Transcript Sys Aware Cyber Sec NDIA Feb Pres

System Aware Cyber Security
NDIA
Barry Horowitz
University of Virginia
February, 2013
Sponsor: DoD, through the Stevens Institute”s
SE Research Center
1
System Aware Cyber Security
• Research is in its 3rd Year
• Today‘s discussion focused on:
• Classes of Solutions (Design Patterns)
• Initial Prototype Implementation for an
Autonomous Surveillance System
2
Broad Objective
Reversing cyber security asymmetry from favoring our
adversaries (small investment in straight forward cyber exploits
upsetting major system capabilities), to favoring the US (small
investments for protecting the most critical system functions
using System Aware cyber security solutions that require very
complex and high cost exploits to defeat)
3
Broad Objective
Reversing cyber security asymmetry from favoring our
adversaries (small investment in straight forward cyber exploits
upsetting major system capabilities), to favoring the US (small
investments for protecting the most critical system functions
using System Aware cyber security solutions that require very
complex and high cost exploits to defeat)
Focus on Defense Against Exploits that Impact System
Performance (e.g., Data Corruption, Functional
Degradation, System Latencies)
4
System Aware Cyber Security
• Operates at the system application-layer,
• For security inside of the network and perimeter
protection provided for the whole system
• Directly protects the most critical system functions
• Solutions are embedded within the protected functions
• Addresses supply chain and insider threats
• Includes physical systems as well as information
systems
• Solution-space consists of reusable design patterns,
reducing unnecessary duplications of design and
evaluation efforts
• Design Patterns can be implemented in a super
secure programmable Sentinel (S3)
5
System-Aware Cyber Security Architecture
• System-Aware Cyber Security Architectures
combine design techniques from 3
communities
– Cyber Security
– Fault-Tolerant Systems
– Automatic Control Systems
• The System-Aware solution designers need to
come from the communities related to
system design and system engineering,
providing a new orientation to complement
the established approaches of the information
assurance community
A Set of Techniques Utilized in System-Aware Security
Cyber Security
Fault-Tolerance
Automatic Control
*Data Provenance
*Diverse Redundancy
*Physical Control for
*Moving Target
(DoS, Automated Restoral)
Configuration Hopping
(Virtual Control for Hopping) *Redundant Component Voting
(Moving Target, Restoral)
*Forensics
(Data Integrity, Restoral)
*State Estimation Techniques
(Data Integrity)
*System Identification
(Data Integrity, Restoral)
A Set of Techniques Utilized in System-Aware Security
Cyber Security
Fault-Tolerance
Automatic Control
*Data Provenance
*Diverse Redundancy
*Physical Control for
*Moving Target
(DoS, Automated Restoral)
Configuration Hopping
(Virtual Control for Hopping) *Redundant Component Voting
(Moving Target, Restoral)
*Forensics
(Data Integrity, Restoral)
*State Estimation
(Data Integrity)
*System Identification
(Tactical Forensics, Restoral)
This combination of solutions requires adversaries to:
• Understand the details of how the targeted systems actually
work
A Set of Techniques Utilized in System-Aware Security
Cyber Security
Fault-Tolerance
Automatic Control
*Data Provenance
*Diverse Redundancy
*Physical Control for
*Moving Target
(DoS, Automated Restoral)
Configuration Hopping
(Virtual Control for Hopping) *Redundant Component Voting
(Moving Target, Restoral)
*Forensics
(Data Integrity, Restoral)
*State Estimation
(Data Integrity)
*System Identification
(Tactical Forensics, Restoral)
This combination of solutions requires adversaries to:
• Understand the details of how the targeted systems actually
work
• Develop synchronized, distributed exploits consistent with how
the attacked system actually works
A Set of Techniques Utilized in System-Aware Security
Cyber Security
Fault-Tolerance
Automatic Control
*Data Provenance
*Diverse Redundancy
*Physical Control for
*Moving Target
(DoS, Automated Restoral)
Configuration Hopping
(Virtual Control for Hopping) *Redundant Component Voting
(Moving Target, Restoral)
*Forensics
(Data Integrity, Restoral)
*State Estimation
(Data Integrity)
*System Identification
(Tactical Forensics, Restoral)
This combination of solutions requires adversaries to:
• Understand the details of how the targeted systems actually
work
• Develop synchronized, distributed exploits consistent with how
the attacked system actually works
• Corrupt multiple supply chains
Integration of Fault Tolerance, Automatic Control and
Information Assurance
• What’s Different for each technology community
– Fault Tolerance
• Asymmetric attacks vs random failures
• Synchronized dependent attacks on system components vs random coupling of
independent failures
• Time varying, situation-related, attacks vs random intermittent failures
• Need to adjust detection criteria based upon pre-mission intelligence and other
a priori information regarding attack
– Automatic Control
