Caterpillar: Non-Confidential. SANS Automotive Cybersecurity Summit, Detroit, Michigan, May 1-2, 2017. PW Bierdeman: Securing The Internet of BIG Things

  • Caterpillar: Non-Confidential

    SANS Automotive Cybersecurity Summit, Detroit, Michigan

    May 1-2, 2017, PW Bierdeman

    Securing The Internet of BIG Things

  • 2

    Agenda
    • Caterpillar
    • Security for the Internet of Things (IoT)
    • Caterpillar strategy for IoT Security
    • Obstacles
    • Vision

  • 3

    The Age of Smart Iron

    https://youtu.be/hj7bk2X9Zxw

  • 4

    Cat® Machines
    • Diverse range of non-road products
    • 30+ machine types with multiple models

  • 5

    216B Skid Steer

    Me: 1.7865kg

    Skid Steer:
    L/W/H (m)    3.23 / 1.52 / 1.95
    Weight (kg)  2589 kg
    Engine       2.2L Cat® 3024C, 37 kW

  • 6

    797F Mining Truck

                 797F Mining Truck           216B Skid Steer
    L/W/H (m)    15.08 / 9.76 / 7.71         3.23 / 1.52 / 1.95
    Weight (kg)  251998 kg (empty)           2589 kg
    Engine       106L Cat® C175-20, 2983 kW  2.2L Cat® 3024C, 37 kW

  • 7

    Introduction

    IoT, the “Internet of Things”, is the network of interconnected devices that optimize daily activity: labor saving devices, assistants, conveniences, remote access, ...

    Caterpillar’s Internet of BIG Things means network connectivity of really big & heavy machines promoting greater uptime at a lower cost, using data analytics to increase safety, convenience, comfort and energy efficiency.

    While improved connectivity enables useful features, it also increases the attack surface for malicious activity. Security vulnerabilities must be minimized to counteract unauthorized intervention by cyber attackers.

    Information Technology (IT), Operational Technology (OT) & Industrial Internet of Things (IIoT) all require a secure foundation. This talk follows an IoT security approach with comments and suggestions regarding Caterpillar Electronics’ experience.

  • 8

    Industry Standard Approach

    Steps to Address Security for the IoT*

    1. Assess Security Impact in Diverse Environments
    2. Apply a Multi-Faceted Security Approach
    3. Define Lifecycle Controls
    4. Partner for Success

    This perspective on “Securing the Internet of BIG Things” was adapted as a reference framework to examine lessons learned during Caterpillar’s embedded security journey.

    Greater complexity leads to greater security risk.

    *Harbor Research: Security for the Internet of Things, 2016.

  • 9

    Security Infrastructure Includes:
    • Product & ECU: Onboard Network
    • Back Office: Web servers & Databases
    • Development Environment: Source code & Tools
    • Service Tools
    • Manufacturing / ECU Provisioning
    • Test labs, tools & pilots
    • Flash Files
    • Customer Fleet
    • Worldwide communications (Internet)

    All components must trust each other: ECU, User Device, Cloud.

    HSM: Hardware Security Module

  • 10

    1. Assess Security Impact

    • Identify attackers
    • Identify attacks
    • Determine for each attacker-attack pair the likelihood and impact of an attack (likelihood x impact = risk)
    • Identify all attacks with high risk (= high likelihood x high impact)
    • Derive countermeasures and recommendations for improvement
      • Only identify attacks with high risk at this point
      • At a later point, consider all attacks with
        • high impact (low or medium likelihood)
        • medium impact and high or medium likelihood
      • Finally, consider remaining risks of low impact or low likelihood.
    • Similar to FMEA
    • Update every couple of years

    Security Risk Assessment: assess all infrastructure components independently for:
    • Compliance with best practice
    • Physical environment
    • Legal & Regulatory
    • Privacy concerns
    • Communications protocols
    • Who gets data
    • Duration of storage

    Attacker goals: Capture, Disrupt, Manipulate
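The triage order this slide describes (high likelihood and high impact first, then high impact at lower likelihood, then medium impact at medium or high likelihood, then whatever remains), written out as a small Go program. This is an added example, not code from the presentation or from Caterpillar; the attacker-attack pairs and their ratings in SampleRegister are constructed for illustration and mirror the concerns listed on the following slides, and the 1-3 scale for likelihood and impact is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is the three-point scale assumed here for both likelihood and impact.
type Level int

const (
	Low Level = iota + 1
	Medium
	High
)

// Pair is one attacker-attack combination with its assessed ratings.
type Pair struct {
	Attacker, Attack   string
	Likelihood, Impact Level
}

// Risk is the slide's "likelihood x impact", here on a 1..9 scale.
func (p Pair) Risk() int { return int(p.Likelihood) * int(p.Impact) }

// Tier encodes the order in which the slide says pairs are worked:
//   1: high likelihood and high impact (the only ones addressed now)
//   2: high impact with low or medium likelihood
//   3: medium impact with medium or high likelihood
//   4: everything left (low impact or low likelihood), reviewed last
func (p Pair) Tier() int {
	switch {
	case p.Likelihood == High && p.Impact == High:
		return 1
	case p.Impact == High:
		return 2
	case p.Impact == Medium && p.Likelihood >= Medium:
		return 3
	default:
		return 4
	}
}

// Prioritize returns a copy sorted by tier, then by descending risk, so the
// register can be walked top-down when deriving countermeasures.
func Prioritize(pairs []Pair) []Pair {
	out := append([]Pair(nil), pairs...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Tier() != out[j].Tier() {
			return out[i].Tier() < out[j].Tier()
		}
		return out[i].Risk() > out[j].Risk()
	})
	return out
}

// SampleRegister is a constructed register for an onboard ECU; the attackers,
// attacks and ratings are assumptions for illustration, not Caterpillar data.
func SampleRegister() []Pair {
	return []Pair{
		{"Owner/operator", "Unauthorized configuration change via service tool", High, Medium},
		{"Remote attacker", "Manipulate telematics data in transit", Medium, High},
		{"Thief", "Clone ECU identity onto another machine", Low, High},
		{"Curious technician", "Read debug port logs", High, Low},
		{"Remote attacker", "Disrupt over-the-air update delivery", Medium, Medium},
		{"Insider", "Inject unsigned flash file on the assembly line", High, High},
	}
}

func main() {
	for _, p := range Prioritize(SampleRegister()) {
		fmt.Printf("tier %d  risk %d  %-18s %s\n", p.Tier(), p.Risk(), p.Attacker, p.Attack)
	}
}
```

The tier comes before the numeric product on purpose: a "high impact, low likelihood" pair (risk 3) is reviewed before a "high likelihood, medium impact" pair (risk 6), which is exactly the ordering the slide asks for and which a plain sort on likelihood x impact would get wrong.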

  • 11

    Embedded Security is NOT THE SAME as Network or PC-based Security

    Claim: IoT Security Baseline is: Proper IT Security – but...

    Embedded Security (Caterpillar ECU; priority order A-I-C):
    • Attackers have constant physical access to all electronics
    • Attackers can manipulate or replace all built-in components
    • Attackers have unlimited time to try unlimited offline attacks
    • Discovered vulnerabilities must be fixed in hundreds or thousands of units
    • Products deployed may operate for many years without change

    Network / PC Security (Caterpillar Office; priority order C-I-A):
    • Attackers seldom have physical access to target systems
    • Very little manipulation and no component replacement
    • Attacks can be filtered
    • Repairs can be made in a central location
    • System updates as needed, when needed

    Step 1a: Assess Security Impact

  • 12

    Security Risk Assessment identifies Concerns of Embedded Systems:

    • Enforce Safety & Quality
    • Support Brand reputation
    • Enable new business opportunities
    • Ensure embedded system integrity
    • Support Performance metrics

    • Prevent unauthorized configurations
    • Avoid unauthorized remote manipulation
    • Ensure telematics data integrity

    • Privacy issues are mostly confidentiality

    Identify Gaps

    Step 1b: Assess Security Impact

  • 13

    Motivation to do embedded security
    • Evolutionary path – incrementally add security components to current platform
    • Revolutionary path – move to advanced technology platform with native security technologies

    ⇒ Three motivations for embedded security:
    1. Regulatory
       • Enables business in regulated sectors
       • Avoid penalties for non-conformance
    2. Quality
       • Reliability & Safety depend on Security
       • Security makes better products
    3. Business Models
       • Make money with security
       • Lose money without security

    Step 1c: Assess Security Impact

  • 14

    2. Multi-Faceted Security Approach*

    Identity | Access Controls and User Management | Encryption | Analytics | Network Security

    Balance Security & Usability

    IoT Security Stack:
    • Application Security
    • Network Security
    • Device Security

    These steps enable security processes

    *Harbor Research: Security for the Internet of Things, 2016.

  • 15

    Unique & Cryptographic Identity

    Identification: Each device needs a Unique Identity stored in immutable Hardware. System integrity must be assured with Hardware verification to trust that participating devices are who they say they are. Software updates must be verified (signed) before flash to assure authenticity.

    Access & User Management: Devices act as Client & Server. A unique cryptographic credential must be provisioned by the enrollment system, signed by the “root of trust” and stored in immutable memory, to act like a device’s “username/password” authorizing its access to system features.

    Step 2a: Multi-Faceted Security Approach

  • 16

    Encryption & Analytics

    Encryption:
    • The major challenge with crypto is key management
    • Standard symmetric & asymmetric algorithms fit the resources of current systems.
    • A big challenge is the ability to migrate algorithms to stay effective with long-lived systems

    Analytics (Network Traffic):
    • Run Time Integrity Check (RTIC) in hardware
    • Run time network communications anomaly monitor

    Step 2b: Multi-Faceted Security Approach

  • 17

    Network Security & Balance

    Network Security:
    • End to end secure sessions are achieved by encrypting at end points
    • Remote initiated
    • Assume Internet and wireless networks are untrusted

    Right sized security: HARD TO DO
    • Often hard to know what security options exist
    • Disconnected assets are exponentially harder to authenticate.
    • Culture changes slowly (i.e. removing debug complicates troubleshooting)
    • Don’t compromise with a global vulnerability

    Step 2c: Multi-Faceted Security Approach

  • 18

    3. Define Lifecycle Controls*

    1. Deployment
    2. Operations
    3. Incident & Remediation
    4. Retirement & Disposal

    *Harbor Research: Security for the Internet of Things, 2016.

  • 19

    Deployment

    Cat Products are expected to serve decades – not just years as some IoT “things”

    Deployment Trade offs: Make vs Buy vs Open
    • Mismatched COTS (Commercial Off the Shelf) abstractions
    • Internet protocols are verbose
    • (Generally – proprietary solutions are weak)
    • Standard PKI (Public Key Infrastructure) - poor fit with embedded systems
    • Keys & certs that outlast the HSM (Hardware Security Module) vendor
    • Untrusted real time clock for cert expiration
    • Combining Legacy with new tech

    Provision Security at ECU manufacturer
    • Secure Key Injection
    • Secure manufacturing process

    Security tests
    • Penetration test – with production application
    • Isolate development/test vs releases
    • Certification test – Conformance level

    Step 3a: Define Lifecycle Controls

  • 20

    Operation to Retirement

    Operations (Device & Infrastructure):
    • Verified boot, authenticated flash
    • Over The Air flash update
    • Full machine flash through Gateway

    Incident & Remediation:
    • On Demand Verify - “Remote Attestation”
    • Ties back to “Analytics” (RTIC)
    • Isolate network services to halt potential compromise while maintaining local availability
    • Extends Continuous Product Improvement program

    Retirement & Disposal:
    • Cultural change with machine built to last decades
    • Covers Data lifecycle as well as Device lifecycle

    Step 3b: Define Lifecycle Controls
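The "verified before flash" rule of slide 15, the algorithm-migration concern of slide 16 and the "authenticated flash" control on this slide, combined in one added Go example. It is not code from the presentation or from Caterpillar. It assumes a flash file layout of header (algorithm id, version) || image || Ed25519 signature over the header and the image digest, hypothetical algorithm identifiers AlgRetired and AlgEd25519, and an ECU root of trust that holds one trusted public key, the set of accepted algorithms and the installed version; the image bytes and the key generated in NewDemoRoot are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Algorithm identifiers carried in the file header (hypothetical values). The set
// an ECU accepts lives in its root of trust, so a weakened scheme can be retired.
const (
	AlgRetired uint16 = 1 // assumed legacy scheme, no longer accepted
	AlgEd25519 uint16 = 2
	hdrLen            = 2 + 4 // alg || version
)

// Header is the metadata signed together with the image.
type Header struct {
	Alg     uint16
	Version uint32 // monotonic, checked for anti-rollback
}

// RootOfTrust models what an ECU keeps in immutable memory.
type RootOfTrust struct {
	PubKey     ed25519.PublicKey
	Accepted   map[uint16]bool
	CurrentVer uint32
}

var (
	ErrFormat    = errors.New("malformed flash file")
	ErrAlgorithm = errors.New("signature algorithm not accepted")
	ErrSignature = errors.New("signature verification failed")
	ErrRollback  = errors.New("version not newer than installed")
)

func encodeHeader(h Header) []byte {
	b := make([]byte, hdrLen)
	binary.BigEndian.PutUint16(b, h.Alg)
	binary.BigEndian.PutUint32(b[2:], h.Version)
	return b
}

// toBeSigned binds header and image digest so neither can be swapped alone.
func toBeSigned(h Header, image []byte) []byte {
	sum := sha256.Sum256(image)
	return append(encodeHeader(h), sum[:]...)
}

// Package produces the flash file layout header || image || signature.
func Package(h Header, image []byte, priv ed25519.PrivateKey) []byte {
	out := append(encodeHeader(h), image...)
	return append(out, ed25519.Sign(priv, toBeSigned(h, image))...)
}

// Verify is the check run before anything is written to flash: the image is
// returned only if algorithm, signature and version are all acceptable, and each
// failure is a distinct error so it can be reported to back-office analytics.
func (rt *RootOfTrust) Verify(file []byte) ([]byte, error) {
	if len(file) < hdrLen+ed25519.SignatureSize {
		return nil, ErrFormat
	}
	h := Header{Alg: binary.BigEndian.Uint16(file), Version: binary.BigEndian.Uint32(file[2:])}
	if !rt.Accepted[h.Alg] {
		return nil, ErrAlgorithm // checked first: a retired scheme is never evaluated
	}
	cut := len(file) - ed25519.SignatureSize
	image, sig := file[hdrLen:cut], file[cut:]
	if !ed25519.Verify(rt.PubKey, toBeSigned(h, image), sig) {
		return nil, ErrSignature
	}
	if h.Version <= rt.CurrentVer {
		return nil, ErrRollback // genuine but not newer: must not be re-flashed
	}
	return image, nil
}

// NewDemoRoot provisions a fresh signing key (standing in for the enrollment
// system's root of trust) and an ECU that trusts it and currently runs version 7.
func NewDemoRoot() (*RootOfTrust, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &RootOfTrust{PubKey: pub, Accepted: map[uint16]bool{AlgEd25519: true}, CurrentVer: 7}, priv
}

func main() {
	rt, priv := NewDemoRoot()
	image := []byte("constructed ECU image v8") // stands in for a flash file body
	good := Package(Header{Alg: AlgEd25519, Version: 8}, image, priv)
	tampered := append([]byte(nil), good...)
	tampered[hdrLen+3] ^= 0x01 // flip one bit inside the image body
	_, err := rt.Verify(good)
	fmt.Println("genuine v8:", err)
	_, err = rt.Verify(tampered)
	fmt.Println("bit-flipped image:", err)
	_, err = rt.Verify(Package(Header{Alg: AlgRetired, Version: 9}, image, priv))
	fmt.Println("retired algorithm:", err)
}
```

Two design points are worth noting. The algorithm check runs before the signature check, so once AlgRetired is removed from Accepted a file using it is rejected without the weakened primitive ever being evaluated, which is how a root of trust can carry a long-lived product through an algorithm migration. The version check runs after the signature check, so a genuine but older file is refused: signing alone does not stop replay of a known-vulnerable release.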

  • 21

    4. Partnering for Success

    • Leverage industry standards & protocols – avoid proprietary obscurity
    • Contract security consultants with industry expertise
    • COTS (commercial off the shelf) crypto library – avoid custom solutions and maintenance
    • Research concepts and alternative technologies
    • Security Risk Assessments & Pen Test experts
    • Silicon security architecture: Root of Trust
    • Hardware Security Module: Rack Mount, Smart Cards
    • Operating System Security features

    Partner with:
    • Subject matter experts
    • Industry standards
    • Commercial & Open Source
    • Silicon architectures

    Don’t “go it alone”

  • 22

    IT vs OT: Added Security Dimensions

    Priorities (order of importance; OT's additional priorities follow the semicolon)
      Information Technology:  Confidentiality, Integrity, Availability
      Operational Technology:  Availability, Integrity, Confidentiality; Control, Safety

    Challenges
      Information Technology:
      ► Users are primary threat vectors
      ► Intellectual Property
      ► Personal Information (PII and/or PHI)
      ► Financial data
      ► Sophisticated threat actors - often state funded
      ► General awareness of threats
      ► Mature vulnerability & patch management
      ► Threat Actor Motives: financial, economic/cyber espionage

      Operational Technology:
      ► Devices/equipment/applications are primary threat vectors
      ► Physical damage, incorrect operation
      ► Threaten physical safety
      ► Extortion: Safety or Disclosure
      ► Researchers, Customer Security Reviews, Sophisticated threat actors
      ► Awareness of threats and threat actors is relatively low
      ► Vulnerability & patch management challenges
      ► Threat Actor Motives: physical safety, damage, extortion, disclosure

    Consequences
      COMMON CONSEQUENCES: IP theft || Reputational damage || Non-compliance

      Information Technology:
      ► Loss of customer trust & confidence
      ► Loss of financial information
      ► Loss of revenue
      ► Loss of Intellectual Property

      Operational Technology:
      ► Loss of customer trust & confidence
      ► Loss of brand value
      ► Damage to equipment
      ► Human health and safety issues
      ► Loss of Intellectual Property (shop floor automation)
      ► Direct financial impacts

  • 23

    Obstacles
    • The threat is real, persistent & changing
    • Intermittent connection to back office
    • Incomplete security standards – leads to – Proprietary solution
    • Coexistence between competing standards
    • Resistance to change – historical constraints
    • Dealing with Legacy products
    • Decaying algorithm strength – prepare for change

  • 24

    Vision
    • Awareness - Universally understood security terms
    • Conformance levels that advertise security target goal
    • Certification test to assure alignment to security goal
    • No security inventions needed – standard solutions leveraged
    • Balanced Security with Usability – “Right sized”
    • Convergence of IT, OT, IIoT & IoT security
    • Ubiquitous patching
    • Prevent – Detect – React

  • 25

    © 2017 Caterpillar. All Rights Reserved. CAT, CATERPILLAR, their respective logos, "Caterpillar Yellow," the "Power Edge" trade dress as well as corporate and product identity used herein, are trademarks of Caterpillar and may not be used without permission.