threats to software security integrated with the safety planning process phil cooke battlespace...
TRANSCRIPT
![Page 1: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/1.jpg)
Threats to Software SecurityIntegrated with the Safety Planning
Process
Phil Cooke
Battlespace Management - Safety Policy
Royal Air Force
![Page 2: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/2.jpg)
Contents
• Introduction• Stuxnet – the first of many• Latest ‘Mask’ Malware• A Need to Do More• Safety vs Security, Failure vs Attack• Attack Trees and Guide Words• Simple Case Studies
![Page 3: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/3.jpg)
Safety in the Traditional Sense
• FSSE – Nature of accidents– Flixborough 1974
• Health and Safety at Work etc Act 1974
![Page 4: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/4.jpg)
Safety in the Traditional Sense
• FSSE – Nature of accidents– Challenger 1986
• Leakage issue on previous flights
![Page 5: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/5.jpg)
Safety in the Traditional Sense
• FSSE – Nature of accidents– Bexley 1997
• Maintenance issues, Overloading wagons and excess speed
![Page 6: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/6.jpg)
Background and Motivation
• Pervious working environment• Stuxnet Virus 2009/2010• Interest in Supervisory Control and Data Acquisition
(SCADA) systems including Programmable Logic Controllers (PLCs)
• New Role working in ATM environment• Desire to combine knowledge of Security and Safety as
little exists on this subject
![Page 7: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/7.jpg)
Stuxnet – The First (?) of Many (?)
• Virus discovered in Jun 2010, origin back in Jun 09• Targets a very specific hardware/software configuration at
Natanz, Iran – Uranium reprocessing facility• Executes by re-programming the PLC out of specified
boundaries• Virus deployed via USB pen drive on maintenance laptop• Duqu discovered in Sep 11 thought to be connected to
Stuxnet• Flame discovered in May 2012 thought to be connected
to Stuxnet
![Page 8: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/8.jpg)
Stuxnet 0.5
• Stuxnet 1.0 discovered in Jun 2010• Variants later discovered but traced back as early as Nov
2007 and development as early as 2005• Similar attack vector but closed valves instead of
changing the rotation speed of centrifuges• More versions known to exist but code has never been
recovered• Many other SCADA systems vulnerable to attack
![Page 9: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/9.jpg)
RAS Gas computer systems taken off line
days after a similar attack on Aramco (Aug 12)
Saudi Arabia’s national oil company was attacked by the Shamoon virus, which
targets energy sector infrastructure (Aug 12)
![Page 10: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/10.jpg)
Mask Malware
• Aimed at Gov’ts and Finance Firms• Probably created by a Nation State• Reported by Kaspersky/BBC
Technology website on 11 Feb 2014• Involved in cyber espionage
operations since at least 2007• Ahead of Duqu in terms of
sophistication• Is this just the tip of the Iceberg?
![Page 11: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/11.jpg)
How Skilled Do You Need To Be?
![Page 12: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/12.jpg)
A Need to Do More
• Security and Safety need to be considered as a unity of specialisations and not just bolt-on’s to each other.
