1 / 44

Threats to Software Security Integrated with the Safety Planning Process

Threats to Software Security Integrated with the Safety Planning Process. Phil Cooke Battlespace Management - Safety Policy Royal Air Force. Contents. Introduction Stuxnet – the first of many Latest ‘Mask’ Malware A Need to Do More Safety vs Security, Failure vs Attack

kobe
Télécharger la présentation

Threats to Software Security Integrated with the Safety Planning Process

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Threats to Software SecurityIntegrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force

  2. Contents • Introduction • Stuxnet – the first of many • Latest ‘Mask’ Malware • A Need to Do More • Safety vs Security, Failure vs Attack • Attack Trees and Guide Words • Simple Case Studies

  3. Safety in the Traditional Sense FSSE – Nature of accidents Flixborough 1974 Health and Safety at Work etc Act 1974

  4. Safety in the Traditional Sense FSSE – Nature of accidents Challenger 1986 Leakage issue on previous flights

  5. Safety in the Traditional Sense FSSE – Nature of accidents Bexley 1997 Maintenance issues, Overloading wagons and excess speed

  6. Background and Motivation Pervious working environment Stuxnet Virus 2009/2010 Interest in Supervisory Control and Data Acquisition (SCADA) systems including Programmable Logic Controllers (PLCs) New Role working in ATM environment Desire to combine knowledge of Security and Safety as little exists on this subject

  7. Stuxnet – The First (?) of Many (?) Virus discovered in Jun 2010, origin back in Jun 09 Targets a very specific hardware/software configuration at Natanz, Iran – Uranium reprocessing facility Executes by re-programming the PLC out of specified boundaries Virus deployed via USB pen drive on maintenance laptop Duqu discovered in Sep 11 thought to be connected to Stuxnet Flame discovered in May 2012 thought to be connected to Stuxnet

  8. Stuxnet 0.5 Stuxnet 1.0 discovered in Jun 2010 Variants later discovered but traced back as early as Nov 2007 and development as early as 2005 Similar attack vector but closed valves instead of changing the rotation speed of centrifuges More versions known to exist but code has never been recovered Many other SCADA systems vulnerable to attack

  9. RAS Gas computer systems taken off line days after a similar attack on Aramco (Aug 12) Saudi Arabia’s national oil company was attacked by the Shamoon virus, which targets energy sector infrastructure (Aug 12)

  10. Mask Malware Aimed at Gov’ts and Finance Firms Probably created by a Nation State Reported by Kaspersky/BBC Technology website on 11 Feb 2014 Involved in cyber espionage operations since at least 2007 Ahead of Duqu in terms of sophistication Is this just the tip of the Iceberg?

  11. How Skilled Do You Need To Be?

  12. A Need to Do More Security and Safety need to be considered as a unity of specialisations and not just bolt-on’s to each other. Similarities with Safety a number of years ago? Develop a methodology to integrate security aspects into the safety analysis process Cross domain applicability Ability to apply at any stage of the safety lifecycle to capture legacy projects

  13. Safety vs Security, Failure vs Attack Systems need to operate in a safe manner Systems need to be maintainable by many different and disparate parties Systems need to fail safe Systems need to be resilient and resistant to attack

  14. What Previously Existed Security Processes or Tools Casals et al, 2012 6 Step Process 1st 3 Steps considered and developed Context establishment Preliminary Risk Assessment Vulnerability Assessment

  15. What Previously Existed Attack Trees Schneier, 1999 Used within the US DoD Defense Acquisition Guidebook (US DoD 2012) Simple example is an activity such as trying to open or break into a safe. Helpful to have Guide Words to assist in the process

  16. Guide (Threat) Words • Prof McDermott • Art rather than a Science • Opdahl and Sindre • Brainstorming activity • Use process similar to FHA • SHARD guidewords – Omission. Commission, Early, Late, Value • Look for Threat Words rather than Guide Words • Configuration, Authentication, Jamming, Replay, Lifecycle (learning)

  17. Methodology Development • Context Establishment • Preliminary Risk Assessment • Vulnerability Assessment

  18. Case Study 1 – Implantable Medical Device Devices able to administer medication at varying rates Read patients state and report back to a physician Remote diagnostic/treatment Implantable Cardiac Defibrillators (ICDs) Drug Delivery Systems (eg Insulin Pumps) Neurostimulators (eg for Parkinson’s Disease)

  19. Context Establishment Considers IMDs in general, no FTA Threat words: Access Identification or Privacy Configuration Authorisation Availability Distance Frequency Safety

  20. Context Establishment Define Initial Security Context Passive or active or coordinated adversaries, Insider attack. Active Adversary Attack Tree

  21. Preliminary Risk Assessment Identify Primary Assets IMD, programming devices, management devices Identify Threats to Security From research, encryption is not used between IMDs and supporting equipment, however the signalling format could be spoofed allowing unauthorised transmissions to be sent. Devices transmit when a magnet is placed nearby Device programmable or readable 24hrs per day? Define Scenarios Affecting Safety Patient entering a treatment room in a non-local environment Important or influential figure fitted with IMD Organised Crime gangs seeking to steal device

  22. Preliminary Risk Assessment Patient in a non-local environment

  23. Preliminary Risk Assessment Establish Likelihood of Occurrence As of 2012, no evidence could be found regarding attacks on IMDs Kramer et al, 2012, states “there are no known case reports of malevolent interference that specifically target medical device function”

  24. Preliminary Risk Assessment Severity of Outcome Worst case is death Least is possible early failure of device Most devices are 5-7 years so replacement is always assumed necessary at some future point

  25. Vulnerability Assessment Identify Vulnerable Assets IMD and supporting equipment Identify Vulnerabilities Replay Attack Electromagnetic interference Malware on supporting PC DoS attack Develop Attacks using Attack Trees

