Securing Cyber-Physical Software
C. Warren Axelrod, PhD
Senior Consultant, Delta Risk LLC
Agenda
• Overview
• Security of Safety-Critical Systems in the News
• Safe & Secure Software Systems Engineering (S4E)
• Different outlooks of security & safety software engineers
• What are “cyber-physical systems”?
• Process for securing software systems
• Process for ensuring systems are safe
• Certification of avionics and other safety-critical systems
• Recommendations for application security and safety folks
• Summary and conclusions
About the Presenter
• Career as a senior executive in IT and InfoSec areas in financial services
• ISE Luminary Leadership Award (2007)
• Computerworld Premier 100 and Best-in-Class Awards (2003)
• Contributed to the National Strategy to Secure Cyberspace (2002)
• Congressional Subcommittee testimony on cyber security (2001)
• Represented financial services over Y2K at the National Information Center
• Co-founder and Board member of the FS-ISAC
• Contributed to FSSCC Research Agenda
• Published 5 books on IT management and information security
• Published 100+ professional articles and book chapters; posted 200+ blogs
• Moderated and presented at 150+ conferences, seminars, roundtables
• Ph.D. in Managerial Economics, Cornell University; B.Sc. Honors in Electrical Engineering and MA Honors in Economics and Statistics, Glasgow University
• Certifications: CISSP, CISM
Hosted by OWASP & the NYC Chapter
Overview
Security and safety software engineers live in different and often separate worlds. The former worry about protecting information-processing systems and data from attacks. The latter are very concerned with potential harm that could be inflicted by malfunctions and failures of computer control systems.
It is not sufficient to train software safety engineers about securing control systems. Information security professionals need to gain a greater understanding of the control systems to which their information systems are increasingly being connected. This two-way exchange of ideas and approaches is crucial if we are to ensure that systems comprising both security-critical and safety-critical components meet necessary standards and certifications across the board.
This presentation addresses the security-safety gap that exists for software.
Forbes’ Andy Greenberg Investigates
Hacking a Prius
Video available at
http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video
Who Is To Blame?
• The issue of LIABILITY may be the greatest hindrance to progress ...
– What happened?
– Whose fault was it? (The driver/controller, obviously)
– Who can we sue?
– For how much?
• With increasing system complexity, greater interconnectivity and inadequate monitoring and data collection, the root cause may be very difficult to discern
Hackers Beware!
The Barnaby Jack Case
Video available at
http://www.youtube.com/watch?v=sjnnB_pJzHU
The Cheney Video
Paranoia or Reality?
Video available at
http://www.youtube.com/watch?v=N-2iyUpnUwY
Grid Attacks
The Aurora Project
Video available at
http://www.youtube.com/watch?v=rTkXgqK1l9A
Safety vs. Security per Barnes
“Safety and security are intertwined through communication ... in the case of safety, the software [system] must not harm the world; in the case of security, the world must not harm the software [system]. A safety-critical [software] system is one in which the program must be correct ... A security-critical [software] system is one in which it must not be possible for some incorrect or malicious input from the outside [or from an insider] to violate the integrity of the system ...”*
Adapted from: J.G.P. Barnes, “Ada” in Avionics: Elements, Software and Functions
Edited by C.R. Spitzer, CRC Press, FL, 2007
*Based on definitions of safety and security found in Boehm, 1978
Academic Hole per Weiss
“...the general lack of security for ICSs [industrial control systems] is due to a ‘hole ... in academia’ since ‘security is taught in computer science departments, whereas control systems are taught in various engineering departments.’”
Adapted from: Joseph Weiss, Protecting Industrial Control Systems from Electronic Threats
Momentum Press: New York, 2010.
Structure & Hierarchy of S4E
[Diagram: Structure & Hierarchy of S4E. Systems comprise Hardware and Software. The dimensions shown are Technology, People and Processes; Development (Projects) and Operations (Support); Characteristics: Functional, Nonfunctional, Security, Safety, Performance, Reliability; Engineering, Management and Assurance; Elements: Facilities, Data, Documents; Compliance; and Activities: Testing, Monitoring, Reporting, Responding, Repairing.]
Adapted from: C. W. Axelrod, Engineering Safe and Secure Software Systems, © 2013 Artech House
The 3-Pumpkin Model
[Diagram: three overlapping regions labelled Safe Software Systems, Secure Software Systems and Safe & Secure Software Systems, set against The World; arrows labelled Damage and Attacks connect the systems and the world.]
Source: C.W. Axelrod, Engineering Safe and Secure Software Systems, © 2013 Artech House
NSF Definition of CPS
• National Science Foundation (NSF) definition
– The term cyber-physical system refers to the tight conjoining of and coordination between computational and physical resources
– Research advances in cyber-physical systems promise to transform our world with systems that:
• respond more quickly
• are more precise
• work in dangerous or inaccessible environments
• provide large-scale, distributed coordination
• are highly efficient
• augment human capabilities, and
• enhance societal wellbeing
Source: NSF, Cyber-Physical System (CPS) Program Solicitation NSF 10-515, 2010
Defining Cyber-Physical Systems
Adapted from: C.W. Axelrod, “Mitigating the Risks of Cyber-Physical Systems,” IEEE LISAT Conference, Farmingdale, NY, May 2013 © 2013 IEEE
[Diagram: a “Cyber-Physical System” shown as an Information System (“CYBER”) joined through Interfaces to an Embedded System (“PHYSICAL”). Components shown are Data-Processing Software, Control and Administrative Software, Utilities & Firmware and Hardware, the last of which Supports the Physical System; users shown are External End Users, Internal Users and Admins/Ops, and Control System Admins/Operators; connecting arrows are labelled Supports, Manages, Reports and Support.]
