Mark Hartong
Federal Railroad Administration
Publication
Featured research published by Mark Hartong.
International Conference on Software Engineering | 2008
Jon Whittle; Duminda Wijesekera; Mark Hartong
Misuse cases are a way of modeling negative requirements, that is, behaviors that should not occur in a system. In particular, they can be used to model attacks on a system as well as the security mechanisms needed to avoid them. However, like use cases, misuse cases describe requirements in a high-level and informal manner. This means that, whilst they are easy to understand, they do not lend themselves to testing or analysis. In this paper, we present an executable misuse case modeling language which allows modelers to specify misuse case scenarios in a formal yet intuitive way and to execute the misuse case model in tandem with a corresponding use case model. Misuse scenarios are given in executable form and mitigations are captured using aspect-oriented modeling. The technique is useful for brainstorming potential attacks and their mitigations. Furthermore, the use of aspects allows mitigations to be maintained separately from the core system model. The paper, supported by a UML-based modeling tool, describes an application to two case studies, providing evidence that the technique can support red-teaming of security requirements for realistic systems.
International Journal of Critical Infrastructure Protection | 2008
Mark Hartong; Rajni Goel; Duminda Wijesekera
Railroads play a significant role in the United States economy, transporting a wide variety of goods across a geographically dispersed network. Hardening this network against all forms of attack is not possible. This paper will address the role of freight and passenger rail in the United States, provide an unclassified set of relatively easy attacks that can be used to disrupt rail traffic, outline actions by industry and government to reduce the probability of an attack occurring or mitigate the consequences of a successful attack, and identify shortcomings in the current rail security program.
Cyber Security and Information Intelligence Research Workshop | 2009
Mark Hartong; Rajni Goel; Duminda Wijesekera
Misuse Cases are recent UML constructs that can be used to specify the mal-acts against which a requirements engineer seeks guarantees from the designer. However, Misuse Cases have not been formally adopted in UML, and therefore lack a formal meta-model. This paper proposes a meta-model that covers graphical, textual and OCL models for Misuse Cases that augments the existing UML 2.0 Use Case meta-models.
International Conference on Digital Forensics | 2007
Mark Hartong; Rajni Goel; Duminda Wijesekera
Positive train control (PTC) or communication-based control systems (CBTC) control trains using wireless network infrastructures. Consequently, investigations of accidents involving PTC- or CBTC-controlled trains require network forensic analysis. This paper describes a forensic analysis framework that leverages the communications capabilities of PTC systems. The framework incorporates a centralized database architecture that securely stores PTC-related and other digital data, and provides for efficient and flexible querying of the data during accident analysis.
International Conference on Digital Forensics | 2006
Mark Hartong; Rajni Goel; Duminda Wijesekera
Forensic analysis helps identify the causes of crimes and accidents. Determination of cause, however, requires detailed knowledge of a system’s design and operational characteristics. This paper advocates that “use cases,” which specify operational interactions and requirements, and “misuse cases,” which specify potential misuse or abuse scenarios, can be used to analyze and link forensic evidence and create postincident reconstructions. Use-misuse case analysis techniques involving non-probabilistic and probabilistic methods are described and applied to Positive Train Control (PTC) Systems — a network-based automated system that controls the movements of passenger and freight trains.
Innovations in Systems and Software Engineering | 2014
Mark Hartong; Rajni Goel; Duminda Wijesekera
Use cases and misuse cases, respectively, state the interactions that an actor can have and a mal-actor be prevented from having with a system. The cases do not specify either the security requirements or the associated attributes that a system must possess to operate in a secure manner. We present an algorithmic, domain-independent approach rooted in verb–noun analysis of use cases and misuse cases to generate system requirements and the associated security attributes. We illustrate the utility of this general five-step method using Positive train control (PTC) (a command and control system used to navigate trains in a railway grid) as a case study. This approach allows the designer to protect against the effect of wireless vulnerabilities on the safety of PTC systems.
2010 Joint Rail Conference, Volume 1 | 2010
Mark Hartong; Rajni Goel; Duminda Wijesekera
A series of high-profile rail accidents, culminating in a head-on collision on September 12, 2008 between a Union Pacific freight train and a METROLINK passenger train in Chatsworth, California, provided the impetus for the passage of the Rail Safety Improvement Act (RSIA) of 2008 (Public Law 110–432). The RSIA mandated the installation of Positive Train Control Systems across the US rail system by December 31, 2015. These new statutory requirements represent one of the most significant changes in US signal and train control systems since the introduction of track circuits and Centralized Traffic Control in the 1920’s. This paper discusses the background which led to the passage of the RSIA, the new PTC requirements imposed by the law, and highlights the significant changes from existing federal safety regulations associated with voluntary PTC implementations that are being adopted by the to meet the law’s requirement.
ASME/IEEE 2007 Joint Rail Conference and Internal Combustion Engine Division Spring Technical Conference | 2007
Mark Hartong; Olga K. Cataldi
In February of 2005, the Federal Railroad Administration of the U.S. Department of Transportation issued a set of new performance-based regulations governing the development and use of microprocessor-based signal and train control systems. The new standard, effective March 2005, requires that replacement systems be at least as safe as the existing condition. Among the key elements used in evaluating the compliance of products to the new performance standard are quantitative and qualitative risk assessments. This paper explains the performance standard that must be followed, the regulatory background behind it, various quantitative and qualitative risk modeling techniques that can be used to support claims of compliance, and issues associated with their implementation.
Journal of King Saud University - Science | 2011
Mark Hartong; Rajni Goel; Duminda Wijesekera
Archive | 2012
Mark Hartong; Duminda Wijesekera