© 2011 SELEX Sistemi Integrati - Commercial in Confidence Massimo Scipioni TRUST Autumn Conference 2011 Realizing intrinsically cyber secure large systems
Date posted: 20-Dec-2015

Massimo Scipioni

TRUST Autumn Conference 2011

Realizing intrinsically cyber secure large systems

Outline

• Introduction
• The problem context
• The solution
  • Development process
  • Users’ processes and procedures
  • Cyber Command & Control
• Conclusions

Introduction

Introduction (1/2)

“State of the Art” seamless Offer, ranging from Products to Integrated Systems and Solutions.

[Figure: overview of the offer. Labels recoverable from the slide: HOMELAND PROTECTION; DEFENCE SYSTEMS; BORDER & TERRITORY PROTECTION; CRITICAL INFRASTRUCTURES PROTECTION; CRISIS MANAGEMENT; MAJOR EVENTS; C4ISTAR SYSTEMS; NCW INFRASTRUCTURES; AIR DEFENCE SYSTEMS; BATTLESPACE C4ISTAR SYSTEMS; AIRBORNE, SURVEILLANCE & SECURITY SYSTEMS; AIRBORNE MISSION SYSTEMS; ATC/ATM & AIRPORT SYSTEMS; VTMS & MARITIME AWARENESS; ADVANCED IT FOR SECURITY, LOGISTICS, AUTOMATION; AVIONICS (EW, RADAR, EO); NAVAL RADARS & FIRE CONTROL SYSTEMS; GROUND RADARS; NAVAL COMBAT SYSTEMS INTEGRATION; GROUND COMMAND & CONTROL SYSTEMS; NAVAL & GROUND; AVIONIC CNI; PROFESSIONAL TETRA - WiMAX; SENSOR; INTEGRATED SYSTEMS; COMMAND & CONTROL; COMMUNICATIONS.]

Introduction (2/2)

• A large system is a system of systems, namely a network of interconnected systems that cooperate to perform common functions, increasingly in terms of network enabled capability.

• FINMECCANICA assigned SELEX Sistemi Integrati the mission of prime contractor and architect for large systems development.

• In this role the Company is responsible for defining large systems requirements, both functional and non-functional.

• Security is a crucial family of non-functional requirements when developing large systems.

• Cyber security is the flow down of general security measures to protect against and react to cyber attacks.

• The Company is therefore approaching the problem of realizing intrinsically cyber secure large systems.

The problem context

A definition

Cyber security is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment, organization and users’ assets.

General security objectives:
• availability;
• integrity (which may include authenticity and non-repudiation);
• confidentiality.

Objectives and threats

• Availability
  • The capability of the system to protect data and processes from the denial of service to the authorized users.
  • Main threat: Distributed Denial of Service.
• Integrity
  • The capability of the system to protect data and processes from unauthorized changes.
  • Main threats: Exploit, Rootkit.
• Confidentiality
  • The capability of the system to protect data and processes from unauthorized access.
  • Main threats: Eavesdropping, Keylogging, Data Exfiltration.

The problem (1/3)

• Cyber attacks cover a wide range of actions: attacks can affect data, processes and programs, as well as the network environment.

• Such attacks might involve intrusions into networks for the purpose of compromising data, degrading communications, interrupting commerce, or impairing critical infrastructures (such as transportation or medical and emergency services).

• Stuxnet taught us a lesson!

The problem (2/3)

Besides, the whole is more vulnerable than the composing parts.

• When diverse and heterogeneous systems are integrated, a degradation of the derived large system emerges in the cyber security domain.

• This means that a large system may be affected by vulnerabilities due to its intrinsic complexity.

• Such vulnerabilities may not even affect the composing systems.

How do we fill this gap?

Realizing intrinsically cyber secure large systems.

The problem (3/3)

How do we develop intrinsically cyber secure large systems?

Not just by providing large systems with firewalls, IDSs, etc. (in other words, not just by surrounding the system with a Maginot line), but by:

i. Adopting a cyber security oriented system design and development process.

ii. Defining operating processes and procedures to guide system users, at any level, to work in compliance with cyber security requirements.

iii. Providing large systems with a cyber command & control that analyses, protects against and counters cyber intrusions.

The development process

Cyber security oriented life cycle

[Figure: cyber security oriented life cycle. Phases: Requirements definition; Architectural design; Implementation; Testing; Deployment. Security activities shown across the phases: Security requirements; Abuse cases; Threat modeling; Risk analysis; Secure coding; Secure testing; Penetration testing; Secure code review; Vulnerability management; Secure deployment; Operational enabling; Security Testing; Attack Patterns – Security Patterns.]

