Cyber Resilience Organizer and Moderator: Bharat Doshi Senior Research Scientist US Army CERDEC S&TCD

Transcription

1 Cyber Resilience Organizer and Moderator: Bharat Doshi Senior Research Scientist US Army CERDEC S&TCD 1

2 Panelists Dr. Patrick McDaniel, Professor, Compute Science & Engineering Department, Pennsylvania State University Dr. Nader Mehravari, MBCP, MBCI Cyber Risk and Resilience Management Team Software Engineering Institute Carnegie Mellon University Mr. Jim Gosler, Senior Fellow, Johns Hopkins University Applied Physics Laboratory (JHU/APL) 2

3 Questions What is Cyber Resilience? Anything special about 'Resilience' in Cyber domain? Why is 'Cyber Resilience' important? Why is it needed? What changes as we focus on 'Cyber Resilience'? Why is 'Cyber Resilience' challenging to achieve? Are there particular techniques/approach that have been successful? What is likely to succeed? 3

4 Patrick McDaniel Professor in the Computer Science and Engineering Department at the Pennsylvania State University Co-director of the Systems and Internet Infrastructure Security Laboratory IEEE Fellow, and Chair of the IEEE Technical Committee for Security and Privacy. Patrick's research efforts currently focus on network, telecommunications, systems security, languagebased security, and technical public policy. The Program manager and lead scientist for the newly created Cyber-Security Collaborative Research Alliance. 4

5 A Science of Cyber-Resilience Professor Patrick McDaniel Cyber-Security Collaborative Research Alliance Pennsylvania State University 5

6 What is Cyber-Resilience? A property of a system process or environment to sustain performance, fidelity, and access in the presence of Component Failures Resource starvation Adversarial action Human error Internet (edge) (remote hosts/servers) (hosts/desktops) LAN (perimeter) (server) 6

7 Physical Resilience Environment Humans are constantly put into vehicles that travel of MPH thousands of feet off the ground in unpredictable conditions. Pilot training and skills uneven Failure costs are immense Science/engineering: Difficult to get into a spin Hands-off flight is stable Engines are very robust Human performance: Constant failure detection Contingency planning Procedure driven recovery 7 Challenge: how to transfer centuries of resilience science to cyber?

8 Why Cyber-Resilience? Many outside of the security community want a science to predict whether a specific system will be compromised... which is impossible. In all likelihood it is probably impossible to ascertain whether any general-purpose computing systems is compromise-able. What can we hope to accomplish? Probabilistically identify where compromise is likely. Identify modifications to the system/environment that will reduce the likelihood of compromise. Adapt to compromise and isolate and control impacts of adversarial action! 8

9 Cyber-resilience requires making progress in the face of adversarial action is related but distinct from security which prevents adversarial action from being effective 9

10 Cyber-resilience operational challenge: Given a security and environmental state, what cyber-maneuvers best mitigate attacker actions and maximize operation success? Operation survivability is modeled as a continuous optimization (reconfiguration) of the security configuration and network capabilities in response to detected adversarial operations and situational needs of users and defenders. Cost and risk metrics are used to select optimal strategies and configurations that maximize operation success probabilities while mitigating adversarial actions. 10

11 The technical community does not know how to engineer resilient systems, and Security measurement (state, security posture, rates of change, intent, impact) Security configuration and reconfiguration Autonomic systems design (e.g., MTD) Risk collection and analysis Cyber decision making These are disciples with limited results because they are very difficult but must be overcome for us to realize operationally robust systems. Progress will lead to a science of cyber-resilience 11

12 Nader Mehravari CERT Division of SEI at CMU Current Areas: Operational Resilience Cyber Security Critical Infrastructure Protection and Sustainment Risk Management Etc. 33 Years: CERT (4), Lockheed Martin (19), Bell Labs (10) 12

13 Cyber Resilience Protecting and Sustaining Organizational Missions in Face of Modern Cyber Risk Dr. Nader Mehravari, MBCP, MBCI Cyber Risk and Resilience Management Team Software Engineering Institute Carnegie Mellon University October 28, Carnegie Mellon University

14 Outline 1. Setting the Stage Operational Stress Resilience Defined Risk and Resilience 2. From Resilience to Cyber Resilience Cybersecurity to Cyber Resilience 3. Techniques for Introducing, Improving and Managing Cyber Resilience Organizational Aspects Risk Management Aspects Non-Technology Aspects 14

15 What do you see here? 15 15

16 Look Again! 16 A tree under operational stress, while achieving its business mission. 16

17 Scope of Operational Stress Natural or Manmade Information Accidental or Intentional Small or Large Affecting Technology Facilities Information Technology or Operational Technology Kinetic of Cyber People Supply Chain / Raw Material 17

18 re sil ience noun [ri-ˈzil-yəns] power or ability to return to the original form, position, etc., after being bent, compressed, or stretched ability of an ecosystem to return to its original state after being disturbed physical property of a material that can return to its original shape or position after deformation that does not exceed its elastic limit Resiliency ability to recover from or adjust easily to misfortune or change ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation ability to recover readily from illness, depression, adversity, or the like capability of a strained body to recover its size and shape after deformation 18

19 Operational Resilience The emergent property of an entity that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit The ability of an entity to Prevent disruptions from occurring; And when struck by a disruption, the ability to quickly respond to and recover from a disruption in the primary business processes. 19

20 An Analogy: Health Is there a place that you can purchase health? Is there a place where health is manufactured? How do you become healthy? Health & Resilience: They are both emergent properties. 20

21 Federal Government s Definition The term "resilience" means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. February 2013 Executive Order (Improving Critical Infrastructure Cybersecurity) & Presidential Policy Directive PPD 21 (Critical Infrastructure Security and Resilience) 21

22 Not a New Concept For example, a formalization from 2008: Framework for managing and improving operational resilience A process improvement model 22

23 Operational Risk and Resilience A form of risk affecting day-to-day business operations A very broad risk category from high-frequency low-impact to low-frequency high-impact Exacerbated by actions of people systems and technology failures failed internal processes external events All Risk Faced by an Entity Operational Risk Operational resilience emerges from effective management of operational risk. 23

24 From Operational Risk to Cybersecurity Risk All Risk Faced by an Entity Operational Risk Cybersecurity Risk Cyber Resilience Operational Resilience 24

25 Cyber Intrusions are a Fact of Life 25

26 Traditional Information Security Function Protect / Shield / Defend / Prevent Is necessary Is not sufficient Fails too frequently 26

27 from Cybersecurity The desire to go Information Security IT Security OT Security to 27

28 Operational Resilience Starts at Asset Level Asset Protect Event Sustain Manage Conditions of Risk Keep assets from exposure to disruption (e.g., Fault-Tolerance & High- Availability Designs; Preparedness; Information Security) Manage Consequences of Risk Keep assets productive during adversity (e.g., Disaster Recovery, Business Continuity, Pandemic Planning, Crisis Management, COOP) 28

29 Techniques for Improving and Managing Cyber Resilience 29

30 Organizational Aspects How should organizational strategies, structures, roles, and responsibilities be adapted? Example: Traditional vs. Modern chief information security officer (CISO) 30

31 Prevention is futile 31

32 Modern CISO Protect / Shield / Defend / Prevent Monitor / Detect / Hunt Respond/ Recover / Sustain Management, Governance, Compliance, Education, Risk Management. 32

33 Risk Management Aspects How should organizations adapt their overall operational and cyber risk management principles and practices? Example: Integration, coordination, and convergence of operational and cyber risk management activities. 33

34 Continually balance protection and sustainment activities IT Security Info Security High-Availability Fault-Tolerance Physical Security Protection Activities COOP IT DR Incident Mgmt Crisis Mgmt Business Cont. Sustainment Activities 34

35 Integrate and coordinate all operational risk management activities Protection Activities Sustainment Activities 35

36 Integrate and coordinate all operational risk management activities Continuity of Operation (COOP) Contingency Planning Cyber Protection Supply Chain Continuity Pandem ic Planning Workforce Continuity Health & Safety Privacy Business Continuity Preparedness Planning Informati on Security IT Disaster Recovery Crisis Communications Crisis Manageme nt IT Operations Enterprise Risk Management Emergency Management Risk Manageme nt Operational Risk Management Workforce Continuity Physical Security Business Continuity IT Disaster Recovery Cyber & Operational Resilience Health & Safety Emergency Management Supply Chain Continuity IT Operations Information Security Crisis Management 36

