Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace...
-
Upload
jaiden-charley -
Category
Documents
-
view
218 -
download
0
Transcript of Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace...
Threats to Software SecurityIntegrated with the Safety Planning
Process
Phil Cooke
Battlespace Management - Safety Policy
Royal Air Force
Contents
• Introduction• Stuxnet – the first of many• Latest ‘Mask’ Malware• A Need to Do More• Safety vs Security, Failure vs Attack• Attack Trees and Guide Words• Simple Case Studies
Safety in the Traditional Sense
• FSSE – Nature of accidents– Flixborough 1974
• Health and Safety at Work etc Act 1974
Safety in the Traditional Sense
• FSSE – Nature of accidents– Challenger 1986
• Leakage issue on previous flights
Safety in the Traditional Sense
• FSSE – Nature of accidents– Bexley 1997
• Maintenance issues, Overloading wagons and excess speed
Background and Motivation
• Pervious working environment• Stuxnet Virus 2009/2010• Interest in Supervisory Control and Data Acquisition
(SCADA) systems including Programmable Logic Controllers (PLCs)
• New Role working in ATM environment• Desire to combine knowledge of Security and Safety as
little exists on this subject
Stuxnet – The First (?) of Many (?)
• Virus discovered in Jun 2010, origin back in Jun 09• Targets a very specific hardware/software configuration at
Natanz, Iran – Uranium reprocessing facility• Executes by re-programming the PLC out of specified
boundaries• Virus deployed via USB pen drive on maintenance laptop• Duqu discovered in Sep 11 thought to be connected to
Stuxnet• Flame discovered in May 2012 thought to be connected
to Stuxnet
Stuxnet 0.5
• Stuxnet 1.0 discovered in Jun 2010• Variants later discovered but traced back as early as Nov
2007 and development as early as 2005• Similar attack vector but closed valves instead of
changing the rotation speed of centrifuges• More versions known to exist but code has never been
recovered• Many other SCADA systems vulnerable to attack
RAS Gas computer systems taken off line
days after a similar attack on Aramco (Aug 12)
Saudi Arabia’s national oil company was attacked by the Shamoon virus, which
targets energy sector infrastructure (Aug 12)
Mask Malware
• Aimed at Gov’ts and Finance Firms• Probably created by a Nation State• Reported by Kaspersky/BBC
Technology website on 11 Feb 2014• Involved in cyber espionage
operations since at least 2007• Ahead of Duqu in terms of
sophistication• Is this just the tip of the Iceberg?
How Skilled Do You Need To Be?
A Need to Do More
• Security and Safety need to be considered as a unity of specialisations and not just bolt-on’s to each other.
• Similarities with Safety a number of years ago?• Develop a methodology to integrate security aspects into
the safety analysis process• Cross domain applicability• Ability to apply at any stage of the safety lifecycle to
capture legacy projects
Safety vs Security, Failure vs Attack
• Systems need to operate in a safe manner• Systems need to be maintainable by many different and
disparate parties• Systems need to fail safe• Systems need to be resilient and resistant to attack
What Previously Existed
• Security Processes or Tools– Casals et al, 2012– 6 Step Process
• 1st 3 Steps considered and developed– Context establishment– Preliminary Risk Assessment– Vulnerability Assessment
What Previously Existed
• Attack Trees– Schneier, 1999– Used within the US DoD Defense Acquisition Guidebook (US
DoD 2012)• Simple example is an activity such as trying to open or
break into a safe.• Helpful to have Guide Words to assist in the process
Open safe
Learn combination
Cut open safePick lockInstall
improperly
Find written combination
Get combination from target
Get target to state
combination
Listen to conversation
Blackmail EavesdropThreaten Bribe
Log in to UNIX account
Learn password
Guess password
No password required
Use widely known
passwords
Find written password
Get password from target
Obtain sniffer output file
Install keyboard
sniffer
Blackmail StealThreaten Bribe
Log in to UNIX account
Learn password
Guess password
No password required
Use widely known
passwords
Find written password
Get password from target
Obtain sniffer output file
Install keyboard
sniffer
Blackmail StealThreaten Bribe
Open safe
Learn combination
Cut open safePick lockInstall
improperly
Find written combination
Get combination from target
Get target to state
combination
Listen to conversation
Blackmail EavesdropThreaten Bribe
Guide (Threat) Words
• Prof McDermott– Art rather than a Science
• Opdahl and Sindre– Brainstorming activity
• Use process similar to FHA– SHARD guidewords – Omission. Commission, Early, Late,
Value• Look for Threat Words rather than Guide Words
– Configuration, Authentication, Jamming, Replay, Lifecycle (learning)
Methodology Development
• Context Establishment
• Preliminary Risk Assessment
• Vulnerability Assessment
Define Initial Security Context
Define Threat Words
Obtain Preliminary System FTA
Develop Attack Trees to enable further Context establishment
Identify Primary Assets
IdentifyThreats to Security
Define Scenarios affecting Safety
Establish Likelihood of Occurrence
Define Severityof Outcome
Identify Vulnerabilities
Identify Vulnerable Assets
Develop Vulnerabilities
using Attack Trees
Case Study 1 – Implantable Medical Device
• Devices able to administer medication at varying rates• Read patients state and report back to a physician• Remote diagnostic/treatment
– Implantable Cardiac Defibrillators (ICDs)– Drug Delivery Systems (eg Insulin Pumps)– Neurostimulators (eg for Parkinson’s Disease)
Context Establishment
• Considers IMDs in general, no FTA• Threat words:
– Access– Identification or Privacy– Configuration– Authorisation– Availability– Distance– Frequency– Safety
Context Establishment
• Define Initial Security Context– Passive or active or coordinated adversaries, Insider attack.
