A Cross-Sector Perspective on Product Cyber Security

Transcription

1 A Cross-Sector Perspective on Product Cyber Security Dr Robert Oates Software Centre of Excellence, Rolls-Royce plc 2016 Rolls-Royce plc The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other than that for which it is supplied without the express written consent of Rolls-Royce plc. This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or associated companies. Trusted to deliver excellence

2 Key Messages 2 All industrial sectors are seeing a rise in cyber security risk There is a wealth of standards and guidance Some of it doesn t work Some of it does work There are things missing

3 The Software Centre of Excellence 3 Civil Aerospace Defence Aerospace Marine Nuclear Power Systems Software Centre of Excellence Process Improvement Auditing Standardisation & Best Practice Tooling Project Work

4 Binding Factors Across the Organisation 4 - Safety critical systems - High impact of failure - Complex systems - Strongly regulated sectors - Critical National Infrastructure - Multiple interfaces and entities - Emergent behaviour - High level of evidence for changes/updates - Pace of technology is faster than pace of regulatory change - Aggressive, highly motivated attackers

5 Why is cyber security risk growing in all sectors? 5 Attacker Capability / Motivation Technical Sources Cultural Sources

6 Technical Sources of Risk 6 Higher Performance Systems Better monitoring & analysis means more data More reliance Hyperconnectivity on data means a higher impact of losing data integrity/availability Risk System New services complexity require makes more exhaustive interconnectivity testing impossible Internet facing COTS services Internet-of-things technologies Market More connections driving use of invalidate COTS instead old models of dedicated, of trusted bespoke networks solutions Big Data COTS equipment is easier for researchers to analyse and attack Big data increases business reliance on high-integrity data which means new, publicised vulnerabilities

7 Cultural Sources of Risk 7 When does product cyber security not get dealt with? Low awareness / complacency: Nobody would attack us Poor regulatory / legal environment: We don t need this Poor skills / capability: This is too hard Inability to communicate problems to people who can solve them: Nobody s going to do anything about this Low economic margin sectors: You first Poor economic incentives: Nobody wants this It will be dealt with further up the supply chain: Not our problem

8 Attacker Resources Knowledge Commonalities with IT Cheaper systems components Shared tools and understanding 8 Time / Money Hackers as a service / niching Vulnerability marketplace Nation sponsored Impunity Complex, international prosecution Poor capability/resourcing of law enforcement agencies

9 How do we engineer secure systems? 9 People Process Technology Best Practice Market Drivers: insurance/regulation, market demand

10 Specific General Cross-Sector Cyber Security Standards/Guidance Landscape Development Architecture / Intelligence Generic Requirements 10 NIST SP Department of Homeland Security Resources IEC CESG IS1&2 UK Defence (now retired) NERC NEI 08/09 Nuclear (US) ED200 Series UK Defence Nuclear Aerospace

11 What Doesn t Work? 11 Airgaps Solutioneering Technology-specific Prescriptive Security Assuming safety makes you secure Assuming IT techniques will read across

12 What Works? - Process 12 Proportionate, risk-based controls Understand risk Keep costs down Keep risks down

13 What Works? - Process 13 System Reliability Security Cyber Security Safety Data Safety System level quality factors Through life quality factors Preventing harm Design principles Risk driven design change Controls that are proportionate to risks

14 Design Principles in Opposition: Diversity Safety Outputs Security P(failure) = (0.0001) 2 Likelihood of attack? X Implementation specific vulnerabilities Uncertainty: Low, de-risked from extensive testing and well established process System A System System B Specification vulnerabilities Component vulnerabilities Extremely Low risk system Inputs Inputs Inputs Risky system! Private - Rolls-Royce Proprietary Information

15 Maintenance Processes in Opposition: Patching Safety P(failure) = (0.0001) 2 Outputs Security Likelihood of attack? Vulnerability Report Uncertainty: High! What has the patch done to our systems? System A System B Need to retest, recertify. Low Risky risk system! Inputs Inputs Less Risky Risky system! system?

16 Risk Driven Design Processes 16 Inputs: i) Organisation: ->What s our risk appetite? Initial Design to Design Principles Technical Risk Assessment ii) Functional Requirements -> What are we making? Update Design Risk Treatment Plan Identify Mitigations no Are risks acceptable? yes Next phase Private - Rolls-Royce Proprietary Information

17 What Works? - People 17 Security is everybody s responsibility Training Routes to escalation Incident response planning Security Champions Communication

18 What s Missing? 18 Systems Engineering for Safety and Security Is a common risk model possible? Is a common impact model possible? Efficient Incident Response Forensics Team members Intelligence Focus Where do you get threat intelligence from? How do you use it?