engineering safety and security in the era of the ...safety.addalot.se/upload/2017/1-2 oates.pdf ·...
TRANSCRIPT
Trusted to deliver excellence
© 2017 Rolls-Royce plc
The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other
than that for which it is supplied without the express written consent of Rolls-Royce plc.
This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning
such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or
associated companies.
Engineering Safety and Security in
the era of the Industrial Internet of
Things
Dr Robert Oates
Private – Rolls-Royce Proprietary Information
Talk Structure
- Who am I?
- What is Product Cyber Security?
- Why is it important to understand the interactions between safety and security?
- How do safety and security interact?
Private – Rolls-Royce Proprietary Information
2
Private – Rolls-Royce Proprietary Information
Product Cyber Security Team3
Civil Aerospace
Defence Aerospace
Marine NuclearPower
Systems
Product Cyber Security Team
ProcessImprovement
Auditing Standardisation&
Best Practice
Project Support
Tooling
Sources of Product Cyber Security Risk5
Private – Rolls-Royce Proprietary Information
Attacker Capability / Motivation
Technical Sources
Cultural Sources
Technical Sources of Risk
Private – Rolls-Royce Proprietary Information
6
Higher Performance Systems
Hyperconnectivity
COTS
Big Data
Technical CyberRisk
Example: Maritime Sector
Private – Rolls-Royce Proprietary Information
7
ThrustHeading
Organisation
Automation FunctionsAutomation
FunctionsAutomation Functions
Monitoring Functions
Remote OperationLikelihood
Impact
• Data driven services
• Automation and remote access
• Wireless sensor networks
• Internet of Things
Vessel
Crew
Automation FunctionsAutomation
FunctionsIoTComponents
IoT Services
Organisation
Attacker Capability – Who is attacking?
CNI Attackers (From GAO):
• Nation states
• Terrorists
• Industrial spies and organised crime
• Hacktivists
• Hackers
8
Private – Rolls-Royce Proprietary Information
Attacker resources9
AttackerCapability
/Motivation
Private – Rolls-Royce Proprietary Information
What can we do about PCS Risk?
Private – Rolls-Royce Proprietary Information
12
People
Process Technology
Risk Driven Design Processes13
Private - Rolls-Royce Proprietary Information
Technical Risk Assessment
Risk Treatment
Plan
Are risks acceptable?
Identify Mitigations
Update Design
Initial Design to Design Principles
Inputs:
i) Organisation:
->What’s our risk appetite?
ii) Functional Requirements
-> What are we making?
Next phaseyes
no
Secure Development Objectives
Private – Rolls-Royce Proprietary Information
14
Innate Security
Reactive Security
Security requirements across all sub systems to ensure that the system is secure at the system level
Active security features/subsystems that detect and react to intrusions
Information Assurance
The argument that the system is secure, through life
Changing Cultures
Security is everybody’s responsibility
Private – Rolls-Royce Proprietary Information
15
Training
Routes to escalation
Incident response planning
Security Champions
Communication
Changing Cultures
Proportionate, risk-based controls
Private – Rolls-Royce Proprietary Information
16
Keep costs down
Keep risks down
Understand risk
Risk Sources
Risk
Cyber Security
Attacks
Safety
Accidents
Economic
Financial Loss
17
Private – Rolls-Royce Proprietary Information
Statement 1
Product cyber security is a risk source that needs
to be addressed
18
Private – Rolls-Royce Proprietary Information
Fundamental Question
Can a software intensive system be
deemed safe if it isn’t secure?
19
Private – Rolls-Royce Proprietary Information
The Enemies of Safety / The Results of Attacks
Non-determinism
Uncontrolled change
Poor communication/understanding
Private – Rolls-Royce Proprietary Information
20
Private - Rolls-Royce Proprietary Information
SECURITY
SAFETY
CRYPTO
≠
Risk Driven Design Processes22
Private - Rolls-Royce Proprietary Information
Statement 2
Understanding the link to safety can make things
1. Safer
2. More secure
3. Cheaper
23
Private – Rolls-Royce Proprietary Information
Risk Direction: Safety
Private – Rolls-Royce Proprietary Information
25
Supplier Customer
Safety Risk
Financial Risk
Recompense
Risk Direction: Security
Private – Rolls-Royce Proprietary Information
26
Supplier
Customer
Security Risk
Legal Risk
Recompense
Attacker
Patching safety critical systems
Vulnerability
Researcher
Supplier
Malicious
Actors
System
Integrator
Discovery
Research
?
Exploitation
Research
?Remedial
actionsPatch application
Testing
and
recertification
Patch creation
Private – Rolls-Royce Proprietary Information
Patching safety critical systemsDiscovery
Patch application
Testing
and recertification
Discovery Discovery
. . .
. . .
. . .
Vulnerability
Researcher
Supplier
Malicious
Actors
System
Integrator
Response
cycleResponse
cycleResponse
cycle
Private – Rolls-Royce Proprietary Information
Design Principles in Opposition: Diversity
Private - Rolls-Royce Proprietary Information
Inputs
Outputs
System
Safety Security
P(failure) = 0.0001 Likelihood of attack?P(failure) = (0.0001)2
Implementation specific vulnerabilities
Specification vulnerabilities
Component vulnerabilities
Uncertainty: Low, de-risked from extensive testing and well established process
Low risk system Risky system!
System B
System A
Inputs Inputs
X
Extremely
Understanding Risk
Private – Rolls-Royce Proprietary Information
30
SafetySecurity
Data SafetyCyber
Security
• System level quality factors• Through life quality factors• Preventing harm• Design principles• Risk driven design change• Controls that are proportionate to risks
Technology
Private – Rolls-Royce Proprietary Information
31
Resist Detect and React
Network architecture• Interface control• Firewalls• Data diodes• Segregation
Protocol Selection
Cryptographic techniques• Cryptographic agility – quantum!• Legal issues
Multi-source localisation
Manual override
IDS• What is normal?• Interaction with watchdogs• Does “Adaptive” = “Non-deterministic” ?
Logging• Review processes
Reactions• Security responses shouldn’t
compromise safety• Safety responses shouldn’t
compromise security
…but there are things missing.
Systems Engineering for Safety and Security
• Is a truly common risk model possible?
Efficient Incident Response
• Design for Forensics
• Team members
Intelligence Focus
• Where do you get threat intelligence from?
• How do you embed live intelligence into an engineering/maintainance process?
32
Private – Rolls-Royce Proprietary Information
Statement 3
The interactions are complex. Some solutions exist,
but there is a way to go
33
Private – Rolls-Royce Proprietary Information
In Conclusion
1. Product cyber security is a risk source that
needs to be addressed
2. Understanding the link to safety can make
things
1. Safer
2. More secure
3. Cheaper
3. The interactions are complex, solutions exist
but there is a way to go
34
Private – Rolls-Royce Proprietary Information