Measurable and Composable Security, Privacy, and Dependability for Cyberphysical Systems
The SHIELD Methodology
Edited by Andrea Fiaschetti, Josef Noll, Paolo Azzoni, and Roberto Uribeetxeberria
MATLAB® and Simulink® are trademarks of the MathWorks, Inc. and are used with permission. The MathWorks does not warrant the accuracy of the text or exercises in this book. This book’s use or discussion of MATLAB® and Simulink® software or related products does not constitute endorsement or sponsorship by the MathWorks of a particular pedagogical approach or particular use of the MATLAB® and Simulink® software.
CRC Press
Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742
© 2018 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-1-138-04275-9 (Hardback)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com
Foreword
Preface
Editors
Contributors
1. Introduction
Andrea Fiaschetti, Josef Noll, Paolo Azzoni, and Roberto Uribeetxeberria
Section I SHIELD Technologies and Methodology for Security, Privacy, and Dependability
2. Security, Privacy, and Dependability Concepts
Andrea Fiaschetti, Paolo Azzoni, Josef Noll, Roberto Uribeetxeberria, John Gialelis, Kyriakos Stefanidis, Dimitrios Serpanos, and Andreas Papalambrou
3. Security, Privacy, and Dependability Technologies
Paolo Azzoni, Luca Geretti, Antonio Abramo, Kyriakos Stefanidis, John Gialelis, Andreas Papalambrou, Dimitrios Serpanos, Konstantinos Rantos, Andrea Toma, Nawaz Tassadaq, Kresimir Dabcevic, Carlo Regazzoni, Lucio Marcenaro, Massimo Traversone, Marco Cesena, and Silvano Mignanti
4. The SHIELD Approach
Andrea Fiaschetti, Paolo Azzoni, Josef Noll, Roberto Uribeetxeberria, Antonio Pietrabissa, Francesco Delli Priscoli, Vincenzo Suraci, Silvano Mignanti, Francesco Liberati, Martina Panfili, Alessandro Di Giorgio, and Andrea Morgagni
5. Security, Privacy, and Dependability Metrics
Andrea Morgagni, Andrea Fiaschetti, Josef Noll, Ignacio Arenaza-Nuño, and Javier Del Ser
Section II SHIELD Application Scenarios, New Domains, and Perspectives
6. Airborne Domain
Cecilia Coveri, Massimo Traversone, Marina Silvia Guzzetti, and Paolo Azzoni
7. Railway Domain
Paolo Azzoni, Francesco Rogo, and Andrea Fiaschetti
8. Biometric Security Domain
Paolo Azzoni, Konstantinos Rantos, Luca Geretti, Antonio Abramo, and Stefano Gosetti
9. Perspectives in Secure SMART Environments
Josef Noll, Iñaki Garitano, Christian Johansen, Javier Del Ser, and Ignacio Arenaza-Nuño
10. SHIELD Technology Demonstrators
Marco Cesena, Carlo Regazzoni, Lucio Marcenaro, Andrea Toma, Nawaz Tassadaq, Kresimir Dabcevic, George Hatzivasilis, Konstantinos Fysarakis, Charalampos Manifavas, Ioannis Papaefstathiou, Paolo Azzoni, and Kyriakos Stefanidis
11. Applying SHIELD in New Domains
Paolo Azzoni, Francesco Rogo, Cecilia Coveri, Marco Steger, Werner Rom, Andrea Fiaschetti, Francesco Liberati, and Josef Noll
Foreword
The Internet of Things (IoT), cyber-physical systems (CPSs), Industry 4.0, Swarm Systems, and the Human Intranet are all based on similar principles: interaction between the physical world and cyberspace, and the massive use of distributed, wireless devices, machine to machine, and machine to humans. They are all safety critical, heterogeneous, and of a scale never seen before. The technical hurdles to overcome are many, but possibly the most serious challenge to the vision of the instrumented world is security. We need to guarantee protection from intrusion or unauthorized access so that we can help prevent an adversary from affecting safety and bringing a level of chaos to human society of unimaginable consequences as the following examples show.
On October 21, 2016, the domain name service provider Dyn suffered a distributed denial of service (DDoS) attack leading to a significant collapse of fundamental infrastructures comprising the Internet. In a DDoS attack, a number of compromised or zombie computers, forming a botnet, send a flood of traffic to the target server, causing a denial of service by exhausting computation and/or communication resources. The relevance of this attack for our arguments is the fact that many of the compromised computers launching the attack were relatively small devices including printers, webcams, residential gateways, and baby monitors, that is, the IoT.
On February 23, 2017, many of Google’s smart gateway (router) devices called OnHub failed for about 45 minutes mainly because of the failure of the connection of the devices to the cloud, making it impossible to authenticate them on Google’s servers. This led to Internet connection problems to major websites including Twitter, Netflix, Spotify, and the Financial Times. The lesson learned in the Google OnHub case is that depending on remote cloud servers for authentication and authorization may be a liability.
The first known example of an attack on a physical plant was a uranium enrichment plant in Iran whose centrifuges were monitored and controlled with Siemens process control systems (PCS). This attack was perpetrated via a worm named Stuxnet. Stuxnet consisted of two parts: one part of the program was designed to lie dormant for long periods, then speed up the centrifuges so that the spinning rotors in the centrifuges wobbled and then destroyed themselves. The other part sent out false sensor signals to make the system believe everything was running smoothly. This part prevented a safety system from kicking in, which would have shut down the plant before it could self-destruct. This attack did not use the Internet to spread the worm inside the plant since the plant was physically isolated. The point of entry was memory sticks containing apparently innocuous data that were read inside the plant perimeter by unaware workers.
In 2010, an important study by the University of California, San Diego, and the University of Washington outlined the many points of attack in the electronic control system of automobiles. Examples of hijacked cars abound on YouTube. Intruders could create havoc in transportation systems (trains and ships are as amenable to intrusion), yielding catastrophic events that may jeopardize the lives of many people.
On December 23, 2015, a cyberattack on the Ukrainian power grid demonstrated another instance of the gravity of security issues in networks of things. The attackers gained control over the supervisory control and data acquisition (SCADA) system of the Ukrainian power grid and caused a blackout for several hours across a large area of Ukraine’s Ivano-Frankivsk region populated by 1.4 million residents.
These last three cases show that, unlike cyberattacks in the past, the consequences from attacks on the IoT could be much more devastating than information theft or financial loss.
The safety and security characteristics of a CPS and the IoT are quite different from those of “standard” Internet applications. Indeed, in the CPS community, it is widely agreed that the main challenges to the security of a CPS/IoT include heterogeneity, scarce computing and power resources, scalability, and operation in open environments.
It is impractical to adopt security measures that are successfully used in the Internet such as transport layer security/secure sockets layer (SSL/TLS), and in the wireless sensor network (WSN) and the mobile ad hoc network (MANET) due to their heavy computational burden. For sensor networks, for example, performance is not at a premium as in mobile payment applications, but being able to connect thousands, if not millions, of devices and to keep them “alive” for a long time is (this is related to the scarce computing and power resources issue).
Many expect that there will be tens of billions of connected devices by 2020, far exceeding the world population, and billions of terabytes (10^12 bytes) of Internet Protocol (IP) traffic, a significant portion of which will be generated by the instrumented world. Hence, the security solution must scale accordingly; in particular, the overhead of adding and removing devices to/from the security solution should be minimal.
In CPSs and the IoT, the lifetime and availability of the devices and of their interconnections are as important as data security, if not more. For some sensors such as environment data, privacy is of no interest, in others such as medical data it is of paramount importance. This heterogeneity requires different privacy and security mechanisms for the same network while traditional security mechanisms are valid for homogeneous networks.
CPSs and the IoT must support safety-critical components in open, untrusted, and even hostile environments. Due to their open nature, CPS and IoT networks are susceptible to entirely new classes of attacks, which may include illegitimate access through mediums other than traditional networks (e.g., physical access, Bluetooth, and radios). For instance, an attack on a traffic controller on the streets of Ann Arbor, Michigan, including the manipulation of actual traffic lights was demonstrated; this attack was made possible via direct radio communication with the traffic controller. Jamming attacks on wireless communication channels can also be a threat to the availability of the IoT operating over wireless networks.
To the best of my knowledge, integrated security solutions for CPS/IoT have not been widely accepted; only a few have carried out research on the topic. This book is an important step to fill this gap in research: it presents a methodology, called SHIELD, and an innovative, modular, composable, expandable, and highly dependable architectural framework conceived and designed with this methodology. This framework makes it possible to achieve the desired security, privacy, and dependability (SPD) level in the context of integrated and interoperating heterogeneous services, applications, systems, and devices in a CPS framework.
