System Theoretic Approach To Cybersecurity

System Theoretic Approach To Cybersecurity Dr. Qi Van Eikema Hommes Lecturer and Research Affiliate Hamid Salim Stuart Madnick Professor IC3.mit.edu 1

Research Motivations Cyber to Physical Risks with Major Consequences Source: Hitachi

Presentation Outline Research Motivations Approaches System Theoretic Accident Model and Processes (STAMP) Causal Analysis based on STAMP (CAST) System Theoretic Process Analysis (STPA) Case Study CAST Applied to the TJX Case Future Research Directions 3

System Theoretic Accident Process and Modeling (STAMP) Controller Model of controlled Process Control Actions Feedback Controlled Process 4

A Generic Control Structure 5

The Approaches The System Theoretic Model: STAMP Looking forward: System Theoretic Process Analysis (STPA) Looking backwards: Causal Analysis using System Theory (CAST) 6

STPA Process Safety or Security Problem to Prevent Hazard Inadequate Control Actions Causes Design and Management Requirements and Controls 7

CAST Process 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximate events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 8

Presentation Outline Research Motivations Approach System Theoretic Accident Model and Processes (STAMP) Causal Analysis based on STAMP (CAST) Case Study CAST Applied to the TJX Case Future Research Directions 9

TJX (TJ Maxx & Marshalls) Case Study TJX is a US-based major off-price retailer. Revenues > $25 billion (FY2014) Victim of largest (by number of cards) cyber-attack in history, when announced in 2007. Cost to TJX > $170 million, per SEC filings. Cyber-attack launched from a store on Miami, FL in 2005 by exploiting Wi-Fi vulnerability. Hackers ultimately reached corporate payment servers and stole current transaction data. Cyber-attack lasted for over 1.5 years Sources: Federal/State Court records (primary), TJX SEC Filings, Others (NYT, WSJ, Globe, FTC, Academic papers, Journal articles). 10

CAST Step 1: Identify System and Hazards System TJX payment card processing and management system Hazards at system level System allows for unauthorized access to customer information 1 2 System and hazard definition System level safety/security requirements 3 Draw control structure 4 Proximal events 5 6 Analyze the physical system Moving up the levels of the control structure 7 8 9 Coordination and communication Dynamics and change over time Generate recommendations. 11

CAST Step 2: Define System Security Requirements Protect customer information from unauthorized access. Provide adequate training to staff for managing security technology infrastructure. Minimize losses from unauthorized access to payment system. 1 2 System and hazard definition System level safety/security requirements 3 Draw control structure 4 Proximal events 5 6 7 8 9 Analyze the physical system Moving up the levels of the control structure Coordination and communication Dynamics and change over time Generate recommendations. 12

CAST Step 3: Hierarchical Control Structure 13

Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 14

Breaching Marshalls Store 1. AP- Open authentication vs Shared Key authentication. 2. WEP publically known weak algorithm compromised. 3. Sniffers used to monitor data packets. 4. Hackers steal store employee account information and gain access to TJX corporate servers. 15

Hackers Establish VPN Connectivity 1. Hackers use Marshalls AP to install VPN connection. 2. VPN is between TJX corporate server and hacker controlled servers in Latvia. 3. Code installed on TJX corporate payment processing server. 16

Flow for Sales of Stolen Payment Card Information. Via Bank in Latvia 17

Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 18

CAST Step 5: Analyzing the Physical Process (TJX Retail Store) 19

CAST Step 5: Analyzing the Physical Process (TJX Retail Store) Safety Requirements and Constraints Emergency and Safety Equipment Failures and Inadequate of the Above Equipment Physical Contextual Factors 20

CAST Step 5: Analyzing the Physical Process (TJX Retail Store) Safety Requirements and Constraints Prevent unauthorized access to customer information. Emergency and Safety Equipment Wi Fi network Access Point (AP) authentication Wi Fi encryption algorithm 21

CAST Step 5: Analyzing the Physical Process (TJX Retail Store) Failures and Inadequacy Retail store Wi Fi AP misconfigured Inadequate encryption technology WEP decrypting key were freely available on the internet. Inadequate monitoring of data activities on the Wi Fi. Physical Contextual Factors Early adopter of Wi Fi Learning curve and training 22

Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 23

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Safety Requirements and Constraints Emergency and Safety Equipment Failures and Inadequate of the Above Equipment Physical Contextual Factors 24

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Safety Requirements and Constraints Prevent unauthorized access to customer information. Emergency and Safety Equipment Payment card data is encrypted during transmission and storage Conform to Payment Card Industry Data Security Standard (PCI DSS) 25

