Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Transcription

1 Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems Copyright 2018 UL LLC. All rights reserved. No portion of this material may be reprinted in any form without the express written permission of UL LLC. or as otherwise provided in writing.

2

3 The Problem With the growth of IIoT in the ICS space, there is a need for cybersecurity testing of Components Products Systems to mitigate the risk of cyber incidents in operational networks. 3

4 The Problem While many specifications and guidance documents provide information on secure product development principles, there is still a need to test and measure the security posture of products using comprehensive testing criteria and an important certification management process throughout the life of a component. 4

5 The Problem What should the security testing include and what are important attributes to measure and evaluate? What are supply chain considerations? How do you maintain certified status in the age of ICS vulnerabilities? 5

6 Testing and Certifying Products and Systems

7 How to Measure Security Evaluate Service Suppliers Component Security Device Security Device Configuration Device Implementation Supply Chain Logistics Service Suppliers Competency Service Suppliers Security Risks Implementation Security Practices Risk Assessment Monitoring System Security Implemented Security Controls Site Policies Site Continuous Assessment and Monitoring Vendor Security Practices Secure Development Cycle Suppliers Security Risks 7

8 The IoT Cyber Threat 3.5M 3.8M 4.0M 70% 66% 70% of IoT devices are vulnerable to attack (Source:HP) 28% to 47% By 2018, 66% of networks will have experienced an IoT security breach (Source: IDC Research) % to 47% of organizations have experienced IoT-related breaches (Source: Forrester/CISCO) In 2016, the average consolidated total cost of a data breach was $4M USD (Source: 2016 Ponemon Study)

9 WHAT EXISTS TODAY STANDARDS LANDSCAPE Security Standards and Guidance Documents UL 2900 FISMA HIPAA PCI ISO/IEC TR ISO/IEC DHS C 3 VP & CRR CIS Controls (formerly 'SANS Top 20 ) ISO/IEC Series Cyber Essentials (UK) NERC CIP NIST SP KRITIS(Germany) ANSSI CIIP(France) EU-NIS Directive EU-GDPR Top 35 Mitigation Strategies (AU) ISO/IEC DIS / O-TTPS NIST Cybersecurity Framework & SP r4 Security Controls ITU-T CYBEX 1500 Series 9

10 Supply Chain 10

11 Security can be measured effectively if it is planned 11

12 Where to focus your resources THREAT The Attacker: Nation States Professional Activity Hobbyists Insiders/Employees RISK The Asset to be Appropriated: Control Center Control Access Control Building OPPORTUNITY VULNERABILITY A Flaw: Poorly Written Code Improper Installation Hard Coded Passwords Inadequate Security Attributes

13 Understanding Security Risks Through Threat Modeling Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application. RISK Impact Possibility Ease Of Exploitation Damage Potential Degree of Mitigation Discoverability Number of Affected Components Exploitability Reproducibility

14 The First Measure A risk analysis framework A list of identified threats for the product, device and systems and its security objectives An assessment of the impact of each identified threat An assessment of the likelihood of each identified threat Risk management criteria 14

15 Products and Systems have 2 Bill of Materials Developers H ardware B I L L OF MAT E R I A L S ( B OM) S o f t w are B I L L OF MAT E R I A L S ( S B OM) Internal Customers General Release Internal Internally Developed Software External Externally Developed Custom Software Commercially off-the-shelf Components Open-Source Components 15

16 CWE and CVE Relationship Weaknesses Reported Vulnerabilities Unreported Prior to Exploit Non-Disclosed Vulnerabilities Weaknesses with little known undisclosed exploits, not yet publicly exploited Unknown Weaknesses Uncharacterized flaws with unknown exploit potential CVEs Publicly known vulnerabilities and exposures with patches Zero-Day Vulnerabilities Previously unmitigated weaknesses that have been exploited with little or no warning and do not yet have a patch CWEs Characterized, discoverable, and potentially exploitable weaknesses with known mitigation

17 Software Composition Analysis In 2014, a Synopsys engineer downloaded a SCADA software package from the vendor s developer website. It was discovered that over 700 known vulnerabilities affected the product. *

18 The Second Measure A Software Composition Analysis A list of CVEs found in the product Severity of CVEs applicable Solutions of resolving CVEs 18

19 The Third Measure

20 The Third Measure A Software Weakness Analysis A list of CWEs found in the product Severity of CWEs applicable Solutions of resolving CWEs 20

21 Common Attack Mechanisms 01 MALWARE Viruses, Trojans, and Worms Botnets Ransomware ADVANCED PERSISTENT THREATS Requires Resources Specific Target DENIAL OF SERVICE (DoS) Overwhelm System Degrade Performance COMMON Phishing Brute Force Back Door

22 Recent Security Breaches ZDI researchers reviewed the 2015 and 2016 ICSCERT HMI advisories to identify all of the solutions that had bugs fixed within the last two years * Hacker Machine Interface The State of SCADA HMI Vulnerabilities Trend Micro Zero Day Initiative Team

23 The Fourth Measure Assess and Evaluate the Security Controls in the product Authentication Remote Communications Cryptography Software Updates Security Event Logging 23

24 Penetration Testing Conditions DOS Authentication Privilege Escalation Vulnerabilities found Security configuration 24

25 The Fifth Measure Structured Penetration Testing OF Risk Analysis Security Controls CVEs remaining in product CWEs remaining in product 25

26 Testable Criteria Repeatable and Reproducible

27 The Fifth Measure CONTENTS STRUCTURED PENETRATION TESTING STRUCTURED PENETRATION TESTING Risk Product Assessment Management Software Composition Analysis Fuzzing Static Code Analysis Security Controls Risk Management Process 27

28 What is UL 2900? NETWORK-CONNECTABLE PRODUCTS & SYSTEMS AUTOMOTIVE LIGHTING APPLIANCES SMART HOME HVAC BUILDING AUTOMATION ALARM SYSTEMS SMART METERS MEDICAL DEVICES FIRE SYSTEMS INDUSTRIAL CONTROL SYSTEMS lot YOUR NETWORK CONNECTABLE PRODUCT AND/OR SYSTEM Submit product or system for discrete testing (One or more individual tests) Submit product or system for certification testing (All tests) UL CAP Services RISK MANAGEMENT TESTING Known Vulnerabilities Fuzz Testing Code & Binary Analysis Access Control & Authentication Cryptography Remote Communication Software Updates Structured Penetration Testing YOUR REPORT AND/OR CERTIFICATION Test Report Certificate TRAINING SERVICES ADVISORY SERVICES REVIEW SERVICES KEY TAKEAWAYS: RISK MITIGATION INNOVATION COMPETITIVE ADVANTAGE

29 UL 2900 Standards General Product Requirements UL Software Cybersecurity Industry Product Requirements UL Healthcare Systems General Process Requirements UL General Process Requirements UL Industrial Control Systems UL SDL UL Building Security Controls LEGEND: Published Not Yet Published UL New Initiatives UL New Initiatives

30 Q&A Copyright 2017 UL LLC. All rights reserved. No portion of this material may be reprinted in any form without the express written permission of UL LLC. or as otherwise provided in writing.