• Similarities with Safety a number of years ago?• Develop a methodology to integrate security aspects into
the safety analysis process• Cross domain applicability• Ability to apply at any stage of the safety lifecycle to
capture legacy projects
![Page 13: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/13.jpg)
Safety vs Security, Failure vs Attack
• Systems need to operate in a safe manner• Systems need to be maintainable by many different and
disparate parties• Systems need to fail safe• Systems need to be resilient and resistant to attack
![Page 14: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/14.jpg)
What Previously Existed
• Security Processes or Tools– Casals et al, 2012– 6 Step Process
• 1st 3 Steps considered and developed– Context establishment– Preliminary Risk Assessment– Vulnerability Assessment
![Page 15: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/15.jpg)
What Previously Existed
• Attack Trees– Schneier, 1999– Used within the US DoD Defense Acquisition Guidebook (US
DoD 2012)• Simple example is an activity such as trying to open or
break into a safe.• Helpful to have Guide Words to assist in the process
![Page 16: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/16.jpg)
Open safe
Learn combination
Cut open safePick lockInstall
improperly
Find written combination
Get combination from target
Get target to state
combination
Listen to conversation
Blackmail EavesdropThreaten Bribe
![Page 17: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/17.jpg)
Log in to UNIX account
Learn password
Guess password
No password required
Use widely known
passwords
Find written password
Get password from target
Obtain sniffer output file
Install keyboard
sniffer
Blackmail StealThreaten Bribe
![Page 18: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/18.jpg)
Log in to UNIX account
Learn password
Guess password
No password required
Use widely known
passwords
Find written password
Get password from target
Obtain sniffer output file
Install keyboard
sniffer
Blackmail StealThreaten Bribe
Open safe
Learn combination
Cut open safePick lockInstall
improperly
Find written combination
Get combination from target
Get target to state
combination
Listen to conversation
Blackmail EavesdropThreaten Bribe
![Page 19: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/19.jpg)
Guide (Threat) Words
• Prof McDermott– Art rather than a Science
• Opdahl and Sindre– Brainstorming activity
• Use process similar to FHA– SHARD guidewords – Omission. Commission, Early, Late,
Value• Look for Threat Words rather than Guide Words
– Configuration, Authentication, Jamming, Replay, Lifecycle (learning)
![Page 20: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/20.jpg)
Methodology Development
• Context Establishment
• Preliminary Risk Assessment
• Vulnerability Assessment
Define Initial Security Context
Define Threat Words
Obtain Preliminary System FTA
Develop Attack Trees to enable further Context establishment
Identify Primary Assets
IdentifyThreats to Security
Define Scenarios affecting Safety
Establish Likelihood of Occurrence
Define Severityof Outcome
Identify Vulnerabilities
Identify Vulnerable Assets
Develop Vulnerabilities
using Attack Trees
![Page 21: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/21.jpg)
Case Study 1 – Implantable Medical Device
• Devices able to administer medication at varying rates• Read patients state and report back to a physician• Remote diagnostic/treatment
– Implantable Cardiac Defibrillators (ICDs)– Drug Delivery Systems (eg Insulin Pumps)– Neurostimulators (eg for Parkinson’s Disease)
![Page 22: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/22.jpg)
Context Establishment
• Considers IMDs in general, no FTA• Threat words:
– Access– Identification or Privacy– Configuration– Authorisation– Availability– Distance– Frequency– Safety
![Page 23: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/23.jpg)
Context Establishment
• Define Initial Security Context– Passive or active or coordinated adversaries, Insider attack.
• Active Adversary Attack Tree Active adversary interferes with
communications
Has capability to receive and decode
signals
Has capability to transmit signals
Can transmit incorrectly encoded
signals
Can transmit correctly encoded
signals
Passiveadversary
eavesdrops on signals
AttemptingDDoSattack
Attemptingmalicious
attack
![Page 24: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/24.jpg)
Preliminary Risk Assessment
• Identify Primary Assets– IMD, programming devices, management devices
• Identify Threats to Security– From research, encryption is not used between IMDs and
supporting equipment, however the signalling format could be spoofed allowing unauthorised transmissions to be sent.
– Devices transmit when a magnet is placed nearby– Device programmable or readable 24hrs per day?