Alberto Sangiovanni Vincentelli
The Edgar L. and Harold H. Buttner Chair Department of EECS, University of California, Berkeley
Preface
We are at the beginning of a new age of business, where dynamic interaction is the driving force for whatever kind of business. To draw from a known analogy, “bring your own device” (BYOD) exemplifies the trends of devices accessing processes and information on enterprises. In the upcoming years, not only phones, tablets, and computers will demand access, but also sensors and embedded systems will deliver and request information. In the traditional way of handling dynamic interaction, the attempt was to secure the whole infrastructure of a company. To follow the analogy, BYOD is often seen as a threat, and answered in the classical way by preventing employees from using their devices, as security cannot be ensured. A second variant of counteracting classic threats such as insufficient authentication and loss of devices is addressed through an approach of integrating, managing, and securing mobile devices. But these strategies cannot be applied to sensors and other kinds of cyber-physical systems. Companies cannot stop integrating embedded systems into their infrastructures, as their businesses and processes need them to remain competitive. So, they need to be able to assess the dynamic interaction impact of integrating a new system into their infrastructure in a manageable way, which conventionally suffers from two aspects:
i. Secure interaction issues in current systems are described through an integrated approach, and do not open for scalability.
ii. Measurable security in terms of quantifiable results is not industry.
A paradigm shift in handling dynamic interaction is required, addressing the need for securing information instead of securing infrastructure. The paradigm shift includes the need for a security methodology definition, first, and for the consequent measurability
SHIELD addresses both these shortcomings, providing the methodology and the means of integrating new infrastructures, new ways of communication, and new devices. It thereby answers the upcoming trends of wireless sensors, sensor networks, and automated processes. Though the focus of SHIELD is on introducing security for cyber-physical systems, we see that these security measures need to be the basis for running automated processes. Consequently, the solution proposed in this book addresses a metrics-based approach for a quantitative assessment of both the potential attack scenario and the security measures of the information, and outlines the methodology of measurable security for systems of cyber-physical systems.
Measurable security is often misinterpreted as a good risk analysis. The SHIELD approach works toward measuring security in terms of cardinal numbers, representing the application of specific security methods as compared to the specific threat scenario. The approach is based on the semantic description of a potential attack scenario, the security-related aspects of sensors/systems, and security policies that should be applied irrespective of the scenario.
Through SHIELD, we address measurable security and introduce countable numbers for the security components of systems. We also address the scalability aspect by using composition techniques that are able to build a security representation of the composed system (system of systems) based on the individual security representations of each individual element. This simplifies the process of measuring the security of the composed system, and opens up the opportunity to build the system in an incremental way.
This approach is particularly suited to managing all the security aspects of cyber-physical systems: embedded systems that are interconnected, interdependent, collaborative, and smart. They provide computing and communication, monitoring, and control of physical components and processes in various applications. Many of the products and services that we use in our daily lives are increasingly determined by cyber-physical systems, and the software that is built into them is the connection between the real physical world and the built-in intelligence. The SHIELD approach also represents an answer to dependability aspects.
Dependability is a key aspect of cyber-physical systems, in particular in safety-critical environments that may often require 24/7 reliability, 100% availability, and 100% connectivity, in addition to real-time response. Moreover, security and privacy are both important criteria that affect the dependability of a system; therefore, this book focuses on security, privacy, and dependability issues within the context of embedded cyber-physical systems, considering security, privacy, and dependability both as distinct properties of a cyber-physical system and as a single property by composition.
Increasing security, privacy, and dependability requirements introduce new challenges in emerging Internet of Things and Machine to Machine scenarios, where heterogeneous cyber-physical systems are massively deployed to pervasively collect, store, process, and transmit data of a sensitive nature. Industry demands solutions to these challenges—solutions that will provide measurable security, privacy, and dependability, risk assessment of security critical products, and configurable/composable security. Security is frequently misconstrued as the hardware or software implementation of cryptographic algorithms and security protocols. On the contrary, security, privacy, and dependability represent a new and challenging set of requirements that should be considered in the design process, along with cost, performance, power, and so on.
The SHIELD methodology addresses security, privacy, and dependability in the context of cyber-physical systems as “built in” rather than as “add-on” functionalities, proposing and perceiving with this strategy the first step toward security, privacy, and dependability certification for future cyber-physical systems.
The SHIELD general framework consists of a four-layered system architecture and an application layer in which four scenarios are considered: (1) airborne domain, (2) railways, (3) biometric-based surveillance, and (4) smart environments.
Starting from the current security, privacy, and dependability solutions in cyber-physical systems, new technologies have been developed and the existing ones have been consolidated in a solid basement that is expected to become the reference milestone for a new generation of “security, privacy, and dependability-ready” cyber-physical systems. SHIELD approaches security, privacy, and dependability at four different levels: node, network, middleware, and overlay. For each level, the state of the art in security, privacy, and dependability of individual technologies and solutions has been improved and integrated (hardware and communication technologies, cryptography, middleware, smart security, privacy, and dependability applications).
The leading concept has been the demonstration of the composability of security, privacy, and dependability technologies and the composition of security, depending on the application need or the attack surrounding.
To achieve these challenging goals, we developed and evaluated an innovative, modular, composable, expandable, and highly dependable architectural framework, concrete tools, and common security, privacy, and dependability metrics capable of improving the overall security, privacy, and dependability level in any specific application domain, with minimum engineering effort.
Through SHIELD, we have (i) achieved a de facto standard for measurable security, privacy, and dependability; (ii) developed, implemented, and tested roughly 40 security-enhancing prototypes in response to specific industrial requests; and (iii) applied the methodology in four different domains, proving how generic the approach is.
The book’s main objective is to provide an innovative, modular, composable, expandable, and highly dependable architectural framework conceived and designed with the SHIELD methodology, which makes it possible to achieve the desired security, privacy, and dependability level in the context of integrated and interoperating heterogeneous services, applications, systems, and devices; and to develop concrete solutions capable of achieving this objective in specific application scenarios with minimum engineering effort.
The book is organized in two parts:
Section I: SHIELD Technologies and Methodology for Security, Privacy, and Dependability is dedicated to the SHIELD methodology, to technical aspects of new and innovative security, privacy, and dependability technologies and solutions, and to the SHIELD framework.
Section II: SHIELD Application Scenarios, New Domains, and Perspectives covers four different application scenarios for SHIELD in the airborne domain, railway domain, biometric security, and smart environments security (smart grid, smart vehicles, smart cities, etc.). This section also describes some domain-independent technology demonstrators and provides an overview of the industrial perspectives of security, privacy, and dependability and of the results obtained by adopting the SHIELD methodology in other European research projects.
This book is foreseen for system integrators, software engineers, security engineers, electronics engineers, and many other engineering disciplines involved in the extremely rapidly digitalizing world. But also, managers and policy makers in industry and public administration can make use of it to get awareness on the security challenges of this massive digitalization. The book is intended to be written in a language as plain as possible to reach a wide audience. The goal is to raise awareness on security aspects of the cyber-physical systems that are increasingly being connected to the rest of the world. Systems are often responsible for critical infrastructures that provide the foundations of our modern society. It provides the shortcomings of current approaches, indicates the advances coming from the distributed approach as suggested by SHIELD, and addresses the state of the art in security in various market segments.
Finally, it must be acknowledged that Measurable and Composable Security, Privacy, and Dependability for Cyberphysical Systems: The SHIELD Methodology is the result of the two SHIELD projects co-funded by the ARTEMIS Joint Undertaking (https://www.artemis-ju.eu/). Several institutions of different European countries have participated in SHIELD and this book would not have been possible without all the work carried out during all those years by this team of highly professional researchers. The participation by major European industry players in embedded systems security, privacy, and dependability, also made possible the commercial exploitation of the results developed in the SHIELD projects.
MATLAB® is a registered trademark of The MathWorks, Inc. For product information, please contact:
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098 USA
Tel: 508 647 7000
Fax: 508-647-7001
E-mail: info@mathworks.com
Web: www.mathworks.com
Editors
Andrea Fiaschetti is honorary fellow (Cultore della Materia) at the University of Rome “La Sapienza” in the Department of Computer, Control, and Management Engineering “A. Ruberti,” promoting research and teaching activities in the field of automatic control. He is teaching assistant in several courses within the control engineering, system engineering, and computer science degrees, as well as supervisor of dozens of BSc/MSc theses on innovative topics.
Since 2007, he has been actively involved in several European projects, mainly in the security domain, including but not limited to SatSix, MICIE, MONET, and TASS, as well as pSHIELD and nSHIELD (on which this book is based). His main research interests are in the field of applied automatic control, pursuing a cross-fertilization between control theory and computer science, with a particular focus on innovative solutions for security and manufacturing domains; in this perspective, his major achievement is the formalization of the so-called composable security theory, an innovative methodology born from a collaboration with a restricted pool of academic and industrial experts, which represents the foundation of the SHIELD roadmap.
