Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace...

Threats to Software SecurityIntegrated with the Safety Planning

Process

Phil Cooke

Battlespace Management - Safety Policy

Royal Air Force

Contents

• Introduction• Stuxnet – the first of many• Latest ‘Mask’ Malware• A Need to Do More• Safety vs Security, Failure vs Attack• Attack Trees and Guide Words• Simple Case Studies

Safety in the Traditional Sense

• FSSE – Nature of accidents– Flixborough 1974

• Health and Safety at Work etc Act 1974


• FSSE – Nature of accidents– Challenger 1986

• Leakage issue on previous flights


• FSSE – Nature of accidents– Bexley 1997

• Maintenance issues, Overloading wagons and excess speed

Background and Motivation

• Pervious working environment• Stuxnet Virus 2009/2010• Interest in Supervisory Control and Data Acquisition

(SCADA) systems including Programmable Logic Controllers (PLCs)

• New Role working in ATM environment• Desire to combine knowledge of Security and Safety as

little exists on this subject

Stuxnet – The First (?) of Many (?)

• Virus discovered in Jun 2010, origin back in Jun 09• Targets a very specific hardware/software configuration at

Natanz, Iran – Uranium reprocessing facility• Executes by re-programming the PLC out of specified

boundaries• Virus deployed via USB pen drive on maintenance laptop• Duqu discovered in Sep 11 thought to be connected to

Stuxnet• Flame discovered in May 2012 thought to be connected

to Stuxnet

Stuxnet 0.5

• Stuxnet 1.0 discovered in Jun 2010• Variants later discovered but traced back as early as Nov

2007 and development as early as 2005• Similar attack vector but closed valves instead of

changing the rotation speed of centrifuges• More versions known to exist but code has never been

recovered• Many other SCADA systems vulnerable to attack

RAS Gas computer systems taken off line

days after a similar attack on Aramco (Aug 12)

Saudi Arabia’s national oil company was attacked by the Shamoon virus, which

targets energy sector infrastructure (Aug 12)

Mask Malware

• Aimed at Gov’ts and Finance Firms• Probably created by a Nation State• Reported by Kaspersky/BBC

Technology website on 11 Feb 2014• Involved in cyber espionage

operations since at least 2007• Ahead of Duqu in terms of

sophistication• Is this just the tip of the Iceberg?

How Skilled Do You Need To Be?

A Need to Do More

• Security and Safety need to be considered as a unity of specialisations and not just bolt-on’s to each other.

• Similarities with Safety a number of years ago?• Develop a methodology to integrate security aspects into

the safety analysis process• Cross domain applicability• Ability to apply at any stage of the safety lifecycle to

capture legacy projects

Safety vs Security, Failure vs Attack

• Systems need to operate in a safe manner• Systems need to be maintainable by many different and

disparate parties• Systems need to fail safe• Systems need to be resilient and resistant to attack

What Previously Existed

• Security Processes or Tools– Casals et al, 2012– 6 Step Process

• 1st 3 Steps considered and developed– Context establishment– Preliminary Risk Assessment– Vulnerability Assessment

What Previously Existed

• Attack Trees– Schneier, 1999– Used within the US DoD Defense Acquisition Guidebook (US

DoD 2012)• Simple example is an activity such as trying to open or

break into a safe.• Helpful to have Guide Words to assist in the process

Open safe

Learn combination

Cut open safePick lockInstall

improperly

Find written combination

Get combination from target

Get target to state

combination

Listen to conversation

Blackmail EavesdropThreaten Bribe

Log in to UNIX account

Learn password

Guess password

No password required

Use widely known

passwords

Find written password

Get password from target

Obtain sniffer output file

Install keyboard

sniffer

Blackmail StealThreaten Bribe

Log in to UNIX account

Learn password

Guess password

No password required

Use widely known

passwords

Find written password

Get password from target

Obtain sniffer output file

Install keyboard

sniffer

Blackmail StealThreaten Bribe

Open safe

Learn combination

Cut open safePick lockInstall

improperly

Find written combination

Get combination from target

Get target to state

combination

Listen to conversation

Blackmail EavesdropThreaten Bribe

Guide (Threat) Words

• Prof McDermott– Art rather than a Science

• Opdahl and Sindre– Brainstorming activity

• Use process similar to FHA– SHARD guidewords – Omission. Commission, Early, Late,

Value• Look for Threat Words rather than Guide Words

– Configuration, Authentication, Jamming, Replay, Lifecycle (learning)

Methodology Development

• Context Establishment

• Preliminary Risk Assessment

• Vulnerability Assessment

Define Initial Security Context

Define Threat Words

Obtain Preliminary System FTA

Develop Attack Trees to enable further Context establishment

Identify Primary Assets

IdentifyThreats to Security

Define Scenarios affecting Safety

Establish Likelihood of Occurrence

Define Severityof Outcome

Identify Vulnerabilities

Identify Vulnerable Assets

Develop Vulnerabilities

using Attack Trees

Case Study 1 – Implantable Medical Device

• Devices able to administer medication at varying rates• Read patients state and report back to a physician• Remote diagnostic/treatment

– Implantable Cardiac Defibrillators (ICDs)– Drug Delivery Systems (eg Insulin Pumps)– Neurostimulators (eg for Parkinson’s Disease)

Context Establishment

• Considers IMDs in general, no FTA• Threat words:

– Access– Identification or Privacy– Configuration– Authorisation– Availability– Distance– Frequency– Safety


• Define Initial Security Context– Passive or active or coordinated adversaries, Insider attack.

