An Overview of my Papers and Publications which have been accepted and published.

Research at Birmingham Profile » Google Scholar Page »

Publication List

RSSRAIL 2016 - “A Formal Security Analysis of ERTMS Train to Trackside Protocols”

Tom Chothia, Joeri de Ruiter and Richard J. Thomas.

This paper works to provide a formal security analysis of not only the EuroRadio protocol but also models the counter-based timestamps and assesses the relative security of it, making recommendations where required.

More information on this paper can be found here.

ASIACCS 2017 - “An Attack Against Message Authentication in the ERTMS Train to Trackside Communication Protocols”

Tom Chothia, Mihai Ordean, Joeri de Ruiter and Richard J. Thomas

This paper details an attack against the ERTMS MAC Algorithm, a modified DES-based version of the ISO9797 MAC Algorithm 3. We analyse this MAC algorithm in detail, and provide details on potential weaknesses, and makes appropriate recommendations.

More information on this paper can be found here.

USENIX ASE 2017 - “Jail, Hero or Drug Lord? Turning a Cyber Security Course Into a 11 Week Choose Your Own Adventure Story”

Tom Chothia, Sam Holdcroft, Andreea-Ina Radu and Richard J. Thomas

This paper presents the results of running a gamified story as part of the teaching of undergraduate students in an introductory cybersecurity course taught at the University. We show how results improved for those taking part in the story and how it may be applied to other courses.

More information on this paper can be found here.

ACSAC 2017 - “TRAKS: A Universal Key Management Scheme for ERTMS”

Richard J. Thomas, Mihai Ordean, Tom Chothia and Joeri de Ruiter

This paper presents a new Key Management Scheme for use in ERTMS and wider applications on the railways. Here, we present TRAKS, a backwards-compatible, post-quantum key management scheme that reduces the complexity of key management on the railways, while enabling Infrastructure Managers to protect EuroBalise payloads which are currently unauthenticated. To our knowledge, we provide the first formal definition of ERTMS Key Generation and define TRAKS as a framework for implementation on the railways and in ICS Settings.

More information on this paper can be found here.

Transactions on Edutainment IV - “Choose Your Pwn Adventure: Adding Competition and Storytelling to an Introductory Cybersecurity Course”

Tom Chothia, Chris Novakovic, Andreea-Ina Radu and Richard J. Thomas

This article describes the development of a framework which adds a narrative to an 11-week cybersecurity course. The students play the part of a new IT security employee at a company and are asked to complete a number of security tasks, for which they receive flags. As the story unfolds they find deceit, corruption and ultimately murder, and their choices lead them to one of three different endings. Our framework for running the story and the exercises is completely self-contained in a single virtual machine, which the students each download at the start of the course; this means that no resource-consuming backend or cloud support is required. We report on the results of qualitative and quantitative evaluations of the course that provide evidence that both the VM and the story contained within it increased student engagement and improved their course results.

More information on this article can be found here.

Ph.D. Thesis - A Systematic Development of a Secure Architecture for the European Rail Traffic Management System

Thesis submitted and defended at the University of Bimringham

In this thesis, a systematic security analysis of parts of the ERTMS standard is presented, firstly reviewing the security offered by the protocols used in ERTMS using the ProVerif tool. It then assesses the custom MAC algorithm used by the platform and identify issues that exist in each of the ERTMS protocol layers, and aims to propose solutions to those issues. It also identifies a challenge presented by the introduction of ERTMS to National Infrastructure Managers surrounding key management, a novel key management scheme, TRAKS, is proposed, which reduces its complexity. A holistic process for asset owners is defined to carry out their own security assessments for their architectures and consider the unique challenges that are presented by Industrial Control Systems and how these can be mitigated to ensure security of these systems.

Drawing conclusions from these analyses, the notion of a ‘secure architecture’ is introduced, reviewing the current compliance of ERTMS against this definition, identifying the changes required in order for it to have a secure architecture, both now and also in the future.

More information about the Thesis can be found here.

ESORICS CyberICPS 2020 - “Learning From Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems”

Richard J. Thomas and Tom Chothia

Industrial Control Systems are very different to traditional IT, where these often closed-source, proprietorial systems have different requirements placed upon them, and intended asset lifecycles. This paper assesses over 10 years of ICS vulnerabilities and identifies priority areas for the supply chain to resolve and proposes testing techniques based on 8 detectable categories which can be used by asset owners to verify the security claims and assure the security of their assets.

Some key highlights:

More information about this paper, and datasets we share with the research community can be found here.

ACM CCS CPSIOTSec 2020 - “Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risk in Critical Infrastructures”

Richard J. Thomas, Joseph Gardiner, Tom Chothia, Awais Rashid, Emmanouil Samanis and Joshua Perrett

This paper presents an analysis of the time a vulnerability in Industrial Control Systems is ‘in the wild’ and the correctness of CVE information given to asset owners, using Siemens as a case study. The result of this work identifies that there is an unacceptable delay incurred in updating CVE information, increasing risk to asset owners, and that vulnerabilities are typically ‘in the wild’ for longer periods of time to traditional IT.

More information about this paper, and datasets we share with the research community can be found here.