• Define Scenarios Affecting Safety– Patient entering a treatment room in a non-local environment– Important or influential figure fitted with IMD– Organised Crime gangs seeking to steal device
![Page 25: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/25.jpg)
Preliminary Risk Assessment
• Patient in a non-local environmentPatient requires
emergency treatment in a foreign location
Foreign denotes away from their normal
medical staff
Medical Staff aware, but unable to communicate
correctly with IMD
Medical staff unaware of IMD
constraints or special requirements
IMD requires authorisation or authentication
Medical staff unable to deactivate IMD to allow other surgical
procedure
Medical Staff unable to get patient history
IMD damaged by medical treatment
Patient harmed by medication or by IMD
working against medication
Patient incapacitatedor unable to
communicate presence of IMD
Medical staff treat patient without
knowledge of IMD
Medical Staff need to know to scan for
device
Authenticationor encryption prevents
access to IMD
Authenticationor encryption prevents
access to IMD
Authenticationor encryption prevents
access to IMD
Authenticationor encryption prevents
access to IMD
IMD shouldemit tone or vibration
when magnet is placed nearby
Treatmentcould be contra toIMD medication
requirements
![Page 26: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/26.jpg)
Preliminary Risk Assessment
• Establish Likelihood of Occurrence– As of 2012, no evidence could be found regarding attacks on
IMDs– Kramer et al, 2012, states “there are no known case reports of
malevolent interference that specifically target medical device function”
![Page 27: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/27.jpg)
Preliminary Risk Assessment
• Severity of Outcome– Worst case is death– Least is possible early failure of device
• Most devices are 5-7 years so replacement is always assumed necessary at some future point
![Page 28: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/28.jpg)
Vulnerability Assessment
• Identify Vulnerable Assets– IMD and supporting equipment
• Identify Vulnerabilities– Replay Attack– Electromagnetic interference– Malware on supporting PC– DoS attack
• Develop Attacks using Attack Trees
![Page 29: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/29.jpg)
Evaluation and Further Work
• IMD use and proliferation is growing• Technology is outpacing Security, not Safety
– Possibly security through ambiguity– Stuxnet was directed at 2 specific targets worldwide
• IMDs must have high security but ease of access• Consider a dual approach – threat in one direction,
vulnerability in the other
![Page 30: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/30.jpg)
Case Study 2 – European Railway Traffic Management System - ERTMS
• The ERTMS aims to replace the many different national train control and command systems in Europe with a standardised system.
• System relies upon the GSM networks.• A full and complete security audit was performed on the
ERTMS and in précis was:– The specs from a safety perspective were considered and
safety requirements for technical interoperations were derived– Consideration of the context in which ERTMS operates and
its trust relationships with other systems– Both top down and bottom up approaches investigated– Attack scenarios devised and graded
![Page 31: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/31.jpg)
Context Establishment
• System description available from ERTMS web page
![Page 32: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/32.jpg)
Context Establishment
• Define Threat Words:– Location
• Balise position• Cuttings, tunnels, shadowing by other trains• GPS used as a backup when GSM is lost?
– Access• Data - system uses cryptography and all users have same key• Data – GSM-R: Handsets authenticate with the network but not vice
versa• Physical – some data is entered locally
– Identification• Each train has a unique identity – spoofing?• Balises are not physically protected• GSM repeater could be spoofed and information extracted
![Page 33: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/33.jpg)
Context Establishment
• Define Threat Words:– Authorisation
• Can the driver override some or all aspects? How is this recorded?• If GSM-R is the sole source of authorisation, what happens in an
outage?
– Jamming• Passenger using small GSM jamming device – what effect to ERTMS?• What precedence is given to GSM-R traffic?
– Etc etc
![Page 34: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/34.jpg)
Context Establishment
• Define Initial Security Context– What could be gained from attacking the system– How could the system be attacked?– What capabilities would the attacker need?
![Page 35: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/35.jpg)
Context Establishment
• Develop Attack TreesERTMS open to security attack
compromising safety
Linked Balise
Radio Block Centre attack
Network attack
ECTS attack
Unlinked Balise
GSM-R attackBalise attack
Crypto attack
Information erorrPosition errorPosition error Information erorr Software radio attackSignal jamming
attack
![Page 36: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/36.jpg)
Preliminary Risk Assessment
• Identify Primary Assets– European Train Control System – ETCS– GSM-R – railway specific system built upon GSM standards
• ETCS– Onboard– Trackside
• Balises• Radio Comms System (GSM-R)• Radio Block Centres – issue movement authorisations to trains
![Page 37: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/37.jpg)
Preliminary Risk Assessment
• Identify Threats to Security– 93 page report written on the “ERTMS Specification Security
Audit Analysis of Attack Scenarios” 29 July 2011– Balise location considered for the remainder of the case study– Uses standard transmission protocol– Position or positional data could be affected– Metallic structures affecting balise signal performance
![Page 38: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/38.jpg)
Preliminary Risk Assessment
• Define Scenarios Affecting Safety– Reputational/financial attack by an active aggressor but with
limited technical knowledge of the system– Balise is moved closer to or further away from neighbour thus
changing the reported position of the train or causing an error signal to be generated
• Establish Likelihood of Occurrence– Hard to estimate without greater technical knowledge of the
system
![Page 39: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/39.jpg)
Preliminary Risk Assessment
• Define Severity of Outcome– Also hard to estimate without greater system knowledge– Train movements would be scheduled to allow for greatest
traffic flow but with sufficient time in-between trains for safety reasons similar to airport arrival and departure traffic.
