Cyber Security Assurance in the Smart City
Murray Rosenthal, CISA, CRISC
Risk Management, Cyber Security and Compliance
Strategic Planning and Architecture, Information & Technology Division
City of Toronto [email protected]
Agenda
Background
Establishing Context
Applicability
Architecture
Threat Modeling
Governance and Recent Developments
Summation
Universe of Discourse
Cyber Security
Information Security
Critical Infrastructure
Smart City
Scope of Interest
Operational Technology
Information Technology
Architecture
Cyber Physical Systems (CPS)
• Internet of Things, M2M, sensors, SCADA, ICS, PCS…
Concepts
Massively Disruptive Forces
• Mobility (functionality convergence)
• Cloud (XaaS out-boarding)
• Big Data (analytics)
• Cyber-Physical Systems (exploitation of edge devices)
• Smart City (digital by design)
Trends, technologies, processes, and ideas that fundamentally alter the status quo and re-shape it.
Orders of Complexity
Smart City Framework – Transitioning the Operating Model
http://shop.bsigroup.com/upload/Smart_cities/BSI-PAS-181-executive-summary-UK-EN.pdf
Current Operating Model → (service digitization) → Smart City Framework
Defining Smart City
Smart City (whole of government)
Smart City (whole of everything)
Scope of Interest: spheres of influence; digital by design
Critical Infrastructure Sectors by Geography
(Listed so that corresponding sectors align: Canada's Information and Communication Technology sector spans the US Communications and Information Technology sectors.)

Canada (10 sectors)
1 Energy and Utilities
2 Information and Communication Technology
3 Finance
4 Health Care
5 Food
6 Water
7 Transportation
8 Safety
9 Government
10 Manufacturing

United States (16 sectors)
1 Energy
2 Communications
3 Information Technology
4 Financial Services
5 Healthcare and Public Health
6 Food and Agriculture
7 Water and Wastewater Systems
8 Transportation Systems
9 Emergency Services
10 Government Facilities
11 Critical Manufacturing
12 Chemical
13 Dams
14 Commercial Facilities
15 Defense Industrial Base
16 Nuclear Reactors, Material and Waste

http://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx
https://www.dhs.gov/critical-infrastructure-sectors
CPS Abstraction – Generalized Workflow
Monitoring: physical processes and environment
Networking: data aggregation, data diffusion
Computing: correctness of physical processes based on data collected during the Monitoring phase
Actuation: action execution based on results generated during the Computing phase

Flow: data acquisition from sensors → physical aggregation of data in the network → valid computed result of physical system states informs the controller to select valid commands → control commands sent to actuators
Cyber-Physical Infrastructure Systems
CPS Applicability (non-exhaustive)
http://www.nist.gov/el/upload/12-Cyber-Physical-Systems020113_final.pdf
https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
Principal Attack Vectors in an Unsecured Time Network
Dark Actors: attackers (anarchists, hacktivists), bot-net operators, criminal groups, foreign intelligence services, industrial spies, insiders, phishers, spammers, spyware/malware authors, terrorists
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
CPS adversaries: differing motivations and behaviours
Cyber Security Scope of Interest (concept map, read as one statement; the labels in parentheses are the slide's annotations)
Cyber Security Assurance (discipline) is concerned with Critical Infrastructure Protection (objective), such as Government (sector), whose Smart City strategy (digital business disruption/optimization approach) employs Operational Technology (fit-for-purpose; the edge) to leverage Cyber-Physical Systems (CPS), comprised of IoT, M2M, PCS, SCADA, sensors and ICS (elements), and integrate with Information Technology (general purpose; the core) through Service Digitization (orchestration). Taken together, this is the cyber security scope of interest.
Information Security Assurance ca. 2005
ISO/IEC 15408-1:2009, Information Technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model
Cyber Security - Smart City Context
(The same concept map as in "Cyber Security Scope of Interest" above, extended with the cyber security assertions below.)
Cyber Security Assertions
• Confidentiality, Integrity, Availability (CIA Triad, inverted)
• identification, authentication, authorization, non-repudiation: IDentity of Things (IDoT)
• Privacy
• Safety
• Resiliency
• Reliability
• Trustworthiness
If you remember nothing else…
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf
http://www.iiconsortium.org/edge-intelligence.htm
OT and IT Representation – CPS Logical Architecture Exemplar
Operational Technology Enclave Information Technology Enclave
Internet of Things (CPS) – Generalized Topology
http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf
Architecture (layers and the perspective that owns each)
Context: Executive Perspective (Planner)
Concept: Business Mgt. Perspective (Owner)
Logical: Architect Perspective (Designer)
Physical: Engineer Perspective (Builder/Contractor)
Components: Technician Perspective (Subcontractor)

• strategy: bound the problem, define the scope of interest
• business architecture: develop owner requirements, "architectural drawings"; what do business owners want to do conceptually
• logical architecture: develop design requirements, "architectural plans", "as designed representations"; how is the object actually designed based on the concept
• physical architecture: develop physical requirements, "as planned representations"; how will the object actually operate based on the design; overall physical implementation of the design
• component (technology) architecture: develop individual component specifications, "tooling configurations", "run books", "procedures"; how will the individual components actually be configured; individual technology specifications of the physical architecture
Architecture, extended with the operating row
Context, Concept, Logical, Physical and Components as above, plus:
Instantiation: Enterprise Perspective (Operations)
• functioning target operating environment (TOE): run steady-state, production environment (out of band with respect to the design layers)
Architecture
Context → Concept → Logical → Physical → Components, each step a transformation.
Abstractness level: highest at Context, lowest at Components (↓). Model detail: lowest at Context, highest at Components (↑).
Reification: the passage of an idea through a complete set of transformations that results in the instantiation (realization/operationalization) of the original idea.
Smart City – A Complete Set of Transformations
Cyber security and critical infrastructure protection generally, and in the Smart City context in particular, are not solely about the technology required to safeguard operational technology assets and related investments. They are about the total set of transformations required to take cyber security and critical infrastructure protection from concept to instantiation, or operation. Even a total set of technology models, in the absence of any other architectural specifications at their respective layers of abstraction, will not yield a complete description of some higher order concept, in this case cyber security contextualized to address specific organizational, Smart City requirements. Without the transcription of management's intentions into detailed specifications through which actual engineering work can be done, assumptions about the complex object, the Smart City, are going to be necessarily made. Those assumptions are neither right nor wrong, but any architectural aspect left unexpressed is tacit approval about the comfort the organization has with it being left in an implicit state of non-expression.
Enterprise Architecture (framework figure, labelled "urban legend" versus "authoritative"). Reproduced with kind permission from Zachman International.
Security Architecture (framework figure, labelled "urban legend" versus "authoritative"). Reproduced with kind permission from the SABSA Institute.
Bodies of Knowledge – Cyber Security + Smart City by Viewpoint
Timeline: 2010, 2011, 2012, 2013, 2014, 2015, 2016. Rows by perspective: Executive Perspective (Planner), Context; Business Mgt. Perspective (Owner), Concept; Architect Perspective (Designer), Logical; Engineer Perspective (Builder/Contractor), Physical; Technician Perspective (Subcontractor), Components; Enterprise Perspective (Operations), Instantiation. Columns: cybersecurity (CI); smart city (IoT, cyber physical systems (CPS)).

Abbreviations: BSI – British Standards Institute; CCTX – Canadian Cyber Threat Exchange; CIS – Center for Internet Security; CSA – Cloud Security Alliance; DHS – Department of Homeland Security; EO – Executive Order; GCTC – Global City Teams Challenge; IIC – Industrial Internet Consortium; ISO – International Organization for Standardization; NIST – National Institute of Standards and Technology; OCF – Open Connectivity Foundation; OCIA – Office of Cyber and Infrastructure Analysis; OWASP – Open Web Application Security Project; PPD – Presidential Policy Directive; PSC – Public Safety Canada.

Bodies of knowledge placed on the grid:
• PSC: Canada's Cyber Security Strategy
• ISO/IEC 27032:2012, Information technology – Security techniques – Guidelines for cybersecurity
• EO 13636: Improving Critical Infrastructure Cybersecurity
• BSI: PAS 181: Smart city framework – Guide to establishing strategies for smart cities and communities
• NIST: Framework for Improving Critical Infrastructure Cybersecurity, V1.0
• GCTC (NIST, US Ignite): establish and demonstrate replicable, scalable and sustainable models for incubation and deployment of interoperable, standards-based IoT solutions and demonstrate their measurable benefits in smart communities/cities
• PSC: CCTX; SCADA Security Portal
• Canada: $237 million in cyber security funding over the next five years
• Science of Smart City Operations and Platforms Engineering (SCOPE) WG, GCTC: CPS extensibility, scalability, interoperability, replicability and smartness
• OCF (formerly OIC): "… to help unify IoT standards so that companies and developers can create IoT solutions and devices that work seamlessly together." (cross-industry collaboration)
• Cybersecurity National Action Plan (CNAP) Fact Sheet: Executive Order, Commission on Enhancing National Cybersecurity; Federal CISO
• 2016 Budget, Ontario, Ministry of Finance: Digital Government Action Plan; Chief Digital Officer
• NIST (CPS Public WG): Draft Framework for Cyber-Physical Systems
• NIST RFI: "Views on the Framework for Improving Critical Infrastructure Cybersecurity"
• IIC: Industrial Internet Reference Architecture
• CSA: Security Guidance for Early Adopters of the Internet of Things (IoT)
• CIS: Internet of Things Security Companion to the CIS Critical Security Controls
• CIS: The CIS Critical Security Controls for Effective Cyber Defense
• OWASP: Internet of Things (IoT) Project (attack surface areas, testing guides, top vulnerabilities, security guidance, IoT/SCADA s/w weaknesses, developer guidance, design principles)
• securingsmartcities.org, CSA: Cyber Security Guidelines for Smart City Technology Adoption *
• Draft NISTIR 8063: Primitives and Elements of Internet of Things (IoT) Trustworthiness
• GSMA: IoT Security Guidelines; IoT Security Guidelines for Service Ecosystems; IoT Security Guidelines for Endpoint Ecosystems; IoT Security Guidelines for Network Operators
• Pure-play "Greenfield" CPS Vendors (IoT, M2M, ICS, SCADA, PCS, ...) / Home-grown "Brownfield" Legacy Devices Integrated with CPS Functionality
• Functioning Smart City
• Functioning Cyber Security Assurance Program
• PPD-21: Critical Infrastructure Security and Resilience
• SABSA Institute: SABSA Enhanced NIST Cybersecurity Framework (SENC) *
• DHS (OCIA): The Future of Smart Cities: Cyber-Physical Infrastructure Risk *
• PSC, DHS: Canada-United States Action Plan for Critical Infrastructure
• PSC: Action Plan for Critical Infrastructure, 2014-2017
• securingsmartcities.org: The Smart City Department: Cyber Security Role and Implications *
Bodies of Knowledge are not the architecture. They inform the architecture. Bodies of Knowledge are externalities. They say nothing about the organization itself.
Semantic Model for Developing Threat Models in the Smart City Context
Sector (transportation, etc.) → Attack Surface (sector-specific vertical) → Abuse Case (general description) → Vector (abuse case narrative)
An attack surface carries one or more abuse cases, and each abuse case one or more vectors (Abuse Case/Threat Modeling).
Smart City Attack Surfaces and Vectors (non-exhaustive)
Sector – Water and Wastewater Systems
Attack Surface – Smart Water Treatment
Abuse Case: Smart Water Treatment Facility Disruption
Vector 1: A malicious actor conducts a cyber-attack on a smart water treatment facility to prevent proper functionality, endangering the systems and public health.
Vector 2: A malicious actor gains remote access to a smart wastewater facility to cause water system backups and potential environmental damage.
Attack Surface – Smart Water Distribution
Abuse Case: Smart Water Distribution System Disruption
Vector 1: A malicious actor remotely attacks smart water distribution systems to damage system components, disable system sensors, disrupt storage and flows, or distribute contaminated water.
Vector 2: A malicious actor disrupts storm water-management systems during severe weather to create unsafe conditions, strain storm water-management systems, and compound the consequences of inclement weather.
Attack Surface – Smart Water Storage
Abuse Case: Infiltration of a Smart Water Storage Facility
Vector 1: A malicious actor targets smart pumps, valves, and other components in smart water storage facility control systems to manipulate water flow.
Vector 2: A malicious actor manipulates safety sensors to mask the presence of dangerous substances in smart water-storage facilities.
https://ics-cert.us-cert.gov/sites/default/files/documents/OCIA%20-%20The%20Future%20of%20Smart%20Cities%20-%20Cyber-Physical%20Infrastructure%20Risk.pdf
CPS Threat Model
Threats overlaid on the generalized CPS workflow (Monitoring: physical processes and environment → Networking: data aggregation, data diffusion → Computing: correctness of physical processes based on data collected during the Monitoring phase → Actuation: action execution based on results generated during the Computing phase), numbered by position in the loop:
1. MitM (replay)
2. DoS (flood)
3. MitM (replay)
4. eavesdrop
5. MitM (replay)
6. DoS (flood)
7. MitM (replay)
8. eavesdrop
9. key attack
http://people.cis.ksu.edu/~danielwang/Investigation/CPS_Security_threat/05724910.pdf
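The same four threat classes (MitM replay, DoS flood, eavesdropping, key attack) recur at every interface of the Monitoring → Networking → Computing → Actuation loop. As an added illustration, not part of the original deck or of any cited framework, the Python below models the Monitoring-to-Computing interface with the controls a defender would apply against three of them: an HMAC over each reading (integrity against alteration in transit), a per-device monotonic sequence number (replay), and a per-device window limit on authenticated readings (flood). The device name, shared key, window size and the sample traffic are all constructed for the example. Eavesdropping is deliberately not addressed (readings travel in the clear here; confidentiality would need encryption on top), and a stolen key defeats every check shown, which is why the threat model lists the key attack on its own.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Key shared by sensor and controller. Constructed for this example; in a real deployment
# it is provisioned per device, and its theft (threat 9, "key attack") defeats every check
# below, which is why key protection is modelled as a separate threat.
SHARED_KEY = b"example-provisioned-device-key"

WINDOW_SECONDS = 1.0  # flood-limiting window (constructed value)
MAX_PER_WINDOW = 5    # authenticated readings accepted per device per window


def build_reading(device_id, seq, value, key=SHARED_KEY):
    """Sensor side (Monitoring phase): sign a reading together with a monotonic sequence number."""
    body = {"device": device_id, "seq": seq, "value": value}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Controller:
    """Controller side (Computing phase). Only authenticated, fresh and rate-limited
    readings may update the state that later drives the Actuation phase."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = {}                # highest sequence number accepted per device
        self.recent = defaultdict(deque)  # acceptance timestamps per device (flood window)
        self.state = {}                   # last accepted value per device

    def accept(self, msg, now):
        """Return "ok" or a rejection reason. A rejected reading never touches self.state."""
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad_tag"              # forged, or altered in transit (MitM)
        body = json.loads(msg["payload"])
        dev, seq = body["device"], body["seq"]
        if seq <= self.last_seq.get(dev, -1):
            return "replay"               # validly signed but stale reading re-injected (MitM replay)
        window = self.recent[dev]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_PER_WINDOW:
            return "flood"                # authenticated, but too many in the window (DoS flood)
        window.append(now)
        self.last_seq[dev] = seq
        self.state[dev] = body["value"]
        return "ok"


def simulate():
    """Constructed traffic for one water-level sensor: three good readings, a replayed reading,
    a reading altered in transit, then a burst. Returns (decisions, final accepted value)."""
    ctrl = Controller()
    decisions = []
    legit = [build_reading("wl-sensor-01", seq, 20 + seq) for seq in range(3)]
    for i, msg in enumerate(legit):
        decisions.append(ctrl.accept(msg, now=0.1 * i))            # ok, ok, ok
    decisions.append(ctrl.accept(legit[1], now=0.5))                # replay of seq 1
    altered = dict(legit[2])
    altered["payload"] = legit[2]["payload"].replace(b'"value":22', b'"value":99')
    decisions.append(ctrl.accept(altered, now=0.6))                 # bad_tag
    for seq in range(3, 12):                                        # burst at one instant
        decisions.append(ctrl.accept(build_reading("wl-sensor-01", seq, 20 + seq), now=0.7))
    return decisions, ctrl.state["wl-sensor-01"]


if __name__ == "__main__":
    decisions, final_value = simulate()
    print(decisions)   # ['ok', 'ok', 'ok', 'replay', 'bad_tag', 'ok', 'ok', 'flood', ... 7 floods]
    print(final_value) # 24
```

The order of checks is a design choice: authenticity first, so that unauthenticated garbage from a spoofed device id cannot consume a legitimate device's flood budget; freshness second, so a replayed reading is rejected before it is counted; rate limiting last, so that only traffic that has passed both can still be refused. A flood-rejected reading does not advance the sequence number, so the genuine device recovers as soon as the window drains.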
CPS Threat Model and Cyber Security Assertions Applicability
(The CPS threat model above, mapped against the cyber security assertions listed under "Cyber Security - Smart City Context".)
Cyber Security Conceptual Risk Management Framework
Business Requirements → strategic controls → operational controls → tactical controls → Cyber Security Technology, with Audit Oversight.
Based on http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf
CPS Framework – Domains, Facets, Aspects
Working Groups: Vocabulary and Reference Architecture; Cybersecurity and Privacy; Timing and Synchronization; Data Interoperability; Use Cases
https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
CPS Framework – All Facets View (same source)
A prototypical model to describe the lifecycle of a Smart City initiative ("I9").
Stages: Plan, Develop, Run, Review. Nine phases, with what is done in each and who is involved:

Plan
• Ideate (list the services): brainstorm thumbnail sketches of Smart City services.
• Itemize (document the services): describe the benefit/value proposition (intangibles); develop the business case; determine fit-for-purpose; monetize feasibility/economic value (tangibles).
• Investigate (conduct due care assessments): Privacy; Security; Legal; Information Management.
• Invest (capitalize the services): confirm the financing model (PPP).
Develop
• Innovate (develop the services): describe the architecture (engineer); design the solution (manufacture) …
• Incubate (isolate the services): beta-test functionality.
• Implement (stage the services): promote to production.
Run
• Instantiate (operate the services): run in steady-state.
Review
• Iterate (improve the services): create an enhancements backlog.

Who: service sponsor; stakeholders; service sponsor and technology sponsor.
PPP – public-private partnerships

Innovation Markers and Security Intervention
Innovation markers (each a point for security intervention):
• Citizen-centric design: crowd sourcing; competitive hack-a-thons
• Partnerships: academia; R+D; private sector; NFP
Seminal Messages
“Universe of Discourse” - An (arcane) term that you will grow to appreciate over time. If you cannot articulate the boundaries of your cyber security assurance scope, and do not have the organizational vocabulary through which you express it, nothing authoritative will take root.
For your own good, adopt a programmatic approach to cyber security assurance. Simply put: START WITH THE BUSINESS. This is not a drill!
Culture eats strategy (and technology) for breakfast – No matter how defined your cyber security strategy may be, it will be destroyed by dark organizational culture.
If your understanding of cyber security does not include architecture, you will necessarily (a) place the sustainability of your organization's cyber security efforts in peril by focusing on technology to the exclusion of anything else, and (b) make dangerous, and indefensible, assumptions about cyber security design and operation.
Grow up - You don't know everything about cyber security and, yes, hero culture is dead. If partnerships and intelligence exchange were ever considered critical for business success, they are absolutely essential in the cyber security assurance context.
IDentity of Things (IDoT) – The identification of edge devices, authenticating to them and authorizing permissions to embedded, on-board functionality will necessarily form part of your cyber security assurance posture.
Develop a (legal) recourse strategy that protects your organization against vendors who ship porous cyber-physical systems.
Consider how your organization will position itself to address Smart City: holistically and integrated, or vertical and siloed.
Consider the establishment of a Smart City Department as the formal accountability office.