Security and Safety Risks
• Risks from security-critical systems
– Economic—fraud, identity theft, lost customers and sales, out-of-business, restitution
– Legal—criminal activities, regulatory fines/actions, business damage control, lawsuits
– Social—loss of reputation
• Risks from safety-critical systems
– Physical harm—loss of life, injuries, radioactivity, chemical and other poisonings
– Environmental damage—contamination, pollution, destruction and/or abandonment of buildings and transportation paths
– Economic—costs of recovery/repair/reconstitution, bankruptcy, restitution
– Legal—regulatory fines/actions, business damage control, lawsuits
– Social—loss of reputation
Threats & Consequences
[Diagram: Software-Intensive Systems, comprising Security-Critical Information Systems and Safety-Critical Control Systems. Inputs are Internal & External Threats & Exploits: External Security Threats/Exploits and External Events, and Insider Threats/Exploits (Intentional and Accidental). Outputs are Consequences of Malfunction, Misuse or Failure: Physical Harm, Economic Impact, Social/Legal Impact and Damage to Environment.]
Source: C.W. Axelrod, Engineering Safe and Secure Software Systems, © 2013 Artech House
Securing Systems Information
Source: C.W. Axelrod, Engineering Safe and Secure Software Systems, © 2013 Artech House
Making Software Systems Safe
Source: C.W. Axelrod, “Mitigating the Risks of Cyber-Physical Systems,” IEEE LISAT Conference, Farmingdale, NY, May 2013 © 2013 IEEE
RTCA/DO-178C Standard Applied to Aircraft
Each system is assigned one of four certification levels: Level A (Catastrophic), Level B (Hazardous), Level C (Major) or Level D (Minor).

| System | Type of System |
|---|---|
| Flight control | Control |
| Cockpit display and controls | Control |
| Flight management | Control |
| Brakes and ground guidance | Control |
| Centralized alarms management | Information |
| Cabin management | Information |
| Onboard communications | Information |
Table 1: RTCA/DO-178C standard applied to aircraft certification
Certification Levels for Various Aircraft Systems
Verification and Validation
• Safety-critical control systems are generally subjected to intensive internal and/or external verification and validation to meet safety certification standards
• Collection of data required for V&V is intentionally built into design and manufacture of safety-critical systems
• WHY ARE VERIFICATION AND VALIDATION SO OFTEN MISSING FROM SDLCs FOR SECURITY-CRITICAL SYSTEMS?
• INCLUDE THEM!
Functional Security Testing
• Functional testing is the norm, i.e., verifying that the system does what it is supposed to
• Non-functional testing for performance, security, availability, etc. is often neglected under pressure to deliver software on time
• Software systems often lack basic security because of inadequate testing
• INCLUDE FULL FUNCTIONAL SECURITY TESTING IN SDLCs
Generation of Security Data
• InfoSec practitioners use readily-available data to develop security metrics used in decision-making
• Often the easier-to-collect data are less useful
• Applications, system software and networks must generate more useful data (even if doing so is costly and time-consuming), subject to acceptable ROI
• BUILD-IN CREATION OF SECURITY DATA (Safety data collectors are often incorporated into control systems, e.g., black boxes or event recorders are already in aircraft, trains, and increasingly in cars)
Summary
• Software security and safety approaches are outside-in and inside-out respectively
• Need to address both for cyber-physical systems and systems of systems
• Increasing connectivity between security-critical information systems and safety-critical control systems is resulting in “vulnerable control systems” and “hazardous information systems”
What We Need
• Transference of knowledge and experience between security and safety silos through education and training, professional certifications, etc.
• Information sharing about cyber and physical threats, exploits, events and consequences
• Participation and collaboration among security and safety software professionals at each and every stage of the SDLC
• Building security and safety requirements in, rather than bolting them on
• Sharing responsibility (liability?) for overall software system safety and security
References
• C. W. Axelrod, “Bridging the Safety-Security Software Gap,” 5th International Conference on Safety and Security Engineering (SAFE 2013), Rome, Italy, September 2013
• C.W. Axelrod, “Mitigating the Risks of Cyber-Physical Systems,” IEEE LISAT Conference, Farmingdale, NY, May 2013
• C.W. Axelrod, Engineering Safe and Secure Software Systems, Artech House, 2012
• C.W. Axelrod, “The Need for Functional Security Testing,” CrossTalk, 24(2), 2011
• C.W. Axelrod, “Creating Data from Applications for Detecting Stealth Attacks,” CrossTalk, 24(5), 2011
• C.W. Axelrod, “Applying Lessons from Safety-Critical Systems to Security-Critical Software,” 2011 IEEE LISAT Conference, Farmingdale, NY, May 2011
• J.G.P. Barnes, “Ada” in C.R. Spitzer (ed.) Avionics: Elements, Software and Functions, CRC Press, 2007
• B.W. Boehm, Characteristics of Software Quality, North-Holland, 1978
• Carnegie Mellon University Software Engineering Institute (CMU SEI), Software Assurance Curriculum Project: Volume I: Master of Software Assurance Reference Curriculum, Technical Report CMU/SEI-2010-TR-005, 2010
• D. Firesmith, Security and Safety Requirements for Software-Intensive Systems. Auerbach Publications, December 2013 (forthcoming)
• National Science Foundation (NSF), Cyber-Physical System (CPS), Program Solicitation NSF 10-515, 2010
• J. Weiss, Protecting Industrial Control Systems from Electronic Threats, Momentum Press, 2010
Contact Information
• C. Warren Axelrod, Ph.D.
• Senior Consultant, Delta Risk LLC
• Telephone: 917-670-1720
• Email: [email protected]