System Aware Cyber Security
NDIA
Barry Horowitz, University of Virginia
February, 2013
Sponsor: DoD, through the Stevens Institute's SE Research Center


Dec 17, 2015

Transcript
Page 1

Title slide (as above)

Page 2

System Aware Cyber Security
• Research is in its 3rd year
• Today's discussion is focused on:
  – Classes of Solutions (Design Patterns)
  – Initial Prototype Implementation for an Autonomous Surveillance System


Page 4

Broad Objective

Reversing cyber security asymmetry from favoring our adversaries (a small investment in straightforward cyber exploits upsetting major system capabilities) to favoring the US (small investments in protecting the most critical system functions using System Aware cyber security solutions that require very complex and high-cost exploits to defeat).

Focus on defense against exploits that impact system performance (e.g., data corruption, functional degradation, system latencies).

Page 5

System Aware Cyber Security
• Operates at the system application layer, for security inside of the network and perimeter protection provided for the whole system
• Directly protects the most critical system functions
• Solutions are embedded within the protected functions
• Addresses supply chain and insider threats
• Includes physical systems as well as information systems
• Solution space consists of reusable design patterns, reducing unnecessary duplication of design and evaluation efforts
• Design patterns can be implemented in a super secure programmable Sentinel (S3)

Page 6

System-Aware Cyber Security Architecture
• System-Aware Cyber Security Architectures combine design techniques from 3 communities:
  – Cyber Security
  – Fault-Tolerant Systems
  – Automatic Control Systems
• The System-Aware solution designers need to come from the communities related to system design and systems engineering, providing a new orientation to complement the established approaches of the information assurance community

Page 7

A Set of Techniques Utilized in System-Aware Security

Cyber Security
* Data Provenance
* Moving Target (Virtual Control for Hopping)
* Forensics

Automatic Control
* Physical Control for Configuration Hopping (Moving Target, Restoral)
* State Estimation Techniques (Data Integrity)
* System Identification (Data Integrity, Restoral)

Fault-Tolerance
* Diverse Redundancy (DoS, Automated Restoral)
* Redundant Component Voting (Data Integrity, Restoral)


Page 10

A Set of Techniques Utilized in System-Aware Security

Cyber Security
* Data Provenance
* Moving Target (Virtual Control for Hopping)
* Forensics

Automatic Control
* Physical Control for Configuration Hopping (Moving Target, Restoral)
* State Estimation (Data Integrity)
* System Identification (Tactical Forensics, Restoral)

Fault-Tolerance
* Diverse Redundancy (DoS, Automated Restoral)
* Redundant Component Voting (Data Integrity, Restoral)

This combination of solutions requires adversaries to:
• Understand the details of how the targeted systems actually work
• Develop synchronized, distributed exploits consistent with how the attacked system actually works
• Corrupt multiple supply chains

Page 11

Integration of Fault Tolerance, Automatic Control and Information Assurance
• What's different for each technology community
  – Fault Tolerance
    • Asymmetric attacks vs random failures
    • Synchronized, dependent attacks on system components vs random coupling of independent failures
    • Time-varying, situation-related attacks vs random intermittent failures
    • Need to adjust detection criteria based upon pre-mission intelligence and other a priori information regarding attack
  – Automatic Control
    • High rates of system reconfiguration (configuration hopping)
    • Roles of the operator
  – Information Assurance
    • System Aware solutions
    • Collateral, system-specific performance impacts of embedded security solutions
• Plus:
  – Require secure implementation of solutions


Page 13

Design Patterns Being Prototyped
• Diverse Redundancy for post-attack restoration
• Diverse Redundancy + Verifiable Voting for trans-attack attack deflection
• Physical Configuration Hopping for moving target defense
• Virtual Configuration Hopping for moving target defense
• Data Consistency Checking for data integrity and operator display protection
• Parameter Assurance for parameter-controlled system functions
• System Restoration using diverse redundancy

As new applications are addressed, new design patterns will emerge, leading to an expanding library for reuse.
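The "Diverse Redundancy + Verifiable Voting" and "System Restoration using diverse redundancy" patterns above can be illustrated in a few dozen lines. The following is an added example written for this page, not code from the slides or from the UVA/GTRI prototype: three diversely implemented replicas of one function are run side by side, a voter accepts a result only when a strict majority agree within a tolerance, the dissenting replica is named in an alert, and a replica that dissents repeatedly is switched out of the active set. The replicas (three ways of computing a planar distance), the fault injection, the tolerance and the strike count are all constructed for the example.

```python
"""Diverse redundancy with verifiable voting (added example, not from the slides).

Three diversely implemented replicas compute the same function.  A voter
accepts a result only when a strict majority agree within a tolerance,
reports the dissenter(s), and the wrapper switches a repeat dissenter out of
the active set.  Replicas, fault model and tolerances are constructed.
"""
import math
from statistics import median


# Three diverse implementations of the same function (constructed).
def dist_hypot(dx, dy):
    return math.hypot(dx, dy)


def dist_sqrt(dx, dy):
    return math.sqrt(dx * dx + dy * dy)


def dist_complex(dx, dy):
    return abs(complex(dx, dy))


def vote(outputs, tolerance):
    """outputs: list of (replica_id, value).

    Returns (agreed_value, dissenters).  The reference is the median, so a
    single corrupted replica cannot drag the reference toward itself.
    agreed_value is None when no strict majority agrees within tolerance.
    """
    ref = median([v for _, v in outputs])
    agree = [(rid, v) for rid, v in outputs if abs(v - ref) <= tolerance]
    dissent = [rid for rid, v in outputs if abs(v - ref) > tolerance]
    if 2 * len(agree) <= len(outputs):
        return None, dissent
    return sum(v for _, v in agree) / len(agree), dissent


class VotedFunction:
    """Runs every active replica, votes, and quarantines a replica after
    `strikes` dissents.  At least two replicas stay active so a later
    divergence is still detected, even if it can no longer be out-voted."""

    def __init__(self, replicas, tolerance=1e-9, strikes=2):
        self.active = dict(replicas)       # replica_id -> callable
        self.quarantined = {}
        self.tolerance = tolerance
        self.strikes = strikes
        self._dissents = {rid: 0 for rid in replicas}
        self.alerts = []                   # (replica_id, args) per dissent

    def __call__(self, *args):
        outputs = [(rid, fn(*args)) for rid, fn in self.active.items()]
        value, dissenters = vote(outputs, self.tolerance)
        for rid in dissenters:
            self._dissents[rid] += 1
            self.alerts.append((rid, args))
            if self._dissents[rid] >= self.strikes and len(self.active) > 2:
                self.quarantined[rid] = self.active.pop(rid)   # switch it out
        return value


def corrupted(fn, after_calls, bias):
    """Constructed fault model: a replica that behaves for `after_calls`
    invocations and then returns results offset by `bias`."""
    calls = {"n": 0}

    def wrapped(*args):
        calls["n"] += 1
        out = fn(*args)
        return out + bias if calls["n"] > after_calls else out

    return wrapped


def run_scenario():
    """Five calls; replica B starts misbehaving on the third call."""
    vf = VotedFunction({
        "A": dist_hypot,
        "B": corrupted(dist_sqrt, after_calls=2, bias=5.0),
        "C": dist_complex,
    })
    inputs = [(3.0, 4.0), (6.0, 8.0), (5.0, 12.0), (8.0, 15.0), (7.0, 24.0)]
    results = [vf(dx, dy) for dx, dy in inputs]
    return results, vf


if __name__ == "__main__":
    results, vf = run_scenario()
    print("voted results:", results)
    print("alerts:", vf.alerts)
    print("active:", sorted(vf.active), "quarantined:", sorted(vf.quarantined))
```

In the scenario the voter keeps returning the correct distance throughout (13.0, 17.0, 25.0 after the fault starts), replica B is flagged on calls three and four, and after its second strike it is switched out, leaving A and C active. Diversity matters here because the replicas do not share an implementation, so a supply-chain defect or an implant in one of them does not reproduce in the others.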

Page 14

CASE 1: SHIP CONTROL SYSTEM FOR PHYSICAL PLANT

"A System-Aware Cyber Security Method for Shipboard Control Systems", accepted for the 2012 IEEE Homeland Security Conference
• Guy L. Babineau, Northrop Grumman Naval & Marine Systems Division
• Rick A. Jones and Barry Horowitz, University of Virginia, Department of Systems and Information Engineering

Page 15

Block Diagram Illustrating the Current System Architecture (figure not included in transcript)

Page 16

System-Aware Security Solution (figure not included in transcript)

Page 17

(figure not included in transcript)

Page 18

Two result plots, Experiments 1 through 10, x-axis: Hopping Rate in Seconds (5, 10, 200):
• UDP Packets Lost per 10,000 Sent; y-axis: Number of Packets Lost per 10,000 Sent (scale 1 to 8)
• TCP Packets Resent per 10,000 Sent; y-axis: Number of Packets Resent per 10,000 Sent (scale 2 to 16)
(plotted values not recoverable from transcript)

Page 19

CASE 2: DYNAMIC SYSTEM MODELS AND STATE ESTIMATION TECHNOLOGY FOR DATA INTEGRITY AND OPERATOR DISPLAY ATTACKS

Barry M. Horowitz and Katherine Pierce, "Application of Diversely Redundant Designs, Dynamic System Models and State Estimation Technology to the Cyber Security of Physical Systems", Systems Engineering, Volume 16, No. 3, 2013

Page 20

The Problem Being Addressed
• Highly automated physical system
• Operator monitoring function, including criteria for human over-ride of the automation
• Critical system states, used for both operator observation and feedback control: consider as least trusted from a cyber security viewpoint
• Other measured system states: consider as more trusted from a cyber security viewpoint
• CYBER ATTACK: Create a problematic outcome by disrupting human display data and/or critical feedback control data.

Page 21

Simplified Block Diagram for Inference-Based Data Integrity Detection System (diagram elements)
• Protected Physical System
• System Operator
• Information Consistency Checking
• Cyber Attack Alerts and Responses
• State Estimator 1
• Diversely Redundant State Estimator 2
• Applicable Subsystems and Users

Page 22

Simulated System Output Based Upon Controller Attack (figure not included in transcript)

Page 23

Simulated Regulator Attack (figure not included in transcript); plotted series: True Monitored State, Operator Observed State, Inferred Monitored State, Δ in Operator and Inferred States
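The detection scheme of Pages 20 through 23 (a least-trusted critical state checked against a state inferred by a diversely redundant estimator from more-trusted measurements) can be reproduced on a small constructed plant. The following is an added example, not code from the slides or from the Horowitz and Pierce paper: a tank whose level is regulated by adjusting inflow, where the level sensor feeds both the operator display and the feedback regulator (least trusted) and two flow meters are the more-trusted measurements. The second estimator infers the level by mass balance on the flows; the consistency checker alerts when the displayed and inferred levels disagree for several consecutive samples. The plant parameters, noise levels, attack bias and alert threshold are all constructed.

```python
"""Inference-based data integrity check (added example, not from the slides).

Constructed plant: a tank whose level is regulated by adjusting inflow.  The
level sensor feeds both the operator display and the feedback regulator, so
it is the least-trusted measurement.  Two flow meters are the more-trusted
measurements; a diversely redundant estimator infers the level from them by
mass balance.  The consistency checker alerts when the displayed level and
the inferred level disagree for several samples in a row.
"""
import random

DT = 0.1          # simulation step (s)
AREA = 1.0        # tank cross-section (constructed units)
K_OUT = 0.2       # outflow coefficient: q_out = K_OUT * level
SETPOINT = 2.0    # regulator setpoint for the level
KP = 1.0          # proportional gain of the regulator


def simulate(steps=200, attack_start=120, attack_bias=0.5, seed=1):
    """Run the plant, the regulator and the diversely redundant estimator.

    From `attack_start` on, the level sensor output is offset by `attack_bias`
    before it reaches both the display and the regulator, which is the
    display/feedback-control attack the slides describe.
    Returns a list of (step, true_level, displayed_level, inferred_level).
    """
    rng = random.Random(seed)
    h_true = 1.0
    h_inferred = 1.0       # estimator 2 is initialised from a trusted reading
    records = []
    for t in range(steps):
        # Least-trusted channel: the level sensor, possibly corrupted.
        h_sensor = h_true + rng.gauss(0.0, 0.01)
        if t >= attack_start:
            h_sensor += attack_bias
        # The regulator closes the loop on the (possibly corrupted) level.
        q_in = max(0.0, KP * (SETPOINT - h_sensor))
        q_out = K_OUT * h_true
        # More-trusted channels: independent flow meters.
        q_in_meas = q_in + rng.gauss(0.0, 0.005)
        q_out_meas = q_out + rng.gauss(0.0, 0.005)
        # Diversely redundant estimator: level from mass balance on the flows.
        h_inferred += (q_in_meas - q_out_meas) / AREA * DT
        # Plant update.
        h_true += (q_in - q_out) / AREA * DT
        records.append((t, h_true, h_sensor, h_inferred))
    return records


def consistency_alert(records, threshold=0.2, persist=3):
    """Return the first step at which |displayed - inferred| exceeds
    `threshold` for `persist` consecutive samples, or None if it never does.
    Requiring persistence keeps sensor noise from raising alerts."""
    run = 0
    for t, _, h_disp, h_inf in records:
        run = run + 1 if abs(h_disp - h_inf) > threshold else 0
        if run >= persist:
            return t
    return None


if __name__ == "__main__":
    recs = simulate()
    print("alert at step:", consistency_alert(recs))
    t, h_true, h_disp, h_inf = recs[-1]
    print(f"final: true={h_true:.2f} displayed={h_disp:.2f} inferred={h_inf:.2f}")
```

The run shows the two effects the slides plot: after the attack begins the operator-observed level reads high while the true level sinks (the regulator throttles inflow to "correct" a level that is not really high), and Δ between the observed and inferred states jumps from sensor-noise size to roughly the injected bias, so the checker alerts within a few samples. The inferred level follows the true one because it is built from measurements the attack did not touch.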

Page 24

Case 3: Parameter Assurance


Page 26

Parameters in Systems
• Parameters control how systems function, for instance:
  – Detection thresholds
    • For example, target detection for active sensors (radar) and passive sensors (SIGINT), impacting missed-detection/false-alarm performance
  – Decision thresholds
    • Tactical: satellite time-to-collision decision time, impacting timing for taking action; obstacle avoidance threshold before taking action
    • Strategic: Mission Planning System mission timing parameters
  – Flight control boundary values
    • For example, artificial bounds on accelerations, altitude
  – Navigation waypoints
  – Tracking algorithm parameters determine sensitivity and latencies for position/velocity estimates relative to timing of accelerations
  – Communication system mode parameters, impacting QoS

Parameter tables provide an organized means for changing parameters, and a high-leverage opportunity for exploits.

Page 27

Parameter Assurance Design Pattern
• Parameter change detection
  – Case 1: Exploit changes values in a parameter table. Monitor parameter tables and operator actions to determine whether an automated (non-operator) change occurred.
  – Case 2: Embedded exploit over-rides table parameter values as part of its execution. Monitor computer-derived decisions and the data that led to them, estimate the parameter value that would produce those decisions, and compare it to the parameter table value.
• Parameter restoration (complex process, simplified explanation)
  – Reverse the parameter value
  – Inhibit responsive change-back
  – Inform appropriate operator(s)
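Both detection cases above, plus the restoration step, can be written as a small monitor. The following is an added example, not code from the slides or from the UVA prototype. Case 1 compares a parameter table against its last known-good copy and the operator action log and flags any change no operator made; Case 2 treats the system's own decisions (here a simple "detected iff value >= threshold" detector) as evidence of the threshold it really used and bounds that value from the observed decisions, then checks the bound against the table. The table contents, operator log and decision records are constructed sample data.

```python
"""Parameter Assurance monitor (added example, not from the slides).

Case 1: flag parameter-table changes that no operator action explains.
Case 2: infer the threshold a detector actually applied from its decisions
and compare it with the table.  Restoration reverses flagged values and pins
them so an exploit's immediate change-back is inhibited.
All sample data below is constructed.
"""
import hashlib
import json


def table_digest(table):
    """Stable digest of a parameter table; a cheap way to notice any change."""
    canonical = json.dumps(table, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def detect_unauthorized_changes(baseline, current, operator_actions):
    """Case 1: parameters whose value changed without a matching operator action.

    operator_actions: iterable of {"param": name, "new_value": value, "operator": id}.
    Added or removed parameters count as changes too.
    """
    authorized = {(a["param"], a["new_value"]) for a in operator_actions}
    alerts = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old != new and (name, new) not in authorized:
            alerts.append({"param": name, "was": old, "now": new})
    return alerts


def infer_threshold_interval(observations):
    """Case 2: bound the threshold a detector actually applied.

    observations: iterable of (measured_value, detected).  Under the rule
    "detected iff value >= threshold", every missed value lies below the
    effective threshold and every detected value at or above it, so the
    effective threshold lies in (max missed, min detected].
    """
    missed = [v for v, d in observations if not d]
    detected = [v for v, d in observations if d]
    lower = max(missed) if missed else None
    upper = min(detected) if detected else None
    return lower, upper


def decisions_consistent_with_table(table_threshold, observations):
    """True if every observed decision is explained by the table's threshold."""
    lower, upper = infer_threshold_interval(observations)
    if lower is not None and table_threshold <= lower:
        return False    # a value the table says to detect was missed
    if upper is not None and table_threshold > upper:
        return False    # a value below the table threshold was detected
    return True


def restore(current, baseline, alerts):
    """Restoration: reverse each flagged parameter to its baseline value and
    return the set of parameters to pin against an immediate change-back."""
    restored = dict(current)
    pinned = set()
    for a in alerts:
        name = a["param"]
        if name in baseline:
            restored[name] = baseline[name]
        else:
            restored.pop(name, None)     # parameter added by the exploit
        pinned.add(name)
    return restored, pinned


# --- constructed sample data --------------------------------------------------
BASELINE = {"detect_threshold": 10.0, "max_altitude_m": 5000}
CURRENT = {"detect_threshold": 20.0, "max_altitude_m": 4500}
OPERATOR_LOG = [{"param": "max_altitude_m", "new_value": 4500, "operator": "op-7"}]
# Decisions recorded while the embedded logic was really using threshold 20:
OBSERVED_DECISIONS = [(3.0, False), (12.0, False), (15.0, False), (21.0, True)]

if __name__ == "__main__":
    alerts = detect_unauthorized_changes(BASELINE, CURRENT, OPERATOR_LOG)
    print("case 1 alerts:", alerts)
    print("case 2 inferred interval:", infer_threshold_interval(OBSERVED_DECISIONS))
    print("consistent with table:",
          decisions_consistent_with_table(BASELINE["detect_threshold"], OBSERVED_DECISIONS))
    print("restored table, pinned:", restore(CURRENT, BASELINE, alerts))
```

In the sample data the altitude change is covered by an operator action and passes, while the threshold change is not and is flagged; the decision record bounds the effective threshold to (15, 21], which excludes the table's 10.0, so Case 2 also fires even though the table itself may look untouched. Informing the operator and deciding how long to hold the pin are system-specific choices the slide leaves to the application.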

Page 28

Sentinel Concept for Monitoring Critical System Functions

Page 29

Example: Autonomous Surveillance Platform Protection


Page 31

Sentinel with Low Scale, More Securable SW and HW
• Our research to date indicates that:
  – Monitoring functions require limited processing capacity and small computer programs
  – Voting requires limited processing and small computer programs
  – The timing and synchronization factors for monitoring and control functions are not demanding
  – The functions of a Sentinel can be distributed across many small, diversely redundant machines

Securing the Sentinel can use security techniques that may not be practical for a large system application, but can potentially be suitable for a low-scale application such as the System-Aware Sentinel.

Page 32

Example: Autonomous Surveillance Platform Protection (diagram labels)
• Config. hopping
• Diverse redundancy
• Port hopping
• Dedicated voting processing
• SW power utilization fingerprint
• SW CPU and memory usage fingerprint
• For security control only
• Spread spectrum waveform
• Low data rate

Page 33

Super Secure Sentinel (S3) Design Concept

Page 34

High Level Architectural Overview (diagram elements)
• System to be Protected
• Sentinel Providing System-Aware Security
• Internal Measurements
• Outputs
• Internal Controls

Page 35

Sentinel Data Flow (diagram element: Switchable Diversely Redundant Components)

Page 36

Possible Sentinel HW/SW Architectures
• Footprint-sensitive programmable family of HW with support SW for different types of programmable features:
  – Virtual hopping
  – Physical hopping
  – SW signature analysis
  – Diverse redundancy (HW and SW)
• IaaS-based Sentinel (Sentinel as a Service) for systems which are not seriously constrained by footprint limits, using private Cloud technology for agility and flexibility:
  – Virtual hopping (within a Cloud-based Sentinel)
  – Diversity for critical Cloud components (e.g., diverse hypervisors)
  – Hopping across geographically dispersed private Clouds
• Certified Sentinels

Page 37

Integrating System-of-Systems Security (diagram elements)
• Perimeter Monitor(s)
• Network Monitor(s)
• System 1 Sentinel
• System 2 Sentinel
• System 3 Sentinel
• System "n" Sentinel

Page 38

Going Forward
• UVA/GTRI are developing the operational prototype
  – For emulation this year
  – For field testing next year
• UVA is refining and adding to our concepts and evaluations for:
  – The operator-in-the-loop part of the System-Aware Cyber Security approach
  – Architecture decision support tools for selecting cost-effective System-Aware solutions
• Need new application cases resulting in new design patterns
  – Command and Control systems
  – Big Data systems
• Expand efforts on the S3 Sentinel and alternate implementation approaches, including private Cloud-based approaches
• Need to get industry engaged, to:
  – Pursue applications
  – Create design patterns and implementations
  – Integrate their Systems Groups and their IA Groups for System-Aware Security applications

Page 39

Publications
• B. M. Horowitz and K. M. Pierce, The integration of diversely redundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems, Systems Engineering, Volume 16, No. 3 (2013)
• R. A. Jones and B. M. Horowitz, A system-aware cyber security architecture, Systems Engineering, Volume 15, No. 2 (2012), 224-240.
• J. L. Bayuk and B. M. Horowitz, An architectural systems engineering methodology for addressing cyber security, Systems Engineering 14 (2011), 294-304.
• G. L. Babineau, R. A. Jones, and B. M. Horowitz, A system-aware cyber security method for shipboard control systems, 2012 IEEE International Conference on Technologies for Homeland Security (HST), 2012
• R. A. Jones, T. V. Nguyen, and B. M. Horowitz, System-Aware security for nuclear power systems, 2011 IEEE International Conference on Technologies for Homeland Security (HST), 2011, pp. 224-229.
• R. A. Jones and B. M. Horowitz, System-Aware cyber security, 2011 Eighth International Conference on Information Technology: New Generations (ITNG), 2011, pp. 914-917.