Trustworthy Industrial Control Systems - how to take ... · 2/12/2014 · SCEPTICS • The...
Trustworthy Industrial Control Systems - how to take security seriously
Chris Hankin
Imperial College London and Director of RITICS
June 2017
Overview
• The current threat
• Key questions
• The RITICS projects
• Summary
Convergence of OT and IT ...
... but with major differences:
• Time critical versus high throughput
• Continuous operation
• Increased importance of edge clients
• Complex interactions with physical processes
• Resource constraints
• Legacy issues: 15-20+ years of operation
• Access to components can be difficult
A change of emphasis ...
C-I-A (Confidentiality, Integrity, Availability) becomes A-I-C (Availability, Integrity, Confidentiality)
... not forgetting: Maintainability, Reliability and Safety
Espionage
Sabotage
ICS-CERT 2015: Incidents by sector
295 total (2015)
2016 update
• 290 incidents
• Critical Manufacturing 62
• Communications 62
• Energy 59
ICS-CERT 2015: Incidents by attempted infection vector
2016 update
• 290 incidents
• Spear Phishing 26%
• Network Scanning 12%
ICS-CERT Advice (based on 2013/2014)
Vermont Electric Company
ICS Attack
But that is not all!
• Increasing threat of terrorism
• Increasing commoditisation and digitisation
• The Internet of Things and Cyber-Physical systems
A Changing Landscape
Research Institute in Trustworthy Industrial Control Systems
RITICS: Novel, effective and efficient interventions
£2.4M programme, 5 coordinated projects.
Phase 1 (Directorship) awarded 01/01/14, Chris Hankin, Imperial College London.
Phase 2 awarded 01/10/14.
MUMBA: Multifaceted metrics for ICS business risk analysis
CAPRICA: Converged approach towards resilient industrial control systems and cyber assurance
CEDRICS: Communicating and evaluating cyber risk and dependencies in ICS
SCEPTICS: A systematic evaluation process for threats to ICS (incl. national grid and rail networks)
Key Questions / Challenges
Do we understand the harm threats pose to our ICS systems and business?
Can we confidently articulate these threats as business risk?
What could be novel, effective and efficient interventions?
Impact
• Contribution to new Cyber Security Strategy for UK railways.
• Tools for building models of complex cyber physical systems.
• Testbeds.
• A serious game for studying security decisions.
• Secure implementation of gateway module compatible with IEC and IEEE standards.
• Contribution to European work on certification of ICS components.
SCEPTICS
• The SCEPTICS project aims to raise the awareness of ICS owners to the vulnerabilities within their ICS, by providing a toolkit of analysis techniques they can use to perform their own risk assessments and identify threats.
Operational concept from the Network Rail Technical Strategy (June 2013). Available from http://www.networkrail.co.uk/publications/technical-strategy.pdf. Last accessed 2nd December 2014.
• SCEPTICS is:
• Developing processes for system scoping and analysis from an industrial perspective
• Establishing appropriate methods for identification of harm threats and vulnerabilities
• Documenting and packaging the tools and processes for use by industry stakeholders on their own networks
CEDRICS
[Figure: Effect of increasing diversity by adding AVs. x-axis: Number of diverse AVs (N), 0 to 16; y-axis (log scale, 1.E-07 to 1.E+00): Prob. 1ooN system fails on at least one demand. Series: Observed, Exponential, Hyper-exponential.]
• Argumentation and assurance
- Claims, arguments, evidence
- Empirically based, technically sound
• Defence-in-depth
- Fundamental principle
• System models
- Risk evaluation
- Uncertainty in structure
• Partners
- Adelard
- Psymetrix (a GE company)
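As an added illustration of the 1ooN curve in the figure above (this is not code or data from CEDRICS or Adelard), the Python below takes a constructed AV-by-sample detection matrix and computes, for each N, the probability that a 1-out-of-N system built from N diverse AVs fails on at least one demand, averaged over all N-subsets of products.

```python
from itertools import combinations

# Constructed detection matrix (made-up values, not the study's data):
# rows are AV products, columns are malware samples ("demands");
# 1 means the product detects that sample, 0 means it misses it.
DETECTIONS = {
    "av_a": [1, 1, 0, 1, 1, 0, 1, 1],
    "av_b": [1, 0, 1, 1, 0, 1, 1, 1],
    "av_c": [0, 1, 1, 1, 1, 0, 1, 0],
    "av_d": [1, 1, 1, 0, 1, 1, 0, 1],
    "av_e": [1, 1, 0, 1, 0, 1, 1, 1],
}


def one_oo_n_fails(products, detections):
    """True if a 1-out-of-N system built from `products` fails on at least
    one demand, i.e. some sample that none of the chosen products detect."""
    n_samples = len(next(iter(detections.values())))
    for j in range(n_samples):
        if not any(detections[p][j] for p in products):
            return True
    return False


def failure_probability(n, detections):
    """Fraction of all N-product subsets whose 1ooN system fails on at
    least one demand. N=1 is the single-product failure rate; the decline
    as N grows is the 'effect of adding AVs' shown on the slide."""
    subsets = list(combinations(sorted(detections), n))
    failing = sum(one_oo_n_fails(s, detections) for s in subsets)
    return failing / len(subsets)


def failure_curve(detections):
    """Failure probability for every N from 1 up to the number of products."""
    return {n: failure_probability(n, detections)
            for n in range(1, len(detections) + 1)}


if __name__ == "__main__":
    for n, p in failure_curve(DETECTIONS).items():
        print(f"N={n}: P(1ooN fails on >=1 demand) = {p:.3f}")
```

Real detection matrices show correlated misses between products, which is why the observed curve on the slide is compared against exponential and hyper-exponential fits rather than assumed to be independent.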
Mumba: Multi-Faceted Metrics for Business Risk Analysis
• Studies of perception errors in security incidents
• Decisions & Disruptions: a serious game for studying security decisions.
Multi-faceted metrics templates and construction methodology + demonstration on case studies
CAPRICA
• Implementing a complete end-to-end physical test-bed
• PMU (synchrophasor) control of synchronous power island reconnection
• Secure communication of time synchronized power measurements for real-time control over wide area networks
• Objectives
• Research attack detection and countermeasure approaches based on cyber-physical interoperation
• Develop a benchmark cyber-secure ICT implementation (and compare with typical industry designs)
RITICS @ Imperial
[Figure: example ICS network with a Corporate Network (Database, Web Server, Workstations, Historian), a Control Network (Remote Workstation, PLCs) and Field Devices, with attack entry points: Insecure Internet, Insecure Remote Access, Infected USB Drive, Social Engineering, Insecure Remote Support.]
[Figure: attacker/defender game loop: a Defender Profile (resources, control pairs, defender target) and an Attacker Profile (resources, attack paths, attacker target, exploits) are each evolved with Particle Swarm Optimisation (PSO) over an n-iteration optimisation, alternating Defender Turn and Attacker Turn, with the network simulation selecting the best response.]
Optimal Defensive Strategies for ICS
• Based on APT attack graphs.
• Optimal deployment of defence-in-depth, critical-component defence and bottleneck defence.
• Optimal defence: Particle Swarm Optimisation.
• Adaptive defences for various cost-effectiveness of investment.
Tolerance against Zero-day exploits
• Utilise software and hardware diversity to maximise tolerance against zero-day exploits.
• Modelled using a Markov Random Field model and optimised using an efficient message passing algorithm.
• Stuxnet-like and scalability experiments.
[Figure: attack graphs from an entry node through exploit nodes to a target, with hosts labelled by platform (Win8/IE8, Win8/IE10, Win10/IE8, Win10/IE10, Ubt14.04/Chrome, Ubt14.04/IE8, Debian8/Chrome, MSSQL12, MSSQL14, MySQL) and edge weights of 0, 0.5 or 1. Panels: (a) Mono-culture single-label hosts; (b) diversifying single-label hosts; (c) diversifying single-label hosts with similarity; (d) diversifying multi-label hosts with similarity.]
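As an added example of the diversity idea behind panels (a) to (c) above (not the project's Markov Random Field model, and not its code), the Python below scores a small constructed attack graph under three host labellings. The similarity function, the 0 / 0.5 / 1 weights and the "single zero-day reused along the path" model are assumptions made for the illustration.

```python
# Constructed attack graph: an entry host, two intermediate hosts and a
# target. Host labels are "OS/application", using platform names from the
# slide's figure; the graph itself is made up for this example.
GRAPH = {"entry": ["h1", "h2"], "h1": ["target"], "h2": ["target"], "target": []}

# Labellings mirroring panels (a), (b) and (c).
MONO_CULTURE = {"entry": "Win8/IE8", "h1": "Win8/IE8",
                "h2": "Win8/IE8", "target": "Win8/IE8"}
DIVERSE = {"entry": "Win8/IE8", "h1": "Ubt14.04/Chrome",
           "h2": "Debian8/MySQL", "target": "Win10/MSSQL12"}
DIVERSE_SIMILAR = {"entry": "Win8/IE8", "h1": "Win8/IE10",
                   "h2": "Ubt14.04/Chrome", "target": "Win10/IE8"}


def similarity(a, b):
    """Assumed similarity of two labels: 1 if identical, 0.5 if they share
    the OS or the application, 0 otherwise (the figure's edge weights)."""
    if a == b:
        return 1.0
    os_a, app_a = a.split("/")
    os_b, app_b = b.split("/")
    return 0.5 if os_a == os_b or app_a == app_b else 0.0


def simple_paths(graph, src, dst, path=()):
    """All simple paths from src to dst, enumerated depth-first."""
    path = path + (src,)
    if src == dst:
        return [path]
    return [p for nxt in graph[src] if nxt not in path
            for p in simple_paths(graph, nxt, dst, path)]


def single_zero_day_success(path, labels):
    """Assumed model: the attacker holds one zero-day for the entry host and
    reuses it at each hop with probability equal to the best similarity
    between the next host and any host already compromised on the path."""
    p = 1.0
    for i in range(1, len(path)):
        p *= max(similarity(labels[path[i]], labels[h]) for h in path[:i])
    return p


def zero_day_tolerance(graph, labels):
    """1 minus the success probability of the weakest (least diverse) path:
    0 for a mono-culture, 1 when no two hosts on any path share anything."""
    paths = simple_paths(graph, "entry", "target")
    return 1.0 - max(single_zero_day_success(p, labels) for p in paths)
```

Raising the tolerance is then an optimisation over which hosts to relabel, subject to cost, which is the problem the slide describes solving with message passing over a Markov Random Field.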
Summary
• OT is like IT – but different!
• Move from Espionage to Sabotage
• Lack of risk awareness at CxO level
• Need for OT-specific solutions