He is author of several papers on these topics. On an industrial perspective, Andrea Fiaschetti is a certified Project Management Professional (PMP®) and works as R&D project manager at Thales Alenia Space Italia S.p.A. (a Thales/Leonardo company), within the observation and navigation business domain. Last, but not least, he is actively involved in the Engineers Association of Rome, where he has recently been appointed as president of the Smart Cities and Internet of Things Committee.
Josef Noll is visionary at the Basic Internet Foundation and professor at the University of Oslo (UiO). Through the foundation, he addresses “information for all” as the basis for sustainable development and digital inclusion. Regarding sustainable infrastructures, where communication and security are key topics for the transfer to a digital society, he leads the national initiative “Security in IoT for Smart Grids” (IoTSec.no), Norway’s largest research project within IoT security. In 2017, the 20 partners opened the Smart Grid Security Centre to contribute to trusted and more secure power grids and smart home/city services.
He is also head of research in Movation, Norway’s open innovation company for mobile services. The company supported more than 200 start-ups in the last 10 years. He is co-founder of the Center for Wireless Innovation and Mobile Monday in Norway. He is IARIA fellow, reviewer of EU FP7/H2020 projects, and evaluator of national and EU research programs.
Previously, he was senior advisor at Telenor R&I in the products and markets group, and project leader of the JU ARTEMIS pSHIELD project on “Measurable Security for Embedded Systems,” Eurescom’s “Broadband Services in the Intelligent Home,” and use-case leader in the EU FP6 “Adaptive Services Grid (ASG)” projects, and has initiated a.o. the EU’s 6th FP ePerSpace and several Eurescom projects.
He joined UiO in 2005 and Telenor R&D in 1997, coming from the European Space Agency, where he was staff member (1993–1997) in the Electromagnetics Division of ESA ESTEC. He received his Diplom-Ingenieur and PhD degree in electrical engineering from the University of Bochum in 1985 and 1993. He worked as an integrated circuit designer in 1985 with Siemens in Munich, Germany, and returned to the Institute for Radio Frequency at the University of Bochum as a research assistant from 1986 to 1990.
Paolo Azzoni is the research program manager at Eurotech Group. He is responsible for planning and directing industrial research projects, investigating technologies beyond the state of the art in computer science, developing a wide network of academic research groups, and providing the financial support to company research activities. His main working areas include cyber-physical systems (CPSs), intelligent systems, machine-to-machine distributed systems, device to cloud solutions, and Internet of Things. He has participated in several European research projects in the contexts of FP7, ARTEMIS, Aeneas, ECSEL, and H2020, and he is a European Community independent expert.
He is one of the founders and promoters of the SHIELD initiative (pSHIELD and nSHIELD ARTEMIS projects), from the early stage of concepts definition to the development of the entire roadmap. He has represented Eurotech in the ARTEMIS Industrial Association (ARTEMIS-IA) since 2007. He is currently a member of the ARTEMIS-IA steering board and was recently appointed to the ARTEMIS-IA presidium as guest member.
Previously, he was involved in academic lecturing and research in the areas of hardware formal verification, hardware/software co-design and co-simulation, and advanced hardware architectures and operating systems. In 2006, he joined ETHLab (Eurotech Research Center) as research project manager and he has been responsible for the research projects in the area of embedded systems.
He is an accomplished researcher and author of publications focusing on the latest trends in IoT, intelligent systems, and CPSs, with a wide experience matured over more than 20 years of direct involvement in European research, technology transfer, and ICT innovation. He holds a master’s degree in computer science and a second master’s degree in intelligent systems, both from the University of Verona.
Roberto Uribeetxeberria is currently the head of research at the Faculty of Engineering, Mondragon University. He has participated in several European projects in the cyber-physical systems domain (eDIANA, pSHIELD, nSHIELD, ARROWHEAD, CITYFIED, DEWI, MANTIS [leader], MC-SUITE, PRODUCTIVE4.0). He has also participated in over 35 public-funded research projects and authored more than 30 publications. He has supervised three PhD theses, and he is currently supervising two PhD students. Dr. Uribeetxeberria obtained his PhD in Mobile Communications at Staffordshire University (UK) in 2001. Since then, he has combined lecturing and research at Mondragon University. He also directed the PhD program in New Information and Communication Technologies for several years and actively participated in the creation of the new Research Centre on Embedded Systems of the Faculty of Engineering, as well as designing the Masters in Embedded Systems. His research interests are in the fields of networking, information and network security, embedded system security, and data mining. He has represented Mondragon University in the ARTEMIS Industrial Association, the association for actors in Embedded Intelligent Systems within Europe, since 2007, and he is currently a member of the steering board of ARTEMIS-IA, representing Chamber B. He was also appointed to the presidium by the steering board, and thus, he has been vice-president of ARTEMIS-IA since March 2014.
Contributors
Antonio Abramo
Dipartimento Politecnico di Ingegneria e Architettura University of Udine Udine, Italy
Ignacio Arenaza-Nuño Electronics and Computing Department Faculty of Engineering Mondragon Unibertsitatea Mondragon, Spain
Paolo Azzoni
Research & Development Department Eurotech Group Trento, Italy
Marco Cesena Leonardo Company Rome, Italy
Cecilia Coveri Leonardo Company Rome, Italy
Kresimir Dabcevic Department of Electrical, Electronic, Telecommunications Engineering and Naval Architecture (DITEN) Università di Genova Genoa, Italy
Javier Del Ser OPTIMA Research Area
TECNALIA Zamudio, Spain
Alessandro Di Giorgio
Ingegneria Informatica Automatica e Gestionale
“Sapienza” Università di Roma Rome, Italy
Andrea Fiaschetti
Ingegneria Informatica Automatica e Gestionale
“Sapienza” Università di Roma Rome, Italy
Konstantinos Fysarakis Institute of Computer Science Foundation for Research and Technology - Hellas (FORTH) Heraklion, Greece
Iñaki Garitano
Electronics and Computing Department Faculty of Engineering Mondragon Unibertsitatea Mondragon, Spain
Luca Geretti
Dipartimento di Informatica Università di Verona Verona, Italy
John Gialelis ATHENA/Industrial Systems Institute Patra, Greece
Stefano Gosetti Research and Development Department Vigilate Vision Brescia, Italy
Marina Silvia Guzzetti
Leonardo Company Rome, Italy
George Hatzivasilis
School of Electrical & Computer Engineering
Technical University of Crete Chania, Greece
Christian Johansen
Department of Informatics
University of Oslo Oslo, Norway
Francesco Liberati
Ingegneria Informatica Automatica e Gestionale
“Sapienza” Università di Roma Rome, Italy
Charalampos Manifavas
Rochester Institute of Technology Rochester, Dubai
Lucio Marcenaro
Department of Electrical, Electronic, Telecommunications Engineering and Naval Architecture (DITEN)
Università di Genova Genoa, Italy
Silvano Mignanti
“Sapienza” Università di Roma Rome, Italy
Andrea Morgagni
Leonardo Company Rome, Italy
Josef Noll
Department of Technology Systems (ITS)
University of Oslo Oslo, Norway
Martina Panfili
Ingegneria Informatica Automatica e Gestionale
“Sapienza” Università di Roma Rome, Italy
Ioannis Papaefstathiou
School of Electrical & Computer Engineering
Technical University of Crete Chania, Greece
Andreas Papalambrou
ATHENA/Industrial Systems Institute
Patra, Greece
Antonio Pietrabissa
Ingegneria Informatica Automatica e Gestionale
“Sapienza” Università di Roma Rome, Italy
Francesco Delli Priscoli
Ingegneria Informatica Automatica e Gestionale
“Sapienza” Università di Roma Rome, Italy
Konstantinos Rantos
Computer and Informatics
Engineering Department Eastern Macedonia and Thrace Institute of Technology Chania, Greece
Carlo Regazzoni
Department of Electrical, Electronic, Telecommunications Engineering and Naval Architecture (DITEN)
Università di Genova
Genoa, Italy
Francesco Rogo
Innovation and Technology Governance Unit
Leonardo Company Rome, Italy
Werner Rom Virtual Vehicle Graz, Austria
Dimitrios Serpanos
ATHENA/Industrial Systems Institute
Patra, Greece
Kyriakos Stefanidis
ATHENA/Industrial Systems Institute
Patra, Greece
Marco Steger Virtual Vehicle Graz, Austria
Vincenzo Suraci Università eCampus Novedrate, Italy
Nawaz Tassadaq Department of Electrical, Electronic, Telecommunications Engineering and Naval Architecture (DITEN) Università di Genova Genoa, Italy
Andrea Toma Department of Electrical, Electronic, Telecommunications Engineering and Naval Architecture (DITEN) Università di Genova Genoa, Italy
Massimo Traversone Leonardo Company Rome, Italy
Roberto Uribeetxeberria Electronics and Computing Department Faculty of Engineering Mondragon Unibertsitatea Mondragon, Spain
1 Introduction
Andrea Fiaschetti, Josef Noll, Paolo Azzoni, and Roberto Uribeetxeberria
In the new era of cyber-physical systems (CPSs) and Internet of Things (IoT), the driving force for new business opportunities is the dynamic interaction between the entities involved in the business. The Internet-based service world is currently based on collaborations between entities in order to optimize the delivery of goods or services to the customer as shown in Figure 1.1a. The evolution toward the dynamic interaction between entities, as indicated in Figure 1.1b, represents the ongoing evolution.
