
Phil Cooke Battlespace Management - Safety Policy Royal Air Force


1 Threats to Software Security Integrated with the Safety Planning Process
Phil Cooke, Battlespace Management - Safety Policy, Royal Air Force

2 Contents
- Introduction
- Stuxnet – the first of many
- Latest ‘Mask’ Malware
- A Need to Do More
- Safety vs Security, Failure vs Attack
- Attack Trees and Guide Words
- Simple Case Studies
- Research

3 Safety in the Traditional Sense
- FSSE – Nature of accidents
- Flixborough 1974
- Health and Safety at Work etc Act 1974
The way in which system failures and unintended human interaction evolve to lead to an accident. There are 3 main categories: intrinsic component failures, design or development issues, or misuse. Flixborough: no works manager and no qualified mechanical engineers on site; no calculations to take into account the dog leg of the new connecting pipe; no permanent support for the bypass assembly; the explosion occurred during start-up (i.e. a special phase of operation).

4 Safety in the Traditional Sense
- FSSE – Nature of accidents
- Challenger 1986
- Leakage issue on previous flights
The way in which system failures and unintended human interaction evolve to lead to an accident. There are 3 main categories: intrinsic component failures, design or development issues, or misuse. Challenger: the program manager identified 5 different communication or organisational failures; normalisation of risk, with risk boundaries constantly being pushed back and eroding safety margins.

5 Safety in the Traditional Sense
- FSSE – Nature of accidents
- Bexley 1997
- Maintenance issues, overloading of wagons and excess speed
The way in which system failures and unintended human interaction evolve to lead to an accident. There are 3 main categories: intrinsic component failures, design or development issues, or misuse. Bexley: overloading of one or more wagons; speed in excess of that permitted; deterioration in bridge timbers due to poor maintenance activities and planning.

6 Background and Motivation
- Previous working environment
- Stuxnet virus 2009/2010
- Interest in Supervisory Control and Data Acquisition (SCADA) systems, including Programmable Logic Controllers (PLCs)
- New role working in the ATM environment
- Desire to combine knowledge of security and safety, as little exists on this subject
SCADA: computer-controlled systems that monitor and control industrial processes that exist in the physical world.

7 Stuxnet – The First (?) of Many (?)
- Virus discovered in Jun 2010, origin back in Jun 09
- Targets a very specific hardware/software configuration at Natanz, Iran – uranium reprocessing facility
- Executes by re-programming the PLC out of specified boundaries
- Virus deployed via USB pen drive on a maintenance laptop
- Duqu discovered in Sep 11, thought to be connected to Stuxnet
- Flame discovered in May 2012, thought to be connected to Stuxnet
- 4 zero-day exploits
- Very large virus payload (about 0.5Mb)
- Written in (and requires) multiple computer languages
- Digitally signed with private keys of well-known companies
- Speculation that the US and Israel were behind the code

8 Stuxnet 0.5
- Stuxnet 1.0 discovered in Jun 2010
- Variants later discovered but traced back as early as Nov 2007, with development as early as 2005
- Similar attack vector, but closed valves instead of changing the rotation speed of centrifuges
- More versions known to exist, but the code has never been recovered
- Many other SCADA systems vulnerable to attack

9 CCTV feeds are freely available which provide unrestricted access to many private feeds. It is likely that the same applies to SCADA systems if the right internet address is searched. Search engines exist which specifically look for business and industrial control systems. It is easier to keep an eye on a critical system in a far-flung place via the internet than it is to send an engineer out. Cyber attacks are within the UK’s top 4 threats to national security. RAS Gas computer systems were taken offline days after a similar attack on Aramco (Aug 12). Saudi Arabia’s national oil company was attacked by the Shamoon virus, which targets energy sector infrastructure (Aug 12).

10 Mask Malware Aimed at Gov’ts and Finance Firms
- Probably created by a nation state
- Reported by Kaspersky/BBC Technology website on 11 Feb 2014
- Involved in cyber espionage operations since at least 2007
- Ahead of Duqu in terms of sophistication
- Is this just the tip of the iceberg?
Mask taken from the Spanish word Careto found inside the code. Evidence leads to Spanish hackers, though this could be a red herring. Targets unpatched, earlier versions of Kaspersky’s anti-malware tools. Sophisticated malware: rootkits, bootkits, Mac OS X, Linux and possibly Android and iOS versions as well.

11 How Skilled Do You Need To Be?

12 A Need to Do More
- Security and safety need to be considered as a unity of specialisations and not just bolt-ons to each other
- Similarities with safety a number of years ago?
- Develop a methodology to integrate security aspects into the safety analysis process
- Cross-domain applicability
- Ability to apply at any stage of the safety lifecycle to capture legacy projects

13 Safety vs Security, Failure vs Attack
- Systems need to operate in a safe manner
- Systems need to be maintainable by many different and disparate parties
- Systems need to fail safe
- Systems need to be resilient and resistant to attack
Safe: designed so hazards are minimised and risk is ALARP. Open architecture; single-point encryption not practical. Failure modes need to be considerate of the user or surroundings. Resistant: prevent attack. Resilient: in the face of attack, minimise impact.

14 What Previously Existed
- Security processes or tools
- Casals et al, 2012: 6-step process
- 1st 3 steps considered and developed: context establishment, preliminary risk assessment, vulnerability assessment
The Casals paper introduced a quantitative risk assessment methodology for aircraft networked systems that could be adapted to different points of view, e.g. at an aircraft level or at a systems level.

15 What Previously Existed
- Attack trees: Schneier, 1999
- Used within the US DoD Defense Acquisition Guidebook (US DoD 2012)
- A simple example is an activity such as trying to open or break into a safe
- Helpful to have guide words to assist in the process
Fault trees have been used to determine probability calculations for system-level failures or other unwanted functions or outcomes. Software by its definition cannot fail, so fault tree analysis can’t be performed on software. Bruce Schneier first proposed the use of attack trees in 1999 as a useful tool to visualise the issue of computer security vulnerabilities; they are a manner of describing the actions required for an attack to propagate through a system or process. Every attack goal is used as the basis for an attack tree.

16 This can be further developed or mirrored into breaking into a password protected device.
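The slides describe attack trees in outline only. The following is an added example, not code from the presentation or from Schneier; it implements the AND/OR evaluation of an attack tree in Python using Schneier's well-known "open safe" example as the tree, and annotates each leaf with the High/Medium/Low attacker-capability grades the presentation later uses in its ERTMS context establishment. The possible/impossible flags and grades on the leaves are constructed for illustration. It enumerates the feasible attack scenarios (the minimal sets of leaf actions that reach the goal), ranks them by the capability they demand, and lets an analyst model a countermeasure by marking a leaf impossible and re-evaluating, which is the part of the method a safety engineer would reuse when deciding which branch to mitigate first.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple

# Attacker capability grades as used in the presentation's ERTMS context
# establishment (High / Medium / Low); a higher number means more is needed.
CAPABILITY = {"Low": 0, "Medium": 1, "High": 2}
GRADE = {v: k for k, v in CAPABILITY.items()}


@dataclass
class Node:
    """One node of an attack tree. A leaf carries a capability grade and a
    possible/impossible flag (Schneier's P/I annotation); an interior node
    combines its children with an AND or OR gate."""
    name: str
    gate: Optional[str] = None                 # "AND", "OR" or None (leaf)
    children: List["Node"] = field(default_factory=list)
    capability: str = "Low"                    # leaf only
    possible: bool = True                      # leaf only


def leaves(tree: Node) -> Dict[str, Node]:
    """Map leaf name -> leaf node for the whole tree."""
    if tree.gate is None:
        return {tree.name: tree}
    out: Dict[str, Node] = {}
    for child in tree.children:
        out.update(leaves(child))
    return out


def attack_scenarios(node: Node) -> List[List[str]]:
    """Enumerate the minimal sets of leaf actions that achieve the node's goal.
    OR: union of the children's scenarios. AND: one scenario from every child,
    merged. An impossible leaf contributes nothing, so an AND branch that
    needs one disappears entirely."""
    if node.gate is None:
        return [[node.name]] if node.possible else []
    child_sets = [attack_scenarios(c) for c in node.children]
    if node.gate == "OR":
        return [s for sets in child_sets for s in sets]
    if node.gate == "AND":
        if any(not sets for sets in child_sets):
            return []
        return [sorted(set(sum(combo, []))) for combo in product(*child_sets)]
    raise ValueError(f"unknown gate {node.gate!r}")


def scenario_grade(tree: Node, scenario: List[str]) -> str:
    """A scenario is as demanding as its most demanding leaf."""
    lv = leaves(tree)
    return GRADE[max(CAPABILITY[lv[a].capability] for a in scenario)]


def required_capability(tree: Node) -> Optional[str]:
    """Lowest attacker grade that still achieves the root goal, or None when
    no feasible scenario remains."""
    scenarios = attack_scenarios(tree)
    if not scenarios:
        return None
    return GRADE[min(CAPABILITY[scenario_grade(tree, s)] for s in scenarios)]


def ranked_scenarios(tree: Node) -> List[Tuple[str, List[str]]]:
    """Feasible scenarios, least demanding first: the mitigation priority list."""
    ranked = [(scenario_grade(tree, s), s) for s in attack_scenarios(tree)]
    return sorted(ranked, key=lambda gs: (CAPABILITY[gs[0]], gs[1]))


def mitigate(tree: Node, leaf_name: str) -> Optional[str]:
    """Model a countermeasure by marking a leaf impossible and return the new
    required capability, so the effect of the control can be compared."""
    leaves(tree)[leaf_name].possible = False
    return required_capability(tree)


def build_safe_tree() -> Node:
    """Schneier's 'open safe' example; grades and P/I flags are constructed."""
    def leaf(name: str, cap: str, ok: bool = True) -> Node:
        return Node(name, capability=cap, possible=ok)
    eavesdrop = Node("Eavesdrop", "AND", [
        leaf("Listen to conversation", "Medium"),
        leaf("Get target to state combo", "Low", ok=False),
    ])
    get_combo = Node("Get combo from target", "OR", [
        leaf("Threaten", "Low", ok=False),
        leaf("Blackmail", "Medium", ok=False),
        leaf("Bribe", "Low"),
        eavesdrop,
    ])
    learn_combo = Node("Learn combo", "OR", [leaf("Find written combo", "Low"), get_combo])
    return Node("Open safe", "OR", [
        leaf("Pick lock", "High", ok=False),
        learn_combo,
        leaf("Cut open safe", "High"),
        leaf("Install improperly", "Medium", ok=False),
    ])


if __name__ == "__main__":
    tree = build_safe_tree()
    for grade, scenario in ranked_scenarios(tree):
        print(grade, scenario)
    print("required capability:", required_capability(tree))
    print("after removing written combos:", mitigate(tree, "Find written combo"))
    print("after also removing bribery:", mitigate(tree, "Bribe"))
```

The OR/AND rules are the same ones Schneier describes for propagating leaf values up the tree; using "minimum capability over OR, maximum over AND" rather than cost keeps the output in the same High/Medium/Low vocabulary the presentation uses for attacker capability, and the ranked list is what turns the tree into a mitigation priority rather than just a picture.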



19 Guide (Threat) Words
- Prof McDermott; Opdahl and Sindre
- Art rather than a science
- Opdahl and Sindre: brainstorming activity
- Use a process similar to FHA
- SHARD guidewords: Omission, Commission, Early, Late, Value
- Look for threat words rather than guide words: Configuration, Authentication, Jamming, Replay, Lifecycle (learning)
Prof McDermott (James Madison University, Virginia) proposed that encyclopaedic knowledge was required. Opdahl and Sindre: University of Bergen, Norway. FHA: (S)FFA, (C)HAZOP, SHARD, SNEAK.

20 Methodology Development
- Context establishment
- Preliminary risk assessment
- Vulnerability assessment

21 Case Study 1 – Implantable Medical Device
- Devices able to administer medication at varying rates
- Read the patient’s state and report back to a physician
- Remote diagnostic/treatment
- Implantable Cardiac Defibrillators (ICDs)
- Drug delivery systems (e.g. insulin pumps)
- Neurostimulators (e.g. for Parkinson’s disease)
- Million US citizens relied on IMDs in one way or another

22 Context Establishment
- Considers IMDs in general, no FTA
- Threat words: Access, Identification or Privacy, Configuration, Authorisation, Availability, Distance, Frequency, Safety
Access – easily accessible for those who need it but difficult for those who don’t. Paramedics first on scene, hospital staff, foreign hospital staff. Confidentiality issues.
Identification or Privacy – if the person is incapacitated, they need a method of communicating the fact that they have an IMD in order that no contra-medication is prescribed. The person may not wish others to know of the device due to social stigma, the possibility of increasing the likelihood of attack, or because it may identify an expensive medical device and make the person open to theft.
Configuration – only those authorised to modify the configuration should be able to; this suggests some form of authentication or authorisation. Changes in configuration could affect dose rates or the frequency of medication/sensing.
Authorisation – many advanced IMDs may have several categories of personnel that are able to access the device, e.g. the patient’s doctor, paramedics, device programmers etc. It may have a ‘holiday’ mode where security is degraded in return for easier access by non-specialist staff for emergency reasons. It then becomes a risk trade-off as to which aspect presents the greatest risk to the patient.
Availability – due to the invasiveness of surgery, many IMDs have batteries which last for many years. A repeated attack on the device could deplete the battery power significantly such that the life of the IMD is reduced, leading to greater risk with future surgery.
Distance – many IMDs use the Medical Implant Communications Service (MICS), which is a short-range communication service, typically several cms up to 5m maximum. Increased range could give greater freedom (e.g. from a home portal) but an increased security risk.
Frequency – the MICS frequency band is shared on a secondary basis with meteorological balloons (primary users). It may be possible to block, interfere with or otherwise affect the MICS transmissions.
Safety – it may be considered unusual to have Safety as a guide or threat word, but if the device is attacked there needs to be a fail-safe mode that the device can go into; however, there also need to be anti-tamper mechanisms such that the device can’t be fooled into thinking there is an emergency. Parallels can be drawn with car air bags, where it was discovered that in some models, once the air bags had deployed, the doors would unlock – essential in a crash. Thieves would hit the front of the car, setting off the air bags and thus unlocking the car, making it easier to steal.

23 Context Establishment
- Define initial security context: passive, active or coordinated adversaries; insider attack
- Active adversary attack tree
Whilst the actual attack is not defined, the possible types of attack are: considering an active attacker, their aim may be to send malicious data or just to disturb or disrupt the device with false data, a DoS attack.

24 Preliminary Risk Assessment
- Identify primary assets: IMD, programming devices, management devices
- Identify threats to security: from research, encryption is not used between IMDs and supporting equipment; however, the signalling format could be spoofed, allowing unauthorised transmissions to be sent. Devices transmit when a magnet is placed nearby. Device programmable or readable 24 hrs per day?
- Define scenarios affecting safety: patient entering a treatment room in a non-local environment; important or influential figure fitted with an IMD; organised crime gangs seeking to steal the device
Primary assets: software radio – GSM base station, 591SU, Ettus Research, £1000. Scenarios affecting safety: body parts are traded, so why not IMDs? Black market in drugs and pharmaceuticals. Dick Cheney was 46th Vice President of USA from 24

25 Preliminary Risk Assessment
Patient in a non-local environment

26 Preliminary Risk Assessment
- Establish likelihood of occurrence
- As of 2012, no evidence could be found regarding attacks on IMDs
- Kramer et al, 2012, state “there are no known case reports of malevolent interference that specifically target medical device function”
Medical organisations may have a vested interest in keeping such events out of the public eye. Imagine the concern if it was publicly announced that a particular type of IMD was susceptible to attack. We’ve seen the news about breast implants where even those who did not have the particular make of implant still wanted theirs removed or changed.

27 Preliminary Risk Assessment
- Severity of outcome
- Worst case is death
- Least is possible early failure of the device
- Most devices last 5-7 years, so replacement is always assumed necessary at some future point
- Function not provided
- Function provided when not required

28 Vulnerability Assessment
- Identify vulnerable assets: IMD and supporting equipment
- Identify vulnerabilities: replay attack, electromagnetic interference, malware on the supporting PC, DoS attack
- Develop attacks using attack trees
For this case, it was assumed that the necessary receiving, transmitting or computer equipment was available. It is widely publicised that attacks are possible in ‘laboratory’ conditions, so the requirement to prove this for a practical situation is taken as given. Malware: correct program reported but incorrect program running (Stuxnet).

29 Evaluation and Further Work
- IMD use and proliferation is growing
- Technology is outpacing security, not safety
- Possibly security through ambiguity
- Stuxnet was directed at 2 specific targets worldwide
- IMDs must have high security but ease of access
- Consider a dual approach: threat in one direction, vulnerability in the other

30 Case Study 2 – European Railway Traffic Management System (ERTMS)
The ERTMS aims to replace the many different national train control and command systems in Europe with a standardised system. The system relies upon the GSM networks. A full and complete security audit was performed on the ERTMS and, in précis, it:
- Considered the specs from a safety perspective and derived safety requirements for technical interoperations
- Considered the context in which ERTMS operates and its trust relationships with other systems
- Investigated both top-down and bottom-up approaches
- Devised and graded attack scenarios

31 Context Establishment
System description available from ERTMS web page

32 Context Establishment
Define threat words:
- Location: balise position; cuttings, tunnels, shadowing by other trains; GPS used as a backup when GSM is lost?
- Access: data – the system uses cryptography and all users have the same key; data – GSM-R: handsets authenticate with the network but not vice versa; physical – some data is entered locally
- Identification: each train has a unique identity – spoofing? Balises are not physically protected; a GSM repeater could be spoofed and information extracted

33 Context Establishment
Define threat words:
- Authorisation: can the driver override some or all aspects? How is this recorded? If GSM-R is the sole source of authorisation, what happens in an outage?
- Jamming: passenger using a small GSM jamming device – what effect on ERTMS? What precedence is given to GSM-R traffic?
- Etc etc

34 Context Establishment
Define initial security context:
- What could be gained from attacking the system? Attack on national and international infrastructure – terrorist attack at a major sporting or political event? Financial, reputational harm
- How could the system be attacked? Many different aspects of the system could be attacked
- What capabilities would the attacker need? High – specialist in the field; Medium – requires ability to analyse the system specification and engineer an attack; Low – requires no specialist knowledge

35 Context Establishment
Develop Attack Trees

36 Preliminary Risk Assessment
Identify primary assets:
- European Train Control System (ETCS)
- GSM-R – railway-specific system built upon GSM standards
- ETCS onboard
- Trackside balises
- Radio comms system (GSM-R)
- Radio Block Centres – issue movement authorisations to trains

37 Preliminary Risk Assessment
- Identify threats to security: 93-page report written on the “ERTMS Specification Security Audit Analysis of Attack Scenarios”, 29 July 2011
- Balise location considered for the remainder of the case study
- Uses standard transmission protocol
- Position or positional data could be affected
- Metallic structures affecting balise signal performance
Balise: it may be possible to obtain a balise from elsewhere and program it with ETCS data; the programmer is handheld and placed close to the balise. If false data is sent, the train may receive false data, fail to interpret it and go into failsafe mode, possibly applying the brakes and causing a denial of service attack. Publicly available documentation from the Polish Office of Rail Transportation articulates the 3-dimensional space around a balise where conductors must not be placed (The Office of Rail Transportation, 2012). It may therefore be possible for an attacker to hide a loop aerial within this space with the intent of either trying to receive the transmission from the train and the subsequent balise reply, or simply to prevent or disrupt the balise from receiving the train’s interrogation request.

38 Preliminary Risk Assessment
- Define scenarios affecting safety: reputational/financial attack by an active aggressor but with limited technical knowledge of the system; a balise is moved closer to or further away from its neighbour, thus changing the reported position of the train or causing an error signal to be generated
- Establish likelihood of occurrence: hard to estimate without greater technical knowledge of the system; may need several balises to be moved to generate an accumulative error; may be rejected by the system as a valid balise, therefore the main attack method may have failed but a second-order outcome could be experienced

39 Preliminary Risk Assessment
- Define severity of outcome: also hard to estimate without greater system knowledge
Train movements would be scheduled to allow for the greatest traffic flow but with sufficient time between trains for safety reasons, similar to airport arrival and departure traffic. Positional errors would need to be evaluated for different areas. Busy junctions (Clapham Junction) would work with a smaller error than a remote location with a low density of points.

40 Preliminary Risk Assessment

41 Vulnerability Assessment
- Identify vulnerable assets: a large proportion of the system relies on assets outside the control or standards of the ERTMS; GSM-R may be adaptable but GSM unlikely; balise and programming device; driver (always has positive control); network infrastructure
- Remember the O2 outage in 2012 where some users were affected but not others?
- Identify vulnerabilities: network outages

42 Vulnerability Assessment
GSM-R Outage Vulnerability

43 Evaluation and Further Work
- 3 aspects considered in context evaluation: Why, How, What
- Full set: Why, How, What, Where, When, Who
- Generation of a threat word taxonomy
- External systems are vital to the operation of the system, yet limited control or authority is available
- Partial failures must be considered (O2 outage)

44 References
ANONYMISED (2010). Information security audit of ERTMS. Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders.
ANONYMISED (2011). ERTMS specification security audit – Analysis of attack scenarios. Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders.
Casals, S., Owezarski, P. and Descargues, G. (2012). Risk assessment for airworthiness security. Safecomp 2012 [Online]. Available at: Risk_Assessment_for_Airworthiness_Security_8p_.pdf [Accessed 12 June 2012].
Falliere, N., O Murchu, L. and Chien, E. (2011). W32.Stuxnet dossier. [Online] Symantec Security Response, February. Available at: media/security_response/whitepapers/w32_stuxnet_dossier.pdf [Accessed 22 February 2012].
Kramer, D., Baker, M., Ransford, B., Molina-Markham, A., Stewart, Q., Fu, K. and Reynolds, M. (2012). Security and privacy qualities of medical devices: An analysis of FDA postmarket surveillance. PLoS One, 7(7), e doi: /journal.pone
McDermott, J. (2000). Attack net penetration testing. New Security Paradigms Workshop 2000.
McDonald, G., Murchu, L., Doherty, S. and Chien, E. (2013). Stuxnet 0.5: The Missing Link. [Online] Symantec Security Response, February. Available at: security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf [Accessed 20 February 2014].
Opdahl, A. and Sindre, G. (2008). Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology, 51(5).
Schneier, B. (1999). Attack Trees. [Online]. Dr Dobb's Journal, December. Available at: [Accessed 1 July 2012].
US DoD (2012). Defense Acquisition Guidebook. [Online]. Available at: DefenseAcquisitionGuidebook.pdf [Accessed 1 July 2012].
