TRANSCRIPT
-
Caterpillar: Non-Confidential
SANS Automotive Cybersecurity Summit, Detroit, Michigan
May 1-2, 2017
PWBierdeman
Securing The Internet of BIG Things
-
2
Agenda
• Caterpillar
• Security for the Internet of Things (IoT)
• Caterpillar strategy for IoT Security
• Obstacles
• Vision
-
3
The Age of Smart Iron
https://youtu.be/hj7bk2X9Zxw
-
4
Cat® Machines
• Diverse range of non-road products
• 30+ machine types with multiple models
-
216B Skid Steer
Me: 1.78 / 65kg
Skid Steer:
L/W/H (m) 3.23 / 1.52 / 1.95
Weight (kg) 2589kg
Engine 2.2L Cat® 3024C, 37kW
5
-
797F Mining Truck
L/W/H (m) 15.08 / 9.76 / 7.71
Weight (kg) 251998 kg (empty)
Engine 106L Cat® C175-20, 2983 kW
216B Skid Steer (for comparison): L/W/H (m) 3.23 / 1.52 / 1.95, 2589kg, 2.2L Cat® 3024C, 37kW
6
-
7
Introduction
IoT, the “Internet of Things”, is the network of interconnected devices that optimize daily activity: labor saving devices, assistants, conveniences, remote access, ...
Caterpillar’s Internet of BIG Things means network connectivity of really big & heavy machines, promoting greater uptime at a lower cost and using data analytics to increase safety, convenience, comfort and energy efficiency.
While improved connectivity enables useful features, it also increases the attack surface for malicious activity. Security vulnerabilities must be minimized to counteract unauthorized intervention by cyber attackers.
Information Technology (IT), Operational Technology (OT) & Industrial Internet of Things (IIoT) all require a secure foundation. This talk follows an IoT security approach, with comments and suggestions drawn from Caterpillar Electronics’ experience.
-
8
Industry Standard Approach
Steps to Address Security for the IoT*
1. Assess Security Impact in Diverse Environments
2. Apply a Multi-Faceted Security Approach
3. Define Lifecycle Controls
4. Partner for Success
This perspective on “Securing the Internet of BIG Things” was adapted as a reference framework to examine lessons learned during Caterpillar’s embedded security journey.
Greater complexity leads to greater security risk.
*Harbor Research: Security for the Internet of Things, 2016.
-
9
Security Infrastructure Includes:
• Product & ECU onboard network
• Back office: web servers & databases
• Development environment: source code & tools
• Service tools
• Manufacturing / ECU provisioning
• Test labs, tools & pilots
• Flash files
• Customer fleet
• Worldwide communications
• Internet
Diagram elements: ECU, User Device, Cloud, HSM (Hardware Security Module). All components must trust each other.
-
10
1. Assess Security Impact
Identify attackers
Identify attacks
Determine for each attacker-attack pair the likelihood and impact of an attack (likelihood x impact = risk)
Identify all attacks with high risk (= high likelihood x high impact)
Derive countermeasures and recommendations for improvement
• Only identify attacks with high risk at this point
• At a later point, consider all attacks with
  • high impact (low or medium likelihood)
  • medium impact and high or medium likelihood
• Finally, consider remaining risks of low impact or low likelihood.
Similar to FMEA
Update every couple of years
Security Risk Assessment
Assess all infrastructure components independently for:
• Compliance with best practice
• Physical environment
• Legal & Regulatory
• Privacy concerns
• Communications protocols
• Who gets data
• Duration of storage
Attacker goals: Capture, Disrupt, Manipulate
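The staged review order above (likelihood x impact, high-risk pairs first, then the high-impact and medium-impact tiers, then the rest), worked as an added Go example that is not from the deck or from Caterpillar. The Low/Medium/High scale, the Pair type and the constructed sample register are my assumptions; the attack names are taken from the deck's concerns slide.

```go
package main

import "fmt"
import "sort"

// Level is a coarse likelihood or impact rating (Low < Medium < High).
type Level int
const (
	Low Level = iota + 1
	Medium
	High
)

// Pair is one attacker/attack combination rated in Step 1.
type Pair struct {
	Attacker, Attack   string
	Likelihood, Impact Level
}
// Risk is the slide's score: likelihood x impact.
func (p Pair) Risk() int { return int(p.Likelihood) * int(p.Impact) }
// Pass is the review pass per the slide: 1 high x high only; 2 high impact at
// lower likelihood; 3 medium impact with medium/high likelihood; 4 the rest.
func (p Pair) Pass() int {
	switch {
	case p.Likelihood == High && p.Impact == High:
		return 1
	case p.Impact == High:
		return 2
	case p.Impact == Medium && p.Likelihood >= Medium:
		return 3
	}
	return 4
}
// Triage sorts by pass, then by descending risk, without mutating the input.
func Triage(pairs []Pair) []Pair {
	out := append([]Pair(nil), pairs...)
	sort.SliceStable(out, func(i, j int) bool {
		pi, pj := out[i].Pass(), out[j].Pass()
		return pi < pj || (pi == pj && out[i].Risk() > out[j].Risk())
	})
	return out
}

func main() { // constructed sample register; attack names follow the concerns slide
	reg := []Pair{{"Competitor", "Capture telematics data", Medium, Medium},
		{"Insider", "Tamper with flash file in dev environment", Low, High},
		{"Outsider", "Unauthorized remote manipulation of ECU", High, High}}
	fmt.Println(Triage(reg)) // pass-1 item first, then pass 2, then pass 3
}
```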
-
11
Embedded Security is NOT THE SAME as Network or PC-based Security
Embedded Security (Caterpillar ECU):
• Attackers have constant physical access to all electronics
• Attackers can manipulate or replace all built-in components
• Attackers have unlimited time to try unlimited offline attacks
• Discovered vulnerabilities must be fixed in hundreds or thousands of units
• Products deployed may operate for many years without change
Network / PC Security (Caterpillar Office):
• Attackers seldom have physical access to target systems
• Very little manipulation and no component replacement
• Attacks can be filtered
• Repairs can be made in a central location
• System updates as needed, when needed
Priority order: Caterpillar Office CIA, Caterpillar ECU AIC
Step 1a: Assess Security Impact
Claim: IoT Security Baseline is: Proper IT Security – but...
-
12
Security Risk Assessment identifies Concerns of Embedded Systems:
• Enforce Safety & Quality
• Support Brand reputation
• Enable new business opportunities
• Ensure embedded system integrity
• Support Performance metrics
• Prevent unauthorized configurations
• Avoid unauthorized remote manipulation
• Ensure telematics data integrity
• Privacy issues are mostly confidentiality
Identify Gaps
Step 1b: Assess Security Impact
-
13
Motivation to do embedded security
• Evolutionary path – incrementally add security components to current platform
• Revolutionary path – move to advanced technology platform with native security technologies
⇒ Three motivations for embedded security:
1. Regulatory
• Enables business in regulated sectors
• Avoid penalties for non-conformance
2. Quality
• Reliability & Safety depend on Security
• Security makes better products
3. Business Models
• Make money with security
• Lose money without security
Step 1c: Assess Security Impact
-
13
2. Multi-Faceted Security Approach*
Identity; Access Controls and User Management; Encryption; Analytics; Network Security
Balance Security & Usability
IoT Security Stack:
• Application Security
• Network Security
• Device Security
These steps enable security processes
*Harbor Research: Security for the Internet of Things, 2016.
-
15
Unique & Cryptographic Identity
Identification: Each device needs a unique identity stored in immutable hardware. System integrity must be assured with hardware verification so that participating devices can be trusted to be who they say they are. Software updates must be signed and verified before flashing to assure authenticity.
Access & User Management: Devices act as client & server. A unique cryptographic credential must be provisioned by the enrollment system, signed by the “root of trust” and stored in immutable memory; it acts like a device’s “username/password” to authorize its access to system features.
Step 2a: Multi-Faceted Security Approach
-
16
Encryption & Analytics
Encryption:
• The major challenge with crypto is key management
• Standard symmetric & asymmetric algorithms fit the resources of current systems.
• A big challenge is the ability to migrate algorithms to stay effective with long lived systems
Analytics (Network Traffic):
• Run Time Integrity Check (RTIC) in hardware
• Run time network communications anomaly monitor
Step 2b: Multi-Faceted Security Approach
-
17
Network Security & Balance
Network Security:
• End to end secure sessions are achieved by encrypting at end points
• Remote initiated
• Assume Internet and wireless networks are untrusted
Right sized security: HARD TO DO
• Often hard to know what security options exist
• Disconnected assets are exponentially harder to authenticate.
• Culture changes slowly (e.g. removing debug complicates troubleshooting)
• Don’t compromise with a global vulnerability
Step 2c: Multi-Faceted Security Approach
-
18
3. Define Lifecycle Controls*
1. Deployment
2. Operations
3. Incident & Remediation
4. Retirement & Disposal
*Harbor Research: Security for the Internet of Things, 2016.
-
19
Deployment
Cat Products are expected to serve decades – not just years as some IoT “things”
Step 3a: Define Lifecycle Controls
Deployment Trade offs: Make vs Buy vs Open
• Mismatched COTS (Commercial Off the Shelf) abstractions
• Internet protocols are verbose
• (Generally – proprietary solutions are weak)
• Standard PKI (Public Key Infrastructure) - poor fit with embedded systems
• Keys & certs that outlast the HSM (Hardware Security Module) vendor
• Untrusted real time clock for cert expiration
• Combining legacy with new tech
Provision Security at ECU manufacturer
• Secure Key Injection
• Secure manufacturing process
Security tests
• Penetration test – with production application
• Isolate development/test vs releases
• Certification test – Conformance level
-
20
Operation to Retirement
Operations (Device & Infrastructure):
• Verified boot, authenticated flash
• Over The Air flash update
• Full machine flash through Gateway
Incident & Remediation:
• On Demand Verify - “Remote Attestation”
• Ties back to “Analytics” (RTIC)
• Isolate network services to halt potential compromise while maintaining local availability
• Extends Continuous Product Improvement program
Retirement & Disposal:
• Cultural change with machine built to last decades
• Covers Data lifecycle as well as Device lifecycle
Step 3b: Define Lifecycle Controls
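The signed-update check from Step 2a (unique device identity in immutable hardware, root-of-trust signature, verify before flash) together with the authenticated-flash and untrusted-real-time-clock points from Steps 3a/3b, as an added Go example that is not from the deck or from any Caterpillar code: the back office signs a small manifest plus the image with an Ed25519 root key, and the ECU checks signature, device binding and a monotonic version counter (instead of a clock-based expiry) before accepting anything. The manifest layout, the Ed25519 choice and the ECU/Manifest names are my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Manifest is the header the build/enrollment system signs together with the flash image.
type Manifest struct {
	DeviceID [16]byte // must match the ECU's unique identity held in immutable hardware
	Version  uint32   // monotonic counter: anti-rollback without trusting the RTC
}
// signedBytes is the canonical message that is signed and verified: manifest || image.
func signedBytes(m Manifest, image []byte) []byte {
	b := make([]byte, 20, 20+len(image))
	copy(b, m.DeviceID[:])
	binary.BigEndian.PutUint32(b[16:], m.Version)
	return append(b, image...)
}
// Sign is the back-office side: the root-of-trust key signs manifest and image together.
func Sign(root ed25519.PrivateKey, m Manifest, image []byte) []byte { return ed25519.Sign(root, signedBytes(m, image)) }
// ECU models device-side state kept in immutable/secure storage.
type ECU struct {
	ID        [16]byte
	RootPub   ed25519.PublicKey
	Installed uint32 // version counter of the currently installed image
}
// VerifyFlash accepts an image only if authentic, bound to this device and newer than installed.
func (e *ECU) VerifyFlash(m Manifest, sig, image []byte) error {
	switch {
	case !ed25519.Verify(e.RootPub, signedBytes(m, image), sig):
		return errors.New("signature invalid: image or manifest not authentic")
	case m.DeviceID != e.ID:
		return errors.New("manifest is for a different device")
	case m.Version <= e.Installed:
		return errors.New("rollback: version not newer than installed")
	}
	e.Installed = m.Version // advance the counter only after every check passed
	return nil
}

func main() { // constructed demo key and image; a real root key stays in the HSM
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ecu, image := &ECU{ID: [16]byte{0xCA, 0x7E}, RootPub: pub, Installed: 7}, []byte("constructed flash image")
	m := Manifest{DeviceID: ecu.ID, Version: 8}
	if err := ecu.VerifyFlash(m, Sign(priv, m, image), image); err != nil { panic(err) }
}
```

Nothing is written to flash until VerifyFlash returns nil, and the counter only moves forward, so a replayed older image is refused even when the device clock is wrong.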
-
21
4. Partnering for Success
• Leverage industry standards & protocols – avoid proprietary obscurity
• Contract security consultants with industry expertise
• COTS (commercial off the shelf) crypto library – avoid custom solutions and maintenance
• Research concepts and alternative technologies
• Security Risk Assessments & Pen Test experts
• Silicon security architecture: Root of Trust
• Hardware Security Module: Rack Mount, Smart Cards
• Operating System Security features
Partner with:
• Subject matter experts
• Industry standards
• Commercial & Open Source
• Silicon architectures
Don’t “go it alone”
-
22
IT vs OT: Added Security Dimensions
Priorities (order of importance):
Information Technology: Confidentiality, Integrity, Availability
Operational Technology: Availability, Integrity, Confidentiality; additional priorities: Control, Safety
Challenges:
Information Technology:
► Users are primary threat vectors
► Intellectual Property
► Personal Information (PII and/or PHI)
► Financial data
► Sophisticated threat actors - often state funded
► General awareness of threats
► Mature vulnerability & patch management
► Threat Actor Motives: financial, economic/cyber espionage
Operational Technology:
► Devices/equipment/applications are primary threat vectors
► Physical damage, incorrect operation
► Threaten physical safety
► Extortion: Safety or Disclosure
► Researchers, Customer Security Reviews, Sophisticated threat actors
► Awareness of threats and threat actors is relatively low
► Vulnerability & patch management challenges
► Threat Actor Motives: physical safety, damage, extortion, disclosure
Consequences:
COMMON CONSEQUENCES: IP theft || Reputational damage || Non-compliance
Information Technology:
► Loss of customer trust & confidence
► Loss of financial information
► Loss of revenue
► Loss of Intellectual Property
Operational Technology:
► Loss of customer trust & confidence
► Loss of brand value
► Damage to equipment
► Human health and safety issues
► Loss of Intellectual Property (shop floor automation)
► Direct financial impacts
-
23
Obstacles
• The threat is real, persistent & changing
• Intermittent connection to back office
• Incomplete security standards – leads to – proprietary solution
• Coexistence between competing standards
• Resistance to change – historical constraints
• Dealing with legacy products
• Decaying algorithm strength – prepare for change
-
24
Vision
• Awareness - universally understood security terms
• Conformance levels that advertise the security target goal
• Certification test to assure alignment to the security goal
• No security inventions needed – standard solutions leveraged
• Balanced security with usability – “right sized”
• Convergence of IT, OT, IIoT & IoT security
• Ubiquitous patching
• Prevent – Detect – React
-
25
© 2017 Caterpillar. All Rights Reserved. CAT, CATERPILLAR, their respective logos, "Caterpillar Yellow," the "Power Edge" trade dress as well as corporate and product identity used herein, are trademarks of Caterpillar and may not be used without permission.