Hazmat Signs for Industrial Software - CREDC (slide transcript)
Slide 1 (cred-c.org)
Hazmat Signs for Industrial Software…if they existed, what would they look like?
Bryan Owen PE, OSIsoft LLC
Slide 2
Most Industrial Software is ‘Toxic’
Slide 3
Toxicity
The degree to which a chemical substance can damage an organism:
• Whole organism
• Organs,
• Tissue,
• Or even cellular damage.
Slide 4
Toxin Categories
• Biological Hazard
• Corrosive Hazard
• Physical Hazard
• Non-Ionizing Radiation Hazard
Slide 5
“Cyber” – Bio Hazard
Abuse of legitimate ICS functionality
• Stuxnet
• Crashoverride / Industroyer
• Eg Protocols: IEC101, IEC104, and IEC61850
(Sign: Biological Hazard)
Slide 6
“Cyber” – Corrosive Hazard
Non-ICS specific Ransomware & Wipers
• Brickerbot
• Not Petya / WannaCry
• Shamoon
• Eg Protocols: SMB, Telnet
(Sign: Corrosive Hazard)
Slide 7
“Cyber” – Physical Hazard
Enlistment in bots
• Carna
• Mirai
• Reaper
• And many other similar threats
(Sign: Physical Hazard)
Slide 8
“Cyber” – Radio Hazards
Recent threats against radio interfaces (reported malware and protocol attacks)
• BadBIOS
• BlueBorne
• WPA2 Krack
(Sign: Non-Ionizing Radiation Hazard)
Slide 9
Chemical Hazard Labels – NFPA Diamond
Four quadrants: HEALTH, FLAMMABILITY, REACTIVITY, SPECIAL HAZARDS
Each quadrant is rated from 0 (Least Serious) to 4 (Most Serious)
Scale anchors: Flammability 0 = Will Not Burn; Reactivity 4 = Shock and Heat May Detonate
Slide 10
Cyber Hazard Labels: “C-I-A Triad Model”
Quadrants: CONFIDENTIALITY, INTEGRITY, AVAILABILITY, SPECIAL HAZARDS
Rating scale (most to least serious):
4 Remote, Anonymous, Default Configuration, Root Access
3 Remote, Anonymous, Default Configuration, User Access
2 Remote, Authenticated, Default Configuration, Root Access
1 Remote, Authenticated, Custom Configuration, Write Access
0 Remote, Authenticated, Read Access
Slide 11
Cyber Hazard Labels: “V-A-T Model (OSSTMM)” 1/2
Quadrants: VISIBILITY, ACCESS, TRUST, SPECIAL HAZARDS
VISIBILITY scale (most to least serious):
4 Remote management endpoints
3 Remote write access endpoints
2 Remote read access endpoints
1 Device broadcasts
0 No targets visible remotely
Slide 12
Cyber Hazard Labels: “V-A-T Model (OSSTMM)” 2/2
Quadrants: VISIBILITY, ACCESS, TRUST, SPECIAL HAZARDS
TRUST scale (most to least serious; 3P = third party):
4 Unmanaged 3P components, 3P managed trust infrastructure
3 Unmanaged 3P components
2 3P managed trust infrastructure
1 Self-managed 3P components, trust infrastructure
0 Trusted foundry with transparency
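An added example, not code from the talk or from OSIsoft: the two rating rubrics on the C-I-A slide (the 4..0 exposure scale) and the V-A-T slide (the VISIBILITY scale) encoded in Python, so that a component's endpoints are scored the same way every time instead of by eye. The Endpoint attributes, the sample endpoints and the way the slides' gaps are filled (a local-only endpoint rates 0; anonymous access rates 3 or 4 whether or not the configuration is the default; endpoints rated 3 or higher are listed in the special-hazards box) are my assumptions, not the talk's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """One interface of a software component, described by the attributes the slides rate."""
    name: str
    remote: bool          # reachable over the network at all
    anonymous: bool       # usable without authentication
    default_config: bool  # enabled and reachable in the shipped default configuration
    access: str           # "read", "write", "management" or "broadcast"
    privilege: str        # "root" (kernel/admin) or "user" for the process behind it


def exposure_rating(ep: Endpoint) -> int:
    """C-I-A slide scale, 4 (most serious) .. 0, for one endpoint.

    Assumptions where the slide's scale has gaps: local-only endpoints rate 0,
    anonymous access rates 3/4 regardless of configuration, and authenticated
    read-only access rates 0 even in the default configuration.
    """
    if not ep.remote:
        return 0
    if ep.anonymous:                                  # "Remote, Anonymous, ..."
        return 4 if ep.privilege == "root" else 3
    if ep.default_config and ep.privilege == "root":  # "Remote, Authenticated, Default Configuration, Root Access"
        return 2
    if ep.access in ("write", "management"):          # "Remote, Authenticated, Custom Configuration, Write Access"
        return 1
    return 0                                          # "Remote, Authenticated, Read Access"


# V-A-T slide VISIBILITY scale; a component scores by its most visible remote endpoint.
VISIBILITY_RANK = {"management": 4, "write": 3, "read": 2, "broadcast": 1}


def visibility_rating(endpoints) -> int:
    return max((VISIBILITY_RANK[ep.access] for ep in endpoints if ep.remote), default=0)


def hazard_label(component: str, endpoints) -> dict:
    """Compose the two ratings plus the special-hazards text for a label."""
    exposures = [exposure_rating(ep) for ep in endpoints]
    # Assumption: anonymously reachable endpoints (rated >= 3) go in the special-hazards box.
    special = sorted(ep.name for ep, r in zip(endpoints, exposures) if r >= 3)
    return {
        "component": component,
        "visibility": visibility_rating(endpoints),
        "exposure": max(exposures, default=0),
        "special_hazards": special,
    }


# Constructed sample component (not a real product) to exercise the rubric.
SAMPLE_ENDPOINTS = [
    Endpoint("modbus/tcp 502", remote=True, anonymous=True, default_config=True, access="write", privilege="user"),
    Endpoint("ssh 22", remote=True, anonymous=False, default_config=False, access="management", privilege="root"),
    Endpoint("https 443 status page", remote=True, anonymous=False, default_config=True, access="read", privilege="user"),
    Endpoint("local console", remote=False, anonymous=True, default_config=True, access="management", privilege="root"),
]

if __name__ == "__main__":
    print(hazard_label("sample gateway", SAMPLE_ENDPOINTS))
```

The sample scores exposure 3 (the unauthenticated Modbus write port) and visibility 4 (a remote management endpoint exists), with the Modbus port in the special-hazards box; the SSH endpoint rates only 1 because it is authenticated and not in the default configuration.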
Slide 13
Cyber Hazard Labels: Cornell “SoS” Blueprint
Quadrants: OBFUSCATION, ISOLATION, MONITORING, SPECIAL HAZARDS
Source: Fred B. Schneider, "Blueprint for a science of cybersecurity", The Next Wave Vol. 19 No. 2, 2012
Safety: no ‘bad thing’ happens
Liveness: some ‘good thing’ happens
Slide 14
Special Cyber Hazards: “Observables”
• Digital signature or unique hash
• Documentation of third party components
• Important dates (creation, last modified)
• Memory safe frameworks and languages
• User mode vs kernel or root
• Execution flags (ASLR, CFG, DEP, NX, etc…)
• Network protocol safety
• Software update mechanism
A badness-ometer can’t tell you that you’re secure. It can only tell you that you’re not.
Badness-ometers are good. Do you own one? by Gary McGraw, https://www.synopsys.com/blogs/software-security/badness-ometers-are-good-do-you-own-one
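An added example, not code from the talk or from OSIsoft: a small badness-ometer for two of the observables listed above, the unique hash and the execution flags, for ELF64 binaries, using only the Python standard library. It reads the ELF header and program headers the way the Linux loader does: ET_DYN means the image can be placed at a random base (PIE, the precondition for ASLR), a PT_GNU_STACK segment without the execute flag means NX applies to the stack (with the segment absent the loader falls back to an executable stack), and PT_GNU_RELRO means at least partial RELRO. The sample images are constructed in-memory headers with no code, so the script runs offline; the function and file names are mine.

```python
import hashlib
import struct

# ELF64 constants (values from the ELF specification / <elf.h>)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT = "16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes
PHDR_FMT = "IIQQQQQQ"           # Elf64_Phdr, 56 bytes


def elf_observables(data: bytes) -> dict:
    """Return the hash plus execution-flag observables for an ELF64 image.

    pie   : e_type == ET_DYN, i.e. the image can be loaded at a random base (ASLR)
    nx    : PT_GNU_STACK present and not marked PF_X; with the segment absent the
            Linux loader falls back to an executable stack, which counts as no NX
    relro : a PT_GNU_RELRO segment exists (at least partial RELRO)
    """
    if len(data) < struct.calcsize("<" + EHDR_FMT) or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == ELFDATA2LSB else ">"
    ehdr = struct.unpack_from(end + EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    # Bounds checks before trusting header fields: a crafted file must not make
    # the checker itself read past the buffer.
    if e_phentsize != struct.calcsize("<" + PHDR_FMT):
        raise ValueError("unexpected program header size")
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table runs past end of file")

    stack_flags, relro = None, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True

    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "pie": e_type == ET_DYN,
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": relro,
    }


def missing_mitigations(obs: dict) -> list:
    """Names of the execution-flag observables that are absent (the label's special-hazards text)."""
    return [name for name in ("pie", "nx", "relro") if not obs[name]]


def build_sample_elf(pie: bool, exec_stack: bool, relro: bool, stack_header: bool = True) -> bytes:
    """Constructed ELF64 header + program headers (no code, not loadable) for offline tests."""
    phdrs = []
    if stack_header:
        phdrs.append((PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = struct.pack("<" + EHDR_FMT, e_ident,
                       ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,   # e_type, e_machine (x86-64), e_version, e_entry
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)   # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(struct.pack("<" + PHDR_FMT, *p) for p in phdrs)


if __name__ == "__main__":
    import sys
    # Real use: python elf_observables.py /path/to/binary ; with no argument, the constructed sample is checked.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(True, False, True)
    obs = elf_observables(image)
    print(obs, "missing:", missing_mitigations(obs))
```

Per the McGraw quote, a clean result here says only that these particular bad signs are absent; a binary can be PIE, NX and RELRO and still be trivially exploitable, so the output belongs in the special-hazards box of a label, not in a "secure" verdict.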
Slide 15
Idea: Safety Data Sheets
Slide 16
Cyber Security Data Sheets
Cyber Security Technical Assessment Methodology: Vulnerability Identification and Mitigation, 3002008023, Final Report, October 2016
Contributors: Michael Thow – EPRI; Steve Hagan – Fisher Valves; Dan Griffin – JW Secure; John Connelly – Exelon; Inman – Lanier – Fisher Valves; Justin Kosar – Assoc. Electric Cooperative; Manu Sharma – Exelon; Mike Hagen – Fisher Valves; Andrew Dettmer – Assoc. Electric Cooperative; Kenneth Levandoski – Exelon; Andrew Clark – Sandia National Laboratory; Steve Ricker – East Kentucky Power Cooperative; Brad Yeates – Southern Company; Matthew Coulter – Duke Energy; Phillip Turner – Sandia National Laboratory; Scott Junkin – Southern Company; Susan Ritter – Duke Energy; Tim Wheeler – Sandia National Laboratory; Richard Atkinson – Arizona Public Service; Mark Denton – Duke Energy; Alice Muna – Sandia National Laboratory; Sandra Bittner – Arizona Public Service; Norman Geddes – Southern Eng. Services; Christine Lai – Sandia National Laboratory
Slide 17
EPRI TAM Overview
Slide 18
EPRI TAM – Attack Surface Characterization
Slide 19
Reference Cyber Security Data Sheets
A key part of the Supply Chain
• Step 1 & 2 by EPRI, Vendors, and other Stakeholders
• Starting point for tailored CSDS
Big Idea: You can create a CSDS too!
Cyber Security Technical Assessment Methodology: Vulnerability Identification and Mitigation, 3002008023
Slide 20
http://cred-c.org
@credcresearch
facebook.com/credcresearch/
Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security