A CROSS-SECTOR PERSPECTIVE ON PRODUCT CYBER SECURITY

Download A Cross-Sector Perspective on Product Cyber. Security. Dr Robert Oates. Software Centre of Excellence,. Rolls-Royce plc. Private – Rolls-Ro...

0 downloads 516 Views 732KB Size
A Cross-Sector Perspective on Product Cyber Security

Dr Robert Oates Software Centre of Excellence, Rolls-Royce plc

© 2016 Rolls-Royce plc The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other than that for which it is supplied without the express written consent of Rolls-Royce plc. This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or associated companies.

Trusted to deliver excellence Private – Rolls-Royce Proprietary Information

Key Messages •

All industrial sectors are seeing a rise in cyber security risk



There is a wealth of standards and guidance • •



Some of it doesn’t work Some of it does work

There are things missing

Private – Rolls-Royce Proprietary Information

2

3

The Software Centre of Excellence

Civil Aerospace

Defence Aerospace

Marine

Nuclear

Power Systems

Software Centre of Excellence

Process Improvement

Auditing

Private – Rolls-Royce Proprietary Information

Standardisation & Best Practice

Tooling

Project Work

Binding Factors Across the Organisation -

-

Safety critical systems

-

High impact of failure

-

Multiple interfaces and entities Emergent behaviour

Complex systems -

-

Strongly regulated sectors -

-

Critical National Infrastructure

Private – Rolls-Royce Proprietary Information

-

4

High level of evidence for changes/updates Pace of technology is faster than pace of regulatory change Aggressive, highly motivated attackers

Why is cyber security risk growing in all sectors?

Attacker Capability / Motivation

Technical Sources

Cultural Sources

Private – Rolls-Royce Proprietary Information

5

Technical Sources of Risk

6

Higher Performance Systems

• Better monitoring & analysis means more data • More reliance on data means a higher impact of losing data Hyperconnectivity integrity/availability New services require moreexhaustive interconnectivity •• System complexity makes testing impossible COTS • Internet facing services • Internet-of-things technologies •• Market driving use of COTS instead of dedicated, bespoke More connections invalidate old models of “trusted networks” solutions Big Data • COTS equipment is easier for researchers to analyse and attack • Big data increases business reliance on high-integrity data which means new, publicised vulnerabilities

Risk

Private – Rolls-Royce Proprietary Information

Cultural Sources of Risk When does product cyber security not get dealt with? Low awareness / complacency: “Nobody would attack us” Poor regulatory / legal environment: “We don’t need this”

Poor skills / capability: “This is too hard” Inability to communicate problems to people who can solve them: “Nobody’s going to do anything about this” Low economic margin sectors: “You first” Poor economic incentives: “Nobody wants this” It will be dealt with further up the supply chain: “Not our problem” Private – Rolls-Royce Proprietary Information

7

Attacker Resources Knowledge •

Commonalities with IT



Cheaper systems components



Shared tools and understanding

Time / Money •

Hackers as a service / niching



Vulnerability marketplace



Nation sponsored

Impunity



Complex, international prosecution



Poor capability/resourcing of law enforcement agencies

Private – Rolls-Royce Proprietary Information

8

How do we engineer secure systems?

People

Process

Technology

Best Practice Market Drivers: insurance/regulation, market demand Private – Rolls-Royce Proprietary Information

9

Cross-Sector Cyber Security Standards/Guidance Landscape Architecture / Intelligence

Generic Requirements

General

NIST SP80064

Department of Homeland Security Resources

IEC 62443

Specific

10

CESG IS1&2 UK Defence (now retired)

NERC NEI 08/09 – Nuclear (US)

ED200 Series

UK Defence

Nuclear

Development

Private – Rolls-Royce Proprietary Information

Aerospace

What Doesn’t Work? Airgaps “Solutioneering” – Technology-specific Prescriptive Security Assuming safety makes you secure Assuming IT techniques will read across

Private – Rolls-Royce Proprietary Information

11

What Works? - Process Proportionate, risk-based controls

Understand risk Keep costs down Keep risks down

Private – Rolls-Royce Proprietary Information

12

13

What Works? - Process System Reliability

Security

Cyber Security

• System level quality factors • Through life quality factors • Preventing harm Private – Rolls-Royce Proprietary Information

Safety Data Safety

• Design principles • Risk driven design change • Controls that are proportionate to risks

Design Principles in Opposition: Diversity Safety

Security Outputs

P(failure) = (0.0001) 0.0001 2

Likelihood of attack?

X

Implementation specific vulnerabilities Uncertainty: Low, de-risked from extensive testing and well established process

System A

System

System B

Specification vulnerabilities Component vulnerabilities

Extremely Low risk system Private - Rolls-Royce Proprietary Information

Inputs

Inputs

Inputs

Risky system!

Maintenance Processes in Opposition: Patching Safety

Security Outputs

P(failure) = (0.0001)2

Likelihood of attack?

Vulnerability Report Uncertainty: High! What has the patch done to our systems?

System A

System B

Need to retest, recertify….

Low risksystem! system Risky Private – Rolls-Royce Proprietary Information

Less Risky Risky system! system? Inputs

Inputs

16

Risk Driven Design Processes Inputs: i) Organisation: ->What’s our risk appetite? ii) Functional Requirements -> What are we making?

Initial Design to Design Principles

Technical Risk Assessment

Risk Treatment Plan

Update Design

Identify Mitigations

Private - Rolls-Royce Proprietary Information

no

Are risks acceptable?

yes

Next phase

What Works? - People Security is everybody’s responsibility

Training Routes to escalation Incident response planning Security Champions Communication

Private – Rolls-Royce Proprietary Information

17

What’s Missing? Systems Engineering for Safety and Security • Is a common risk model possible? • Is a common impact model possible? Efficient Incident Response • Forensics • Team members Intelligence Focus • Where do you get threat intelligence from? • How do you use it? Private – Rolls-Royce Proprietary Information

18