• Active Adversary Attack Tree Active adversary interferes with
communications
Has capability to receive and decode
signals
Has capability to transmit signals
Can transmit incorrectly encoded
signals
Can transmit correctly encoded
signals
Passiveadversary
eavesdrops on signals
AttemptingDDoSattack
Attemptingmalicious
attack
Preliminary Risk Assessment
• Identify Primary Assets– IMD, programming devices, management devices
• Identify Threats to Security– From research, encryption is not used between IMDs and
supporting equipment, however the signalling format could be spoofed allowing unauthorised transmissions to be sent.
– Devices transmit when a magnet is placed nearby– Device programmable or readable 24hrs per day?
• Define Scenarios Affecting Safety– Patient entering a treatment room in a non-local environment– Important or influential figure fitted with IMD– Organised Crime gangs seeking to steal device
Preliminary Risk Assessment
• Patient in a non-local environmentPatient requires
emergency treatment in a foreign location
Foreign denotes away from their normal
medical staff
Medical Staff aware, but unable to communicate
correctly with IMD
Medical staff unaware of IMD
constraints or special requirements
IMD requires authorisation or authentication
Medical staff unable to deactivate IMD to allow other surgical
procedure
Medical Staff unable to get patient history
IMD damaged by medical treatment
Patient harmed by medication or by IMD
working against medication
Patient incapacitatedor unable to
communicate presence of IMD
Medical staff treat patient without
knowledge of IMD
Medical Staff need to know to scan for
device
Authenticationor encryption prevents
access to IMD
Authenticationor encryption prevents
access to IMD
Authenticationor encryption prevents
access to IMD
Authenticationor encryption prevents
access to IMD
IMD shouldemit tone or vibration
when magnet is placed nearby
Treatmentcould be contra toIMD medication
requirements
Preliminary Risk Assessment
• Establish Likelihood of Occurrence– As of 2012, no evidence could be found regarding attacks on
IMDs– Kramer et al, 2012, states “there are no known case reports of
malevolent interference that specifically target medical device function”
Preliminary Risk Assessment
• Severity of Outcome– Worst case is death– Least is possible early failure of device
• Most devices are 5-7 years so replacement is always assumed necessary at some future point
Vulnerability Assessment
• Identify Vulnerable Assets– IMD and supporting equipment
• Identify Vulnerabilities– Replay Attack– Electromagnetic interference– Malware on supporting PC– DoS attack
• Develop Attacks using Attack Trees
Evaluation and Further Work
• IMD use and proliferation is growing• Technology is outpacing Security, not Safety
– Possibly security through ambiguity– Stuxnet was directed at 2 specific targets worldwide
• IMDs must have high security but ease of access• Consider a dual approach – threat in one direction,
vulnerability in the other
Case Study 2 – European Railway Traffic Management System - ERTMS
• The ERTMS aims to replace the many different national train control and command systems in Europe with a standardised system.
• System relies upon the GSM networks.• A full and complete security audit was performed on the
ERTMS and in précis was:– The specs from a safety perspective were considered and
safety requirements for technical interoperations were derived– Consideration of the context in which ERTMS operates and
its trust relationships with other systems– Both top down and bottom up approaches investigated– Attack scenarios devised and graded
Context Establishment
• System description available from ERTMS web page
Context Establishment
• Define Threat Words:– Location
• Balise position• Cuttings, tunnels, shadowing by other trains• GPS used as a backup when GSM is lost?
– Access• Data - system uses cryptography and all users have same key• Data – GSM-R: Handsets authenticate with the network but not vice
versa• Physical – some data is entered locally
– Identification• Each train has a unique identity – spoofing?• Balises are not physically protected• GSM repeater could be spoofed and information extracted
Context Establishment
• Define Threat Words:– Authorisation
• Can the driver override some or all aspects? How is this recorded?• If GSM-R is the sole source of authorisation, what happens in an
outage?
– Jamming• Passenger using small GSM jamming device – what effect to ERTMS?• What precedence is given to GSM-R traffic?
– Etc etc
Context Establishment
• Define Initial Security Context– What could be gained from attacking the system– How could the system be attacked?– What capabilities would the attacker need?
