
Developing secure components for embedded systems

(or how to make sure the infrastructure keeps running)

Prof. Jim Norton
Steering Group Chair, Secure Software Development Partnership
Vice-President, Professionalism, BCS – Chartered Institute for IT
External Director, UK Parliamentary Office of Science & Technology (POST)
www.profjimnorton.com

Copyright 2010 Prof. Jim Norton 2 ISSD 20th May 2010

Issues to be covered

So what's the problem?
Why now?
What is the key commonality?
Breaking the vicious circle
Sustaining the breakout
Final thoughts

Copyright 2010 Prof. Jim Norton 3 ISSD 20th May 2010

So what is the problem?

"There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success than to take the lead in the introduction of a new order of things." Niccolò Machiavelli, The Prince

We have known for thirty years how to develop formal specifications, generate secure code and thus deliver secure systems.

Typically though, systems are not conceived or built in this way. There has been relatively little demand for formal methods. Employers have not regarded these skills as key for recruitment. Universities are thus less keen to keep them in the syllabus. So, with some honourable exceptions, we have a declining spiral. This needs to change but…

Copyright 2010 Prof. Jim Norton 4 ISSD 20th May 2010

Issues to be covered

Copyright 2010 Prof. Jim Norton 5 ISSD 20th May 2010

Why now?

A series of reports published in the summer of 2009 stressed the need for major investment in infrastructure renewal and hardening against a wide range of threats.

    Copyright 2010 Prof. Jim Norton 6 ISSD 20th May 2010

    Quotes from the reports (1) Recommendation 52: Government should review its powers to mandate realistic minimum levels of resilience in relation to all critical infrastructures and in relation to all areas of interdependence between different infrastructure sectors. Where wider interpretation or amendment of existing legislation is not sufficient and new primary legislation is required, this should be included in the planned further Bill on Civil Contingencies.

    Recommendation 53: Government should bring together regulators of the different infrastructure industries and require them to enforce higher resilience standards in their own sectors, as well as to investigate and strengthen resilience in areas of interdependencies between sectors and in sector supply chains.

    Recommendation 54: Government should go further and signal to sector regulators that it would welcome investment by utility providers in relevant areas outside their own core business areas where such investment would reduce interdependence on other elements of the infrastructure. Investment by the power generators, national grid and energy distribution companies in mobile communications that are more resilient against power failure, for example, would be welcome.

    Recommendation 57: Government should task the Centre for the Protection of National Infrastructure (CPNI) with the development of security recommendations aimed at mitigating command and control risks associated with Smart Grids

Copyright 2010 Prof. Jim Norton 7 ISSD 20th May 2010

Quotes from the reports (2)

We do not believe that the NI can continue on its current trajectory, for three main reasons:

- it is highly fragmented, both in terms of delivery and governance;
- its resilience against systemic failure is significantly weakening through a combination of:
  o ageing infrastructure components;
  o greater complexity and interconnectivity between the different infrastructure sectors; and
  o nearing maximum capacity as a result of increased social and economic pressures;
- the significant challenges posed by climate change and socio-demographic changes, which mean that:
  o there is an urgent need for a major change in devising low carbon solutions to meet the 80% target for reducing greenhouse gas emissions by 2050;
  o core pieces of infrastructure need to be future-proofed against extreme natural events; and
  o they need to be able to respond to future demographic, social and life style changes.

Copyright 2010 Prof. Jim Norton 8 ISSD 20th May 2010

Quotes from the reports (3)

We recommend that the government creates a single point of authority for infrastructure resilience to coordinate the work of the agencies responsible for dealing with individual sectors and threats and recognise interdependency. This would provide the fundamental overview that is lacking, consider how to fill in the gaps and address the areas of infrastructure defence which are currently ignored.

With climate change identified as the biggest threat currently facing the UK's infrastructure, government must ensure that the newly created Natural Hazards Team is effective. Government should invest the Natural Hazards Team with the power to provide strong leadership to asset owners and ensure legislation is properly enforced.

Government must give clearer guidance to sector regulators such as Ofgem and Ofwat. At present these regulators' remit is largely the short-term prices paid by end users. In order to deliver the improvements to resilience identified as necessary by government and the overview function for infrastructure resilience, regulators must have the capacity to address asset resilience as well as broader and longer term consumer interests. Regulators require the ability to ensure asset owners build in reserve capacity to critical infrastructure and that they are fully prepared for any emergency scenario.

Copyright 2010 Prof. Jim Norton 9 ISSD 20th May 2010

Issues to be covered

Copyright 2010 Prof. Jim Norton 10 ISSD 20th May 2010

What is the key commonality?

Much of the underpinning system design and software in command and control systems (such as Supervisory Control and Data Acquisition, SCADA) is poor.

Copyright 2010 Prof. Jim Norton 11 ISSD 20th May 2010

Plenty of good advice on which to draw

Reports from the UK Royal Academy of Engineering:

http://www.raeng.org.uk/news/publications/list/reports/Engineering_values_in_IT.pdf

http://www.raeng.org.uk/news/publications/list/reports/Complex_IT_Projects.pdf

Report from the US National Academy of Sciences:

http://www.nap.edu/catalog.php?record_id=11923 (there is a link to download a free PDF)

Report from the US National Security Agency demonstrator project:

http://www.adacore.com/home/products/sparkpro/tokeneer

Report from the global work on Information Security Economics:

http://www.cl.cam.ac.uk/~rja14/Papers/econ_czech.pdf

With grateful thanks to Prof. Martyn Thomas for all these references.

Copyright 2010 Prof. Jim Norton 12 ISSD 20th May 2010

Issues to be covered

Copyright 2010 Prof. Jim Norton 13 ISSD 20th May 2010

Could infrastructure projects break the vicious circle?

Even with the challenging economic backdrop, we are likely to see extensive investment in enhancing and hardening the UK national infrastructure over the next several years.

It seems to me to be crucially important that this investment is based on the best principles of secure design and implementation, especially in terms of software and embedded systems.

If we want high confidence that a system has some desired properties (e.g. specific security properties), then this can only be shown by analysis, supported (to a degree) by testing.

Once that is accepted, it dictates the whole strategy for development, because it requires that the desired properties are expressed in a formal language, and that the software is developed using notations and languages that can be rigorously analysed to show that the system they describe has the required properties. If there is a market for certifiably secure software, then there will be a market for the languages, methods and analysis tools that will be needed.
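To make concrete what "expressing the desired property in a formal language and developing in a notation that can be rigorously analysed" looks like, here is an added example written for this page; it is not code from the presentation, from the Secure Software Development Partnership or from the Tokeneer project the slides cite. It assumes a constructed scenario: a setpoint that a control component receives over the network must never leave a safe operating envelope. The envelope (0 to 1000), the package name Setpoint and the function name Clamp are all made up for illustration. The property is written as a contract in the SPARK subset of Ada, so that the SPARK tools can prove it holds for every possible input rather than a test suite showing it for some.

```ada
-- Added example, not from the presentation: a setpoint clamp whose
-- security property is stated as a SPARK contract and proved, not tested.
-- Scenario, bounds and names are constructed for illustration.
package Setpoint with SPARK_Mode is

   -- Assumed safe operating envelope for the illustration.
   Min_Safe : constant Integer := 0;
   Max_Safe : constant Integer := 1000;

   -- The return subtype itself carries the property: any value of
   -- Safe_Value is inside the envelope, and the prover must show that
   -- every return statement in the body respects this range.
   subtype Safe_Value is Integer range Min_Safe .. Max_Safe;

   -- The desired property in a formal language: whatever (possibly
   -- hostile) value is requested, the result is the envelope-clamped
   -- value of it. No precondition, because the input is untrusted.
   function Clamp (Requested : Integer) return Safe_Value
     with Post => (if Requested < Min_Safe then Clamp'Result = Min_Safe
                   elsif Requested > Max_Safe then Clamp'Result = Max_Safe
                   else Clamp'Result = Requested);

end Setpoint;

package body Setpoint with SPARK_Mode is

   function Clamp (Requested : Integer) return Safe_Value is
   begin
      if Requested < Min_Safe then
         return Min_Safe;
      elsif Requested > Max_Safe then
         return Max_Safe;
      else
         -- Reachable only when Min_Safe <= Requested <= Max_Safe, which
         -- is what lets the prover discharge the range check here.
         return Requested;
      end if;
   end Clamp;

end Setpoint;
```

GNAT expects the specification in setpoint.ads and the body in setpoint.adb; running gnatprove on the project then discharges both the range check on each return statement and the postcondition. If the else branch were changed to return an unclamped or wrongly offset value, the prover would report an unproved check at that line before the code ever ran. That report is the kind of evidence-based argument about a security specification that the presentation asks for, produced by analysis with testing only as a supplement.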

Copyright 2010 Prof. Jim Norton 14 ISSD 20th May 2010

Achieving the breakout

Take the new infrastructure projects as the catalyst for a fundamental change in practice, leveraging Government's role in regulation and, to a lesser extent, procurement:

- Adopt a mandatory two-stage procurement, with an initial step in which a systems architect would capture, formalise and analyse the customer's requirements;
- Demand that key operational software should always be delivered with an evidence-based argument that it met the security specification;
- Rely far more on analysis and far less on testing as the core evidence.

Again with grateful thanks to Prof. Martyn Thomas for inputs to the Secure Software Development Partnership.

Copyright 2010 Prof. Jim Norton 15 ISSD 20th May 2010

Issues to be covered

Copyright 2010 Prof. Jim Norton 16 ISSD 20th May 2010

From breakout to critical mass

Recommendation 60: Government should also approach the European Commission to sponsor a programme for the creation of a range of secure and reliable standard software modules (such as simple operating systems, database management systems and graphical user interfaces). These modules should be developed using formal methods and be made available free of charge through an Open Source licence to encourage their widespread use.

Copyright 2010 Prof. Jim Norton 17 ISSD 20th May 2010

Issues to be covered

Copyright 2010 Prof. Jim Norton 18 ISSD 20th May 2010

Final thoughts

We live today in a complex, densely networked and heavily technology-reliant society. Extensive privatisation and the pursuit of competitive advantage in globalised markets have also led us to pare down the systems we rely upon until little or no margin for error remains. We have switched to lean production, stretched supply chains, decreased stock inventories and reduced redundancy in our systems. We have outsourced, offshored and embraced a just-in-time culture with little heed for just-in-case. This magnifies not only efficiency but also vulnerability. Everything depends on infrastructure functioning smoothly, and the infrastructure of modern life can be brittle: interdependent systems can make for cascades of concatenated failure when one link in the chain is broken.

Let's use the opportunity of infrastructure renewal to drive a renaissance in Security by Design, bringing back into widespread use the good practice that we have long known and understood.

Copyright 2009 Prof. Jim Norton 19 RiskConf 05.11.2009

But remember, security is a continual battle. Don't ever sit back and believe that you have won!

Oh dear!

Presentation can be downloaded from: www.profjimnorton.com/issdjn.pdf

Let's now have a debate as to whether what I have suggested is:

- desirable?
- sensible?
- implementable?