The Technological Research Institute (IRT) SystemX announces the closure of its Cybersecurity of Intelligent Transport (CTI) project, launched in June 2016. Conducted in collaboration with the French National Agency for Information Systems Security (ANSSI) and the Gendarmerie Nationale’s Central Observatory for Intelligent Transport Systems (OCSTI), this initiative brought together eight major industrialists with the aim of guaranteeing the operational security of transport in a context of increasing cybercrime threats.
A project to guarantee the operational security of the transport sector in the face of cyber threats
The ambition of the CTI project was to address the common challenges of the automotive, rail and aviation sectors to ensure the operational security of new transport systems in the face of growing cyber threats. There were 12 partners in the project. In addition to IRT SystemX, ANSSI and OCSTI, they included Airbus Defence and Space, Alstom, APSYS, Groupe Renault, RATP, ProvenRun, Stellantis, Trialog and Valeo, as well as the University of Paris-Saclay.
All these players have pooled their skills to help define design methods and tools, as well as cyber protection mechanisms installed on board vehicles. All these approaches and technologies have been brought together in a “Hardware in the Loop” research and experimentation platform.
This platform, named “Cybersecurity Hardening Environment for Systems of Systems (CHESS) for Transport”, offers advanced access control and isolation functionalities and a powerful attack detection engine connected to a Security Operation Center (SOC) to define responses to security incidents.
Witold Klaudel, CTI project manager, spoke about the project and the five years of work:
“The CTI project launched in 2016 was very ambitious. It has enabled significant progress in understanding the new threats of an increasingly complex cyberspace, but also in protecting transport systems, by pooling the thoughts and skills of 3 sectors with common issues. The computer-assisted risk analysis method proposed by the project makes it possible to enrich design approaches and avoid the oversights that, for example, have been the cause of vehicle security problems in the past.”
A project that focuses on four main areas
Over five years, the project focused on four areas:
- the study of standardization and regulatory initiatives to take the measure of current and future regulatory requirements,
- the specification of 3 use cases (autonomous car, autonomous metro and parcel delivery drones) to guide all research work and define the quality measures of the results,
- the design and experimental development of a computer-assisted risk analysis tool covering the cybersecurity of architectures and the robustness of control algorithms,
- the design and experimental development of a reference architecture for autonomous vehicles following a secure-by-design approach, based on the state of the art in security and integrating access control, network and software isolation and supervision solutions.
The promising results of the CTI project that led to the creation of the RTI project
After five years, several results have emerged from the CTI project:
- The risk analysis method developed is particularly advanced. In the design phase, it makes it possible to specify the requirements that the security solutions must meet in order to reduce the risks to an acceptable level. It is also used in production to reassess the risks if the initial assumptions change with the discovery of new flaws in the components. The originality of the approach lies in the automatic search for attack paths in an architecture defined using standardized components classified by experts.
- Thanks to the distributed supervision functions developed, violation attempts are discovered by rule engines (temporal logic) and by machine learning models. The embedded systems then communicate with the Security Operation Center to define responses to the security incident. A large part of this work comes from the thesis “Machine Learning for Intrusion Detection Systems in Autonomous Transportation” conducted in collaboration with the IBISC laboratory of the University of Paris-Saclay.
- The “Hardware in the Loop” model in the CHESS for Transport platform has allowed all the project’s proposals to be validated by proof of concept (PoC). By simulating the environment, it makes it possible to test and validate the behaviour of the electronics in a very large number of dangerous situations, and thus to eliminate many defects before the road tests. The usefulness of the supervision was demonstrated through a campaign of intrusion tests carried out by the project team. Risk analysis was used to verify the adequacy of access control and isolation mechanisms against business requirements.
Witold Klaudel gives more details on these results:
“The demonstration of the efficiency of the security mechanisms developed by the project, thanks to the CHESS for Transport platform, allowed us to convince industrial partners of the potential of technological (e.g. Kerberos, TEE) and scientific (e.g. light cryptography, artificial intelligence for anomaly detection) advances. Most of the partners of the CTI project have decided to continue their collaboration in the framework of the RTI project, which started on June 1, 2010, in order to address other challenges and underlying scientific and technological barriers.
The RTI project is an indirect continuation of the CTI project and will lead to solutions that can be used by industry. The verification methods developed will aim to demonstrate the accuracy and completeness of risk analyses (safety and security) through experimentation and intrusion tests.
Translated from L’IRT SystemX annonce les résultats de son projet dédié à la cybersécurité du transport intelligent