• High rates of system reconfiguration (configuration hopping)
• Roles of the operator
– Information Assurance
• System Aware solutions
• Collateral, system-specific, performance impacts of embedded security
solutions
• Plus:
– Require secure implementation of solutions
Design Patterns Being Prototyped
• Diverse Redundancy for post-attack restoration
• Diverse Redundancy + Verifiable Voting for trans-attack
attack deflection
• Physical Configuration Hopping for moving target defense
• Virtual Configuration Hopping for moving target defense
• Data Consistency Checking for data integrity and operator
display protection
• Parameter Assurance for parameter controlled SW functions
• System Restoration using diverse redundancy
12
Design Patterns Being Prototyped
• Diverse Redundancy for post-attack restoration
• Diverse Redundancy + Verifiable Voting for trans-attack
attack deflection
• Physical Configuration Hopping for moving target defense
• Virtual Configuration Hopping for moving target defense
• Data Consistency Checking for data integrity and operator
display protection
• Parameter Assurance for parameter controlled system
functions
• System Restoration using diverse redundancy
As new applications are addressed, new design
patterns will emerge, leading to an expanding
library for reuse
CASE 1: SHIP CONTROL SYSTEM FOR
PHYSICAL PLANT
“A System-Aware Cyber Security Method for Shipboard Control Systems”Accepted for 2012 IEEE Homeland Security Conference
• Guy L. Babineau
Northrop Grumman Naval & Marine Systems Division
• Rick A. Jones and Barry Horowitz
University of Virginia
Department of Systems and Information Engineering
14
Block Diagram Illustrating the Current
System Architecture
15
System-Aware Security Solution
16
17
UDP Packets Lost per 10,000 Sent
Number of Packets Lost per 10,000 Sent
8
7
Experiment 1
6
Experiment 2
5
Experiment 3
Experiment 4
4
Experiment 5
3
Experiment 6
2
Experiment 7
Experiment 8
1
Experiment 9
0
5
10
20
Experiment 10
Hopping Rate in Seconds
TCP Packet Resent per 10,000 Sent
Number of Packets Resent per 10,000 Sent
16
14
Experiment 1
12
Experiment 2
10
Experiment 3
Experiment 4
8
Experiment 5
6
Experiment 6
Experiment 7
4
Experiment 8
2
Experiment 9
Experiment 10
0
5
10
Hopping Rate in Seconds
20
18
CASE 2: DYNAMIC SYSTEM MODELS
AND STATE ESTIMATION TECHNOLOGY
FOR DATA INTEGRITY AND OPERATOR
DISPLAY ATTACKS
Barry M. Horowitz, Katherine Pierce, Application of Diversely Redundant
Designs, Dynamic System Models and State Estimation Technology to the
Cyber Security of Physical Systems, Systems Engineering, Volume 16, No.
3, 2013
19
The Problem Being Addressed
• Highly automated physical system
• Operator monitoring function, including criteria for human
over-ride of the automation
• Critical system states for both operator observation and
feedback control – consider as least trusted from cyber
security viewpoint
• Other measured system states – consider as more trusted
from cyber security viewpoint
• CYBER ATTACK: Create a problematic outcome by disrupting
human display data and/or critical feedback control data.
20
Simplified Block Diagram for Inference-Based
Data Integrity Detection System
xˆ1lt
System
Operator
Applicable
Subsystems
and Users
Cyber Attack
Alerts and
Responses
Protected
Physical
System
y1
y2
State Estimator 1
Diversely Redundant
State Estimator 2
xˆ1lt
xˆ1mt
Information
Consistency
Checking
21
Simulated System Output Based Upon Controller
Attack
22
Simulated Regulator Attack
True Monitored State
Operator Observed State
Δ in Operator and Inferred States
Inferred Monitored State
23
Case 3: Parameter Assurance
24
Parameters in Systems
• Parameters control how systems function – for instance:
– Detection Thresholds
• For example, target detection for Active sensors (Radar), Passive sensors (SIGINT),
impacting missed detection/false alarm performance
– Decision Thresholds
• Tactical: Satellite time-to-collision decision time, impacting timing for taking
action; obstacle avoidance threshold before taking action
• Strategic: Mission Planning System mission timing parameters
– Flight control boundary values
• For example, artificial bounds on accelerations, altitude
– Navigation Waypoints
– Tracking algorithm parameters determine sensitivity and latencies for
position/velocity estimates relative to timing of accelerations
– Communication system mode parameters, impacting QOS
25
Parameters in Systems
• Parameters control how systems function – for instance:
– Detection Thresholds
• For example, target detection for Active sensors (Radar), Passive sensors (SIGINT),
impacting missed detection/false alarm performance
– Decision Thresholds
• Tactical: Satellite time-to-collision decision time, impacting timing for taking
action; obstacle avoidance threshold before taking action
• Strategic: Mission Planning System mission timing parameters
– Flight control boundary values
• For example, artificial bounds on accelerations, altitude
– Navigation Waypoints
– Tracking algorithm parameters determine sensitivity and latencies for
position/velocity estimates relative to timing of accelerations
– Communication system mode parameters, impacting QOS
