SLIDE 1

System-Aware Cyber Security Architecture

Rick A. Jones, October 2011

SLIDE 2

Research Topic Description

  • System-Aware Cyber Security Architecture
    – Addresses supply chain and insider threats
    – Embedded into the system to be protected
    – Includes physical systems as well as information systems
  • Requires system engineering support tools for evaluating architecture factors
  • To facilitate reusability, requires establishment of candidate Design Pattern Templates and initiation of a design library
    – Security Design
    – System Impact Analyses

2 ASRR 10/11 October 2011

SLIDE 3

Incorporating Recognized Security Functions into an Integrated System-Aware Security Solution

  • Fault-Tolerance
    – Diverse Implementations of Common Functions
    – Data Continuity Checking via Voting
  • Cyber Security
    – Moving Target with Diversity
      • Physical Configuration Hopping
      • Virtual Configuration Hopping
    – Adversary-Sensitive System Reconstruction
  • Automatic Control Systems
    – Data Continuity Checking via State Estimation
    – System Identification
  • Tactical Forensics


SLIDE 4

System-Aware Security Architecture


[Block diagram: the System to be Protected, with its Inputs and Outputs, is coupled to the System-Aware Security Sub-System through Internal Measurements taken from the system and Internal Controls applied to it.]

SLIDE 5

System-Aware Cyber Security Subsystem


[Block diagram: the System to be Protected exchanges System Control Signaling and Measurements with the System-Aware Security Sub-System, whose internal chain is Measurement Analysis, then Security Control Decisions, then Hopping & Restoral Control.]

SLIDE 6

System-Aware Security Analysis


[Diagram: system functions ranked by mission risk, (1) (2) (3) (4) … (N), from which a selected set is chosen for hopping. Companion plots relate the number of hopped functions and the rate of hopping to System Latency, Delay in compromise detection, and Mission Risk.]

SLIDE 7

System-Aware Security for Facility Defense


SLIDE 8

Facility Defense System to be Secured

  • We consider a facility defense system consisting of:
    – Streaming sensors continuously monitoring discrete areas
    – Streaming servers distributing sensor data, received over a wired network, to mobile users over a wireless broadcast network
    – Mobile users receiving alerts and streaming data regarding potential problems


SLIDE 9

Illustrative Architectural Diagram for Candidate Facility Defense System for System-Aware Security

SLIDE 10

Potential Cyber Attacks

  • Replay attacks masking malicious activity initiated through
    – Sensor system
    – Streaming servers
    – User devices
  • DoS attacks addressed through redundancy
    – Sensor system
    – Streaming servers
    – Operational procedures and redundancy regarding user devices


SLIDE 11

System-Aware Solution for Securing the Facility Defense System

  • Replay attack defense
    – Diversely Redundant Streaming Sensors, with Voting (Data Continuity Checking)
    – Diversely Redundant, Virtually Hopped Streaming Servers
    – Diverse User Devices, with Rotating User Surveillance Assignments and Device Use
    – Mobile User based Data Continuity Checking
  • DoS defense
    – Redundancy at the Sensor and Streaming server levels
    – Streaming servers / User feedback loops to enable redistribution of data and job responsibilities

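The mobile-user data continuity check that slides 11 and 16 describe, as an added example that is not part of the deck: a user receives the same region's frames from three diversely redundant servers, majority-votes each slot, and flags a server whose frames disagree, which is how a replayed stream from one compromised server is exposed. Frame representation, sample data and the two-strike threshold are assumptions.

```python
from collections import Counter

# Constructed sample input (not from the slides): frames for one surveillance
# region as (sequence number, content digest), received concurrently by a
# mobile user from three diversely redundant streaming servers. Server "B"
# starts replaying earlier frames from slot 2 onward.
STREAMS = {
    "A": [(101, "d101"), (102, "d102"), (103, "d103"), (104, "d104"), (105, "d105")],
    "B": [(101, "d101"), (102, "d102"), (100, "d100"), (101, "d101"), (102, "d102")],
    "C": [(101, "d101"), (102, "d102"), (103, "d103"), (104, "d104"), (105, "d105")],
}


def vote_streams(streams):
    """Slot-by-slot majority vote over concurrently received frames.

    Returns (accepted, findings): accepted holds the frames the user may
    present; findings lists (slot, server, reason) for every discontinuity.
    """
    names = sorted(streams)
    slots = min(len(streams[n]) for n in names)
    quorum = len(names) // 2 + 1
    accepted, findings, last_seq = [], [], None
    for t in range(slots):
        votes = Counter(streams[n][t] for n in names)
        frame, count = votes.most_common(1)[0]
        if count < quorum:
            # No majority: nothing received in this slot can be trusted.
            findings.append((t, "*", "no quorum"))
            continue
        for n in names:
            if streams[n][t] != frame:
                findings.append((t, n, "disagrees with majority"))
        if last_seq is not None and frame[0] <= last_seq:
            # Even a majority must advance in time; a rewound sequence
            # number means the agreeing servers are replaying.
            findings.append((t, "*", "majority sequence not advancing"))
            continue
        accepted.append(frame)
        last_seq = frame[0]
    return accepted, findings


def suspect_servers(findings, threshold=2):
    """Servers flagged at least `threshold` times: candidates for hopping
    away from and restoring (slide 5), rather than one-off packet loss."""
    counts = Counter(server for _, server, _ in findings if server != "*")
    return sorted(server for server, n in counts.items() if n >= threshold)
```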

SLIDE 12

Illustrative System-Aware Solution Architecture

SLIDE 13

Observable Regions / User Fidelity Impacts of 3 Stream Continuous Voting

[Chart: Max Possible # of Observable Regions (y axis, 10 to 100) against Stream Fidelity in Kbps (x axis, 100 to 500), with two curves: No Voting/Single Stream and Continuous 3 Stream Voting.]

SLIDE 14

Observable Regions / User Fidelity Impacts of 3 Stream Continuous Voting

[Chart: Max Possible # of Observable Regions (y axis, 10 to 100) against Stream Fidelity in Kbps (x axis, 100 to 500), curves No Voting/Single Stream and Continuous 3 Stream Voting; annotated to show the Loss in User Presentation Fidelity.]

SLIDE 15

Observable Regions / User Fidelity Impacts of 3 Stream Continuous Voting

[Chart: Max Possible # of Observable Regions (y axis, 10 to 100) against Stream Fidelity in Kbps (x axis, 100 to 500), curves No Voting/Single Stream and Continuous 3 Stream Voting; annotated to show the Reduction in Maximum Observable Regions.]

SLIDE 16

Duty Cycle Voting for Increasing the Possible Number of Observable Regions

  • Concept – Use of time division for voting permits an increase in the number of possible surveillance points
    – User compares streams concurrently received from multiple diversely redundant servers to discover discontinuities
    – 3 parameters can be utilized to govern voting
      • Number of Observed Regions
      • Deemed acceptable Voting Interval for data continuity checking across all regions
      • Streaming period time allotted for continuity checking (Voting Time), which can be less than the Voting Interval
    – Given the Voting Time can be a subset of the Voting Interval, the use of time division can be utilized to manage information distribution over the broadcast network, interleaving multiple streams for voting users with single streams for other users who are not voting

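An added example, not from the deck, of how the three parameters above (number of regions, Voting Interval, Voting Time) set the broadcast load: regions' voting windows are staggered across one interval, the peak number of concurrently voting regions fixes the worst-case bandwidth, and the largest region count that fits the network is the y value of the slides' chart for one fidelity. The bandwidth model, network capacity and integer time units are assumptions.

```python
# Assumed bandwidth model (not from the slides): a broadcast network of
# capacity C kbps carries one stream at fidelity f for every observed
# region, plus (VOTERS - 1) extra diverse streams for a region while a
# user is voting on it. Voting Interval and Voting Time are integer time
# units (e.g. seconds). The capacity is a constructed value.
NETWORK_CAPACITY_KBPS = 10_000
VOTERS = 3   # streams compared per region, as in "3 Stream Voting"


def concurrency_profile(n_regions, voting_interval, voting_time):
    """Stagger each region's Voting Time round-robin inside one Voting
    Interval and return, per time unit, how many regions vote at once.
    voting_time == 0 is no voting; voting_time == voting_interval is
    continuous voting."""
    if voting_interval <= 0 or not 0 <= voting_time <= voting_interval:
        raise ValueError("need interval > 0 and 0 <= voting_time <= interval")
    profile = [0] * voting_interval
    for region in range(n_regions):
        start = (region * voting_time) % voting_interval
        for t in range(voting_time):
            profile[(start + t) % voting_interval] += 1
    return profile


def peak_bandwidth_kbps(n_regions, fidelity, voting_interval, voting_time):
    """Worst-case load: one stream per region plus extra streams for the
    largest number of regions that are ever voting simultaneously."""
    peak_voting = max(concurrency_profile(n_regions, voting_interval, voting_time))
    return fidelity * (n_regions + (VOTERS - 1) * peak_voting)


def max_observable_regions(fidelity, voting_interval, voting_time,
                           capacity=NETWORK_CAPACITY_KBPS):
    """Largest region count whose peak load fits the network."""
    if fidelity <= 0:
        raise ValueError("fidelity must be positive")
    n = 0
    while peak_bandwidth_kbps(n + 1, fidelity, voting_interval, voting_time) <= capacity:
        n += 1
    return n
```

With fidelity 250 kbps and a 10-unit interval the three chart curves come out as 40 regions (no voting), 13 (continuous 3-stream voting) and 28 (duty cycle voting with Voting Time 2), which is the recovery of observable regions the slides attribute to duty cycle voting.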

SLIDE 17

Illustrative System-Aware Solution Architecture with Duty Cycle Voting

SLIDE 18

Illustrative System-Aware Solution Architecture with Duty Cycle Voting

SLIDE 19

Illustrative System-Aware Solution Architecture with Duty Cycle Voting

SLIDE 20

Duty Cycle Voting for Increasing the Possible Number of Observable Regions

[Timing diagram: a Time axis each for User 1, User 2, User 3 and the Wireless Network, showing the users' voting periods interleaved on the shared network; Column Heights = Data / Time Interval.]

SLIDE 21

Observable Regions / User Fidelity Impacts of 3 Stream Continuous Voting

[Chart: Max Possible # of Observable Regions (y axis, 10 to 100) against Stream Fidelity in Kbps (x axis, 100 to 500), now with three curves: No Voting/Single Stream, Continuous 3 Stream Voting, and Duty Cycle Voting.]

SLIDE 22

Additional Collateral System Impacts

  • Common Cause Failures are reduced
  • MTBF increases in relationship to the individual diverse component reliabilities
  • Development cost increases based on the cost to develop voting and duty cycle management components, as well as to resolve lower level technical issues that may arise
    – Synchronization needs
    – Software integration
    – Performance impact measurements and enhancement needs (e.g. CPU utilization, memory, and energy usage)
  • One time and life cycle cost increase in relationship to the increased complexity

SLIDE 23

Scoring Framework

SLIDE 24

Need: Methodology for Evaluating Alternative Security Solutions for a Particular System

  • A methodology is required in order to clarify reasoning and prioritizations regarding unavoidable cyber security vagaries:
    – Relationships between solutions and adversarial responses
    – Multidimensional contributions of individual security services to complex attributes, such as deterrence
  • Scores can be derived in many different forms
    – Single scalar value where bigger is better
    – 2 scalar values: (1) security value added, (2) system-level disvalues
    – Multi-objective component scores providing more transparency


SLIDE 25

Metrics

  • Attack phase-based security value factors:
    – Pre-Attack (Deterrence)
    – Trans-Attack (Defense)
    – Post-Attack (Restoration)
  • Would include collateral system impact metrics for the security architecture:
    • Performance
    • Reliability, Safety
    • Complexity, Costs


SLIDE 26


System-Aware Security System Scoring Matrix

Rows are Security Services, columns are Value Factors:

Security Services             | Deterrence | Real Time Defense | Restoration | Collateral System Impacts | Implementation Cost | Life Cycle Cost | Other
------------------------------+------------+-------------------+-------------+---------------------------+---------------------+-----------------+------
Diversity (s1)                | s11        | s12               | …           | …                         | …                   | …               | s1j
Hopping (s2)                  | s21        | s22               | …           | …                         | …                   | …               | s2j
Data Continuity Checking (s3) | s31        | s32               | …           | …                         | …                   | …               | s3j
Tactical Forensics (s4)       | s41        | s42               | …           | …                         | …                   | …               | s4j
Other (si)                    | si1        | si2               | …           | …                         | …                   | …               | sij
Relative Value Weights        | k1         | k2                | k3          | k4                        | k5                  | k6              | kj

SLIDE 27


System-Aware Security System Scoring Matrix

Scoring matrix as on slide 26, where:

sij = Assurance Level of the ith service as related to the jth value factor

sij = Quantized Assurance Level = 0…M

Security Score $= \sum_{j=1}^{p} k_j \sum_{i=1}^{n} s_{ij}$, with $\sum_{j=1}^{p} k_j = 1$

Max Possible Score = n x M

SLIDE 28

Example Facility Defense Scoring Matrix

Security Services             | Deterrence | Real Time Defense | Restoration | Collateral System Impacts | Implementation Cost | Life Cycle Cost
------------------------------+------------+-------------------+-------------+---------------------------+---------------------+----------------
Diversity (s1)                | 4          | 3                 | 4           | 4                         | 2                   | 2
Hopping (s2)                  | 3          | 4                 | 3           | 1                         | 2                   | 3
Data Continuity Checking (s3) | 2          | 4                 | 3           | 1                         | 4                   | 3
Tactical Forensics (s4)       | 3, 4, 5, 4, 2 (one of the six cells is not legible in the source)
Relative Value Weights        | K1 = 0.30  | K2 = 0.20         | k3 = 0.10   | K4 = 0.20                 | K5 = 0.05           | K6 = 0.15

Max Possible Score = 20
Facility Defense Score = 11.5
Strongest Area is Restoration
Weakest Area is Life Cycle Cost
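The slide 27 formula worked through on the slide 28 matrix, as an added example that is not part of the deck. The Tactical Forensics / Real Time Defense cell is not legible on the slide, so it is an assumed parameter here (default 0, the one placement of the gap that reproduces the stated 11.5 score and the strongest and weakest areas); reading "strongest/weakest area" as the highest and lowest column total of assurance levels is also an assumption.

```python
# Value factors, weights k1..k6 and assurance levels from slide 28.
VALUE_FACTORS = ["Deterrence", "Real Time Defense", "Restoration",
                 "Collateral System Impacts", "Implementation Cost", "Life Cycle Cost"]
WEIGHTS = [0.30, 0.20, 0.10, 0.20, 0.05, 0.15]
M = 5   # quantized assurance levels run 0..M, so n x M = 4 x 5 = 20


def facility_matrix(assumed_s4_real_time_defense=0):
    """Slide 28's matrix. The Tactical Forensics / Real Time Defense cell is
    not legible on the slide and is ASSUMED here (default 0)."""
    return {
        "Diversity (s1)":                [4, 3, 4, 4, 2, 2],
        "Hopping (s2)":                  [3, 4, 3, 1, 2, 3],
        "Data Continuity Checking (s3)": [2, 4, 3, 1, 4, 3],
        "Tactical Forensics (s4)":       [3, assumed_s4_real_time_defense, 4, 5, 4, 2],
    }


def column_totals(matrix):
    """Sum of assurance levels s_ij over the n services, per value factor j."""
    return [sum(col) for col in zip(*matrix.values())]


def security_score(matrix, weights=WEIGHTS, m=M):
    """Security Score = sum_j k_j * sum_i s_ij (slide 27), after checking
    that the weights sum to 1 and every level lies in 0..M."""
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("relative value weights must sum to 1")
    for service, row in matrix.items():
        if len(row) != len(weights):
            raise ValueError(f"{service}: expected {len(weights)} value factors")
        if any(not 0 <= s <= m for s in row):
            raise ValueError(f"{service}: assurance level outside 0..{m}")
    return round(sum(k * t for k, t in zip(weights, column_totals(matrix))), 2)


def max_possible_score(matrix, m=M):
    """n x M: every service at the top assurance level in every factor."""
    return len(matrix) * m


def strongest_and_weakest(matrix, factors=VALUE_FACTORS):
    """Value factors with the highest and lowest column totals (assumed
    reading of the slide's 'strongest' and 'weakest' areas)."""
    totals = dict(zip(factors, column_totals(matrix)))
    return max(totals, key=totals.get), min(totals, key=totals.get)
```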

SLIDE 29

Ongoing Exploration

  • A practical methodology for determining Assurance Level Values
  • Methodology for addressing uncertainty in assigning Assurance Level Values
  • Methodology for utilizing Relative Value Weights
  • Tradeoffs between scoring simplicity and transparency of results


SLIDE 30

Structured Arguments for System Scoring

  • Builds upon the legacy of work developed for safety and information assurance case evaluations
  • Utilizes Goal Structuring Notation (GSN) for communicating arguments to support assigned scores in a repeatable and clear manner
  • System-Aware security scoring arguments for a particular system architecture include:
    – Context supplied by the system owner, which includes an available risk analysis for the system being protected and scoring guidelines
    – System supplier provides the list of security services to be applied and characterizes the purposes expected of security services that are deemed as most pertinent to reducing risk
    • Specific claims about value factors and the anticipated effects of security services on these factors
    • Explanations of how each security service is anticipated to impact specific value factor claims, including explicitly dividing each service into policy, process, and technology components with corresponding explanations of value

SLIDE 31

Simplified Diagrammatic Representation of a Structured Argument for Deterrence Scoring (1)

[GSN diagram. Context: risk analysis and scoring guidelines. Architectural Deterrence Claim: assigned suitable scores for deterrence. Service Selection Strategy: decompose the architecture to isolate, for the purposes of scoring, security services that address deterrence. Resulting service claims: Data Continuity Service Claim ("Improves deterrence", expanded on a later slide), Diversity Service Claim, Forensics Service Claim, Hopping Service Claim. Scoring Assignment Strategy: utilize experts to score service claims with accompanying rationale.]

SLIDE 32

Simplified Diagrammatic Representation of a Structured Argument for Deterrence Scoring (2)

[GSN diagram, continued. The Data Continuity Service Claim "Improves deterrence" is decomposed into sub-claims: Data Continuity Service Claim (1), exploitation design requires distributed exploit designers; Data Continuity Service Claim (2), exploitation design requires designers with deep systems knowledge; … ; Data Continuity Service Claim (n).]

SLIDE 33

Simplified Diagrammatic Representation of a Structured Argument for Deterrence Scoring (3)

[GSN diagram, continued. Data Continuity Service Claim (1), exploitation design requires distributed exploit designers, is supported by three evidence documents: a Red Team Evidence Document, a System Design Team Evidence Document, and an Intelligence Analysis Evidence Document.]

SLIDE 34

Simplified Diagrammatic Representation of a Structured Argument for Deterrence Scoring (4)

[GSN diagram, continued. Data Continuity Service Claim (2), exploitation design requires designers with deep systems knowledge, is supported by a System Design Team Evidence Document.]