One of the real challenges on the way ahead is the disappearing borders between companies, and the automatic exchange of sensor- and process-based information between the entities. Given that the second trend, dynamic modeling, implies the creation of autonomous decisions, one of the big challenges is the lack of measurable security when exchanging information. “Is the information that your system receives from one of the suppliers (or competitors) reliable?” This is one of the key questions you need to answer if your process or business model depends on those data.
Security has traditionally been a subject of intensive research in the area of computing and networking. However, security of CPSs is often ignored during the design and development period of the product, thus leaving many devices vulnerable to attacks. The growing number of CPSs today (mobile phones, pay-TV devices, household appliances, home automation products, industrial monitoring, control systems, etc.) are subjected to an increasing number of threats as the hacker community is already paying attention to these systems. On the other hand, the implementation of security measures is not easy due to the complexity and constraints on resources of these kinds of devices.
FIGURE 1.1 The upcoming business world of dynamic interaction between entities. (a) Internet today—collaboration based; (b) Upcoming—dynamic interaction.
One of the biggest challenges in security today is related to the software of operating systems and applications. While traditional software makers have made (some) headway in developing more resilient applications, experts say embedded device and systems makers—from those who create implanted medical devices to industrial control systems—are way behind in secure system design and development maturity. There are a number of aspects that are different when it comes to embedded and industrial control system security. First, the consequences of poor system design can create substantially more risk to society than the risks created by insecure traditional software applications. Second, software being implemented on an embedded design will normally reside there for the lifetime of the device. Third, secure software on embedded devices is much more costly—if it is reasonably possible at all—if you also consider the need to update these systems (Hulme, 2012).
While computer software is undergoing version updates to react to malfunctions and new security threats, embedded devices like actuators, sensors, and gateways come with integrated software and, most of the time, non-upgradeable hardware. Maintenance costs for upgrading the software, and vulnerabilities during the upgrade process, make it practically impossible to upgrade an embedded device. Taking the example of Java, where computer systems were upgraded several times during the first months of 2013, no such upgrades were available for Java on embedded devices.
Thus, if the business depends on data and information originating from or going through CPSs, you should have an opinion on the quality of those data. Consider a simple example of a heating system: assume that it solely depends on temperature readings from an outdoor thermometer. Manipulating this outdoor temperature sensor, or malfunctions due to reflected sunlight, might alter the collected value of temperature, which can turn the heating system off and provide inconvenient indoor temperatures.
The traditional approach to security, as shown in Figure 1.2, is often addressed through an integrated approach. The integrated approach describes assets like the system and the organization, threats like the environment and attack scenarios, vulnerability, and control mechanisms. This traditional approach suffers mainly from two weaknesses:
1. Security issues in current systems are described through an integrated approach, and do not allow for scalability.
2. Measurable security in terms of quantifiable results is not industry.
FIGURE 1.2 Typical view on security architecture.
Security has impacted on the way of doing business. We expect that security will become a major factor for the ongoing business evolution cycle in several domains, including:
• Avionics: Where safety was the main driver for developing formalized methods and models for software development, needed for the “fly-by-wire operation” of modern aircraft.
• Automotive: Where the complexity of modern cars, which integrate CPSs containing millions of lines of software code, exposes cars to many new vulnerabilities and attacks.
• e-Health: Healthcare applications have a clear demand for privacy and reliability.
• Energy: Where renewables are the drivers of a smart electric grid that currently lacks security.
• Control and automation industry: Where current applications are mainly based on corporate implementations, in which only suppliers and users might share the sensor data.
This book will address the challenges of measurable security arising in the communication within and between enterprises, with the focus on information provided by sensor systems. We address the challenges of new infrastructures, new ways of communication, and new devices. The two dominant trends in this domain are (1) wireless sensors contributing to automated processes and (2) the migration of processing and control into mobile devices.
In addition to phones, tablets, and computers, sensors and embedded systems (ES) will deliver and request information too, contributing to automated processes. The traditional way of handling security, by securing the whole infrastructure of a company, leads to employees being refused permission to use their own devices. Control is based on integrating, managing, and securing all mobile devices in the organization in a traditional way, and such a short-sighted approach, as suggested by leading IT companies, is doomed to fail. These strategies cannot be applied to sensors, sensor networks, or other kinds of embedded systems: security must be guaranteed by design as the integration of such devices must be seamless.
A paradigm shift in handling security is required, addressing the need for securing information instead of securing infrastructure. The paradigm shift includes the need for measurable security, privacy, and dependability (SPD), and is the core of this book. It addresses a metrics-based approach for a quantitative assessment of both the potential attack scenario and the security measures of the information, and will outline the methodology of measurable security for systems of embedded systems, or the so-called IoT.
Measurable SPD is often misinterpreted as a good risk analysis. When “banks are secure,” it means that they have a decent risk analysis, calculating the loss against the costs of increased security. Hereby, loss does not only mean financial loss, but also loss of customers due to bad reputation or press releases. Likewise, costs of increased SPD are not only the costs of applying new security mechanisms, but also a loss of customers, as customers might find the additional security mechanisms too cumbersome.
What Can Go Wrong?
Security has often been considered as mitigating the vulnerabilities of systems by introducing specifications on how to design, implement, and operate a system. A good example of such an approach was introduced by the National Institute of Standards and Technology in their Special Publication 800-12, focusing on IT systems (Guttman and Roback, 2005).
Confidentiality, integrity, and availability compose the core principles of information security. These three security attributes or security goals are the basic building blocks of the rest of security goals. There are other classifications and the community debates about including other security objectives in the core group, but this is irrelevant for this book. We can summarize the security objectives as
• Confidentiality
• Integrity
• Availability
• Authenticity
• Accountability
• Non-repudiation
Some or all of these objectives must be fulfilled (depending on the specific application requirements) in order to offer security services such as access control, which can be divided into three steps: identification, authentication, and authorization or privacy. To achieve these goals, different techniques such as encryption and anonymization are used. For example, information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. It is possible to classify the attacks based on their final goal and functional objective and on the method used to execute them. Our classification is based on Ravi et al.’s (2004) taxonomy of attacks.
At the top level, attacks are classified into four main categories based on the final goal of the attack (Grand, 2004): cloning, theft-of-service, spoofing, and feature unlocking. The second level of classification is the functional objective of the attack. Here, we would distinguish between attacks against privacy (the goal of these attacks will be to gain knowledge of sensitive information manipulated, stored, or communicated by an ES); attacks against integrity (these attacks will try to change data or code within an ES); and attacks against availability (a.k.a. “denial of service” attacks; these attacks disrupt the normal operation of the system). The third level of classification is based on the method used to execute the attack. These methods are grouped into three categories: physical attacks, side-channel attacks, and software attacks.
How Secure Are Cyber-Physical Systems?
Bruce Schneier (2014) in his blog talks about the Security Risks of Connected Embedded Systems, saying that
The industries producing these devices (embedded systems connected to the internet) are even less capable of fixing the problem than the PC and software industries were. Typically, these systems are powered by specialized computer chips. These chips are cheap, and the profit margins slim. The system manufacturers choose a chip based on price and features, and then build a router, server, or whatever.
The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it is shipped. And the software is old, even when the device is new even if they may have had all the security patches applied, but most likely not. Some of the components are so old that they’re no longer being patched. This patching is especially important because security vulnerabilities are found “more easily” as systems age.
The result is hundreds of millions of devices that have been sitting on the Internet, unpatched and insecure, for the last five to ten years. Hackers are starting to notice and this is only the beginning. All it will take is some easy-to-use hacker tools for the script kiddies to get into the game. The last time, the problem was computers, ones mostly not connected to the Internet, and slow-spreading viruses.
