
Page 1: A Cyber Table Top for Equipment Vendors

ZODIAC AEROSYSTEMS, Control Systems Division

Bob Baggerman

8 March 2018

Page 2: Introduction

Bob Baggerman

▪ Senior Field Applications Engineer
▪ 2.5 years at Zodiac Data System
  - Support airborne and ground recording systems
  - Coordinate ZDS cyber security activities
▪ 33 years at Georgia Tech Research Institute
  - USAF Electronic Warfare development and test

Page 3: The Problem for Vendors

▪ In the commercial realm, developers (and their managers) are key to implementing cyber-secure products
▪ Developers typically sit behind a desk and don't understand the operational aspect of the equipment
  - Very narrow view of cyber-security
  - Unsophisticated understanding of the threat
▪ Developers don't make cyber-security a priority
  - Cyber-security doesn't add "cool" features
  - Cyber-security doesn't sell products
▪ A well designed Cyber Table Top (CTT) exercise is a good way to demonstrate threats and vulnerabilities... but a full CTT is...
  - Time consuming
  - Expensive

Vendors don't have the resources for a comprehensive CTT

Page 4: Our Solution

▪ Conduct a very structured but abbreviated CTT
▪ Do considerable preplanning for the developers and managers
  - Describe threats
  - Identify obvious vulnerabilities
  - Walk through attack scenarios that demonstrate loss of
    - Confidentiality
    - Integrity
    - Availability
▪ Perform additional brainstorming

Risk assessment is key to cyber-security planning

Page 5: Risk Assessment Overview

▪ From NIST SP 800-30r1:
▪ The purpose of risk assessments is to inform decision makers and support risk responses by identifying:
  - (i) relevant threats to organizations or threats directed through organizations against other organizations;
  - (ii) vulnerabilities both internal and external to organizations;
  - (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
  - (iv) likelihood that harm will occur.

Page 6: Generic Risk Model (figure only)

Page 7: Cyber War Gaming

▪ Collaborative effort with Red, Blue, and Green teams
▪ Simulated wartime operation involving
  - Planning
  - Preparation
  - Execution
  - Reporting
▪ Used for initial risk assessment
▪ A Cyber Table Top is a type of cyber war game risk assessment
▪ Intellectual, paper-driven exercise
▪ Useful to
  - Socialize cyber-security concepts
  - Look beyond single systems to systems of systems
  - Lead to more useful Developmental Test (DT)

Page 8: Cyber Table Top Process (figure only)

Page 9: Zodiac CTT – Scope / Assumptions

▪ Targeted risk assessment: scope defined by scenarios
▪ Normal operations
  - Airborne recorder installed in aircraft
  - Ground recorder installed in control room
  - Maintenance
▪ Possible remediation
  - Technical
  - Administrative
▪ Assumptions
  - Equipment used in a controlled classified environment
▪ Constraints
  - Consider susceptibilities we can control
  - Long term considerations more important than short term

Page 10: Zodiac CTT – Threat Sources

▪ Threat types
  - Hostile cyber or physical attacks
  - Human errors
▪ Threat actor
  - Insider
  - Support of nation-state
▪ Threat events
  - Hostile acts
  - Accidental data spill

Threats are not what many developers envision

Page 11: Zodiac CTT – Threat Sources

▪ Step 1 – Gather information
▪ Step 2 – Consider access points
  - Ethernet ports
  - Serial ports
  - Discretes
  - Front panel display and buttons
  - USB
  - eSATA
  - Removable disks
  - Recording interfaces
  - GPS antenna
  - Module slots

More access points than generally envisioned

Page 12: Access Points (figure only)

Page 13: CTT Step 3 – Susceptibilities

▪ Easy access to Linux command prompt
▪ Easy access to FTP
▪ Easy access to hardware ports
▪ RMM data persistence
▪ Software loading not validated
▪ Configuration not validated
▪ Software source review and validation
▪ Others?

Page 14: CTT Step 4 – Attacks

Threat Sources
▪ Hostile cyber or physical attacks
▪ Human errors
▪ Structural failures of organization-controlled resources
▪ Natural and man-made disasters, accidents, etc.

Threat Model
▪ Insider
▪ Susceptibility where outside systems touch
  - Interfaces
  - Design and components
  - Transportation and storage
  - Maintenance and updates
  - Configuration
  - Data transfer

Page 15: CTT Step 4 – Attacks

Attack Scenario Assumptions
▪ Test team is mostly good guys
▪ One insider bad guy
  - Maybe works at test location
  - Maybe works at factory
  - Maybe drives a delivery truck
▪ Insider bad guy is supported by a nation-state adversary

Page 16: CTT Step 4 – Attacks

Attack Scenarios
▪ Loss of Confidentiality
▪ Loss of Integrity
▪ Loss of Availability

CIA!

Attack "success" is more than just stealing data

Page 17: Special Attention

▪ Supply chain attack points
  - During manufacture
  - During distribution
▪ Supply chain attack targets
  - Software
  - Hardware
▪ Ethernet
▪ Removable media

Page 18: CTT Step 4 – Attacks

Example Attack – The Story of Airman Adams
▪ Discover previously unknown capability - How could an adversary discover and report previously unknown capabilities of on-board systems?

Page 19: Source Code Excerpt

```python
import os
import struct
import fcntl

# The remaining names used below (LOCK, longFormat, floatFormat, metadataSize,
# archiveInfoSize, pointSize, archiveInfoFormat, aggregationMethodToType,
# validateArchiveList, InvalidConfiguration) are module-level definitions in
# the original source that are not shown on the slide.

# Set default params
if xFilesFactor is None:
    xFilesFactor = 0.5
if aggregationMethod is None:
    aggregationMethod = 'average'

# Validate archive configurations...
validateArchiveList(archiveList)

# Looks good, now we create the file and write the header
if os.path.exists(path):
    raise InvalidConfiguration("File %s already exists!" % path)

fh = None
try:
    fh = open(path, 'wb')
    if LOCK:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)

    # Fixed-size file header: aggregation method, max retention, xFilesFactor, archive count
    aggregationType = struct.pack(longFormat, aggregationMethodToType.get(aggregationMethod, 1))
    oldest = max([secondsPerPoint * points for secondsPerPoint, points in archiveList])
    maxRetention = struct.pack(longFormat, oldest)
    xFilesFactor = struct.pack(floatFormat, float(xFilesFactor))
    archiveCount = struct.pack(longFormat, len(archiveList))
    packedMetadata = aggregationType + maxRetention + xFilesFactor + archiveCount
    fh.write(packedMetadata)

    # One archive-info record per archive, each pointing at that archive's data offset
    headerSize = metadataSize + (archiveInfoSize * len(archiveList))
    archiveOffsetPointer = headerSize
    for secondsPerPoint, points in archiveList:
        archiveInfo = struct.pack(archiveInfoFormat, archiveOffsetPointer, secondsPerPoint, points)
        fh.write(archiveInfo)
        archiveOffsetPointer += (points * pointSize)
    # (the except/finally clauses of this try block lie beyond the slide excerpt)
```

Pages 20 to 22: (figures only)

Page 23: Attack Summary

▪ Sophisticated attack by an unsophisticated agent
▪ Well designed to return high value information
▪ No one large vulnerability, many small ones
▪ Takes advantage of
  - Access to normally unclassified, uncontrolled equipment
  - Hidden memory and hidden capabilities for long term monitoring
  - Modern miniaturized technology
  - Unexpected threat goal
  - Human nature

No network cable needed!

Page 24: CTT Step 4 – Attacks

Loss of Confidentiality
▪ Discover previously unknown equipment - How could an adversary become aware of previously unseen equipment on-board an aircraft?
▪ Discover new software versions - How could an adversary track software versions on-board an aircraft, noting new versions?
▪ Discover performance parameters - How could an adversary measure and store important performance parameters?
▪ Discover test location - How could an adversary discover and report the location of a test?
▪ Access recorded data - This is the big one. How could an adversary get access to a complete recorded file?

Page 25: CTT Step 4 – Attacks

Loss of Integrity
▪ Change test data - How could an adversary change test data to make test results seem better or worse than they actually are?
▪ Degrade GPS - How could an adversary degrade GPS position or time information?

Loss of Availability
▪ Disable system - How could an adversary disable the recording system, resulting in the loss of test data?
▪ Disable other on-board systems

Page 26: CTT Step 5 – Mitigation

▪ Strong passwords controlled by user
▪ Digital signing and authentication of software
▪ Digital signing and authentication of configuration
▪ Third party review of software
▪ Physical access control
▪ Thorough secure erase
▪ Software assurance activities
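The Step 3 susceptibilities "Software loading not validated" and "Configuration not validated" are what the Step 5 mitigations "Digital signing and authentication of software / configuration" close. The following is an added illustration, not the deck's or Zodiac's code: a recorder-side load check that accepts a software or configuration payload only when a manifest signature verifies under a factory public key and the payload digest matches that signed manifest. The manifest layout, the key handling and the sample payload are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest describes one software or configuration load (constructed layout,
// not the recorder's real update format).
type Manifest struct {
	Kind    string // "software" or "configuration"
	Version string
	SHA256  string // hex SHA-256 of the payload bytes
}

func (m Manifest) canonical() []byte { // exact bytes that get signed, fixed field order
	return []byte(m.Kind + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest is the factory-side step; the private key never ships with the unit.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyLoad is the recorder-side check: the manifest signature must verify under the
// embedded public key AND the payload digest must match, so neither a swapped image
// nor an edited manifest is written to the unit.
func VerifyLoad(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on bad key sizes
		return fmt.Errorf("bad public key length %d", len(pub))
	}
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return fmt.Errorf("manifest signature invalid: load rejected")
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return fmt.Errorf("payload digest mismatch: load rejected")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fw := []byte("constructed recorder firmware image") // sample payload
	sum := sha256.Sum256(fw)
	m := Manifest{Kind: "software", Version: "2.1", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)
	fmt.Println(VerifyLoad(pub, m, sig, fw), VerifyLoad(pub, m, sig, append(fw, '!')))
}
```

The same routine covers configuration files by signing a manifest with Kind "configuration", which is why the deck lists both as separate mitigations but they share one mechanism.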

Page 27: Conclusions

▪ Developers don't have a good picture of the threat landscape
  - Typically not cleared
  - Typically don't understand the operational aspect
  - "Just unplug the network cable"
▪ There is a benefit to a structured risk assessment
  - Developers need to understand loss of:
    - Confidentiality
    - Integrity
    - Availability
▪ A walk through of well designed threat scenarios that demonstrate threat attack vectors can lead to an "Aha!" moment
▪ Vendor CTT activities could be used to support larger government CTT activities
▪ Key problem – Not enough time to get cosmic buy-in from participants with limited time