• Active Adversary Attack Tree Active adversary interferes with

communications

Has capability to receive and decode

signals

Has capability to transmit signals

Can transmit incorrectly encoded

signals

Can transmit correctly encoded

signals

Passiveadversary

eavesdrops on signals

AttemptingDDoSattack

Attemptingmalicious

attack

Preliminary Risk Assessment

• Identify Primary Assets– IMD, programming devices, management devices

• Identify Threats to Security– From research, encryption is not used between IMDs and

supporting equipment, however the signalling format could be spoofed allowing unauthorised transmissions to be sent.

– Devices transmit when a magnet is placed nearby– Device programmable or readable 24hrs per day?

• Define Scenarios Affecting Safety– Patient entering a treatment room in a non-local environment– Important or influential figure fitted with IMD– Organised Crime gangs seeking to steal device


• Patient in a non-local environmentPatient requires

emergency treatment in a foreign location

Foreign denotes away from their normal

medical staff

Medical Staff aware, but unable to communicate

correctly with IMD

Medical staff unaware of IMD

constraints or special requirements

IMD requires authorisation or authentication

Medical staff unable to deactivate IMD to allow other surgical

procedure

Medical Staff unable to get patient history

IMD damaged by medical treatment

Patient harmed by medication or by IMD

working against medication

Patient incapacitatedor unable to

communicate presence of IMD

Medical staff treat patient without

knowledge of IMD

Medical Staff need to know to scan for

device

Authenticationor encryption prevents

access to IMD


access to IMD


access to IMD


access to IMD

IMD shouldemit tone or vibration

when magnet is placed nearby

Treatmentcould be contra toIMD medication

requirements


• Establish Likelihood of Occurrence– As of 2012, no evidence could be found regarding attacks on

IMDs– Kramer et al, 2012, states “there are no known case reports of

malevolent interference that specifically target medical device function”


• Severity of Outcome– Worst case is death– Least is possible early failure of device

• Most devices are 5-7 years so replacement is always assumed necessary at some future point

Vulnerability Assessment

• Identify Vulnerable Assets– IMD and supporting equipment

• Identify Vulnerabilities– Replay Attack– Electromagnetic interference– Malware on supporting PC– DoS attack

• Develop Attacks using Attack Trees

Evaluation and Further Work

• IMD use and proliferation is growing• Technology is outpacing Security, not Safety

– Possibly security through ambiguity– Stuxnet was directed at 2 specific targets worldwide

• IMDs must have high security but ease of access• Consider a dual approach – threat in one direction,

vulnerability in the other

Case Study 2 – European Railway Traffic Management System - ERTMS

• The ERTMS aims to replace the many different national train control and command systems in Europe with a standardised system.

• System relies upon the GSM networks.• A full and complete security audit was performed on the

ERTMS and in précis was:– The specs from a safety perspective were considered and

safety requirements for technical interoperations were derived– Consideration of the context in which ERTMS operates and

its trust relationships with other systems– Both top down and bottom up approaches investigated– Attack scenarios devised and graded


• System description available from ERTMS web page


• Define Threat Words:– Location

• Balise position• Cuttings, tunnels, shadowing by other trains• GPS used as a backup when GSM is lost?

– Access• Data - system uses cryptography and all users have same key• Data – GSM-R: Handsets authenticate with the network but not vice

versa• Physical – some data is entered locally

– Identification• Each train has a unique identity – spoofing?• Balises are not physically protected• GSM repeater could be spoofed and information extracted


• Define Threat Words:– Authorisation

• Can the driver override some or all aspects? How is this recorded?• If GSM-R is the sole source of authorisation, what happens in an

outage?

– Jamming• Passenger using small GSM jamming device – what effect to ERTMS?• What precedence is given to GSM-R traffic?

– Etc etc


• Define Initial Security Context– What could be gained from attacking the system– How could the system be attacked?– What capabilities would the attacker need?


