Lifecycle-oriented risk management in - rt
VDI/VDE-Gesellschaft Mess- und Automatisierungstechnik (GMA), VDI Expert Forum, 21 September 2010: IT Security in Automation – Understanding and Acting!

Lifecycle-oriented risk management in COTS-based systems
Svilen Ivanov, rt-solutions.de GmbH, Köln
Heiko Adamczyk, ifak e.V., Magdeburg

Outline
- COTS (Commercial off-the-shelf) technologies and security
- IT security risk management in industrial automation
- Risk management aspects in:
  - Design and development phase
  - Integration and operational phase
- Summary
Page 2

Gains and risks from standard technologies
Potential gain from standard (COTS) technologies
- Interoperability, savings, long-term availability, ...
Increased information security risks
- All IT risks are applicable to the automation domain
Risk-based approach for achieving adequate security protection
- Recommended by international best practices
- Find the correct relation between gain and risks
[Figure: balance of potential loss from risks against potential gain from possibilities]
Page 3

Security Risk Management in Industrial Automation Systems
[Figure: process cycle according to VDI/VDE 2182-1: Start, Identify assets, Analyze threats, Determine relevant security objectives, Analyze & assess risks, Identify individual measures & assess their effectiveness, Select countermeasures, Implement countermeasures, Perform process audit; process documentation accompanies every step. Source: VDI/VDE 2182-1]
Design and development phase: How to develop a secure COTS-based system?
Integration and operation phase: How to integrate and operate a COTS-based system in a secure way?
Page 4

COTS-based Design and Development
COTS-based means:
- instead of specific requirements there are general goals, i.e. a secure product by using best practices in a secure development process
By the way, this also means:
- a well-established software development process (V-Model)
- a continuous tool chain for the development process (Eclipse)
- using a semi-formal modeling language (UML and subsets)
- using a well-known IDE for mission-critical software development (TopCased)
- using code generation instead of error-prone coding (openArchitectureWare, Acceleo), but using well-known security libraries (OpenSSL)
- using vulnerability scanners (OpenVAS, nmap etc.)
- using simulations for (simple) model checking
- using patterns as far as possible, i.e.:
  - requirements via problem frames,
  - design patterns via standards/guidelines (defense in depth, HIL) and
  - implementation via code libraries
Page 5

Interfacing development and security model
[Table: V-Model phase / VDI/VDE 2182-1 process step / part of the documentation (results of each process step)]
- Requirements phase: structuring analysis (MisUseCases; target of evaluation, environmental conditions)
- Architectural design: initial architecture
- Start (relation to the management model)
- Identify assets: list of assets; critical elements of the software (assets)
- Analyze threats: threat matrix; relevant threats
- Determine relevant security objectives: threat matrix with relevant security objectives; security objectives of the assets (i.e. integrity)
- Analyze & assess risks: risk assessment with relevant threats; vulnerabilities (identification & analysis) [interaction point 1]
- Identify individual measures & assess their effectiveness: list of countermeasures, their effectiveness & costs; security functions (software functions & their characteristics) [interaction point 2]
- Select countermeasures: selected countermeasures; security functions
- Implement countermeasures: countermeasures implemented; validation & verification (i.e. test)
- Perform process audit: audit report; documentation
Page 6

Interaction point 1: Vulnerabilities Analysis
Asset: WLAN network according to IEEE 802.11i, using WPA2 (CCMP, Counter Mode CBC-MAC Protocol based on AES, 128-bit key length) and pre-shared keys (WPA2-PSK).
Threat scenario: An attacker can access the WLAN network and attack the vulnerable management frames.
Vulnerabilities:
1) The management frames are not designed securely.
2) The Pairwise Master Key (PMK) is calculated as follows: PSK = PMK = PBKDF2(Password, SSID, SSIDlength, 4096, 256). The parameters SSID and SSIDlength are transferred in plaintext, which allows the attacker to read them.
3) The password is 8 bytes long (the minimum allowed value) and is a string that can be found in a dictionary.
Probability of threat: High (freeware tools available, i.e. aircrack, coWPAtty and WPA Cracker).
Risk assessment:
1) A simple disassociation message can disrupt an ongoing data connection. This is a threat against the system's availability. The safety system's reaction to that threat is to go to the safe state immediately.
2) Capturing the complete connection establishment (by sending a disassociation message) in order to listen in on the key distribution. Using the captured keys and performing a dictionary attack, it may be possible to obtain the password.
[Figure: German version of the VDI/VDE 2182-1 process diagram from page 6 (requirements phase with MisUseCases, architecture phase with initial architecture, structure analysis; the process steps and their documentation results as listed on page 6, with validation & verification including test). Interaction point 1 is marked at "vulnerabilities (identification & analysis)".]
Source: EU project flexWARE, ICT-224359, 09/2008 - 02/2012
Page 7

Interaction point 2: SW functions and their characteristic parameters
[Figure: the same VDI/VDE 2182-1 process diagram; interaction point 2 is marked at "security functions (software functions & their characteristic parameters)".]
Security objective:
- Confidentiality: encryption via Advanced Encryption Standard (AES)
Candidate libraries: 1) AESCrypt, 2) OpenSSL
Characteristic parameters:
• code run time
• LOC
• Halstead's metrics
• cyclomatic number
• Maintainability Index
• etc.
Source: EU project flexWARE, ICT-224359, 09/2008 - 02/2012
Page 8
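The PMK derivation and the passphrase weakness analysed under Interaction point 1 (page 7), as an added example that is not part of the slides or of the flexWARE project; the function names, the wordlist and the SSID values are constructed for illustration:

```python
import hashlib

# Added example, not from the slides. Derives the WPA2-PSK PMK exactly as
# IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
# 256-bit output) and applies a passphrase policy check that flags the
# weakness analysed on page 7: a minimum-length passphrase taken from a
# dictionary. The wordlist below is constructed for the example.

IEEE_80211I_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32  # 256 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PMK = PBKDF2(passphrase, SSID, SSIDlength, 4096, 256).
    The SSID is the salt and is broadcast in cleartext, so it adds no
    secrecy: the passphrase is the only secret input to the derivation.
    802.11i restricts passphrases to printable ASCII, hence the encoding."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"),
                               IEEE_80211I_ITERATIONS, PMK_LENGTH_BYTES)


# Constructed stand-in for a real wordlist (a deployment check would load one).
EXAMPLE_WORDLIST = {"password", "warehouse", "industry", "wireless"}


def assess_passphrase(passphrase: str, ssid: str,
                      wordlist=EXAMPLE_WORDLIST) -> list:
    """Return policy findings for a WPA2-PSK passphrase (empty = acceptable)."""
    findings = []
    n = len(passphrase)
    if not 8 <= n <= 63:
        findings.append("length outside the 8..63 characters allowed by 802.11i")
    elif n == 8:
        findings.append("uses the minimum allowed length of 8 characters")
    if passphrase.lower() in wordlist:
        findings.append("is a dictionary word")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the (publicly broadcast) SSID")
    return findings


def ieee_test_vector_matches() -> bool:
    """Check derive_pmk against the published IEEE 802.11i test vector
    (passphrase 'password', SSID 'IEEE')."""
    expected = ("f42c6fc52df0ebef9ebb4b90b38a5f90"
                "2e83fe1b135a70e23aed762e9710a12e")
    return derive_pmk("password", "IEEE").hex() == expected


if __name__ == "__main__":
    print("test vector ok:", ieee_test_vector_matches())
    # The case from the slide: 8 characters, found in a dictionary.
    print(assess_passphrase("password", "IEEE"))
    # Same passphrase under another SSID: a different PMK, but no extra secrecy.
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "plant-wlan"))
```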
Design and Development: Eclipse tool chain
[Figure: tool chain]
- Input requirements: MisUseCases, Problem Frames, Tropos
- Modeling (UML, SysML): TopCased, Yakindu
- Simulation (UML, SysML): TopCased, Yakindu
- Code generation: Acceleo (TopCased), oAW/Yakindu
- Guidelines, language subsets: Splint
- Vulnerabilities: Nmap, OpenVAS
- Libraries: OpenSSL
- Coding, editing, flashing, debugging: CDT (TopCased), OpenOCD, Zylin CDT
- Output: firmware; documentation with Doxygen
Page 9

Integration and operation: Problem of risk management
[Figure: associations among assets, threats, vulnerabilities, risks and controls]
Risk management can be complex and time-consuming
- Lots of association decisions among assets, threats, vulnerabilities and controls
- User support is required
Page 10

Reference model based approach*
[Figure: (1) vendor, (2) operator (user), (3) reference model]
Support the user during risk management
- Based on international standards for information security (ISO/IEC 27001-5)
Basic idea:
- Vendor: delivers the technology together with a reference model for risk management
- User: provides use-case-specific information
- Reference model: makes proposals for risk assessment and security controls
* Ivanov, Scholz, Schemmer & Schumann, 'Security with COTS Technologies', atp edition - Automatisierungstechnische Praxis 7-8, 2010
Page 11

Reference model: Basic components
- Technology-specific use case scenario (elements in the figure: data, information; server; storage devices; user, maintainer, attacker; normal use such as deploy and configure; unauthorized access)
- Generic security knowledgebase (entries in the figure: authentication, misbehaviour, awareness)
- Pre-analysis: risk assessment and risk treatment for the scenario
- Proposal system / tool:
  • semantic level identification
  • analyse user-specific information
  • look-up in the knowledgebase
Page 12

Reference model: example
Wireless communication in automation: personnel mobile terminals
- Gain: easy access to information and to the company network
Example risk record:
- Asset: customer orders (data, information; server; storage devices)
- Risk: unauthorized access
- Impact: loss of reputation
- Likelihood: medium
- Impact level: high
- Risk level: high
- Implemented controls: awareness training
- Proposed controls: awareness training, device encryption
(Knowledgebase elements shown: misbehaviour, unauthorized access, attacker, device encryption, awareness)
Page 13

The first evaluations show a correct operation of the proposal system
Scenario
- Prototypical implementation in a risk management tool
- Generic flexWARE scenario (smart warehouse)
- Threat analysis by an expert vs. threat analysis by the tool, based on the BSI catalogue of 500 threats
- Knowledgebase extracted from the BSI catalogue
Results
- Significant reduction of the threats
- Expert: 50 relevant; tool: 100 – 300 relevant
- Reduction depends on the asset description text
Room for improvement
- Knowledgebase content and structure
Page 14

Summary
- Consider security risks together with gains from COTS technologies
- Achieve security by a continuous organizational process
- Apply established best practices step by step
- Use COTS security solutions
- Align the software development process with a security management model like VDI/VDE 2182-1
- Integrate and operate the system in a secure way:
  - Apply a risk-based approach for achieving adequate security protection
  - Find the correct relation between gain and risks
Page 15