john walsh, sypris on cyber physical systems - boston secot meetup 2015

Upload: paul-roberts

Post on 21-Aug-2015

Category: Technology

TRANSCRIPT

Cyber Physical Systems Security In The APT Cyber Threat Environment

Securing Trust – Requires Achieving Cyber Resilience
Cyber Physical – High Assurance Control Systems

John Walsh – President, Sypris, June 10, 2015

Sypris  Proprietary  

High Assurance Systems – Securing the Last Mile in Cyber!

[Slide chart: market segments arranged from least assurance (large market, low value per unit) to highest assurance (niche market, high value per unit), with rows labelled Size, Requirement, Path, Customers, Margin?, Barriers?, Segments and Big Players]

Public Internet / Mobile Phone, “Growing Security Surface” (Personal Information Security): POS/Digital Identity, Identity Theft, Health Care
Industrial / Commercial: Financial, Transportation
Critical Infrastructure: Energy and Utilities, Industrial
Allies & Foreign National (Suite B / HAIPE): NATO, 5 Eyes, Channel Partners
Type I: US Military, 3 Letter Agencies

Sypris Value Chain: Sypher™, SiOMetrics™, Trust Beyond Manufacturing™, Cyber Range (Ops), Secure Enterprise, Secure Infrastructure “Cyber Resilience” (Organic / Collaborate / Partner)

Disruptive Technology Platforms to Commercial That Leverage Type 1 Identity, Encryption, and Cyber to COTS (Lowest Cost/Complexity)

“The IoT is In the Product” – Embedded Sensors, Controls, Com Links, “Touch Points/Access”…

Ξ Security is the issue:
• Our increasing dependence on Information and Communication Technologies (ICT) exposes the world to new risks. Large-scale security breaches are becoming more common. Cyber-terrorism is a real menace. Critical information infrastructures that support our financial system, the distribution of energy and food, as well as health and transportation face these risks.

Ξ The threat is increasingly targeting cyber physical systems
Ξ Example – Connected Vehicle – V2V… Cyber Physical
• Messaging/Transactions, POS, Digital Gateway, Binding Personal Identity to Vehicle, Safety Systems, Entertainment, Automated Transportation Systems
• End-Points or Integrated Mobile Device?
• Increased Safety or Vulnerability?

We are Only Seeing the Tip of the Iceberg: Headline Grabbing Attacks

Tens of Thousands More Below the Surface: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks

Premise for Cyber Physical – Assume the Adversary is Present; Design to Achieve Cyber Resilience – High Assurance

Contributing Factors for Increased Cyber Physical Risk!

Asymmetry Increasing – Industry Focus on Counter-measuring the Threat

Adversary Collaboration, Sponsors, & Availability of Attacks/Tools!

Increasing Cyber Physical Connectivity and Dependence – IPv6: about 340 trillion trillion trillion (2^128) addresses/identities……

Enabling Anonymity and Challenging Security in Cyber Space

RSA: 95% of Successful Breaches in 2014 involved Compromise of Identity in Some Way to Gain Access

Cyber Economics – Lower Cost to Attack than to Defend

[Chart labelled Cost to Attack, Policy Effectiveness (min to max), Attack Surface Growing, Cyber Warfare Symmetry, Advantage: Attackers / Advantage: Defenders]

• Cyber Activists Organize & Target Focused Attacks
• Fully Funded Organized Crime – Focused Attacks
• Nation State Sponsored/Rogue Attacks

Industry Challenge: Develop and Implement Methods to Reverse the Asymmetry – Achieve System Design Inherent Cyber Resilience

Cyber Resilience

Cyber Physical Systems Characteristics – “System of Systems” Architecture

Ξ Complexity leads to many threat vectors and vulnerabilities
• Systems of systems….. design… – complex interactions/compatibility
• Many Human-to-Machine and Machine-to-Machine “Touch Points”
• “Insider Threat Potential” must be considered
• Maintenance, Overhaul and Repair; Upgrades…. Supply Chain
• Increasing Internet Connectivity and Embedded Sensor based Systems
• Special Test Equipment, authentication, and access management
• Legacy architecture compatibility – decades old technology
• Proprietary systems/standards……. Within SCADA et al.

Ξ Designed for cost and performance – not security
Ξ Designed for naturally occurring events/environments
Ξ APTs are becoming Nation State Capable – Systems Approach
Ξ System security functional design responsibility and requirements (specs) – Design Org Structure (Integrate Cyber)
• Gov’t, OEMs, Subsystem Providers, Universities….

Traditional Beliefs/Myths
Ξ Air Gapped = Secure
Ξ Compartmentalized = Secure
Ξ Proprietary Silicon, Software, OS = Secure
Ξ Proprietary Protocols = Secure
Ξ Root of Trust in Hardware (Certificate & Software Based) are not spoof-able = Secure
Ξ Passwords, Biometrics, Assigned Credentials, PKI Keys = Secure
Ξ Short Range Bluetooth, and other interfaces are less vulnerable
Ξ Minimal need for platform cyber threat/malware detection, monitoring, and mitigation capabilities
Ξ Vulnerabilities are few and the cost to hack is high
Ξ Adding Security is Complex and Costly

Most Cyber Physical Systems – less secure than IT/Network Systems

[Vehicle diagram, image source: http://seattlevolt.com/wp-content/uploads/2012/07/Volt-transparent.png]

Labelled subsystems: Engine, RDS, Telematics, Brakes, Seatbelts, Keyfob, TPMS, V2V, Steering, Transmission, Airbags, Dashboard, Side Hazard Sensors, R2V, CANBUS Devices; annotated with Physical CANBUS Access and Remote Attack Vector

Attack vectors shown on the diagram:
• CD-Based Firmware Updates
• Controlled Code Execution via .WMA File
• Buffer-Overflow w/ Bluetooth Paired Phone
• Buffer-Overflow in Cellular Modem
• Compromised Service Shop Computers
• CANBus Denial of Service Attacks
• Shell Access to Head Unit from USB Ports
• Onboard Cellular Auth Vulnerability
• Bluetooth PIN Brute-force
• FM RDS sends CAN Packets

A Complex Cyber Physical System with Multiple Access Points & Vulnerabilities
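Every vector in the list above ends the same way: frames arriving on the CAN bus that the receiving ECUs accept without question. The simplest platform-side monitoring for that is rate-based anomaly detection per arbitration ID. The following is an added example, not code from this deck or from Sypris: it parses candump-style log lines (the log and the baseline rates are constructed here), compares per-ID frame rates against a hypothetical learned baseline, and flags both injected traffic on a known ID and a flood of the highest-priority ID 0x000, the classic CAN denial of service.

```python
"""Rate-based CAN bus anomaly detection over candump-style log lines.

Added example, not from the Sypris deck. Assumes the candump -L text format
"(timestamp) iface ID#DATA"; the baseline rates and the log itself are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)

# Hypothetical learned baseline: frames per second per arbitration ID on a healthy bus.
BASELINE_HZ = {0x0C1: 100.0, 0x1A0: 50.0}


def parse_candump(text):
    """Return a list of (timestamp, can_id, payload_bytes); garbled lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def frame_rates(frames, window_s):
    """Frames per second per ID over a capture window of window_s seconds."""
    counts = defaultdict(int)
    for _, can_id, _ in frames:
        counts[can_id] += 1
    return {cid: n / window_s for cid, n in counts.items()}


def detect(frames, baseline, window_s, rate_factor=3.0, dos_id=0x000, dos_min_hz=100.0):
    """Return alerts as (kind, can_id, observed_hz), ordered by ID.

    dos_flood:    ID 0x000 wins every arbitration, so a burst of it starves all other ECUs.
    rate_anomaly: a known ID far above its baseline rate, the signature of frame injection
                  (the spoofer must out-transmit the legitimate ECU to win the argument).
    unknown_id:   an ID never seen on the healthy bus.
    """
    alerts = []
    for cid, hz in sorted(frame_rates(frames, window_s).items()):
        if cid == dos_id:
            if hz >= dos_min_hz:
                alerts.append(("dos_flood", cid, hz))
        elif cid not in baseline:
            alerts.append(("unknown_id", cid, hz))
        elif hz > rate_factor * baseline[cid]:
            alerts.append(("rate_anomaly", cid, hz))
    return alerts


def build_sample_log():
    """Constructed one-second capture: normal traffic, then injection, then a DoS burst."""
    t0 = 1436000000.0
    lines = []
    for i in range(100):                      # 0x0C1 every 10 ms (100 Hz): normal
        lines.append(f"({t0 + i * 0.010:.6f}) can0 0C1#0000400000000000")
    for i in range(50):                       # 0x1A0 every 20 ms (50 Hz): normal
        lines.append(f"({t0 + i * 0.020:.6f}) can0 1A0#0A00000000000000")
    for i in range(200):                      # attacker injects 0x1A0 at 1 kHz for 200 ms
        lines.append(f"({t0 + 0.300 + i * 0.001:.6f}) can0 1A0#FF00000000000000")
    for i in range(500):                      # 500 frames of ID 0x000 in the last 100 ms
        lines.append(f"({t0 + 0.900 + i * 0.0002:.6f}) can0 000#0000000000000000")
    lines.append("garbled line from a dropped USB adapter")   # exercises the parser's skip path
    return "\n".join(lines)


def analyze(window_s=1.0):
    """Run the detector over the constructed capture and return its alerts."""
    return detect(parse_candump(build_sample_log()), BASELINE_HZ, window_s)


if __name__ == "__main__":
    for kind, cid, hz in analyze():
        print(f"{kind:13s} id=0x{cid:03X} {hz:.0f} frames/s")
```

Rate-based detection is cheap enough to run on a gateway ECU, but it is blind to a single well-timed frame and to an attacker who first silences the legitimate transmitter; that is why the deck's later point about authenticating the data sources and links matters in addition to monitoring.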

Complexity and Vulnerability Growing
Ξ ~100 million lines of code per vehicle
• 40% of Vehicle Cost
• 50% of Warranty Claims
• Increasing with advent of the “Connected Vehicle”, IPv6 Implementation, Automated Safety and Transportation (V2V)

Ξ ~40+ Networks per vehicle
• Inter and Intra net
• 100+ sensors
• Com/Sensor Links – OnStar, Phone, Internet, Bluetooth, CALM, DSRC, ……

“Will the technologies we are developing to make vehicles safer be used to make them unsafe?”

Cyberphysical Attack – Targeting Vulnerabilities

Cyber Physical Systems Complexity

Real World Cyberphysical Attacks

Cyber Physical System – Determine Attack Vectors


Platform Simulations to Determine Attack Vector, Exploit, Specific Outcome

Attacks Designed to Accomplish Specific Outcomes
Ξ Target specific components or entire subsystems/systems:
• Theft; Hi-Jacking; Shutdown; Loss of Control/Impact; Isolate; Identity
• Target individuals, organizations/manufacturers,…..

Ξ Vulnerabilities Provide Direct Access:
• Vehicle Command, Control, Identity….. Privacy:
• ECUs; Guidance Systems
• Sensor/Interlock Systems
• Anti-lock Brake System (ABS)
• Electronic Steering Systems (growing)
• Accelerator & Transmission Shifting
• Dynamic Controls & Anti-Collision
• Com Links/Interfaces (OnStar; DSRC, Bluetooth, Phone, Emergency, Entertainment, Maintenance & Repair)
• Security of Vehicle
• Environmental Controls…
• Vehicle Performance Indicators/Reporting (Fuel, Speed, Engine..)
• Insurance Risk Assessment Monitoring

Vulnerability Identification Challenge Results (Major Automakers – Current Vehicles)

Vehicle 1: Disabled brakes on vehicle; controlled high beams of vehicle
Vehicle 2: Vehicle put in “lockdown” mode: windows up, doors locked; maximum chair heat, maximum interior heat; seatbelt tightened, driver pressed against steering wheel
Vehicle 3: Vehicle rendered completely useless; vehicle easily stolen
Vehicle 4: Vehicle exhibited highest level of security; 2 days to gain electronic access & control
Vehicle 5: Vehicle exhibited least amount of security; 60 seconds to gain electronic access & control; CANBUS access via mirror

UNCLASSIFIED / FOR OFFICIAL USE ONLY 16

©  2015  by  Sypris  Electronics  LLC,  All  Rights  Reserved  


High Assurance Resilient Control Systems – Critical Control Systems Vulnerability

SE Findings:

Creating a Robust Security Architecture – Layered High Assurance Approach to Security – Systems Approach


Use Cyber Physical Systems Modeling & Simulation – Vulnerability Assessment, Design, Test & Validation Tools

Unbound possibilities for scenario modeling of:
• Network topologies
• SCADA systems
• Embedded Control systems
• Test and Evaluation of baseline configurations – Threat emulation
• Baseline change management – Motivated by Technologies and/or Threats – Assessing hardware and software options in a virtual environment prior to being placed on live ones


High Assurance Cyber Physical Systems – Resilient “Bus Architecture & Cyber/Physical Embedded Solutions”

• FMEA approach to prioritize countermeasures to attack vectors
• Integrated data and assured computation for Critical Control Systems/Bus Architecture – authentication/crypto secure and monitoring
• Treat cyber physical systems and controllers like Type-1 COMSEC
– Protect the essential data (states, gains, etc.)
– Authenticate the code – secure boot & processing
– Authenticate the data sources/links
– Tamper protection of the critical features – Both on-platform and off-platform
– Use of encryption and hardware (silicon) based identity as the root-of-trust
• Assume a malicious attack
– Mother nature (physics, failures) is not the limiting factor
– Attacks will target getting the control system into unintended or undocumented states (similar to traditional computer attack techniques)
– High security software development techniques must be applied to control systems
– Trusted computing techniques add hardware assurance to critical computing functions
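“Authenticate the data sources/links” on a control bus means, concretely, a per-frame message authentication code keyed per transmitting ECU plus a freshness value, so that neither a forged frame nor a recording of a genuine one is accepted (the CAN bus DoS and RDS-injection vectors listed earlier both rely on the bus accepting any frame). The following is an added example, not Sypris's bus architecture or the SYPHER design: the key is a constructed stand-in for one that would be provisioned from the hardware root of trust, and the frame is a logical tuple rather than a bit-exact CAN or CAN FD frame.

```python
"""Authenticated control-bus frames: per-ID sender key, truncated HMAC, monotonic counter.

Added example, not a Sypris design. K_BRAKE is a constructed key; on a real platform
the ECU would obtain it from its hardware root of trust rather than from a constant.
"""
import hashlib
import hmac
import struct

MAC_LEN = 4   # bytes of the HMAC-SHA256 tag carried on the bus (payload space is scarce)

# Constructed key for the ECU that owns arbitration ID 0x1A0 (say, the brake controller).
K_BRAKE = hashlib.sha256(b"constructed example key - brake ECU").digest()


def _tag(key, can_id, ctr, payload):
    """MAC over ID || counter || payload so none of the three can be swapped independently."""
    msg = struct.pack(">HI", can_id, ctr) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Sender:
    """An ECU that owns one arbitration ID and tags every frame with a fresh counter."""

    def __init__(self, can_id, key):
        self.can_id, self.key, self.ctr = can_id, key, 0

    def send(self, payload):
        self.ctr += 1                      # monotonic: never reused, never reset in normal operation
        return (self.can_id, self.ctr, payload, _tag(self.key, self.can_id, self.ctr, payload))


class Receiver:
    """A gateway or consumer ECU holding the verification key for each ID it accepts."""

    def __init__(self, keys_by_id):
        self.keys = dict(keys_by_id)
        self.last_ctr = {}                 # highest counter accepted per ID

    def accept(self, frame):
        can_id, ctr, payload, mac = frame
        key = self.keys.get(can_id)
        if key is None:
            return False, "unknown id"     # nobody is authorised to transmit this ID
        # Check the MAC before the counter so an unauthenticated frame cannot move our window.
        if not hmac.compare_digest(_tag(key, can_id, ctr, payload), mac):
            return False, "bad mac"
        if ctr <= self.last_ctr.get(can_id, 0):
            return False, "replay"
        self.last_ctr[can_id] = ctr
        return True, "ok"


def demo():
    """Walk through accept / replay / tamper / forge / unknown and return the verdicts in order."""
    brake_ecu = Sender(0x1A0, K_BRAKE)
    gateway = Receiver({0x1A0: K_BRAKE})
    verdicts = []

    f1 = brake_ecu.send(b"\x00\x0a")
    verdicts.append(gateway.accept(f1)[1])                     # ok
    verdicts.append(gateway.accept(f1)[1])                     # replay of a genuine frame

    f2 = brake_ecu.send(b"\x00\x0b")
    tampered = (f2[0], f2[1], b"\xff\xff", f2[3])              # payload changed, MAC kept
    verdicts.append(gateway.accept(tampered)[1])               # bad mac
    verdicts.append(gateway.accept(f2)[1])                     # the untouched frame: ok

    rogue = Sender(0x1A0, b"compromised head unit has no key")  # spoofs the ID, not the key
    verdicts.append(gateway.accept(rogue.send(b"\x00\x00"))[1])  # bad mac

    verdicts.append(gateway.accept((0x7FF, 1, b"", b"\x00" * MAC_LEN))[1])  # unknown id
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two practical caveats. On classical CAN the 8-byte payload leaves no room for a 4-byte counter and a 4-byte tag, so fielded schemes transmit only the low counter bits (reconstructing the rest from receiver state) or move to CAN FD; and a 32-bit tag lets a forger succeed with probability 2^-32 per attempt, which is acceptable only because the bus bit rate bounds the number of attempts. Counters must also survive ECU resets, or a resynchronisation step is needed, otherwise a receiver that reboots to zero will accept every recorded frame again.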


Securing the Smart Grid

• CKMS Integrated with Sypris Cyber Range to support large scale testing of CKMS protocol and performance
• AMI Network modeled using Cyber Range Modeling and Simulation Canvas
• AMI Network Deployed to Virtual Environment with External Interface to CKMS Server
• Current AMI Components include Collectors and Smart Meters
– Collectors are similar to network routers
– Smart Meters are managed as Groups for simplifying the creation of large scale networks
• Framework for testing CKMS with various key management technologies and network architectures

[Diagram: Sypris Cyber Range (large-scale testing) and an AMI Smart Meter Test Bed (hardware in the loop), both connected to Black Objects™ CKMS]

AMI Smart Meter Test Bed (Hardware In-Loop): Collector = Windows PC + DNT900 Radio + Net+MeterMon Application; Smart Meter Client (M1, M2) = Landis+Gyr Meter Board + DNT900 Radio + Windows PC. Smart Meter Clients reach the Collector over 900 MHz radio (KMIP); the Collector reaches CKMS over Key Management Interoperability Protocol (KMIP) over Ethernet, inside SSL with Mutual Authentication; symmetric key cryptography on the meter side.

Sypris Cyber Range (Large-scale Testing): Collector = Cyber Range Router VM with Traffic Enable/Disable; Smart Meter Group = Cyber Range Windows VM with CKMS Client Test Service; connected to CKMS across a Public Network using KMIP over Ethernet with SSL Mutual Authentication.


Considerations – Systems approach to identify where encryption is required
• Based on Failure Modes Effects Analysis (FMEA)
– Encryption at low cost (power, size, price, data latency, processing overhead)
– Strength of encryption – multiple algorithms
– Standards based: FIPS, NIST, Type 1
– Flexibility for the future: Algorithm updates, Lifecycle approach

Enabling Protection of Critical Data & Processing for Commercial – Sypris Approach: SYPHER™

• Commercial Off-the-Shelf FPGA based cryptographic solution
• Secure Boot & Data at Rest Architecture
• Reuse of NSA certifiable solutions to commercial standards
• Scalable solution to fit specific SWaP requirements
• Standalone module or incorporated into an existing LRU
• Scalable to future FPGA technology advancements
• Field upgradeable / updateable
• Rapid customization design time
• Flexible interfaces
• Standard Libraries: Key Management, Audit & Access Control, Encryption algorithms
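Both the bus-architecture list (“Authenticate the code – secure boot & processing”) and the SYPHER feature list name secure boot without showing what it consists of. The following is an added example, not the SYPHER design or any Sypris code: a chain-of-trust boot in which each stage is measured before it runs and compared with the digest that the previous, already-verified stage carries, with the first digest held in immutable storage standing in for the hardware root of trust. The images and ROM value are constructed bytes; a production design would verify a signature or an authenticated manifest instead of a bare embedded hash, but the verify-before-execute order is the same.

```python
"""Chain-of-trust boot with an immutable root digest.

Added example, not the SYPHER design. Stage images are constructed bytes with the
layout  [32-byte digest of the next stage][stage code]; the ROM digest plays the
hardware root of trust and is assumed to be unmodifiable.
"""
import hashlib
import hmac

DLEN = 32                                  # SHA-256 digest length
TERMINAL = b"\x00" * DLEN                  # last stage points at nothing


def measure(image):
    return hashlib.sha256(image).digest()


def make_stage(code, next_digest):
    return next_digest + code


def build_chain(stage_codes):
    """Build images last-to-first so each one embeds the digest of its successor.

    Returns (rom_digest, images). rom_digest is what gets burned into ROM / fuses.
    """
    images = []
    next_digest = TERMINAL
    for code in reversed(stage_codes):
        img = make_stage(code, next_digest)
        images.insert(0, img)
        next_digest = measure(img)
    return next_digest, images


def secure_boot(rom_digest, images):
    """Verify each stage before 'running' it. Returns (booted, indexes_of_stages_run).

    The digest used to check stage N comes from stage N-1, which was itself checked,
    so trust flows from the ROM value through every stage with no unverified gap.
    """
    expected = rom_digest
    ran = []
    for idx, img in enumerate(images):
        if not hmac.compare_digest(measure(img), expected):
            return False, ran              # halt here; never execute unverified code
        ran.append(idx)                    # "execute" the stage
        expected = img[:DLEN]              # now, and only now, trust its embedded digest
    return True, ran


def demo():
    """Returns the boot result for a clean chain, a tampered app, and a tampered kernel."""
    rom, imgs = build_chain([b"bootloader v1", b"kernel v1", b"control app, gain=0.42"])
    good = secure_boot(rom, imgs)

    # Attacker modifies the application stage, e.g. through a service-shop update tool.
    evil_app = make_stage(b"control app, gain=9.99", TERMINAL)
    app_tampered = imgs[:2] + [evil_app]

    # Attacker replaces the kernel and correctly embeds the genuine app's digest in it;
    # still fails, because the bootloader carries the digest of the original kernel.
    evil_kernel = make_stage(b"kernel with backdoor", imgs[1][:DLEN])
    kernel_tampered = [imgs[0], evil_kernel, imgs[2]]

    return good, secure_boot(rom, app_tampered), secure_boot(rom, kernel_tampered)


if __name__ == "__main__":
    for label, result in zip(("clean", "app tampered", "kernel tampered"), demo()):
        print(f"{label:16s} booted={result[0]} stages_run={result[1]}")
```

A pure hash chain freezes every stage at build time: changing the application means re-issuing the digests all the way up to ROM, which is why fielded designs (and the “field upgradeable” requirement on the SYPHER slide) put a public key in ROM and sign each stage, or sign a manifest of digests, instead. The verification order does not change. Measure the copy you are about to execute, not a buffer that can be swapped after the check.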


“Silicon Based Identity” as a Basis for Cyber Resilience – Provides all Credentials “Root-of-Trust”

✓ Non-Transferable, Intrinsic Identity and Attestation – Deny Access
✓ Eliminates Storage of Information, Private Key (Keyless), Single Points of Failure – Lowest Vulnerability, Cost, & Complexity

Authentication “Holy Grail”

SiOMetrics™ Changes the “Rules of the Game”

[Chart: Cyber Economics – Cost to Defend vs. Cost to Attack, “Cyber Gap”, Advantage: Attackers / Advantage: Defenders, Cyber Resilience]
Today’s Situation: Assigned Identity; “Big Data” Analytics
Tomorrow’s Solution: Extracted Hardware Identity; Hardware Root-Of-Trust; Reduction of Attack Surface; SiOMetrics Enhanced “Big Data” Analytics and Firewalls

“Plug-and-Play” SiOMetrics™ Enables Cyber Resilience With Universal Ease of Implementation and Scalability

• Patented architecture and algorithms
• Provides absolute proof of identity, enabling attestation and attribution
- Anti-tamper, unclone-able
- Reduces the cyber attack surface
• No storage of private data/information
• Eliminates the need for a Private Key
• Enables key-less and one-way authentication
• Ability to metadata bind information to hardware identity to expand the Root-of-Trust
- Binding of hardware ID complements “Big Data” and firewalls
• Each end point is unique due to its SiOMetrics™-derived fingerprint
• Life cycle beyond Quantum Computing - RSA 7068 bit versus SiO 384 bit
• Universally implementable, less complex, lower cost, highly scalable
• Can secure applications currently not available with current PKI or other security constructs

Sypris Proprietary and Confidential ©2015

Rogues Play

(M2M; P2M; P2P)

Secure Identity Based Authentication
• Current State – Protocols (i.e. FTP) utilize spoof-able IP address and software.
• Little to no security
• SiOMetrics™ State – Enables Cryptographic binding of a non spoof-able anti-tamper machine/device identity:
• Machine-Machine or Device-Device Authentication
• Mobile/Remote devices, Vehicle ID, Personal ID in addition to existing methods for role based access.
• Meta-Data binding for secure com/sensor link, “cloud data access”,…. for all messaging and transactions on the bus and/or network
• One Way Authentication per Event/Transaction; Revocation/Invocation of Privileges
• No private or secret information storage required on devices or servers

ELIMINATES UNAUTHORIZED Vehicle Systems/Networks Access: – Role Based Restriction to Owners, Dealers, Authorized Repair, DOT….
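The SiOMetrics slides above and this one rest on one idea: the device key is extracted from the silicon at run time and never stored, so there is no key at rest to steal or clone. The deck does not describe its algorithm, so what follows is an added example of the textbook code-offset fuzzy extractor, not the SiOMetrics scheme: the noisy hardware fingerprint is simulated with a seeded bit pattern plus controlled bit flips, a repetition code corrects the noise, and the only thing kept on the device is public helper data. It also exercises the two failure modes a practitioner should test for: noise beyond the code's correction capacity, and a different chip presenting the same helper data.

```python
"""Code-offset fuzzy extractor with a repetition code (textbook construction).

Added example, not the SiOMetrics algorithm. The 'hardware fingerprint' is simulated:
a seeded pseudo-random bit string stands in for a PUF / silicon measurement, and
noisy_read() applies a fixed number of bit flips per code block.
"""
import hashlib
import random

R = 7            # repetition factor: majority decoding corrects up to 3 flips per block
KEY_BITS = 128   # secret bits; the fingerprint needs KEY_BITS * R response bits


def derive_key(secret_bits):
    """Hash the recovered secret so the output key is uniform even if the secret is not."""
    return hashlib.sha256(bytes(secret_bits)).hexdigest()


def expand(secret_bits):
    """Encode: repeat each secret bit R times (the codeword)."""
    return [b for b in secret_bits for _ in range(R)]


def enroll(fingerprint, rng):
    """One-time enrollment: pick a random secret, publish helper = fingerprint XOR codeword.

    The helper reveals nothing about the secret if the fingerprint bits are uniform and
    independent; neither the secret nor the key is stored anywhere after enrollment.
    """
    secret = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    helper = [f ^ c for f, c in zip(fingerprint, expand(secret))]
    return helper, derive_key(secret)


def reproduce(fingerprint, helper):
    """Every boot: XOR the fresh (noisy) fingerprint with the helper and majority-decode."""
    noisy_codeword = [f ^ h for f, h in zip(fingerprint, helper)]
    secret = [1 if sum(noisy_codeword[i:i + R]) * 2 > R else 0
              for i in range(0, len(noisy_codeword), R)]
    return derive_key(secret)


def simulated_fingerprint(chip_seed):
    """Stand-in for reading the silicon: deterministic per chip, different across chips."""
    rng = random.Random(chip_seed)
    return [rng.getrandbits(1) for _ in range(KEY_BITS * R)]


def noisy_read(fingerprint, flips_per_block, rng):
    """Simulate measurement noise by flipping flips_per_block distinct bits in every block."""
    out = list(fingerprint)
    for start in range(0, len(out), R):
        for pos in rng.sample(range(start, start + R), flips_per_block):
            out[pos] ^= 1
    return out


def demo():
    """Returns (recovers_within_capacity, recovers_beyond_capacity, other_chip_matches)."""
    rng = random.Random(2015)
    chip_a = simulated_fingerprint(chip_seed=1)
    helper, enrolled_key = enroll(chip_a, rng)

    key_ok = reproduce(noisy_read(chip_a, 3, rng), helper)          # 3 flips/block: corrected
    key_too_noisy = reproduce(noisy_read(chip_a, 4, rng), helper)   # 4 flips/block: every bit inverts
    key_clone = reproduce(simulated_fingerprint(chip_seed=2), helper)  # other silicon, stolen helper

    return key_ok == enrolled_key, key_too_noisy == enrolled_key, key_clone == enrolled_key


if __name__ == "__main__":
    print(demo())
```

Two caveats that separate a demo from a deployable design. Repetition-code helper data leaks secret bits when the fingerprint is biased (a known weakness), so real extractors use stronger codes such as BCH and account for the min-entropy actually left after publishing the helper. And “keyless” means no key at rest: the derived key still lives in RAM while it is used, so the tamper protection and code-integrity measures on the rest of the platform are what keep it from being read out.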

A Diverse Set of Current Applications

HIGH ASSURANCE PLATFORM SECURITY / CONTROL SYSTEMS

POINT OF SERVICE

DIGITAL CURRENCY, SECURE COMMUNICATIONS / DATA TRANSFER

CRITICAL INFRASTRUCTURE

ENTERPRISE NETWORK SECURITY