37 Above and Beyond Technology Aspects What non-technology based tools and techniques could guide and assist organizations? Examples: Institutionalization and culture Use of structured (i.e., not ad hoc) frameworks Resilience Management Model 37

38 Create a culture of resilience 38

39 Invest in people and process (Not only in technology) 39

40 Utilize a proven and structured framework to guide resilience management activities Get model & tool Implement Improvements Perform Evaluation Prioritize and Plan Analyze Identified Gaps 40

41 What is Resilience Management Model? Framework for managing and improving operational resilience Guides implementation, mgmt., and sustainment of operational risk management activities Improves confidence in how an organization manages and responds to operational stress Focuses on What not How Applicable to a variety of organizations small or large simple or complex public or private an extensive super-set of the things an organization could do to be more resilient. - CERT-RMM adopter 41

42 A Sampling of CERT-RMM Applications and Derivatives 42

43 Notices Copyright 2015 Carnegie Mellon University and IEEE This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon and CERT are registered marks of Carnegie Mellon University. DM

44 Jim Gosler Senior Fellow at JHU/APL Member of several boards in DoD and IC (DSB, NSD, NSA Advisory Board,..) Cyber Security, Critical Infrastructure Protection, Counter-Proliferation, and Counter-Terrorism 33 years at Sandia, Fellow of Sandia, Visiting Scientist NSA, Senior Intelligence Service at CIA as the first Director of the Clandestine Information Technology Office (CITO). Several major awards DSB Study Report: Resiliency of Military Systems 44

45 The Digital Dimension CYBER Resilience Panel Jim Gosler October 28,

46 Defense Science Board Task Force The United States cannot be confident that our critical Information Technology (IT) systems will work under attack from a sophisticated and well-resourced opponent utilizing cyber capabilities in combination with all of their military and intelligence capabilities (a full spectrum adversary). 46

47 Resiliency of Military Systems in the Face of What? A normal and adversary free environment (MTBF) Abnormal but adversary free environment Act of God, user error, shock, fire, water, electrostatic, temperature, Conventional adversary jam, kinetic, Unconventional adversary (Somalia pirate Iran) Nation State adversary (China-Russia) Full spectrum Strategic preparation of the battlefield Aggressive use of global supply chain 47

48 Classes of Adversary Hacker ($10K) Criminal ($10M) Sophisticated ($10B) Red Team 48

49 Characteristics of Sophisticated Offensive Organization Significant Resources Worldwide Presence Mature Operational Tradecraft Diverse Network of Trusted Partners Diverse Network of Untrusted Partners Worldwide Secure Comms and Logistics Effective Security Program Mid-Point Collection Targeting and Analysis High Performance Computing and Cryptography Integration of Human and Technical Operations Integration of Offensive and Defensive Elements Ability to Operationally Introduce Exploitable Vulnerabilities Technically Feasible, Operationally Viable, Policy Friendly, and Politically Acceptable 49

50 The Ambiguity of Computer Network Defense Microelectronics and Software Satellite SCADA Weapons Network C 2 Logistics Switches Targets Common Perception of CND SIPRNET Cyber Defenses: Firewall Spyware Virus IDS Offensive Methods Entry Human Sigint ClanTech Cyber Special Liaison Deception Cover Company 50 Time, Place, Combination of Methods, and Secrecy

51 Risk Management 51

52 52

53 Observations NO short term answer. Technology alone will never be sufficient. NO Belly Button in charge, responsible, accountable across the full spectrum threat systems solution required. Strategies to deal with long term critical challenges must be sustainable across administrations and senior leadership rotation. Insufficient coupling between US offensive and defensive activities. Insufficient effort focused on development of a National technical cadre. IC not sufficiently engaged in the collection, analysis and reporting on the threat. IC reporting, in general, not actionable from defensive perspective. Many Senior decision makers lack sufficient insight into the criticality and complexity of this issue Risk Management difficult. Many Mission owners lack sufficient insight into strong connection between mission assurance and cyber assurance. Emphasis between enterprise networks and embedded systems is out-of-balance. Mission performance and functionality always trumps security. Probability of detection, probability of attribution, impact of defensive failure and consequence to the attacker are way out of balance. Principal adversaries of the US understand and are acting upon the asymmetric opportunities in this area the adversary gets a BIG VOTE. Our technical superiority could well become our greatest vulnerability in the face of tier 5/6 threats. 53