  26. Evaluation and Further Work IMD use and proliferation is growing Technology is outpacing Security, not Safety Possibly security through ambiguity Stuxnet was directed at 2 specific targets worldwide IMDs must have high security but ease of access Consider a dual approach – threat in one direction, vulnerability in the other

  27. Case Study 2 – European Railway Traffic Management System - ERTMS The ERTMS aims to replace the many different national train control and command systems in Europe with a standardised system. System relies upon the GSM networks. A full and complete security audit was performed on the ERTMS and in précis was: The specs from a safety perspective were considered and safety requirements for technical interoperations were derived Consideration of the context in which ERTMS operates and its trust relationships with other systems Both top down and bottom up approaches investigated Attack scenarios devised and graded

  28. Context Establishment System description available from ERTMS web page

  29. Context Establishment Define Threat Words: Location Balise position Cuttings, tunnels, shadowing by other trains GPS used as a backup when GSM is lost? Access Data - system uses cryptography and all users have same key Data – GSM-R: Handsets authenticate with the network but not vice versa Physical – some data is entered locally Identification Each train has a unique identity – spoofing? Balises are not physically protected GSM repeater could be spoofed and information extracted

  30. Context Establishment Define Threat Words: Authorisation Can the driver override some or all aspects? How is this recorded? If GSM-R is the sole source of authorisation, what happens in an outage? Jamming Passenger using small GSM jamming device – what effect to ERTMS? What precedence is given to GSM-R traffic? Etc etc

  31. Context Establishment Define Initial Security Context What could be gained from attacking the system How could the system be attacked? What capabilities would the attacker need?

  32. Context Establishment Develop Attack Trees

  33. Preliminary Risk Assessment Identify Primary Assets European Train Control System – ETCS GSM-R – railway specific system built upon GSM standards ETCS Onboard Trackside Balises Radio Comms System (GSM-R) Radio Block Centres – issue movement authorisations to trains

  34. Preliminary Risk Assessment Identify Threats to Security 93 page report written on the “ERTMS Specification Security Audit Analysis of Attack Scenarios” 29 July 2011 Balise location considered for the remainder of the case study Uses standard transmission protocol Position or positional data could be affected Metallic structures affecting balise signal performance

  35. Preliminary Risk Assessment Define Scenarios Affecting Safety Reputational/financial attack by an active aggressor but with limited technical knowledge of the system Balise is moved closer to or further away from neighbour thus changing the reported position of the train or causing an error signal to be generated Establish Likelihood of Occurrence Hard to estimate without greater technical knowledge of the system

  36. Preliminary Risk Assessment Define Severity of Outcome Also hard to estimate without greater system knowledge Train movements would be scheduled to allow for greatest traffic flow but with sufficient time in-between trains for safety reasons similar to airport arrival and departure traffic. Positional errors would need to be evaluated for different areas. Busy junctions (Clapham junction) would work with a smaller error than a remote location with a low density of points

  37. Preliminary Risk Assessment

  38. Vulnerability Assessment Identify Vulnerable Assets Large proportion of the system relies on assets outside the control or standards of the ERTMS GSM-R may be adaptable but GSM unlikely Balise and programming device Driver (always has positive control) Network infrastructure Remember O2 outage in 2012 where some users affected but not others? Identify Vulnerabilities Network Outages

  39. Vulnerability Assessment GSM_R Outage Vulnerability

  40. Evaluation and Further Work 3 Aspects considered in Context evaluation Why, How, What Full Set Why, How, What, Where, When, Who Generation of a threat word taxonomy External systems are vital to operation of the system yet limited control or authority available Partial failures must be considered (O2 Outage)

  41. References ANONYMISED (2010). Information security audit of ERTMS, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders. ANONYMISED (2011). ERTMS specification security audit – Analysis of attack scenarios, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders. Casals, S., Owezarski, P. and Descargues, G. (2012). Risk assessment for airworthiness security. Safecomp 2012 [Online]. Available at: http://hal.archives-ouvertes.fr/docs/00/69/85/23/PDF/ Risk_Assessment_for_Airworthiness_Security_8p_.pdf [Accessed 12 June 2012]. Falliere, N., O Murchu, L. and Chien, E. (2011). W32.Stuxnet dossier. [Online] Symantec Security Response. February 2011. Available at: http://www.symantec.com/content/en/us/enterprise/ media /security_response/whitepapers/w32_stuxnet_dossier.pdf [Accessed 22 February 2012]. Kramer, D., Baker, M., Ransford, B., Molina-Markham, A., Stewart, Q., Fu, K and Reynolds, M. (2012). Security and privacy qualities of medical devices: An analysis of FDA postmarket surveillance. PLoS One, 7(7), e40200. doi:10.1371/journal.pone.0040200 McDermott, J. (2000). Attack net penetration testing. New Security Paradigms Workshop 2000. McDonald, G., Murchu, L., Doherty, S., Chien, E., (2013). Stuxnet 0.5: The Missing Link. [Online] Symantec Security Response. February 2013. Available at: http://www.symantec.com/content/en/us/enterprise/media/ security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf [Accessed 20 February 2014]. Opdahl, A. and Sindre, G. (2008). Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology, 51(5), 916-932. Schneier, B. Attack Trees. [Online]. Dr Dobbs Journal, December 1999. Available at: http://www.schneier.com/paper-attacktrees-ddj-ft.html [Accessed 1 July 2012]. US DoD (2012). Defense Acquisition Guidebook. [Online]. Available at: http://at.dod.mil/docs/ DefenseAcquisitionGuidebook.pdf [Accessed 1 July 2012].

More Related