Post on 09-Jul-2018

216 views

Category:

Documents


0 download

TRANSCRIPT

Murray Rosenthal, CISA, CRISC
Risk Management, Cyber Security and Compliance
Strategic Planning and Architecture, Information & Technology Division
City of Toronto, [email protected]

Cyber Security Assurance in the Smart City

Agenda

Background

Establishing Context

Applicability

Architecture

Threat Modeling

Governance and Recent Developments

Summation

Universe of Discourse

Cyber Security

Information Security

Critical Infrastructure

Smart City

Scope of Interest

Operational Technology

Information Technology

Architecture

Cyber Physical Systems (CPS)

• Internet of Things, M2M, sensors, SCADA, ICS, PCS…

Concepts

< Background/ >

< Establishing Context/ >

https://www.linkedin.com/pulse/strong-rigorous-scientific-foundation-cyber-ecosystem-shawn-riley

http://securingsmartcities.org/wp-content/uploads/2016/03/Pen-Testing-A-City-wp.pdf

Massively Disruptive Forces

Mobility (functionality convergence)

Cloud (XaaS out-boarding)

Big Data (analytics)

Cyber-Physical Systems (exploitation of edge devices)

Smart City (digital by design)

Trends, technologies, processes, and ideas that fundamentally alter the status quo and re-shape it.

Orders of Complexity

Smart City Framework – Transitioning the Operating Model

http://shop.bsigroup.com/upload/Smart_cities/BSI-PAS-181-executive-summary-UK-EN.pdf

Current Operating Model

Smart City Framework

service digitization

Defining Smart City

Smart City

(whole of government)

Smart City

(whole of everything)

Scope of Interest

Spheres of Influence

digital by design

Canada                                         United States
 1  Energy and Utilities                        1  Energy
 2  Information and Communication Technology    2  Communications
                                                3  Information Technology
 3  Finance                                     4  Financial Services
 4  Health Care                                 5  Healthcare and Public Health
 5  Food                                        6  Food and Agriculture
 6  Water                                       7  Water and Wastewater Systems
 7  Transportation                              8  Transportation Systems
 8  Safety                                      9  Emergency Services
 9  Government                                 10  Government Facilities
10  Manufacturing                              11  Critical Manufacturing
                                               12  Chemical
                                               13  Dams
                                               14  Commercial Facilities
                                               15  Defense Industrial Base
                                               16  Nuclear Reactors, Material and Waste

Critical Infrastructure Sectors by Geography

http://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx

https://www.dhs.gov/critical-infrastructure-sectors

http://www.cepa.com/wp-content/uploads/2014/10/ng-cepa2014.pdf

< Applicability/ >

CPS Abstraction – Generalized Workflow

Monitoring – physical processes and environment
  data acquisition from sensors

Networking – data aggregation; data diffusion
  physical aggregation of data in network

Computing – correctness of physical processes based on data collected during Monitoring phase
  valid computed result of physical system states informs the controller to select valid commands

Actuation – action execution based on results generated during Computing phase
  control commands sent to actuators

Cyber-Physical Infrastructure Systems

CPS Applicability (non-exhaustive)

http://www.nist.gov/el/upload/12-Cyber-Physical-Systems020113_final.pdf

https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf

Principal Attack Vectors in an Unsecured Time Network

Dark Actors

• Attackers (anarchists, hacktivists)
• Bot-net operators
• Criminal groups
• Foreign intelligence services
• Industrial spies
• Insiders
• Phishers
• Spammers
• Spyware/malware authors
• Terrorists

http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

CPS adversaries – differing motivations and behaviours

Cyber Security Scope of Interest

Cyber Security Assurance is concerned with Critical Infrastructure Protection, such as Government / Smart City, that employs Operational Technology (fit-for-purpose) to leverage Cyber-Physical Systems (CPS), comprised of IoT, M2M, PCS, SCADA, sensors and ICS, through Service Digitization, and integrate with Information Technology (general purpose).

Labels on the diagram: sector, strategy, objective, cyber security scope of interest, edge, core, orchestration, discipline, elements, digital business disruption/optimization approach.

Information Security Assurance ca. 2005

ISO/IEC 15408-1:2009, Information Technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model

Cyber Security - Smart City Context


Cyber Security Assertions

CIA Triad (inverted):
• Confidentiality
• Integrity
• Availability

IDentity of Things (IDoT):
• identification
• authentication
• authorization
• non-repudiation

Trustworthiness:
• Privacy
• Safety
• Resiliency
• Reliability

If you remember nothing else…

https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf

http://www.iiconsortium.org/edge-intelligence.htm

OT and IT Representation – CPS Logical Architecture Exemplar

Operational Technology Enclave Information Technology Enclave

< Architecture/ >

Internet of Things (CPS) – Generalized Topology

http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf

Architecture

Context – Executive Perspective (Planner)
  strategy: bound the problem, define the scope of interest

Concept – Business Mgt. Perspective (Owner)
  business architecture: develop owner requirements; “architectural drawings”
  what do business owners want to do conceptually

Logical – Architect Perspective (Designer)
  logical architecture: develop design requirements; “architectural plans”, “as designed representations”
  how is the object actually designed based on the concept

Physical – Engineer Perspective (Builder/Contractor)
  physical architecture: develop physical requirements; “as planned representations”
  how will the object actually operate based on the design; overall physical implementation of the design

Components – Technician Perspective (Subcontractor)
  component (technology) architecture: develop individual component specifications; “tooling configurations”, “run books”, “procedures”
  how will the individual components actually be configured; individual technology specifications of the physical architecture

Context – Executive Perspective (Planner)
  strategy: bound the problem, define the scope of interest

Concept – Business Mgt. Perspective (Owner)
  business architecture: develop owner requirements; “architectural drawings”
  what do business owners want to do conceptually

Logical – Architect Perspective (Designer)
  logical architecture: develop design requirements; “architectural plans”, “as designed representations”
  how is the object actually designed based on the concept

Physical – Engineer Perspective (Builder/Contractor)
  physical architecture: develop physical requirements; “as planned representations”
  how will the object actually operate based on the design; overall physical implementation of the design

Components – Technician Perspective (Subcontractor)
  component (technology) architecture: develop individual component specifications; “tooling configurations”, “run books”, “procedures”
  how will the individual components actually be configured; individual technology specifications of the physical architecture

Instantiation – Enterprise Perspective (Operations) (out of band)
  functioning target operating environment (TOE): run steady-state, production environment

Architecture

Each layer is a transformation of the layer above it: Context → Concept → Logical → Physical → Components → Instantiation.

Abstractness level: highest at Context, lowest at Instantiation (↓).
Model detail: lowest at Context, highest at Instantiation (↑).

REIFICATION: the passage of an idea through a complete set of transformations that results in the instantiation – realization/operationalization – of the original idea.

Smart City – A Complete Set of Transformations

Cyber security and critical infrastructure protection generally, and in the Smart City context in particular, are not solely about the technology required to safeguard operational technology assets and related investments. They are about the total set of transformations required to take cyber security and critical infrastructure protection from concept to instantiation, or operation. Even a total set of technology models, in the absence of any other architectural specifications at their respective layers of abstraction, will not yield a complete description of some higher order concept, in this case cyber security contextualized to address specific organizational, Smart City requirements. Without the transcription of management’s intentions into detailed specifications through which actual engineering work can be done, assumptions about the complex object – Smart City – are going to be necessarily made. Those assumptions are neither right nor wrong, but any architectural aspect left unexpressed is tacit approval about the comfort the organization has with it being left in an implicit state of non-expression.

Enterprise Architecture (urban legend ↔ authoritative)
Reproduced with kind permission from Zachman International.

Security Architecture (urban legend ↔ authoritative)
Reproduced with kind permission from the SABSA Institute.

Bodies of Knowledge – Cyber Security + Smart City by Viewpoint

Rows (viewpoints): Executive Perspective (Planner) – Context; Business Mgt. Perspective (Owner) – Concept; Architect Perspective (Designer) – Logical; Engineer Perspective (Builder/Contractor) – Physical; Technician Perspective (Subcontractor) – Components; Enterprise Perspective (Operations) – Instantiation.

Columns (timeline): 2010, 2011, 2012, 2013, 2014, 2015, 2016. Two tracks: cybersecurity (CI); smart city (IoT, cyber physical systems (CPS)).

Bodies of knowledge plotted on the slide:

• PSC – Canada’s Cyber Security Strategy
• ISO/IEC – ISO/IEC 27032:2012, Information technology – Security techniques – Guidelines for cybersecurity
• EO 13636 – Improving Critical Infrastructure Cybersecurity
• BSI – PAS 181: Smart city framework – Guide to establishing strategies for smart cities and communities
• NIST – Framework for Improving Critical Infrastructure Cybersecurity, V1.0
• GCTC (NIST, usignite) – Establish and demonstrate replicable, scalable and sustainable models for incubation and deployment of interoperable, standards-based IoT solutions and demonstrate their measurable benefits in smart communities/cities
• PSC – CCTX; SCADA Security Portal
• Canada – $237 million in cyber security funding over the next five years
• Science of Smart City Operations and Platforms Engineering (SCOPE) WG, GCTC – CPS extensibility, scalability, interoperability, replicability and smartness
• OCF (formerly OIC) – “… to help unify IoT standards so that companies and developers can create IoT solutions and devices that work seamlessly together.” (cross-industry collaboration)
• Cybersecurity National Action Plan (CNAP) Fact Sheet – Executive Order: Commission on Enhancing National Cybersecurity; Federal CISO
• 2016 Budget, Ontario, Ministry of Finance – Digital Government Action Plan; Chief Digital Officer
• NIST (CPS Public WG) – Draft Framework for Cyber-Physical Systems
• NIST RFI – “Views on the Framework for Improving Critical Infrastructure Cybersecurity”
• IIC – Industrial Internet Reference Architecture
• CSA – Security Guidance for Early Adopters of the Internet of Things (IoT)
• CIS – Internet of Things Security Companion to the CIS Critical Security Controls
• CIS – The CIS Critical Security Controls for Effective Cyber Defense
• OWASP – Internet of Things (IoT) Project: attack surface areas, testing guides, top vulnerabilities, security guidance, IoT/SCADA s/w weaknesses, developer guidance, design principles
• securingsmartcities.org, CSA – Cyber Security Guidelines for Smart City Technology Adoption *
• Draft NISTIR 8063 – Primitives and Elements of Internet of Things (IoT) Trustworthiness
• GSMA – IoT Security Guidelines; IoT Security Guidelines for Service Ecosystems; IoT Security Guidelines for Endpoint Ecosystems; IoT Security Guidelines for Network Operators
• Pure-play “Greenfield” CPS Vendors (IoT, M2M, ICS, SCADA, PCS, ...) / Home-grown “Brownfield” Legacy Devices Integrated with CPS Functionality
• Functioning Smart City; Functioning Cyber Security Assurance Program
• PPD-21 – Critical Infrastructure Security and Resilience
• SABSA Institute – SABSA Enhanced NIST Cybersecurity Framework (SENC) *
• DHS (OCIA) – The Future of Smart Cities: Cyber-Physical Infrastructure Risk *
• PSC, DHS – Canada-United States Action Plan for Critical Infrastructure
• PSC – Action Plan for Critical Infrastructure, 2014-2017
• securingsmartcities.org – The Smart City Department: Cyber Security Role and Implications *

Abbreviations: BSI – British Standards Institute; CCTX – Canadian Cyber Threat Exchange; CIS – Center for Internet Security; CSA – Cloud Security Alliance; DHS – Department of Homeland Security; EO – Executive Order; GCTC – Global City Teams Challenge; IIC – Industrial Internet Consortium; ISO – International Organization for Standardization; NIST – National Institute of Standards and Technology; OCF – Open Connectivity Foundation; OCIA – Office of Cyber and Infrastructure Analysis; OWASP – Open Web Application Security Project; PPD – Presidential Policy Directive; PSC – Public Safety Canada

Bodies of Knowledge are not the architecture. They inform the architecture. Bodies of Knowledge are externalities. They say nothing about the organization itself.

< Threat Modeling/ >

Semantic Model for Developing Threat Models in the Smart City Context

Abuse Case/Threat Modeling hierarchy:

Sector (transportation, etc.)
  └ Attack Surface (sector-specific vertical)
      └ Abuse Case (general description)
          └ Vector (abuse case narrative)

A Sector has one or more Attack Surfaces, each Attack Surface one or more Abuse Cases, and each Abuse Case one or more Vectors.

Smart City Attack Surfaces and Vectors (non-exhaustive)

Sector – Water and Wastewater Systems

Attack Surface – Smart Water Treatment

Abuse Case: Smart Water Treatment Facility Disruption

Vector 1: A malicious actor conducts a cyber-attack on a smart water treatment facility to prevent proper functionality, endangering the systems and public health.

Vector 2: A malicious actor gains remote access to a smart wastewater facility to cause water system backups and potential environmental damage.

Attack Surface – Smart Water Distribution

Abuse Case: Smart Water Distribution System Disruption

Vector 1: A malicious actor remotely attacks smart water distribution systems to damage system components, disable system sensors, disrupt storage and flows, or distribute contaminated water.

Vector 2: A malicious actor disrupts storm water-management systems during severe weather to create unsafe conditions, strain storm water-management systems, and compound the consequences of inclement weather.

Attack Surface – Smart Water Storage

Abuse Case: Infiltration of a Smart Water Storage Facility

Vector 1: A malicious actor targets smart pumps, valves, and other components in smart water storage facility control systems to manipulate water flow.

Vector 2: A malicious actor manipulates safety sensors to mask the presence of dangerous substances in smart water-storage facilities.

https://ics-cert.us-cert.gov/sites/default/files/documents/OCIA%20-%20The%20Future%20of%20Smart%20Cities%20-%20Cyber-Physical%20Infrastructure%20Risk.pdf

CPS Threat Model

Threats annotated on the generalized workflow (Monitoring → Networking → Computing → Actuation):

1. MitM (replay)
2. DoS (flood)
3. MitM (replay)
4. eavesdrop
5. MitM (replay)
6. DoS (flood)
7. MitM (replay)
8. eavesdrop
9. key attack

Workflow phases as annotated:
Monitoring – physical processes and environment
Networking – data aggregation; data diffusion
Computing – correctness of physical processes based on data collected during Monitoring phase
Actuation – action execution based on results generated during Computing phase

http://people.cis.ksu.edu/~danielwang/Investigation/CPS_Security_threat/05724910.pdf

CPS Threat Model and Cyber Security Assertions Applicability


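As an added example (not from the deck or its cited sources), the Computing step of the generalized CPS workflow, checking each telemetry frame from the Monitoring phase for integrity and authentication (HMAC), replay (per-device sequence numbers, threats 1/3/5/7 above) and freshness before any Actuation command is derived; the device name, key, timestamps and readings are constructed placeholders, and the single shared key stands in for the per-device credential that the key attack (9) targets.

```python
import hashlib, hmac
from dataclasses import dataclass, field

# Constructed demo key: in practice each edge device holds its own credential
# (IDentity of Things); one shared static key is what a "key attack" goes after.
KEY = b"constructed-demo-key-do-not-deploy"

def frame_mac(device, seq, ts, value, key=KEY):
    """Integrity + authentication tag over every field an attacker could alter."""
    msg = f"{device}|{seq}|{ts}|{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def telemetry(device, seq, ts, value, key=KEY):
    """Monitoring phase: a sensor emits a tagged reading (constructed frame format)."""
    return {"device": device, "seq": seq, "ts": ts, "value": value,
            "mac": frame_mac(device, seq, ts, value, key)}

@dataclass
class Controller:
    """Computing phase: accept only authentic, fresh, never-before-seen frames."""
    freshness: int = 30                      # seconds a frame stays acceptable
    last_seq: dict = field(default_factory=dict)
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def verify(self, m, now):
        expected = frame_mac(m["device"], m["seq"], m["ts"], m["value"])
        if not hmac.compare_digest(expected, m["mac"]):
            return "tampered"                # integrity/authentication failed
        if m["seq"] <= self.last_seq.get(m["device"], -1):
            return "replay"                  # MitM (replay): an old frame re-sent
        if now - m["ts"] > self.freshness:
            return "stale"                   # delayed frame, no longer fresh
        return "ok"

    def ingest(self, m, now):
        verdict = self.verify(m, now)
        if verdict == "ok":
            self.last_seq[m["device"]] = m["seq"]
            self.accepted.append(m)
        else:
            self.rejected.append((verdict, m["device"], m["seq"]))
        return verdict

    def command(self, setpoint, min_readings=2):
        # Actuation phase: derive a command only from accepted readings; fail safe otherwise
        if len(self.accepted) < min_readings:
            return "HOLD"
        recent = self.accepted[-min_readings:]
        avg = sum(r["value"] for r in recent) / min_readings
        return "OPEN_VALVE" if avg < setpoint else "CLOSE_VALVE"

def run_demo():
    """Constructed stream: two good frames, a replay, a tampered copy, a stale frame."""
    c = Controller()
    good1 = telemetry("level-sensor-7", 1, 1000, 3.1)
    good2 = telemetry("level-sensor-7", 2, 1010, 3.3)
    replayed = dict(good1)                   # valid tag, but sequence already seen
    tampered = dict(good2, value=9.9)        # value changed, tag no longer matches
    stale = telemetry("level-sensor-7", 3, 900, 3.2)  # valid tag, too old
    verdicts = [c.ingest(m, now=1015) for m in (good1, good2, replayed, tampered, stale)]
    return verdicts, c.command(setpoint=5.0)
```

Rejected frames are kept with their verdict so the Networking/Computing boundary can feed a detection pipeline rather than silently dropping evidence.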

< Governance and Recent Developments/ >

Cyber Security Conceptual Risk Management Framework

Business Requirements → Cyber Security Technology
  strategic controls
  operational controls
  tactical controls
Audit Oversight

Based on http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf

https://pages.nist.gov/smartcitiesarchitecture/

Working Groups: Vocabulary and Reference Architecture; Cybersecurity and Privacy; Timing and Synchronization; Data Interoperability; Use Cases

https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf

CPS Framework – Domains, Facets, Aspects

https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf

CPS Framework – All Facets View

A prototypical model to describe the lifecycle of a Smart City initiative (“I9”).

Stages: Plan | Develop | Run | Review

Phases, with What is done in each:

Ideate (list the services) – Brainstorm thumbnail sketches of Smart City services.
Itemize (document the services) – Describe the benefit/value proposition (intangibles). Develop the business case. Determine fit-for-purpose. Monetize feasibility/economic value (tangibles).
Investigate (conduct due care assessments) – Privacy. Security. Legal. Information Management.
Invest (capitalize the services) – Confirm the financing model (PPP).
Innovate (develop the services) – Describe the architecture (engineer). Design the solution (manufacture) …
Incubate (isolate the services) – Beta-test functionality.
Implement (stage the services) – Promote to production.
Instantiate (operate the services) – Run in steady-state.
Iterate (improve the services) – Create an enhancements backlog.

Who (across the phases): service sponsor, stakeholders, service sponsor, technology sponsor

PPP – public-private partnerships

Legend: innovation marker; security intervention

Innovation Markers and Security Intervention

Citizen-centric design
• crowd sourcing
• competitive hack-a-thons

Partnerships
• academia
• R+D
• private sector
• NFP

< Summation/ >

Seminal Messages

“Universe of Discourse” - An (arcane) term that you will grow to appreciate over time. If you cannot articulate the boundaries of your cyber security assurance scope, and do not have the organizational vocabulary through which you express it, nothing authoritative will take root.

For your own good, adopt a programmatic approach to cyber security assurance. Simply put: START WITH THE BUSINESS. This is not a drill!

Culture eats strategy (and technology) for breakfast – No matter how defined your cyber security strategy may be, it will be destroyed by dark organizational culture.

If your understanding of cyber security does not include architecture, you will necessarily (a) place the sustainability of your organization's cyber security efforts in peril by focusing on technology to the exclusion of anything else, and (b) make dangerous, and indefensible, assumptions about cyber security design and operation.

Grow up - You don't know everything about cyber security and, yes, hero culture is dead. If partnerships and intelligence exchange were ever considered critical for business success, they are absolutely essential in the cyber security assurance context.

IDentity of Things (IDoT) – The identification of edge devices, authenticating to them and authorizing permissions to embedded, on-board functionality will necessarily form part of your cyber security assurance posture.

Develop a (legal) recourse strategy that protects your organization against vendors who ship porous cyber-physical systems.

Consider how your organization will position itself to address Smart City: holistically and integrated, or vertical and siloed.

Consider the establishment of a Smart City Department as the formal accountability office.