– Positional errors would need to be evaluated for different areas. Busy junctions (Clapham junction) would work with a smaller error than a remote location with a low density of points
![Page 40: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/40.jpg)
Preliminary Risk AssessmentNon-technological attacker seeks to
damage reputation or finances of company
Attack route chosen is via the balises
Un-noticed access to the trackside and
balise
Physical access required to the
trackside and balise
Attack performed at night or during dawn/
dusk periods
Mount attack in tunnel or railway
cuttingMove balisePlace new balise
Disrupt balise communications
Reprogram balise
discounted due to technology
required
Obtain balisefrom anotherarea or track
Place conductoror metallic object
near balise
Remove balise completely
Reduce distance between balises
Increase distance
between balises
![Page 41: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/41.jpg)
Vulnerability Assessment
• Identify Vulnerable Assets– Large proportion of the system relies on assets outside the
control or standards of the ERTMS– GSM-R may be adaptable but GSM unlikely– Balise and programming device– Driver (always has positive control)– Network infrastructure
• Remember O2 outage in 2012 where some users affected but not others?
– Identify Vulnerabilities• Network Outages
![Page 42: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/42.jpg)
Vulnerability Assessment
• GSM_R Outage Vulnerability
ETRMS susceptible to Network Outages
Partial Network outage
Total network outageNetwork jammed or
intercepted
Attack usingsoftware radio and
software
Alltrains using
ERTMS in same situation
Non affectedtrains continue to
operate
Affected trainsuse ‘fail-safe’ and
stop
![Page 43: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/43.jpg)
Evaluation and Further Work
• 3 Aspects considered in Context evaluation– Why, How, What
• Full Set– Why, How, What, Where, When, Who
• Generation of a threat word taxonomy• External systems are vital to operation of the system yet
limited control or authority available• Partial failures must be considered (O2 Outage)
![Page 44: Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force](https://reader036.vdocuments.mx/reader036/viewer/2022062313/56649ca45503460f94964f6d/html5/thumbnails/44.jpg)
References
• ANONYMISED (2010). Information security audit of ERTMS, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders.
• ANONYMISED (2011). ERTMS specification security audit – Analysis of attack scenarios, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders.
• Casals, S., Owezarski, P. and Descargues, G. (2012). Risk assessment for airworthiness security. Safecomp 2012 [Online]. Available at: http://hal.archives-ouvertes.fr/docs/00/69/85/23/PDF/ Risk_Assessment_for_Airworthiness_Security_8p_.pdf [Accessed 12 June 2012].
• Falliere, N., O Murchu, L. and Chien, E. (2011). W32.Stuxnet dossier. [Online] Symantec Security Response. February 2011. Available at: http://www.symantec.com/content/en/us/enterprise/ media /security_response/whitepapers/w32_stuxnet_dossier.pdf [Accessed 22 February 2012].
• Kramer, D., Baker, M., Ransford, B., Molina-Markham, A., Stewart, Q., Fu, K and Reynolds, M. (2012). Security and privacy qualities of medical devices: An analysis of FDA postmarket surveillance. PLoS One, 7(7), e40200. doi:10.1371/journal.pone.0040200
• McDermott, J. (2000). Attack net penetration testing. New Security Paradigms Workshop 2000.• McDonald, G., Murchu, L., Doherty, S., Chien, E., (2013). Stuxnet 0.5: The Missing Link. [Online] Symantec
Security Response. February 2013. Available at: http://www.symantec.com/content/en/us/enterprise/media/ security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf [Accessed 20 February 2014].
• Opdahl, A. and Sindre, G. (2008). Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology, 51(5), 916-932.
• Schneier, B. Attack Trees. [Online]. Dr Dobbs Journal, December 1999. Available at: http://www.schneier.com/paper-attacktrees-ddj-ft.html [Accessed 1 July 2012].
• US DoD (2012). Defense Acquisition Guidebook. [Online]. Available at: http://at.dod.mil/docs/ DefenseAcquisitionGuidebook.pdf [Accessed 1 July 2012].