Presentation transcript: Phil Cooke, Battlespace Management - Safety Policy, Royal Air Force
1 Threats to Software Security Integrated with the Safety Planning Process
Phil Cooke, Battlespace Management - Safety Policy, Royal Air Force
2 Contents
Introduction
Stuxnet – the first of many
Latest 'Mask' malware
A need to do more
Safety vs security, failure vs attack
Attack trees and guide words
Simple case studies
Research
3 Safety in the Traditional Sense
FSSE – nature of accidents
Flixborough 1974
Health and Safety at Work etc. Act 1974

The way in which system failures and unintended human interaction evolve to lead to an accident. There are three main categories: intrinsic component failures, design or development issues, or misuse.
Flixborough – no works manager and no qualified mechanical engineers on site. No calculations to take into account the dog leg of the new connecting pipe. No permanent support for the bypass assembly. The explosion occurred during start-up (i.e. a special phase of operation).
4 Safety in the Traditional Sense
FSSE – nature of accidents
Challenger 1986
Leakage issue on previous flights

Challenger – the programme manager identified five different communication or organisational failures. Normalisation of risk: risk boundaries constantly being pushed back, eroding safety margins.
5 Safety in the Traditional Sense
FSSE – nature of accidents
Bexley 1997
Maintenance issues, overloading of wagons and excess speed

Bexley – overloading of one or more wagons; speed in excess of that permitted; deterioration in bridge timbers due to poor maintenance activities and planning.
6 Background and Motivation
Previous working environment
Stuxnet virus 2009/2010
Interest in Supervisory Control and Data Acquisition (SCADA) systems including Programmable Logic Controllers (PLCs)
New role working in the ATM environment
Desire to combine knowledge of security and safety, as little exists on this subject

SCADA – computer-controlled systems that monitor and control industrial processes that exist in the physical world.
7 Stuxnet – The First (?) of Many (?)
Malware (a worm, though widely called a virus) discovered in Jun 2010; earliest known samples date back to Jun 2009
Targets a very specific hardware/software configuration at Natanz, Iran – a uranium enrichment facility
Executes by re-programming the PLCs so that they drive the process outside its specified boundaries, while reporting normal values to the operators
Deployed via USB pen drive, e.g. on a maintenance laptop
Duqu, discovered in Sep 2011, thought to be connected to Stuxnet
Flame, discovered in May 2012, thought to be connected to Stuxnet
Four zero-day exploits
Very large payload (about 0.5 MB)
Written in (and requires) multiple computer languages
Drivers digitally signed with private keys stolen from well-known companies
Speculation that the US and Israel were behind the code
8 Stuxnet 0.5
Stuxnet 1.0 discovered in Jun 2010
Variants later discovered and traced back as early as Nov 2007, with development possibly as early as 2005
Similar attack vector, but closed valves (over-pressurising the centrifuges) instead of changing the rotation speed of the centrifuges
More versions known to exist but the code has never been recovered
Many other SCADA systems vulnerable to attack
9 (speaker notes)
CCTV feeds are freely available online and provide unrestricted access to many private feeds. It is likely that the same applies to SCADA systems if the right internet address is searched: search engines exist that specifically look for business and industrial control systems. It is easier to keep an eye on a critical system in a far-flung place via the internet than it is to send an engineer out.
Cyber attacks are within the UK's top four threats to national security.
RasGas computer systems were taken offline days after a similar attack on Saudi Aramco (Aug 2012).
Saudi Arabia's national oil company was attacked by the Shamoon virus, which targets energy sector infrastructure (Aug 2012).
10 Mask Malware
Aimed at governments and finance firms
Probably created by a nation state
Reported by Kaspersky / BBC Technology website on 11 Feb 2014
Involved in cyber espionage operations since at least 2007
Ahead of Duqu in terms of sophistication
Is this just the tip of the iceberg?

Name taken from the Spanish word "Careto" (mask) found inside the code. Evidence points to Spanish-speaking authors, though this could be a red herring. Exploits a vulnerability in unpatched, earlier versions of Kaspersky's anti-malware products to evade detection. Sophisticated malware: rootkits, bootkits, Mac OS X and Linux versions, and possibly Android and iOS versions as well.
12 A Need to Do More
Security and safety need to be considered as a unity of specialisations and not just bolt-ons to each other
Similarities with safety a number of years ago?
Develop a methodology to integrate security aspects into the safety analysis process
Cross-domain applicability
Ability to apply at any stage of the safety lifecycle, to capture legacy projects
13 Safety vs Security, Failure vs Attack
Systems need to operate in a safe manner
Systems need to be maintainable by many different and disparate parties
Systems need to fail safe
Systems need to be resilient and resistant to attack

Safe – designed so that hazards are minimised and risk is ALARP (as low as reasonably practicable). Open architecture: a single point of encryption is not practical. Failure modes need to be considerate of the user or surroundings. Resistant – prevent the attack. Resilient – in the face of attack, minimise the impact.
14 What Previously Existed – Security Processes or Tools
Casals et al., 2012
Six-step process
First three steps considered and developed:
Context establishment
Preliminary risk assessment
Vulnerability assessment

The Casals paper introduced a quantitative risk assessment methodology for aircraft networked systems that could be adapted to different points of view, e.g. at an aircraft level or at a systems level.
15 What Previously Existed – Attack Trees
Schneier, 1999
Used within the US DoD Defense Acquisition Guidebook (US DoD, 2012)
A simple example is an activity such as trying to open or break into a safe
Helpful to have guide words to assist in the process

Fault trees have been used to determine probability calculations for system-level failures or other unwanted functions or outcomes. Software does not wear out or fail randomly in the way a hardware component does; its failures are systematic design defects, so classical probabilistic fault tree analysis cannot be applied directly to software. Bruce Schneier first proposed attack trees in 1999 as a tool to visualise computer security vulnerabilities; they describe the actions required for an attack to propagate through a system or process. Every attack goal is the root of its own attack tree: an OR node is achieved by any one of its children, an AND node only by all of them, and leaves can be annotated with cost or with possible/impossible.
16 This can be further developed or mirrored into breaking into a password-protected device.
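The attack-tree evaluation described above, written out as an added example (this is not code from the presentation; the safe tree loosely follows Schneier's 1999 example, and all costs and possible/impossible flags, and the whole password-protected device tree, are illustrative figures chosen here). OR nodes collect the attacks of their children, AND nodes combine one attack from each child, and an impossible leaf under an AND node kills that branch; the cheapest feasible attack and the set of attacks within a given budget then fall out of the same enumeration:

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Attack = Tuple[float, List[str]]  # (total cost to the attacker, leaf actions used)


@dataclass
class Node:
    """One node of an attack tree. kind is "LEAF", "OR" or "AND"."""
    name: str
    kind: str = "OR"
    cost: float = 0.0        # leaf only: cost (illustrative pounds) of carrying out the action
    possible: bool = True    # leaf only: Schneier's possible/impossible annotation
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: float, possible: bool = True) -> Node:
    return Node(name, "LEAF", cost, possible)


def attack_sets(node: Node) -> List[Attack]:
    """Enumerate every feasible way of achieving the node's goal.

    A LEAF is one attack if it is possible. An OR node is achieved by any one
    child, so its attacks are the union of its children's. An AND node needs
    every child, so its attacks are combinations of one attack per child, and
    one infeasible child makes the whole branch infeasible (empty list).
    """
    if node.kind == "LEAF":
        return [(node.cost, [node.name])] if node.possible else []
    if node.kind == "OR":
        return [a for child in node.children for a in attack_sets(child)]
    if node.kind == "AND":
        combos: List[Attack] = [(0.0, [])]
        for child in node.children:
            combos = [(c + cc, steps + cs)
                      for c, steps in combos
                      for cc, cs in attack_sets(child)]
        return combos
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest(node: Node) -> Optional[Attack]:
    """Cheapest feasible attack on the goal, or None if the goal is unreachable."""
    attacks = attack_sets(node)
    return min(attacks, key=lambda a: a[0]) if attacks else None


def within_budget(node: Node, budget: float) -> List[Attack]:
    """Attacks an adversary with the given budget could afford, cheapest first."""
    return sorted((a for a in attack_sets(node) if a[0] <= budget), key=lambda a: a[0])


def safe_tree() -> Node:
    """Goal: open a safe. Structure after Schneier's example; figures are illustrative."""
    eavesdrop = Node("Eavesdrop on combination", "AND", children=[
        leaf("Listen to conversation", 20),
        leaf("Get target to state combination", 40, possible=False),
    ])
    from_target = Node("Get combination from target", "OR", children=[
        leaf("Threaten", 60), leaf("Blackmail", 100), eavesdrop, leaf("Bribe", 20),
    ])
    learn = Node("Learn combination", "OR", children=[
        leaf("Find written combination", 75), from_target,
    ])
    return Node("Open safe", "OR", children=[
        leaf("Pick lock", 30, possible=False),
        learn,
        leaf("Cut open safe", 10_000),
        leaf("Install improperly", 100, possible=False),
    ])


def device_tree() -> Node:
    """The same structure mirrored onto a password-protected device (hypothetical figures)."""
    offline_crack = Node("Offline brute force", "AND", children=[
        leaf("Obtain password hash", 200), leaf("Crack hash", 50),
    ])
    return Node("Log in to password-protected device", "OR", children=[
        leaf("Guess default password", 5),
        leaf("Phish user for password", 40),
        leaf("Read password from note on device", 10, possible=False),
        offline_crack,
    ])


if __name__ == "__main__":
    for tree in (safe_tree(), device_tree()):
        print(tree.name)
        for cost, steps in within_budget(tree, 100):
            print(f"  {cost:>7.0f}  {' + '.join(steps)}")
        print("  cheapest:", cheapest(tree))
```

The point of the enumeration is the budget view rather than the single cheapest path: the safe's "eavesdrop" branch never appears because one of its AND children is marked impossible, and raising the cost of the "Bribe" leaf (a countermeasure) immediately changes which leaf an attacker with £100 would take, which is the question the guide-word brainstorm on the following slides is meant to feed.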
19 Guide (Threat) Words
Prof McDermott
Opdahl and Sindre
Art rather than a science
Brainstorming activity
Use a process similar to FHA
SHARD guide words – Omission, Commission, Early, Late, Value
Look for threat words rather than guide words
Configuration, Authentication, Jamming, Replay, Lifecycle (learning)

McDermott (James Madison University, Virginia) proposed that encyclopaedic knowledge was required. Opdahl and Sindre: University of Bergen, Norway. FHA – (S)FFA, (C)HAZOP, SHARD, SNEAK.
20 Methodology Development
Context establishment
Preliminary risk assessment
Vulnerability assessment
21 Case Study 1 – Implantable Medical Device
Devices able to administer medication at varying rates
Read the patient's state and report back to a physician
Remote diagnostic/treatment
Implantable Cardiac Defibrillators (ICDs)
Drug delivery systems (e.g. insulin pumps)
Neurostimulators (e.g. for Parkinson's disease)
Millions of US citizens rely on IMDs in one way or another
22 Context Establishment
Considers IMDs in general, no FTA
Threat words:
Access
Identification or Privacy
Configuration
Authorisation
Availability
Distance
Frequency
Safety

Access – easily accessible for those who need it but difficult for those who don't: paramedics first on scene, hospital staff, foreign hospital staff. Confidentiality issues.
Identification or Privacy – if the person is incapacitated, they need a method of communicating the fact that they have an IMD so that no contra-indicated medication is prescribed. The person may not wish others to know of the device due to social stigma, the possibility of increasing the likelihood of attack, or because it identifies an expensive medical device and makes the person open to theft.
Configuration – only those authorised to modify the configuration should be able to; this implies some form of authentication and authorisation. Changes in configuration could affect dose rates or the frequency of medication/sensing.
Authorisation – many advanced IMDs may have several categories of personnel able to access the device, e.g. the patient's doctor, paramedics, device programmers. It may have a 'holiday' mode where security is degraded in return for easier access by non-specialist staff for emergency reasons. It then becomes a risk trade-off as to which aspect presents the greatest risk to the patient.
Availability – due to the invasiveness of surgery, many IMDs have batteries that last for many years. A repeated attack on the device (e.g. forcing it to wake and respond to unauthenticated requests) could deplete the battery significantly, reducing the life of the IMD and leading to greater risk from earlier replacement surgery.
Distance – many IMDs use the Medical Implant Communications Service (MICS), a short-range service typically operating over several centimetres up to a maximum of about 5 m. Increased range could give greater freedom (e.g. a home portal) but an increased security risk.
Frequency – the MICS band is shared on a secondary basis with meteorological aids such as weather balloons (the primary users). It may be possible to block, interfere with or otherwise affect MICS transmissions.
Safety – Safety may seem an unusual guide or threat word, but if the device is attacked there needs to be a fail-safe mode that the device can go into; however there also need to be anti-tamper mechanisms so that the device can't be fooled into thinking there is an emergency. Parallels can be drawn with car airbags: in some models, once the airbags had deployed, the doors would unlock, essential in a crash. Thieves would hit the front of the car, setting off the airbags and thus unlocking the car, making it easier to steal.
23 Context Establishment – Define Initial Security Context
Passive, active or coordinated adversaries; insider attack
Active adversary attack tree

Whilst the actual attack is not defined, the possible types of attack are: considering an active attacker, their aim may be to send malicious data, or just to disturb or disrupt the device with false data (a DoS attack).
24 Preliminary Risk Assessment
Identify primary assets
IMD, programming devices, management devices
Identify threats to security
From research, encryption is not used between IMDs and supporting equipment; the signalling format could be spoofed, allowing unauthorised transmissions to be sent
Devices transmit when a magnet is placed nearby
Device programmable or readable 24 hrs per day?
Define scenarios affecting safety
Patient entering a treatment room in a non-local environment
Important or influential figure fitted with an IMD
Organised crime gangs seeking to steal the device

Primary assets: software radio – GSM base station, 591SU, Ettus Research, about £1000. Scenarios affecting safety: body parts are traded, so why not IMDs? There is a black market in drugs and pharmaceuticals. Dick Cheney was 46th Vice President of the USA (2001–2009).
25 Preliminary Risk Assessment Patient in a non-local environment
26 Preliminary Risk Assessment – Establish Likelihood of Occurrence
As of 2012, no evidence could be found regarding attacks on IMDs
Kramer et al. (2012) state: "there are no known case reports of malevolent interference that specifically target medical device function"

Medical organisations may have a vested interest in keeping such events out of the public eye. Imagine the concern if it were publicly announced that a particular type of IMD was susceptible to attack. We've seen the news about breast implants where even those who did not have the particular make of implant still wanted theirs removed or changed.
27 Preliminary Risk Assessment – Severity of Outcome
Worst case is death
Least is possible early failure of the device
Most devices last 5–7 years, so replacement is always assumed necessary at some future point
Function not provided
Function provided when not required
28 Vulnerability Assessment
Identify vulnerable assets
IMD and supporting equipment
Identify vulnerabilities
Replay attack
Electromagnetic interference
Malware on supporting PC
DoS attack
Develop attacks using attack trees

For this case it was assumed that the necessary receiving, transmitting or computer equipment was available. It is widely publicised that attacks are possible in 'laboratory' conditions, so the requirement to prove this for a practical situation is taken as given. Malware – the correct program is reported but an incorrect program is running, as with Stuxnet.
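The replay attack listed above, and the observation on the previous slides that no encryption or authentication is used between IMDs and their supporting equipment, can be shown side by side in an added example (not code from the presentation and not any real device's protocol; the `SET_RATE:<value>` command format, the HMAC-SHA256 challenge-response design and the demo key are assumptions made here). The first device executes any well-formed frame, so a frame captured by a software radio works again later; the second only executes a frame that answers the single-use nonce it issued, so the captured frame and an unkeyed forgery are both rejected:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN = 16   # bytes of challenge issued by the implant
TAG_LEN = 32     # HMAC-SHA256 output


def apply_command(device, body: bytes) -> bool:
    """Shared command parser for both device models (hypothetical 'SET_RATE:<units/h>' format)."""
    cmd, _, value = body.partition(b":")
    if cmd != b"SET_RATE":
        return False
    device.dose_rate = float(value.decode("ascii"))
    return True


class NaiveIMD:
    """Unauthenticated channel: any well-formed frame is executed, captured or not."""

    def __init__(self) -> None:
        self.dose_rate = 1.0

    def receive(self, frame: bytes) -> bool:
        return apply_command(self, frame)


class AuthenticatedIMD:
    """Challenge-response channel: a command is only executed if it carries a valid
    HMAC over (nonce || command), where the nonce is the single-use challenge this
    device issued most recently. A recorded frame therefore cannot be replayed."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.dose_rate = 1.0
        self.outstanding: Optional[bytes] = None   # nonce awaiting a response
        self.rejected = 0                          # count for battery-depletion monitoring

    def challenge(self) -> bytes:
        self.outstanding = os.urandom(NONCE_LEN)
        return self.outstanding

    def receive(self, frame: bytes) -> bool:
        if len(frame) < NONCE_LEN + TAG_LEN or self.outstanding is None:
            self.rejected += 1
            return False
        nonce, body, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        # Constant-time compare; a stale nonce fails here just as a forged tag does.
        if nonce != self.outstanding or not hmac.compare_digest(tag, expected):
            self.rejected += 1
            return False
        self.outstanding = None   # each challenge answers exactly one command
        return apply_command(self, body)


def programmer_frame(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """What the legitimate programmer sends in reply to a challenge."""
    tag = hmac.new(key, nonce + command, hashlib.sha256).digest()
    return nonce + command + tag


def naive_replay_demo() -> Tuple[bool, float]:
    """Record the physician's frame, replay it later: accepted and the dose changes."""
    imd = NaiveIMD()
    captured = b"SET_RATE:5.0"      # constructed sample frame, as an attacker's radio would log it
    imd.receive(captured)
    imd.dose_rate = 1.0             # physician later restores the normal rate
    return imd.receive(captured), imd.dose_rate


def authenticated_replay_demo(key: bytes = b"constructed-demo-key") -> Tuple[bool, bool, bool, float, int]:
    """The same attack against the challenge-response device."""
    imd = AuthenticatedIMD(key)
    captured = programmer_frame(key, imd.challenge(), b"SET_RATE:5.0")
    first = imd.receive(captured)                   # legitimate session: accepted
    imd.dose_rate = 1.0
    fresh = imd.challenge()                         # attacker starts a new session
    replayed = imd.receive(captured)                # old nonce: rejected
    forged = imd.receive(fresh + b"SET_RATE:9.0" + bytes(TAG_LEN))  # no key: bad tag
    return first, replayed, forged, imd.dose_rate, imd.rejected


if __name__ == "__main__":
    print("naive:", naive_replay_demo())
    print("authenticated:", authenticated_replay_demo())
```

Two of the threat words from the context slide survive this fix unchanged: every rejected frame still costs the implant a radio wake-up and an HMAC, so the `rejected` counter is the hook for the battery-depletion (availability) concern, and the shared key still has to be reachable by a foreign hospital or a paramedic, which is the access versus authorisation trade-off the slides describe rather than something a protocol alone resolves.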
29 Evaluation and Further Work
IMD use and proliferation is growing
Technology is outpacing security, not safety
Possibly relying on security through obscurity
Stuxnet was directed at two specific targets worldwide
IMDs must have high security but ease of access
Consider a dual approach – threat in one direction, vulnerability in the other
30 Case Study 2 – European Railway Traffic Management System (ERTMS)
The ERTMS aims to replace the many different national train control and command systems in Europe with a standardised system
The system relies upon GSM networks (GSM-R)
A full and complete security audit was performed on the ERTMS; in précis:
The specs were considered from a safety perspective and safety requirements for technical interoperation were derived
Consideration of the context in which ERTMS operates and its trust relationships with other systems
Both top-down and bottom-up approaches were investigated
Attack scenarios were devised and graded
31 Context Establishment System description available from ERTMS web page
32 Context Establishment – Define Threat Words
Location
Balise position
Cuttings, tunnels, shadowing by other trains
GPS used as a backup when GSM is lost?
Access
Data – the system uses cryptography but all users have the same key
Data – GSM-R: handsets authenticate to the network but not vice versa
Physical – some data is entered locally
Identification
Each train has a unique identity – spoofing?
Balises are not physically protected
A GSM repeater could be spoofed and information extracted
33 Context Establishment – Define Threat Words (continued)
Authorisation
Can the driver override some or all aspects? How is this recorded?
If GSM-R is the sole source of authorisation, what happens in an outage?
Jamming
Passenger using a small GSM jamming device – what effect on ERTMS?
What precedence is given to GSM-R traffic?
Etc.
34 Context Establishment – Define Initial Security Context
What could be gained from attacking the system?
How could the system be attacked?
What capabilities would the attacker need?

Attack on national and international infrastructure – terrorist attack at a major sporting or political event? Financial and reputational harm. Many different aspects of the system could be attacked. Capability grading: High – specialist in the field; Medium – requires the ability to analyse the system specification and engineer an attack; Low – requires no specialist knowledge.
36 Preliminary Risk Assessment – Identify Primary Assets
European Train Control System (ETCS)
GSM-R – railway-specific system built upon GSM standards

ETCS: onboard; trackside; balises; radio communications system (GSM-R); Radio Block Centres – issue movement authorities to trains.
37 Preliminary Risk Assessment – Identify Threats to Security
93-page report written on the "ERTMS Specification Security Audit – Analysis of Attack Scenarios", 29 July 2011
Balise location considered for the remainder of the case study
Uses a standard transmission protocol
Position or positional data could be affected
Metallic structures affecting balise signal performance

Balise – it may be possible to obtain a balise from elsewhere and program it with ETCS data; the programmer is handheld and placed close to the balise. If false data is sent, the train may receive it, fail to interpret it and go into fail-safe mode, possibly applying the brakes, i.e. a denial of service attack. Publicly available documentation from the Polish Office of Rail Transportation articulates the three-dimensional space around a balise where conductors must not be placed (The Office of Rail Transportation, 2012). It may therefore be possible for an attacker to hide a loop aerial within this space with the intent of either receiving the transmission from the train and the subsequent balise reply, or simply preventing or disrupting the balise from receiving the train's interrogation request.
38 Preliminary Risk Assessment – Define Scenarios Affecting Safety
Reputational/financial attack by an active aggressor with limited technical knowledge of the system
Balise is moved closer to or further away from its neighbour, thus changing the reported position of the train or causing an error signal to be generated
Establish likelihood of occurrence
Hard to estimate without greater technical knowledge of the system
May need several balises to be moved to generate an accumulative error
May be rejected by the system as a valid balise, so the main attack method may have failed but a second-order outcome (e.g. a fail-safe brake application) could be experienced
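The two outcomes of the moved-balise scenario above, an undetected position error on one side and rejection followed by a fail-safe reaction on the other, come down to whether the onboard's linking check catches the deviation. The following is an added example, not code from the presentation or from the ERTMS specification: a deliberately simplified model of balise linking in which the onboard holds, for each expected balise group, a position and a detection window, and any group read outside that window, any group it was not told to expect, or any expected group not found once the window is passed, raises an event. The group identities, positions, the 12 m window and the "brake on any event" reaction are constructed assumptions, not the spec's real tolerances or reaction rules:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Event = Tuple[str, int, float]   # (kind, balise group id, detail in metres)


@dataclass(frozen=True)
class LinkedGroup:
    """Linking information the onboard already holds for the route ahead (hypothetical values)."""
    group_id: int
    expected_pos: float   # metres from the route reference point
    window: float         # +/- metres within which the group must be detected


@dataclass(frozen=True)
class BaliseRead:
    """A balise group telegram as the onboard saw it (constructed sample data)."""
    group_id: int
    odometer: float       # onboard position estimate when the group was read


LINKING: List[LinkedGroup] = [
    LinkedGroup(101, 1000.0, 12.0),
    LinkedGroup(102, 2000.0, 12.0),
    LinkedGroup(103, 3000.0, 12.0),
]


def check_linking(linking: List[LinkedGroup], reads: List[BaliseRead],
                  odometer_now: float) -> Tuple[List[Event], List[float]]:
    """Compare what was read against what linking said to expect.

    Returns (events, absorbed): events are deviations the onboard can detect
    (an unlinked group, a linked group read outside its window, or a linked
    group not found after its window has been passed); absorbed lists the
    within-window offsets, which the onboard silently treats as its own
    odometry error and corrects for. A balise moved by less than the window
    therefore shifts the train's position reference without raising any event.
    """
    events: List[Event] = []
    absorbed: List[float] = []
    linked_ids = {g.group_id for g in linking}
    by_id: Dict[int, List[BaliseRead]] = {}
    for r in reads:
        by_id.setdefault(r.group_id, []).append(r)
        if r.group_id not in linked_ids:
            events.append(("unlinked", r.group_id, r.odometer))
    for g in linking:
        hits = by_id.get(g.group_id, [])
        if not hits:
            if odometer_now > g.expected_pos + g.window:
                events.append(("missing", g.group_id, g.expected_pos))
            continue
        for h in hits:
            offset = h.odometer - g.expected_pos
            if abs(offset) > g.window:
                events.append(("out_of_window", g.group_id, offset))
            else:
                absorbed.append(offset)
    return events, absorbed


def reaction(events: List[Event]) -> str:
    """Assumed onboard response: any linking inconsistency leads to a brake application."""
    return "brake" if events else "continue"


def run_scenario(reads: List[BaliseRead], odometer_now: float = 3500.0):
    events, absorbed = check_linking(LINKING, reads, odometer_now)
    return events, absorbed, reaction(events)


if __name__ == "__main__":
    scenarios = {
        "nominal": [BaliseRead(101, 1001.5), BaliseRead(102, 1999.0), BaliseRead(103, 3002.0)],
        "group 102 moved 8 m (inside window)": [BaliseRead(101, 1001.0), BaliseRead(102, 2008.0), BaliseRead(103, 3001.0)],
        "group 102 moved 30 m (outside window)": [BaliseRead(101, 1001.0), BaliseRead(102, 2030.0), BaliseRead(103, 3001.0)],
        "group 102 replaced by foreign balise": [BaliseRead(101, 1001.0), BaliseRead(999, 2500.0), BaliseRead(103, 3001.0)],
    }
    for name, reads in scenarios.items():
        print(name, "->", run_scenario(reads))
```

The second scenario is the one to look at: the 8 m move produces no event, so the train simply believes it is 8 m from where it is, which is the "changing the reported position" outcome; the 30 m move and the foreign balise are caught and produce the brake application, which is the "error signal" and denial-of-service outcome. How much undetected error matters then depends on location, which is the point made on the severity slide.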
39 Preliminary Risk Assessment – Define Severity of Outcome
Also hard to estimate without greater system knowledge
Train movements would be scheduled to allow the greatest traffic flow but with sufficient time between trains for safety reasons, similar to airport arrival and departure traffic
Positional errors would need to be evaluated for different areas: busy junctions (e.g. Clapham Junction) would tolerate a smaller error than a remote location with a low density of points
41 Vulnerability Assessment – Identify Vulnerable Assets
A large proportion of the system relies on assets outside the control or standards of the ERTMS
GSM-R may be adaptable but public GSM is unlikely to be
Balise and programming device
Driver (always has positive control)
Network infrastructure
Remember the O2 outage in 2012 where some users were affected but not others?
Identify vulnerabilities
Network outages
43 Evaluation and Further Work
Three aspects considered in context evaluation: Why, How, What
Full set: Why, How, What, Where, When, Who
Generation of a threat word taxonomy
External systems are vital to the operation of the system, yet limited control or authority is available
Partial failures must be considered (O2 outage)
44 References
ANONYMISED (2010). Information security audit of ERTMS. Technical report. This report is currently not publicly available; copies may be made available on request, subject to approval from the relevant stakeholders.
ANONYMISED (2011). ERTMS specification security audit – Analysis of attack scenarios. Technical report. This report is currently not publicly available; copies may be made available on request, subject to approval from the relevant stakeholders.
Casals, S., Owezarski, P. and Descargues, G. (2012). Risk assessment for airworthiness security. SAFECOMP 2012. [Online] Available at: Risk_Assessment_for_Airworthiness_Security_8p_.pdf [Accessed 12 June 2012].
Falliere, N., O Murchu, L. and Chien, E. (2011). W32.Stuxnet dossier. Symantec Security Response, February 2011. [Online] Available at: media/security_response/whitepapers/w32_stuxnet_dossier.pdf [Accessed 22 February 2012].
Kramer, D., Baker, M., Ransford, B., Molina-Markham, A., Stewart, Q., Fu, K. and Reynolds, M. (2012). Security and privacy qualities of medical devices: An analysis of FDA postmarket surveillance. PLoS ONE, 7(7).
McDermott, J. (2000). Attack net penetration testing. New Security Paradigms Workshop 2000.
McDonald, G., O Murchu, L., Doherty, S. and Chien, E. (2013). Stuxnet 0.5: The missing link. Symantec Security Response, February 2013. [Online] Available at: security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf [Accessed 20 February 2014].
Opdahl, A. and Sindre, G. (2008). Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology, 51(5).
Schneier, B. (1999). Attack trees. Dr Dobb's Journal, December 1999. [Online] [Accessed 1 July 2012].
US DoD (2012). Defense Acquisition Guidebook. [Online] Available at: DefenseAcquisitionGuidebook.pdf [Accessed 1 July 2012].