Positive Train Control with Asymmetric Authentication and Key Management

Positive Train Control (PTC) is a combination of systems and protocols that provide wireless communication between railroad operations, locomotives, and wayside equipment. Its original purpose is to ensure that trains comply with track speed restrictions and signals by providing this information to a control system inside the locomotive that can take corrective action. Because the main PTC communication channel is 220 MHz radio, an attacker can observe and tamper with all PTC communications. To prevent an attacker from tampering with PTC messages, the current implementation authenticates them using Message Authentication Codes (MACs). MACs are a form of symmetric cryptography where all parties share a common secret key: if the key is compromised, an attacker can forge apparently authentic messages. This is particularly problematic in the rail setting, where the communicating parties include all locomotives operating on a section of track as well as all wayside equipment along the track. If any of these systems are compromised, an attacker can gain access to the secret key.
Modern cryptographic protocols, including the HTTPS protocol used to secure the Web, use asymmetric cryptography, which does not require a common secret key. The primary goal of this proposal is to develop a scheme for authenticating PTC communications using asymmetric cryptography, and to do so in line with current communication security best practices, including public key infrastructure and robust mechanisms to mitigate key compromise.
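As an added illustration (not part of the proposal), the following Go sketch contrasts the two designs described above: HMAC-SHA256 stands in for the current MAC scheme and Ed25519 for the proposed asymmetric one. The message text, the shared key and the "raise the speed limit" edit are constructed, and key distribution, revocation and replay protection are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Constructed sample message; not a real PTC frame layout.
var SampleMsg = []byte("LOCO-1234 speed-restriction 30mph MP 112.4")

// tamper models the edit an attacker wants accepted: a raised speed limit.
func tamper(msg []byte) []byte {
	return bytes.Replace(msg, []byte("30mph"), []byte("80mph"), 1)
}

// Symmetric design: every locomotive and wayside unit holds the same key.
func MACTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

func MACVerify(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(MACTag(sharedKey, msg), tag)
}

// CompromisedNodeForgesMAC: a node that has the shared key tags a modified
// message, and a receiver holding the same key accepts it as authentic.
func CompromisedNodeForgesMAC(sharedKey []byte) bool {
	forged := tamper(SampleMsg)
	return MACVerify(sharedKey, forged, MACTag(sharedKey, forged))
}

// Asymmetric design: a party signs with its own private key and other
// parties hold only its public key (how keys are distributed and revoked
// is out of scope for this sketch).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// CompromisedNodeForgesSignature: a node that knows only the public key and
// a captured signed message replays the signature on a modified message;
// the receiver rejects it, so that node's compromise stays local to it.
func CompromisedNodeForgesSignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, tamper(msg), sig)
}
```

The two boolean helpers return true when the receiver accepts the modified message: true for the shared-key design, false for the signature design.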
Today, the PTC communication channel is used more broadly, as a general-purpose communication link between the railroad, its locomotives, and its wayside equipment. The security implications of other applications using the PTC link are not well understood. Indeed, past experience with system security (and its painful lessons) has taught us that security problems occur when systems are pushed beyond their original design goals. The second aim of the project is to identify other uses of PTC communications and assess their security requirements, providing recommendations for additional security mechanisms or practices as needed.
In line with computer security community best practices, the project will make its proposed scheme and implementation open, in order to invite public scrutiny and vulnerability assessment.

National University Rail Center of Excellence
1239B Newmark Civil Engineering Laboratory, MC-250
205 N Mathews Avenue
Urbana, IL 61801
(217) 300-1340