What Can We Do? - system-safety.org · What Can We Do? Tutorial on the Cybersecurity of...


Page 1: What Can We Do? - system-safety.org · What Can We Do? Tutorial on the Cybersecurity of Safety-Critical Systems ... ISO/IEC 27003 — Information security management system implementation
Page 2

What Can We Do?

Tutorial on the Cybersecurity of Safety-Critical Systems

Prof. Chris Johnson,

School of Computing Science, University of Glasgow, Scotland.

http://www.dcs.gla.ac.uk/~johnson

Page 3

Schedule

First Briefing: Understanding the Threats. Detailed patterns of attack.
Second Briefing: What can be done? Protection, forensics and recovery.
Third Briefing: More detailed case studies… Securing space-based assets.

Page 4

Recap

• Is it a bug or an attack?
• Nature of the Threats:
  – Insider attacks;
  – Crowdsourcing and Hacktivism;
  – Social Attacks and Spear Phishing;
  – Certification attacks; Configuration Attacks;
  – Command and Control Servers;
  – Stuxnet; Sniffers…
• Next: What Can We Do?

Page 5

Overview: What Can We Do?

• Safeguard the Supply Chain:
  – Safeguarding the insider threat;
  – Redundancy and mixed certification…
  – Analytical techniques (GSN, Attack trees);
  – The Cloud...
• Increasing Resilience:
  – Threat detection,
  – Improved forensics,
  – Recovery certification (is it safe yet?)…
• If all else fails: Cyberinsurance…

Page 6

Sanity Check…

• This is only an initial overview…

Page 7

What Can We Do?

1. To stay out of jail:
   – Legal requirements after an incident…
2. To develop the business…
   – Advantages over competitors outside Europe.

Page 8

Chris: We can never be 100% secure. Because…

Dijkstra: Testing can prove the presence of errors, but not their absence.

Edsger W Dijkstra (1930-2002)

Copyright C.W. Johnson, 2013

Page 9

Conventional ANSP Expectations

ISO 27k:
ISO/IEC 27000 — Information security management systems — Overview and vocabulary
ISO/IEC 27001 — Information security management systems — Requirements
ISO/IEC 27002 — Code of practice for information security management
ISO/IEC 27003 — Information security management system implementation guidance
ISO/IEC 27004 — Information security management — Measurement
ISO/IEC 27005 — Information security risk management
ISO/IEC 27006 — Requirements for providing audit and certification of information security management systems
ISO/IEC 27007 — Guidelines for information security management systems auditing
ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
ISO/IEC 27010 — Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications

Page 10

Conventional ANSP Expectations

US Federal Information Security Management Act (2002):

1. Identify and categorize the information that is to be protected;
2. Select minimum controls and document in a security policy;
3. Refine controls using a risk assessment procedure to assess the probability and consequence of loss;
4. Document controls in a system security plan;
5. Implement security controls to mitigate risks;
6. Assess effectiveness of security controls once implemented;
7. Determine residual agency-level risk to mission or business;
8. Authorize information system for operation and maintain;
9. Monitor and audit the security controls on a continuous basis.

Page 11

Page 12

Conventional ANSP Expectations

• European General Data Protection Regs:
  – Fines 2% of global annual turnover in 24 hours;
  – Into force this year (replaces 95/46/EC).
• Feb 2013 Network and Infosec Directive:
  – single "competent authority" for infosec;
  – "issue binding instructions to market operators";
  – (Frequentis is a "market operator");
  – obligatory incident reporting to authority;
  – establish a national CERT.

Page 13

Safeguard the Supply Chain

• Increasing focus on critical infrastructures:
  – Political impact of Snowden revelations;
  – Technical impact of Stuxnet weapons test…
• EC initiatives to safeguard supply chain:
  – How can we do this? Switches?
• Specific issues here:
  – Insider threat, redundancy;
  – mixed certification, the Cloud…

Page 14

Safeguard Supply Chain: Insider Threat

• Most companies have good security policies.
• Insider threat through negligence (AUDIT):
  – All of them are ignored some of the time;
  – Some policies are not known to staff, or have been forgotten.
• Insider threat from maleficence (FILTER):
  – Who do you trust? Background checks;
  – Use of sub-contractors, agency staff.
• No use of untrusted code (EXCLUDE):
  – Ban third party libraries? Trusted compilers?

Page 15

Safeguard Supply Chain: Redundancy/Diversity

• Redundancy is key to safety in ATM;
  – Doesn’t help much without diversity.
• N-version programming from same supplier?
• Diverse operating systems/hardware?
• How extreme do you get?
  – The Naviair Windows fallback server…
  – UK/US military hardware intermediate layer.
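The slide's point that redundancy "doesn't help much without diversity" can be made concrete with a 2-out-of-3 majority voter. The following is an added example, not code from the tutorial: the channel implementations, the sets of inputs on which each supplier's code base is wrong, and the fault model (a wrong answer offset by a constant) are all constructed here. It shows that three copies of one supplier's code agree on the wrong answer (a silent, unvoted-out failure), while independently built channels with unrelated defects let the voter mask any single fault, and that two diverse channels failing differently on the same input at least fail safe.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Set

Channel = Callable[[int], int]


def correct(x: int) -> int:
    """Reference behaviour every redundant channel is supposed to implement (constructed)."""
    return 2 * x + 1


def make_channel(faulty_inputs: Set[int], wrong_by: int = 10) -> Channel:
    """A channel that is correct except on the constructed `faulty_inputs`, where it is off by `wrong_by`."""
    def channel(x: int) -> int:
        return correct(x) + wrong_by if x in faulty_inputs else correct(x)
    return channel


def vote(outputs: List[int]) -> Optional[int]:
    """2-out-of-3 majority voter: the agreed value, or None when no two channels agree (fail-safe)."""
    value, count = Counter(outputs).most_common(1)[0]
    return value if count >= 2 else None


def assess(channels: List[Channel], inputs: range) -> Dict[str, int]:
    """Tally, over all inputs, whether the voted output is right, fail-safe, or silently wrong."""
    tally = {"correct": 0, "fail_safe": 0, "silent_wrong": 0}
    for x in inputs:
        v = vote([ch(x) for ch in channels])
        key = "fail_safe" if v is None else ("correct" if v == correct(x) else "silent_wrong")
        tally[key] += 1
    return tally


# Constructed fault sets: one per independent code base.
SUPPLIER_A_BUG = {7, 42}   # inputs supplier A's code base mishandles
SUPPLIER_B_BUG = {13}      # an unrelated defect in an independently built channel
SUPPLIER_C_BUG = {99}      # another unrelated defect

# Three copies of the same code base: the defect is common-mode, so all three agree on the wrong value.
three_copies = [make_channel(SUPPLIER_A_BUG)] * 3
# Two copies from supplier A plus one diverse channel: the shared defect still outvotes the diverse one.
two_plus_one = [make_channel(SUPPLIER_A_BUG), make_channel(SUPPLIER_A_BUG), make_channel(SUPPLIER_B_BUG)]
# Three independently developed channels with non-overlapping defects: every single fault is masked.
diverse = [make_channel(SUPPLIER_A_BUG), make_channel(SUPPLIER_B_BUG), make_channel(SUPPLIER_C_BUG)]
# Two diverse channels both wrong on input 5, but differently: no majority, so the voter fails safe.
diverse_coincident = [make_channel({5}, 10), make_channel({5}, 20), make_channel(set())]

if __name__ == "__main__":
    for label, chans in [("three copies", three_copies), ("two plus one", two_plus_one),
                         ("diverse", diverse), ("diverse, coincident fault", diverse_coincident)]:
        print(f"{label:26s} {assess(chans, range(100))}")
```

The "silent_wrong" count is the one that matters for safety: a voter that confidently emits a wrong value is worse than one that declares no agreement, and only diversity keeps that count at zero.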

Page 16

Safeguard Supply Chain: Mixed Certification

• Safety and Security – non-functional requirements:
  – Typically, can have one but not both.
• Verification and validation prevent monitoring.
• Need for regulatory support:
  – Primary system is safe (e.g. following ED-153);
  – Secondary system is secure (i.e. using virus definitions).
• On-going project in Glasgow…

Page 17

Safeguard the Supply Chain

• Good news.
• Re-use some safety analysis techniques.
  – But some important differences…
• Case Study 1 – Goal Structuring Notation:
  – GSN for security cases?
  – GSN for safety cases (with attack scenarios);
• Case Study 2 – Attack Trees:
  – Beware differences with fault trees;
  – Probability of an attack (UK guidance?).

Page 18

VA Generic Security Case

Page 19

Integrated Safety and Security Threats

(GSN diagram; node texts recovered from the slide.)

G1: EGNOS SBAS is acceptably safe.
C1: SBAS performance requirements identified in EGNOS Service Definition Document – Open Service, Ref: EGN-SDD OS V1.1 – 30th October 2009 and ICAO Annex 10 Vol I (Radio Navigation Aids) – 6th Ed July 2006 ver. 85, EC Reg 550/2004.
S1: Initial tests on limited geographical areas.
G2: All identified hazards to accuracy, integrity, continuity and availability have been eliminated or mitigated to an acceptable level.
C2: Hazards and ‘feared events’ identified according to the EGNOS end-to-end validation programme.
G3: SBAS operations conducted according to agreed SOPs.
C3: EGNOS Safety of Life Service Definition Document, European Commission, DG Enterprise and Industry, Ref: EGN-SDD SoL, V1.0; also RTCA/DO-229D.
G4: Hazards to accuracy have been mitigated.
G5: Hazards to integrity have been mitigated.
G6: Hazards to availability have been mitigated.
G7: Hazards to continuity have been mitigated.
G8: Probability of deterministic failure < 10^-5 per service hour.
G9: Probability of random stochastic failure < 10^-5 per service hour.
G10: SBAS ops will be conducted following practices in European Cooperation for Space Standardization, Space Engineering – Verification, ECSS-E-10-02A, 17 November 1998.
G11: SBAS ops meet detailed requirements in Single European Sky Certification of ESSP.
S2: Real-time monitoring of Signal-in-Space data.
S3: Simulator data, e.g. EGNOS End to End Simulator (EETES).
S4: Fault tree for EGNOS components.
S5: Evidence of conformance from audit, e.g. French NSA for EC, July 2010.
S6: Process evidence from ESSP teams.
CE1: Excessive multipath at RIMS level jeopardizes continuity.
SC1: Localized jamming of GPS or spoofing invisible to ground stations.
SC2: Concerns over insider threat to EGNOS ground stations.
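The slide attaches security concerns (SC1, SC2) to a safety argument, which is the "GSN for safety cases (with attack scenarios)" idea from the previous slide. The following added example, not code from the tutorial or from the EGNOS programme, encodes the argument as a small graph and runs the structural checks a reviewer of such a case would want: goals left undeveloped, links to undefined nodes, challenges that no solution answers, and which goals up to the root a challenge undermines. The node texts are the slide's; which node supports which is an assumption made here, since the diagram's edges are not recoverable from the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    kind: str                                              # "goal", "solution" or "challenge"
    text: str
    supported_by: List[str] = field(default_factory=list)  # goals or solutions beneath a goal
    target: Optional[str] = None                           # challenge only: the goal it undermines
    countered_by: Optional[str] = None                     # challenge only: solution answering it


def build_egnos_case() -> Dict[str, Node]:
    """Node texts come from the slide; the support links are an assumption made for this example."""
    def g(text: str, *kids: str) -> Node:
        return Node("goal", text, list(kids))

    def s(text: str) -> Node:
        return Node("solution", text)

    return {
        "G1": g("EGNOS SBAS is acceptably safe", "G2", "G3"),
        "G2": g("All identified hazards eliminated or mitigated to an acceptable level", "G4", "G5", "G6", "G7"),
        "G3": g("SBAS operations conducted according to agreed SOPs", "G10", "G11"),
        "G4": g("Hazards to accuracy have been mitigated", "G8", "G9"),
        "G5": g("Hazards to integrity have been mitigated", "S2"),
        "G6": g("Hazards to availability have been mitigated", "S1", "S3"),
        "G7": g("Hazards to continuity have been mitigated", "S2"),
        "G8": g("Probability of deterministic failure < 10^-5 per service hour", "S4"),
        "G9": g("Probability of random stochastic failure < 10^-5 per service hour", "S4"),
        "G10": g("SBAS ops follow ECSS-E-10-02A verification practices", "S6"),
        "G11": g("SBAS ops meet Single European Sky certification of ESSP", "S5"),
        "S1": s("Initial tests on limited geographical areas"),
        "S2": s("Real-time monitoring of Signal-in-Space data"),
        "S3": s("Simulator data, e.g. EGNOS End to End Simulator (EETES)"),
        "S4": s("Fault tree for EGNOS components"),
        "S5": s("Evidence of conformance from audit, e.g. French NSA for EC, July 2010"),
        "S6": s("Process evidence from ESSP teams"),
        # A feared event from the safety analysis, answered by the monitoring evidence (assumed link).
        "CE1": Node("challenge", "Excessive multipath at RIMS level jeopardizes continuity",
                    target="G7", countered_by="S2"),
        # Attack scenarios added to the safety case: nothing in the argument answers them yet.
        "SC1": Node("challenge", "Localized jamming of GPS or spoofing invisible to ground stations", target="G5"),
        "SC2": Node("challenge", "Concerns over insider threat to EGNOS ground stations", target="G3"),
    }


def parents(case: Dict[str, Node]) -> Dict[str, str]:
    """Map each supported node to the goal that cites it."""
    return {kid: pid for pid, n in case.items() for kid in n.supported_by}


def undeveloped_goals(case: Dict[str, Node]) -> List[str]:
    """Goals with nothing beneath them: GSN marks these 'undeveloped', so the argument is incomplete."""
    return sorted(i for i, n in case.items() if n.kind == "goal" and not n.supported_by)


def dangling_links(case: Dict[str, Node]) -> List[str]:
    """Support links that point at a node the case never defines."""
    return sorted(k for n in case.values() for k in n.supported_by if k not in case)


def unanswered_challenges(case: Dict[str, Node]) -> List[str]:
    """Attack scenarios or feared events that no solution is recorded against."""
    return sorted(i for i, n in case.items() if n.kind == "challenge" and n.countered_by is None)


def goals_undermined(case: Dict[str, Node], challenge_id: str) -> List[str]:
    """Walk from the challenged goal up to the root: every goal on the way inherits the doubt."""
    up = parents(case)
    chain: List[str] = []
    cur = case[challenge_id].target
    while cur is not None:
        chain.append(cur)
        cur = up.get(cur)
    return chain


if __name__ == "__main__":
    case = build_egnos_case()
    print("undeveloped:", undeveloped_goals(case))
    print("unanswered :", unanswered_challenges(case))
    for c in unanswered_challenges(case):
        print(f"  {c} undermines {' -> '.join(goals_undermined(case, c))}")
```

With the assumed links, the two attack scenarios are the only unanswered challenges, and each propagates to the top-level claim G1: that is the point of putting them on the safety case rather than in a separate security document.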

Page 20

Resilience in the Cloud

(Fault tree figure; node labels recovered from the slide.)
Top event: Loss of Critical Cloud Infrastructure (OR gate).
Intermediate events: Large scale systems failure; Large scale cyber attack (each an OR gate).
Contributing events: Design less than adequate; Risk assessment less than adequate; Operation less than adequate; Security measures less than adequate; Incident response less than adequate (appears under both intermediate events).

Page 21

Critical Cloud Failure

(Fault tree figure; node labels recovered from the slide.)
Top event: Large scale systems failure – 70 million users lose access to file store for 3 days (OR gate).
Intermediate events: Design less than adequate; Operation less than adequate; Incident response less than adequate.
Basic events (combined through the figure's AND gates): Core switch failure triggers loss of service; Insufficient attention paid to internal network redundancy; Failure to address problems affecting 10 million users in 2005; Redundant backup server farm not completed before failure; Delays in recovering from initial failure in rollback to previous configuration; Secondary failures as huge backlog created by users still accessing system.
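The "Beware differences with fault trees" warning on the attack-tree slide, and the Critical Cloud Failure tree above, can be shown together with one evaluator that supports both readings of the same AND/OR structure. This is an added example, not code from the tutorial: the fault tree mirrors the figure above, but the grouping of basic events under the three intermediate events and every probability are assumptions made here, and the attack tree for the same top event is constructed. Under fault-tree semantics leaves are independent random events, so AND multiplies and OR combines probabilities; under attack-tree semantics leaves are steps an adversary chooses, so AND adds effort and OR is simply the cheapest branch. Feeding an attack tree to the fault-tree formula gives a meaningless answer, which is the trap the slide warns about.

```python
import math
from dataclasses import dataclass, field
from typing import List, Tuple, Union


@dataclass
class Basic:
    name: str
    prob: float = 0.0   # fault tree: probability that this random failure occurs
    cost: float = 0.0   # attack tree: effort an adversary must spend on this step


@dataclass
class Gate:
    name: str
    kind: str           # "AND" or "OR"
    children: List["Tree"] = field(default_factory=list)


Tree = Union[Basic, Gate]


def fault_probability(t: Tree) -> float:
    """Fault-tree semantics: leaves are independent random events.
    AND multiplies the probabilities; OR is 1 - prod(1 - p)."""
    if isinstance(t, Basic):
        return t.prob
    ps = [fault_probability(c) for c in t.children]
    if t.kind == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)


def cheapest_attack(t: Tree) -> Tuple[float, List[str]]:
    """Attack-tree semantics: leaves are deliberate steps chosen by an adversary.
    AND adds up every step on the path; OR takes the cheapest branch, whatever the others cost."""
    if isinstance(t, Basic):
        return t.cost, [t.name]
    results = [cheapest_attack(c) for c in t.children]
    if t.kind == "AND":
        return sum(c for c, _ in results), [n for _, names in results for n in names]
    return min(results, key=lambda r: r[0])


def cloud_failure_tree() -> Gate:
    """Mirrors the Critical Cloud Failure figure; grouping and probabilities are assumptions."""
    return Gate("70 million users lose access to file store for 3 days", "OR", [
        Gate("Design less than adequate", "AND", [
            Basic("Core switch failure triggers loss of service", prob=0.10),
            Basic("Insufficient attention paid to internal network redundancy", prob=0.50),
            Basic("Failure to address problems affecting 10 million users in 2005", prob=0.20)]),
        Gate("Operation less than adequate", "AND", [
            Basic("Redundant backup server farm not completed before failure", prob=0.30)]),
        Gate("Incident response less than adequate", "AND", [
            Basic("Delays in rollback to previous configuration", prob=0.20),
            Basic("Secondary failures from backlog of users still accessing system", prob=0.40)])])


def service_loss_attack_tree() -> Gate:
    """Constructed attack tree for the same top event, with effort on each step instead of probability."""
    return Gate("Attacker causes loss of service", "OR", [
        Basic("Insider misuses legitimate access", cost=2.0),
        Gate("Outsider reaches the management plane", "AND", [
            Basic("Gain an initial foothold", cost=8.0),
            Basic("Escalate to administrator", cost=5.0)])])


if __name__ == "__main__":
    print("P(top event) under fault-tree semantics:", round(fault_probability(cloud_failure_tree()), 5))
    cost, path = cheapest_attack(service_loss_attack_tree())
    print("cheapest attack:", cost, "via", path)
    # The mistake the slide warns about: the attack tree carries no independent probabilities,
    # so the fault-tree formula reports the attack as impossible.
    print("attack tree read as fault tree:", fault_probability(service_loss_attack_tree()))
```

Two properties fall out of the code. Under fault-tree semantics an OR of several unlikely branches stays unlikely, because the branches are independent accidents; under attack-tree semantics one cheap branch (here the insider) makes the whole goal cheap no matter how expensive the other branch is, which is why redundancy that only adds expensive branches does not raise the attacker's cost.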

Page 22

Safeguard Supply Chain: The Cloud????

• Skyguide.
• But:
  – You outsource the service;
  – You do not outsource the risk.

Page 23

Reliability in Cloud Infrastructures

• Two months, 1 million users: T-Mobile’s Sidekick users lost contacts, calendars, photos when Microsoft subsidiary Danger suffered a server failure.
• Permanent data loss, over 6,300 users: 1-4th July 2010, Evernote hardware failure, loss of data.
• Four days, 35,000 users: February 2011 Gmail accounts and Google Apps customers lost all the data in the accounts. Google had to resort to restoring backups from tapes, in an operation lasting 4 days.
• Several hours, service-wide: 6, 11 and 15 August 2008, Google’s enterprise e-mail system, Apps Premier Edition, outage affected nearly all users for 2 hours; some were affected for 24 hours.
• 72 hours, 70 million users: Millions of Blackberry users across Europe, Middle East and Africa suffered outage for 3 days in October 2011. Speculation is that most of the global customer base (70m users) were affected at some point during the 72 hours.

Page 24

• Security “Upside”:
  – Better coordination of security;
  – Better training and monitoring;
  – Share costs of secure infrastructure.
• Security “Downside”:
  – Providers unsure what is running;
  – Do all clients install secure patches?
  – What is ‘normal traffic’? Etc.

http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494

Page 25

Page 26

Risks Associated with Loss of Governance

Page 27

Increase Resilience

• Cannot be 100% secure:
  – But avoid negligence… and prison time.
• Detecting an attack is non-trivial.
• Recovery can take months…
• Specific issues here:
  – Threat detection, improved forensics, recovery certification…

Page 28

Increase Resilience: Threat Detection

• Two primary approaches:
  – 1. Monitor to detect only normal traffic;
  – 2. Monitor to detect any abnormal behaviour.
• Approach 1 does not work:
  – Need mixed certification approach above.
• Approach 2 does not work:
  – Most ANSPs cannot characterize ‘normal’.
• FAA/US Navy/Glasgow joint project…

Page 29

Li (MIT Thesis, 2013) ILS Nominal Approach

Page 30

One Month of Radar Targets in an ACC

Page 31

Number of Radar Targets-Bytes over Network

Page 32

Increase Resilience: Threat Detection

• But beware: false positives…
• Attackers don’t need to penetrate the system.
• They only need to trigger threat detection.
• You then waste thousands in analysis…
• 2nd Generation Denial of Service Attacks.
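The three slides on threat detection (characterising "normal", the radar-targets-per-minute plots, and the false-positive trap) can be illustrated with one anomaly detector run over a series like the "Number of Radar Targets" plot. This is an added example, not code from the tutorial or from the FAA/US Navy/Glasgow project: the traffic series is constructed, with a clean daily cycle and deterministic jitter (the tidy "normal" the slide says most ANSPs cannot actually produce), and one burst of extra targets is injected at a chosen minute. The detector compares each minute against the median and median absolute deviation (MAD) of the preceding hour, so it uses only past data; the parameter k sets how far from the baseline a minute must lie before it is flagged, and `summarize` splits the alerts into the one real event and the ones an analyst would chase for nothing.

```python
import math
from statistics import median
from typing import Dict, List

WINDOW = 60          # minutes of history used as the local baseline
ANOMALY_AT = 720     # constructed: minute at which an injected burst of targets arrives
ANOMALY_SIZE = 400   # constructed: extra targets in that minute


def constructed_traffic(minutes: int = 2880) -> List[int]:
    """Constructed sample: radar targets per minute over two days, a daily cycle plus
    deterministic jitter. Real ANSP traffic is far less regular than this."""
    series = []
    for t in range(minutes):
        daily = 300 + 120 * math.sin(2 * math.pi * t / 1440)
        jitter = 15 * math.sin(1.7 * t) + 10 * math.cos(0.31 * t)
        series.append(int(round(daily + jitter)))
    return series


def with_injected_burst(series: List[int]) -> List[int]:
    """Copy of the series with the constructed burst added at ANOMALY_AT."""
    out = list(series)
    out[ANOMALY_AT] += ANOMALY_SIZE
    return out


def detect(series: List[int], k: float, window: int = WINDOW) -> List[int]:
    """Flag minute t when its count deviates from the median of the preceding window by more
    than k times that window's MAD. Only past minutes are consulted, so this can run online."""
    alerts = []
    for t in range(window, len(series)):
        ref = series[t - window:t]
        m = median(ref)
        mad = median(abs(x - m) for x in ref) or 1.0   # guard against a flat window
        if abs(series[t] - m) > k * mad:
            alerts.append(t)
    return alerts


def summarize(alerts: List[int], known_events: List[int]) -> Dict[str, int]:
    """Split alerts into those matching a known event and those that cost analyst time for nothing."""
    true_positives = sum(1 for a in alerts if a in known_events)
    return {"true_positives": true_positives, "false_positives": len(alerts) - true_positives}


if __name__ == "__main__":
    baseline = constructed_traffic()
    attacked = with_injected_burst(baseline)
    # A tight threshold catches the burst but also fires on ordinary variation;
    # a loose one keeps the analysts' time for real events.
    for k in (1.0, 2.5, 4.0):
        print(f"k={k}: {summarize(detect(attacked, k), [ANOMALY_AT])}")
```

The trade-off the slide describes is the `false_positives` column: every entry there is a ticket someone has to investigate, and an adversary who knows roughly where the threshold sits can generate such entries cheaply without ever touching the protected system.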

Page 33

Increase Resilience: Improved Forensics

NIST Incident Response Lifecycle

Incident handlers should consider not only the current functional impact of the incident, but also the likely future functional impact if it is not immediately contained. Incidents may affect the confidentiality, integrity, and availability of the organization’s information... (NIST, 2012)

Page 34

Increase Resilience: Improved Forensics

• Immediate Actions and Containment.
• Who to notify?
  – Colleagues, Regulators, Police, Other ANSPs,
  – Media, Airlines, Public etc.
• What systems are affected?
  – Network? Other installations? USB plague…
• How long has the attack lasted?
  – Do archive versions contain the malware too?

Page 35

Increase Resilience: Improved Forensics

• Immediate Actions and Containment.
• Is it safe to maintain operations?
  – Almost certainly violating certification…
• How to cope with existing safety concerns?
  – What if attack is detected during upgrade?
  – What if attack is detected when systems down?
  – Attackers will time their attack of course…

Page 36

W32.Duqu: C&C Linux Server Deletion

Page 37

Increase Resilience: Improved Forensics

1. Protect subject computer system from alteration, data corruption, virus infection, physical damage;
2. Uncover all files: normal, hidden, deleted, encrypted etc;
3. Recover as many of the deleted files as possible;
4. Reveal the contents of hidden and temporary files;
5. Access the protected and encrypted files, if legal;
6. Analyse all data, including unallocated file space & file slack;
7. Print out all relevant files, conduct system examination;
8. Provide expert testimony or consultation, if required.

Page 38

Increase Resilience: Improved Forensics

NIST Guidelines on Forensic Analysis

Page 39

Increase Resilience: Improved Forensics

US Department of Justice (2008): treat like any other crime scene:

“Follow departmental policy for securing crime scenes.
• Immediately secure all electronic devices, personal and portable.
• Ensure no unauthorized person accesses devices at crime scene.
• Refuse offers of help/assistance from any unauthorized persons.
• Remove everyone from area where evidence is to be collected.
• Ensure that the condition of any electronic device is not altered.
• STOP! Leave a computer or electronic device off if it is already turned off”.

Page 40

Increase Resilience: Improved Forensics

UK Association of Chief Police Officers (2007, 2011)

1. No action should change data held on a computer or storage media which may subsequently be relied upon in court;
2. When anyone has to access original data on a computer or storage media, they must be competent and give evidence explaining relevance and implications of their actions;
3. An audit trail of all processes on computer-based electronic evidence should be created and preserved. An independent 3rd party should examine processes and achieve same result;
4. Person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
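The eight-step examination list (Page 37) and the ACPO principles above share a mechanical core: work on an image whose hash proves it has not changed (principle 1), keep an audit trail a third party can re-check (principle 3), and recover what the file system no longer lists (steps 3 and 6). The following added example, not code from the tutorial or from any forensic tool, demonstrates that core on a constructed "disk image": a small allocated region followed by unallocated space that still contains two deleted PDF fragments. The image contents, the allocated-region size, the examiner name and the PDF signatures used for carving are all assumptions made here; the audit trail chains each entry to the previous one by hash so an after-the-fact edit is detectable.

```python
import hashlib
import json
from typing import Dict, List

ALLOCATED_SIZE = 256   # constructed: bytes of the image the file system reports as in use


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def constructed_disk_image() -> bytes:
    """Constructed evidence: one allocated text file, then unallocated space that still
    holds the remains of two deleted PDF documents."""
    allocated = b"FS-HEADER|notes.txt|routine maintenance log\x00".ljust(ALLOCATED_SIZE, b"\x00")
    deleted_a = b"%PDF-1.4 deleted report A %%EOF"
    deleted_b = b"%PDF-1.7 deleted report B %%EOF"
    unallocated = b"\x00" * 64 + deleted_a + b"\xff" * 32 + deleted_b + b"\x00" * 64
    return allocated + unallocated


class AuditTrail:
    """Append-only record of every action taken on the evidence. Each entry carries the hash
    of the previous entry, so altering or reordering an entry later breaks the chain (ACPO 3)."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def record(self, actor: str, action: str, evidence_sha256: str) -> Dict[str, str]:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": str(len(self.entries)), "actor": actor, "action": action,
                 "evidence_sha256": evidence_sha256, "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain, as an independent third party would; False on any alteration."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def carve_pdfs(unallocated: bytes) -> List[bytes]:
    """Signature carving: recover deleted PDF fragments lying between a '%PDF' header
    and the next '%%EOF' marker in space the file system no longer accounts for."""
    found: List[bytes] = []
    pos = 0
    while True:
        start = unallocated.find(b"%PDF", pos)
        if start < 0:
            return found
        end = unallocated.find(b"%%EOF", start)
        if end < 0:
            return found
        found.append(unallocated[start:end + len(b"%%EOF")])
        pos = end + len(b"%%EOF")


def examine(image: bytes, examiner: str) -> Dict[str, object]:
    """ACPO 1: work on the image, never the original, and prove the image did not change."""
    trail = AuditTrail()
    acquired = sha256_hex(image)
    trail.record(examiner, "acquired image and recorded its hash", acquired)
    recovered = carve_pdfs(image[ALLOCATED_SIZE:])
    trail.record(examiner, f"carved {len(recovered)} PDF fragments from unallocated space", sha256_hex(image))
    return {"image_sha256": acquired, "recovered": recovered, "trail": trail,
            "unchanged": sha256_hex(image) == acquired}


if __name__ == "__main__":
    result = examine(constructed_disk_image(), "examiner-1 (constructed)")
    print("image unchanged:", result["unchanged"], "sha256:", result["image_sha256"])
    print("recovered fragments:", result["recovered"])
    print("audit trail intact:", result["trail"].verify())
```

A real examination hashes the physical device before imaging and the image afterwards, and the trail's final hash is written somewhere the examiner cannot later edit; the chain alone cannot prove that trailing entries were not simply dropped.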

Page 41

Increased Resilience: Recovery & Certification

Page 42

Increased Resilience: Incident Reporting

• Three types of reporting systems:
  – support emergency response;
  – support incident prevention;
  – support legal actions.
• Legal requirement following Article 13a:
  – Obligation to report cyber-incidents to NRA;
  – Will it be CAA or Ofcom (Telco Regulator)?
• Internal systems distribute alerts across company;
  – Identify common symptoms and causal analysis.

Page 43

Simplified Internal Cyber-incident Reporting

Page 44

Gatekeeper Architecture

Page 45

Active External Monitoring Reporting System

Page 46

Introducing EASA/ENISA etc…

Page 47

What Can Be Done: Cyber Exercises…

Page 48

What Can Be Done: Cyber Exercises…

Page 49

What Can Be Done: Simplified Attack

Page 50

The Stuxnet Scenario

Page 51

If All Else Fails: Cyberinsurance

“Government should incentivize the market to make more secure products and services. Additional incentives should include reduced liability in exchange for improved security or increased liability for the consequences of poor security, indemnification, tax incentives, and new regulatory requirements and compliance mechanisms”.

– White House (2009) review of Cyber security.

Page 52

What Can Be Insured?

• First party risk:
  – Loss or damage to digital assets;
  – Business interruption;
  – Cyber extortion;
  – Reputation & theft of assets.
• Third party cyber risks:
  – Security and privacy breaches;
  – Investigation of privacy breach;
  – Customer notification expenses;
  – Civil damages/defamation;
  – Loss of third party data.

Copyright C.W. Johnson, 2014

Page 53

The Obama Administration…

• PPIs not working, Senate limits Fed power.
• Cyber-insurance is attractive:
  – tax breaks and access to Federal funds;
  – Investment in security reduces
• Concern over Cyber-storm & actuarial pricing:
  – Limit liability reduces cost of cyber-insurance;
  – Who pays residual costs? Tax payers or levy or?
  – OR Governments subsidise cyber insurance?
  – Concerns premiums will automatically rise.

Page 54

Barriers to Cyber Insurance (1)

“Lack of actuarial data results in high premiums for first-party policies;
Mistaken belief that standard corporate insurance policies already cover most cyber risks;
Fear that a so-called “cyber hurricane” will overwhelm carriers who might otherwise enter the market before they build up sufficient reserves to cover large losses”.

Dept of Homeland Security (2012)

Page 55

Barriers to Cyber Insurance (2)

• Moral hazard:
  – No investment in security if we can claim…
• Adverse selection:
  – high risk organisations buy insurance but premium based on rest of market…
• Externalities:
  – Don’t cover party who did not choose to incur that cost, e.g. web site customer?
• Interdependencies:
  – security depends on many organisations.

Page 56

DHS 2012 Initiative…

“Establishing a federal reinsurance entity to promote the development of actuarial data that carriers will need to create new insurance products”.

• Cyber Safety Act to promote:
  1. new cybersecurity technologies/services;
  2. insurance requirements for purchasers of them;
  3. corresponding liability caps”.

Page 57

Obama 2013 CyberSec Executive Order

• Federal agencies to share incidents
  – Encourage voluntary sharing for companies.
• U.S. Securities & Exchange Commission,
  – Finance Disclosure Guidance on Cyber-security,
  – “firms disclose the risk of cyber incidents” that “make an investment in the company risky”,
  – expect registrants to evaluate.
• Inconsistent cf FCC Telecomms (NORS).
  – Obama promises renewed legislation in this area.

Page 58

EC Proposals…

• Focus on litigation and regulation 8(
  – Make it easy for private legal cases;
  – Permit CyberSec class actions in Europe.
• Cross-border data privacy laws with US.
• Force companies to notify consumers
  – European General Data Protection Regulation
  – Fines can be levied up to 2% of global annual turnover within 24 hours – Barclays???

Page 59

EC Proposals…

• Growing market in cyber-insurance.
• Lloyds Register and the Geneva Assoc.
• European Commission projects support:
  – Robust valuation of security breaches;
  – Feb 2013 CyberSec Proposed Directive.
• Mandatory insurance for certain areas?

Page 60

Overview: What Can We Do?

• Safeguard the Supply Chain:
  – Safeguarding the insider threat;
  – Redundancy and mixed certification…
  – Analytical techniques (GSN, Attack trees);
  – The Cloud...
• Increasing Resilience:
  – Threat detection,
  – Improved forensics,
  – Recovery certification…
• If all else fails: Cyberinsurance…

Page 61

Schedule

First Briefing: Understanding the Threats. Detailed patterns of attack.
Second Briefing: What can be done? Protection, forensics and recovery.
Third Briefing: More detailed case studies… Securing space-based assets.

Page 62

Any Questions?