engineering safety and security in the era of the ...safety.addalot.se/upload/2017/1-2 oates.pdf ·...

32
Trusted to deliver excellence © 2017 Rolls-Royce plc The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other than that for which it is supplied without the express written consent of Rolls-Royce plc. This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or associated companies. Engineering Safety and Security in the era of the Industrial Internet of Things Dr Robert Oates Private Rolls-Royce Proprietary Information

Upload: others

Post on 11-Jun-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Trusted to deliver excellence

© 2017 Rolls-Royce plc

The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other

than that for which it is supplied without the express written consent of Rolls-Royce plc.

This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning

such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or

associated companies.

Engineering Safety and Security in

the era of the Industrial Internet of

Things

Dr Robert Oates

Private – Rolls-Royce Proprietary Information

Page 2: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Talk Structure

- Who am I?

- What is Product Cyber Security?

- Why is it important to understand the interactions between safety and security?

- How do safety and security interact?

Private – Rolls-Royce Proprietary Information

2

Page 3: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Private – Rolls-Royce Proprietary Information

Product Cyber Security Team3

Civil Aerospace

Defence Aerospace

Marine NuclearPower

Systems

Product Cyber Security Team

ProcessImprovement

Auditing Standardisation&

Best Practice

Project Support

Tooling

Page 4: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding
Page 5: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Sources of Product Cyber Security Risk5

Private – Rolls-Royce Proprietary Information

Attacker Capability / Motivation

Technical Sources

Cultural Sources

Page 6: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Technical Sources of Risk

Private – Rolls-Royce Proprietary Information

6

Higher Performance Systems

Hyperconnectivity

COTS

Big Data

Technical CyberRisk

Page 7: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Example: Maritime Sector

Private – Rolls-Royce Proprietary Information

7

ThrustHeading

Organisation

Automation FunctionsAutomation

FunctionsAutomation Functions

Monitoring Functions

Remote OperationLikelihood

Impact

• Data driven services

• Automation and remote access

• Wireless sensor networks

• Internet of Things

Vessel

Crew

Automation FunctionsAutomation

FunctionsIoTComponents

IoT Services

Organisation

Page 8: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Attacker Capability – Who is attacking?

CNI Attackers (From GAO):

• Nation states

• Terrorists

• Industrial spies and organised crime

• Hacktivists

• Hackers

8

Private – Rolls-Royce Proprietary Information

Page 9: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Attacker resources9

AttackerCapability

/Motivation

Private – Rolls-Royce Proprietary Information

Page 10: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

What can we do about PCS Risk?

Private – Rolls-Royce Proprietary Information

12

People

Process Technology

Page 11: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Risk Driven Design Processes13

Private - Rolls-Royce Proprietary Information

Technical Risk Assessment

Risk Treatment

Plan

Are risks acceptable?

Identify Mitigations

Update Design

Initial Design to Design Principles

Inputs:

i) Organisation:

->What’s our risk appetite?

ii) Functional Requirements

-> What are we making?

Next phaseyes

no

Page 12: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Secure Development Objectives

Private – Rolls-Royce Proprietary Information

14

Innate Security

Reactive Security

Security requirements across all sub systems to ensure that the system is secure at the system level

Active security features/subsystems that detect and react to intrusions

Information Assurance

The argument that the system is secure, through life

Page 13: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Changing Cultures

Security is everybody’s responsibility

Private – Rolls-Royce Proprietary Information

15

Training

Routes to escalation

Incident response planning

Security Champions

Communication

Page 14: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Changing Cultures

Proportionate, risk-based controls

Private – Rolls-Royce Proprietary Information

16

Keep costs down

Keep risks down

Understand risk

Page 15: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Risk Sources

Risk

Cyber Security

Attacks

Safety

Accidents

Economic

Financial Loss

17

Private – Rolls-Royce Proprietary Information

Page 16: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Statement 1

Product cyber security is a risk source that needs

to be addressed

18

Private – Rolls-Royce Proprietary Information

Page 17: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Fundamental Question

Can a software intensive system be

deemed safe if it isn’t secure?

