Conference: AREMA annual conference

AFTER: ATTACK-FAULT AND RELIABILITY MODELING OF MOVABLE RAILROAD BRIDGE SYSTEMS


Abstract

Modern railroad movable bridge systems control physical equipment using hardware and software for communications and signaling. In these systems, unforeseen security vulnerabilities in the underlying system components could be exploited to cause service disruptions and degradations. These in turn can cause failures, resulting in unsafe operational conditions. Conversely, control systems have built-in failure-tolerant mechanisms (such as service degradations and terminations) that are invoked in response to impending or observed failures. An attacker who is aware of such mechanisms can exploit these designs to trigger service degradations and terminations, causing safety concerns. A motivated attacker can exploit the intertwined nature of these two phenomena and create complex attacks that would cause unsafe operational conditions. In this paper, we introduce a model called Attack-Fault Trees with Reliability (AFTeR), which was designed to qualitatively and quantitatively measure the intertwined ways of violating the safety and cyber security objectives of a cyber-physical system design. By incorporating probabilistic estimates of fault rates, component maintenance and repair, exploitability of known security vulnerabilities in existing equipment, and attacker effort and capability estimates with kill chains that are executed by potential misbehaving agents to cause safety and security concerns, we derive operational risks and cost-minimizing mitigation strategies against them. We show the capabilities of our method by applying it to a detailed model of a fail-safe movable railroad bridge system. This work is sponsored by FRA and conducted in collaboration with one freight railroad.