The scale is different today: more devices, more vulnerability, viruses spreading faster on the Internet, and less technical expertise on both the vendor and the user sides. Plus vulnerabilities that are impossible to patch. Paying the cost up front for better embedded systems is much cheaper than paying the costs of the resultant security disasters.
What Are the Consequences of This?
Taking all this into account, it is clear that poorly designed CPSs are a threat to the domain where they are being used. CPSs are used in medical devices, aircraft, and nuclear plants. Attacking any of these systems can have terrible consequences, including the loss of human lives. CPSs are usually interconnected as well as connected to the Internet. A vulnerable CPS from a third party included in a larger system can be the entry point to the whole system for hackers. The market will put pressure on CPS vendors to design their systems better and, if this is not taken into consideration, business will certainly be affected.
What Can We Do About It? The SHIELD Approach
Still, there is very little work concerning the full integration of security and systems engineering from the earliest phases of software development. Although several approaches have been proposed for some integration of
Another random document with no related content on Scribd:
immense progress that socialism had made in all lands since the year 1893. Towns as important as Lille, Roubaix, Calais, Montluçon, Narbonne, re-elected socialist majorities to administer their affairs; and even where there was only a socialist minority, a socialist mayor was elected, as in the case of Dr. Flaissières at Marseilles, and Cousteau at Bordeaux. But in the small towns and the villages our victories have been especially remarkable. The Parti Ouvrier alone can reckon more than eighteen hundred municipal councillors elected upon its collectivist programme; and at the Lille Congress, which was held a few days before the International Congress in London, thirty-eight socialist municipal councils and twenty-one socialist minorities of municipal councils were represented by their mayors or by delegates chosen by the party."
P. Lafargue, Socialism in France (Fortnightly Review, September, 1897).
FRANCE: A. D. 1897. Industrial combinations.
See (in this volume) TRUSTS: IN EUROPEAN COUNTRIES.
FRANCE: A. D. 1897 (May-June). Cessions and concessions from China.
See (in this volume) CHINA: A. D. 1897 (MAY-JUNE).
FRANCE: A. D. 1897 (June). Renewal of the privileges of the Bank of France.
See (in this volume) MONETARY QUESTIONS: A. D. 1897.
FRANCE: A. D. 1897 (July). Co-operation with American envoys in negotiations for a bi-metallic agreement with Great Britain.
See (in this volume) MONETARY QUESTIONS: A. D. 1897 (APRIL-OCTOBER).
FRANCE: A. D. 1897-1899. The Dreyfus Affair.
Although Captain Alfred Dreyfus, of the French army, was arrested, tried by court-martial, convicted of treasonable practices, in the betrayal of military secrets to a foreign power, and thereupon degraded and imprisoned, in 1894, it was not until 1897 that his case became historically important, by reason of the unparalleled agitations to which it gave rise, threatening the very life of the French Republic, and exciting the whole civilized world. Accordingly we date the whole extraordinary story of Captain Dreyfus and his unscrupulous enemies in the French Army Staff from that year, in order to place it in proper chronological relations with other events. As told here, the story is largely borrowed from a singularly clear review of its complicated incidents by Sir Godfrey Lushington, formerly Permanent Under Secretary in the British Home Office, which appeared in the "London Times," while the question of a revision of the Dreyfus trial was pending in the Court of Cassation. We are indebted to the publisher of "The Times" for permission to make use of it:
"In October, 1894, Captain Alfred Dreyfus, an artillery officer on the staff, was arrested for treason. He belonged to a respected and highly loyal Jewish family in Alsace, his military character was unblemished, and he was in easy circumstances. At this time General Mercier was Minister of War, General de Boisdeffre Chief of the Staff (practically Commander-in-Chief of the French army), General Gonse, Assistant-Chief. Colonel Sandherr, well known as an Anti-Semite, was head of the Intelligence Department, under him were Commandants Picquart, Henry, and Lauth, also the Archivist Griblin. Commandant Du Paty de Clam was an officer attached to the general staff. Commandant Esterhazy was serving with his regiment. On October 15, on the order of the Minister of War, Captain Dreyfus was arrested by Commandant Du Paty de Clam, and taken in the charge of Commandant Henry to the Cherche-Midi Prison, of which Commandant Forzinetti was governor. For a fortnight extraordinary precautions were taken to keep his arrest an absolute secret from the public and even from his own family. His wife alone knew of it, but dared not speak. … So harsh was his treatment that Commandant Forzinetti felt it his duty to take the strong step of making a formal representation to the Minister of War and also to the Governor of Paris, at the same time declaring his own conviction that Captain Dreyfus was an innocent man.
On October 31 Commandant Du Paty de Clam made his report, which has not seen the light, and on November 3 Commandant d'Ormescheville was appointed 'rapporteur' to conduct a further inquiry, and in due course to draw up a formal report, which practically constitutes the case for the prosecution. Not till then was Captain Dreyfus informed of the particulars of the charge about to be laid against him. From this report of Commandant d'Ormescheville's we learn that the basis of the accusation against Captain Dreyfus was a document known by the name of the 'bordereau' [memorandum]. Neither Commandant d'Ormescheville's report nor the 'bordereau' has been officially published by the Government, but both ultimately found their way into the newspapers. The bordereau was a communication not dated, nor addressed, nor signed. It began: 'Sans nouvelles m'indiquant que vous désirez me voir, je vous adresse cependant, Monsieur, quelques renseignements intéressants.' ['Without news indicating that you wish to see me, I send you, nevertheless, monsieur, some important information.'] (Then followed the titles of various military documents, 1, 2, &c.) The report stated that the bordereau had fallen into the hands of the Minister of War, but how the Minister declined to say, beyond making a general statement that the circumstances showed that it had been sent to an agent of a foreign Power. It is now generally accepted that it had been brought to the War Office by a spy, an Alsatian porter who was in the service of Colonel von Schwarzkoppen, then the military attaché to the German Embassy in Paris. The report contained nothing to show that Captain Dreyfus had been following treasonable practices or to connect him in any manner with the bordereau. The sole question for the Court-martial was whether the bordereau was in his handwriting. On this the experts were divided, three being of opinion that it was, two that it was not, in his handwriting.
"The Court-martial was duly held, and Captain Dreyfus had the aid of counsel, Maître Demange; but the first act of the Court was, at the instance of the Government representative, to declare the 'huis clos,' so that none but those concerned were present. After the evidence had been taken the Court, according to custom, adjourned to consider their verdict in private. Ultimately they found Captain Dreyfus guilty, and he was sentenced to be publicly expelled from the army and imprisoned for life. Not till after his conviction was he allowed to communicate with his wife and family. The sentence has been carried out with the utmost rigour. Captain Dreyfus was transported to the Isle du Diable [off the coast of French Guiana], where he lives in solitary confinement. … The Court-martial having been held within closed doors, the public at large knew nothing … beyond the fact that Captain Dreyfus had been convicted of betraying military secrets to a foreign Power, and they had no suspicion that there had been any irregularity at the Court-martial or that the verdict was a mistaken one. … For two years the Dreyfus question may be said to have slumbered. In the course of this time Colonel Sandherr, who died in January, 1897, had been compelled to retire from ill-health, and Commandant Picquart became head of the Intelligence Department. … In May, 1896, there were brought to the Intelligence Department of the War Office some more sweepings from Colonel von Schwarzkoppen's waste-paper basket by the same Alsatian porter who had brought the bordereau. These were put by Commandant Henry into a packet, and given by him (according to the usual custom) to Commandant Picquart. Commandant Picquart swears that amongst these were about 60 small pieces of paper. These (also according to custom) he gave to Commandant Lauth to piece together. When pieced together they were found to constitute the document which is known by the name of 'Petit bleu, à carte télégramme' for transmission through the Post-office, but which had never been posted. It was addressed to Commandant Esterhazy, and ran as follows:
"'J'attends avant tout une explication plus détaillée que celle que vous m'avez donnée, l'autre jour, sur la question en suspens. En conséquence, je vous prie de me la donner par écrit, pour pouvoir juger si je puis continuer mes relations avec la maison R … ou non. [I await, before anything farther, a more detailed explanation than you gave me the other day on the question now in suspense. In consequence, I request you to give this to me in writing, that I may judge whether I can continue my relations with the house of R. or not.] M. le Commandant Esterhazy, 27, Rue de la Bienfaisance, Paris.'