Context Establishment
• Develop Attack TreesERTMS open to security attack
compromising safety
Linked Balise
Radio Block Centre attack
Network attack
ECTS attack
Unlinked Balise
GSM-R attackBalise attack
Crypto attack
Information erorrPosition errorPosition error Information erorr Software radio attackSignal jamming
attack
Preliminary Risk Assessment
• Identify Primary Assets– European Train Control System – ETCS– GSM-R – railway specific system built upon GSM standards
• ETCS– Onboard– Trackside
• Balises• Radio Comms System (GSM-R)• Radio Block Centres – issue movement authorisations to trains
Preliminary Risk Assessment
• Identify Threats to Security– 93 page report written on the “ERTMS Specification Security
Audit Analysis of Attack Scenarios” 29 July 2011– Balise location considered for the remainder of the case study– Uses standard transmission protocol– Position or positional data could be affected– Metallic structures affecting balise signal performance
Preliminary Risk Assessment
• Define Scenarios Affecting Safety– Reputational/financial attack by an active aggressor but with
limited technical knowledge of the system– Balise is moved closer to or further away from neighbour thus
changing the reported position of the train or causing an error signal to be generated
• Establish Likelihood of Occurrence– Hard to estimate without greater technical knowledge of the
system
Preliminary Risk Assessment
• Define Severity of Outcome– Also hard to estimate without greater system knowledge– Train movements would be scheduled to allow for greatest
traffic flow but with sufficient time in-between trains for safety reasons similar to airport arrival and departure traffic.
– Positional errors would need to be evaluated for different areas. Busy junctions (Clapham junction) would work with a smaller error than a remote location with a low density of points
Preliminary Risk AssessmentNon-technological attacker seeks to
damage reputation or finances of company
Attack route chosen is via the balises
Un-noticed access to the trackside and
balise
Physical access required to the
trackside and balise
Attack performed at night or during dawn/
dusk periods
Mount attack in tunnel or railway
cuttingMove balisePlace new balise
Disrupt balise communications
Reprogram balise
discounted due to technology
required
Obtain balisefrom anotherarea or track
Place conductoror metallic object
near balise
Remove balise completely
Reduce distance between balises
Increase distance
between balises
Vulnerability Assessment
• Identify Vulnerable Assets– Large proportion of the system relies on assets outside the
control or standards of the ERTMS– GSM-R may be adaptable but GSM unlikely– Balise and programming device– Driver (always has positive control)– Network infrastructure
• Remember O2 outage in 2012 where some users affected but not others?
– Identify Vulnerabilities• Network Outages
Vulnerability Assessment
• GSM_R Outage Vulnerability
ETRMS susceptible to Network Outages
Partial Network outage
Total network outageNetwork jammed or
intercepted
Attack usingsoftware radio and
software
Alltrains using
ERTMS in same situation
Non affectedtrains continue to
operate
Affected trainsuse ‘fail-safe’ and
stop
Evaluation and Further Work
• 3 Aspects considered in Context evaluation– Why, How, What
• Full Set– Why, How, What, Where, When, Who
• Generation of a threat word taxonomy• External systems are vital to operation of the system yet
limited control or authority available• Partial failures must be considered (O2 Outage)
References
• ANONYMISED (2010). Information security audit of ERTMS, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders.
• ANONYMISED (2011). ERTMS specification security audit – Analysis of attack scenarios, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders.
• Casals, S., Owezarski, P. and Descargues, G. (2012). Risk assessment for airworthiness security. Safecomp 2012 [Online]. Available at: http://hal.archives-ouvertes.fr/docs/00/69/85/23/PDF/ Risk_Assessment_for_Airworthiness_Security_8p_.pdf [Accessed 12 June 2012].
• Falliere, N., O Murchu, L. and Chien, E. (2011). W32.Stuxnet dossier. [Online] Symantec Security Response. February 2011. Available at: http://www.symantec.com/content/en/us/enterprise/ media /security_response/whitepapers/w32_stuxnet_dossier.pdf [Accessed 22 February 2012].
• Kramer, D., Baker, M., Ransford, B., Molina-Markham, A., Stewart, Q., Fu, K and Reynolds, M. (2012). Security and privacy qualities of medical devices: An analysis of FDA postmarket surveillance. PLoS One, 7(7), e40200. doi:10.1371/journal.pone.0040200
• McDermott, J. (2000). Attack net penetration testing. New Security Paradigms Workshop 2000.• McDonald, G., Murchu, L., Doherty, S., Chien, E., (2013). Stuxnet 0.5: The Missing Link. [Online] Symantec
Security Response. February 2013. Available at: http://www.symantec.com/content/en/us/enterprise/media/ security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf [Accessed 20 February 2014].
• Opdahl, A. and Sindre, G. (2008). Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology, 51(5), 916-932.
• Schneier, B. Attack Trees. [Online]. Dr Dobbs Journal, December 1999. Available at: http://www.schneier.com/paper-attacktrees-ddj-ft.html [Accessed 1 July 2012].
• US DoD (2012). Defense Acquisition Guidebook. [Online]. Available at: http://at.dod.mil/docs/ DefenseAcquisitionGuidebook.pdf [Accessed 1 July 2012].