Design and development of artefacts (1/2)

Hardware architecture and network topology are designed to be highly resilient and such that cyber security related non-functional requirements are fully satisfied.

The mapping of the software architecture onto the hardware architecture is optimized with respect to the cyber security requirements. The allocation of functional and non-functional requirements to components is cyber security driven.

Design and development of artefacts (2/2)

Software code artefacts at any architectural level are not affected by defects that give rise to vulnerabilities.

Software testing artefacts stress the system to simulate the possible kinds of attack foreseen for the system under test, performing penetration testing, security testing, etc.

A cyber secure operating system is the foundation upon which secure applications are built.

[Figure labels: Common core; Application; Customization.]

The users’ processes and procedures

Users’ processes and procedures

• Users’ and operators’ behaviour is crucial to cyber security.

• A set of cyber security oriented processes and procedures to guide users is produced as part of the large system development.

• This will largely reduce the occurrences of the so-called insider threats, namely attacks, both voluntary and involuntary, due to system users and operators. Internal attacks are definitely more dangerous than external ones.

• Very often cyber attacks causing significant damage originate from incautious actions (e.g. infected USB keys).

• Training programs will be put in place to build the necessary awareness in the personnel who will be using the system.

• Need-to-know and responsibility-to-share policies will be set forth and adopted by the users’ community.

• Following this approach, the cyber security related human factors become an integrated part of the large system design and development.

The Cyber Command & Control

Cyber Command & Control (1/4)

• A cyber command & control is provided as part of the large system.

• Such cyber command & control application is the large system cyber security supervisor and embraces the whole large system.

• It integrates the lower level cyber security applications, embedded in the composing systems, and provides additional functions in order to build an overall protection and to guarantee an improved cyber security capability to the whole large system.

Cyber Command & Control (2/4)

[Figure: Cyber Command & Control architecture. Blocks: Systems; Cyber Command & Control; Cyber Command & Control Data Base; Open sources (e.g. web); Non open sources (e.g. ISP). Functions: Malicious activities detection; Attacks prevention and defence; Post attacks restoring support; Risks and threats dynamic assessment; Intelligence and Decision Support; Consolidated information Assurance picture management. Data and activities labelled on the diagram: Risk analysis; Vulnerability assessment; Platform application information; Log; Network monitoring; Cyber events; Risk management; Patch management; CERT interoperability; Anomaly management; Incident management; Counter measures; Open info; Non open info.]

Cyber Command & Control (3/4)

• Consolidated information assurance picture management
  • Provide operators with a real time human computer interface to interact with the Cyber Command & Control:
    • Visualize all the nodes of the networks in the domain under control,
    • Visualize the geo-reference of systems, networks, nodes and incidents,
    • Visualize the risk status of all the assets in the domain.
• Malicious activity detection
  • Collect and correlate information coming from:
    • Network monitoring,
    • Application status monitoring,
    • Access control,
    in order to detect malicious activity.
• Attacks prevention and defense
  • Stop or mitigate any detected attack and implement preventive measures to avoid attacks.

Cyber Command & Control (4/4)

• Risks and threats dynamic assessment
  • Project the current situation into the future,
  • Assess the damage incurred from an attack,
  • Improve the understanding of threats by assessing on-going attacks.
• Post attacks restoration support
  • Support the composing systems in restoring after an attack has been stopped and the damage has been assessed:
    • Replace compromised systems and information,
    • Take actions with respect to compromised confidentiality of information.
• Intelligence and decision support
  • Support operations by accessing and exploiting any kind of open and non-open sources relevant to the cyber defence and security situation,
  • Correlate and fuse heterogeneous data coming from diverse sources to support the intelligence processing,
  • Support operators in taking decisions as to the best way to manage situations, providing alternative scenarios.

Conclusions

• The development of cyber secure large systems is based on three main pillars:
  • A design, development, integration and deployment process oriented to cyber defence and security;
  • Users’ and operators’ processes and procedures oriented to cyber security;
  • A cyber command and control embedded in the large system.

• From the architectural perspective, the whole stack, from the hardware platforms up to the application software, is rigorously cyber secure.

• All the concepts discussed are applied to both the newly developed large systems and the legacy ones.

• This way a holistic approach is applied to the realization of cyber secure large systems.

Thank you for your attention

Via Tiburtina, Km 12.400
00131 - Roma, Italia
T. +39 06 41501

SELEX Sistemi Integrati