Parameter tables provide an organized means for
changing parameters and a high leverage opportunity
26
for exploits
Parameter Assurance Design Pattern
• Parameter change detection
– Case 1: Exploit changes values in a parameter table - Monitor
parameter tables and operator actions to determine if an
automated change occurred
– Case 2: Embedded exploit over-rides table parameter values as
part of its execution - Monitor computer-derived decisions and
data that led to the derived decisions to estimate the
corresponding parameter that caused the result, and compare
to parameter table value
• Parameter restoration (complex process/simplified
explanation)
– Reverse parameter value
– Inhibit responsive change-back
– Inform appropriate operator(s)
27
Sentinel Concept for Monitoring
Critical System Functions
28
Example: Autonomous Surveillance
Platform Protection
29
Sentinel with Low Scale, More Securable
SW and HW
• Our research to-date indicates that:
– Monitoring functions require limited processing capacity and
small computer programs
– Voting requires limited processing and small computer
programs
– The timing and synchronization factors for monitoring and
control functions are not demanding
– The functions of a Sentinel can be distributed across many
small, diverse redundant machines
30
Sentinel with Low Scale, More Securable
SW and HW
• Our research to-date indicates that:
– Monitoring functions require limited processing capacity and small
computer programs
– Voting requires limited processing and small computer programs
– The timing and synchronization factors for monitoring and control
functions are not demanding
– The functions of a Sentinel can be distributed across many small,
diverse redundant machines
The securing of the Sentinel can use security
techniques that may not be practical for large
system application, but can potentially be suitable
for a low-scale application as represented by the
System-Aware Sentinel
31
Example: Autonomous Surveillance
Platform Protection
Config. hopping
Diverse redundancy
Port Hopping
Dedicated voting processing
SW power utilization fingerprint
SW CPU and memory usage fingerprint
• For Security Control
Only
• Spread Spectrum
Waveform
• Low Data Rate
32
Super Secure Sentinel (S3)
Design Concept
33
High Level Architectural Overview
Internal Controls
Outputs
Internal
System to Measurements
be
Protected
Sentinel
Providing
System-Aware
Security
34
Sentinel Data Flow
Switchable
Diversely
Redundant
Components
35
Possible Sentinel HW/SW Architectures
• Footprint sensitive programmable family of HW with support
SW for different types of programmable features:
–
–
–
–
Virtual hopping,
Physical hopping,
SW signature analysis,
Diverse redundancy (HW and SW)
• IaaS-based Sentinel (Sentinel as a Service) for systems which
are not seriously constrained by footprint limits, using private
Cloud technology for agility and flexibility
– Virtual hopping (within a Cloud-based Sentinel)
– Diversity for critical Cloud components (e.g., diverse
Hypervisors)
– Hopping across geographically dispersed Private Clouds
• Certified Sentinels
36
Integrating System-of-Systems Security
Network Monitor(s)
Perimeter
Monitor(s)
System 1 Sentinel
System 2
Sentinel
System 3
Sentinel
System “n”
Sentinel
37
Going Forward
• UVA/GTRI are developing the operational prototype
– For emulation this year
– For field testing next year
• UVA is refining & adding to our concepts and evaluations for
• Operator in the loop part of the System-Aware Cyber Security approach
• Architecture decision support tools for selecting cost-effective System
Aware solutions
• Need new application cases resulting in new Design Patterns
– Command and Control systems
– Big Data Systems
• Expand efforts on the S3 Sentinel and alternate implementation
approaches, including private Cloud-based approaches
• Need to get industry engaged, to:
– Pursue applications
– Create design patterns and implementations
– Integrate their Systems Groups and their IA Groups for System-Aware
38
Security applications
Publications
• B. M. Horowtiz and K. M. Pierce, The integration of diversely redundant
designs, dynamic system models, and state estimation technology to the
cyber security of physical systems, Systems Engineering, Volume 16, No. 3
(2013)
• R. A. Jones and B. M. Horowitz, A system-aware cyber security
architecture, Systems Engineering, Volume 15, No. 2 (2012), 224-240.
• J. L. Bayuk and B. M. Horowitz, An architectural systems engineering
methodology for addressing cyber security, Systems Engineering 14
(2011), 294-304.
• G. L. Babineau, R. A. Jones, and B. M. Horowitz, A system-aware cyber
security method for shipboard control systems, 2012 IEEE International
Conference on Technologies for Homeland Security (HST), 2012
• R.A. Jones, T.V. Nguyen, and B.M. Horowitz, System-Aware security for
nuclear power systems, 2011 IEEE International Conference on
Technologies for Homeland Security (HST), 2011, pp. 224-229.
• R. A. Jones and B. M. Horowitz, System-Aware cyber security, itng, 2011
Eighth International Conference on Information Technology: New
39
Generations, 2011, pp. 914-917.