19

Private – Rolls-Royce Proprietary Information

Page 18: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

The Enemies of Safety / The Results of Attacks

Non-determinism

Uncontrolled change

Poor communication/understanding

Private – Rolls-Royce Proprietary Information

20

Page 19: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Private - Rolls-Royce Proprietary Information

SECURITY

SAFETY

CRYPTO

Page 20: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Risk Driven Design Processes22

Private - Rolls-Royce Proprietary Information

Page 21: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Statement 2

Understanding the link to safety can make things

1. Safer

2. More secure

3. Cheaper

23

Private – Rolls-Royce Proprietary Information

Page 22: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding
Page 23: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Risk Direction: Safety

Private – Rolls-Royce Proprietary Information

25

Supplier Customer

Safety Risk

Financial Risk

Recompense

Page 24: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Risk Direction: Security

Private – Rolls-Royce Proprietary Information

26

Supplier

Customer

Security Risk

Legal Risk

Recompense

Attacker

Page 25: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Patching safety critical systems

Vulnerability

Researcher

Supplier

Malicious

Actors

System

Integrator

Discovery

Research

?

Exploitation

Research

?Remedial

actionsPatch application

Testing

and

recertification

Patch creation

Private – Rolls-Royce Proprietary Information

Page 26: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Patching safety critical systemsDiscovery

Patch application

Testing

and recertification

Discovery Discovery

. . .

. . .

. . .

Vulnerability

Researcher

Supplier

Malicious

Actors

System

Integrator

Response

cycleResponse

cycleResponse

cycle

Private – Rolls-Royce Proprietary Information

Page 27: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Design Principles in Opposition: Diversity

Private - Rolls-Royce Proprietary Information

Inputs

Outputs

System

Safety Security

P(failure) = 0.0001 Likelihood of attack?P(failure) = (0.0001)2

Implementation specific vulnerabilities

Specification vulnerabilities

Component vulnerabilities

Uncertainty: Low, de-risked from extensive testing and well established process

Low risk system Risky system!

System B

System A

Inputs Inputs

X

Extremely

Page 28: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Understanding Risk

Private – Rolls-Royce Proprietary Information

30

SafetySecurity

Data SafetyCyber

Security

• System level quality factors• Through life quality factors• Preventing harm• Design principles• Risk driven design change• Controls that are proportionate to risks

Page 29: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Technology

Private – Rolls-Royce Proprietary Information

31

Resist Detect and React

Network architecture• Interface control• Firewalls• Data diodes• Segregation

Protocol Selection

Cryptographic techniques• Cryptographic agility – quantum!• Legal issues

Multi-source localisation

Manual override

IDS• What is normal?• Interaction with watchdogs• Does “Adaptive” = “Non-deterministic” ?

Logging• Review processes

Reactions• Security responses shouldn’t

compromise safety• Safety responses shouldn’t

compromise security

Page 30: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

…but there are things missing.

Systems Engineering for Safety and Security

• Is a truly common risk model possible?

Efficient Incident Response

• Design for Forensics

• Team members

Intelligence Focus

• Where do you get threat intelligence from?

• How do you embed live intelligence into an engineering/maintainance process?

32

Private – Rolls-Royce Proprietary Information

Page 31: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

Statement 3

The interactions are complex. Some solutions exist,

but there is a way to go

33

Private – Rolls-Royce Proprietary Information

Page 32: Engineering Safety and Security in the era of the ...safety.addalot.se/upload/2017/1-2 Oates.pdf · 1. Product cyber security is a risk source that needs to be addressed 2. Understanding

In Conclusion

1. Product cyber security is a risk source that

needs to be addressed

2. Understanding the link to safety can make

things

1. Safer

2. More secure

3. Cheaper

3. The interactions are complex, solutions exist

but there is a way to go

34

Private – Rolls-Royce Proprietary Information