Specification, Verification, Test Theory

Specification, Verification, Test Theory
Information Security of Embedded Systems
21.10.2009: Introduction
Prof. Dr. Holger Schlingloff
Institut für Informatik
and
Fraunhofer FIRST
Announcement Slide from 8.10.2009
• Title: “Information Security of Embedded Systems”
• Time: Wednesday 11:15 – 12:45, RUD25, 4.113
• Start: 21.10. (!)
• Examinable: YES (oral examination)
• Contents
Introduction to embedded systems
Foundations of information security
Threats and protective measures
Special challenges regarding computing power, energy, communication
Development processes
Embedded Security © Prof. Dr. H. Schlingloff 2009
21.10.2009
2
“Information Security of Embedded Systems”
• Series of lectures on the topic
“Embedded Systems – Productivity and Quality”
“Embedded Systems – Safety and Reliability”
• Does NOT build on the lecture of the summer semester
Some repetition may be unavoidable
Two sides of the same coin
• Related lectures
Reliable Systems, Properties of Mobile and Embedded Systems
Cryptology, Electronic Signatures
Notes
• No lecture:
on 18. & 25.11. (SEFM)
on 16.12. (Koll. UHB)
• Replacement: lectures by M. Conrad
Topic: Automotive Security
Date by arrangement (WebEx!)
• Block lecture by M. Roggenbach
15.-17.1.2010
22.-24.1.2010
Block Lecture “Algebraic Specification”
• Title: “Algebraic Specification of Software and Hardware” (H. Schlingloff / M. Roggenbach)
• Format: block course on two weekends
15.1. afternoon, 16.1., 17.1.
22.1. afternoon, 23.1., 24.1.
• Contents
Specification formalisms
Common Algebraic Specification Language
Industrial application examples
Tools (theorem provers, transformers)
Further Remarks
• Slides will be in English ☺
• We will have a few mascots
indicating a break ☺
• Slides (without cartoons)
available on web site
http://www2.informatik.hu-berlin.de/~hs/Lehre/2009-SS_EmSec/index.html
after the lecture
Recommended Reading
• Claudia Eckert: IT-Sicherheit – Konzepte, Verfahren, Protokolle, various editions, Oldenbourg
• Matt Bishop: Computer Security – Art and Science, Addison-Wesley
• Peter Marwedel: Embedded System Design, Springer
The Topic “Embedded Security”
• “Fashion” research topic
• Not yet very mature
many research papers
some real, some imagined threats
different lectures with different emphasis
• Industrial relevance questionable
however, significant standard methods exist
“state-of-the-art” must be followed
Contents – What You Should Learn
• Embedded systems design
• Foundations of security
• Threats and protective measures
information security threats
technical systems threats and measures
• Special challenges for embedded systems
security processing gap
battery gap
assurance gap
• Processes and methods
structured development methods
validation and proof, formal methods
Structure
1. Introductory example
2. Embedded systems engineering
    1. definitions and terms
    2. design principles
3. Foundations of security
    1. threats, attacks, measures
    2. construction of safe systems
4. Design of secure systems
    1. design challenges
    2. safety modelling and assessment
    3. cryptographic algorithms
5. Communication of embedded systems
    1. remote access
    2. sensor networks
6. Algorithms and measures
    1. digital signatures
    2. key management
    3. authentication
    4. authorization
7. Formal methods for security
    1. protocol verification
    2. logics and proof methods
Introductory Example
• “Malicious Control System Cyber
Security Attack Case Study –
Maroochy Water Services, Australia”
Reference: M. D. Abrams, J. Weiss; Annual Computer
Security Applications Conference, Dec. 2008
http://csrc.nist.gov/sec-cert/ics/papers.html
• Actual control system cyber event
resulted in environmental and economic damage
malicious attack by knowledgeable insider, who had been
a trusted contractor employee
timelines, control system response, and control system
policies well investigated
Attack Synopsis
• Players: V.B., Hunter Watertech, Maroochy Shire Council
Mr. B. had worked for Hunter Watertech, a small Australian firm that
installed radio-controlled sewage equipment for the Maroochy Shire
Council in Queensland, Australia (a rural area of great natural beauty and a tourist destination)
coming from a “strained relationship” with Hunter Watertech,
B applied for a job with the Maroochy Shire Council
the Council decided not to hire him
he decided to “get even” with both the Council and his former
employer
• On at least 46 occasions the offender issued remote radio
commands to the sewage equipment of Maroochy Shire
these commands caused 800,000 litres of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel
huge environmental and financial damage: marine life died, the creek
water turned black and the stench was unbearable for residents
Time Line
• 1997-December 1999: B employed by Hunter Watertech
• Dec. 3, 1999: B resigns, seeks City Council employment
• Early January 2000: B turned down
• Feb 9-Apr 23, 2000: system experiences a series of faults
Pumps were not running when they should have been
Alarms were not reporting to the central computer
A loss of communication between the central computer and various pumping stations
• Mar 16, 2000: Hunter Watertech tried to troubleshoot system
• Apr 19, 2000: Log indicates that a certain system program had been run (manually) at least 31 times
• Apr 23, 2000: Alarms at four pumping stations were disabled using the identification of a fake pumping station
Time Line (continued)
• Apr 23, 2000: B, who was under police surveillance, was pulled over by police with computer equipment in car
• “Later investigations found B's laptop had been used at the time of the attacks and his hard drive contained software for accessing and controlling the sewage management system” (http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/)
• B asserted in a taped conversation that all the items in the vehicle were his own. He said he had been up to Rainbow Beach and that he used the computer for study, personal correspondence and work in his family business
• B sought to establish that some of the electronic messages that gave rise to the charges could have been caused by system malfunction or by error of Council employees
• Oct 31, 2001: B convicted in trial, sentenced to 2 years
• Mar 21, 2002: Appeal rejected
Evidence Found in B’s Vehicle
• Laptop
software reloaded February 28, 2000
software used in the sewerage system (re)installed February 29
- run at least 31 times prior to April 19
- last run on April 23
• “Motorola M120 two-way radio” (same type used in the Council’s system)
tuned into the frequencies of the repeater stations
serial numbers matched delivery docket provided by the supplier of the radios to Hunter Watertech
• “PDS Compact 500” computer control device
address set to spoof pumping station
serial number identified it as a device which should have been in the possession of Hunter Watertech
Consideration
• Obviously, this was a “malicious attack”. Why?
• Obviously, the offender had to be jailed. Why?
• Obviously, he was the offender. Why?
• Obviously, this could have been prevented. How?
Observations (1/3)
• B was an insider who was never an employee of the
organization he attacked
Employee of contractor that supplied IT/control system
technology
- With his knowledge he was the “ultimate insider”
Difficulty of protecting against insider attacks
• Contractor’s responsibilities unspecified / inadequate
Management, technical and operational cyber security
controls
Personnel security controls
- Background investigations
- Protection from disgruntled employees
Observations (2/3)
• As a skilful adversary, B was able to disguise his
actions
A number of anomalous events occurred before
recognition that the incidents were intentional
Extensive digital forensics were required to determine that
a deliberate attack was underway
• Importance of determining whether an incident is an intentional attack or an unintentional flaw or error
Insufficient means to differentiate attacks from
malfunctions
No existing cyber security policies or procedures
No cyber security defences
Observations (3/3)
• Radio communications used in system insecure or improperly
configured
Wireless devices and software should be secured to the extent
possible using physical and logical controls
Security controls not implemented or used properly
• Lack of adequate logging mechanisms for forensic purposes
• Insufficient further measures
Anti-virus
Firewall protection
Appropriate use of encryption
Upgrade-able systems (from a security perspective)
Proper staff training
Security auditing and control.
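The two lessons above (log the origin of every control command, and use that record to tell a spoofed station identity from an ordinary malfunction) as an added Python illustration; this is not code from the lecture or from the Maroochy system, and the station ids, device serials and log format are constructed for the example:

```python
# Added example: provenance check over constructed telemetry log lines.
# The inventory, serials and message format below are invented; the point is
# that a command recorded together with its originating device can later be
# audited, which the real incident lacked.
from collections import defaultdict

# Constructed inventory: which controller serial is installed at which station.
REGISTERED = {
    "PS-01": "HW-1001",
    "PS-02": "HW-1002",
    "PS-03": "HW-1003",
    "PS-04": "HW-1004",
}

# Constructed log lines: timestamp, claimed station id, device serial, command.
SAMPLE_LOG = """\
2000-04-23T02:10:11 PS-01 HW-1001 PUMP_START
2000-04-23T02:11:03 PS-02 HW-1002 ALARM_REPORT level=high
2000-04-23T02:14:40 PS-02 HW-9999 ALARM_DISABLE
2000-04-23T02:15:02 PS-03 HW-9999 ALARM_DISABLE
2000-04-23T02:15:45 PS-03 HW-1003 COMM_LOST
2000-04-23T02:16:30 PS-04 HW-1004 PUMP_STOP
"""


def parse(line):
    ts, station, serial, *cmd = line.split()
    return {"ts": ts, "station": station, "serial": serial, "cmd": " ".join(cmd)}


def find_anomalies(log_text, registered=REGISTERED):
    """Return (findings, serials_per_station); a finding is (ts, station, reason)."""
    findings = []
    serials = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse(raw)
        serials[ev["station"]].add(ev["serial"])
        expected = registered.get(ev["station"])
        if expected is None:
            findings.append((ev["ts"], ev["station"], "unknown station id"))
        elif ev["serial"] != expected:
            # Station id claimed by a device other than the one installed there:
            # a spoofed identity, not a fault of the registered equipment.
            findings.append((ev["ts"], ev["station"],
                             f"station id claimed by unregistered device {ev['serial']}"))
        if ev["cmd"].startswith("ALARM_DISABLE"):
            # Alarm suppression is always recorded with its origin for later audit.
            findings.append((ev["ts"], ev["station"], f"alarm disabled by {ev['serial']}"))
        # A COMM_LOST from the registered device produces no finding: plain malfunction.
    return findings, dict(serials)
```

With the constructed log, the two ALARM_DISABLE messages from the unregistered serial produce four findings, while the communication loss at PS-03 from its own controller is left as an ordinary fault.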
Learning From the Maroochy Shire Cyber Attack
• Public record of an intentional, targeted attack by a knowledgeable person on an industrial control system teaches us to consider:
Critical physical, administrative, and supply chain vulnerabilities
Vulnerabilities coming from suppliers or others outside the organization
Contractor and sub-contractor personnel as a potential attack source
• Need to be concerned with both inside & outside attack
• Difficulty in identifying a control system cyber incident as a malicious attack and retaking control of a “hijacked” system
• A determined, knowledgeable adversary could potentially defeat most controls
• Structured defence-in-depth security is best
Abrams / Weiss Political Conclusions
• Public and private sector enterprises today are highly
dependent on information systems to carry out their
missions and business functions
• Developments in embedded systems have seen
these traditionally closed systems become open and
internet-connected, thus putting the national
services critical infrastructure at risk
• To achieve mission and business success, enterprise
information systems must be dependable in the face
of serious cyber threats
• To achieve information system dependability, the
systems must be appropriately protected
To be discussed: Do you agree with these statements?