
Jeanne H. Espedalen Attack Trees Describing Security in Distributed Internet-Enabled Metrology.


1 Jeanne H. Espedalen Attack Trees Describing Security in Distributed Internet-Enabled Metrology

2 Contents:
–Background, attack trees
–Background, metrology and calibration
–The basic ideas of the thesis work
–Performing the task – a case study
–Some results
–Conclusion

3 Author
–Background in metrology and calibration
–Electronics Engineer
–Worked at Justervesenet from 1994
–Part-time student at GUC from 2002

4 Background, Attack Trees
[Figure: example attack tree. Root goal: Open locked door. Sub-goals include dismantling the door, bursting the door open, and opening the lock (destroy lock; pick lock, i.e. open lock without a key; open lock with a key by finding or stealing a key and knowing which door it belongs to; or get someone with a key to open by finding a person with a key and bribing, threatening or duping them). AND-nodes are marked where several sub-goals are needed together.]
–Introduced by Bruce Schneier in 1999
–Semi-formal method
–Root: the main goal; sub-goals combined with Boolean AND/OR → the possible attacks
–Can include attributes, indicating cost, skills etc.
–Used to find vulnerabilities and analyze security threats
–Not very well known, or much used, as a methodology
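The "Boolean calculation" the slide mentions is easiest to see in code: an OR node is reached by any one child, an AND node needs every child, and enumerating the leaf combinations gives the list of possible attacks. The block below is an added example, not code from the thesis or the slides. It encodes the door-opening tree from the figure on this slide; the cost and skill attributes on the leaves are constructed for illustration and are not from the original.

```python
"""Attack-tree evaluation in the Schneier (1999) style: OR nodes need any
one child, AND nodes need all children, and leaves carry attributes.

Added example; not code from the thesis or the slides. The tree encodes the
door-opening example from slide 4; the cost and skill values on the leaves
are constructed for illustration and are not from the original.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                      # "LEAF", "OR" or "AND"
    children: List["Node"] = field(default_factory=list)
    cost: int = 0                           # leaf attribute: effort/cost (assumed units)
    skill: int = 0                          # leaf attribute: attacker skill needed, 0..3


def leaf(name: str, cost: int, skill: int) -> Node:
    return Node(name, "LEAF", [], cost, skill)


def OR(name: str, *children: Node) -> Node:
    return Node(name, "OR", list(children))


def AND(name: str, *children: Node) -> Node:
    return Node(name, "AND", list(children))


def attack_scenarios(node: Node) -> List[List[Node]]:
    """All leaf combinations that achieve the node's goal (the 'Boolean
    calculation' of the slide). OR = union of the children's scenarios,
    AND = every combination of one scenario per child."""
    if node.kind == "LEAF":
        return [[node]]
    if node.kind == "OR":
        return [s for child in node.children for s in attack_scenarios(child)]
    combos: List[List[Node]] = [[]]
    for child in node.children:
        combos = [done + more for done in combos for more in attack_scenarios(child)]
    return combos


def scenario_cost(scenario: List[Node]) -> int:
    return sum(step.cost for step in scenario)


def feasible(scenario: List[Node], attacker_skill: int) -> bool:
    """An attacker can run a scenario only if every step is within their skill."""
    return all(step.skill <= attacker_skill for step in scenario)


def cheapest_attack(node: Node, attacker_skill: int) -> Optional[List[Node]]:
    """Cheapest scenario a given attacker can execute, or None if the goal is
    out of reach for that skill level."""
    options = [s for s in attack_scenarios(node) if feasible(s, attacker_skill)]
    return min(options, key=scenario_cost) if options else None


def names(scenario: Optional[List[Node]]) -> List[str]:
    return [] if scenario is None else [step.name for step in scenario]


# Constructed encoding of the door example from slide 4 (costs/skills assumed).
DOOR_TREE = OR(
    "Open locked door",
    leaf("Dismantle door", cost=200, skill=1),
    leaf("Burst door open", cost=50, skill=0),
    OR(
        "Open lock",
        leaf("Destroy lock", cost=100, skill=1),
        leaf("Pick lock", cost=30, skill=3),
        AND(
            "Open lock with a key",
            OR("Get hold of a key",
               leaf("Find a key", cost=40, skill=0),
               leaf("Steal key", cost=80, skill=2)),
            leaf("Know which door the key belongs to", cost=5, skill=0),
        ),
        AND(
            "Get someone with a key to open",
            leaf("Find a person with a key", cost=20, skill=0),
            OR("Convince someone to open",
               leaf("Bribe", cost=500, skill=0),
               leaf("Threaten", cost=60, skill=1),
               leaf("Dupe", cost=40, skill=2)),
        ),
    ),
)

if __name__ == "__main__":
    for skill in range(4):
        print(f"skill {skill}: {names(cheapest_attack(DOOR_TREE, skill))}")
```

With the assumed attributes the tree yields nine distinct attack scenarios; an unskilled attacker has three of them available and the cheapest is to find a key and learn which door it fits, while a skilled attacker's cheapest route becomes picking the lock. This is the kind of per-attacker-profile reading of the tree that the thesis uses when it moves from the tree to threats and risk levels.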

5 Background, Metrology and Calibration
Metrology (BIPM): “The science of measurement”
Calibration (International Vocabulary of Basic and General Terms in Metrology): “set of operations that establish, under specified conditions, the relationship between values of quantities indicated by a measuring instrument or measuring system..”

6 Background, Traditional Calibration
[Figure: the unit under test (UUT) is transported from the customer to the calibration location at Justervesenet, where the high-precision devices are; the two sites have different environmental conditions (T1, P1, H1 versus T2, P2, H2).]
–Long downtime for the unit under test (UUT) (~weeks)
–Less control of the transport uncertainty introduced in the calibration result
–The UUT is calibrated in an environment different from its normal working conditions
–The customer is not part of the calibration process

7 Background, Internet-Enabled Calibration
[Figure: a transfer standard is transported from Justervesenet to the customer's calibration location, where the UUT is calibrated against it with Justervesenet connected over the www; the two sites have different environmental conditions (T1, P1, H1 versus T2, P2, H2).]
–Justervesenet investigates the effects of transport and environmental conditions on the transfer standard, and has more control
–The UUT is calibrated in its normal working environment
–Short downtime for the UUT (~hours)
–The customer is part of the calibration process

8 iMet, a System for the Future
[Figure: Justervesenet (transport standard, server holding measurement software and measurement data) and the customer (measurement software, measurement data, DUT) connected over the www, each behind a firewall.]
–Firewall-friendly, bidirectional HTTPS channel
–Updated measurement procedures and instrument drivers in the database server
–Measurement procedures automatically downloaded to the customer, compiled and run
–Measurement data returned
Security?

9 The Basic Goals of the Project
–Investigation of the attack tree method, evaluating its usability
–Security analysis of the iMet system, a case study

10 A Case Study
The case study was performed in a process of several steps:
–Identification of critical assets
–Attack trees → vulnerabilities
–Threats
–Risk level
–Countermeasures

11 Identifying Critical Assets
Metrology specific:
–Correct measurement results
–Instruments in setup
System application:
–IT systems
–Application components, SW and HW

12 Implementing the Attack Tree Method
High-level analysis, attacks on the critical asset:
–Correct measurement results

13 Attack tree for the critical asset “Correct measurement results” (selection based on critical asset)
[Figure: attack tree with root goal “Incorrect calibration values in calibration certificate”. Node labels visible in the figure: Incorrect calibration results; Error in data collection; Incorrect values from data collections; Error in / faulty data collection at customer; Use instrument with incorrect ID; Change ID in instrument; Manipulated calibration results; Manipulated data collection at customer; Pretend to be customer / perform as customer; Simulate instrument setup at customer; Manipulate cal. values before they are returned; Steal cal. standard in transport; Error in calculations; Bug in calculation routine; Incorrect calculation routine; Wrong version of calculation routine; Incorrect calibrator standard data; Error in data input to calculations; Wrong version of program; Faulty data transfer between customer / JV; Faulty cal. result in DB; Faulty data transfer from cal. result DB to cal. cert. Some branches are joined by AND.]

14 Selection of goal for refinement
[Figure: the same attack tree as on slide 13, with the goal “Wrong version of program” marked as the goal selected for refinement.]

15 Attack Trees
Refinement and ‘digging’ into the critical or interesting parts of the trees:
–Goal: Wrong version of program

16 Refined attack tree for the selected goal “Wrong version of program”
[Figure: root goal “Wrong version of program” with two main branches. “Obsolete version used”: obsolete version used at customer (obsolete version available at customer, obsolete version possible to load at customer, no/faulty version control) and obsolete version loaded from DB (obsolete version available / in DB, lack of or insufficient routine for deleting and/or removing obsolete version, no/faulty version control). “Manipulated version used”: manipulated program at customer (access to source code, required skills to perform change, authorized or unauthorized access), manipulate program in DB (access to DB by authorized or unauthorized access, required skills to perform change; valid, manipulated version in DB requires signing code with a valid key, i.e. access to a valid key by authorized or unauthorized access), and manipulated during upload/download (man-in-the-middle attack). AND-nodes mark the combined requirements.]

17 Selection of branch/goal for example
[Figure: the same refined tree as on slide 16, with the branch “Manipulated program at customer” (access to source code AND required skills to perform the change) marked as the example used on the following slides.]

18 Identifying Vulnerabilities, an Example
Program could be manipulated and used at the customer's
–A skilled customer could manipulate the downloaded source code, and e.g. simulate measurements
–Source code is signed in the database, and this signature is checked at download. But the customer could run another version, so the integrity of the returned measurement data is not secured by this signature.

19 Threats to the System, Example
Customer could want to simulate or manipulate measurements or the instrument ID
–Save time (the instrument should be used in production most of the time)
–Fabricate good results

20 Assessment of Risk Level, Example
“Program could be manipulated and used at customer”
–High criticality (integrity of measurement data)
–Low/medium threat (we know our customers..)
Risk level MEDIUM

21 Countermeasures, Example
Technical: Implement code obfuscator
–Make the code harder to understand, and thereby to manipulate
Administrative: Signing of contract between customer and authority
–Define responsibilities, judicial liability
For the future: Build authentication and signing mechanisms into the instruments
–Secure integrity of measurement data
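The gap on slide 18 and the long-term countermeasure on slide 21 are worth seeing side by side: a signature over the downloaded program is verified once, at download time, and says nothing about which program actually produced the data that comes back. Below is an added example, not code from the iMet project, that models both versions. The code-signing key, the instrument keys, the instrument IDs and the readings are constructed; HMAC-SHA256 stands in for both signing mechanisms so the example runs without dependencies, whereas a deployment of the slide's proposal would use an asymmetric signature with the private key held inside the instrument.

```python
"""Why a signature on the downloaded program (slide 18) does not secure the
returned measurement data, and what signing inside the instrument (slide 21)
adds.

Added example; not code from the iMet project. Key material, instrument IDs
and readings are constructed. HMAC-SHA256 stands in for both signing
mechanisms to keep the example dependency-free; a deployment would use an
asymmetric signature with the private key held in the instrument.
"""
import hashlib
import hmac
import json
from typing import Dict, List

# ---- Version 1: the program is signed, the data is not (slide 18) ----------
CODE_SIGNING_KEY = b"constructed-jv-code-signing-key"          # assumption


def sign_program(source: str) -> str:
    return hmac.new(CODE_SIGNING_KEY, source.encode(), hashlib.sha256).hexdigest()


def program_signature_valid(source: str, signature: str) -> bool:
    """The download-time check described on slide 18."""
    return hmac.compare_digest(sign_program(source), signature)


GENUINE_PROCEDURE = "read the instrument; return the readings unchanged"   # constructed
GENUINE_SIGNATURE = sign_program(GENUINE_PROCEDURE)


def genuine_collect(instrument_id: str, readings: List[float]) -> Dict:
    return {"instrument": instrument_id, "readings": readings}


def manipulated_collect(instrument_id: str, readings: List[float]) -> Dict:
    """What a skilled customer's own version can do: fabricate good results."""
    return {"instrument": instrument_id, "readings": [1.0] * len(readings)}


def server_accepts_v1(report: Dict) -> bool:
    """Server side in v1: nothing binds the report to the signed program or
    to the instrument, so only the shape of the report can be checked."""
    return set(report) == {"instrument", "readings"}


# ---- Version 2: the instrument signs its own readings (slide 21) ----------
# Assumed: each instrument holds a key provisioned by Justervesenet, and the
# server knows which key belongs to which instrument ID.
INSTRUMENT_KEYS: Dict[str, bytes] = {
    "UUT-0042": b"constructed-key-inside-instrument-0042",
    "UUT-0043": b"constructed-key-inside-instrument-0043",
}


def _canonical(instrument_id: str, readings: List[float]) -> bytes:
    """Deterministic encoding so that signer and verifier hash identical bytes."""
    payload = {"instrument": instrument_id, "readings": readings}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def instrument_sign(instrument_id: str, readings: List[float]) -> Dict:
    """Runs inside the instrument. The customer's program, whatever version it
    is, can only forward or drop this report, not alter it undetected."""
    key = INSTRUMENT_KEYS[instrument_id]
    tag = hmac.new(key, _canonical(instrument_id, readings), hashlib.sha256).hexdigest()
    return {"instrument": instrument_id, "readings": readings, "sig": tag}


def server_accepts_v2(report: Dict) -> bool:
    """Server side in v2: recompute the tag under the key registered for the
    claimed instrument ID. Altered readings or a swapped ID both fail."""
    key = INSTRUMENT_KEYS.get(report.get("instrument", ""))
    if key is None:
        return False
    expected = hmac.new(key, _canonical(report["instrument"], report["readings"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report.get("sig", ""))


if __name__ == "__main__":
    readings = [1.0012, 0.9987, 1.0003]                     # constructed
    print("program signature ok:", program_signature_valid(GENUINE_PROCEDURE, GENUINE_SIGNATURE))
    print("v1 accepts fabricated data:", server_accepts_v1(manipulated_collect("UUT-0042", readings)))
    good = instrument_sign("UUT-0042", readings)
    print("v2 accepts genuine report:", server_accepts_v2(good))
    print("v2 accepts fabricated data:", server_accepts_v2(dict(good, readings=[1.0] * 3)))
    print("v2 accepts swapped ID:", server_accepts_v2(dict(good, instrument="UUT-0043")))
```

Because the instrument ID is inside the signed payload, the v2 check rejects both threats listed on slide 19, fabricated measurements and a manipulated instrument ID, while the v1 server has no way to distinguish a report from the genuine procedure from one produced by a customer's own version. Two caveats a practitioner would add: the code obfuscator on slide 21 only raises the skill needed for the v1 attack, it does not change what the server can verify; and instrument-side signing on its own does not stop replay of an old genuine report (a timestamp or server nonce in the signed payload handles that) nor a customer physically feeding the instrument a wrong input. With a shared HMAC key the server could also forge reports, which is one reason to prefer asymmetric keys in the instrument.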

22 Some Results: Usability of Method
(Semi-)formalized method:
–A guide through the analysis
Flexibility:
–Depth of analysis, maturity of system, interpretation of the trees
Presentation of results from the analysis:
–Should adapt to the recipients

23 Some Results: The iMet System
We have identified 14 vulnerabilities
We have suggested mitigation strategies for these, based on risk assessment. Most of them are easily achievable

24 Conclusion
We have performed:
Evaluation of the usability of the attack tree method
–General usability
–For this system (and similar)
A case study of the iMet system
–Security analysis
–Countermeasures