"At this time Commandant Esterhazy was a stranger to Commandant Picquart, and the first step which Commandant Picquart took was to make inquiry as to who and what he was. His character proved most disreputable, and he was in money difficulties. The next was to obtain a specimen of his handwriting in order to compare it with other writings which had been brought by spies to the office and were kept there. In this way it came about that it was compared with the facsimile of the bordereau, when, lo and behold, the writings of the two appeared identical. It was Commandant Esterhazy, then, who had written the bordereau, and if Commandant Esterhazy, then not Captain Dreyfus. … Commandant Picquart acquainted his chiefs with what had been done, namely, General de Boisdeffre in July, and his own immediate superior, General Gonse, in September. …
"On September 15 of the same year, 1896, took place the first explosion. This solely concerned the Dreyfus trial. On that day the 'Éclair,' an anti-Semite newspaper, published an article headed 'Le Traitre,' in which they stated that at the Court-martial the 'pièce d'accusation' on which Captain Dreyfus was tried was the bordereau; but that after the Court had retired to the 'chamber of deliberation,' there was communicated to them from the War Office, in the absence of the prisoner and his counsel, a document purporting to be addressed by the German military attaché to his colleague at the Italian Embassy in Paris, and ending with a postscript, 'Cet animal de Dreyfus devient trop exigeant'; further, that this document was the only one in which appeared the name Dreyfus. This at once had removed all doubts from the minds of the Court-martial, who thereupon had unanimously brought the prisoner in guilty; and the 'Eclair' called upon the Government to produce this document and thus satisfy the public conscience. This document has, for sufficient reasons hereinafter appearing, come to be known as 'le document libérateur,' and by this name we will distinguish it.
As to the article in the 'Eclair,' it must have proceeded either from a member of the Court-martial or from some one in the War Office; but whether its contents were true is a matter which to this day has not been fully cleared up. This much, however, is known. We have the authority of Maître Demange (Captain Dreyfus's advocate) that no such document was brought before the Court-martial during the proceedings at which he was present. On the other hand, it has now been admitted that at the date of Captain Dreyfus's trial there was, and that there had been for some months previously, in the archives of the War Office a similar document, not in the Dreyfus 'dossier' proper, but in a secret dossier, only that the words therein are not 'Cet animal de Dreyfus,' but 'Ce (sic) canaille de D ' (initial only) 'devient trop exigeant.' … The Government have never yet either admitted or denied that General Mercier went down to the Court-martial and made to them a secret communication. …
"As might have been expected, the article in the 'Eclair' occasioned a considerable stir; both parties welcomed it, the one as showing Captain Dreyfus to have been really a traitor and therefore justly deserving his sentence; the other as a proof that whether guilty or not he had been condemned illegally on a document used behind his back. The public excitement was increased when on the 10th of November the 'Matin,' a War Office journal, published what purported to be a fac-simile of the bordereau, and a host of experts and others set to work to compare it with the accused's handwriting. The reproduction was no doubt made, not from the original bordereau, which was in the sealed-up Dreyfus dossier, but from a photograph of it. And the photograph must have been obtained surreptitiously from some one in the War Office or from some one who had attended the secret Court-martial. … The natural sequel to these revelations was an interpellation in the Chamber, the 'interpellation Castelin' of November 18, 1896. On that day, M. Castelin, an anti-Semite deputy, by asking some question as to the safe custody of Dreyfus, gave the Government an opportunity. General Billot, then Minister of War, replied in general terms: 'L'instruction de l'affaire, les débats, le jugement, ont eu lieu conformément aux règles de la procédure militaire. Le Conseil de Guerre regulièrement compose, a regulièrement déliberé,' &c. ['The instructions, the debates, the verdict, have all taken place conformably to the rules of military procedure. The Court-martial, regularly composed, has deliberated regularly,' etc.] … On November 14, 1896, on the eve of the Interpellation Castelin, Commandant Picquart was sent on a secret mission, which has not been disclosed. He left his duties as head of the Intelligence Department nominally in the hands of General Gonse, his superior, but practically to be discharged by Commandant Henry, who was Commandant Picquart's subordinate. He requested his family to address their private letters for him to the War Office, whence they would be forwarded. His secret mission, or missions, took him first to Nancy, then to Besançon (permission being refused to him to return to Paris even for a night to renew his wardrobe), later on to Algeria and Tunisia, with instructions to proceed to the frontier. … In March, 1897, Commandant Picquart was appointed Lieutenant-Colonel of the 4th Tirailleurs, the appointment being represented to him as a favour. He was the youngest Colonel in the service. In his stead Commandant Henry became Chief of the Intelligence Department. … From the first Colonel Picquart had, of course, felt some uneasiness at being sent on these missions away from his ordinary duties, and various little circumstances occurred to increase it, and in May, 1897, having occasion to write unofficially to Commandant Henry, now Chief of the Intelligence Department, he expressed himself strongly as to the mystery and falsities with which his departure had been surrounded; and he received a reply dated June 3, in which Commandant Henry said that the mystery he could well enough explain by what had come to his knowledge after some inquiry, and he alluded in general to three circumstances (1) Opening letters in the post; (2) attempt to suborn two officers in the service to speak to a certain writing as being that of a certain person; and (3) the opening of a secret dossier.
The first Colonel Picquart knew to refer to his having intercepted Commandant Esterhazy's letters; the other two allusions he did not at the time (June, 1897) fully understand; but the letter, couched in such terms and coming from one who had until lately been his subordinate, and was now the head of the Department, convinced him that he was the object of serious and secret machinations in the War Office. He immediately applied for leave and came to Paris. There he determined, with a view to his self-defence, to obtain legal advice from an advocate, M. Leblois; saw him, and showed him Colonel Henry's letter, and, whilst abstaining (according to his own account and that of M. Leblois) from touching on the third matter, the secret dossier, spoke freely on the other two on the 'affaires' Dreyfus and Esterhazy generally; also, in order to explain how far he had acted with the sanction or cognizance of his superiors, he placed in his hands the correspondence not official but confidential about Commandant Esterhazy which he had had with General Gonse in 1896. He left it to M. Leblois to take what course he might think necessary, and returned to Sousse. In the course of the autumn he was summoned to Tunis and asked by the military authority there whether he had been robbed of a secret document by a woman. The question seemed a strange one and was answered by him with a simple negative. Later on he received at Sousse two telegrams from Paris, dated November 10. One: 'Arretez Bondieu. Tout est découvert. Affaire très grave. Speranza.' This was addressed to Tunis and forwarded to Sousse. The other: 'On a des preuves que le bleu est fabriqué par Georges. Blanche.' This was addressed to Sousse. And two days after he received a letter, likewise of November 10, from Esterhazy, an abusive one, charging him with conspiring against him, &c. He felt certain that the telegrams were sent in order to compromise him. … Colonel Picquart suspected Commandant Esterhazy to be the author of the telegrams, the more so that in Commandant Esterhazy's letter and in one of the telegrams his own name Picquart was spelt without a c. He at once telegraphed to Tunis for leave to come and see the General there.
He did see him and through him forwarded to the Minister of War the three documents, with a covering letter in which he demanded an inquiry. He then obtained leave to go to Paris, but the condition was imposed on him that he should see no one before presenting himself to General de Pellieux. When he saw the General he learnt for the first time and to his surprise that ever since he left Paris in November, 1896, his letters had been intercepted and examined at the War Office and he was called upon to explain various letters and documents. …
"Before June, 1897, Commandant Esterhazy's name had not been breathed to the public; it is now to come out, and from two independent sources. Some little time after seeing Colonel Picquart, in June, 1897, M. Leblois had determined, in his interest, to consult M. Scheurer-Kestner, who was well known to have taken an interest in the 'affaire Dreyfus,' because of the suspicion that Captain Dreyfus had been condemned on a document which he had never seen and because of the discrepancies between Captain Dreyfus's handwriting and that of the bordereau. He was Vice-President of the Senate and a personal friend of General Billot, the Minister of War. M. Leblois communicated to him what he knew about Commandant Esterhazy and showed him General Gonse's letters to Colonel Picquart. In October M. Scheurer-Kestner communicated on the subject both with General Billot and with the President of the Council, M. Méline. He was now to learn the name of Commandant Esterhazy from another quarter. One afternoon in the end of October a M. de Castro, a stock-broker, was seated in a cafe in Paris, and a boy from the street came up with copies of the facsimile of the bordereau, which had then been on sale for more than a year. M. de Castro bought a copy, and at once recognized, as he thought, the handwriting of the bordereau to be that of Commandant Esterhazy, who was a client of his. He took the copy home, compared it with letters of Commandant Esterhazy, and all doubts vanished. His friends told M. Matthieu Dreyfus, who begged him to take the letters to M. Scheurer-Kestner, and he did so on November 12, 1897, and M. Scheurer-Kestner advised that M. Matthieu Dreyfus should go to General Billot and denounce Commandant Esterhazy as the author of the bordereau. And now to turn to Commandant Esterhazy. His own statement is this. 
