The aim of this project, which was completed at the end of June 2021, was to bring together the cybersecurity skills and experience of manufacturers in the automotive, rail transport and aeronautics industries to develop a research and experimentation platform dedicated to the protection of Intelligent Transport Systems (ITS) architectures and the data they carry. The aim is to guarantee operational security in a context of increasing cybercrime threats.
SystemX announces the closure of its Cybersecurity of Intelligent Transport (CTI) project launched in June 2016. Bringing together 8 companies (Airbus Defence and Space, Alstom, APSYS, Groupe Renault, RATP, ProvenRun, Stellantis, Trialog and Valeo) as well as an academic institution (University of Paris-Saclay), this project was carried out in collaboration with the French National Agency for Information Systems Security (ANSSI) and the Gendarmerie Nationale’s Central Observatory for Intelligent Transport Systems (OCSTI).
The ambition of the CTI project was to meet the common challenges of the automotive, rail and aeronautics sectors to guarantee the operational security of new transport systems in the face of the increasing scale of cyber threats. Intelligent Transport Systems (ITS) architectures are particularly exposed due to the greater number of connected services, the increasing autonomy of on-board control systems and the impact of cyberattacks on operational security. New regulatory requirements, both current and future, are leading manufacturers to integrate cyber security into their product development as soon as possible.
The project partners have pooled their skills to contribute to the definition of design methods and tools, as well as cyber-protection mechanisms installed on board vehicles. All these approaches and technologies have been brought together in a “Hardware in the Loop” research and experimentation platform. This platform, called CHESS (Cybersecurity Hardening Environment for Systems of Systems) for Transport, offers advanced access control and isolation functionalities and a powerful attack detection engine connected to a Security Operation Center (SOC) to define responses to security incidents. The hardening of execution environments through the generation of controlled images of operating systems and the introduction of certified partitions dedicated to security functions completed the proposals of the CTI project.
The main results of the CTI project include:
- The risk analysis method developed is particularly advanced. In the design phase, it is used to specify the desired requirements for security solutions for the reduction of risks to an acceptable level. It is also used in production to assess the risks if the initial assumptions change with the discovery of new flaws in the components. The originality of the approach consists in the automatic search for attack paths, in an architecture defined using standardized components and classified by experts.
- Thanks to the distributed supervision functions developed, the discovery of attempted violations is carried out by rule engines (temporal logic) and by models derived from machine learning. The embedded systems then communicate with the Security Operation Center to define the responses to the security incident. A large part of this work comes from the thesis “Machine learning for intrusion detection systems in autonomous transport” carried out in collaboration with the IBISC laboratory of the University of Paris-Saclay.
- The “Hardware in the Loop” model in the CHESS for Transport platform, which has enabled the proof-of-concept (PoC) validation of all the project’s proposals. It allows, thanks to the simulation of the environment, to test and validate the behaviour of the electronics in a very large number of dangerous situations, and thus to eliminate many defects before the road tests. The usefulness of the supervision was demonstrated through a campaign of intrusion tests carried out by the project team. Risk analysis was used to verify the adequacy of access control and isolation mechanisms with respect to business requirements.
For further information: