MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – (IC) 3 Cyber Safety: A Systems Thinking and Systems Theory Approach.

Slides:



Advertisements
Similar presentations
ETHICAL HACKING A LICENCE TO HACK
Advertisements

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC) 3 3 Sept 2014 CYBER SAFETY: A Systems Thinking and Systems Theory.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
Cyber Security and the Smart Grid George W. Arnold, Eng.Sc.D. National Institute of Standards and Technology (NIST) U.S. Department of Commerce
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
How secure are b Wireless Networks? By Ilian Emmons University of San Diego.
Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.
TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Lecture 11 Reliability and Security in IT infrastructure.
Session 3 – Information Security Policies
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
K E M A, I N C. Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004.
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
Session No. 3 ICAO Safety Management Standards ICAO SMS Framework
System Theoretic Approach To Cybersecurity:
Outline  Company Profile  Services Provided  Assets  System Schema  Risk Categories  Technical Risks and Mitigation  Summary.
SEC835 Database and Web application security Information Security Architecture.
Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or distribution of this material is.
Evolving IT Framework Standards (Compliance and IT)
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013.
IAEA International Atomic Energy Agency IAEA Nuclear Security Programme Enhancing cybersecurity in nuclear infrastructure TWG-NPPIC – IAEA May 09 – A.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Security Awareness Challenges of Securing Information No single simple solution to protecting computers and securing information Different types of attacks.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Secure Connections for a Smarter World Dr. Shuyuan Mary Ho Assistant Professor School of Information Florida State University.
NATO Advanced Research Workshop “Best Practices and Innovative Approaches to Develop Cyber Security and Resiliency Policy Framework” Scenario for Discussion.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.
Appendix C: Designing an Operations Framework to Manage Security.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security Business Risk and Data Protection Gregory Neuhaus.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test.
IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.
Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.
APolicy EASy Security Project Analysis and Recommendations for TJX Companies, Inc.
BUSINESS CLARITY ™ PCI – The Pathway to Compliance.
IAEA International Atomic Energy Agency The Human and Organizational Part of Nuclear Safety Monica Haage – International Specialist on.
The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.
1 © 2004, Cisco Systems, Inc. All rights reserved. Wireless LAN (network) security.
CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215)
Security Outsourcing Melissa Karolewski. Overview Introduction Definitions Offshoring MSSP Outsourcing Advice Vendors MSSPs Benefits & Risks Security.
Information Security Principles and Practices by Mark Merkow and Jim Breithaupt Chapter 1: Why Study Information Security?
March 23, 2015 Missouri Public Service Commission | Jefferson City, MO.
MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – (IC)3 Cyber Safety: A Systems Thinking and Systems Theory Approach.
Cybersecurity - What’s Next? June 2017
Breaches by Merchant Type
Introduction to the Federal Defense Acquisition Regulation
MIS 5121: Real World Control Failure - TJX
Cyber Attacks on Businesses 43% of cyber attacks target small business Only 14% of small business rate their ability to mitigate cyber risk highly.
ESSENTIALS OF A PHYSICAL SECURITY SYSTEMS RISK ASSESSMENT
Systems Theory Approach to Managing Cybersecurity –
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.
IIA District Conference Seminar Presenter David Cole, CPA, CISA, CRISC
Chapter 1: Information Security Fundamentals
Presentation transcript:

MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – (IC) 3 Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks Dr. Qi Van Eikema Hommes, Lecturer & Research Affiliate Hamid Salim Stuart Madnick, Professor Michael Coden, CISSP, Associate Director MIT-(IC) 3 Presented at the International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange, International Atomic Energy Agency, June 2, 2015, Vienna, Austria

Presentation Outline (IC) 3 Research Motivations Approaches – System-Theoretic Accident Model and Processes (STAMP) Causal Analysis based on STAMP (CAST) System Theoretic Process Analysis (STPA) Case Study – CAST Applied to the TJX Case – CAST Applied to Stuxnet Future Research Directions Copyright 2015, MIT-(IC)3, All Rights Reserved. 2

(IC) 3 is a Shared Research Consortium Join (IC) 3 at Each member contributes to the annual research budget All members share in the tools, models, methods, processes and procedures developed 3

Research Motivations Copyright 2015, MIT-(IC)3, All Rights Reserved. 4 Source: Hitachi Cyber to Physical Risks With Major Consequences

Controlled Process Model of controlled Process Model of controlled Process Control Actions Feedback = Sensors Controller System Theoretic Accident Model and Processes (STAMP) Copyright 2015, MIT-(IC)3, All Rights Reserved. 5 Professor Nancy Leveson analyzes industrial accidents including Citichem Oakbridge, Challenger disaster, etc., developing STAMP: Modeling the effects of complex system interactions by: Hierarchical Layers of Actuators/Controls and Sensors/Feedback Including the role of human actions and decisions as a part of the whole system Actuators =

Typical Industrial or Cyber Incident Investigation Model Copyright 2015, MIT-(IC)3, All Rights Reserved. 6 Investigation usually stops when a human error is found

Add Maintenance and Evolution Layers Copyright 2015, MIT-(IC)3, All Rights Reserved. 7

Add Project Management and Operations Management Layers Copyright 2015, MIT-(IC)3, All Rights Reserved. 8

Add Company Management Layer Copyright 2015, MIT-(IC)3, All Rights Reserved. 9

Add State, Federal, Regulatory Layers 10 Generic Control Model

The Approaches STAMP = System Theoretic Accident Model And Processes 1.CAST: Causal Analysis using System Theory – Prove the model by looking backwards 2.STPA: System Theoretic Process Analysis – Apply the model looking forward for incident prevention 11 Copyright 2015, MIT-(IC)3, All Rights Reserved.

CAST Systematic Analysis Process Copyright 2015, MIT-(IC)3, All Rights Reserved System and hazard definition 2System level safety/security requirements 3Draw hierarchical control structure 4Proximate events 5Analyze the physical system 6Moving up the levels of the control structure 7Coordination and communication 8Dynamics and change over time 9Generate recommendations.

STPA Systematic Incident Prevention Process 13 Safety or Security Problem to Prevent Hazard Inadequate Control Actions Causes Design and Management Requirements and Controls Copyright 2015, MIT-(IC)3, All Rights Reserved.

Presentation Outline (IC) 3 Research Motivations Approaches – System-Theoretic Accident Model and Processes (STAMP) Causal Analysis based on STAMP (CAST) System Theoretic Process Analysis (STPA) Case Study – CAST Applied to the TJX Case – CAST Applied to Stuxnet Future Research Directions Copyright 2015, MIT-(IC)3, All Rights Reserved. 14

TJX (TJ Maxx & Marshalls) Case Study TJX is a US-based major off-price retailer. – Revenues > $25 billion (FY2014) Victim of largest (by number of cards) cyber-attack in history, when announced in Cost to TJX > $170 million, per SEC filings. Cyber-attack launched from a store on Miami, FL in 2005 by exploiting Wi-Fi vulnerability. Hackers ultimately reached corporate payment servers and stole current transaction data. Cyber-attack lasted for over 1.5 years (According to the US ICS-CERT, based on all reported ICS cyber-attacks, the average time that cyber-attackers were inside the ICS system before being discovered was 243 days.) 15 Copyright 2015, MIT-(IC)3, All Rights Reserved. Sources: Federal/State Court records (primary), TJX SEC Filings, Others (NYT, WSJ, Globe, FTC, Academic papers, Journal articles). ICS-CERT Oral Presentation, ABB Automation & Power World, March, 2015

CAST Step 1: Identify System and Hazards System – TJX payment card processing system Hazards – at system level – System allows for unauthorized access to customer information 16 Copyright 2015, MIT-(IC)3, All Rights Reserved. 1 System and hazard definition 2 System level safety/security requirements 3Draw control structure 4Proximate events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations.

CAST Step 2: Define System Security Requirements Protect customer information from unauthorized access. Provide adequate training to staff for managing security technology infrastructure. Minimize losses from unauthorized access to payment system. 17 Copyright 2015, MIT-(IC)3, All Rights Reserved. 1 System and hazard definition 2 System level safety/security requirements 3Draw control structure 4Proximate events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations.

18 Cast Step 3: Hierarchical Control Structure

Proximal Event Chain Copyright 2015, MIT-(IC)3, All Rights Reserved System and hazard definition 2System level safety/security requirements 3Draw control structure 4Proximate events 5Analyze the physical system 6Moving up the levels of the control structure 7Coordination and communication 8Dynamics and change over time 9Generate recommendations.

Breaching Marshalls’ Store Copyright 2015, MIT-(IC)3, All Rights Reserved AP- Open authentication vs Shared Key authentication. 2.WEP publically known weak algorithm compromised. 3.Sniffers used to monitor data packets. 4.Hackers steal store employee account information and gain access to TJX corporate servers.

Hackers Establish VPN Connection Copyright 2015, MIT-(IC)3, All Rights Reserved Hackers use Marshalls AP to install VPN connection. 2.VPN is between TJX corporate server and hacker controlled servers in Latvia. 3.Code installed on TJX corporate payment processing server. 4.No longer using TJX network

Flow for Sales of Stolen Payment Card Information Copyright 2015, MIT-(IC)3, All Rights Reserved Hackers are selling credit card data for almost 1.5 years

Analyzing the Physical System Copyright 2015, MIT-(IC)3, All Rights Reserved System and hazard definition 2System level safety/security requirements 3Draw control structure 4Proximate events 5Analyze the physical system 6Moving up the levels of the control structure 7Coordination and communication 8Dynamics and change over time 9Generate recommendations.

Cast Step 5: Analyzing the Physical Process (TJX Retail Store) Copyright 2015, MIT-(IC)3, All Rights Reserved. 24

Cast Step 5: Analyzing the Physical Process (TJX Retail Store) Copyright 2015, MIT-(IC)3, All Rights Reserved Safety Requirements and Constraints Prevent unauthorized access to customer information. Emergency and Safety Equipment Wi-Fi network Access Point (AP) authentication Wi-Fi encryption algorithm Failures and Inadequacy Retail store Wi-Fi AP misconfigured Inadequate encryption technology – WEP decrypting key were freely available on the internet. Inadequate monitoring of data activities on the Wi-Fi. Physical & Contextual Factors Early adopter of Wi-Fi Learning curve and training Safety Requirements and Constraints Prevent unauthorized access to customer information. Emergency and Safety Equipment Wi-Fi network Access Point (AP) authentication Wi-Fi encryption algorithm Failures and Inadequacy Retail store Wi-Fi AP misconfigured Inadequate encryption technology – WEP decrypting key were freely available on the internet. Inadequate monitoring of data activities on the Wi-Fi. Physical & Contextual Factors Early adopter of Wi-Fi Learning curve and training Four Key Areas: 1.Safety Requirements & Constraints 2.Emergency & Safety Equipment 3.Failures & Inadequacy 4.Physical & Contextual Factors

Analyzing the Control Structure Copyright 2015, MIT-(IC)3, All Rights Reserved System and hazard definition 2System level safety/security requirements 3Draw control structure 4Proximate events 5Analyze the physical system 6Moving up the levels of the control structure 7Coordination and communication 8Dynamics and change over time 9Generate recommendations.

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Copyright 2015, MIT-(IC)3, All Rights Reserved Payment Card Processing System

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Copyright 2015, MIT-(IC)3, All Rights Reserved Safety Requirements and Constraints Prevent unauthorized access to customer information. Emergency and Safety Equipment – Payment card data is encrypted during transmission and storage – Conform to Payment Card Industry Data Security Standard (PCI-DSS) Failures and Inadequacy – Payment data briefly stored and then transmitted unencrypted to the bank. – Not compliant with PCI-DSS. – Fifth Third Bancorp had limited influence on TJX Safety Requirements and Constraints Prevent unauthorized access to customer information. Emergency and Safety Equipment – Payment card data is encrypted during transmission and storage – Conform to Payment Card Industry Data Security Standard (PCI-DSS) Failures and Inadequacy – Payment data briefly stored and then transmitted unencrypted to the bank. – Not compliant with PCI-DSS. – Fifth Third Bancorp had limited influence on TJX Physical Contextual Factors – PCI-DSS is not legally required by States (except for NV) and Federal Government. – Fifth Third Bancorp has no regulatory role Physical Contextual Factors – PCI-DSS is not legally required by States (except for NV) and Federal Government. – Fifth Third Bancorp has no regulatory role Payment Card Processing System

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Copyright 2015, MIT-(IC)3, All Rights Reserved State Legislature PCI-DSS is a law in the State of Nevada, but not in Massachusetts where TJX is headquartered. TJX a creates jobs and generates tax revenue in Massachusetts. State Legislature PCI-DSS is a law in the State of Nevada, but not in Massachusetts where TJX is headquartered. TJX a creates jobs and generates tax revenue in Massachusetts. State Legislature

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Copyright 2015, MIT-(IC)3, All Rights Reserved Federal Regulatory agency: Most Cyber Security standards are voluntary and are written broadly. At the time of the attack, no regulation existed for the overall retail industry. Federal Regulatory agency: Most Cyber Security standards are voluntary and are written broadly. At the time of the attack, no regulation existed for the overall retail industry. Regulatory Agencies: FTC, SEC, etc.

Coordination and Communication Copyright 2015, MIT-(IC)3, All Rights Reserved System and hazard definition 2System level safety/security requirements 3Draw control structure 4Proximate events 5Analyze the physical system 6Moving up the levels of the control structure 7Coordination and communication 8Dynamics and change over time 9Generate recommendations.

Step 7: Coordina- tion and Commun- ication Copyright 2015, MIT-(IC)3, All Rights Reserved Aware of PCI-DSS compliance issue.

Step 7: Coordina- tion and Commun- ication Copyright 2015, MIT-(IC)3, All Rights Reserved Lack of coordination for PCI-DSS Compliance

Step 7: Coordina- tion and Commun- ication Copyright 2015, MIT-(IC)3, All Rights Reserved Aware of PCI-DSS compliance issue. Cyber Security spending was not the highest priority.

Step 7: Coordina- tion and Commun- ication Copyright 2015, MIT-(IC)3, All Rights Reserved Missing support

Step 7: Coordina- tion and Commun- ication Copyright 2015, MIT-(IC)3, All Rights Reserved Missing support Uninformed

Step 7: Coordina- tion and Commun- ication Copyright 2015, MIT-(IC)3, All Rights Reserved No single person responsible for cyber security

Dynamic Migration to High Risk State Copyright 2015, MIT-(IC)3, All Rights Reserved System and hazard definition 2System level safety/security requirements 3Draw control structure 4Proximate events 5Analyze the physical system 6Moving up the levels of the control structure 7Coordination and communication 8Dynamics and change over time 9Generate recommendations.

CAST Step 8: Dynamics and Migration to a High-Risk State Initially cyber security risk was low because vulnerabilities were unknown to everyone – experts, businesses, and hackers. Flaws in managerial decision making process. – Information availability: recent experiences strongly influence the decision (i.e., no break- ins so far.) 39 Copyright 2015, MIT-(IC)3, All Rights Reserved.

CAST Step 8: Dynamics and Migration to a High-Risk State (Cont.) 40 Above is a message from CIO in November 2005 to his staff, requesting agreement on his belief that cyber security risk is low. There were only two opposing views, a majority of his staff agreed. This confirmation trap led to postponing upgrades. “My understanding is that we can be PCI-compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07’s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible.” – TJX CIO, Nov Copyright 2015, MIT-(IC)3, All Rights Reserved.

Comparison of Results from FTC and CPC Investigations and STAMP/CAST Analysis 41 No.RecommendationCPCFTC STAMP /CAST 1 Create an executive level role for managing cyber security risks. No*Yes 2PCI-DSS integration with TJX processes. No Yes 3Develop a safety culture. No Yes 4 Understand limitations of PCI-DSS and standards in general. No Yes 5Review system architecture. No Yes 6Upgrade encryption technology. YesNoYes 7Implement vigorous monitoring of systems. YesNoYes 8Implement information security program. NoYes CPC = Canadian Privacy Commission FTC = Federal Trade Commission * = Indicates recommendations that are close to STAMP/CAST based analysis but also has differences.

Research Contributions 1.Highlighted need for systematic thinking and systems engineering approach to cyber security. 2.Tested STAMP/CAST as a new approach for managing cyber security risks. 3.Discovered new insights when applying STAMP/CAST to the TJX case. 4.Recommendations provide a basis for preventing similar events in the future. 5.The US Air Force has successfully implemented, and is implementing STPA as a cyber security measure 6.STAMP/CAST/STPA is compatible with the NIST Cybersecurity Framework, UK Cyber Essentials, IEC and other Cybersecurity standards Copyright 2015, MIT-(IC)3, All Rights Reserved. 42

Application to Cyber Physical System (Stuxnet Example) 43 Copyright 2015, MIT-(IC)3, All Rights Reserved.

Future Research Directions Continue applying CAST for Cyber Security attack analysis and generate comprehensive list of recommendations that include: Improvements to mitigate technology vulnerabilities Ways to address systemic issues related to management, decision making, culture, policy and regulation. Apply the System Theoretic Process Analysis (STPA) approach to identify system vulnerability prior to an attack. – (IC) 3 has started a project to ensure the cyber security of complex power grids, working with major grid operators in the US, Dubai, and Singapore. 44 Copyright 2015, MIT-(IC)3, All Rights Reserved.

MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – (IC) 3 Questions? Michael Coden, CISSP, Associate Director MIT-(IC) 3 Presented at the International Conference on Computer Security in a Nuclear World: Expert Discussion and Exchange, International Atomic Energy Agency, June 2, 2015, Vienna, Austria

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.