Secure Product Development With Rapid Start
Get started now and launch your secure product on-time.
Hal Aldridge, Secmation


The first time an organization develops a secure product, it can be difficult getting started. The goal, whether as Executive, Product Manager, Project Manager, Architect, or Developer, is to get the security features implemented and the product launched on budget and schedule. The product will likely succeed or fail on the innovations and features unrelated to security. At best, the security features will allow the product to meet requirements and not get in the way. At worst, the security features will end up on the critical path in the product schedule and take away time and money that could be used making the product better.

How does an organization get started developing a secure product? The amount of security information available on the Internet is huge. Assigning an Engineer to search for security technologies and implement them is not an effective solution. General security training and certification is usually targeted at attacking and defending operational IT systems, not at implementing security in products. Most security consultants have an operational IT background and have not developed or launched a product. Secure product development is about understanding the security risks, determining which risks are unacceptable, mitigating the unacceptable risks efficiently, and reducing the other risks as project time and budget allow. The goal of this white paper is to present practical methods for adding security to a product while efficiently reducing risk.

The Secmation Rapid Start presented here provides a series of actionable steps to build security into a new or existing product. It is tailored for the requirements of Automation, Internet of Things (IoT), Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and other Embedded Security applications that communicate with Cloud services. Rapid Start is based on lightweight processes incorporating established security principles and best practices that provide confidence that the product will be robust to most real-world security threats. Most importantly, Rapid Start keeps the product team focused on launching the product with the features that will make it a success.

Common Security Problems in IoT/ICS

Computer and Network Security is an ongoing source of concern for governments, industries, companies, and individuals worldwide. The most common threats are cataloged in recent reports from organizations including Symantec [1] and HP Security Research [2]. These reports cover a broad spectrum of applications from mobile to cloud. Specific to IoT applications, the Open Web Application Security Project (OWASP) in its IoT Top Ten project [3] has determined the most prevalent vulnerabilities in IoT. HP used that information for a study [4] in which it compared the OWASP list to 10 of the most popular IoT devices on the market. HP found five of the OWASP vulnerability classes in 60-80% of the devices. Similar work is available for ICS security. NIST has identified Threat Sources, Vulnerabilities, and Incidents in ICS [5] that show how ICS systems have been successfully attacked. In 2013, the Department of Homeland Security's ICS Computer Emergency Response Team (ICS-CERT) cataloged 177 exploitable vulnerabilities found in ICS products from 52 vendors [6]. Many famous ICS attacks like Stuxnet, and less famous attacks, exploit vulnerabilities like those found in these ICS products. Comparing the OWASP IoT, HP IoT, NIST ICS, and ICS-CERT reports, IoT and ICS applications have common vulnerabilities. For example, HP determined 8 out of 10 IoT devices it studied had authorization issues, while ICS-CERT found 44% of the exploitable vulnerabilities in ICS products were authorization related. IoT and ICS systems share many common characteristics: embedded processing, distributed networks, small form factor, etc. While the security of ICS devices has been of concern since the mid-2000s, IoT security concerns are more recent and security has not been a priority in some existing products.

While neither ICS nor IoT security concerns have been studied as long as those of more general IT systems, the root cause of most ICS and IoT issues is the same as for IT systems. For example, OWASP and NIST both link their IoT and ICS studies to the Common Weakness Enumeration (CWE) database. CWE identifies and catalogs common code vulnerabilities found in IT applications and systems. Why is this commonality interesting? One of the principles of security engineering is that most of the real-world security vulnerabilities leading to successful attacks come from the same, preventable root causes. These root causes are common configuration, architecture, and coding issues that have been enumerated in multiple lists such as the CWE/SANS Top 25 [7] and the SANS Top 20 Security Controls [8]. Resolving these root causes will not prevent advanced attacks from succeeding, but it will significantly reduce security risk.

If these common security issues are known, why is security still an area of significant concern? IT systems are made up of large amounts of code and equipment from multiple sources; they are complex and change configuration regularly. It is difficult to ensure that all the code has been checked to remove the common vulnerabilities and that the systems are properly configured. As a result, attacks that exploit these vulnerabilities are used because they work and are commonly available to attackers. The key to developing secure IoT/ICS products is to understand that developers can take advantage of the best practices developed for IT, tailored for IoT/ICS. IoT/ICS developers can implement the tailored practices more successfully than is possible in an IT application, resulting in a more secure product at lower cost. This secure development is possible by leveraging features that make IoT/ICS different from IT, such as a smaller codebase, established interfaces, functional separation, and required testing. This white paper focuses on actionable processes, techniques, and tools to rapidly enable security in IoT/ICS products.

Security Design

The goals of security design are: developing a framework robust to most threats the product will see in its planned application; protecting what needs to be protected while minimizing risk; minimizing the complexity of the system so security can be tested and verified; specifying the security for implementation; and interfering as little as possible with system functionality. Rapid Start uses a simple security design philosophy based on five security principles: Trust, Separation, Least Privilege, CIA, and Secure Coding. A system design using these principles enables secure operation of an IoT/ICS system before, during, and after an attack.

Trust

Can computer code, a network device, or a file sent by email be trusted? Does it come from a known, reputable source? Has it been shown to function properly? Will the organization that created it stand behind its work? Answering these types of questions determines how much trust to place in data, code, or systems. Like most things in security, the trust determination is really a risk management decision. For a trusted system, the software that manages start-up, system configuration, security, monitoring, and safe operations must be trusted to reduce the risk of it being affected by an attack. Developing trusted code can be expensive and may force rewriting available, running code. For a properly architected system, not all software in the system needs to be trusted, enabling faster development and code reuse. However, this untrusted software may contain exploitable security vulnerabilities that could cause a security event (data breach, etc.). The trusted code must be separated from the untrusted code so that exploiting the untrusted code does not gain access to security critical data, control critical system functions, or contaminate the system by interfering with the operation of the trusted code.

Separation

A fundamental concept in security is that the more complex a system is, the less likely it is to be secure. Larger codebases have more opportunities to contain vulnerabilities. The more complex the networks and protocols are, the more opportunities there are for insecure configurations or unsecured accesses. Most importantly, more complex systems make it harder to validate the security, so the real security risk is unknown. Separation is a method to manage complexity. Instead of a single, large grouping of functions, data, or networks running in a single, fully connected environment, Separation moves related functions to different environments and provides isolation between environments. A common computing technique that enforces Separation is Virtualization. The Virtual Machines are isolated from each other by a Hypervisor. The more Trusted the Hypervisor, the more reliable the isolation. Modern Operating Systems (OS) have been used as Hypervisors and, if properly configured, can enforce the Separation and Least Privilege (discussed next) needed for IoT/ICS. Secure system architecture design separates the trusted and untrusted processes, networks, I/O, and other functions and rigorously controls any interfaces between them. Architectural separation is not feasible all of the time. Some sharing of resources by trusted and untrusted processes is inevitable. In the shared case, focus must be on limiting the risk that the untrusted functions will interfere with the secure operation of the trusted functions.

Least Privilege

An important security concept is that the less access a user or device has to a system, the lower the security risk it poses. No Privilege would imply the highest security. Least Privilege is the compromise between maximizing security and enabling enough access for reliable operation. Security policies, access controls, and similar OS and security functions offer restrictive options. To truly enforce Least Privilege, best practice is to start with the most restrictive configuration and add the connectivity needed, rather than start with full connectivity and take selected connectivity away. Operationally, most IT systems seek a compromise to keep users happy and avoid excessive help desk tickets and approvals to add access. For IoT/ICS applications, the access required is normally well established by design, enabling an effective Least Privilege configuration.

Confidentiality, Integrity, and Availability

Confidentiality, Integrity, and Availability (CIA) is a guiding principle in security. Confidentiality relates to protecting data from being seen by unauthorized actors (e.g. encrypting a database containing private information). Integrity relates to assuring the data has not been corrupted and comes from the authorized source (e.g. a properly signed contract). Availability relates to having access to the information when it is needed (e.g. having the correct password to access the data). The goals of these principles can conflict (e.g. all system passwords were reset to protect data confidentiality and now authorized users cannot access the data they need). For IoT/ICS applications, CIA should be considered carefully to ensure effective, reliable system operation. For example, not all data in these applications is confidential, but much of the data must have its integrity verified and be available. Erroneous CIA decisions can lead to poor, unreliable product performance. CIA is important to how IoT/ICS products interact with external trusted computers, networks, clouds, etc. Good security practice is to assume all data is invalid or malicious until checked by a trusted process and proven safe and correct. Focusing on verifying security and implementing protocols correctly will increase the security of the system.

Secure Coding

Writing trusted code is the same as writing high reliability code. The code is designed to meet a set of specific requirements, implemented using design standards, reviewed by a group of peers, and tested to validate that it meets the requirements. Like Safety, Security adds its own set of criteria that must be considered in the development process. Effective guidance is available to provide a starting point in secure code design [9], code review [10], and testing [11], including the use of Automated Testing. These best practices are adaptable to an organization's preference for a Waterfall or Agile [12] process. The security specific activities can be part of a Secure Design Lifecycle Process (SDLC) such as the Microsoft SDL [13]. Depending on the level of security required, the risk tolerance of the organization, and the threats in an application, the rigor of the SDLC implementation is adjusted to fit the product needs. A security guidance based approach, incorporated with a reasonably rigorous, established software development process, will perform the same function as an SDLC for most IoT/ICS applications.

The security design philosophy discussed limits the amount of trusted code through good architectural decisions. Trusted code is needed to boot and configure/update the system correctly. During normal operations, trusted code performs security critical functions, monitoring, and configuration changes. During an attack, trusted code provides a trusted fallback mode for safe, minimum operations and/or shutdown.

Untrusted functions make up the majority of the code in most applications. The untrusted code can perform functions such as operator interfaces, data reduction, control algorithms, etc. that can be very complex and utilize significant system resources. Much of this code can be pre-existing, open source, and/or of variable quality. The goal of the security design is to protect these untrusted functions from attack. However, some attacks can get through the defenses provided and, at least initially, not be detected. It is difficult and expensive in many applications to start over and develop/re-develop the code in these untrusted functions with the same rigor as trusted code. An effective compromise is to target the most common security issues (e.g. from the CWE/SANS Top 25), prioritize the issues found by risk to the system, and fix/resolve the issues that lead to the higher risk areas.

The use of automated testing tools has become best practice in software design. The ability of these tools to provide reliable coverage and detection of coding problems makes them an excellent investment if used correctly and the issues found are fixed. Static Analysis Tools test source code when it is not executing. A good starting point for Static Analysis of trusted code, and a good compromise to improve untrusted code security quickly, is to focus on common security coding issues. The Common Weakness Enumeration program discussed earlier maintains a CWE Compatibility Program [14] with a list of available products that detect issues related to the CWE database.

Secmation Rapid Start

The Secmation Rapid Start uses the principles presented in this white paper to enable development of secure products. It is targeted towards the specific needs of Automation, Internet of Things (IoT), Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and other Embedded Security applications that communicate with Cloud services. The Secmation Rapid Start is a collection of lightweight processes and best practices that:

- Enables IoT/Embedded product developers to rapidly implement the level of security that their applications require
- Provides actionable tasks to implement security, not general process guidance
- Focuses the product team on development instead of becoming security experts
- Launches secure products now with a path to grow to a full Security Design Lifecycle Process

The Rapid Start steps that guide the development team in designing, implementing, testing, releasing and maintaining product security are summarized next. The full Rapid Start available from Secmation includes specific, actionable guidance on how the steps can be performed effectively.

Determine What Needs to be Protected and Identify Risks

- Rely on industry guidance, security providers, and customer requirements to define most security requirements.
- Use a Risk Management process to identify security risks and plan to mitigate them. Keep focus on unacceptable security risks that will stop or delay product launch.
- Perform limited threat modeling on selected high-risk areas to refine security requirements and assist the design process.

Design Architecture Based on Simple Security Principles and a Properly Configured OS

- Determine security critical (trusted) functions and separate them from untrusted functions to simplify system security design.
- Design I/O and network topology to maintain separation between critical and non-critical functions. Specify restrictive interfaces between trusted and untrusted functions.
- Harden the Operating System using available security guidance to enable security features and enforce separation. Start with maximum-security settings (e.g. mandatory access control, least privilege) and only lower them when absolutely required for system operation.

Build Small Trusted Codebase to Protect Interfaces and Fight Through Attack

- Trusted code is required to implement security critical functions, basic safety systems, a minimum operating capability to use if attacked, and protection of the interfaces between trusted and untrusted code/network.
- Focus internal resources on product specific elements (safety, minimum operations, specific interfaces). Adopt and use a minimum set of best coding practices, perform code review, and use static analysis tools for unit testing.
- Outsource security critical functions to experts. Keep the product team's focus on launching the product, not developing security expertise. Specify what security critical functions the product needs and purchase existing code or contract development for the required code.

Fix Normally Occurring Security Issues in Existing Code Using Automated Tools

- For an existing codebase the product needs that will not be part of the trusted functions, focus on fixing the primary causes of security problems. The goal is to reduce an attacker's capability to contaminate system resources shared with trusted code (e.g. memory) through a successful attack.
- Use automated static analysis tools pre-programmed to rapidly identify the common security issues, prioritize the identified areas to fix, and update the code.

Perform Security Testing Focused on High Risks Using Automated Tools and External Resources

- Design a test plan focusing on unacceptable product security risks which would delay launch. Prioritize other security testing on a cost/risk basis.
- Integrate the system and ensure functionality is operating properly with minimal or no security active. Place it under configuration control.
- Perform security testing using automated dynamic testing tools, including fuzzing.
- Outsource security penetration testing. Select an outside testing firm with security expertise in the product's application area. Using outside testing experts will find issues unanticipated by the development team.
- Fix security issues found related to unacceptable risks that would stop launch. Prioritize other issues based on risk/cost.

Develop Security Response/Maintenance Plan and Release Product

- Develop a security maintenance plan to gather security operational data, collect security related issues, develop patches, and securely distribute updates.
- Develop a security response plan to react to major security issues. Allocate a trained response team, have basic code in place to diagnose and remediate, and develop a communications plan.
- Hold a final security review and brief management on any remaining security issues. The decision to release the product is formal or informal acceptance of those remaining risks.
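The restrictive interface between trusted and untrusted functions that the Design Architecture and Build Small Trusted Codebase steps call for, as an added example in C that is not part of the Rapid Start or of Secmation's code: a trusted-side parser for a constructed command frame format that bounds every sender-supplied length before using it, checks integrity, accepts only known commands with in-range payloads, and enforces a default-deny per-role allow-list. The frame layout, command ids, roles and the SETPOINT_MAX limit are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed frame format for this example (not a Secmation or standard format):
 *   byte 0: payload length N (0..MAX_PAYLOAD)   byte 1: command id
 *   bytes 2..N+1: payload    bytes N+2,N+3: CRC-16/CCITT over bytes 0..N+1, big-endian */
#define MAX_PAYLOAD  16u
#define HDR_LEN      2u
#define CRC_LEN      2u
#define MAX_FRAME    (HDR_LEN + MAX_PAYLOAD + CRC_LEN)
#define SETPOINT_MAX 1000u   /* hypothetical engineering limit for the device */
enum cmd_id { CMD_READ_STATUS = 0x01, CMD_SET_SETPOINT = 0x02 };

/* Least privilege: the trusted side identifies untrusted callers by role and keeps
 * the allow-list itself. Anything not listed is denied; 0 marks an unused slot. */
enum caller_role { ROLE_OPERATOR_UI = 0, ROLE_CONTROL_LOOP = 1, ROLE_COUNT };
static const uint8_t role_allow[ROLE_COUNT][2] = {
    [ROLE_OPERATOR_UI]  = { CMD_READ_STATUS, 0 },
    [ROLE_CONTROL_LOOP] = { CMD_READ_STATUS, CMD_SET_SETPOINT },
};
typedef enum { PARSE_OK = 0, PARSE_TOO_SHORT, PARSE_BAD_LENGTH, PARSE_BAD_CRC,
               PARSE_UNKNOWN_CMD, PARSE_BAD_PAYLOAD, PARSE_NOT_PERMITTED } parse_result_t;
typedef struct { uint8_t cmd; size_t payload_len; uint8_t payload[MAX_PAYLOAD]; } cmd_frame_t;

static uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

static bool role_permits(enum caller_role role, uint8_t cmd)
{
    if ((unsigned)role >= ROLE_COUNT) return false;          /* unknown role: deny */
    for (size_t i = 0; i < sizeof role_allow[role]; i++)
        if (role_allow[role][i] != 0 && role_allow[role][i] == cmd) return true;
    return false;
}

/* Trusted-side parser: every sender-supplied value is checked against limits held
 * in trusted code before any byte is copied into trusted memory. */
parse_result_t parse_frame(const uint8_t *buf, size_t buf_len, enum caller_role role, cmd_frame_t *out)
{
    if (buf == NULL || out == NULL) return PARSE_TOO_SHORT;
    memset(out, 0, sizeof *out);
    if (buf_len < HDR_LEN + CRC_LEN) return PARSE_TOO_SHORT;
    size_t n = buf[0];
    /* Bound the sender's length by a trusted constant before it becomes a copy length
     * or index (the CWE-120 / CWE-787 class), and require the exact frame size so
     * trailing or missing bytes are rejected rather than silently ignored. */
    if (n > MAX_PAYLOAD || buf_len != HDR_LEN + n + CRC_LEN) return PARSE_BAD_LENGTH;
    /* Integrity against corruption in transit only: a CRC does not prove who sent the
     * frame. Sender authentication needs a MAC or signature, one of the security-critical
     * functions the paper recommends sourcing from experts rather than writing in-house. */
    uint16_t got = (uint16_t)((buf[HDR_LEN + n] << 8) | buf[HDR_LEN + n + 1]);
    if (crc16_ccitt(buf, HDR_LEN + n) != got) return PARSE_BAD_CRC;
    uint8_t cmd = buf[1];
    switch (cmd) {                                 /* allow-list of known commands */
    case CMD_READ_STATUS:
        if (n != 0) return PARSE_BAD_PAYLOAD;
        break;
    case CMD_SET_SETPOINT: {
        if (n != 2) return PARSE_BAD_PAYLOAD;
        uint16_t sp = (uint16_t)((buf[HDR_LEN] << 8) | buf[HDR_LEN + 1]);
        if (sp > SETPOINT_MAX) return PARSE_BAD_PAYLOAD;   /* semantic range check */
        break;
    }
    default:
        return PARSE_UNKNOWN_CMD;
    }
    if (!role_permits(role, cmd)) return PARSE_NOT_PERMITTED;
    out->cmd = cmd;
    out->payload_len = n;
    memcpy(out->payload, buf + HDR_LEN, n);        /* n proven <= MAX_PAYLOAD above */
    return PARSE_OK;
}

/* Frame builder (what the untrusted side would do); returns frame length, or 0 on error. */
size_t build_frame(uint8_t cmd, const uint8_t *payload, size_t n, uint8_t *out, size_t cap)
{
    if (n > MAX_PAYLOAD || cap < HDR_LEN + n + CRC_LEN) return 0;
    out[0] = (uint8_t)n;
    out[1] = cmd;
    if (n) memcpy(out + HDR_LEN, payload, n);
    uint16_t crc = crc16_ccitt(out, HDR_LEN + n);
    out[HDR_LEN + n] = (uint8_t)(crc >> 8);
    out[HDR_LEN + n + 1] = (uint8_t)(crc & 0xFFu);
    return HDR_LEN + n + CRC_LEN;
}

/* Build a frame, optionally flip one bit (simulated corruption or tampering), and
 * run it through the trusted parser. Returns the parser's verdict. */
parse_result_t demo_roundtrip(uint8_t cmd, const uint8_t *payload, size_t n, enum caller_role role, int corrupt_index)
{
    uint8_t frame[MAX_FRAME];
    cmd_frame_t parsed;
    size_t len = build_frame(cmd, payload, n, frame, sizeof frame);
    if (len == 0) return PARSE_BAD_LENGTH;
    if (corrupt_index >= 0 && (size_t)corrupt_index < len) frame[corrupt_index] ^= 0x01u;
    return parse_frame(frame, len, role, &parsed);
}
```

In a product the builder would live in the untrusted process and the parser in the trusted one; demo_roundtrip exists only so the checks can be exercised stand-alone.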

How Secmation Can Help

Secmation provides engineering, technology, and tools to add information security to new and existing products. We specialize in emerging security applications that are not well served by traditional IT solutions. Our goal is to demystify security design, manage and develop it like any other technology, and keep product teams focused on the success of their product. We are product developers first and security experts second. We understand the challenges product teams have and integrate with them, providing our security experience to support a successful launch. Secmation provides the tools the product team needs to implement security with minimal overhead. Our experts have experience in secure systems engineering, security architecture, secure software and hardware design, implementation, testing, and support, enabling us to assist the full product lifecycle. Secmation expertise can help get secure products launched now and provide a path towards improved security capability, reducing the time and cost of future products.

Secmation provides:

- Security Consulting Services: Develop security requirements, provide alternatives for security solutions, evaluate security implementations, participate in design reviews, and assist in remediating security issues.
- Security Architecture and Engineering: Design security architectures, develop security specifications, develop security plans, develop secure code, and perform security testing.
- Security Project Management: Project plans, make/buy assistance, and vendor management.
- Training: Not general security certification or academic security courses, but targeted, customized technical, process, and tool training to get the product team familiar with best security practices.
- Proposal Development: Sell security to senior management and customers. We assist in proposal and business case strategy, implementation, review, and presentation.
Contact Info

For further information on Rapid Start or to discuss your secure product development needs, please visit Secmation's website or send email to info@secmation.com.

References/Links

[1] Internet Security Risk Report, Volume 20, Symantec.
[2] Cyber Risk Report 2015, HP Security Research.
[3] OWASP Internet of Things Top Ten Project.
[4] Internet of Things Research Study, HP.
[5] Guide to Industrial Control Systems (ICS) Security, NIST Special Publication, Rev 2, Final Public Draft.
[6] ICS-CERT Monitor, DHS, January-April 2014 edition, cert.us-cert.gov/sites/default/files/monitors/ics-CERT_Monitor_%20Jan-April2014.pdf
[7] CWE/SANS Top 25 Most Dangerous Software Errors.
[8] Critical Security Controls, SANS Institute.
[9] Fundamental Practices for Secure Code Development, Second Edition, SAFECode.
[10] OWASP Code Review Project.
[11] OWASP Testing Project.
[12] Practical Security Stories and Security Tasks for Agile Development Environments, SAFECode.
[13] Microsoft Security Development Lifecycle.
[14] CWE Compatible Products and Services.


More information

Implementing Your BYOD Mobility Strategy An IT Checklist and Guide

Implementing Your BYOD Mobility Strategy An IT Checklist and Guide Implementing Your BYOD Mobility Strategy An IT Checklist and Guide 2012 Enterproid IBYOD: 120221 Content 1. Overview... 1 2. The BYOD Checklist... 1 2.1 Application Choice... 1 2.2 Installation and Configuration...

More information

Software Architectural Risk Analysis (SARA): SSAI Roadmap

Software Architectural Risk Analysis (SARA): SSAI Roadmap Software Architectural Risk Analysis (SARA): SSAI Roadmap Frédéric Painchaud DRDC Valcartier / Systems of Systems November 2010 Agenda Introduction Software Architectural Risk Analysis Linking to SSAI

More information

Accelerate Your Enterprise Private Cloud Initiative

Accelerate Your Enterprise Private Cloud Initiative Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service

More information

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface ORGANIZATION SNAPSHOT The level of visibility Tenable.io provides is phenomenal, something we just

More information

Continuous protection to reduce risk and maintain production availability

Continuous protection to reduce risk and maintain production availability Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading

More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

Achieving End-to-End Security in the Internet of Things (IoT)

Achieving End-to-End Security in the Internet of Things (IoT) Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of

More information

RiskSense Attack Surface Validation for IoT Systems

RiskSense Attack Surface Validation for IoT Systems RiskSense Attack Surface Validation for IoT Systems 2018 RiskSense, Inc. Surfacing Double Exposure Risks Changing Times and Assessment Focus Our view of security assessments has changed. There is diminishing

More information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating

More information

Security Solutions. Overview. Business Needs

Security Solutions. Overview. Business Needs Security Solutions Overview Information security is not a one time event. The dynamic nature of computer networks mandates that examining and ensuring information security be a constant and vigilant effort.

More information

Why Crowdsourced Security?

Why Crowdsourced Security? Why Crowdsourced Security? Highlights There is a fundamental imbalance between the creativity and motivations of cyber attackers, and those of enterprise security defenders. rowdsourced Security is a powerful

More information

Achieving Java Application Security With Parasoft Jtest

Achieving Java Application Security With Parasoft Jtest Achieving Java Application Security With Parasoft Jtest Cloud computing continues to gain traction as enterprises increasingly embrace the shift to Internet-based environments. Unfortunately, this also

More information

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences Undergraduate Programs - Bachelor B.S. Computer Game Design Upon completion of the B.S. degree in Computer Game Design, students

More information

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Addressing Cybersecurity in Infusion Devices

Addressing Cybersecurity in Infusion Devices Addressing Cybersecurity in Infusion Devices Authored by GEORGE W. GRAY Chief Technology Officer / Vice President of Research & Development Ivenix, Inc. INTRODUCTION Cybersecurity has become an increasing

More information

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ENERGY AUTOMATION - SMART GRID Restricted Siemens AG 20XX All rights reserved. siemens.com/answers Frederic Buchi, Energy Management Division, Siemens AG Cyber

More information

Paper. Delivering Strong Security in a Hyperconverged Data Center Environment

Paper. Delivering Strong Security in a Hyperconverged Data Center Environment Paper Delivering Strong Security in a Hyperconverged Data Center Environment Introduction A new trend is emerging in data center technology that could dramatically change the way enterprises manage and

More information

CYBER SECURITY AIR TRANSPORT IT SUMMIT

CYBER SECURITY AIR TRANSPORT IT SUMMIT CYBER SECURITY AIR TRANSPORT IT SUMMIT SHARING GOOD PRACTICES VIVIEN EBERHARDT, SITA CYBER SECURITY CYBER SECURITY AIR TRANSPORT IT SUMMIT SHARING GOOD PRACTICES VIVIEN EBERHARDT, SITA CYBER SECURITY CYBER

More information

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved. EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT An Insight Cyber White Paper Copyright Insight Cyber 2018. All rights reserved. The Need for Expert Monitoring Digitization and external connectivity

More information

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE WHITEPAPER RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE CONTENTS Executive Summary........................................ 3 Transforming How We Think About Security.......................... 4 Assessing

More information

Influence and Implementation

Influence and Implementation Influence and Implementation Wes Earnest April 2017 GSEC/GCIA/GCIH/ GWAPT/GPEN/GCCC/GSNA/ PMP/CISA/CISM/CGEIT SANS Technology Institute - Candidate for Master of Science Degree 1 1 Objective What does

More information

Ensuring System Protection throughout the Operational Lifecycle

Ensuring System Protection throughout the Operational Lifecycle Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service

More information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002 ISO 27002 COMPLIANCE GUIDE How Rapid7 Can Help You Achieve Compliance with ISO 27002 A CONTENTS Introduction 2 Detailed Controls Mapping 3 About Rapid7 8 rapid7.com ISO 27002 Compliance Guide 1 INTRODUCTION

More information

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group Defence Research and Development Canada Recherche et développement pour la défense Canada Canada Agenda

More information

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better

More information

High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity

High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity Distribution A: SSC17-V-01 High-Assurance Cyber Space Systems (HACSS) for Small Satellite Mission Integrity Daria C. Lane, Enrique S. Leon, Francisco C. Tacliad, Dexter H. Solio, Ian L. Rodney, Dmitriy

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

Five Steps to Improving Security in Embedded Systems

Five Steps to Improving Security in Embedded Systems AN INTEL COMPANY Five Steps to Improving Security in Embedded Systems WHEN IT MATTERS, IT RUNS ON WIND RIVER EXECUTIVE SUMMARY Headline-grabbing security breaches underscore the need for stronger protective

More information

MOBILE OPERATING SYSTEM TRANSITION Insights and Considerations

MOBILE OPERATING SYSTEM TRANSITION Insights and Considerations MOBILE OPERATING SYSTEM TRANSITION Insights and Considerations Mobile Operating System Transition Insights and Considerations www.honeywellaidc.com 1 Introduction A shift in the mobile operating system

More information

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational

More information

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive

More information

align security instill confidence

align security instill confidence align security instill confidence cyber security Securing data has become a top priority across all industries. High-profile data breaches and the proliferation of advanced persistent threats have changed

More information

Cyber Security For Business

Cyber Security For Business Cyber Security For Business In today s hostile digital environment, the importance of securing your data and technology cannot be overstated. From customer assurance, liability mitigation, and even your

More information

You knew the job was dangerous when you took it! Defending against CS malware

You knew the job was dangerous when you took it! Defending against CS malware You knew the job was dangerous when you took it! Defending against CS malware Presented By: Doug Cavit Microsoft Where PI geeks meet 9/23/2010 NERC HILF 6/10 Adequately addressing vulnerabilities will

More information

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare INFORMATION SECURITY A briefing on the information security controls at Computershare One line heading > One line subheading INTRODUCTION Information is critical to all of our clients and is therefore

More information

Cybersecurity in Government

Cybersecurity in Government Cybersecurity in Government Executive Development Course: Digital Government Ng Lup Houh, Principal Cybersecurity Specialist Cybersecurity Group 03 April 2018 Agenda Cyber Threats & Vulnerabilities Cyber

More information

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability

More information

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite: Secure Java Web Application Development Lifecycle - SDL (TT8325-J) Day(s): 5 Course Code: GK1107 Overview Secure Java Web Application Development Lifecycle (SDL) is a lab-intensive, hands-on Java / JEE

More information

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Cyber Security and Inside Threats: Turning Policies into Practices Presented by Ingrid Fredeen and Pamela Passman Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Presented By Ingrid Fredeen, J.D.

More information

Unit Level Secure by Design Approach

Unit Level Secure by Design Approach Unit Level Secure by Design Approach Abstract Authors: Vasantharaju MS & Joshua Cajetan Rebelo Vasantharaju_MS@McAfee.com Joshua.Rebelo@Siemens.com With cyber-attacks on the rise and high-profile breaches

More information

McAFEE PROFESSIONAL SERVICES. Unisys ClearPath OS 2200 Security Assessment White Paper

McAFEE PROFESSIONAL SERVICES. Unisys ClearPath OS 2200 Security Assessment White Paper McAFEE PROFESSIONAL SERVICES Unisys ClearPath OS 2200 Security Assessment White Paper Prepared for Unisys Corporation April 25, 2017 Table of Contents Executive Summary... 3 ClearPath Forward OS 2200 Summary...

More information

Secure Development Lifecycle

Secure Development Lifecycle Secure Development Lifecycle Strengthening Cisco Products The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness.

More information

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment SWG G 3 2016 v0.2 ISAO Standards Organization Standards Working Group 3: Information Sharing Kent Landfield, Chair

More information

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture February 2019 Challenging State of Vulnerability Management Today: Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture In the last two years, businesses and governments have seen data breaches

More information

locuz.com SOC Services

locuz.com SOC Services locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security

More information

SDLC Maturity Models

SDLC Maturity Models www.pwc.com SDLC Maturity Models SecAppDev 2017 Bart De Win Bart De Win? 20 years of Information Security Experience Ph.D. in Computer Science - Application Security Author of >60 scientific publications

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

deep (i) the most advanced solution for managed security services

deep (i) the most advanced solution for managed security services deep (i) the most advanced solution for managed security services TM deep (i) suite provides unparalleled threat intelligence and incident response through cutting edge Managed Security Services Cybersecurity

More information

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI ) is a trademark of the U.S. Department of Homeland

More information

Gujarat Forensic Sciences University

Gujarat Forensic Sciences University Gujarat Forensic Sciences University Knowledge Wisdom Fulfilment Cyber Security Consulting Services Secure Software Engineering Infrastructure Security Digital Forensics SDLC Assurance Review & Threat

More information

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group Future Challenges and Changes in Industrial Cybersecurity Sid Snitkin VP Cybersecurity Services ARC Advisory Group Srsnitkin@ARCweb.com Agenda Industrial Cybersecurity Today Scope, Assumptions and Strategies

More information

IT SECURITY FOR NONPROFITS

IT SECURITY FOR NONPROFITS IT SECURITY FOR NONPROFITS COMMUNITY IT INNOVATORS PLAYBOOK April 2016 Community IT Innovators 1101 14th Street NW, Suite 830 Washington, DC 20005 The challenge for a nonprofit organization is to develop

More information

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin Internet of Things Internet of Everything Presented By: Louis McNeil Tom Costin Agenda Session Topics What is the IoT (Internet of Things) Key characteristics & components of the IoT Top 10 IoT Risks OWASP

More information

Firewalls (IDS and IPS) MIS 5214 Week 6

Firewalls (IDS and IPS) MIS 5214 Week 6 Firewalls (IDS and IPS) MIS 5214 Week 6 Agenda Defense in Depth Evolution of IT risk in automated control systems Security Domains Where to put firewalls in an N-Tier Architecture? In-class exercise Part

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

McAfee Embedded Control

McAfee Embedded Control McAfee Embedded Control System integrity, change control, and policy compliance in one solution for integrated control systems McAfee Embedded Control for integrated control systems (ICSs) maintains the

More information

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

Jim Reavis CEO and Founder Cloud Security Alliance December 2017 CLOUD THREAT HUNTING Jim Reavis CEO and Founder Cloud Security Alliance December 2017 A B O U T T H E BUILDING SECURITY BEST PRACTICES FOR NEXT GENERATION IT C L O U D S E C U R I T Y A L L I A N C E GLOBAL,

More information

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Introduction Amazon Web Services (AWS) provides Infrastructure as a Service (IaaS) cloud offerings for organizations. Using AWS,

More information

Samu Konttinen, CEO Q3 / 2017 CORPORATE SECURITY REVENUE UP BY 11% - GOOD GROWTH CONTINUED

Samu Konttinen, CEO Q3 / 2017 CORPORATE SECURITY REVENUE UP BY 11% - GOOD GROWTH CONTINUED Samu Konttinen, CEO Q3 / 2017 CORPORATE SECURITY REVENUE UP BY 11% - GOOD GROWTH CONTINUED 1 AGENDA Key takeaways from Q3 Key figures Business updates Outlook Financials FAQ All figures refer to continuing

More information

10 FOCUS AREAS FOR BREACH PREVENTION

10 FOCUS AREAS FOR BREACH PREVENTION 10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual

More information

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology ebook BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS

More information

Jeff Wilbur VP Marketing Iconix

Jeff Wilbur VP Marketing Iconix 2016 Data Protection & Breach Readiness Guide February 3, 2016 Craig Spiezle Executive Director & President Online Trust Alliance Jeff Wilbur VP Marketing Iconix 1 Who is OTA? Mission to enhance online

More information

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management

A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management D r. J o h n F. M i l l e r T h e M I T R E C o r p o r a t i o n P e t e r D. K e r t z n e r T h

More information

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods,

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods, PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT Eoin Woods, Endava @eoinwoodz BACKGROUND Eoin Woods CTO at Endava (technology services, ~4000 people) 10 years in product development - Bull, Sybase,

More information

ISAO SO Product Outline

ISAO SO Product Outline Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing

More information