john walsh, sypris on cyber physical systems - boston secot meetup 2015
TRANSCRIPT
Cyber Physical Systems Security In The APT Cyber Threat Environment
Securing Trust Requires Achieving Cyber Resilience – Cyber Physical: High Assurance Control Systems
John Walsh – President, Sypris June 10, 2015
Public Internet / Mobile Phone – “Growing Security Surface”
Market segments, from large market (low value per unit) to niche market (high value per unit):
• Personal Information Security – POS/Digital Identity; Identity Theft; Health Care
• Industrial / Commercial – Financial; Transportation
• Critical Infrastructure – Energy and Utilities; Industrial
• Allies & Foreign National (Suite B / HAIPE) – NATO; 5 Eyes; Channel Partners
• Type I – US Military; 3 Letter Agencies
Segment comparison criteria: Size, Requirement, Path, Customers, Margin?, Barriers?, Big Players
Sypris Value Chain (from least assurance to highest assurance): Sypher™, SiOMetrics™, Trust Beyond Manufacturing™, Cyber Range (Ops), Secure Enterprise, Secure Infrastructure (“Cyber Resilience”)
Delivery model: Organic / Collaborate / Partner
Disruptive Technology Platforms to Commercial That Leverage Type 1 Identity, Encryption, and Cyber to COTS (Lowest Cost/Complexity)
“The IoT is In the Product” Embedded Sensors, Controls, Com Links, “Touch Points/Access”…
• Security is the issue: our increasing dependence on Information and Communication Technologies (ICT) exposes the world to new risks. Large-scale security breaches are becoming more common. Cyber-terrorism is a real menace. Critical information infrastructures that support our financial system, the distribution of energy and food, as well as health and transportation face these risks.
• The threat is increasingly targeting cyber physical systems
• Example – Connected Vehicle – V2V… Cyber Physical
  – Messaging/Transactions, POS, Digital Gateway, Binding Personal Identity to Vehicle, Safety Systems, Entertainment, Automated Transportation Systems
  – End-Points or Integrated Mobile Device?
  – Increased Safety or Vulnerability?
We are Only Seeing the Tip of the Iceberg: Headline Grabbing Attacks
Tens of Thousands More Below the Surface: APT Attacks, Zero-Day Attacks, Polymorphic Attacks, Targeted Attacks
Premise for Cyber Physical – Assume the Adversary is Present; Design to Achieve Cyber Resilience – High Assurance
Contributing Factors for Increased Cyber Physical Risk
• Asymmetry Increasing – Industry Focus on Counter-measuring the Threat
• Adversary Collaboration, Sponsors, & Availability of Attacks/Tools
• Increasing Cyber Physical Connectivity and Dependence – IPv6: 325 Trillion Trillion Trillion Identities…
• Enabling Anonymity and Challenging Security in Cyber Space
• RSA: 95% of Successful Breaches in 2014 involved Compromise of Identity in Some Way to Gain Access
Cyber Economics – Lower Cost to Attack than to Defend
[Chart: “Cyber Warfare Symmetry” – cost to attack (min to max) versus policy effectiveness, with regions labelled Advantage: Attackers and Advantage: Defenders]
Attack Surface Growing:
• Cyber Activists Organize & Target Focused Attacks
• Fully Funded Organized Crime – Focused Attacks
• Nation State Sponsored/Rogue Attacks
Industry Challenge: Develop and Implement Methods to Reverse the Asymmetry – Achieve System Design Inherent Cyber Resilience
Cyber Resilience
Cyber Physical Systems Characteristics – “System of Systems” Architecture
• Complexity leads to many threat vectors and vulnerabilities
  – Systems of systems… design – complex interactions/compatibility
  – Many Human-to-Machine and Machine-to-Machine “Touch Points”
  – “Insider Threat Potential” must be considered
  – Maintenance, Overhaul and Repair; Upgrades… Supply Chain
  – Increasing Internet Connectivity and Embedded-Sensor-based Systems
  – Special Test Equipment, authentication, and access management
  – Legacy architecture compatibility – decades-old technology
  – Proprietary systems/standards… within SCADA et al
• Designed for cost and performance – not security
• Designed for naturally occurring events/environments
• APTs are becoming Nation State Capable – Systems Approach
• System security functional design responsibility and requirements (specs) – Design Org Structure (Integrate Cyber)
  – Gov’t, OEMs, Subsystem Providers, Universities…
Traditional Beliefs/Myths
• Air Gapped = Secure
• Compartmentalized = Secure
• Proprietary Silicon, Software, OS = Secure
• Proprietary Protocols = Secure
• Root of Trust in Hardware (Certificate & Software Based) is not spoof-able = Secure
• Passwords, BiOMetrics, Assigned Credentials, PKI Keys = Secure
• Short Range Bluetooth and other interfaces are less vulnerable
• Minimal need for platform cyber threat/malware detection, monitoring, and mitigation capabilities
• Vulnerabilities are few and the cost to hack is high
• Adding Security is Complex and Costly
Most Cyber Physical Systems – less secure than IT/Network Systems
Source: http://seattlevolt.com/wp-content/uploads/2012/07/Volt-transparent.png
[Figure: vehicle diagram with labelled components – Engine, RDS, Telematics, Brakes, Seatbelts, Keyfob, TPMS, V2V, R2V, Steering, Transmission, Airbags, Dashboard, Side Hazard Sensors, CANBUS Devices – and two access paths: Physical CANBUS Access and Remote Attack Vector]
Attack vectors shown on the diagram:
• CD-Based Firmware Updates
• Controlled Code Execution via .WMA File
• Buffer-Overflow w/ Bluetooth Paired Phone
• Buffer-Overflow in Cellular Modem
• Compromised Service Shop Computers
• CANBus Denial of Service Attacks
• Shell Access to Head Unit from USB Ports
• Onboard Cellular Auth Vulnerability
• Bluetooth PIN Brute-force
• FM RDS sends CAN Packets
A Complex Cyber Physical System with Multiple Access Points & Vulnerabilities
Complexity and Vulnerability Growing
• ~100 million lines of code per vehicle
  – 40% of Vehicle Cost
  – 50% of Warranty Claims
  – Increasing with advent of the “Connected Vehicle”, IPv6 Implementation, Automated Safety and Transportation (V2V)
• ~40+ Networks per vehicle
  – Inter and Intra net
  – 100+ sensors
  – Com/Sensor Links – On-Star, Phone, Internet, Bluetooth, CALM, DSRC, …
“Will the technologies we are developing to make vehicles safer be used to make them unsafe?”
Cyberphysical Attack – Targeting Vulnerabilities
Cyber Physical Systems Complexity
Real World Cyberphysical Attacks
Cyber Physical System – Determine Attack Vectors
Platform Simulations to Determine Attack Vector, Exploit, Specific Outcome
Attacks Designed to Accomplish Specific Outcomes
• Target specific components or entire subsystems/systems:
  – Theft; Hi-Jacking; Shutdown; Loss of Control/Impact; Isolate; Identity
  – Target individuals, organizations/manufacturers, …
• Vulnerabilities Provide Direct Access:
  – Vehicle Command, Control, Identity… Privacy:
  – ECUs; Guidance Systems
  – Sensor/Interlock Systems
  – Anti-lock Brake System (ABS)
  – Electronic Steering Systems (growing)
  – Accelerator & Transmission Shifting
  – Dynamic Controls & Anti-Collision
  – Com Links/Interfaces (On-Star; DSRC, Bluetooth, Phone, Emergency, Entertainment, Maintenance & Repair)
  – Security of Vehicle
  – Environmental Controls…
  – Vehicle Performance Indicators/Reporting (Fuel, Speed, Engine…)
  – Insurance Risk Assessment Monitoring
Vulnerability Identification Challenge Results (Major Automakers – Current Vehicles)
Vehicle 1: Disabled brakes on vehicle; controlled high beams of vehicle
Vehicle 2: Vehicle put in “Lockdown” mode – windows up, doors locked; maximum chair heat, maximum interior heat; seatbelt tightened, driver pressed against steering wheel
Vehicle 3: Vehicle rendered completely useless; vehicle easily stolen
Vehicle 4: Vehicle exhibited highest level of security – 2 days to gain electronic access & control
Vehicle 5: Vehicle exhibited least amount of security – 60 seconds to gain electronic access & control; CANBUS access via mirror
UNCLASSIFIED / FOR OFFICIAL USE ONLY 16
© 2015 by Sypris Electronics LLC, All Rights Reserved
Cyberphysical Attack – Targeting Vulnerabilities (FMEA)
High Assurance Resilient Controls Systems – Critical Controls Systems Vulnerability
SE Findings:
Creating a Robust Security Architecture – Layered High Assurance Approach to Security – Systems Approach
Use Cyber Physical Systems Modeling & Simulation – Vulnerability Assessment, Design, Test & Validation Tools
Unbounded possibilities for scenario modeling of:
• Network topologies
• SCADA systems
• Embedded Control systems
• Test and Evaluation of baseline configurations – Threat emulation
• Baseline change management – motivated by Technologies and/or Threats – assessing hardware and software options in a virtual environment prior to placing them on live ones
High Assurance Cyber Physical Systems – Resilient “Bus Architecture & Cyber/Physical Embedded Solutions”
• FMEA approach to prioritize countermeasures to attack vectors
• Integrated data and assured computation for Critical Control Systems/Bus Architecture – authentication/crypto secure and monitoring
• Treat cyber physical systems and controllers like Type-1 COMSEC
  – Protect the essential data (states, gains, etc.)
  – Authenticate the code – secure boot & processing
  – Authenticate the data sources/links
  – Tamper protection of the critical features – both on-platform and off-platform
  – Use of encryption and hardware (silicon) based identity as the root-of-trust
• Assume a malicious attack
  – Mother nature (physics, failures) is not the limiting factor
  – Attacks will target getting the control system into unintended or undocumented states (similar to traditional computer attack techniques)
  – High security software development techniques must be applied to control systems
  – Trusted computing techniques add hardware assurance to critical computing functions
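The “authenticate the data sources/links” and “protect the essential data” bullets, worked through on a CAN-style bus as an added example that is not from the deck or from Sypris: each frame carries a freshness counter and a truncated HMAC keyed with a per-ECU secret, and the receiving gateway distinguishes a genuine frame from a forged one (no key) and from a replayed one (stale counter). The key, the CAN identifier 0x0C2 and the 2/2/4-byte frame layout are constructed assumptions, not a real vehicle’s.

```python
import hmac
import hashlib
import struct

# Constructed example key: a per-ECU symmetric key provisioned at manufacture.
# In the deck's terms this is "essential data" a silicon root of trust would hold.
ECU_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TAG_LEN = 4  # truncated HMAC so payload + counter + tag fit one 8-byte CAN frame


def mac_tag(key, can_id, counter, payload):
    """HMAC-SHA256 over (CAN id, freshness counter, payload), truncated to TAG_LEN."""
    msg = struct.pack(">IH", can_id, counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key, can_id, counter, payload):
    """Sender ECU: 2-byte payload | 2-byte counter | 4-byte tag = 8 data bytes."""
    if len(payload) != 2:
        raise ValueError("payload must be exactly 2 bytes in this scheme")
    return payload + struct.pack(">H", counter) + mac_tag(key, can_id, counter, payload)


class Receiver:
    """Receiving ECU or gateway: authenticates the source and rejects replays."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}  # can_id -> highest counter accepted so far

    def verify(self, can_id, data):
        if len(data) != 8:
            return "malformed"
        payload, counter = data[:2], struct.unpack(">H", data[2:4])[0]
        expected = mac_tag(self.key, can_id, counter, payload)
        if not hmac.compare_digest(expected, data[4:]):
            return "bad-mac"  # no key holder produced this, or it was altered on the bus
        if counter <= self.last_counter.get(can_id, -1):
            return "replay"  # authentic bytes resent later: freshness check fails
        self.last_counter[can_id] = counter
        return "ok"


def demo():
    """The three outcomes a bus monitor should distinguish, on constructed frames."""
    steering_id = 0x0C2  # constructed CAN identifier, not a real ECU address
    rx = Receiver(ECU_KEY)
    good = build_frame(ECU_KEY, steering_id, 1, b"\x00\x10")
    accepted = rx.verify(steering_id, good)  # genuine, fresh frame
    replayed = rx.verify(steering_id, good)  # identical bytes a second time
    forged = build_frame(b"\x00" * 16, steering_id, 2, b"\x7f\xff")  # wrong key
    return accepted, replayed, rx.verify(steering_id, forged)
```

A 16-bit counter wraps, so a deployed scheme also needs a resynchronisation step and key storage the bus cannot read, which is the role the deck assigns to silicon-based identity.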
Securing the Smart Grid
• CKMS integrated with Sypris Cyber Range to support large scale testing of CKMS protocol and performance
• AMI Network modeled using Cyber Range Modeling and Simulation Canvas
• AMI Network deployed to virtual environment with external interface to CKMS Server
• Current AMI components include Collectors and Smart Meters
  – Collectors are similar to network routers
  – Smart Meters are managed as Groups for simplifying the creation of large scale networks
• Framework for testing CKMS with various key management technologies and network architectures
[Diagram: Sypris Cyber Range (Large-scale Testing) – a Black Objects™ CKMS server connected to an AMI Smart Meter Test Bed (Hardware In-Loop) and, over a Public Network, to a simulated AMI network]
AMI Smart Meter Test Bed (Hardware In-Loop):
• Collector = Windows PC + DNT900 Radio + Net+MeterMon Application
• Smart Meter Client = Landis+Gyr Meter Board + DNT900 Radio + Windows PC
• Smart Meter Clients (M1, M2) connect to the Collector over links labelled KMIP / 900 MHz
Simulated AMI network (Cyber Range):
• Collector = Cyber Range Router VM with Traffic Enable/Disable
• Smart Meter Group = Cyber Range Windows VM with CKMS Client Test Service
Links to the CKMS server: SSL with Mutual Authentication; Key Management Interoperability Protocol (KMIP) over Ethernet; Symmetric Key Cryptography
Considerations
• Systems approach to identify where encryption is required – based on Failure Modes Effects Analysis (FMEA)
• Encryption at low cost (power, size, price, data latency, processing overhead)
• Strength of encryption – multiple algorithms
• Standards based – FIPS; NIST; Type 1
• Flexibility for the future – algorithm updates; lifecycle approach
Enabling Protection of Critical Data & Processing for Commercial – Sypris Approach: SYPHER™
• Commercial Off-the-Shelf FPGA based cryptographic solution
• Secure Boot & Data at Rest Architecture
• Reuse of NSA certifiable solutions to commercial standards
• Scalable solution to fit specific SWaP requirements
• Standalone module or incorporated into an existing LRU
• Scalable to future FPGA technology advancements
• Field upgradeable / updateable
• Rapid customization design time
• Flexible interfaces
• Standard Libraries – Key Management; Audit & Access Control; Encryption algorithms
“Silicon Based Identity” as a Basis for Cyber Resilience – Provides all Credentials, “Root-of-Trust”
• Non-Transferable, Intrinsic Identity and Attestation – Deny Access
• Eliminates Storage of Information, Private Key (Keyless), Single Points of Failure – Lowest Vulnerability, Cost, & Complexity
Authentication “Holy Grail”
SiOMetrics™ Changes the “Rules of the Game”
SiOMetrics
Today’s Situation: • Assigned Identity • “Big Data” Analytics
Tomorrow’s Solution: • Extracted Hardware Identity • Hardware Root-Of-Trust • Reduction of Attack Surface • SiOMetrics Enhanced “Big Data” Analytics and Firewalls
[Chart: “Cyber Economics” – cost to defend versus cost to attack, with the “Cyber Gap” between the regions Advantage: Attackers and Advantage: Defenders, and Cyber Resilience marked on it]
“Plug-and-Play” SiOMetrics™ Enables Cyber Resilience With Universal Ease of Implementation and Scalability
• Patented architecture and algorithms
• Provides absolute proof of identity, enabling attestation and attribution
  - Anti-tamper, unclone-able
  - Reduces the cyber attack surface
• No storage of private data/information
• Eliminates the need for a Private Key
• Enables key-less and one-way authentication
• Ability to metadata-bind information to hardware identity to expand the Root-of-Trust
  - Binding of hardware ID complements “Big Data” and firewalls
• Each end point is unique due to its SiOMetrics™-derived fingerprint
• Life cycle beyond Quantum Computing - RSA 7068 bit versus SiO 384 bit
• Universally implementable, less complex, lower cost, highly scalable
• Can secure applications currently not available with current PKI or other security constructs
Rogues Play
Secure Identity Based Authentication (M2M; P2M; P2P)
• Current State – Protocols (i.e. FTP) utilize spoof-able IP address and software
  • Little to no security
• SiOMetrics™ State – Enables cryptographic binding of a non-spoof-able anti-tamper machine/device identity:
  • Machine-Machine or Device-Device Authentication
  • Mobile/Remote devices, Vehicle ID, Personal ID in addition to existing methods for role based access
  • Meta-Data binding for secure com/sensor link, “cloud data access”, … for all messaging and transactions on the bus and/or network
  • One Way Authentication per Event/Transaction; Revocation/Invocation of Privileges
  • No private or secret information storage required on devices or servers
ELIMINATES UNAUTHORIZED Vehicle Systems/Networks Access: – Role Based Restriction to Owners, Dealers, Authorized Repair, DOT…