• Develop Attack TreesERTMS open to security attack

compromising safety

Linked Balise

Radio Block Centre attack

Network attack

ECTS attack

Unlinked Balise

GSM-R attackBalise attack

Crypto attack

Information erorrPosition errorPosition error Information erorr Software radio attackSignal jamming

attack


• Identify Primary Assets– European Train Control System – ETCS– GSM-R – railway specific system built upon GSM standards

• ETCS– Onboard– Trackside

• Balises• Radio Comms System (GSM-R)• Radio Block Centres – issue movement authorisations to trains


• Identify Threats to Security– 93 page report written on the “ERTMS Specification Security

Audit Analysis of Attack Scenarios” 29 July 2011– Balise location considered for the remainder of the case study– Uses standard transmission protocol– Position or positional data could be affected– Metallic structures affecting balise signal performance


• Define Scenarios Affecting Safety– Reputational/financial attack by an active aggressor but with

limited technical knowledge of the system– Balise is moved closer to or further away from neighbour thus

changing the reported position of the train or causing an error signal to be generated

• Establish Likelihood of Occurrence– Hard to estimate without greater technical knowledge of the

system


• Define Severity of Outcome– Also hard to estimate without greater system knowledge– Train movements would be scheduled to allow for greatest

traffic flow but with sufficient time in-between trains for safety reasons similar to airport arrival and departure traffic.

– Positional errors would need to be evaluated for different areas. Busy junctions (Clapham junction) would work with a smaller error than a remote location with a low density of points

Preliminary Risk AssessmentNon-technological attacker seeks to

damage reputation or finances of company

Attack route chosen is via the balises

Un-noticed access to the trackside and

balise

Physical access required to the

trackside and balise

Attack performed at night or during dawn/

dusk periods

Mount attack in tunnel or railway

cuttingMove balisePlace new balise

Disrupt balise communications

Reprogram balise

discounted due to technology

required

Obtain balisefrom anotherarea or track

Place conductoror metallic object

near balise

Remove balise completely

Reduce distance between balises

Increase distance

between balises


• Identify Vulnerable Assets– Large proportion of the system relies on assets outside the

control or standards of the ERTMS– GSM-R may be adaptable but GSM unlikely– Balise and programming device– Driver (always has positive control)– Network infrastructure

• Remember O2 outage in 2012 where some users affected but not others?

– Identify Vulnerabilities• Network Outages


• GSM_R Outage Vulnerability

ETRMS susceptible to Network Outages

Partial Network outage

Total network outageNetwork jammed or

intercepted

Attack usingsoftware radio and

software

Alltrains using

ERTMS in same situation

Non affectedtrains continue to

operate

Affected trainsuse ‘fail-safe’ and

stop

Evaluation and Further Work

• 3 Aspects considered in Context evaluation– Why, How, What

• Full Set– Why, How, What, Where, When, Who

• Generation of a threat word taxonomy• External systems are vital to operation of the system yet

limited control or authority available• Partial failures must be considered (O2 Outage)

References

• ANONYMISED (2010). Information security audit of ERTMS, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders.

• ANONYMISED (2011). ERTMS specification security audit – Analysis of attack scenarios, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders.

• Casals, S., Owezarski, P. and Descargues, G. (2012). Risk assessment for airworthiness security. Safecomp 2012 [Online]. Available at: http://hal.archives-ouvertes.fr/docs/00/69/85/23/PDF/ Risk_Assessment_for_Airworthiness_Security_8p_.pdf [Accessed 12 June 2012].

• Falliere, N., O Murchu, L. and Chien, E. (2011). W32.Stuxnet dossier. [Online] Symantec Security Response. February 2011. Available at: http://www.symantec.com/content/en/us/enterprise/ media /security_response/whitepapers/w32_stuxnet_dossier.pdf [Accessed 22 February 2012].

• Kramer, D., Baker, M., Ransford, B., Molina-Markham, A., Stewart, Q., Fu, K and Reynolds, M. (2012). Security and privacy qualities of medical devices: An analysis of FDA postmarket surveillance. PLoS One, 7(7), e40200. doi:10.1371/journal.pone.0040200

• McDermott, J. (2000). Attack net penetration testing. New Security Paradigms Workshop 2000.• McDonald, G., Murchu, L., Doherty, S., Chien, E., (2013). Stuxnet 0.5: The Missing Link. [Online] Symantec

Security Response. February 2013. Available at: http://www.symantec.com/content/en/us/enterprise/media/ security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf [Accessed 20 February 2014].

• Opdahl, A. and Sindre, G. (2008). Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology, 51(5), 916-932.

• Schneier, B. Attack Trees. [Online]. Dr Dobbs Journal, December 1999. Available at: http://www.schneier.com/paper-attacktrees-ddj-ft.html [Accessed 1 July 2012].

• US DoD (2012). Defense Acquisition Guidebook. [Online]. Available at: http://at.dod.mil/docs/ DefenseAcquisitionGuidebook.pdf [Accessed 1 July 2012].

Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace...

Documents

Transcript of Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace...