to protect against the threat of base and/or subscriber station substitution, the IMS should use an authentication procedure for traffic participants which ensures the safe delivery of the integrity monitoring parameters to the onboard and/or station parts of the ALSR. To protect against the threat of resending information, timestamps or sequence numbers of messages should be used. In addition, as the use of DS or AC is supposed to protect critical information, the procedure for updating integrity monitoring parameters should be provided in the IMS.

The obtained conditions that affect the choice of protection mechanisms and update procedures depend on the properties and parameters of the ALS-BR system, which are determined by the operating conditions of the system, the radio communication system used, the software and hardware, and the current normative base [17, 18]. The large number of conditions that affect the process of constructing the IMS makes it possible to conclude that the construction of a unified IMS, which could be used to protect any ALS-BR, is a difficult task. In general, to ensure traffic safety when ALS-BR is being used, an IMS which considers its parameters and features should be built. Thereby the purpose of further research on this topic should be the development of a methodology for constructing IMS applicable in ALS-BR, which would consider the properties and features of ALS systems of this class.

REFERENCES

[1] Flammini F. Railway Safety, Reliability and Security: Technologies and Systems Engineering. IGI Global, 2012, 487 p.
[2] Liudvinavičius L., Sładkowski A. New possibilities of railway traffic control systems. Transport Problems, 2016, Vol. 11, Iss. 2, pp. 133-142. DOI: 10.20858/tp.2016.11.2.13.
[3] Flammini F. Automatic Train Protection Systems. Ind Eng Manage, 2013, Vol. 2, Iss. 5. DOI: 10.4172/2169-0316.1000120.
[4] Theeg G. Railway Signalling & Interlocking: International Compendium. Eurailpress, 2009, 448 p.
[5] Tilk I.G. ALS s ispol'zovaniem radiokanala [ALS using radio channel]. Avtomatika Svyaz' Informatika [Automatics Communication Informatics], 2010, N 7, pp. 7-9. (In Rus).
[6] Bakurkin R., Bezrodnyi B., Korotin A. Protivodeystviye komp'yuternym atakam v sfere zheleznodorozhnogo transporta [Counteraction to computer attacks in the field of railway transport]. Voprosy kiberbezopasnosti [Cybersecurity issues], 2016, N 4(17), pp. 29-35. DOI: 10.21681/2311-3456-2016-4-29-35.
[7] Konyavskiy V., Epishkina A., Korotin A. The design of integrity monitoring and reliability verification system for critical information, transmitted in automatic train signaling system, based on DMR-RUS radio channel. Procedia Computer Science, 2016, Volume 88C, pp. 318-323. DOI: 10.1016/j.procs.2016.07.442.
[8] Kostogryzov A., Atakishchev O., Stepanov P., Nistratov A., Grigoriev L. Probabilistic modelling processes of mutual monitoring operators actions for transport systems. In: 2017 4th International Conference on Transportation Information and Safety (ICTIS), 8-10 Aug. 2017. IEEE, 2017, pp. 865-871. DOI: 10.1109/ICTIS.2017.8047869.
[9] Vorobiev E.G., Petrenko S.A., Kovaleva I.V., Abrosimov I.K. Organization of the entrusted calculations in crucial objects of informatization under uncertainty. In Proceedings of the 20th IEEE International Conference on Soft Computing and Measurements (24-26 May 2017, St. Petersburg, Russia). SCM 2017, 2017, pp. 299-300. DOI: 10.1109/SCM.2017.7970566.
[10] Konyavskiy V., Epishkina A., Korotin A. The design of integrity monitoring and reliability verification system for critical information, transmitted in automatic train signaling system, based on DMR-RUS radio channel. Procedia Computer Science, 2016, Volume 88C, pp. 318-323. DOI: 10.1016/j.procs.2016.07.442.
[11] Korotin A. Analiz ugroz bezopasnosti otvetstvennoy informatsii, peredavayemoy sistemoy ALS na baze radiokanala [Analysis of security threats of critical information transmitted by the ALS system based on radio channel]. Bezopasnost' informatsionnykh tekhnologiy [Security of information technology], 2017, N 2, pp. 42-49. DOI: 10.26583/bit.2017.2.05.
[12] Canetti R., Garay J., Itkis G., Micciancio D., Naor M., Pinkas B. Multicast security: a taxonomy and some efficient constructions. In Proc. 18th Annual Joint Conf. of the IEEE Computer and Communications Societies (INFOCOM '99), IEEE, 1999, Vol. 2, pp. 708-716. DOI: 10.1109/INFCOM.1999.751457.
[13] Salem M.B. Towards Effective Masquerade Attack Detection. Columbia University, 2012, 187 p.
[14] Aura T. Strategies against replay attacks. In Proceedings of the 10th IEEE Computer Society Foundations Workshop. IEEE, 1997, pp. 59-68. DOI: 10.1109/CSFW.1997.596787.
[15] Syverson P. A taxonomy of replay attacks. In Proceedings of the Computer Security Foundations Workshop (CSFW97). IEEE, 1994, pp. 187-191. DOI: 10.1109/CSFW.1994.315935.
[16] Shubinsky I., Zamyshlyaev A. Risk Management System on the Railway Transport. In Proc. of the 2016 Second International Symposium on Stochastic Models in Reliability Engineering, Life Science and Operations Management (15-18 Feb. 2016), IEEE, SMRLO, Beer-Sheva, Israel, 2016, pp. 481-486. DOI: 10.1109/SMRLO.2016.84.
[17] Schneier B. Applied Cryptography, Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc., 1994.
[18] Barabanov A., Markov A. Modern Trends in The Regulatory Framework of the Information Security Compliance Assessment in Russia Based on Common Criteria. In Proceedings of the 8th International Conference on Security of Information and Networks (Sochi, Russian Federation, September 08-10, 2015). SIN '15. ACM New York, NY, USA, 2015, pp. 30-33. DOI: 10.1145/2799979.2799980.
[19] Markov A., Luchin D., Rautkin Y., Tsirlov V. Evolution of a Radio Telecommunication Hardware-Software Certification Paradigm in Accordance with Information Security Requirements. In Proceedings of the 11th International Siberian Conference on Control and Communications (Omsk, Russia, May 21-23, 2015). SIBCON-2015. IEEE, 2015, pp. 1-4. DOI: 10.1109/SIBCON.2015.7147139.
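The following worked example is added here and is not part of the paper: it implements the station-message protection of Sections II and III for the AC case, namely an authentication code computed with the integrity monitoring parameter over the message and its sequence number, the replay check at the onboard part, and the sizing inequalities (1) and (2). HMAC-SHA256 as the AC algorithm, the key value and the message contents are assumptions of this example; the paper fixes none of them.

```python
"""Added illustration (not the paper's code): AC over (SEQ, payload) keyed
with the integrity monitoring parameter P_IM, replay rejection at the onboard
part, and the sizing inequalities (1) and (2).  HMAC-SHA256, the key value and
the message contents are assumptions made for this example."""
from __future__ import annotations
import hashlib
import hmac
import math
from dataclasses import dataclass


def min_seq_bits(k_msg: int, t_ac: float, t_exc: float) -> int:
    """Inequality (1): I_TS/SEQ >= log2(K_msg * T_AC / T_exc), rounded up to
    whole bits.  K_msg messages per exchange period T_exc; the parameter is
    used for T_AC (same time unit as T_exc)."""
    if min(k_msg, t_ac, t_exc) <= 0:
        raise ValueError("K_msg, T_AC and T_exc must be positive")
    return math.ceil(math.log2(k_msg * t_ac / t_exc))


def min_timestamp_rate(k_msg: int, t_exc: float) -> float:
    """Inequality (2): f_TS >= K_msg / T_exc, so that no two messages of one
    exchange period can carry the same timestamp."""
    return k_msg / t_exc


@dataclass
class IMSParameter:
    """Integrity monitoring parameter P_IM shared by station and onboard parts."""
    key: bytes
    seq_bits: int          # width of the sequence-number field, sized by (1)


def compute_ac(param: IMSParameter, seq: int, payload: bytes) -> bytes:
    """AC = HMAC-SHA256(P_IM, SEQ || payload).  SEQ is covered by the AC so a
    replayed message cannot simply be given a fresh number."""
    seq_field = seq.to_bytes((param.seq_bits + 7) // 8, "big")
    return hmac.new(param.key, seq_field + payload, hashlib.sha256).digest()


@dataclass
class StationPart:
    param: IMSParameter
    next_seq: int = 0

    def send(self, payload: bytes) -> tuple[int, bytes, bytes]:
        """Broadcast one critical-information message as (SEQ, payload, AC)."""
        if self.next_seq >= 1 << self.param.seq_bits:
            # Field sized by (1) is exhausted: the update procedure for the
            # integrity monitoring parameters must run before sending more.
            raise OverflowError("sequence number exhausted; update P_IM")
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        return seq, payload, compute_ac(self.param, seq, payload)


@dataclass
class OnboardPart:
    param: IMSParameter
    last_seq: int = -1     # highest SEQ accepted so far by this locomotive

    def accept(self, seq: int, payload: bytes, ac: bytes) -> str:
        """Return 'accepted', 'ac_mismatch' (forged or modified) or 'replay'."""
        if not hmac.compare_digest(compute_ac(self.param, seq, payload), ac):
            return "ac_mismatch"
        # A broadcast receiver may miss messages, so require strictly
        # increasing SEQ rather than exactly last_seq + 1.
        if seq <= self.last_seq:
            return "replay"
        self.last_seq = seq
        return "accepted"


def run_scenario() -> list[str]:
    """Constructed exchange: two genuine messages, a replay of the first, a
    modified copy of the second, and a message from an intruder without P_IM."""
    bits = min_seq_bits(k_msg=10, t_ac=3600, t_exc=1)    # 16 bits
    param = IMSParameter(key=b"constructed-demo-parameter", seq_bits=bits)
    station, onboard = StationPart(param), OnboardPart(param)
    m1 = station.send(b"permission=proceed;speed_limit=60")
    m2 = station.send(b"permission=proceed;speed_limit=40")
    seq2, _, ac2 = m2
    forged = b"permission=proceed;speed_limit=90"
    intruder = IMSParameter(key=b"guessed-key", seq_bits=bits)
    return [
        onboard.accept(*m1),
        onboard.accept(*m2),
        onboard.accept(*m1),                                  # replay of m1
        onboard.accept(seq2, forged, ac2),                    # modified m2
        onboard.accept(99, forged, compute_ac(intruder, 99, forged)),
    ]
```

The same check applies unchanged to onboard messages protected by AC; with a DS, `compute_ac` would be replaced by signing at the sender and verification with the public parameter at the receiver, and the sequence-number logic stays the same.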