Fulfill the security policies and enable smart services without risking the network, systems or data of the product operator or of the service provider. This pilot use case explores the consequences of insecure Cyber-Physical Systems (CPS) and presents a state-of-the-art approach and results for achieving highly secured inter-cloud connectivity.
High Secured Inter-Cloud Connectivity via Public Networks
Andreas Aldrian, AVL List GmbH, andreas.aldrian@avl.com
Christoph Schmittner, Austrian Institute of Technology, Christoph.schmittner.fl@ait.ac.at
Storyline
• Pilot Use Case
• Consequences of insecure CPS
• Goal
• State of the Art
• Approach
• Results
Use case in a nutshell
Topology: AVL product @customer (isolated network) -> internet -> AVL; no inbound initiation, no routing.
• Typical use cases:
  • remote interaction
  • remote updates of software/firmware
  • health and status tracking
  • pre-emptive services (condition based)
  • logistic purposes
  • reporting of availability and utilization
Consequences of insecure CPS
Modern ICS and CPS require connection, cooperation, automation.
These (often legacy) systems have diverse operational and communication requirements (interfaces, protocols).
Referenced incidents:
• http://www.symantec.com/connect/blogs/iot-devices-being-increasingly-used-ddos-attacks
• http://www.theregister.co.uk/2016/03/24/water_utility_hacked/
• https://www.sentryo.net/cyberattack-on-a-german-steel-mill/
• http://www.networkworld.com/article/2225104/microsoft-subnet/not-cyber-myths--hacking-oil-rigs--water-plants--industrial-infrastructure.html
Goal
Fulfill the security policies and enable smart services without risking:
• network, system or data of the product operator and of the service provider
• safety or reliability of machinery
State of the Art
First industrial security standard: IEC 62443: Industrial communication networks - Network and system security.
Considers IT security, security of machinery and also impacts on safety and reliability.
(Slide shows a status overview of the IEC 62443 parts; statuses listed: Available, Draft, Under Review, Development, Planned.)
Approach
We needed something which works for safety & security.
We developed an approach for safety & security analysis and an iterative design workflow.
Safety & Security analysis approach
System model -> security objectives, failure catalogue, threat catalogue, survey (based on ISO 27005, IEC 60812, Microsoft STRIDE) -> unified catalogue -> impact assessment and likelihood assessment -> risk assessment (based on ETSI TS 102 165-1, IEC 60812) -> risk catalogue.
Simplified system model
To ease risk assessment some components have been combined:
• strongly related processes within a trust boundary
• data flows between the same components
Threat & Failure Catalogue
Similar approach for safety and security: use the system model and identify potential manipulations (STRIDE) or deviations (failure modes) from normal operation.
STRIDE: Spoofing of user identity, Tampering, Repudiation, Information disclosure, Denial of service (DoS), Elevation of privilege.
Failure modes for communication or processing units: Missing Data, Incorrect Data, Timing of Data, Extra Data, Halt/Abnormal, Omitted Event, Incorrect Logic, Timing/Order.
Risk Catalogue
• Investigate overlap between safety and security effects
• Estimate risk based on impact and likelihood
• Formulate safety and security goals
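The analysis steps on the preceding slides (simplified system model, STRIDE threat catalogue, failure-mode catalogue, impact x likelihood risk catalogue, safety/security overlap, goals) carried through on a toy model, as an added example that is not part of the slides or the authors' tooling. The component names, data flows, 1..5 impact and likelihood ratings, the exposure modifier for flows crossing the public network, and the table of which failure modes a manipulation can induce are all constructed assumptions for illustration.

```python
"""Unified threat/failure catalogue and risk ranking for a simplified system model.

Added example (not the authors' method or values): every rating and table below is
constructed for illustration.
"""
from dataclasses import dataclass

STRIDE = ["Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege"]
FAILURE_MODES = ["Missing Data", "Incorrect Data", "Timing of Data", "Extra Data",
                 "Halt/Abnormal", "Omitted Event", "Incorrect Logic", "Timing/Order"]

# Constructed 1..5 impact and likelihood ratings per deviation.
IMPACT = {"Spoofing": 4, "Tampering": 5, "Repudiation": 2, "Information disclosure": 3,
          "Denial of service": 3, "Elevation of privilege": 5,
          "Missing Data": 3, "Incorrect Data": 5, "Timing of Data": 3, "Extra Data": 2,
          "Halt/Abnormal": 4, "Omitted Event": 3, "Incorrect Logic": 4, "Timing/Order": 3}
LIKELIHOOD = {d: 2 for d in STRIDE + FAILURE_MODES}
LIKELIHOOD.update({"Repudiation": 1, "Information disclosure": 3,
                   "Denial of service": 3, "Elevation of privilege": 1})
# Constructed overlap table: failure modes a successful manipulation can induce.
INDUCED = {"Tampering": ["Incorrect Data"],
           "Denial of service": ["Missing Data", "Timing of Data"],
           "Spoofing": ["Extra Data"]}


@dataclass(frozen=True)
class Component:
    name: str
    trust_boundary: str  # e.g. "customer" or "avl"


@dataclass(frozen=True)
class Flow:
    source: str
    dest: str
    labels: tuple  # data items carried; merged flows carry several


@dataclass(frozen=True)
class Entry:
    kind: str        # "security" (STRIDE) or "safety" (failure mode)
    target: str      # component name or "source->dest"
    deviation: str
    impact: int
    likelihood: int

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood


def build_model():
    """Constructed toy model of the pilot use case (hypothetical names)."""
    components = [Component("product", "customer"), Component("mediator", "customer"),
                  Component("avl_cloud", "avl")]
    raw_flows = [("product", "mediator", "status"), ("product", "mediator", "telemetry"),
                 ("mediator", "product", "update"), ("mediator", "avl_cloud", "publish"),
                 ("avl_cloud", "mediator", "command")]
    return components, raw_flows


def simplify_flows(raw_flows):
    """Merge data flows between the same pair of components (simplified model)."""
    merged = {}
    for src, dst, label in raw_flows:
        merged.setdefault((src, dst), []).append(label)
    return [Flow(src, dst, tuple(labels)) for (src, dst), labels in merged.items()]


def crosses_boundary(flow, components):
    zones = {c.name: c.trust_boundary for c in components}
    return zones[flow.source] != zones[flow.dest]


def rate(kind, target, deviation, exposed):
    # Exposure to the public network raises likelihood by one (capped at 5).
    likelihood = min(5, LIKELIHOOD[deviation] + (1 if exposed else 0))
    return Entry(kind, target, deviation, IMPACT[deviation], likelihood)


def unified_catalogue(components, flows):
    """STRIDE on data flows; failure modes on communication and processing units."""
    entries = []
    for f in flows:
        target, exposed = f"{f.source}->{f.dest}", crosses_boundary(f, components)
        entries += [rate("security", target, s, exposed) for s in STRIDE]
        entries += [rate("safety", target, m, exposed) for m in FAILURE_MODES]
    for c in components:
        entries += [rate("safety", c.name, m, False) for m in FAILURE_MODES]
    return entries


def risk_catalogue(entries):
    return sorted(entries, key=lambda e: (-e.risk, e.target, e.deviation))


def safety_security_overlap(entries):
    """(security entry, safety entry) pairs on one target where the manipulation
    can induce the failure mode: the safety effect of a security problem."""
    by_target = {}
    for e in entries:
        by_target.setdefault(e.target, []).append(e)
    pairs = []
    for group in by_target.values():
        safety = {e.deviation: e for e in group if e.kind == "safety"}
        for s in (e for e in group if e.kind == "security"):
            pairs += [(s, safety[m]) for m in INDUCED.get(s.deviation, []) if m in safety]
    return pairs


def goals(entries, threshold=12):
    """One safety or security goal per entry at or above the risk threshold."""
    return [f"{e.kind}: protect {e.target} against {e.deviation} (risk {e.risk})"
            for e in risk_catalogue(entries) if e.risk >= threshold]


if __name__ == "__main__":
    comps, raw = build_model()
    for g in goals(unified_catalogue(comps, simplify_flows(raw))):
        print(g)
```

With these constructed ratings the two flows that cross the public network between the customer site and the service provider end up at the top of the risk catalogue, which is what motivates the outbound-only, non-routable topology on the results slides.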
Results of the security & safety analysis
Topology elements: AVL product @customer, mediator unit, internet, AVL infra.
Properties: no inbound initiation; non-routable communication (serial interface).
Final topology & encryption levels
We utilized ISO 20922 (MQTT) as data exchange between both clouds.
ArrowHead contribution
ISO 20922 (MQTT) + HW security as enabler for secure inter-cloud communication.
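Added example for the two preceding slides (MQTT as the inter-cloud data exchange, with outbound-only initiation and HW security): not code from the slides or from AVL, and only the Python standard library. `build_client_context()` returns the TLS settings a defender wants on the side that initiates the connection (TLS 1.2 or newer, mandatory server certificate and hostname verification, optional client certificate for mutual authentication), and `audit_context()` reports the weaknesses of a given context so a permissive one can be caught in review. Certificate file paths are caller-supplied assumptions; in a deployment with hardware security the client key would live in a secure element rather than in a file.

```python
"""Hardened TLS client settings for an outbound-initiated MQTT (ISO 20922) link.

Added example, not the project's code. Paths passed in are assumptions; nothing is
loaded unless the caller supplies a file.
"""
import ssl


def build_client_context(ca_file=None, client_cert=None, client_key=None):
    """TLS context for the client that opens the connection towards the broker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True                      # broker name must match its certificate
    ctx.verify_mode = ssl.CERT_REQUIRED            # never talk to an unverified broker
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # private PKI of the link (assumed path)
    else:
        ctx.load_default_certs()                   # system trust store otherwise
    if client_cert:
        # Mutual TLS: the broker can require this client certificate as well.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def audit_context(ctx):
    """Findings a reviewer would raise for a client context; empty means hardened."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def weak_client_context():
    """Constructed example of a permissive context, used here only to exercise the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_context(build_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

With paho-mqtt, the context is handed to the client with `client.tls_set_context(ctx)` before `client.connect()` to the broker's TLS port; commands and update notifications for the product then arrive as subscriptions over this client-initiated session, so nothing on the customer side needs to accept an inbound connection.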