
Risk Acceptance


-LARS

While previous chapters have focused on explaining risk and risk reduction through general mitigation techniques, this chapter will explore international standards and their methods to parametrise risk for comparison.

Risk acceptance, unlike direct financial impacts, is not finite and countable.

A way to judge risk acceptance is how much agency the subject has and the degree of culpa on the part of the actor.

While the consequence of a fatal rock-climbing accident and of a murder is the same, the victim's lack of agency in the latter leads to a higher perceived cost for society and a larger willingness to pay for investigating and avoiding murders than rock-climbing accidents.

Compromised IT security often has an impact on many people due to the monoculture of programs/OS fostered by positive externalities and economies of scale.

This is why the cost of executing a known attack is extremely low compared to the costs it incurs on the target(s).

Given that economy of scale is a strong economic force, standardisation pays off: once a service or platform has reached critical mass, the marginal cost of new users decreases for the system owners, while strengthening the positive externality for other users joining the same platform. But with many users on one platform (monoculture), a vulnerability in that platform gives access to many users (attack surface).

Figure 9 Risk acceptability by 35

Drivers assume a great deal of responsibility by being the agent in control of the vehicle, with respect to both handling and maintenance, compared to boarding public transportation, where the traveller has no direct influence on safety.

But culpa is not the only factor: medical response and hospitals are built to cope with an Erlang distribution of injuries36, accommodating one car-induced injury per million capita each day nationwide37, rather than hundreds of injuries from a train or airplane accident in a local area.

Lastly there is a big difference between an identified individual and a statistical life. Thomas C. Schelling puts it well in the following quote:

“Let a six-year-old girl with brown hair need thousands of dollars for an operation that will prolong her life until Christmas, and the post office will be swamped with nickels and dimes to save her. But let it be reported that without a sales tax the hospital facilities of Massachusetts will deteriorate and cause a barely perceptible increase in preventable deaths - not many will drop a tear or reach for their checkbooks.”

38, page 115

These are the reasons for ambiguity aversion39 and for the difference in the valuation of a casualty depending on the degree of culpa, the number of people injured at the same time, and identification with a population subgroup.

This is without accounting for the epistemic uncertainty in the Danish evaluation method40 described in chapter 2.4.2 Epistemic uncertainty in Danish VSL, page 27.

35 Adams, “The Economics and Morality of Safety Revisited.”

36 A. M. de Bruin, “Dimensioning Hospital Wards Using the Erlang Loss Model. Ann Oper Res.”

37 Statistics Denmark, “Traffic Accidents with Injuries.”

38 Schelling, Choice and Consequence.

39 Treich, “The Value of a Statistical Life under Ambiguity Aversion.”

40 Danish Ministry of Transport and COWI, “Rapport om værdisætning af transportens eksterne omkostninger.”

2.3.1 Railway Safety

-LARS

With regard to security and safety, the railway has historically taken a conservative, safety-first approach, making trains one of the safest modes of transportation.

With infrastructure and rolling stock often lasting decades, the railway is interesting from a security perspective: this long operational time must be taken into account when moving from electro-mechanical systems, which can have proven safe states, to IT security resting on computationally hard problems, some of which have been downgraded from infeasible to feasible over the course of 5-10 years41.

This chapter is predominantly based on publicly available information, using standards and reports such as the redacted public version of ERTMS IT Security Threat Identification, Risk Analysis and Recommendations42, due to the difficulty of obtaining information within the railway sector. The domain seems interested in risk analysis results, but reluctant to provide input beyond pointing to the list of ERTMS standards.

Based on the open source repository of the ERTMS Formal Specs43, the only trace of SHA-1 was that on April 10th 2015 MD5 was replaced with SHA-1 in the installation software44 (line 177).

In 2011 a safety analysis noted the use of DES within the GSM-R standard, suggesting a replacement with AES45. The implementation of triple DES is described in Annex E of the EuroRadio FIS46, with a summary in chapter 7.2.

2.3.2 SIL & IEC 61508

-LARS

While most standards and protocols dealing with IT are trivial, IEC 61508 has a wide and complex range of specifications and requirements for documentation, more akin to “what is the value of a human life?” than “number of bits in the key”.

A specific example from Part 3 of the standard47 being: “6.2.3 Software configuration management shall

c) maintain accurately and with unique identification all configuration items which are necessary to meet the safety integrity requirements of the E/E/PE safety-related system.”

This displays how vague wording is used rather than specific implementation examples, making the standard complex to implement compared to NIST standards, which specify what algorithms and key lengths to use48.

A main component of IEC 61508 is the notion that security and safety are no better than the most vulnerable component, as illustrated in the previous subchapters, as well as the SIL 0-4 mentioned in chapter 2.3.1 Railway Safety, page 21.

What was not mentioned, though, is the perspective of dealing with failure rates of less than 1 in 10’000, or once every 100’000’000 hours, for Safety Integrity Level 4; 10^8 hours is 11’416 years.

As the system has to be proven to be within the specified SIL level, there needs to be a buffer accounting for uncertainties, but also cost cutting by not being right below the upper bound of a SIL level, as that increases production cost; hence the mean is a good estimate for actual components.

41 Stevens et al., “Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate.”

42 KPMG IT Advisory, “ERTMS IT Security Threat Identification, Risk Analysis and Recommendations PUBLIC VERSION.”

43 “ERTMS Solutions | ERTMSFormalSpecs - Open Source - ERTMS Solutions.”

44 “ERTMSFormalSpecs InnoInstaller5/whatsnew.htm.”

45 Mária Franeková, “Safety Analysis of Cryptography Mechanisms Used in GSM for Railway.”

46 “EuroRadio FIS - SUBSET-037.”

47 International Electrotechnical Commission, “IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems.”

48 Barker et al., “Recommendation for Key Management SP 800-57 Part 1: General Revision 3.”


To relate SIL levels with human history:

60’000 years ago humanity was confined to Africa49 ~ SIL 4

5’000 years ago marked the foundation of Troy ~ SIL 3

564 years ago Christopher Columbus was born ~ SIL 2

70 years ago we had WWII ~ SIL 1

Planning for a system not to fail within the span of human history, not only the 5’000 years since the unification of ancient Egypt under the first pharaoh but 10 times further back, when man had a population of only 2’000 individuals50, seems illogical and impossible, but it puts things in perspective.

With a production run of one million units, 60’000 years of run time are accumulated every 20 days of continuous use of the whole production run.

But this leads to uncertainty for low production runs: while there may be millions of cars, TVs and smartphones, trains are quite limited in number.

SIL levels apply to systems, and a car could be a system; sadly, it is also unclear what the scope of a SIL system is: whether a population of 60’000 cars having one brake failure each year is needed for SIL 4, or whether 15’000 cars each having a failure on one of their 4 wheel brakes qualifies for SIL 4.
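The arithmetic behind the two passages above (the 10^8 hours that become 11’416 years, and the question of how many units for how long it takes to back a SIL claim) is worth making explicit. The following Python script is an added worked example and is not part of the thesis. It assumes the IEC 61508 high-demand/continuous-mode PFH bands (probability of a dangerous failure per hour, lower bound inclusive and upper bound exclusive), converts a rate to a mean time between dangerous failures in years, computes how many calendar days a fleet of a given size needs to accumulate a given number of operating years, and, going one step beyond the text, applies the standard Poisson zero-failure bound (with no failures seen over T hours, the rate is at most -ln(1-c)/T at confidence c, about 3/T for 95 %) to show which SIL a fleet can demonstrate statistically. The fleet sizes and observation periods used in the demonstration are constructed.

```python
import math

# Assumed IEC 61508 high-demand / continuous-mode PFH bands (per hour):
# lower bound inclusive, upper bound exclusive. The low-demand PFD bands
# (e.g. "less than 1 in 10'000" per demand for SIL 4) are a different measure
# and are deliberately not modelled here.
SIL_PFH_BANDS = {
    4: (1e-9, 1e-8),
    3: (1e-8, 1e-7),
    2: (1e-7, 1e-6),
    1: (1e-6, 1e-5),
}

HOURS_PER_YEAR = 8760  # 365 days * 24 h, which is what turns 10^8 h into ~11'416 years


def sil_band(pfh: float):
    """Return the SIL whose band contains this exact failure rate, or None if outside all bands."""
    for sil, (lo, hi) in SIL_PFH_BANDS.items():
        if lo <= pfh < hi:
            return sil
    return None


def sil_achieved(pfh: float):
    """Return the highest SIL whose upper bound the rate stays below (a rate better than the
    SIL 4 band still 'achieves' SIL 4), or None if it is worse than SIL 1."""
    for sil in (4, 3, 2, 1):
        if pfh < SIL_PFH_BANDS[sil][1]:
            return sil
    return None


def mean_years_between_failures(pfh: float) -> float:
    """Mean time between dangerous failures, in years, for a constant rate per hour."""
    return 1.0 / pfh / HOURS_PER_YEAR


def days_to_accumulate(years: float, fleet_size: int, hours_per_day: float = 24.0) -> float:
    """Calendar days a fleet needs to accumulate `years` of aggregate operating time."""
    fleet_hours_per_day = fleet_size * hours_per_day
    return years * HOURS_PER_YEAR / fleet_hours_per_day


def zero_failure_rate_bound(total_hours: float, confidence: float = 0.95) -> float:
    """Upper confidence bound on the failure rate when zero failures were observed over
    `total_hours` (Poisson: P(0 failures) = exp(-rate*T) <= 1-confidence)."""
    return -math.log(1.0 - confidence) / total_hours


def best_demonstrable_sil(fleet_size: int, years_observed: float, hours_per_day: float = 24.0):
    """Highest SIL a fleet can claim from a zero-failure observation period.
    Returns (upper_bound_pfh, sil_or_None)."""
    total_hours = fleet_size * years_observed * HOURS_PER_YEAR * (hours_per_day / 24.0)
    bound = zero_failure_rate_bound(total_hours)
    return bound, sil_achieved(bound)


if __name__ == "__main__":
    print(f"10^-8 / h -> {mean_years_between_failures(1e-8):,.0f} years between failures")
    print(f"1'000'000 units: 60'000 years every {days_to_accumulate(60_000, 1_000_000):.1f} days")
    # Constructed fleets: a million-unit consumer product vs. a small train fleet.
    for name, fleet, years in (("cars", 1_000_000, 1), ("trains", 500, 10)):
        bound, sil = best_demonstrable_sil(fleet, years)
        print(f"{fleet:>9} {name} for {years:>2} years, zero failures: "
              f"rate <= {bound:.2e}/h at 95% -> SIL {sil}")
```

The last loop is the point of the "low production runs" remark: a million cars observed for one year with no brake failures accumulate enough hours to bound the rate below the SIL 4 band, while 500 trains observed for ten years can only bound it inside the SIL 3 band, however good the actual components are.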

2.3.3 European Railway Security

-LARS

The European railway is broadly sectioned into two groups: TSI and non-TSI, TSI being Technical Specifications for Interoperability.

Stretches of railway governed by TSI (part of the Trans European Network for Transportation, or TEN-T) fall under ERA jurisdiction in order to ensure the free flow of goods within the European Union (EU).

Part of this regulation set is the proposed harmonisation of signalling standards: ERTMS51 (European Rail Traffic Management System).

The responsibility for the IT security of ERTMS falls upon ENISA (European Network and Information Security Agency), though52.

49 A Family Tree for Humanity.

50 Ibid.

51 “Set of Specifications # 2 (ETCS Baseline 3 and GSM-R Baseline 0).”

52 European Railway Agency Corporate Management and Evaluation, “FW: Information Request Form - Nielsen (Dec 2).”
