Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force.

Similar presentations


Presentation on theme: "Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force."— Presentation transcript:

1 Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force

2 Contents Introduction Stuxnet – the first of many Latest ‘Mask’ Malware A Need to Do More Safety vs Security, Failure vs Attack Attack Trees and Guide Words Simple Case Studies

3 Safety in the Traditional Sense FSSE – Nature of accidents –Flixborough 1974 Health and Safety at Work etc Act 1974

4 Safety in the Traditional Sense FSSE – Nature of accidents –Challenger 1986 Leakage issue on previous flights

5 Safety in the Traditional Sense FSSE – Nature of accidents –Bexley 1997 Maintenance issues, Overloading wagons and excess speed

6 Background and Motivation Pervious working environment Stuxnet Virus 2009/2010 Interest in Supervisory Control and Data Acquisition (SCADA) systems including Programmable Logic Controllers (PLCs) New Role working in ATM environment Desire to combine knowledge of Security and Safety as little exists on this subject

7 Stuxnet – The First (?) of Many (?) Virus discovered in Jun 2010, origin back in Jun 09 Targets a very specific hardware/software configuration at Natanz, Iran – Uranium reprocessing facility Executes by re-programming the PLC out of specified boundaries Virus deployed via USB pen drive on maintenance laptop Duqu discovered in Sep 11 thought to be connected to Stuxnet Flame discovered in May 2012 thought to be connected to Stuxnet

8 Stuxnet 0.5 Stuxnet 1.0 discovered in Jun 2010 Variants later discovered but traced back as early as Nov 2007 and development as early as 2005 Similar attack vector but closed valves instead of changing the rotation speed of centrifuges More versions known to exist but code has never been recovered Many other SCADA systems vulnerable to attack

9 RAS Gas computer systems taken off line days after a similar attack on Aramco (Aug 12) Saudi Arabia’s national oil company was attacked by the Shamoon virus, which targets energy sector infrastructure (Aug 12)

10 Mask Malware Aimed at Gov’ts and Finance Firms Probably created by a Nation State Reported by Kaspersky/BBC Technology website on 11 Feb 2014 Involved in cyber espionage operations since at least 2007 Ahead of Duqu in terms of sophistication Is this just the tip of the Iceberg?

11 How Skilled Do You Need To Be?

12 A Need to Do More Security and Safety need to be considered as a unity of specialisations and not just bolt-on’s to each other. Similarities with Safety a number of years ago? Develop a methodology to integrate security aspects into the safety analysis process Cross domain applicability Ability to apply at any stage of the safety lifecycle to capture legacy projects

13 Safety vs Security, Failure vs Attack Systems need to operate in a safe manner Systems need to be maintainable by many different and disparate parties Systems need to fail safe Systems need to be resilient and resistant to attack

14 What Previously Existed Security Processes or Tools –Casals et al, 2012 –6 Step Process 1 st 3 Steps considered and developed –Context establishment –Preliminary Risk Assessment –Vulnerability Assessment

15 What Previously Existed Attack Trees –Schneier, 1999 –Used within the US DoD Defense Acquisition Guidebook (US DoD 2012) Simple example is an activity such as trying to open or break into a safe. Helpful to have Guide Words to assist in the process

16

17

18

19 Guide (Threat) Words Prof McDermott –Art rather than a Science Opdahl and Sindre –Brainstorming activity Use process similar to FHA –SHARD guidewords – Omission. Commission, Early, Late, Value Look for Threat Words rather than Guide Words –Configuration, Authentication, Jamming, Replay, Lifecycle (learning)

20 Methodology Development Context Establishment Preliminary Risk Assessment Vulnerability Assessment

21 Case Study 1 – Implantable Medical Device Devices able to administer medication at varying rates Read patients state and report back to a physician Remote diagnostic/treatment –Implantable Cardiac Defibrillators (ICDs) –Drug Delivery Systems (eg Insulin Pumps) –Neurostimulators (eg for Parkinson’s Disease)

22 Context Establishment Considers IMDs in general, no FTA Threat words: –Access –Identification or Privacy –Configuration –Authorisation –Availability –Distance –Frequency –Safety

23 Context Establishment Define Initial Security Context –Passive or active or coordinated adversaries, Insider attack. Active Adversary Attack Tree

24 Preliminary Risk Assessment Identify Primary Assets –IMD, programming devices, management devices Identify Threats to Security –From research, encryption is not used between IMDs and supporting equipment, however the signalling format could be spoofed allowing unauthorised transmissions to be sent. –Devices transmit when a magnet is placed nearby –Device programmable or readable 24hrs per day? Define Scenarios Affecting Safety –Patient entering a treatment room in a non-local environment –Important or influential figure fitted with IMD –Organised Crime gangs seeking to steal device

25 Preliminary Risk Assessment Patient in a non-local environment

26 Preliminary Risk Assessment Establish Likelihood of Occurrence –As of 2012, no evidence could be found regarding attacks on IMDs –Kramer et al, 2012, states “there are no known case reports of malevolent interference that specifically target medical device function”

27 Preliminary Risk Assessment Severity of Outcome –Worst case is death –Least is possible early failure of device Most devices are 5-7 years so replacement is always assumed necessary at some future point

28 Vulnerability Assessment Identify Vulnerable Assets –IMD and supporting equipment Identify Vulnerabilities –Replay Attack –Electromagnetic interference –Malware on supporting PC –DoS attack Develop Attacks using Attack Trees

