Methodological Findings from Applying STPA in Cyber...
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©
Methodological Findings from Applying STPA in Cyber Security Case Studies
Dr Anna G. – Sociotechnical Security Researcher, UK National Cyber Security Centre
Methodological Findings from Applying STPA in Cyber Security Case Studies
• Intro to the role of the UK National Cyber Security Centre (NCSC)
• Our Work with STAMP and STPA
• Methodological Findings:
  - Type B Scenario Generation
  - Documentation of additional information such as subsystem states and conditions
UK National Cyber Security Centre
Act as a bridge between industry, government and academia
Unified source of advice, guidance and support on cyber security
MIT STAMP Conference March 26th 2019
Sociotechnical Security Group
Cyber security research in practice
Sociotechnical lens on cyber security problems
Multidisciplinary
Vision: To make the UK the safest place to live and work online
Interactions between people, technology, organisations and processes
Our Work with STAMP and STPA
Risk Frameworks – Core Research Questions:
Do we have the right mix of tools/techniques/frameworks for the cyber security problems of today and in the future?
If not, what do we need to ensure our cyber security risk toolbox is fit for the cyber security problems of today and in the future?
Systems theoretic approaches to cyber security risk, and STAMP in particular, should be part of our cyber security risk toolbox.
Our Work with STAMP and STPA
Exploring applicability to a variety of different use cases:
Traditional cyber security scenarios
• Enterprise IT infrastructure
Joint safety and cyber security contexts
• Automated/connected products
• Industrial control systems
• Critical national infrastructure
Number of case studies working with UK stakeholders involving systems in design and in operations
Illustrative Example – Drone
Key Points
- Case study involving an automated product in design
- User interface such as a smart device
- Safety and security concerns
- Completed several STPA iterations
- Increasingly detailed and complex HCS
[Figure: generic control loop. A Controller (containing a Control Algorithm and a Process Model) issues Control actions to the Controlled process and receives Feedback. Type A and Type B scenario locations are marked on the loop.]
Methodological Findings: Type B Scenario Generation
Type A: Why would an Unsafe Control Action occur?
Type B: Why would control actions be improperly executed or not executed, leading to hazard?
STPA Step 4: Identify Loss Scenarios and Requirements
Our original method applied in case studies:
- Take each individual UCA identified in Step 3
- Apply Type A scenario thinking to the UCA
- Apply Type B scenario thinking to the UCA
Too limited:
- Type B scenarios linked directly to hazard
- Can apply Type B to control actions
- But do not want to lose the relationship between UCAs and both types of scenarios
Type B Scenario Generation
How to generate the broadest range of Type B scenarios to inform subsequent requirements?
Adjusted methodology applied in case studies:
- Take each individual UCA identified in Step 3
- Apply Type A scenario thinking to the UCA
- Apply Type B scenario thinking to the UCA
- Apply Type B scenario thinking to the control action as a whole
- Consider requirements generated from both Type A and B scenarios applied to the individual UCAs when generating requirements to mitigate Type B scenarios from the corresponding Control Action
Illustrative Drone Example
[Figure: hierarchical control structure. Controllers: User; Interface (Smart Device); Internal Automated Controller; Central Management Subsystem. Control actions: CA.1 Take-off; CA.2 Land; CA.3 Pair smart device; CA.4 Unpair smart device; CA.5 Take-off; CA.6 Land; CA.7 Pair smart device; CA.8 Unpair smart device; CA.9 Pair smart device; CA.10 Revoke smart device; CA.11 Pair smart device; CA.12 Revoke smart device.]
Interplay between Type A and Type B Scenarios and Requirements
Illustrative Drone Example: Type B Scenario analysis applied to CA.5 'Take-off' and CA.6 'Land'

Serial | From | To | Action | Type B Scenario Description | Hazard | Additional Requirements
CA.5 | Interface (Smart Device) | Internal Automated Controller | Take-off | These scenarios refer to a situation in which the commands are not actioned. This could occur due to a failure in the control path, either by a malicious actor jamming the connection, or by a technical failure. There is also a possibility that legitimate commands from the user would be countermanded in the control path by a spoofed smart device. These risks have already been mitigated by R3.5 and R.3.9. | H.02, H.03 | None – exposure to hazard mitigated by existing requirements.
CA.6 | Interface (Smart Device) | Internal Automated Controller | Land | (scenario description shared with CA.5 above) | H.02, H.03 | None – exposure to hazard mitigated by existing requirements.
Interplay between Type A and Type B Scenarios and Requirements
Illustrative Drone Example: Type B Scenario analysis applied to CA.12 Revoke smart device

Serial | From | To | Action | Type B Scenario Description | Hazard | Additional Requirements
CA.12 | Central Management Subsystem | Internal Automated Controller | Revoke smart device | In this scenario the CA 'Revoke smart device' is not received or actioned by the Internal Automated Controller. This could allow control actions from a stolen or spoofed smart device to continue to exert control over the drone. Currently commands from the smart device and the central management system could be received contemporaneously and those from the smart device could be actioned, overriding those from the central management system. Mitigation would be to privilege the commands from the central management subsystem over other controllers. | H.01, H.05 | R.3.28 There should be a mechanism to ensure that commands from the Central Management System are given precedence over commands from other controllers.
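The CA.12 scenario and its mitigation R.3.28, as an added example that is not part of the NCSC slides: a toy arbitration step for the Internal Automated Controller, run once without and once with precedence for Central Management commands. The Command class, the SOURCE_* labels, arbitrate() and landing_batch() are assumed names, and the command batch is constructed.

```python
# Added example, not from the NCSC slides. Models the CA.12 Type B scenario:
# commands from a smart device and from the Central Management Subsystem arrive
# contemporaneously, and without R.3.28 the smart device's command is actioned
# before the revoke. Command, SOURCE_* and arbitrate() are assumed names.
from dataclasses import dataclass

SOURCE_CMS = "central_management"   # Central Management Subsystem
SOURCE_SMART = "smart_device"       # Interface (Smart Device)


@dataclass(frozen=True)
class Command:
    source: str      # controller that issued the command
    action: str      # "take-off", "land", "revoke", ...
    device_id: str   # smart device the command comes from or refers to


class InternalAutomatedController:
    def __init__(self, paired, privilege_cms):
        self.paired = set(paired)           # process model: paired smart devices
        self.privilege_cms = privilege_cms  # True = R.3.28 in force

    def arbitrate(self, batch):
        """Action one batch of contemporaneously received commands.
        Returns (action, outcome) pairs in the order they were actioned."""
        if self.privilege_cms:
            # R.3.28: Central Management commands are given precedence, so a
            # revoke is actioned before anything from the revoked device.
            batch = sorted(batch, key=lambda c: c.source != SOURCE_CMS)
        log = []
        for cmd in batch:
            if cmd.source == SOURCE_CMS and cmd.action == "revoke":
                self.paired.discard(cmd.device_id)
                log.append((cmd.action, "actioned"))
            elif cmd.source == SOURCE_SMART and cmd.device_id in self.paired:
                log.append((cmd.action, "actioned"))
            else:
                log.append((cmd.action, "rejected"))
        return log


def landing_batch(privilege_cms):
    """Constructed batch: a paired (stolen or spoofed) device sends 'land' and
    'take-off' while Central Management revokes it in the same batch."""
    iac = InternalAutomatedController(paired={"dev-1"}, privilege_cms=privilege_cms)
    batch = [Command(SOURCE_SMART, "land", "dev-1"),
             Command(SOURCE_CMS, "revoke", "dev-1"),
             Command(SOURCE_SMART, "take-off", "dev-1")]
    return iac.arbitrate(batch)


if __name__ == "__main__":
    print("without R.3.28:", landing_batch(False))
    print("with R.3.28:   ", landing_batch(True))
```

Without precedence the device's 'land' is actioned before the revoke takes effect; with precedence the revoke is actioned first and both device commands are rejected.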
Interplay between Type A and Type B Scenarios and Requirements
What did this approach give us?
- Broad basis for generating both types of scenarios and corresponding requirements
- Utility in practice of considering the potential exposure to hazard from different directions
- Found new scenarios and additional requirements
- Interplay between scenarios and requirements generated from individual UCAs and the control action the UCA is derived from

Requirement | Derived from: | Connection to Hazard
R3.5 | UCA3.2 - Type A; CA.5 - Type B; CA.6 - Type B | H.02, H.03
R3.9 | UCA3.2 - Type A; CA.5 - Type B; CA.6 - Type B | H.02, H.03
R3.28 | CA.12 - Type B | H.01, H.05
… | … | …

- Traceability of requirements to multiple scenarios and exposure to hazard
- Added weight to necessity of requirements when communicating findings
Methodological Findings: Documentation of Subsystem States / Conditions
• Case Study Example Key Points:
  - Automated product in design
  - Safety and security concerns
  - Geo-fenced perimeter for landing
  - Importance of:
    • Sequencing of available control actions
    • Moving between states of 'Disabled', 'Flight Mode', 'Standby Passive' and 'Standby Active'
Illustrative Drone Example
[Figure: control structure. Controllers and processes: User; Interface (Smart Device); Internal Automated Controller; Physical Processes; Geolocation Detection Subsystem. Control actions: CA. Land (User to Interface; Interface to Internal Automated Controller); CA. Check landing area (when in 'Standby Passive') and CA. Land (when in 'Standby Active') (Internal Automated Controller to Physical Processes); CA. Provide geolocation status (Internal Automated Controller to Geolocation Detection Subsystem). Feedback: F. Landing area clear (i.e. change to 'Standby Active') / Not clear (i.e. remain in 'Standby Passive'); F. Within perimeter (i.e. change to 'Standby Passive') / Not within perimeter (i.e. remain in 'Flight Mode'); F. Landed / Not landed / Drone Status.]
Documentation of Subsystem States / Conditions

From | To | Control Action | When this condition is true: | Feedback | Change to status?
User | Interface | Land | Standby Passive or Standby Active | Landed / Not Landed / Drone Status | N/A
Automated Internal Controller | Geolocation Detection Subsystem | Provide geolocation status | All states | Within perimeter / Not within perimeter | Standby Passive / No change
Automated Internal Controller | Physical Processes | Check landing area | Standby Passive | Landing area clear / Not clear | Standby Active / No change
Automated Internal Controller | Physical Processes | Land | Standby Active | Landed / Not landed | N/A
Helps define what options are available under what conditions to form part of the Control Algorithm of a Controller
Helps define what feedback a Controller needs for its Process Model and what it needs to know about the state of the system
Additional information to be recorded:
- Subsystem states
- Conditions that must be true for transitions between such states
- Subsequent changes to status dependent on what feedback is received
May help analyst to spot:
- Missing subsystem states
- Missing conditions necessary for transitions
- Sequencing errors leading to hazard
May help analyst to generate:
- UCAs
- Loss scenarios
- Requirements to mitigate exposure to hazard
Dependent on system under analysis:
- Level of complexity/detail of the HCS
- Number of subsystem states/conditions
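The subsystem state / condition table for the Internal Automated Controller encoded as the control algorithm and process model update it describes, as an added example that is not part of the NCSC slides. It shows how the recorded states and conditions make a sequencing error (a 'Land' requested in a state where the table forbids it) detectable; state names and control actions follow the slides, the function names and dictionary layout are assumptions, and the feedback sequences are constructed.

```python
# Added example, not from the NCSC slides: the subsystem state / condition table
# for the drone's Internal Automated Controller encoded as a control algorithm.
# Control actions are issued only in the states the table permits, and feedback
# drives the 'change to status?' column. Function names are assumptions.

# Control action -> states in which the table says it may be issued
PERMITTED = {
    "Provide geolocation status": {"Disabled", "Flight Mode",
                                   "Standby Passive", "Standby Active"},
    "Land (from User Interface)": {"Standby Passive", "Standby Active"},
    "Check landing area": {"Standby Passive"},
    "Land (to Physical Processes)": {"Standby Active"},
}

# (current state, feedback) -> new state; any other feedback means no change.
# 'Within perimeter' is applied from Flight Mode, as in the slide's figure.
TRANSITIONS = {
    ("Flight Mode", "Within perimeter"): "Standby Passive",
    ("Standby Passive", "Landing area clear"): "Standby Active",
}

def permitted(action, state):
    return state in PERMITTED.get(action, set())

def on_feedback(state, feedback):
    """Process model update: the table's 'change to status?' column."""
    return TRANSITIONS.get((state, feedback), state)

def pending_land_action(state):
    """Control action issued towards Physical Processes while a UI 'Land'
    request is outstanding; None if nothing may be issued in this state."""
    if permitted("Check landing area", state):
        return "Check landing area"
    if permitted("Land (to Physical Processes)", state):
        return "Land (to Physical Processes)"
    return None

def run_landing(state, feedbacks):
    """Replay a UI 'Land' request against a constructed feedback sequence and
    return (actions issued in order, final state); reject sequencing errors."""
    if not permitted("Land (from User Interface)", state):
        raise ValueError(f"'Land' not permitted in state {state!r}")
    issued = []
    for fb in feedbacks:
        act = pending_land_action(state)
        if act:
            issued.append(act)
        state = on_feedback(state, fb)
    return issued, state
```

A landing area reported 'Not clear' keeps the controller in Standby Passive and re-issues the check; only after 'Landing area clear' moves it to Standby Active is 'Land' sent to the physical processes.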
Our Next Steps
• Continue to deepen our understanding of STAMP (STPA and CAST) in relation to cyber security
• Provide advice and guidance as applicable across our broad remit
• Expand the systems theoretic approaches available in our cyber security risk toolbox
Questions?
Contact:[email protected]