
Information Security of Embedded Systems, 21.10.2009: Introduction. Prof. Dr. Holger Schlingloff, Institut für Informatik and Fraunhofer FIRST.


1 Information Security of Embedded Systems
21.10.2009: Introduction
Prof. Dr. Holger Schlingloff, Institut für Informatik and Fraunhofer FIRST

2 Announcement slide of 8.10.2009
21.10.2009, Embedded Security, © Prof. Dr. H. Schlingloff 2009
- Title: "Information Security of Embedded Systems"
- Time: Wednesday 11:15 – 12:45, RUD25, 4.113
- Start: 21.10. (!)
- Examinable: YES (oral exam)
- Contents
  - Introduction to embedded systems
  - Foundations of information security
  - Threats and protective measures
  - Special challenges regarding computing power, energy, communication
  - Development processes

3 "Information Security of Embedded Systems"
- Series of lectures on the topic
  - "Embedded Systems – Productivity and Quality"
  - "Embedded Systems – Safety and Reliability"
- Does NOT build on the summer-semester lecture
  - Some repetition may be unavoidable
  - Two sides of the same coin
- Related lectures
  - Dependable Systems, Properties of Mobile and Embedded Systems
  - Cryptology, Electronic Signatures

4 Notes
- No lecture:
  - on 18 & 25.11. (SEFM)
  - on 16.12. (Coll. UHB)
- Replacement: lectures by M. Conrad
  - Topic: Automotive Security
  - Date by arrangement (WebEx!)
- Block lecture M. Roggenbach
  - 15.-17.1.2010
  - 22.-24.1.2010

5 Block lecture "Algebraic Specification"
- Title: "Algebraic Specification of Software and Hardware" (H. Schlingloff / M. Roggenbach)
- Format: block course on 2 weekends
  - 15.1. afternoon, 16.1., 17.1.
  - 22.1. afternoon, 23.1., 24.1
- Contents
  - Specification formalisms
  - Common Algebraic Specification Language
  - Industrial application examples
  - Tools (theorem provers, transformers)

6 Further Remarks
- Slides will be in English
- We will have a few mascots indicating a break
- Slides (without cartoons) available on web site http://www2.informatik.hu-berlin.de/~hs/Lehre/2009-SS_EmSec/index.html after the lecture

7 Recommended Reading
- Claudia Eckert: IT-Sicherheit: Konzepte - Verfahren - Protokolle, various editions, Oldenbourg
- Matt Bishop: Computer Security - Art and Science, Addison-Wesley
- Peter Marwedel: Embedded System Design, Springer

8 The Topic "Embedded Security"
- "Fashion" research topic
- Not yet very mature
  - many research papers
  - some real, some imagined threats
  - different lectures with different emphasis
- Industrial relevance questionable
  - however, significant standard methods exist
  - "state-of-the-art" must be followed

9 Contents – What You Should Learn
- Embedded systems design
- Foundations of security
- Threats and protective measures
  - information security threats
  - technical systems threats and measures
- Special challenges for embedded systems
  - security processing gap
  - battery gap
  - assurance gap
- Processes and methods
  - structured development methods
  - validation and proof, formal methods

10 Structure
1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods

11 Introductory Example
- "Malicious Control System Cyber Security Attack Case Study – Maroochy Water Services, Australia"
  - Reference: M. D. Abrams, J. Weiss; Annual Computer Security Applications Conference, Dec. 2008, http://csrc.nist.gov/sec-cert/ics/papers.html
- Actual control system cyber event
  - resulted in environmental and economic damage
  - malicious attack by knowledgeable insider, who had been a trusted contractor employee
  - timelines, control system response, and control system policies well investigated

12 Attack Synopsis
- Players: V.B., Hunter Watertech, Maroochy Shire Council
  - Mr. B. had worked for Hunter Watertech, a small Australian firm that installed radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia (a rural area of great natural beauty and a tourist destination)
  - coming from a "strained relationship" with Hunter Watertech, B applied for a job with the Maroochy Shire Council
  - the Council decided not to hire him
  - he decided to "get even" with both the Council and his former employer
- On at least 46 occasions the offender issued remote radio commands to the sewage equipment of Maroochy Shire
  - these commands caused 800,000 litres of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel
  - huge environmental and financial damage: marine life died, the creek water turned black and the stench was unbearable for residents

13 Time Line
- 1997-December 1999: B employed by Hunter Watertech
- Dec. 3, 1999: B resigns, seeks City Council employment
- Early January 2000: B turned down
- Feb 9-Apr 23, 2000: system experiences a series of faults
  - Pumps were not running when they should have been
  - Alarms were not reporting to the central computer
  - A loss of communication between the central computer and various pumping stations
- Mar 16, 2000: Hunter Watertech tried to troubleshoot system
- Apr 19, 2000: Log indicates that a certain system program had been run (manually) at least 31 times
- Apr 23, 2000: Alarms at four pumping stations were disabled using the identification of a fake pumping station

14 Time Line (continued)
- Apr 23, 2000: B, who was under police surveillance, was pulled over by police with computer equipment in car
- "Later investigations found B's laptop had been used at the time of the attacks and his hard drive contained software for accessing and controlling the sewage management system" (http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/)
- B asserted in a taped conversation that all the items in the vehicle were his own. He said he had been up to Rainbow Beach and that he used the computer for study, personal correspondence and work in his family business
- B sought to establish that some of the electronic messages that gave rise to the charges could have been caused by system malfunction or by error of Council employees
- Oct 31, 2001: B convicted in trial, sentenced to 2 years
- Mar 21, 2002: Appeal rejected

15 Evidence Found in B's Vehicle
- Laptop
  - software reloaded February 28, 2000
  - software used in the sewerage system (re)installed February 29
    - run at least 31 times prior to April 19
    - last run on April 23
- "Motorola M120 two-way radio" (same type used in the Council's system)
  - tuned into the frequencies of the repeater stations
  - serial numbers matched delivery docket provided by the supplier of the radios to Hunter Watertech
- "PDS Compact 500" computer control device
  - address set to spoof pumping station
  - serial number identified it as a device which should have been in the possession of Hunter Watertech

16 Consideration
- Obviously, this was a "malicious attack". Why?
- Obviously, the offender had to be jailed. Why?
- Obviously, he was the offender. Why?
- Obviously, this could have been prevented. How?

17 Observations (1/3)
- B was an insider who was never an employee of the organization he attacked
  - Employee of contractor that supplied IT/control system technology
    - With his knowledge he was the "ultimate insider"
  - Difficulty to protect against insider attacks
- Contractor's responsibilities unspecified / inadequate
  - Management, technical and operational cyber security controls
  - Personnel security controls
    - Background investigations
    - Protection from disgruntled employees

18 Observations (2/3)
- As a skilful adversary, B was able to disguise his actions
  - A number of anomalous events occurred before recognition that the incidents were intentional
  - Extensive digital forensics were required to determine that a deliberate attack was underway
- Importance to determine whether intentional attack, or unintentional flaw or error
  - Insufficient means to differentiate attacks from malfunctions
  - No existing cyber security policies or procedures
  - No cyber security defences

19 Observations (3/3)
- Radio communications used in system insecure or improperly configured
  - Wireless devices and software should be secured to the extent possible using physical and logical controls
  - Security controls not implemented or used properly
- Lack of adequate logging mechanisms for forensic purposes
- Insufficient further measures
  - Anti-virus
  - Firewall protection
  - Appropriate use of encryption
  - Upgrade-able systems (from a security perspective)
  - Proper staff training
  - Security auditing and control
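
One way to combine the logical controls and the logging that these observations find missing, as an added example (not from the lecture or the Abrams/Weiss study): every command frame carries a station address, a counter and an HMAC-SHA256 tag under a per-station key, so a device that only sets its address to a real or fake pumping station is rejected, and each verdict is written to an audit log. The frame layout, station addresses, keys, command strings and function names are assumptions made for this example.

```python
import hashlib, hmac, struct

# Constructed inventory: station address -> per-station secret key (assumed values).
STATION_KEYS = {3: b"key-station-03", 7: b"key-station-07"}
TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes

def build_frame(station: int, counter: int, command: bytes, key: bytes) -> bytes:
    """Frame = address (2 bytes) | counter (4 bytes) | command | HMAC tag."""
    header = struct.pack(">HI", station, counter)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()
    return header + command + tag

class Receiver:
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {s: 0 for s in keys}  # highest counter accepted so far
        self.audit_log = []                       # (station, counter, verdict)

    def accept(self, frame: bytes):
        """Return the command if the frame is authentic and fresh, else None."""
        if len(frame) < 6 + TAG_LEN:
            return self._log(None, None, "malformed")
        station, counter = struct.unpack(">HI", frame[:6])
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        key = self.keys.get(station)
        if key is None:  # address is not in the inventory
            return self._log(station, counter, "unknown-station")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # sender does not hold the key
            return self._log(station, counter, "bad-tag")
        if counter <= self.last_counter[station]:   # old frame sent again
            return self._log(station, counter, "replay")
        self.last_counter[station] = counter
        self._log(station, counter, "accepted")
        return body[6:]

    def _log(self, station, counter, verdict):
        self.audit_log.append((station, counter, verdict))
        return None

def demo():
    rx = Receiver(STATION_KEYS)
    good = build_frame(3, 1, b"PUMP_ON", STATION_KEYS[3])
    frames = [good, good,  # legitimate frame, then the same frame re-sent
              build_frame(3, 2, b"ALARM_OFF", b"guessed"),   # real address, no key
              build_frame(99, 1, b"ALARM_OFF", b"guessed")]  # address not in inventory
    return [rx.accept(f) for f in frames], [v for _, _, v in rx.audit_log]
```

The audit log separates rejected frames by cause, which gives operators a basis for telling deliberate injection apart from a malfunctioning station.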

20 Learning From the Maroochy Shire Cyber Attack
- Public record of an intentional, targeted attack by a knowledgeable person on an industrial control system teaches us to consider:
  - Critical physical, administrative, and supply chain vulnerabilities
  - Vulnerabilities coming from suppliers or others outside the organization
  - Contractor and sub-contractor personnel as a potential attack source
- Need to be concerned with both inside & outside attack
- Difficulty in identifying a control system cyber incident as a malicious attack and retaking control of a "hijacked" system
- A determined, knowledgeable adversary could potentially defeat most controls
- Structured defence-in-depth security is best

21 Abrams / Weiss Political Conclusions
- Public and private sector enterprises today are highly dependent on information systems to carry out their missions and business functions
- Developments in embedded systems have seen these traditionally closed systems become open and internet-connected, thus putting the national services critical infrastructure at risk
- To achieve mission and business success, enterprise information systems must be dependable in the face of serious cyber threats
- To achieve information system dependability, the systems must be appropriately protected
- To be discussed: Do you agree with these statements?

