a cyber table top for equipment vendors - home - itea
TRANSCRIPT
ZODIAC AEROSYSTEMS Control Systems Division
A Cyber Table Top for Equipment Vendors
Bob Baggerman
8 March 2018
Introduction
Bob Baggerman
▪ Senior Field Applications Engineer
▪ 2.5 years at Zodiac Data System
  - Support airborne and ground recording systems
  - Coordinate ZDS cyber security activities
▪ 33 years at Georgia Tech Research Institute
  - USAF Electronic Warfare development and test
The Problem for Vendors
▪ In the commercial realm developers (and their managers) are key to implementing cyber-secure products
▪ Developers typically sit behind a desk and don’t understand the operational aspect of equipment
  - Very narrow view of cyber-security
  - Unsophisticated understanding of the threat
▪ Developers don’t make cyber-security a priority
  - Cyber-security doesn’t add “cool” features
  - Cyber-security doesn’t sell products
▪ A well designed Cyber Table Top exercise is a good way to demonstrate threats and vulnerabilities... But a full CTT is...
  - Time Consuming
  - Expensive
Vendors don’t have resources for comprehensive CTT
Our solution
▪ Conduct a very structured but abbreviated CTT
▪ Do considerable preplanning for the developers and managers
  - Describe threats
  - Identify obvious vulnerabilities
  - Walk through attack scenarios that demonstrate loss of
    - Confidentiality
    - Integrity
    - Availability
▪ Perform additional brainstorming
Risk Assessment is key to cyber-security planning
Risk Assessment Overview
▪ From NIST SP 800-30r1
▪ The purpose of risk assessments is to inform decision makers and support risk responses by identifying:
  - (i) relevant threats to organizations or threats directed through organizations against other organizations;
  - (ii) vulnerabilities both internal and external to organizations;
  - (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
  - (iv) likelihood that harm will occur.
Generic Risk Model
Cyber War Gaming
▪ Collaborative effort with Red, Blue, and Green teams
▪ Simulated wartime operation involving
  - Planning
  - Preparation
  - Execution
  - Reporting
▪ Used for initial Risk Assessment
▪ A Cyber Table Top is a type of cyber war game risk assessment
▪ Intellectual paper driven exercise
▪ Useful to
  - Socialize cyber-security concepts
  - Look beyond single systems to Systems of Systems
  - Lead to more useful Developmental Test (DT)
Cyber Table Top Process
Zodiac CTT – Scope / Assumptions
▪ Targeted Risk Assessment
  - Scope defined by scenarios
▪ Normal Operations
  - Airborne recorder installed in aircraft
  - Ground recorder installed in control room
  - Maintenance
▪ Possible Remediation
  - Technical
  - Administrative
▪ Assumptions
  - Equipment used in a controlled classified environment
▪ Constraints
  - Consider susceptibilities we can control
  - Long term considerations more important than short term
Zodiac CTT – Threat Sources
▪ Threat Types
  - Hostile cyber or physical attacks
  - Human errors
▪ Threat Actor
  - Insider
  - Support of Nation-State
▪ Threat Events
  - Hostile acts
  - Accidental data spill
Threats are not what many developers envision
Zodiac CTT – Threat Sources
▪ Step 1 – Gather Information
▪ Step 2 – Consider Access Points
  - Ethernet Ports
  - Serial Ports
  - Discretes
  - Front Panel Display and Buttons
  - USB
  - eSATA
  - Removable Disks
  - Recording Interfaces
  - GPS Antenna
  - Module Slots
More access points than generally envisioned
Access Points
CTT Step 3 – Susceptibilities
▪ Easy access to Linux command prompt
▪ Easy access to FTP
▪ Easy access to hardware ports
▪ RMM data persistence
▪ Software loading not validated
▪ Configuration not validated
▪ Software Source Review and Validation
▪ Others?
CTT Step 4 - Attacks
Threat Sources
▪ Hostile cyber or physical attacks
▪ Human errors
▪ Structural failures of organization-controlled resources
▪ Natural and man-made disasters, accidents, etc.
Threat Model
▪ Insider
▪ Susceptibility where outside systems touch
  - Interfaces
  - Design and Components
  - Transportation and Storage
  - Maintenance and Updates
  - Configuration
  - Data Transfer
CTT Step 4 - Attacks
Attack Scenario Assumptions
▪ Test team is mostly good guys
▪ One insider bad guy
  - Maybe works at test location
  - Maybe works at factory
  - Maybe drives a delivery truck
▪ Insider bad guy is supported by Nation-State adversary
CTT Step 4 - Attacks
Attack Scenarios
▪ Loss of Confidentiality
▪ Loss of Integrity
▪ Loss of Availability
CIA!
Attack “success” is more than just stealing data
Special Attention
▪ Supply Chain Attack Points
  - During manufacture
  - During distribution
▪ Supply Chain Attack Targets
  - Software
  - Hardware
▪ Ethernet
▪ Removable Media
CTT Step 4 - Attacks
Example Attack – The Story of Airman Adams
▪ Discover previously unknown capability - How could an adversary discover and report previously unknown capabilities of on-board systems?
# Set default params
if xFilesFactor is None:
    xFilesFactor = 0.5
if aggregationMethod is None:
    aggregationMethod = 'average'

# Validate archive configurations...
validateArchiveList(archiveList)

# Looks good, now we create the file and write the header
if os.path.exists(path):
    raise InvalidConfiguration("File %s already exists!" % path)

fh = None
try:
    fh = open(path, 'wb')
    if LOCK:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)

    aggregationType = struct.pack(longFormat, aggregationMethodToType.get(aggregationMethod, 1))
    oldest = max([secondsPerPoint * points for secondsPerPoint, points in archiveList])
    maxRetention = struct.pack(longFormat, oldest)
    xFilesFactor = struct.pack(floatFormat, float(xFilesFactor))
    archiveCount = struct.pack(longFormat, len(archiveList))
    packedMetadata = aggregationType + maxRetention + xFilesFactor + archiveCount
    fh.write(packedMetadata)
    headerSize = metadataSize + (archiveInfoSize * len(archiveList))
    archiveOffsetPointer = headerSize

    for secondsPerPoint, points in archiveList:
        archiveInfo = struct.pack(archiveInfoFormat, archiveOffsetPointer, secondsPerPoint, points)
        fh.write(archiveInfo)
        archiveOffsetPointer += (points * pointSize)
Attack Summary
▪ Sophisticated attack by an unsophisticated agent
▪ Well designed to return high value information
▪ No one large vulnerability, many small ones
▪ Takes advantage of
  - Access to normally unclassified uncontrolled equipment
  - Hidden memory and hidden capabilities for long term monitoring
  - Modern miniaturized technology
  - Unexpected threat goal
  - Human nature
No network cable needed!
CTT Step 4 - Attacks
Loss of Confidentiality
▪ Discover previously unknown equipment - How could an adversary become aware of previously unseen equipment on-board an aircraft?
▪ Discover new software versions - How could an adversary track software versions on-board an aircraft, noting new versions?
▪ Discover performance parameters - How could an adversary measure and store important performance parameters?
▪ Discover test location - How could an adversary discover and report the location of a test?
▪ Access recorded data - This is the big one. How could an adversary get access to a complete recorded file?
CTT Step 4 - Attacks
Loss of Integrity
▪ Change test data - How could an adversary change test data to make test results seem better or worse than they actually are?
▪ Degrade GPS - How could an adversary degrade GPS position or time information?
Loss of Availability
▪ Disable system - How could an adversary disable the recording system resulting in the loss of test data?
▪ Disable other On-board systems
CTT Step 5 - Mitigation
Strong Passwords Controlled by User
Digital Signing and Authentication of Software
Digital Signing and Authentication of Configuration
Third Party Review of Software
Physical Access Control
Thorough Secure Erase
Software Assurance Activities
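An added worked example, not part of the original presentation: the Python below scores a small CTT worksheet with the qualitative likelihood/impact matrix from NIST SP 800-30r1 (Table I-2) and ranks the Step 5 mitigations by the worst risk each one addresses. The likelihood and impact ratings, and the pairing of scenarios, susceptibilities and mitigations, are constructed assumptions, not findings from the Zodiac CTT.

```python
# Constructed CTT worksheet scored with the NIST SP 800-30r1 Table I-2 risk matrix.
# Ratings and scenario/susceptibility/mitigation pairings are illustrative assumptions.
from collections import defaultdict

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Rows: likelihood, Very Low..Very High. Columns: impact, Very Low..Very High.
RISK_MATRIX = [
    [0, 0, 0, 1, 1],
    [0, 1, 1, 1, 2],
    [0, 1, 2, 2, 3],
    [0, 1, 2, 3, 4],
    [0, 1, 2, 3, 4],
]

def risk_level(likelihood, impact):
    """Combine qualitative likelihood and impact into a level of risk."""
    return LEVELS[RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]]

# (scenario, CIA property, susceptibility, likelihood, impact)
WORKSHEET = [
    ("Access recorded data", "Confidentiality", "RMM data persistence", "Moderate", "Very High"),
    ("Discover new software versions", "Confidentiality", "Easy access to FTP", "High", "Moderate"),
    ("Change test data", "Integrity", "Configuration not validated", "Low", "High"),
    ("Disable system", "Availability", "Software loading not validated", "Moderate", "High"),
]
# Hypothetical mapping from Step 3 susceptibilities to Step 5 mitigations.
MITIGATION = {
    "RMM data persistence": "Thorough Secure Erase",
    "Easy access to FTP": "Strong Passwords Controlled by User",
    "Configuration not validated": "Digital Signing and Authentication of Configuration",
    "Software loading not validated": "Digital Signing and Authentication of Software",
}

def rank(worksheet):
    """Return worksheet rows with a risk level appended, highest risk first."""
    scored = [row + (risk_level(row[3], row[4]),) for row in worksheet]
    return sorted(scored, key=lambda r: LEVELS.index(r[5]), reverse=True)

def mitigation_priorities(worksheet):
    """Return (mitigation, worst risk level it addresses), highest first."""
    worst = defaultdict(int)
    for row in rank(worksheet):
        m = MITIGATION[row[2]]
        worst[m] = max(worst[m], LEVELS.index(row[5]))
    return sorted(((m, LEVELS[i]) for m, i in worst.items()),
                  key=lambda p: LEVELS.index(p[1]), reverse=True)

if __name__ == "__main__":
    for scenario, prop, susc, lik, imp, risk in rank(WORKSHEET):
        print(f"{risk:9} {prop:15} {scenario} <- {susc}")
```

In a real exercise the ratings come out of the walk-through with developers and managers; the matrix only makes the ranking repeatable.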
Conclusions
▪ Developers don’t have a good picture of the threat landscape
  - Typically not cleared
  - Typically don’t understand operational aspect
  - “Just unplug the network cable”
▪ There is a benefit to a structured risk assessment
  - Developers need to understand loss of:
    - Confidentiality
    - Integrity
    - Availability
▪ A walk through of well designed threat scenarios that demonstrates threat attack vectors can lead to an “Aha!” moment
▪ Vendor CTT activities could be used to support larger government CTT activities
▪ Key Problem – Not enough time to get cosmic buy-in from participants with limited time