Why Security Fails in Federated Systems

Transcription

1 Why Security Fails in Federated Systems Dr. Clifford Neuman, Director USC Center for Computer Systems Security Information Sciences Institute University of Southern California CSSE Research Review University of Southern California 7 March 2012

2 Securing the Uncontrollable Security is About Boundaries We must understand the boundaries Containment of compromise is based on those boundaries Federated Systems Cross Boundaries Federation is about control And the lack of central coordinated control By definition, we can t control parts of the system. Protecting such systems requires constraints at the boundaries.

3 Federated Systems The Power Grid Utilities, Operators, Customers with differing objectives. Cloud Computing Companies, providers, users The Financial System Each financial firm must protect itself The Internet Numerous independent domains of control.

4 How Federation Fails Traditional Security It s about protecting the perimeter. Imposing policy on ability to access protected resources. In Federated Systems The adversary is within the perimeter. There are conflicting policies. The failure lies in not defining the perimeter Or more precisely, in choosing the wrong one Allowing the boundaries to change Not implementing correct containment at the boundary

5 The Correct Perimeters Systems can be secure for a particular function We need to define perimeters for particular functions In the Power Grid Billing and Business operations are one function SCADA and infrastructure control are another. In the smart grid, customer access and HAN control a third In the Banking System Each bank has its own perimeter Inter-bank and transaction systems have their own Interactions with customers are all in individual protection domains

6 Changing Boundaries Federated systems change over time They evolve with new kinds of participants E.g. Power grid Smart Grid Now the customer is part of the control loop New peers join the federation Not all my be as trusted An adversary could acquire an existing participant Mis-guided public policy could require expansion of protection domains. This is why a monolithic security domain will not work.

7 Containment Containment techniques must be appropriate to the boundary and the function to be protected. Firewalls, Application Proxies, Tunnels (VPN s) suitable in the Cyber Domain. Cyber-Physical boundaries require different techniques. We must understand cyber and physical paths We must understand the coupled systems of systems impact of faults originating in single domain. We must understand the C-P impact of Cyber attack automation We need to group similar, yet distinct protection domains.

8 Cyber-Physical Threat Propagation Cyber-Cyber Automation and amplification, Mitigated by traditional security techniques Cyber-Physical PLC s, example, control of Electric Vehicles, Mitigate with policy and contain at next level. Physical-Cyber Coordinated Destruction, Mitigate through redundancy Physical-Physical Cascading Failures, Mitigate through physical means, e.g. circuit breakers Transitive Combinations Unexpected interactions, e.g. i-phone, leaf.

9 Secure Application Architecture Understanding and enforcing the goals of a system Systems Engineering High level coarse-grained security goals/policy need to be specified as part of system requirements. These need to be captured as defined protection domains or fault containment regions. Some of these can be enforced by the network, O/S, and middleware of the system. Separate from the fine-grained discretionary policies.

10 Summary Today s large systems are federated Understanding these systems requires proper definition of security boundaries (Protection Domains) System-of-System interactions must be understood and controlled. Failures occur when the boundaries do not match requirements. System engineering must define protection domains and fault containment regions to protect the mission requirements. Development and deployment environments should be developed that can enforce protections at these boundaries based on high level system specifications.

11 For More Information For updates and related information