In the month of October, 1897, when in the country, he received a letter from 'Speranza' giving minute details of a plot against himself, the instigator of which was, Speranza said, a colonel named Picquart (without the c). He at once went to Paris, saw the Minister of War, and gave him Speranza's letter. Shortly afterwards he received a telegram asking him to be behind the palisades of the bridge Alexander III. at 11.30 p.m. He would there meet a person who would give him important information. He kept his appointment, met a veiled woman, who, first binding him over under oath to respect her incognito, gave him long details of the plot of the 'band' against himself. Afterwards he had three similar interviews, but not at the same place. At the second of these four interviews the unknown woman gave him a letter, saying: 'Prenez la pièce contenue dans cette enveloppe, elle prouve votre innocence, et si le torchon brûle, n'hésitez pas à vous en servir.' ['Take the piece contained in this envelope, it proves your innocence, and if there is trouble do not hesitate to use it.'] This document, henceforward called 'le document libérateur,' was no other than the letter referred to in the 'Eclair' (ce canaille de D.), which, of course, ought to have been safe in the archives of the Intelligence Department. On November 14 Commandant Esterhazy returned this document to the Minister of War under a covering letter in which he called upon his chief to defend his honour thus menaced. The Minister of War sent Commandant Esterhazy a receipt. The next day the Minister received a letter from M. Matthieu Dreyfus denouncing Commandant Esterhazy as the author of the bordereau. The letter of Speranza to Commandant Esterhazy has not yet been divulged to the public; and the War Office, after diligent inquiries, have not been able to find the veiled woman. Very different was the interpretation put on this narrative by M. Trarieux, ex-Minister of Justice, and others interested in revision.
Their suggestion was that Commandant Esterhazy was in the first instance apprised beforehand by his friends in the War Office of the coming danger and was for flying across the frontier, but that subsequently these same friends, finding that the chiefs of the army were fearful of being compromised by his flight from justice and would make common cause with him, wished to recall him, and with this view, took from the archives the 'document libérateur,' and sent it to him as an assurance that he might safely return and stand his trial, and also with a view to his claiming the credit of having restored to the office a document which it was now intended to charge Colonel Picquart with abstracting. On November 16, 1897, on a question being asked in the Chamber, General Billot, Minister of War, replied that he had made inquiries, and the result 'n'ébranlait nullement dans mon esprit l'autorité de la chose jugée,' but that as a formal denunciation of an officer of the army had been made by the 'famille Dreyfus,' there would be a military investigation. A fortnight or so afterwards he repeated that the Government considered the 'affaire Dreyfus comme régulièrement et justement jugée.' Here, as elsewhere, the reader will remember that the question at issue was who was the author of the bordereau, and that if Captain Dreyfus was, Commandant Esterhazy could not be. Consequently, a public declaration by the Minister of War that Captain Dreyfus had been justly condemned was as much as to say that Commandant Esterhazy must be acquitted. … Commandant Esterhazy was acquitted.
"On the morrow of Commandant Esterhazy's acquittal M. Zola launched his letter of January 13, 1898, which was addressed to the President of the Republic, and wound up with a series of formal accusations attributing the gravest iniquities to all concerned in either of the Courts-martial, each officer being in turn pointedly mentioned by name. M. Zola's avowed object was to get himself prosecuted for defamation and so obtain an opportunity for bringing out 'la lumière' on the whole situation. The Minister of War so far accepted the challenge as to institute a prosecution at the Assizes; but resolving to maintain the 'chose jugée' as to the 'affaire Dreyfus,' he carefully chose his own ground so as to avoid that subject, selecting from the whole letter only 15 lines as constituting the defamation.
In particular as to one sentence, which ran: ['J'accuse enfin le Premier Conseil de Guerre d'avoir violé le droit en condamnant un accusé sur une pièce restée secrète, et] j'accuse le Second Conseil de Guerre d'avoir couvert cette illégalité par ordre, en commettant à son tour le crime juridique d'acquitter sciemment un coupable'; ['I accuse, finally, the first Court-martial of having violated the law in its conviction of the accused on the strength of a document kept secret; and I accuse the second Court-martial of having covered this illegality, acting under orders and committing in its turn the legal crime of knowingly acquitting a guilty person.']
"The prosecution omitted the first half of the sentence, the part within brackets. By French law it is for the defendants to justify the defamatory words assigned, and to prove their good faith. But this was a difficult task even for M. Labori, the counsel for M. Zola. There were several notable obstacles to be passed before light could reach the Court:
1. The 'chose jugée' as applicable to the 'affaire Dreyfus.'
2. The 'huis clos'; the whole proceedings at the Dreyfus trial, and all the more important part of the proceedings at the Esterhazy trial, having been conducted within closed doors.
3. The 'secret d'Etat' excluding all reference to foreign Governments.
4. The 'secret professionnel,' pleaded not only by officers civil and military, but even by the experts employed by the Court for the identification of handwriting.
5. To these may be added the unwillingness of a witness for any reason whatever.
Thus Colonel Du Paty de Clam was allowed to refuse to answer questions as to his conduct in family affairs; and, as for Commandant Esterhazy, he turned his back on the defendants and refused to answer any question whatever suggested by them, although it was put to him by the mouth of the Judge. … Of the above-mentioned obligations to silence, three were such as it was within the competence of the Government to dispense from. No dispensation was given, and hence it was that the Minister of War was seen as prosecutor pressing his legal right to call upon the defendants, under pain of conviction, to prove the truth of the alleged libel, and at the same time, by the exercise or non-exercise of his official authority, preventing the witnesses for the defence from stating the facts which were within their knowledge and most material to the truth. But the 'chose jugée' was a legal entity by which was meant not merely that the sentence could not be legally disputed, but that it was to be accepted as 'la vérité légale'; no word of evidence was to be admitted which in any way referred to any part of the proceedings; the whole affair was to be eliminated. The bar thus raised was very effectual in shutting out of Court large classes of witnesses who could speak only to the 'affaire Dreyfus' … whatever was the rule as to the 'chose jugée,' it should have been enforced equally on both parties. This was not always the case. One single example of the contrary shall be given, which, as will be shown hereafter, events have proved to be of the utmost significance. General de Pellieux had completed his long evidence, but having received from 'a Juror' a private letter to the effect that the jury would not convict M. Zola unless they had some further proof of the guilt of Captain Dreyfus, on a subsequent day he asked leave to make a supplementary deposition and then said:
"'Au moment de l'interpellation Castelin [i. e., in 1896] il s'est produit un fait que je tiens à signaler. On a eu au Ministère de la Guerre (et remarquez que je ne parle pas de l'affaire Dreyfus) la preuve absolue de la culpabilité de Dreyfus, et cette preuve je l'ai vue. Au moment de cette interpellation, il est arrivé au Ministère de la Guerre un papier dont l'origine ne peut être contestée, et qui dit, je vous dirai ce qu'il y a dedans, "Il va se produire une interpellation sur l'affaire Dreyfus. Ne dites jamais les relations que nous avons eues avec ce juif."' ['At the time of the Castelin interpellation (1896) there was a fact which I want to point out. The Ministry of War held (remark that I am not speaking of the Dreyfus case) absolute proof of the guilt of Dreyfus; and this proof I have seen. At the moment of that interpellation there arrived at the Ministry of War a paper the origin of which is incontestable, and which says, I will tell you what it says, "There is going to be an interpellation about the Dreyfus affair. You must never disclose the relations which we had with that Jew."'] And General de Pellieux called upon General de Boisdeffre and General Gonse to confirm what he said, and they did so. But when M. Labori asked to see the document and proposed to cross-examine the generals upon it, the Judge did not allow him, 'Nous n'avons pas à parler de l'affaire Dreyfus.' It may be conceived what effect such a revelation, made by the chiefs of the French army in full uniform, had upon the jury. They pronounced M. Zola guilty and found no extenuating circumstances; and he was sentenced by the Judge to the maximum penalty, viz., imprisonment for a year and a fine of 3,000 francs.
"On April 2 the Zola case is brought up before the Court of Cassation [the French Court of Appeals] and the Court quashes the verdict of the Assizes, on the technical ground that the prosecution had been instituted by the wrong person. The Minister of War was incompetent to prosecute; the only persons competent were those who could allege they had been defamed, in this instance the persons constituting the Esterhazy Court-martial. … The officers who had sat at the Esterhazy Court-martial were then called together again in order to decide whether M. Zola should be reprosecuted. To put a stop to any unwillingness on their part, M. Zola published in the 'Siècle' of April 7 a declaration of Count Casella, which the Count said he would have deposed to on oath at the former trial if the Judge had allowed him to be a witness. This declaration gave a detailed history of various interviews in Paris with Count Panizzardi, the military attaché at the Italian Embassy, and at Berlin with Colonel von Schwarzkoppen, who had been the military attaché at the German Embassy. According to Count Casella, both these officers had declared positively to him that they had had nothing to do with Captain Dreyfus, but Colonel von Schwarzkoppen much with Commandant Esterhazy. It will be said that this declaration of Count Casella had not been sifted by cross-examination; but it is understood that at the end of 1896, immediately after the 'Éclair' made the revelation of 'le document libérateur,' both the German and Italian Governments made a diplomatic representation to the French Government, denying that they had had anything to do with Captain Dreyfus.
