Quantitative Risk Reduction Estimation Tool For Control Systems
Miles A. McQueen, Wayne F. Boyer, Mark A. Flynn, R. Sam Alessi
[email protected]
Idaho National Laboratory (INL), Control System Security Center (CSSC), Idaho Falls, Idaho, U.S.A. 83415
March 28, 2006
Critical Infrastructure (CI)
Control Systems Security Center
Critical Infrastructure Control Systems
Risk to CI from Control System Compromise
Risk = F(threats_CS, vulnerabilities_CS, consequences_CI)
• Threats
  • Intelligent adversary
    • Targeted
    • Random
  • Known
  • Unknown
• Vulnerabilities
  • Known
  • Unknown
  • External to system
  • Internal to system
• Consequences
Control System Risk Estimation: Ad hoc, subjective approach
• Current ad hoc, subjective estimation approach
  • Dependent on “expert’s” knowledge
  • Lack of objective goals with specific measurables
  • Lack of comparable results
  • ...
• Assertions we have heard:
  • Our protocols are proprietary so we are safe.
  • If there is even one vulnerability left in the system then it is no more secure than before.
  • Vulnerabilities were significantly reduced so the system is much more secure.
  • My system is secure.
  • We have no rogue devices on our system.
  • No possible consequences.
  • …
Control System Risk Estimation: Needs improvement
• Aim for engineering process driven by science
  • Greater identification and quantification of security measures for components
  • Estimable component security interaction with the system (or subsystems)
  • Quantifiable evaluation of different security configurations
  • Accepted foundation for reasoning about the security of a system
Risk Estimation (Case Study)
Threat
Threat_i = (Intent_i, Capability_i, Opportunity_i)
Taxonomies:
• Cyber Threats to Critical Infrastructure (blackhat) [25]
• Threats to Critical Infrastructure [9]
• Cyber Attacker Categories [5]
Adversary categories listed across the three taxonomies (original column layout not preserved):
• Hacker/Script Kiddies/Hobbyist
• Disgruntled Employee
• Insider aiding others
• Criminal group
• Foreign intelligence services
• Hackers
• Hacktivist / Hacktivists
• Industrial Espionage
• Information Warfare
• Terrorist groups
• Nation States
• Anti-Capitalism/Anti-Globalization and terrorist Sympathizers
• Thrill Seekers
• Foreign Espionage
• Insider threat
• Terrorist
• Virus writers
• State Sponsored Attack
Focus on adversary’s capability and opportunity
Defensive Controls
• Technical controls
  • Encryption
    • Control system
    • External communication channels
  • Firewalls
    • Control system
    • Network segmentation
  • Intrusion protection systems
  • Anti-virus software
  • …
• Administrative controls
  • Personnel security
  • Training and awareness
  • Security policy
  • Maintenance
  • System audits
  • …
Risk Reduction Estimation Models
Model: “An abstract model (or conceptual model) is a theoretical construct that represents physical, biological, or social processes, with a set of variables and a set of logical and quantitative relationships between them. Models in this sense are constructed to enable reasoning within an idealized logical framework about these processes and are an important component of scientific theories. Idealized here means that the model may make explicit assumptions that are known to be false in some detail. Such assumptions may be justified on the grounds that they simplify the model while, at the same time, allowing the production of acceptably accurate solutions.” --Wikipedia
Risk reduction estimation models
• Fault trees
• Attack trees
• Attack graphs
Fault Trees: Estimate P factor for overall risk calculation
[Fault tree diagram. Top event RRE_3_STAR is developed through intermediate events such as “Attack from one or more expert hackers” (E_HACKER), “Independent safety functions are compromised” (INDEP_SAFETY), “System is compromised by an Insider or Novice Outsider” (BASICS), “Admin detection and protection items fail” (DETECT_PROTECT) and “Engineering detection and protection items fail” (ENG_CONTROLS), down to basic events covering firewalls, IDS, encryption, DMZ, domain control, passwords, anti-virus, HMI settings, wireless access, event monitoring, physical and environmental security, patching, configuration management, security policy/procedures/training, system audits, personnel security and operator error. Basic events carry assigned probabilities between 1.0E-6 and 9.5E-1; several are tagged with section references such as 6.1.9, 6.1.11, 6.1.23. Pairs that are legible in the extracted figure:
• Domain control not used or ineffective (6.1.23): 2.0E-6
• Control System encryption not used or inadequate: 4.0E-2
• Outer firewall settings inadequate (6.1.9): 3.0E-1
• Intrusion detection system inadequate (6.1.11): 5.0E-1
• Inner Firewall not installed: 5.0E-1
• Outer Firewall not installed: 5.0E-1
• Encryption not installed: 5.0E-6
• IDS not installed: 5.0E-6
• Administrator slow to patch known problems (PATCHING_SLOW): 5.0E-6]
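The slide uses a fault tree to turn basic-event probabilities into a single P factor and to compare security configurations. The evaluator below is an added example, not the INL tool or the tree in the figure: its gate structure is a hypothetical fragment built from the slide's event names, the basic events are treated as independent, and the hardened configuration values are constructed for illustration.

```python
"""Fault-tree top-event estimator (added example, not INL's tool).

AND gate: every child must occur, P = prod(p_i).
OR gate:  any child suffices,   P = 1 - prod(1 - p_i).
Both assume statistically independent basic events, the usual (and knowingly
idealised) fault-tree simplification.  The tree and probabilities below are a
hypothetical fragment built from event names on the slide.
"""
from functools import reduce


def p_and(ps):
    return reduce(lambda acc, p: acc * p, ps, 1.0)


def p_or(ps):
    return 1.0 - reduce(lambda acc, p: acc * (1.0 - p), ps, 1.0)


def evaluate(node, basics):
    """node is a basic-event name or ('AND'|'OR', [children])."""
    if isinstance(node, str):
        return basics[node]
    gate, children = node
    ps = [evaluate(child, basics) for child in children]
    return p_and(ps) if gate == "AND" else p_or(ps)


# Hypothetical fragment: the perimeter is lost if the outer firewall is absent
# or misconfigured AND detection fails (IDS absent or inadequate) AND the
# inner firewall is not installed.
TREE = ("AND", [
    ("OR", ["OUT_FW_INSTALL", "OUT_FIREWALL"]),
    ("OR", ["IDS_INST", "IDS"]),
    "IN_FIREWALL",
])

BASELINE = {              # values as read from the slide's figure
    "OUT_FW_INSTALL": 5.0e-1,   # outer firewall not installed
    "OUT_FIREWALL": 3.0e-1,     # outer firewall settings inadequate
    "IDS_INST": 5.0e-6,         # IDS not installed
    "IDS": 5.0e-1,              # intrusion detection system inadequate
    "IN_FIREWALL": 5.0e-1,      # inner firewall not installed
}


def hardened():
    """Constructed alternative configuration: firewall verified, IDS tuned."""
    cfg = dict(BASELINE)
    cfg["OUT_FW_INSTALL"] = 1.0e-6
    cfg["IDS"] = 1.0e-1
    return cfg


def risk_reduction(tree, before, after):
    """Return (P_before, P_after, fractional reduction of the top event)."""
    p0, p1 = evaluate(tree, before), evaluate(tree, after)
    return p0, p1, (p0 - p1) / p0
```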
Attack Trees
[Attack tree diagram; label: Security Analyst]
Attack Graphs
[Attack graph diagram. Nodes: START, LAUNCH, user_ and root_ privilege on hosts APPS, OC, DEVW, DAS, PRT, HIST, AD and ICCP, and the objective RTU_CONTROL. Edges are labelled with a compromise type and a cost, e.g. B,2  P,3  D,1  R,1.]
Legend (type of compromise): R Reconnaissance; E Escalate; D Damage; P Penetrate; B Breach Perimeter
Example Shortest Path: 1+2+3+1 = 7
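The slide's shortest-path figure (1+2+3+1 = 7) is the attacker's cheapest route through the graph. The code below is an added example, not the INL tool: it runs Dijkstra over a constructed edge set that reuses the slide's node names and legend types, and shows how removing the steps a countermeasure blocks changes, or eliminates, the cheapest path.

```python
"""Attack-graph cheapest-path evaluator (added example, not INL's tool).

Nodes are privilege states; each edge is an attacker step with a type from
the slide legend (R, E, D, P, B) and a cost.  The edge set is hypothetical,
built so the cheapest path costs 1+2+3+1 = 7 as on the slide.
"""
import heapq

# (source, target, type, cost): constructed sample graph
EDGES = [
    ("START", "LAUNCH", "R", 1),         # reconnaissance
    ("LAUNCH", "user_APPS", "B", 2),     # breach perimeter
    ("LAUNCH", "user_PRT", "B", 2),
    ("user_APPS", "user_OC", "P", 3),    # penetrate operator console host
    ("user_PRT", "root_PRT", "E", 3),    # escalate on the print host
    ("root_PRT", "user_OC", "P", 3),
    ("user_OC", "RTU_CONTROL", "D", 1),  # damage: reach RTU control
]


def cheapest_path(edges, start="START", goal="RTU_CONTROL"):
    """Dijkstra on edge costs. Returns (cost, [(node, step_type), ...]) or None."""
    adj = {}
    for src, dst, kind, cost in edges:
        adj.setdefault(src, []).append((dst, kind, cost))
    best = {start: (0, None)}            # node -> (cost, (prev_node, step_type))
    heap = [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                     # stale heap entry
        if node == goal:
            path = []
            while node is not None:
                prev = best[node][1]
                path.append((node, prev[1] if prev else None))
                node = prev[0] if prev else None
            return cost, path[::-1]
        for dst, kind, step in adj.get(node, []):
            if dst not in best or cost + step < best[dst][0]:
                best[dst] = (cost + step, (node, kind))
                heapq.heappush(heap, (cost + step, dst))
    return None


def with_countermeasure(edges, kind, src):
    """Model a control that blocks one step type leaving a given state."""
    return [e for e in edges if not (e[0] == src and e[2] == kind)]
```

Blocking the P step out of user_APPS forces the attacker through root_PRT (cost 10); blocking both P steps leaves no path to RTU_CONTROL.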
Attack Graph R&D
[Plot: run time in seconds (log scale, 0.001 to 1000) versus number of hosts (0 to 60) for the Attack graph toolkit and MulVAL]
Some Potential Measures for Use In Risk Reduction Estimation
• Time to compromise
• Attack surface estimation
• Privilege escalation attack evaluation
• Anti-virus effectiveness
• Vulnerability rates
• Patch rates
• Signature update rates
• Response rates
• Virus release rates
• IDS false negatives
• Percent patched
• …
[Chart residue: attacker skill levels novice, beginner, intermediate, expert]
Conclusions
Goal: Control System Quantitative Risk Reduction Estimation
Research Issues
• Establishment of relevant security related measures for components (and networks)
• Estimation of unknown component vulnerabilities
• Creation of tractable and believable risk models
• Estimation of threat environment
• Invention of improved risk reduction estimation engines
• Development of passive network discovery tool
Conclusions
• Focus on credible measures and models for components (and networks)
• Take baby steps; it is time to advance the state of the art
INL R&D Collaborative Opportunities
Long Term Goal: Develop technical metrics that can serve as an underlying objective basis for security standards that support risk based control system design and procurement activities.
Technical Measures and Models
• Security measures and models are an immature field:
  • No widely accepted effectiveness measures related to cyber security
  • No widely accepted models for estimating risk to components or networks
• Opportunities
  • Develop engineering underpinnings for current best practices
  • Develop statistical measures and models for components (and networks)
    • To address the unknowns
    • To translate low level measures into higher level, more meaningful security information
  • Develop logical (and tractable) descriptions
    • For automated reasoning
    • For risk based evaluation of attacks and countermeasures
  • Develop game theoretic approaches (future)
  • Develop improved measures and testing methodologies
    • For measures of defensive device effectiveness
    • For system and component “hardness”
Information Sharing
Attack Surface Measurement Tool
[Screenshot: C source of a classic buffer-overflow test driver]
    char array[100];
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
        "\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    unsigned int addr;
    addr = strtoul(argv[1], NULL, 16);
    memset(array, 'c', 91);
    memcpy(array, shellcode, 45);
    memcpy(array+92, &addr, sizeof(addr));
    array[99] = '\0';
    execl ("./vulnerable", "vulnerable", array, NULL);
[Screenshot: function and call-site listing produced by the tool]
    FD_ZERO: pr_inet_listen: int (pool *p,conn_t *c,int backlog), listen: pr_signals_handle: 252 pr_log_pri: 3 strerror: end_login: 246 pr_inet_resetlisten: int (pool *p,conn_t *c), pr_inet_set_block: int (pool *p,conn_t *c), fcntl: FD_SET: semaphore_fds: 320 check_shutmsg: 465 disc_children: void (void),
Source Base S
Methods (DEP = direct entry points, DExP = direct exit points, IEP = indirect entry points; the first row’s access-rights cell is not legible in the extraction):
Privilege | Access Rights | DEP | DExP | IEP
root*     |               |   8 |    8 |   1
root*     | unauth        |  13 |   14 |   5
root      | auth          |  12 |   13 |   2
S         | unauth        |  13 |    6 |   3
S         | auth          |   6 |    4 |   0
S         | anon          |   6 |    4 |   0
Untrusted data items:
Type | Access Rights | Count
file | root          |    52
file | S             |    18
file | world         |    36
MulVAL for Components
Prolog Windows Rules excerpt:
    /* Rule 2: Use privilege to get what you want. */
    seAccessCheckResourceAtomic(allowed, _Resource, RequestedAccess,
            processToken(_Owner, PrivList, _Groups, _TokenRestrictedSids)) :-
        validAccess(RequestedAccess),
        hasSuperPrivilege(true, PrivList).
Access privilege escalation graph: [diagram]
Credit: Sudhakar and Dr. Appel
Questions?
[email protected]
Idaho National Laboratory, Control System Security Center (CSSC), Idaho Falls, Idaho, U.S.A. 83415