29 Evaluation and Further Work IMD use and proliferation is growing Technology is outpacing Security, not Safety –Possibly security through ambiguity –Stuxnet was directed at 2 specific targets worldwide IMDs must have high security but ease of access Consider a dual approach – threat in one direction, vulnerability in the other

30 Case Study 2 – European Railway Traffic Management System - ERTMS The ERTMS aims to replace the many different national train control and command systems in Europe with a standardised system. System relies upon the GSM networks. A full and complete security audit was performed on the ERTMS and in précis was: –The specs from a safety perspective were considered and safety requirements for technical interoperations were derived –Consideration of the context in which ERTMS operates and its trust relationships with other systems –Both top down and bottom up approaches investigated –Attack scenarios devised and graded

31 Context Establishment System description available from ERTMS web page

32 Context Establishment Define Threat Words: –Location Balise position Cuttings, tunnels, shadowing by other trains GPS used as a backup when GSM is lost? –Access Data - system uses cryptography and all users have same key Data – GSM-R: Handsets authenticate with the network but not vice versa Physical – some data is entered locally –Identification Each train has a unique identity – spoofing? Balises are not physically protected GSM repeater could be spoofed and information extracted

33 Context Establishment Define Threat Words: –Authorisation Can the driver override some or all aspects? How is this recorded? If GSM-R is the sole source of authorisation, what happens in an outage? –Jamming Passenger using small GSM jamming device – what effect to ERTMS? What precedence is given to GSM-R traffic? –Etc etc

34 Context Establishment Define Initial Security Context –What could be gained from attacking the system –How could the system be attacked? –What capabilities would the attacker need?

35 Context Establishment Develop Attack Trees

36 Preliminary Risk Assessment Identify Primary Assets –European Train Control System – ETCS –GSM-R – railway specific system built upon GSM standards ETCS –Onboard –Trackside Balises Radio Comms System (GSM-R) Radio Block Centres – issue movement authorisations to trains

37 Preliminary Risk Assessment Identify Threats to Security –93 page report written on the “ERTMS Specification Security Audit Analysis of Attack Scenarios” 29 July 2011 –Balise location considered for the remainder of the case study –Uses standard transmission protocol –Position or positional data could be affected –Metallic structures affecting balise signal performance

38 Preliminary Risk Assessment Define Scenarios Affecting Safety –Reputational/financial attack by an active aggressor but with limited technical knowledge of the system –Balise is moved closer to or further away from neighbour thus changing the reported position of the train or causing an error signal to be generated Establish Likelihood of Occurrence –Hard to estimate without greater technical knowledge of the system

39 Preliminary Risk Assessment Define Severity of Outcome –Also hard to estimate without greater system knowledge –Train movements would be scheduled to allow for greatest traffic flow but with sufficient time in-between trains for safety reasons similar to airport arrival and departure traffic. –Positional errors would need to be evaluated for different areas. Busy junctions (Clapham junction) would work with a smaller error than a remote location with a low density of points

40 Preliminary Risk Assessment

41 Vulnerability Assessment Identify Vulnerable Assets –Large proportion of the system relies on assets outside the control or standards of the ERTMS –GSM-R may be adaptable but GSM unlikely –Balise and programming device –Driver (always has positive control) –Network infrastructure Remember O 2 outage in 2012 where some users affected but not others? –Identify Vulnerabilities Network Outages

42 Vulnerability Assessment GSM_R Outage Vulnerability

43 Evaluation and Further Work 3 Aspects considered in Context evaluation –Why, How, What Full Set –Why, How, What, Where, When, Who Generation of a threat word taxonomy External systems are vital to operation of the system yet limited control or authority available Partial failures must be considered (O 2 Outage)

44 References ANONYMISED (2010). Information security audit of ERTMS, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders. ANONYMISED (2011). ERTMS specification security audit – Analysis of attack scenarios, Technical report. This report is currently not publicly available; however, copies of the report may be made available on request, subject to approval from the relevant stakeholders. Casals, S., Owezarski, P. and Descargues, G. (2012). Risk assessment for airworthiness security. Safecomp 2012 [Online]. Available at: Risk_Assessment_for_Airworthiness_Security_8p_.pdf [Accessed 12 June 2012]. Falliere, N., O Murchu, L. and Chien, E. (2011). W32.Stuxnet dossier. [Online] Symantec Security Response. February Available at: media /security_response/whitepapers/w32_stuxnet_dossier.pdf [Accessed 22 February 2012]. Kramer, D., Baker, M., Ransford, B., Molina-Markham, A., Stewart, Q., Fu, K and Reynolds, M. (2012). Security and privacy qualities of medical devices: An analysis of FDA postmarket surveillance. PLoS One, 7(7), e doi: /journal.pone McDermott, J. (2000). Attack net penetration testing. New Security Paradigms Workshop McDonald, G., Murchu, L., Doherty, S., Chien, E., (2013). Stuxnet 0.5: The Missing Link. [Online] Symantec Security Response. February Available at: security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf [Accessed 20 February 2014]. Opdahl, A. and Sindre, G. (2008). Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology, 51(5), Schneier, B. Attack Trees. [Online]. Dr Dobbs Journal, December Available at: [Accessed 1 July 2012]. US DoD (2012). Defense Acquisition Guidebook. [Online]. Available at: DefenseAcquisitionGuidebook.pdf [Accessed 1 July 2012].


Download ppt "Threats to Software Security Integrated with the Safety Planning Process Phil Cooke Battlespace Management - Safety Policy Royal Air Force."

Similar presentations


Ads by Google