At all events, in January, 1898, official denials had been publicly made by the German Minister of Foreign Affairs to the Budget Commission of the Reichstag and by the Italian Under-Secretary for Foreign Affairs to the Parliament at Rome. The officers of the Court-martial resolve to reprosecute, and the case is fixed for the May Assizes at Versailles. When the case comes on, M. Zola demurs to its being tried outside Paris; the demurrer is overruled by the Court of Cassation, and ultimately, on July 18, the case comes on again at the Versailles Assizes. The charge, however, is now cut down from what it had been on the first trial in Paris. Of the whole letter of M. Zola now only three lines are selected as defamatory, viz.: 'Un conseil de guerre vient par ordre d'oser acquitter un Esterhazy, soufflet suprême à toute vérité, à toute justice.' ['The Court-martial has by order dared to acquit an Esterhazy, supreme blow to all truth, to all justice.'] This selection was manifestly designed to shut out any possibility of reference to the 'affaire Dreyfus,' and M. Labori, finding that any attempt to import it would be vain, allowed the case to go by default, and M. Zola was condemned and, as before, sentenced to a year's imprisonment and a fine of 3,000f. He has appealed to the Cour de Cassation, and the appeal may be heard in the course of the autumn. To secure his own liberty in the meantime, M. Zola has avoided personal service of the order of the Assizes by removing beyond the frontier.
"We will now go back to Colonel Picquart. During the year 1897 he had become aware that in the Intelligence Department suspicions were expressed that the 'petit-bleu' was not a genuine document and insinuations made that Colonel Picquart had forged it. … The ground on which this imputation was rested came out clearly in the evidence which was given subsequently in the Zola trial, to which reference may now be made. The sweepings of Colonel von Schwarzkoppen's basket had been brought by a spy to the Intelligence Department, and were given first into the hands of Commandant Henry, who put them into a packet or 'cornet' and passed them on to Colonel Picquart to examine. Colonel Picquart swore that on examination he had found amongst the papers a large number of fragments, fifty or sixty. These he gave to Commandant Lauth to piece together and photograph. When pieced together they were found to constitute the 'petit-bleu' addressed to Commandant Esterhazy, who at that time was a perfect stranger to Colonel Picquart. At the Zola trial Colonel Henry had sworn that the pieces were not in the 'cornet' when he gave it to Colonel Picquart, and the insinuation was that Colonel Picquart had forged the document, torn it in pieces, and put the pieces into the 'cornet.' … Commandant Esterhazy was acquitted by the Court-martial, and on the very next day Colonel Picquart was himself summoned to submit to a military inquiry. The Court-martial sat with closed doors, so that neither the charges nor the proceedings nor the findings would be known to the public, but the findings have found their way into the newspapers. [Picquart cleared himself on the main charges.] … But as to the charge (which had never been disputed) that in 1897 Colonel Picquart had communicated General Gonse's letters to M. Leblois, this the Court found to be proved; and for this military offence Colonel Picquart was removed from the army upon a pension of a little more than 2,000f., or £80, per annum. Other chastisements have followed. …
"We now come to the famous declaration of July 7 (1898), made by M. Cavaignac, Minister of War. On an interpellation by M. Castelin, the Minister of War replied that hitherto the Government had respected the 'chose jugée,' but now considerations superior to reasons of law made it necessary for them to bring before the Chamber and the country all the truth in their possession, the facts which had come to confirm the conviction of Captain Dreyfus. He made this declaration because of the absolute certainty he had of his guilt. He based his declaration first on documents in the Intelligence Department, and then on Captain Dreyfus's own confessions. The latter will here be dealt with first. The Minister relied on two witnesses. One was Captain d'Attel, who on the day of Captain Dreyfus's resignation had told Captain Anthoine that Captain Dreyfus had just said in his presence, 'As to what I have handed over, it was worth nothing. If I had been let alone I should have had more in exchange.' Captain Anthoine had, according to the Minister, immediately repeated these words to Major de Mitry. But Captain d'Attel is dead, and M. Cavaignac did not state to the Chamber at what date or on whose authority this information came to the War Office. The other witness was a Captain Lebrun-Renault, still alive, who had acted as captain of the escort on the day of degradation, January 5, 1895. … The Minister omits to specify the date at which Captain Lebrun-Renault first communicated to the War Office. It is believed to be in November, 1897; and against these allegations may be set the testimony of Commandant Forzinetti, the governor of the prison in which Captain Dreyfus was confined, to the effect that there is no record of confession in the official report made at the time by Captain Lebrun-Renault, as Captain of the escort, and that within the last year the Captain had denied to him (Commandant Forzinetti) that there had been any confession. Further we know that throughout his imprisonment before trial, at the trial, at the scene of his degradation, and in his letter written immediately afterwards to his wife, and to the Minister of War, Captain Dreyfus protested his innocence and that he had never committed even the slightest imprudence.
"Then as to the documents confirmatory of the conviction of Captain Dreyfus. M. Cavaignac did not say whether by this term 'guilt' he meant that Captain Dreyfus had been guilty of writing the bordereau, or had been guilty otherwise as a traitor. Indeed it was remarked that he never so much as mentioned the bordereau. Was, then, the bordereau dropped, as a document, no longer recognized to be in the handwriting of Captain Dreyfus? But he informed the Chamber that the Intelligence Department had during the last six years accumulated 1,000 documents and letters relating to espionage, of the authorship of which there was no reasonable doubt.
He would call the attention of the Chamber to only three, all of which, he said, had passed between the persons who had been mentioned (Colonel von Schwarzkoppen and M. Panizzardi). Here again it was noticed that the 'document libérateur' (ce canaille de D.) was not mentioned. Had this, too, been dropped as no longer to be relied upon, because 'D.' did not mean Dreyfus, or was it now omitted because it had been produced at the Court-martial by General Mercier and therefore could not be said to be confirmatory of his conviction? Of the three documents which M. Cavaignac specified, the first, dated in March, 1894, made reference to a person indicated as D.; the second, dated April 16, 1894, contained the expression 'cette canaille de D.,' the same as that used in the 'document libérateur.' The third was no other than 'la preuve absolue' which General de Pellieux had imported into his evidence in the Zola trial as having been in the hands of the Government at the time of the Castelin interpellation in November, 1896. M. Cavaignac read out its contents, of which the following is an exact transcript: 'J'ai lu qu'un député va interpeller sur Dreyfus. Si je dirai que jamais j'avais des relations avec ce Juif. C'est entendu. Si on vous demande, dites comme ça, car il faut pas que on sache jamais personne ce qui est arrivé avec lui.' ['I read that a deputy is going to question concerning Dreyfus. I shall say that I never had relations with that Jew. If they ask you, say the same, for it is necessary that we know no one who approaches him.'] M. Cavaignac went on to say that the material authenticity of this document depended not merely on its origin, but also on its similarity with a document written in 1894 on the same paper and with the same blue pencil, and that its moral authenticity was established by its being part of a correspondence exchanged between the same persons in 1896. 'The first writes to the other, who replies in terms which left no obscurity on the cause of their common uneasiness.' The Chamber was transported with the speech of the Minister of War, and, treating it as a 'coup de grâce' to the 'affaire Dreyfus,' decreed by a majority of 572 to two that a print of it should be placarded in the 36,000 communes of France. On the next day Colonel Picquart wrote a letter to the Minister of War undertaking to prove that the first two documents had nothing to do with Captain Dreyfus, and that the third, 'la preuve absolue,' was a forgery. Within six weeks his words as to 'la preuve absolue' come true. On August 31 the public are startled with the announcement that Colonel Henry has confessed to having forged it himself, and has committed suicide in the fortress Mont Valérien, being found with his throat cut and a razor in his left hand. The discovery of the forgery was stated to have arisen from a clerk in the Intelligence Department having detected by the help of a specially strong lamp that the blue paper of 'la preuve absolue' was not identical with the blue paper of a similar document of 1894 which M. Cavaignac had relied upon as a proof of its material authenticity.
… As a sequel to this confession, General de Boisdeffre, chief of the staff, has resigned, feeling he could not remain after having placed before the Minister of War as genuine a document proved to be a forgery. Commandant Esterhazy has been removed from the