From Ukraine to Pacemakers!

Post on 23-Jan-2017


TRANSCRIPT

SESSION ID: HTA-F03

#RSAC

From Ukraine to Pacemakers! The Real-World Consequences of Logical Attacks

Marie Moe, Research Scientist, SINTEF, @MarieGMoe

Éireann Leverett, Founder and CEO, Concinnity Risks, @concinnityrisks

A tale of engineers and integrity…

The internet isn't virtual.

In fact it never was.

It just wasn't 'embodied' yet.

What can we expect of cyber-physical security and failures?

In other words, how deep is the iceberg?

IT/OT Big Picture

C02 Model (Let go of the CIA): Controllability, Observability, Operability

Controllability: inability to bring the process or system into a desired state. Example failures include:

• Control network not in a controllable state
• There is no longer a control sequence which can bring the system into an intended state
• The sequence of the control commands is unknown to the operator (because it has been altered or potentially altered)
• Actuator has lost connectivity or power

Observability: inability to measure state and maintain situational awareness. Example failures include:

• Inability to monitor sensors (data integrity loss and/or loss of availability)
• Untrustworthy measurement (data has lost veracity)
• Measurement of all necessary quantities at the right locations is no longer possible
• Inability to interpret the measurements, e.g. changing the language of alerts

Operability: inability of the device to achieve acceptable operations. Example failures include:

• Inability to maintain optimal operations under attack
• The physical device has been damaged, e.g. motor burnt out, gear teeth ground down, pressure vessel burst
• Inability to safely shut down
• Multiple operators working against each other through the same control channel

Let's simplify: How many actuators?

It is the growth of actuator sales that will define cyber-physical hacking, even more so than the hackers themselves.

Insecurity is a transitive property

Security isn't!

• If my computer is secure
• And my house is secure
• It doesn't imply my phone is secure

If my email is insecure:

• my passwords are known
• my private keys are known

If my computer was insecure:

• it could *still* be spawning reverse shells

• What is the sum of vulnerabilities?
• Let's see how insecurity transitivity looks in time…

So insecurity is transitive in time also!
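As an added illustration of the slide's argument (not from the talk), the following Python models compromise spreading across components only while a link between them exists, so a component can still be reached later through one that was already remediated. The component names, time windows and remediation times are constructed for the example.

```python
"""Temporal transitive closure of compromise (constructed example)."""
from collections import namedtuple

# A connection between two components that existed during [start, end].
Link = namedtuple("Link", "src dst start end")


def propagate(initial, links, remediated=None):
    """Return {component: earliest time it could have been compromised}.

    initial:    {component: time first compromised}
    links:      iterable of Link; compromise crosses a link at
                max(time src compromised, link.start), if that is <= link.end
    remediated: {component: time it was fixed}; a fixed component stops
                forwarding compromise from that time on, but anything it
                already reached stays compromised (persistence).
    """
    remediated = remediated or {}
    infected = dict(initial)
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for link in links:
            if link.src not in infected:
                continue
            t = max(infected[link.src], link.start)
            if t > link.end:            # link closed before src was infected
                continue
            if link.src in remediated and t >= remediated[link.src]:
                continue                # src fixed before it could forward
            if link.dst not in infected or t < infected[link.dst]:
                infected[link.dst] = t
                changed = True
    return infected


# Constructed scenario mirroring the slide: email -> computer -> phone.
LINKS = [
    Link("email", "computer", start=1, end=3),   # password reuse window
    Link("computer", "phone", start=5, end=9),   # phone synced later
    Link("house", "phone", start=0, end=9),      # house never compromised
]

if __name__ == "__main__":
    # Email fixed at t=2, yet the phone is reached at t=5 via the computer.
    print(propagate({"email": 0}, LINKS, remediated={"email": 2}))
    # -> {'email': 0, 'computer': 1, 'phone': 5}
```

Remediating the first component after it has already forwarded compromise does nothing for the downstream ones, which is the "transitive in time" point of the slide.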

Vulnerable populations as a timeline.

2015: Security Metrics for the Android Ecosystem (Thomas, Beresford, Rice)

Insecurity is compose-able

Vulnerabilities can be built into emergent capabilities.

It is difficult to predict the emergent capability for non-physical effects.

When you add in physical effects, you get combinatorial explosion.

How would you "map" all possible emergent physical effects?

Now with added physical effects!

The system is vulnerable:

If there exists a vulnerable e

If there exists a vulnerable u

If there exists a vulnerable ym

Unexpected physical effects

Remember the C02 Model?

Let's deep dive into that…

Sensors are vulnerable

Padmavathi, G., and Shanmugapriya. "A survey of attacks, security mechanisms and challenges in wireless sensor networks."

Actuators are vulnerable

"I Cannot Be Played on Record Player X"

Has been true since (at least): von Neumann's self-replicating kinematics

A simple example is cars driving themselves off the road.

A complex example would be a robotic arm unplugging its network or power cable.

We haven't even discussed how they're 'digitally' vulnerable yet, but that is true too.

Network devices are vulnerable

Switches Get Stitches

If connectivity is required by your business model, then every networking device is my point of subversion against your business.

Protocols are vulnerable

Common Cybersecurity Vulnerabilities in Industrial Control Systems, DHS 2011

Alarms are vulnerable

Guest: Robert M Lee, @RobertMLee

For deeper analysis: ics.sans.org/duc5

Please tweet widely :)

Ukrainian Outage Return Period

0.8 TWh lost maps to roughly a 1 in 2 year event by US standards.

So while this is significant from a hacking perspective, it is not very significant from a power engineering perspective.

[Chart: Frequency of Occurrence (0.01% to 10000.00%, log scale) against Lost Power (TWh, 0.30 to 3000.00, log scale)]

The cost of US power outages

LaCommare, Kristina Hamachi, and Joseph H. Eto. "Understanding the cost of power interruptions to US electricity consumers." Lawrence Berkeley National Laboratory (2004).

"IoT cannot be immortal and unfixable." - Dan Geer, Black Hat 2014

Who will be responsible for IR costs for IoT? Are we privatising sales and socialising IR?

Is insurance starting to make sense yet?

If not for critical infrastructure, then are you ready to talk about medical device cyber insurance?

Personal Infrastructure

Your reliance on an infrastructure is inversely proportional to how invisible it is to you.

We all rely on oxygen, our lungs, and our hearts, but how often do we think about them?

How often do we do maintenance or debug them?

My Personal Critical Infrastructure

[Diagram: Pacemaker/ICD; Programmer; Home monitoring unit; Cellular or Telephone Network; Web portal. Links labelled: Inductive near field communication, MICS/ISM, POTS/SMS]

Debugging me

What is the same between big and little infrastructure?

The cost of failure is "embedded" (damage).

The Economic Impacts of Inadequate Infrastructure for Software Testing (2002)

This table should be extended to include:

Vulnerability exploited in the wild

and

Vulnerability exploited in an infrastructure

Now our vulnerability is "embodied"

Vehicle to Vehicle, Smart Grid, Robotics, Traffic Control, Maritime, Industrial manufacturing, Autonomous Vehicles, Logistics Systems, Aircraft

So is the cost of failure!

Asymmetric adversarial economics.

Harm Type   Impact         Payload reuse   Cost of remedy   Social cost
Data        Non-Zero Sum   High            Low              Individual
Physical    Zero Sum       Low             High             Collective

So what should our design goals be?

Recover-ability.

Reduce transitivity of insecurity in TIME.

COMBAT Persistence

Anti-contagion

Reduce transitivity of insecurity between: Networks, Components, Libraries, Systems, Credentials, Organisations

The hidden cost of the Solow residual?

1. Quantify the cost to society for a 10 hour outage to each critical infrastructure in the largest region covered by one company.

2. Quantify the cost of 70%/50%/30%/1% vulnerable IoT deployments.

3. Quantify the cost of medical device physical impacts on 1%/5%/20% of the population.

I think this is where we went wrong. We focused on "how does/can it fail?" ... not "how much will it cost us?"

Apply what you have learned today

Rename the IoT. Start writing use-cases!

The failure of your code can ruin our future. Go home and quantify the cost of failure!

The Siren song of impact assessment ranking. The payload is not the exploit.

Quantify the cost of a failure in your system.

Are you resilient?

Questions & Thank you!

Marie Moe, www.sintef.no/en, @MarieGMoe

Éireann Leverett, www.concinnityrisks.com, @concinnityrisks, @blackswanburst

Robert M Lee, www.dragossecurity.com, @RobertMLee