SESSION ID: HTA-F03 #RSAC
From Ukraine to Pacemakers! The Real-World Consequences of Logical Attacks
Marie Moe, Research Scientist, SINTEF, @MarieGMoe
Éireann Leverett, Founder and CEO, Concinnity Risks, @concinnityrisks
A tale of engineers and integrity…
The internet isn’t virtual.

In fact it never was. It just wasn’t ‘embodied’ yet.

What can we expect of cyber-physical security and failures? In other words, how deep is the iceberg?
IT/OT Big Picture
C02 Model (Let go of the CIA): Controllability, Observability, Operability

Controllability: Inability to bring the process or system into a desired state. Example failures include:
• Control network not in a controllable state
• There is no longer a control sequence which can bring the system into an intended state
• The sequence of the control commands is unknown to the operator (because it has been altered or potentially altered)
• Actuator has lost connectivity or power

Observability: Inability to measure state and maintain situational awareness. Example failures include:
• Inability to monitor sensors (data integrity loss and/or loss of availability)
• Untrustworthy measurement (data has lost veracity)
• Measurement of all necessary quantities at the right locations is no longer possible
• Inability to interpret the measurements, e.g. changing the language of alerts

Operability: Inability of the device to achieve acceptable operations. Example failures include:
• Inability to maintain optimal operations under attack
• The physical device has been damaged, e.g. motor burnt out, gear teeth ground down, pressure vessel burst
• Inability to safely shut down
• Multiple operators working against each other through the same control channel
Let’s simplify: How many actuators?

It is the growth of actuator sales that will define cyber-physical hacking, even more so than the hackers themselves.
Insecurity is a transitive property

Security isn’t!
• If my computer is secure
• And my house is secure
• It doesn’t imply my phone is secure

If my email is insecure:
• my passwords are known

If my computer was insecure:
• my private keys are known
• it could *still* be spawning reverse shells

So insecurity is transitive in time also!
• What is the sum of vulnerabilities?
• Let’s see how insecurity transitivity looks in time…
Vulnerable populations as a timeline.

2015 Security Metrics for the Android Ecosystem (Thomas, Beresford, Rice)
Insecurity is compose-able

Vulnerabilities can be built into emergent capabilities. It is difficult to predict the emergent capability for non-physical effects. When you add in physical effects, you get combinatorial explosion. How would you “map” all possible emergent physical effects?
Now with added physical effects!

The system is vulnerable:
• If there exists a vulnerable e
• If there exists a vulnerable u
• If there exists a vulnerable ym

Unexpected physical effects

Remember the C02 Model? Let’s deep dive into that…
Sensors are vulnerable

Padmavathi, Dr G., and Mrs Shanmugapriya. “A survey of attacks, security mechanisms and challenges in wireless sensor networks.”
Actuators are vulnerable

“I Cannot Be Played on Record Player X”
Has been true since (at least): von Neumann’s self-replicating kinematics.
A simple example is cars driving themselves off the road.
A complex example would be a robotic arm unplugging its network or power cable.
We haven’t even discussed how they’re ‘digitally’ vulnerable yet, but that is true too.
Network devices are vulnerable

Switches Get Stitches
If connectivity is required by your business model, then every networking device is my point of subversion against your business.
Protocols are vulnerable

Common Cybersecurity Vulnerabilities in Industrial Control Systems, DHS 2011
Alarms are vulnerable
Guest: Robert M Lee, @RobertMLee
For deeper analysis: ics.sans.org/duc5
Please tweet widely :)
Ukrainian Outage Return Period

0.8 TWh lost maps to roughly a 1 in 2 year event by US standards. So while this is significant from a hacking perspective, it is not very significant from a power engineering perspective.
[Plot: Frequency of Occurrence (log scale, 0.01% to 10000%) against Lost Power (TWh, log scale, 0.3 to 3000)]
The cost of US power outages

LaCommare, Kristina Hamachi, and Joseph H. Eto. “Understanding the cost of power interruptions to US electricity consumers.” Lawrence Berkeley National Laboratory (2004)
“IoT cannot be immortal and unfixable.” - Dan Geer, Black Hat 2014

Who will be responsible for IR costs for IoT? Are we privatising sales and socialising IR?
Is insurance starting to make sense yet?
If not for critical infrastructure, then are you ready to talk about medical device cyber insurance?
Personal Infrastructure

Your reliance on an infrastructure is inversely proportional to how invisible it is to you. We all rely on oxygen, our lungs, and our hearts, but how often do we think about them? How often do we do maintenance or debug them?
My Personal Critical Infrastructure

[Diagram: Pacemaker/ICD ↔ Programmer (inductive near field communication); Pacemaker/ICD ↔ Home monitoring unit (MICS/ISM); Home monitoring unit ↔ Cellular or Telephone Network (POTS/SMS) ↔ Web portal]
Debugging me
What is the same between big and little infrastructure?

The cost of failure is “embedded” (damage)

The Economic Impacts of Inadequate Infrastructure for Software Testing (2002)
This table should be extended to include:
• Vulnerability exploited in the wild
• Vulnerability exploited in an infrastructure
Now our vulnerability is “embodied”

Vehicle to Vehicle, Smart Grid, Robotics, Traffic Control, Maritime, Industrial manufacturing, Autonomous Vehicles, Logistics Systems, Aircraft

So is the cost of failure!
Asymmetric adversarial economics.

Harm Type | Impact       | Payload reuse | Cost of remedy | Social cost
Data      | Non-Zero Sum | High          | Low            | Individual
Physical  | Zero Sum     | Low           | High           | Collective
So what should our design goals be?

Recover-ability.
Reduce transitivity of insecurity in TIME.
COMBAT Persistence.
Anti-contagion.
Reduce transitivity of insecurity between:
Networks, Components, Libraries, Systems, Credentials, Organisations
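The transitivity argument from the earlier slides (“if my email is insecure, my passwords are known”, “it could *still* be spawning reverse shells”) and the design goal of reducing that transitivity in time and between components can be made concrete as a reachability problem over a dependency graph. The following is an added example written for this edit, not code from the talk or its authors: the graph, the node names and the credential-rotation windows are all constructed. Each edge says “if the source is compromised, the destination can be”, and carries the window of days during which that step is still possible, so the closure shrinks when credentials are rotated or a segment is cut.

```python
from collections import defaultdict, deque

# Constructed dependency graph (not data from the talk). An edge
# (src, dst, (first_day, last_day)) means: if `src` is compromised, `dst`
# can be compromised too, but only on days in [first_day, last_day);
# last_day None means "forever". The window models how long a foothold
# stays usable, e.g. until a stolen credential is rotated.
EDGES = [
    ("email",        "passwords",    (0, None)),  # mailbox can reset passwords
    ("passwords",    "vpn",          (0, 90)),    # passwords rotated on day 90
    ("laptop",       "private_keys", (0, None)),  # keys readable from disk
    ("private_keys", "vpn",          (0, 365)),   # keys rotated yearly
    ("vpn",          "ot_network",   (0, None)),  # flat network behind the VPN
    ("ot_network",   "plc",          (0, None)),  # PLC trusts its whole segment
]


def edge_open(window, day):
    """True if a transitive step is still possible on `day`."""
    first, last = window
    return day >= first and (last is None or day < last)


def compromised(edges, start, day):
    """Transitive closure of compromise from `start` on a given day (BFS)."""
    adj = defaultdict(list)
    for src, dst, window in edges:
        adj[src].append((dst, window))
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for dst, window in adj[node]:
            if dst not in seen and edge_open(window, day):
                seen.add(dst)
                queue.append(dst)
    return frozenset(seen)


def exposure_days(edges, start, target, horizon):
    """Number of days in [0, horizon) on which `target` is reachable from `start`.

    This is the "transitivity of insecurity in time": how long one foothold
    keeps paying out further down the graph.
    """
    return sum(1 for day in range(horizon)
               if target in compromised(edges, start, day))


def with_rotation(edges, src, dst, last_day):
    """Copy of `edges` with the (src, dst) window closed from `last_day` on.

    last_day=0 closes the edge entirely, i.e. models segmentation rather
    than rotation.
    """
    return [(s, d, (w[0], last_day) if (s, d) == (src, dst) else w)
            for s, d, w in edges]


if __name__ == "__main__":
    print("email, day 10:", sorted(compromised(EDGES, "email", 10)))
    print("email, day 100:", sorted(compromised(EDGES, "email", 100)))
    print("days email reaches plc:", exposure_days(EDGES, "email", "plc", 365))
    faster = with_rotation(EDGES, "passwords", "vpn", 30)
    print("...with 30-day rotation:", exposure_days(faster, "email", "plc", 365))
    print("days laptop reaches plc:", exposure_days(EDGES, "laptop", "plc", 365))
```

Run as a script it shows that a mailbox compromise on day 10 reaches the PLC, that the same compromise on day 100 stops at the rotated passwords, and that the laptop path stays open all year because the keys are rotated so rarely. Shortening a rotation window shrinks the exposure proportionally; closing the `vpn -> ot_network` edge (segmentation) removes the PLC from every closure, which is the “anti-contagion” goal stated above.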
The hidden cost of the Solow residual?

1. Quantify the cost to society for a 10 hour outage to each critical infrastructure in the largest region covered by one company.
2. Quantify the cost of 70%/50%/30%/1% vulnerable IoT deployments.
3. Quantify the cost of medical device physical impacts on 1%/5%/20% of the population.

I think this is where we went wrong. We focused on “how does/can it fail?” … not “how much will it cost us?”
Apply what you have learned today

• Rename the IoT
• Start writing use-cases!
• The failure of your code can ruin our future
• Go home and quantify the cost of failure!
• The Siren song of impact assessment ranking
• The payload is not the exploit
• Quantify the cost of a failure in your system.
• Are you resilient?
Questions & Thank you!

Marie Moe, www.sintef.no/en, @MarieGMoe
Éireann Leverett, www.concinnityrisks.com, @concinnityrisks, @blackswanburst
Robert M Lee, www.dragossecurity.com, @RobertMLee