What Can We Do? - system-safety.org
What Can We Do?
Tutorial on the Cybersecurity of Safety-Critical Systems
Prof. Chris Johnson,
School of Computing Science, University of Glasgow, Scotland.
http://www.dcs.gla.ac.uk/~johnson
Schedule
First Briefing
Understanding the Threats
Detailed patterns of attack.
Second Briefing
What can be done?
Protection, forensics and recovery.
Third Briefing
More detailed case studies…
Securing space-based assets.
Recap
• Is it a bug or an attack?
• Nature of the Threats:
– Insider attacks;
– Crowdsourcing and Hacktivism;
– Social Attacks and Spear Phishing;
– Certification attacks; Configuration Attacks;
– Command and Control Servers,
– Stuxnet; Sniffers…
• Next: What Can We Do?
Overview: What Can We Do?
• Safeguard the Supply Chain
– Safeguarding the insider threat;
– Redundancy and mixed certification…
– Analytical techniques (GSN, Attack trees);
– The Cloud...
• Increasing Resilience:
– Threat detection,
– Improved forensics,
– Recovery certification (is it safe yet?)…
• If all else fails: Cyberinsurance…
Sanity Check…
• This is only an initial overview…
What Can We Do?
1. To stay out of jail
– Legal requirements after an incident…
2. To develop the business…
– Advantages over competitors outside Europe.
Chris:
We can never be 100% secure.
Because…
Dijkstra:
Testing can prove the presence
of errors, but not their absence.
Copyright C.W. Johnson, 2013
Edsger W Dijkstra (1930-2002)
Conventional ANSP Expectations
ISO 27k
ISO/IEC 27000 — Information security management systems — Overview and vocabulary
ISO/IEC 27001 — Information security management systems — Requirements
ISO/IEC 27002 — Code of practice for information security management
ISO/IEC 27003 — Information security management system implementation guidance
ISO/IEC 27004 — Information security management — Measurement
ISO/IEC 27005 — Information security risk management
ISO/IEC 27006 — Requirements for providing audit and certification of information security management systems
ISO/IEC 27007 — Guidelines for information security management systems auditing
ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
ISO/IEC 27010 — Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
Conventional ANSP Expectations
US Federal Information Security Management Act (2002):
1. Identify and categorize the information that is to be protected;
2. Select minimum controls and document in a security policy;
3. Refine controls using a risk assessment procedure to assess the
probability and consequence of loss;
4. Document controls in a system security plan;
5. Implement security controls to mitigate risks;
6. Assess effectiveness of security controls once implemented;
7. Determine residual agency-level risk to mission or business;
8. Authorize information system for operation and maintain;
9. Monitor and audit the security controls on a continuous basis.
Conventional ANSP Expectations
• European General Data Protection Regs:
– Fines 2% of global annual turnover in 24 hours;
– Into force this year (Replaces 95/46/EC).
• Feb 2013 Network and Infosec Directive:
– single "competent authority" for infosec;
– "issue binding instructions to market operators”;
– (Frequentis is a “market operator”);
– obligatory incident reporting to authority;
– establish a national CERT.
Safeguard the Supply Chain
• Increasing focus on critical infrastructures:
– Political impact of Snowden revelations;
– Technical impact of Stuxnet weapons test…
• EC initiatives to safeguard supply chain:
– How can we do this? Switches?
• Specific issues here:
– Insider threat, redundancy;
– mixed certification, the Cloud…
Safeguard Supply Chain: Insider Threat
• Most companies have good security policies.
• Insider threat through negligence (AUDIT):
– All of them are ignored some of the time;
– Some policies are unknown to, or forgotten by, staff.
• Insider threat from maleficence (FILTER):
– Who do you trust? Background checks;
– Use of sub-contractors, agency staff.
• No use of untrusted code (EXCLUDE):
– Ban third party libraries? Trusted compilers?
Safeguard Supply Chain: Redundancy/Diversity
• Redundancy is key to safety in ATM;
– Doesn’t help much without diversity.
• N-version programming from same supplier?
• Diverse operating systems/hardware?
• How extreme do you get?
– The Naviair Windows fallback server…
– UK/US military hardware intermediate layer.
Safeguard Supply Chain: Mixed Certification
• Safety and Security – non-functional requirements:
– Typically, can have one but not both.
• Verification and validation prevent monitoring.
• Need for regulatory support:
– Primary system is safe (e.g. following ED-153);
– Secondary system is secure (i.e. using virus definitions).
• On-going project in Glasgow…
Safeguard the Supply Chain
• Good news.
• Re-use some safety analysis techniques.
– But some important differences…
• Case Study 1 – Goal Structuring Notation:
– GSN for security cases?
– GSN for safety cases (with attack scenarios);
• Case Study 2 - Attack Trees:
– Beware differences with fault trees;
– Probability of an attack (UK guidance?).
VA Generic Security Case
Integrated Safety and Security Threats
Goals:
G1: EGNOS SBAS is acceptably safe
G2: All identified hazards with accuracy, integrity, continuity and availability have been eliminated or mitigated to an acceptable level.
G3: SBAS operations conducted according to agreed SOPs.
G4: Hazards to accuracy have been mitigated.
G5: Hazards to integrity have been mitigated.
G6: Hazards to availability have been mitigated.
G7: Hazards to continuity have been mitigated.
G8: Probability of deterministic failure < 10^-5 per service hour
G9: Probability of random stochastic failure < 10^-5 per service hour
G10: SBAS ops will be conducted following practices in European Cooperation for Space Standardization; Space Engineering – Verification; ECSS-E-10-02A; 17 November 1998.
G11: SBAS ops meet detailed requirements in Single European Sky Certification of ESSP
Context:
C1: SBAS performance requirements identified in EGNOS Service Definition Document – Open Service, Ref: EGN-SDD OS V1.1 – 30th October 2009 and ICAO Annex 10 Vol I (Radio Navigation Aids) – 6th Ed July 2006 ver. 85, EC Reg 550/2004
C2: Hazards and ‘feared events’ identified according to the EGNOS end-to-end validation programme
C3: EGNOS Safety of Life Service Definition Document, European Commission, DG Enterprise and Industry, Ref: EGN-SDD SoL, V1.0; also RTCA/DO-229D
Solutions (evidence):
S1: Initial tests on limited geographical areas
S2: Real-time monitoring of Signal-in-Space data
S3: Simulator data eg EGNOS End to End Simulator (EETES)
S4: Fault tree for EGNOS components
S5: Evidence of Conformance from Audit eg French NSA for EC, July 2010.
S6: Process evidence from ESSP teams
Counter-evidence:
CE1: Excessive multipath at RIMS level jeopardizes continuity
Security concerns:
SC1: Localized jamming of GPS or spoofing invisible to ground stations.
SC2: Concerns over insider threat to EGNOS ground stations.
Resilience in the Cloud
Fault tree: Loss of Critical Cloud Infrastructure
  OR: Large scale systems failure | Large scale cyber attack
  Contributory factors (OR gates under each branch): Design less than adequate; Risk assessment less than adequate; Operation less than adequate; Security measures less than adequate; Incident response less than adequate (appears under both branches).
Critical Cloud Failure
Fault tree: Large scale systems failure – 70 million users lose access to file store for 3 days
  OR
  – Design less than adequate
      AND: Core switch failure triggers loss of service; Insufficient attention paid to internal network redundancy
  – Operation less than adequate
      AND: Failure to address problems affecting 10 million users in 2005; Redundant backup server farm not completed before failure
  – Incident response less than adequate
      AND: Delays in recovering from initial failure in rollback to previous configuration; Secondary failures as huge backlog created by users still accessing system
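Added example (not from the slides): the Critical Cloud Failure tree above evaluated two ways, to show the "beware differences with fault trees" point from the attack-trees slide. The tree structure, shortened event names, and the per-event probabilities and attacker costs are constructed from the figure and are our reading of it, not the author's figures.

```python
"""Fault tree vs attack tree evaluation over the 'Critical Cloud Failure' tree."""
import math
from itertools import product

# Nodes are a basic-event label (str) or (gate, [children]).
# Constructed from the slide's diagram; event names shortened, gate pairing is ours.
CLOUD_FAILURE = ("OR", [
    ("AND", ["core switch failure", "no internal network redundancy"]),        # design LTA
    ("AND", ["2005 problems not addressed", "backup server farm incomplete"]), # operation LTA
    ("AND", ["rollback to previous config delayed",
             "user backlog causes secondary failures"]),                       # incident response LTA
])

def minimal_cut_sets(node):
    """Smallest sets of basic events whose joint occurrence causes the node's event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":      # any one child's cut set suffices
        candidates = [cs for sets in child_sets for cs in sets]
    elif gate == "AND":   # one cut set from every child must occur together
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate {gate!r}")
    unique = set(candidates)
    # drop any candidate that strictly contains another (not minimal)
    return sorted((s for s in unique if not any(o < s for o in unique)),
                  key=lambda s: (len(s), sorted(s)))

def fault_tree_probability(node, p):
    """Safety reading: leaves are independent random failures with probabilities p."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    probs = [fault_tree_probability(c, p) for c in children]
    if gate == "AND":
        return math.prod(probs)
    return 1.0 - math.prod(1.0 - x for x in probs)   # P(at least one child event)

def attack_tree_cost(node, cost):
    """Security reading: an adversary pays every leaf under an AND but only the cheapest
    branch under an OR, so the root is the cheapest complete attack, not a probability."""
    if isinstance(node, str):
        return cost[node]
    gate, children = node
    values = [attack_tree_cost(c, cost) for c in children]
    return sum(values) if gate == "AND" else min(values)

def leaves(node):
    """All basic events in the tree, in diagram order."""
    return [node] if isinstance(node, str) else [l for c in node[1] for l in leaves(c)]

if __name__ == "__main__":
    events = leaves(CLOUD_FAILURE)
    print(minimal_cut_sets(CLOUD_FAILURE))
    print(fault_tree_probability(CLOUD_FAILURE, {e: 0.1 for e in events}))   # 0.029701
    print(attack_tree_cost(CLOUD_FAILURE, {e: 10 for e in events}))          # 20
```

The same OR gate that adds probabilities in the safety reading becomes a minimum in the attack reading: one weak branch fixes the whole root value regardless of how strong the others are.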
Safeguard Supply Chain: The Cloud????
• Skyguide.
• But:
– You outsource the service;
– You do not outsource the risk.
Reliability in Cloud Infrastructures
• Two months, 1 million users: T-Mobile’s Sidekick users lost contacts, calendars, photos when Microsoft subsidiary Danger suffered a server failure.
• Permanent data loss, over 6,300 users: 1-4th July 2010, Evernote hardware failure, loss of data.
• Four days, 35,000 users: February 2011 Gmail accounts and Google Apps customers lost all the data in the accounts. Google had to resort to restoring backups from tapes, in an operation lasting 4 days.
• Several hours, service-wide: 6, 11 and 15 August 2008, Google’s enterprise e-mail system, Apps Premier Edition, outage affected nearly all users for 2 hours; some were affected for 24 hours.
• 72 hours, 70 million users: Millions of Blackberry users across Europe, Middle East and Africa suffered outage for 3 days in October 2011. Speculation is that most of the global customer base (70m users) were affected at some point during 72 hours.
• Security “Upside”:
– Better coordination of security;
– Better training and monitoring;
– Share costs of secure infrastructure.
• Security “Downside”:
– Providers unsure what is running;
– Do all clients install secure patches?
– What is ‘normal traffic’? etc.
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
Risks Associated with Loss of Governance
Increase Resilience
• Cannot be 100% secure:
– But avoid negligence… and prison time.
• Detecting an attack is non-trivial.
• Recovery can take months…
• Specific issues here:
– Threat detection, improved forensics, recovery
certification…
Increase Resilience: Threat Detection
• Two primary approaches:
– 1. Monitor to detect only normal traffic;
– 2. Monitor to detect any abnormal behaviour.
• Approach 1 does not work:
– Need mixed certification approach above.
• Approach 2 does not work:
– Most ANSPs cannot characterize ‘normal’.
• FAA/US Navy/Glasgow joint project…
Li (MIT Thesis, 2013) ILS Nominal Approach
One Month of Radar Targets in an ACC
Number of Radar Targets-Bytes over Network
Increase Resilience: Threat Detection
• But beware: false positives…
• Attackers don’t need to penetrate system.
• They only need to trigger threat detection.
• You then waste thousands in analysis…
• 2nd Generation Denial of Service Attacks.
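Added example, not from the slides: what "characterising normal" looks like for the per-hour radar-target traffic volume shown in the preceding figures, and how the alert threshold drives the false positives the slide warns about. The diurnal profile, the seven days of history and the test day are all constructed values, not measurements.

```python
"""Per-hour-of-day traffic baseline for radar-target data volume, with a false-positive check."""
from statistics import mean, pstdev

HOURS = range(24)

def hourly_profile(h):
    """Constructed diurnal profile (bytes/hour of radar-target messages, arbitrary units)."""
    return 1000 + 200 * h

# Constructed history: seven days of per-hour byte counts with modest day-to-day variation.
HISTORY = [[hourly_profile(h) + d for h in HOURS] for d in (-30, -10, 0, 10, 30, -20, 20)]

def build_baseline(history):
    """(mean, population std-dev) of bytes for each hour of day across the history."""
    return [(mean(day[h] for day in history), pstdev(day[h] for day in history)) for h in HOURS]

def flag_hours(day, baseline, k):
    """Hours whose volume deviates from the baseline mean by more than k standard deviations."""
    flagged = []
    for h, (mu, sigma) in zip(HOURS, baseline):
        if sigma == 0:            # no variance ever seen: any change counts as a deviation
            deviates = day[h] != mu
        else:
            deviates = abs(day[h] - mu) / sigma > k
        if deviates:
            flagged.append(h)
    return flagged

def false_positives(day, baseline, k, true_anomalies):
    """Flagged hours that are not in the set of real anomalies (analyst time wasted)."""
    return [h for h in flag_hours(day, baseline, k) if h not in true_anomalies]

# Constructed test day: a little busier than usual all day, plus a genuine spike at 03:00.
TEST_DAY = [hourly_profile(h) + 15 for h in HOURS]
TEST_DAY[3] += 500

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for k in (3.0, 0.5):
        print(k, flag_hours(TEST_DAY, base, k), false_positives(TEST_DAY, base, k, {3}))
```

With k = 3 only the 03:00 spike is flagged; tightening to k = 0.5 flags every hour of an ordinary busy day, which is exactly the analysis load an adversary who only needs to trip detection would aim for.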
Increase Resilience: Improved Forensics
NIST Incident Response Lifecycle
Incident handlers should consider not only the current functional impact of the
incident, but also the likely future functional impact if it is not immediately
contained. Incidents may affect the confidentiality, integrity, and availability of
the organization’s information... (NIST, 2012)
Increase Resilience: Improved Forensics
• Immediate Actions and Containment.
• Who to notify?
– Colleagues, Regulators, Police, Other ANSPs,
– Media, Airlines, Public etc.
• What systems are affected?
– Network? Other installations? USB plague…
• How long has the attack lasted?
– Do archive versions contain the malware too?
Increase Resilience: Improved Forensics
• Immediate Actions and Containment.
• Is it safe to maintain operations?
– Almost certainly violating certification…
• How to cope with existing safety concerns?
– What if attack is detected during upgrade?
– What if attack is detected when systems down?
– Attackers will time their attack of course…
W32.Duqu: C&C Linux Server Deletion
Increase Resilience: Improved Forensics
1. Protect subject computer system from alteration, data
corruption, virus infection, physical damage;
2. Uncover all files: normal, hidden, deleted, encrypted etc;
3. Recover as many of the deleted files as possible;
4. Reveal the contents of hidden and temporary files;
5. Access the protected and encrypted files, if legal;
6. Analyse all data, including unallocated file space & file slack;
7. Print out all relevant files, conduct system examination;
8. Provide expert testimony or consultation, if required.
Increase Resilience: Improved Forensics
NIST Guidelines on Forensic Analysis
Increase Resilience: Improved Forensics
US Department of Justice (2008): treat it like any other crime scene:
“Follow departmental policy for securing crime scenes.
• Immediately secure all electronic devices, personal and portable.
• Ensure no unauthorized person accesses devices at crime scene.
• Refuse offers of help/assistance from any unauthorized persons.
• Remove everyone from area where evidence is to be collected.
• Ensure that the condition of any electronic device is not altered.
• STOP! Leave a computer or electronic device off if it is already
turned off.”
Increase Resilience: Improved Forensics
UK Association of Chief Police Officers (2007, 2011)
1. No action should change data held on a computer or storage
media which may subsequently be relied upon in court;
2. When anyone has to access original data on a computer or
storage media, they must be competent and give evidence
explaining relevance and implications of their actions;
3. An audit trail of all processes on computer-based electronic
evidence should be created and preserved. An independent 3rd
party should examine processes and achieve same result;
4. Person in charge of the investigation has overall responsibility for
ensuring that the law and these principles are adhered to.
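Added example (not from the slides or from ACPO): a minimal acquisition log that supports ACPO principles 1 and 3, recording a SHA-256 of each item so that any later change is detectable and an independent party re-running the same procedure gets the same result. The evidence files, examiner name and log format are constructed for the demonstration.

```python
"""Evidence acquisition log that a third party can independently re-verify (ACPO principles 1 and 3)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(paths, examiner, log_path):
    """Write one audit-trail entry per item: who, when, which method, which hash."""
    entries = [{
        "item": os.path.basename(p),
        "path": os.path.abspath(p),
        "sha256": hash_file(p),
        "size": os.path.getsize(p),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "method": "hashlib.sha256, 64 KiB chunks",
    } for p in paths]
    with open(log_path, "w", encoding="utf-8") as f:
        json.dump(entries, f, indent=2)
    return entries

def verify_log(log_path):
    """Re-hash every logged item and return those whose hash no longer matches.
    An independent party running this against untouched media should get []."""
    with open(log_path, encoding="utf-8") as f:
        entries = json.load(f)
    return [e["item"] for e in entries if hash_file(e["path"]) != e["sha256"]]

def run_demo():
    """Constructed evidence: two files in a temp directory; one is altered after logging."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("config.bak", "syslog.1")]
        with open(paths[0], "wb") as f:
            f.write(b"radar_feed=primary\nfallback=secondary\n")                     # constructed
        with open(paths[1], "wb") as f:
            f.write(b"Jan 01 00:00:01 gw sshd[1]: Accepted publickey for ops\n")     # constructed
        log = os.path.join(d, "acquisition_log.json")
        record_acquisition(paths, examiner="examiner A (hypothetical)", log_path=log)
        clean = verify_log(log)                 # untouched media: []
        with open(paths[1], "ab") as f:         # simulate the original being altered afterwards
            f.write(b"tampered\n")
        return clean, verify_log(log)           # ([], ["syslog.1"])

if __name__ == "__main__":
    print(run_demo())
```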
Increased Resilience: Recovery & Certification
Increased Resilience: Incident Reporting
• Three types of reporting systems:
– support emergency response;
– support incident prevention;
– support legal actions.
• Legal requirement following Article 13a.
– Obligation to report cyber-incidents to NRA:
– Will it be CAA or Ofcom (Telco Regulator)?
• Internal systems distribute alerts across company;
– Identify common symptoms and causal analysis.
Simplified Internal Cyber-incident Reporting
Gatekeeper Architecture
Active External Monitoring Reporting System
Introducing EASA/ENISA etc…
What Can Be Done: Cyber Exercises…
What Can Be Done Cyber Exercises…
What Can Be Done: Simplified Attack
The Stuxnet Scenario
If All Else Fails: Cyberinsurance
“Government should incentivize the market to
make more secure products and services.
Additional incentives should include reduced
liability in exchange for improved security or
increased liability for the consequences of
poor security, indemnification, tax incentives,
and new regulatory requirements and
compliance mechanisms”.
– White House (2009) review of Cyber security.
What Can Be Insured?
• First party risk:
– Loss or damage to digital assets;
– Business interruption;
– Cyber extortion;
– Reputation & theft of assets.
• Third party cyber risks:
– Security and privacy breaches;
– Investigation of privacy breach;
– Customer notification expenses;
– civil damages/defamation;
– Loss of third party data.
The Obama Administration…
• PPIs not working, Senate limits Fed power.
• Cyber-insurance is attractive:
– tax breaks and access to Federal funds;
– Investment in security reduces
• Concern over Cyber-storm & actuarial pricing:
– Limiting liability reduces the cost of cyber-insurance;
– Who pays residual costs? Taxpayers, a levy, or…?
– Or do governments subsidise cyber-insurance?
– Concerns premiums will automatically rise.
Barriers to Cyber Insurance (1)
“Lack of actuarial data results in high premiums for first-party policies;
Mistaken belief that standard corporate insurance policies already cover most cyber risks;
Fear that a so-called “cyber hurricane” will overwhelm carriers who might otherwise enter the market before they build up sufficient reserves to cover large losses”.
Dept of Homeland Security (2012)
Barriers to Cyber Insurance (2)
• Moral hazard:
– No investment in security if we can claim…
• Adverse selection:
– high risk organisations buy insurance but
premium based on rest of market…
• Externalities
– Don’t cover party who did not choose to incur
that cost eg web site customer?
• Interdependencies:
– security depends on many organisations.
DHS 2012 Initiative…
“Establishing a federal reinsurance entity to
promote the development of actuarial data
that carriers will need to create new insurance
products”.
• Cyber Safety Act to promote:
1. new cybersecurity technologies/ services;
2. insurance requirements for purchasers of them;
3. corresponding liability caps.
Obama 2013 CyberSec Executive Order
• Federal agencies to share incidents
– Encourage voluntary sharing for companies.
• U.S. Securities & Exchange Commission,
– Finance Disclosure Guidance on Cyber-security,
– “firms disclose the risk of cyber incidents
– “make an investment in the company risky”
– expect registrants to evaluate
• Inconsistent cf FCC Telecomms (NORS).
– Obama promises renewed legislation in this area.
EC Proposals…
• Focus on litigation and regulation 8(
– Make it easy for private legal cases;
– Permit CyberSec class actions in Europe.
• Cross-border data privacy laws with US.
• Force companies to notify consumers
– European General Data Protection Regulation
– Fines can be levied up to 2% of global annual
turnover within 24 hours – Barclays???
EC Proposals…
• Growing market in cyber-insurance.
• Lloyds Register and the Geneva Assoc.
• European Commission projects support:
– Robust, valuation of security breaches;
– Feb 2013 CyberSec Proposed Directive.
• Mandatory insurance for certain areas?
Overview: What Can We Do?
• Safeguard the Supply Chain
– Safeguarding the insider threat;
– Redundancy and mixed certification…
– Analytical techniques (GSN, Attack trees);
– The Cloud...
• Increasing Resilience:
– Threat detection,
– Improved forensics,
– Recovery certification…
• If all else fails: Cyberinsurance…
Schedule
First Briefing
Understanding the Threats
Detailed patterns of attack.
Second Briefing
What can be done?
Protection, forensics and recovery.
Third Briefing
More detailed case studies…
Securing space-based assets.
Any Questions?
Copyright C.W. Johnson, 2014