Cyber Security Assurance in the Smart City
Murray Rosenthal, CISA, CRISC Risk Management, Cyber Security and Compliance Strategic Planning and Architecture Information & Technology Division City of Toronto
[email protected]
Agenda
• Background
• Establishing Context
• Applicability
• Architecture
• Threat Modeling
• Governance and Recent Developments
• Summation
Concepts (universe of discourse and scope of interest)
• Cyber Security
• Information Security
• Cyber Physical Systems (CPS): Internet of Things, M2M, sensors, SCADA, ICS, PCS…
• Critical Infrastructure
• Architecture
• Universe of Discourse
• Information Technology
• Operational Technology
• Smart City
• Scope of Interest
< Background/ >
< Establishing Context/ >
https://www.linkedin.com/pulse/strong-rigorous-scientific-foundation-cyber-ecosystem-shawn-riley
http://securingsmartcities.org/wp-content/uploads/2016/03/Pen-Testing-A-City-wp.pdf
Massively Disruptive Forces – Trends, technologies, processes, and ideas that fundamentally alter the status quo and re-shape it.
Orders of Complexity:
• Mobility (functionality convergence)
• Cloud (XaaS outboarding)
• Big Data (analytics)
• Cyber-Physical Systems (exploitation of edge devices)
• Smart City (digital by design)
Smart City Framework – Transitioning the Operating Model (Current Operating Model → Smart City Framework)
http://shop.bsigroup.com/upload/Smart_cities/BSI-PAS-181-executive-summary-UK-EN.pdf
• Smart City (whole of government)
• Smart City (whole of everything)
• service by design / digital by design / digitization
Spheres of Influence
Defining Smart City
Scope of Interest
Critical Infrastructure Sectors by Geography

Canada (Public Safety Canada)
1. Energy and Utilities
2. Information and Communication Technology
3. Finance
4. Health Care
5. Food
6. Water
7. Transportation
8. Safety
9. Government
10. Manufacturing

United States (DHS)
1. Energy
2. Communications
3. Information Technology
4. Financial Services
5. Healthcare and Public Health
6. Food and Agriculture
7. Water and Wastewater Systems
8. Transportation Systems
9. Emergency Services
10. Government Facilities
11. Critical Manufacturing
12. Chemical
13. Dams
14. Commercial Facilities
15. Defense Industrial Base
16. Nuclear Reactors, Material and Waste

http://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx
https://www.dhs.gov/critical-infrastructure-sectors
http://www.cepa.com/wp-content/uploads/2014/10/ng-cepa2014.pdf
< Applicability/ >
CPS Abstraction – Generalized Workflow (Cyber-Physical Infrastructure Systems)
1. Monitoring – data acquisition from sensors observing physical processes and the environment.
2. Networking – data aggregation and data diffusion; physical aggregation of data in the network.
3. Computing – correctness of physical processes is assessed from data collected during the Monitoring phase; a valid computed result of physical system states informs the controller to select valid commands.
4. Actuation – action execution based on results generated during the Computing phase; control commands are sent to actuators.
CPS Applicability (non-exhaustive)
http://www.nist.gov/el/upload/12-Cyber-Physical-Systems020113_final.pdf
Principal Attack Vectors in an Unsecured Time Network
https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
Dark Actors (anarchists, hacktivists) and other attackers:
• bot-net operators
• criminal groups
• foreign intelligence services
• industrial spies
• insiders
• phishers
• spammers
• spyware/malware authors
• terrorists
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
CPS adversaries – differing motivations and behaviours
Cyber Security – Scope of Interest
Cyber Security Assurance (discipline) is concerned with Critical Infrastructure Protection (objective), such as the Government sector, which employs Service Digitization (digital business disruption/optimization approach) through a Smart City strategy to leverage Operational Technology (fit-for-purpose), comprised of edge elements – Cyber-Physical Systems (CPS): IoT, PCS, sensors, M2M, ICS, SCADA – and to integrate them, through orchestration, with Information Technology (general purpose) core elements. The cyber security scope of interest spans this whole chain.
Information Security Assurance ca. 2005
ISO/IEC 15408-1:2009, Information Technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model
Cyber Security – Smart City Context
The same chain applies: Cyber Security Assurance (discipline) is concerned with Critical Infrastructure Protection (objective), such as the Government sector, which employs Service Digitization (digital business disruption/optimization approach) through a Smart City strategy to leverage Operational Technology (fit-for-purpose) – edge elements: Cyber-Physical Systems (CPS): IoT, PCS, sensors, M2M, ICS, SCADA – and to integrate them, through orchestration, with Information Technology (general purpose) core elements.
Cyber Security Assertions overlaid on that chain:
• CIA Triad (inverted): Availability, Integrity, Confidentiality
• IDentity of Things (IDoT): identification, authentication, authorization, non-repudiation
• Privacy
• Trustworthiness
• Safety
• Reliability
• Resiliency
If you remember nothing else…
https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf
OT and IT Representation – CPS Logical Architecture Exemplar: Operational Technology Enclave and Information Technology Enclave
http://www.iiconsortium.org/edge-intelligence.htm
< Architecture/ >
Internet of Things (CPS) – Generalized Topology
http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf
Architecture – Perspectives and Transformations
(abstractness highest and model detail lowest at the top; abstractness lowest and model detail highest at the bottom; each row is a transformation of the row above it)
Ø Executive Perspective (Planner) – Context: strategy; bound the problem; define the scope of interest.
Ø Business Mgt. Perspective (Owner) – Concept: business architecture; develop owner requirements; “architectural drawings”; what do business owners want to do conceptually.
Ø Architect Perspective (Designer) – Logical: logical architecture; develop design requirements; “architectural plans”, “as designed representations”; how is the object actually designed based on the concept.
Ø Engineer Perspective (Builder/Contractor) – Physical: physical architecture; develop physical requirements; “as planned representations”; how will the object actually operate based on the design; overall physical implementation of the design.
Ø Technician Perspective (Subcontractor) – Components: component (technology) architecture; develop individual component specifications; “tooling configurations”, “run books”, “procedures”; how will the individual components actually be configured; individual technology specifications of the physical architecture.
Ø Enterprise Perspective (Operations) – Instantiation (out of band): functioning target operating environment (TOE); run steady-state, production environment.
Reification – the passage of an idea through a complete set of transformations that results in the instantiation (realization/operationalization) of the original idea.
Smart City – A Complete Set of Transformations
Cyber security and critical infrastructure protection generally, and in the Smart City context in particular, are not solely about the technology required to safeguard operational technology assets and related investments. They are about the total set of transformations required to take cyber security and critical infrastructure protection from concept to instantiation, or operation. Even a total set of technology models, in the absence of any other architectural specifications at their respective layers of abstraction, will not yield a complete description of some higher order concept, in this case cyber security contextualized to address specific organizational, Smart City requirements. Without the transcription of management’s intentions into detailed specifications through which actual engineering work can be done, assumptions about the complex object – Smart City – are necessarily going to be made. Those assumptions are neither right nor wrong, but any architectural aspect left unexpressed is tacit approval of the comfort the organization has with it being left in an implicit state of non-expression.
Enterprise Architecture
authoritative
urban legend
Reproduced with kind permission from Zachman International.
Security Architecture
authoritative
urban legend
Reproduced with kind permission from the SABSA Institute.
Bodies of Knowledge – Cyber Security + Smart City by Viewpoint 2010
2011
2012
Executive Perspective (Planner) Context PSC Canada’s Cyber Security Strategy PSC, DHS Canada-United States Action Plan for Critical Infrastructure
ISO/IEC ISO/IEC 27032:2012, Information technology – Security techniques – Guidelines for cybersecurity
2013
2014
2015
2016
PSC
EO 13636 Improving Critical Infrastructure Cybersecurity
PSC Action Plan for Critical Infrastructure, 2014-2017
PPD-21 Critical Infrastructure Security and Resilience
BSI PAS 181: Smart city framework – Guide to establishing strategies for smart cities and communities
securingsmartcities.org The Smart City Department: Cyber Security Role and Implications
CCTX SCADA Security Portal Canada $237 million in cyber security funding over the next five years
2016 Budget, Ontario, Ministry of Finance Digital Government Action Plan Ø Chief Digital Officer
* SABSA Institute SABSA Enhanced NIST Cybersecurity Framework (SENC)
Cybersecurity National Action Plan (CNAP) Fact Sheet Executive Order -- Commission on Enhancing National Cybersecurity Ø Federal CISO Ø
GCTC (NIST, usignite) Establish and demonstrate replicable, scalable and sustainable models for incubation and deployment of interoperable, standards-based IoT solutions and demonstrate their measurable benefits in smart communities/cities
Business Mgt. Perspective (Owner) Concept
* DHS (OCIA) The Future of Smart Cities: Cyber-Physical Infrastructure Risk
Architect Perspective (Designer) Logical
NIST Framework for Improving Critical Infrastructure Cybersecurity, V1.0
NIST (CPS Public WG) Draft Framework for Cyber-Physical Systems
NIST RFI “Views on the Framework for Improving Critical Infrastructure Cybersecurity”
Bodies of Knowledge are not the architecture. They inform the architecture. Bodies of Knowledge are externalities. They say nothing about the organization itself.
OCF (formerly OIC) “… to help unify IoT standards so that companies and developers can create IoT solutions and devices that work seamlessly together.”
Science of Smart City Operations and Platforms Engineering (SCOPE) WG, GCTC CPS extensibility, scalability, interoperability, replicability and smartness
cross-industry collaboration
IIC Industrial Internet Reference Architecture CSA Security Guidance for Early Adopters of the Internet of Things (IoT) CIS Internet of Things Security Companion to the CIS Critical Security Controls CIS The CIS Critical Security Controls for Effective Cyber Defense
OWASP Internet of Things (IoT) Project attack surface areas
testing guides
Engineer Perspective (Builder/Contractor) Physical
security guidance
Enterprise Perspective (Operations) Instantiation cybersecurity (CI) smart city (IoT, cyber physical systems (CPS))
design principles
top vulnerabilities
IoT/SCADA s/w weaknesses
* securingsmartcities.org, CSA Cyber Security Guidelines for Smart City Technology Adoption
Technician Perspective (Subcontractor) Components
developer guidance
Draft NISTIR 8063 Primitives and Elements of Internet of Things (IoT) Trustworthiness
GSMA IoT Security Guidelines IoT Security Guidelines for Service Ecosystems IoT Security Guidelines for Endpoint Ecosystems IoT Security Guidelines for Network Operators
Pure-play “Greenfield” CPS Vendors (IoT, M2M, ICS, SCADA, PCS, ...)/Home-grown ”Brownfield” Legacy Devices Integrated with CPS Functionality
Functioning Smart City / Functioning Cyber Security Assurance Program / City
Abbreviations:
BSI – British Standards Institute
CCTX – Canadian Cyber Threat Exchange
CIS – Center for Internet Security
CSA – Cloud Security Alliance
DHS – Department of Homeland Security
EO – Executive Order
GCTC – Global City Teams Challenge
IIC – Industrial Internet Consortium
ISO – International Organization for Standardization
NIST – National Institute of Standards and Technology
OCF – Open Connectivity Foundation
OCIA – Office of Cyber and Infrastructure Analysis
OWASP – Open Web Application Security Project
PPD – Presidential Policy Directive
PSC – Public Safety Canada
< Threat Modeling/ >
Semantic Model for Developing Threat Models in the Smart City Context
Sector (transportation, etc.) → Attack Surface (sector-specific vertical) → Abuse Case (general description) → Vector (abuse case narrative)
A sector has many attack surfaces; each attack surface has one or more abuse cases; each abuse case is described by one or more vectors.
Abuse Case/Threat Modeling
Smart City Attack Surfaces and Vectors (non-exhaustive)
Sector – Water and Wastewater Systems
Attack Surface – Smart Water Treatment
  Abuse Case: Smart Water Treatment Facility Disruption
  Vector 1: A malicious actor conducts a cyber-attack on a smart water treatment facility to prevent proper functionality, endangering the systems and public health.
  Vector 2: A malicious actor gains remote access to a smart wastewater facility to cause water system backups and potential environmental damage.
Attack Surface – Smart Water Distribution
  Abuse Case: Smart Water Distribution System Disruption
  Vector 1: A malicious actor remotely attacks smart water distribution systems to damage system components, disable system sensors, disrupt storage and flows, or distribute contaminated water.
  Vector 2: A malicious actor disrupts storm water-management systems during severe weather to create unsafe conditions, strain storm water-management systems, and compound the consequences of inclement weather.
Attack Surface – Smart Water Storage
  Abuse Case: Infiltration of a Smart Water Storage Facility
  Vector 1: A malicious actor targets smart pumps, valves, and other components in smart water storage facility control systems to manipulate water flow.
  Vector 2: A malicious actor manipulates safety sensors to mask the presence of dangerous substances in smart water-storage facilities.
https://ics-cert.us-cert.gov/sites/default/files/documents/OCIA%20-%20The%20Future%20of%20Smart%20Cities%20-%20Cyber-Physical%20Infrastructure%20Risk.pdf
CPS Threat Model – threats positioned on the generalized CPS workflow (Monitoring of physical processes and environment → Networking: data aggregation, data diffusion → Computing: correctness of physical processes based on data collected during the Monitoring phase → Actuation: action execution based on results generated during the Computing phase)
1. MitM (replay)
2. DoS (flood)
3. MitM (replay)
4. eavesdrop
5. MitM (replay)
6. DoS (flood)
7. MitM (replay)
8. eavesdrop
9. key attack
http://people.cis.ksu.edu/~danielwang/Investigation/CPS_Security_threat/05724910.pdf
CPS Threat Model and Cyber Security Assertions Applicability
The same nine threats on the same workflow (Monitoring of physical processes and environment → Networking: data aggregation, data diffusion → Computing: correctness of physical processes based on data collected during the Monitoring phase → Actuation: action execution based on results generated during the Computing phase):
1. MitM (replay)
2. DoS (flood)
3. MitM (replay)
4. eavesdrop
5. MitM (replay)
6. DoS (flood)
7. MitM (replay)
8. eavesdrop
9. key attack
Cyber Security Assertions that each threat bears on:
• CIA Triad (inverted): Availability, Integrity, Confidentiality
• IDentity of Things (IDoT): identification, authentication, authorization, non-repudiation
• Privacy
• Trustworthiness
• Safety
• Reliability
• Resiliency
http://people.cis.ksu.edu/~danielwang/Investigation/CPS_Security_threat/05724910.pdf
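The replay (MitM) threats in this model sit on the Monitoring → Networking → Computing path, where a stale or altered sensor frame can steer the controller into an invalid actuator command. The following is an added example, not code from the deck or the cited paper: it assumes a shared HMAC key provisioned per sensor (the IDoT authentication assertion), a monotonically increasing sequence number per frame, and a constructed high-water-mark threshold for the actuation decision; it shows the controller rejecting replayed and tampered frames before they reach actuation and recording them for detection.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only; a real deployment would
# provision per-device keys (the deck's IDentity of Things assertion).
SHARED_KEY = b"constructed-example-key"
HIGH_WATER_MARK = 70.0  # constructed threshold for the actuation decision


def _payload(seq: int, value: float) -> bytes:
    """Canonical bytes covered by the HMAC: sequence number plus reading."""
    return json.dumps({"seq": seq, "value": value}, sort_keys=True).encode()


def sign_reading(key: bytes, seq: int, value: float) -> dict:
    """Monitoring phase: the sensor emits a reading with a monotonic sequence
    number and an HMAC-SHA256 tag so the controller can check origin and freshness."""
    tag = hmac.new(key, _payload(seq, value), hashlib.sha256).hexdigest()
    return {"seq": seq, "value": value, "tag": tag}


class Controller:
    """Computing phase: only frames that verify and are newer than the last
    accepted frame may inform the actuator command (threats 1, 3, 5, 7)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.rejected = []  # (seq, reason) pairs kept for detection/audit

    def accept(self, frame: dict) -> bool:
        expected = hmac.new(self.key, _payload(frame["seq"], frame["value"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, frame["tag"]):
            self.rejected.append((frame["seq"], "bad tag"))  # altered in transit
            return False
        if frame["seq"] <= self.last_seq:
            self.rejected.append((frame["seq"], "replay"))  # old frame re-sent
            return False
        self.last_seq = frame["seq"]
        return True

    def command(self, frame: dict) -> str:
        """Actuation phase: select a valid command from a verified reading only."""
        return "OPEN_RELIEF_VALVE" if frame["value"] > HIGH_WATER_MARK else "HOLD"


def run_demo() -> tuple:
    """Constructed traffic: two genuine readings, one replayed capture of the
    first, and one frame whose value was altered without recomputing the tag."""
    ctl = Controller(SHARED_KEY)
    genuine_1 = sign_reading(SHARED_KEY, 1, 40.0)
    genuine_2 = sign_reading(SHARED_KEY, 2, 72.5)
    replayed = dict(genuine_1)
    tampered = dict(sign_reading(SHARED_KEY, 3, 75.0), value=10.0)
    commands = [ctl.command(f) for f in (genuine_1, genuine_2, replayed, tampered)
                if ctl.accept(f)]
    return commands, ctl.rejected


if __name__ == "__main__":
    print(run_demo())
```

The rejected list is the detection hook: a burst of "replay" or "bad tag" entries from one sensor is the signal an operator would want forwarded to monitoring.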
< Governance and Recent Developments/ >
Cyber Security Conceptual Risk Management Framework
• Business Requirements
• strategic controls
• operational controls
• tactical controls
• Cyber Security Technology
• Audit Oversight
Based on http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf
https://pages.nist.gov/smartcitiesarchitecture/
Working Groups: Vocabulary and Reference Architecture; Cybersecurity and Privacy; Timing and Synchronization; Data Interoperability; Use Cases
CPS Framework – Domains, Facets, Aspects
https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
CPS Framework – All Facets View
https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf
Innovation Markers and Security Intervention – A prototypical model to describe the lifecycle of a Smart City initiative (“I9”).
Legend: innovation marker; security intervention. Stakeholders: Privacy, Security, Legal, Information Management, …

Stage: Plan (who: service sponsor)
  Phases: Investigate (conduct due care assessments) → Ideate (list the services) → Itemize (document the services) → Invest (capitalize the services)
  Citizen-centric design: • crowd sourcing • competitive hack-a-thons
  Partnerships: • academia • R+D • private sector • NFP • PPP – public-private partnerships
  What: Brainstorm thumbnail sketches of Smart City services. Describe the benefit/value proposition (intangibles). Monetize feasibility/economic value (tangibles). Confirm the financing model (PPP). Develop the business case.

Stage: Develop (who: technology sponsor)
  Phases: Innovate (develop the services) → Incubate (isolate the services) → Implement (stage the services)
  What: Describe the architecture (engineer). Design the solution (manufacture). Beta-test functionality. Determine fit-for-purpose. Review.

Stage: Run (who: technology sponsor)
  Phases: Instantiate (operate the services) → Iterate (improve the services)
  What: Promote to production. Run in steady-state. Create an enhancements backlog.
< Summation/ >
Seminal Messages
• “Universe of Discourse” – An (arcane) term that you will grow to appreciate over time. If you cannot articulate the boundaries of your cyber security assurance scope, and do not have the organizational vocabulary through which you express it, nothing authoritative will take root.
• For your own good, adopt a programmatic approach to cyber security assurance. Simply put: START WITH THE BUSINESS. This is not a drill!
• Culture eats strategy (and technology) for breakfast – No matter how defined your cyber security strategy may be, it will be destroyed by dark organizational culture.
• If your understanding of cyber security does not include architecture, you will necessarily (a) place the sustainability of your organization's cyber security efforts in peril by focusing on technology to the exclusion of anything else, and (b) make dangerous, and indefensible, assumptions about cyber security design and operation.
• Grow up – You don't know everything about cyber security and, yes, hero culture is dead. If partnerships and intelligence exchange were ever considered critical for business success, they are absolutely essential in the cyber security assurance context.
• IDentity of Things (IDoT) – The identification of edge devices, authenticating to them and authorizing permissions to embedded, on-board functionality will necessarily form part of your cyber security assurance posture.
• Develop a (legal) recourse strategy that protects your organization against vendors who ship porous cyber-physical systems.
• Consider how your organization will position itself to address Smart City: holistically and integrated, or vertical and siloed. Consider the establishment of a Smart City Department as the formal accountability office.