Cyber Security Assurance in the Smart City

Murray Rosenthal, CISA, CRISC
Risk Management, Cyber Security and Compliance
Strategic Planning and Architecture
Information & Technology Division, City of Toronto
[email protected]

Agenda

• Background
• Establishing Context
• Applicability
• Architecture
• Threat Modeling
• Governance and Recent Developments
• Summation

Concepts (diagram)

Universe of Discourse: Smart City
Scope of Interest: Cyber Security, overlapping Information Security, Critical Infrastructure and Architecture, across Information Technology and Operational Technology
Cyber Physical Systems (CPS):
•Internet of Things, M2M, sensors, SCADA, ICS, PCS…

< Background/ >

< Establishing Context/ >

https://www.linkedin.com/pulse/strong-rigorous-scientific-foundation-cyber-ecosystem-shawn-riley

http://securingsmartcities.org/wp-content/uploads/2016/03/Pen-Testing-A-City-wp.pdf

Massively Disruptive Forces

Trends, technologies, processes, and ideas that fundamentally alter the status quo and re-shape it, in increasing orders of complexity:

• Mobility (functionality convergence)
• Cloud (XaaS outboarding)
• Big Data (analytics)
• Cyber-Physical Systems (exploitation of edge devices)
• Smart City (digital by design)

Smart City Framework – Transitioning the Operating Model

http://shop.bsigroup.com/upload/Smart_cities/BSI-PAS-181-executive-summary-UK-EN.pdf

Current Operating Model: whole of government; digitization
Smart City Framework: whole of everything; service by design, digital

Spheres of Influence (diagram): Defining Smart City; Scope of Interest

Critical Infrastructure Sectors by Geography

Canada                                         United States
 1 Energy and Utilities                         1 Energy
 2 Information and Communication Technology     2 Communications
                                                3 Information Technology
 3 Finance                                      4 Financial Services
 4 Health Care                                  5 Healthcare and Public Health
 5 Food                                         6 Food and Agriculture
 6 Water                                        7 Water and Wastewater Systems
 7 Transportation                               8 Transportation Systems
 8 Safety                                       9 Emergency Services
 9 Government                                  10 Government Facilities
10 Manufacturing                               11 Critical Manufacturing
                                               12 Chemical
                                               13 Dams
                                               14 Commercial Facilities
                                               15 Defense Industrial Base
                                               16 Nuclear Reactors, Material and Waste

http://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx https://www.dhs.gov/critical-infrastructure-sectors

http://www.cepa.com/wp-content/uploads/2014/10/ng-cepa2014.pdf

< Applicability/ >

CPS Abstraction – Generalized Workflow

Cyber-Physical Infrastructure Systems cycle through four phases:

• Monitoring: data acquisition from sensors observing the physical processes and environment
• Networking: data aggregation and data diffusion (physical aggregation of data in the network)
• Computing: correctness of the physical processes is established from the data collected during the Monitoring phase; a valid computed result of physical system states informs the controller to select valid commands
• Actuation: action execution based on the results generated during the Computing phase; control commands are sent to actuators, which act on the physical processes
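The deck describes the loop only at the level of the diagram. As an added example (not code from the original deck), the following Python sketch shows where the Computing phase's correctness check sits in that loop: a hypothetical tank level controller accepts a sensor reading only if it is within physical range, fresh, and consistent with the rate of change the pumps can actually produce since the last valid reading, and only then selects a pump command from it; anything else is logged and the controller holds rather than actuating. The tank limits, the sensor tag LT-101 and the readings are all constructed for the example.

```python
"""Monitoring -> Networking -> Computing -> Actuation loop with a Computing-phase
correctness gate. Added example; the tank, its limits and the readings are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Physical envelope of the hypothetical storage tank (assumed values)
LEVEL_MIN_M, LEVEL_MAX_M = 0.0, 10.0   # a real sensor cannot read below empty or above full
MAX_RATE_M_PER_S = 0.5                 # fastest level change the pumps can produce
MAX_AGE_S = 5.0                        # older readings are stale, not actionable
SETPOINT_M, DEADBAND_M = 6.0, 0.25     # control target and hysteresis band


@dataclass
class Reading:
    """One Monitoring-phase sample as delivered by the Networking phase."""
    sensor_id: str
    level_m: float
    ts: float          # sensor timestamp, seconds


@dataclass
class ControllerState:
    last_valid: Optional[Reading] = None
    rejected: List[Tuple[str, float, str]] = field(default_factory=list)


def validate(state: ControllerState, r: Reading, now: float) -> str:
    """Computing phase: can this reading describe a real physical state?"""
    if not (LEVEL_MIN_M <= r.level_m <= LEVEL_MAX_M):
        return "out_of_range"
    if now - r.ts > MAX_AGE_S:
        return "stale"
    prev = state.last_valid
    if prev is not None:
        dt = r.ts - prev.ts
        if dt <= 0:
            return "non_monotonic_timestamp"
        if abs(r.level_m - prev.level_m) / dt > MAX_RATE_M_PER_S:
            return "implausible_rate"   # a jump the physics cannot produce
    return "ok"


def select_command(level_m: float) -> str:
    """Controller decision: a valid state selects a valid command."""
    if level_m < SETPOINT_M - DEADBAND_M:
        return "PUMP_ON"
    if level_m > SETPOINT_M + DEADBAND_M:
        return "PUMP_OFF"
    return "HOLD"


def step(state: ControllerState, r: Reading, now: Optional[float] = None) -> Tuple[str, str]:
    """One pass through the loop. Returns (actuation command, validation verdict).
    Invalid data never reaches Actuation: the fail-safe command is HOLD."""
    now = r.ts if now is None else now
    verdict = validate(state, r, now)
    if verdict != "ok":
        state.rejected.append((r.sensor_id, r.ts, verdict))
        return "HOLD", verdict
    state.last_valid = r
    return select_command(r.level_m), verdict


def run(readings: List[Reading]) -> List[Tuple[str, str]]:
    """Drive a fresh controller over a sequence of readings."""
    state = ControllerState()
    return [step(state, r) for r in readings]


if __name__ == "__main__":
    # Constructed trace: a genuine fill, a physically impossible jump (spoofed or
    # faulty sample), recovery, then an out-of-range value.
    trace = [Reading("LT-101", 5.0, 0.0), Reading("LT-101", 5.4, 1.0),
             Reading("LT-101", 9.8, 2.0), Reading("LT-101", 5.9, 3.0),
             Reading("LT-101", 12.0, 4.0)]
    for r, out in zip(trace, run(trace)):
        print(f"t={r.ts:>4}  level={r.level_m:>5}  -> {out}")
```

The plausibility limits are the controller's knowledge of the physics; a value the process cannot reach is treated as evidence of sensor fault or manipulation, not as a command input, which is what "correctness of physical processes" in the Computing phase buys you.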

CPS Applicability (non-exhaustive)

http://www.nist.gov/el/upload/12-Cyber-Physical-Systems020113_final.pdf

Principal Attack Vectors in an Unsecured Time Network

https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf

Dark Actors

• Anarchists, hacktivists
• Attackers
• Bot-net operators
• Criminal groups
• Foreign intelligence services
• Industrial spies
• Insiders
• Phishers
• Spammers
• Spyware/malware authors
• Terrorists

http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

CPS adversaries: differing motivations and behaviours

Cyber Security Scope of Interest (concept map)

Cyber Security Assurance (discipline) is concerned with Critical Infrastructure Protection (objective), such as the Government sector, which employs Service Digitization (digital business disruption/optimization approach) through Smart City (strategy) to leverage Operational Technology (fit-for-purpose), comprised of edge elements (Cyber-Physical Systems (CPS): IoT, PCS, sensors, M2M, ICS, SCADA), and integrate them, through orchestration, with Information Technology (general purpose) core elements. The cyber security scope of interest spans both the edge and the core.

Information Security Assurance ca. 2005

ISO/IEC 15408-1:2009, Information Technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model

Cyber Security – Smart City Context: CIA Triad (inverted)

The Cyber Security Scope of Interest concept map (Cyber Security Assurance → Critical Infrastructure Protection → Government → Service Digitization → Smart City → Operational Technology edge elements (CPS, IoT, PCS, sensors, M2M, ICS, SCADA) orchestrated with Information Technology core elements), annotated with the Cyber Security Assertions the assurance discipline must make across it. The CIA triad is inverted for the Smart City context: Availability first, then Integrity, then Confidentiality. The further assertions are:

• IDentity of Things (IDoT): identification, authentication, authorization, non-repudiation
• Privacy
• Trustworthiness
• Safety
• Reliability
• Resiliency

If you remember nothing else…

https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf

OT and IT Representation – CPS Logical Architecture Exemplar: Operational Technology Enclave and Information Technology Enclave

http://www.iiconsortium.org/edge-intelligence.htm

< Architecture/ >

Internet of Things (CPS) – Generalized Topology

http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf


Architecture – Perspectives and Transformations

Each perspective is a transformation of the one above it; abstractness decreases and model detail increases from Context down to Instantiation.

• Executive Perspective (Planner) – Context: strategy; bound the problem; define the scope of interest. (abstractness highest, model detail lowest)
• Business Mgt. Perspective (Owner) – Concept: business architecture; develop owner requirements ("architectural drawings"); what the business owners want to do conceptually.
• Architect Perspective (Designer) – Logical: logical architecture; develop design requirements ("architectural plans", "as designed representations"); how the object is actually designed based on the concept.
• Engineer Perspective (Builder/Contractor) – Physical: physical architecture; develop physical requirements ("as planned representations"); how the object will actually operate based on the design; overall physical implementation of the design.
• Technician Perspective (Subcontractor) – Components: component (technology) architecture; develop individual component specifications ("tooling configurations", "run books", "procedures"); how the individual components will actually be configured; individual technology specifications of the physical architecture. (abstractness lowest, model detail highest)
• Enterprise Perspective (Operations) – Instantiation (out of band): functioning target operating environment (TOE); run; steady-state, production environment.

Reification: the passage of an idea through a complete set of transformations that results in the instantiation (realization/operationalization) of the original idea.

Smart City – A Complete Set of Transformations

Cyber security and critical infrastructure protection generally, and in the Smart City context in particular, are not solely about the technology required to safeguard operational technology assets and related investments. They are about the total set of transformations required to take cyber security and critical infrastructure protection from concept to instantiation, or operation. Even a total set of technology models, in the absence of any other architectural specifications at their respective layers of abstraction, will not yield a complete description of some higher-order concept, in this case cyber security contextualized to address specific organizational, Smart City requirements. Without the transcription of management's intentions into detailed specifications through which actual engineering work can be done, assumptions about the complex object, the Smart City, are necessarily going to be made. Those assumptions are neither right nor wrong, but any architectural aspect left unexpressed is tacit approval of the comfort the organization has with it being left in an implicit, unexpressed state.

Enterprise Architecture: authoritative vs. urban legend. Reproduced with kind permission from Zachman International.

Security Architecture: authoritative vs. urban legend. Reproduced with kind permission from the SABSA Institute.

Bodies of Knowledge – Cyber Security + Smart City by Viewpoint (timeline 2010–2016)

Executive Perspective (Planner) – Context
• PSC, Canada's Cyber Security Strategy
• PSC, DHS, Canada-United States Action Plan for Critical Infrastructure
• ISO/IEC 27032:2012, Information technology – Security techniques – Guidelines for cybersecurity
• EO 13636, Improving Critical Infrastructure Cybersecurity
• PPD-21, Critical Infrastructure Security and Resilience
• PSC, Action Plan for Critical Infrastructure, 2014-2017
• BSI PAS 181: Smart city framework – Guide to establishing strategies for smart cities and communities
• securingsmartcities.org, The Smart City Department: Cyber Security Role and Implications
• CCTX SCADA Security Portal
• Canada: $237 million in cyber security funding over the next five years
• 2016 Budget, Ontario, Ministry of Finance: Digital Government Action Plan; Chief Digital Officer
• * SABSA Institute, SABSA Enhanced NIST Cybersecurity Framework (SENC)
• Cybersecurity National Action Plan (CNAP) Fact Sheet; Executive Order – Commission on Enhancing National Cybersecurity; Federal CISO
• GCTC (NIST, US Ignite): establish and demonstrate replicable, scalable and sustainable models for incubation and deployment of interoperable, standards-based IoT solutions and demonstrate their measurable benefits in smart communities/cities

Business Mgt. Perspective (Owner) – Concept
• * DHS (OCIA), The Future of Smart Cities: Cyber-Physical Infrastructure Risk

Architect Perspective (Designer) – Logical
• NIST, Framework for Improving Critical Infrastructure Cybersecurity, V1.0
• NIST (CPS Public WG), Draft Framework for Cyber-Physical Systems *
• NIST RFI, "Views on the Framework for Improving Critical Infrastructure Cybersecurity"
• OCF (formerly OIC): "… to help unify IoT standards so that companies and developers can create IoT solutions and devices that work seamlessly together."
• Science of Smart City Operations and Platforms Engineering (SCOPE) WG, GCTC: CPS extensibility, scalability, interoperability, replicability and smartness; cross-industry collaboration
• IIC, Industrial Internet Reference Architecture
• CSA, Security Guidance for Early Adopters of the Internet of Things (IoT)
• CIS, Internet of Things Security Companion to the CIS Critical Security Controls
• CIS, The CIS Critical Security Controls for Effective Cyber Defense
• OWASP Internet of Things (IoT) Project: attack surface areas, testing guides, security guidance, design principles, top vulnerabilities, IoT/SCADA software weaknesses

Engineer Perspective (Builder/Contractor) – Physical
• * securingsmartcities.org, CSA, Cyber Security Guidelines for Smart City Technology Adoption

Technician Perspective (Subcontractor) – Components
• developer guidance
• Draft NISTIR 8063, Primitives and Elements of Internet of Things (IoT) Trustworthiness
• GSMA IoT Security Guidelines: IoT Security Guidelines for Service Ecosystems; IoT Security Guidelines for Endpoint Ecosystems; IoT Security Guidelines for Network Operators
• Pure-play "Greenfield" CPS vendors (IoT, M2M, ICS, SCADA, PCS, ...) / home-grown "Brownfield" legacy devices integrated with CPS functionality

Enterprise Perspective (Operations) – Instantiation
• Functioning Smart City; Functioning Cyber Security Assurance Program

Legend (as on the original slide): cybersecurity (CI); smart city (IoT, cyber physical systems (CPS))

Bodies of Knowledge are not the architecture. They inform the architecture. Bodies of Knowledge are externalities. They say nothing about the organization itself.

BSI – British Standards Institute; CCTX – Canadian Cyber Threat Exchange; CIS – Center for Internet Security; CSA – Cloud Security Alliance; DHS – Department of Homeland Security; EO – Executive Order; GCTC – Global City Teams Challenge; IIC – Industrial Internet Consortium; ISO – International Organization for Standardization; NIST – National Institute of Standards and Technology; OCF – Open Connectivity Foundation; OCIA – Office of Cyber and Infrastructure Analysis; OWASP – Open Web Application Security Project; PPD – Presidential Policy Directive; PSC – Public Safety Canada

< Threat Modeling/ >

Semantic Model for Developing Threat Models in the Smart City Context

Sector (transportation, etc.)
  → Attack Surface (sector-specific vertical)
    → Abuse Case (general description)
      → Vector (abuse case narrative)

A sector exposes several attack surfaces; each attack surface carries one or more abuse cases; each abuse case is realized through one or more vectors.

Abuse Case/Threat Modeling

Smart City Attack Surfaces and Vectors (non-exhaustive)

Sector – Water and Wastewater Systems

Attack Surface – Smart Water Treatment
Abuse Case: Smart Water Treatment Facility Disruption
• Vector 1: A malicious actor conducts a cyber-attack on a smart water treatment facility to prevent proper functionality, endangering the systems and public health.
• Vector 2: A malicious actor gains remote access to a smart wastewater facility to cause water system backups and potential environmental damage.

Attack Surface – Smart Water Distribution
Abuse Case: Smart Water Distribution System Disruption
• Vector 1: A malicious actor remotely attacks smart water distribution systems to damage system components, disable system sensors, disrupt storage and flows, or distribute contaminated water.
• Vector 2: A malicious actor disrupts storm water-management systems during severe weather to create unsafe conditions, strain storm water-management systems, and compound the consequences of inclement weather.

Attack Surface – Smart Water Storage
Abuse Case: Infiltration of a Smart Water Storage Facility
• Vector 1: A malicious actor targets smart pumps, valves, and other components in smart water storage facility control systems to manipulate water flow.
• Vector 2: A malicious actor manipulates safety sensors to mask the presence of dangerous substances in smart water-storage facilities.

https://ics-cert.us-cert.gov/sites/default/files/documents/OCIA%20-%20The%20Future%20of%20Smart%20Cities%20-%20Cyber-Physical%20Infrastructure%20Risk.pdf

CPS Threat Model

Nine attacks overlaid on the generalized CPS workflow (Monitoring → Networking → Computing → Actuation), numbered as on the diagram and grouped approximately as drawn:

• Monitoring (sensor data acquisition from the physical processes and environment): 1. MitM (replay); 8. eavesdrop; 9. key attack
• Networking (data aggregation, data diffusion): 2. DoS (flood); 3. MitM (replay)
• Computing (correctness of physical processes based on data collected during Monitoring): 4. eavesdrop; 5. MitM (replay); 6. DoS (flood)
• Actuation (action execution based on results generated during Computing): 7. MitM (replay)

http://people.cis.ksu.edu/~danielwang/Investigation/CPS_Security_threat/05724910.pdf

CPS Threat Model and Cyber Security Assertions Applicability – CIA Triad (inverted)

The same nine attacks (1, 3, 5, 7 MitM (replay); 2, 6 DoS (flood); 4, 8 eavesdrop; 9 key attack) on the Monitoring → Networking → Computing → Actuation workflow, with the Cyber Security Assertions they bear on:

• Availability (first, in the inverted triad): the DoS floods (2, 6) against Networking and the Computing→Actuation path
• Integrity: the MitM replays (1, 3, 5, 7) against sensor data, aggregated data, computed results and control commands
• Confidentiality: the eavesdropping attacks (4, 8) on Computing and Monitoring
• IDentity of Things (IDoT): identification, authentication, authorization, non-repudiation; the key attack (9) strikes at the credentials these rest on
• Privacy, Trustworthiness, Safety, Reliability, Resiliency: end-to-end assertions across the loop, with Safety, Reliability and Resiliency drawn against Computing and Actuation

http://people.cis.ksu.edu/~danielwang/Investigation/CPS_Security_threat/05724910.pdf
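The replay, tampering and eavesdrop attacks in the model above translate into concrete checks at the receiving end of the telemetry path. The following Python example is added here and is not part of the deck or of the cited paper. It shows one way to make a sensor-to-controller frame resistant to attacks 1, 3, 5 and 7 (MitM/replay): each frame carries the device identity, a monotonically increasing counter, a timestamp and an HMAC-SHA256 tag under a per-device key, and the receiver verifies the tag, the freshness window and the counter before accepting it, so the Integrity and IDoT assertions become a check that fails closed. The device names, keys and readings are constructed for the example. Two caveats the code makes visible: the payload is still in the clear, so attacks 4 and 8 (eavesdrop) need encryption on top of this (TLS/DTLS or an AEAD), and attack 9 (key compromise) lets the attacker forge frames for that one device, which is why keys are per device and never shared.

```python
"""Authenticated, replay-resistant telemetry frames. Added example; the device
identities, keys and readings are constructed, not taken from any real deployment."""
import hashlib
import hmac
import json
from typing import Dict, List

# Edge-device identity registry: one key per device (IDoT: identification +
# authentication). Keys are derived from fixed strings only so the example is
# reproducible; real keys come from device provisioning, never from a constant.
DEVICE_KEYS: Dict[str, bytes] = {
    "flow-sensor-07": hashlib.sha256(b"constructed-key-flow-sensor-07").digest(),
    "valve-act-03": hashlib.sha256(b"constructed-key-valve-act-03").digest(),
}


def canonical(frame: dict) -> bytes:
    """Bytes covered by the tag: every field except the tag, in a fixed order."""
    body = {k: v for k, v in frame.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(device_id: str, counter: int, ts: float, payload: dict, key: bytes) -> dict:
    """Sender side (Monitoring or Actuation endpoint): build and tag one frame."""
    frame = {"dev": device_id, "ctr": counter, "ts": ts, "payload": payload}
    frame["tag"] = hmac.new(key, canonical(frame), hashlib.sha256).hexdigest()
    return frame


class Receiver:
    """Controller side: accept a frame only if it is authentic, fresh and new."""

    def __init__(self, keys: Dict[str, bytes], max_skew_s: float = 30.0):
        self.keys = keys
        self.max_skew_s = max_skew_s
        self.last_ctr: Dict[str, int] = {}   # highest counter accepted per device

    def accept(self, frame: dict, now: float) -> str:
        key = self.keys.get(frame.get("dev"))
        if key is None:
            return "reject:unknown_device"          # identification fails
        expected = hmac.new(key, canonical(frame), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(frame.get("tag", ""))):
            return "reject:bad_tag"                 # tampered or forged (MitM)
        if abs(now - frame["ts"]) > self.max_skew_s:
            return "reject:stale"                   # outside the freshness window
        if frame["ctr"] <= self.last_ctr.get(frame["dev"], -1):
            return "reject:replay"                  # counter did not advance
        self.last_ctr[frame["dev"]] = frame["ctr"]
        return "accept"


def demo() -> List[str]:
    """Constructed exchange exercising each outcome; returns the verdicts in order."""
    rx = Receiver(DEVICE_KEYS)
    key = DEVICE_KEYS["flow-sensor-07"]
    f1 = seal("flow-sensor-07", 1, 1000.0, {"flow_lps": 12.5}, key)
    f2 = seal("flow-sensor-07", 2, 1003.0, {"flow_lps": 12.7}, key)
    tampered = {**f2, "payload": {"flow_lps": 0.0}}   # attacker edits, keeps the tag
    rogue = seal("rogue-node", 1, 1004.0, {"flow_lps": 99.0}, b"k" * 32)
    old = seal("flow-sensor-07", 3, 100.0, {"flow_lps": 12.9}, key)
    return [
        rx.accept(f1, now=1001.0),        # accept
        rx.accept(f1, now=1002.0),        # reject:replay (MitM replay, attacks 1/3/5/7)
        rx.accept(tampered, now=1003.5),  # reject:bad_tag (MitM modification)
        rx.accept(f2, now=1003.5),        # accept
        rx.accept(rogue, now=1004.0),     # reject:unknown_device
        rx.accept(old, now=1005.0),       # reject:stale
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of checks matters for the DoS floods (attacks 2 and 6): the cheap identity lookup runs before the HMAC, so frames from unregistered devices cost no cryptography, but a flood of well-formed frames from a known identity still consumes an HMAC each, and rate limiting has to sit in front of this code rather than inside it.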

< Governance and Recent Developments/ >

Cyber Security Conceptual Risk Management Framework

Business Requirements → strategic controls → operational controls → tactical controls → Cyber Security Technology, with Audit Oversight across all layers.

Based on http://www.iiroc.ca/industry/Documents/CybersecurityBestPracticesGuide_en.pdf

https://pages.nist.gov/smartcitiesarchitecture/

Working Groups: Vocabulary and Reference Architecture; Cybersecurity and Privacy; Timing and Synchronization; Data Interoperability; Use Cases

CPS Framework – Domains, Facets, Aspects

https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf

CPS Framework – All Facets View

https://s3.amazonaws.com/nist-sgcps/cpspwg/pwgglobal/CPS_PWG_Draft_Framework_for_Cyber-Physical_Systems_Release_0_8_September_2015.pdf

Innovation Markers and Security Intervention

A prototypical model to describe the lifecycle of a Smart City initiative ("I9"): four stages, nine phases. Each innovation marker is a point of security intervention; the stakeholders include Privacy, Security, Legal, Information Management, …

Stage: Plan (citizen-centric design: crowd sourcing, competitive hack-a-thons; partnerships: academia, R+D, private sector, NFP; PPP – public-private partnerships)
  Investigate (conduct due care assessments)
  Ideate (list the services) – brainstorm thumbnail sketches of Smart City services
  Itemize (document the services) – describe the benefit/value proposition (intangibles); monetize feasibility/economic value (tangibles)
  Invest (capitalize the services) – confirm the financing model (PPP); develop the business case
  Who: service sponsor

Stage: Develop
  Innovate (develop the services) – describe the architecture (engineer); design the solution (manufacture)
  Incubate (isolate the services) – beta-test functionality; determine fit-for-purpose

Stage: Run
  Implement (stage the services) – promote to production
  Instantiate (operate the services) – run in steady state

Stage: Review
  Iterate (improve the services) – create an enhancements backlog
  Who (Develop, Run, Review): technology sponsor

< Summation/ >

Seminal Messages

• "Universe of Discourse" – An (arcane) term that you will grow to appreciate over time. If you cannot articulate the boundaries of your cyber security assurance scope, and do not have the organizational vocabulary through which to express it, nothing authoritative will take root.
• For your own good, adopt a programmatic approach to cyber security assurance. Simply put: START WITH THE BUSINESS. This is not a drill!
• Culture eats strategy (and technology) for breakfast – No matter how well defined your cyber security strategy may be, it will be destroyed by a dark organizational culture.
• If your understanding of cyber security does not include architecture, you will necessarily (a) place the sustainability of your organization's cyber security efforts in peril by focusing on technology to the exclusion of anything else, and (b) make dangerous, and indefensible, assumptions about cyber security design and operation.
• Grow up – You don't know everything about cyber security and, yes, hero culture is dead. If partnerships and intelligence exchange were ever considered critical for business success, they are absolutely essential in the cyber security assurance context.
• IDentity of Things (IDoT) – The identification of edge devices, authenticating to them and authorizing permissions to embedded, on-board functionality will necessarily form part of your cyber security assurance posture.
• Develop a (legal) recourse strategy that protects your organization against vendors who ship porous cyber-physical systems.
• Consider how your organization will position itself to address Smart City: holistically and integrated, or vertical and siloed.
• Consider the establishment of a Smart City Department as the formal accountability office.