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Failures and Inadequacy Payment data briefly stored and then transmitted unencrypted to the bank. Not compliant with PCI DSS. Fifth Third Bancorp had limited influence on TJX Physical Contextual Factors PCI DSS is not legally required by States (except for NV) and Federal Government. Fifth Third Bancorp has no regulatory role 26

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure 27

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure State Legislature PCI DSS is a law in the State of Nevada, but not in Massachusetts where TJX is headquartered. TJX creates jobs and generate revenue in Massachusetts. Legislature may be reluctant to impose constraints. 28

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure 29

Step 6: Analysis of Higher Levels of the Hierarchical Safety Control Structure Federal Regulatory agency: Most Cyber Security standards are voluntary and are written broadly. At the time of the attack, no regulation existed for the overall retail industry. 30

Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 31

Step 7: Coordination and Communication Lack of coordination for PCI DSS Compliance 32

Step 7: Coordination and Communication Aware of PCI DSS compliance issue. 33

Step 7: Coordination and Communication Cyber Security spending was not the highest priority. Aware of PCI DSS compliance issue. 34

Step 7: Coordination and Communication Missing support 35

Step 7: Coordination and Communication Missing support Uninformed 36

Step 7: Coordination and Communication No single person responsible for cyber security 37

Proximal Event Chain 1 System and hazard definition 2 System level safety/security requirements 3 Draw control structure 4 Proximal events 5 Analyze the physical system 6 Moving up the levels of the control structure 7 Coordination and communication 8 Dynamics and change over time 9 Generate recommendations. 38

CAST Step 8: Dynamics and Migration to a High Risk State Initially cyber security risk was low because vulnerabilities were unknown to everyone experts, businesses, and hackers. Flaws in managerial decision making process. Information availability: recent experiences strongly influence the decision (i.e., no break ins so far.) 39

CAST Step 8: Dynamics and Migration to a High Risk State (Cont.) My understanding is that we can be PCI compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07 s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible. TJX CIO, Nov. 2005 Above is a message from CIO in November 2005 to his staff, requesting agreement on his belief that cyber security risk is low. There were only two opposing views, a majority of his staff agreed. This confirmation trap led to postponing upgrades. 40

Comparison of Results from FTC and CTC Investigations and STAMP/CAST Analysis No. Recommendation CPC FTC STAMP/CAST 1 Create an executive level role for managing cyber security risks. No * Yes 2 PCI-DSS integration with TJX processes. No No Yes 3 Develop a safety culture. No No Yes 4 Understand limitations of PCI-DSS and standards in general. No No Yes 5 Review system architecture. No No Yes 6 Upgrade encryption technology. Yes No Yes 7 Implement vigorous monitoring of systems. Yes No Yes 8 Implement information security program. No Yes Yes CPC = Canadian Privacy Commission FTC = Federal Trade Commission * = Indicates recommendations that are close to STAMP/CAST based analysis but also has differences. 41

Research Contributions 1. Highlighted need for system thinking and systems engineering approach to cyber security. 2. Tested STAMP/CAST as a new approach for managing cyber security risks. 3. Discovered new insights when applying STAMP/CAST to the TJX case. 4. Recommendations provide a basis for preventing similar events in the future. 42

Application to Cyber Physical System (Stuxnet Example) 43

Application to Cyber Physical System (Stuxnet Example) Unauthenticated command is allowed from any source. 44

Application to Cyber Physical System (Stuxnet Example) Tempered feedback sensor data 45

Application to Cyber Physical System (Stuxnet Example) Tempered Algorithm 46

Future Research Directions Continue applying CAST for Cyber Security attack analysis and generate comprehensive list of recommendations that include: Improvements to mitigate technology vulnerabilities Ways to address systemic issues related to management, decision making, culture, policy and regulation. Apply the System Theoretic Process Analysis (STPA) approach to identify system vulnerability prior to an attack. Identify leading indicators The US Air Force had a successful example and is implementing STPA as a cyber security measure. Compatible with NIST standard on cyber security 47

Next Steps (IC)3 is starting a project to ensure the cyber security of complex power systems. Other project ideas? Http://ic3.mit.edu 48

Questions? Qi Van Eikema Hommes qhommes@mit.edu 49

Backups 50

Research Motivations Increased cyber intrusions and attacks Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace. We rely on this vast array of networks to communicate and travel, power our homes, run our economy, and provide government services. Yet cyber intrusions and attacks have increased dramatically over the last decade, exposing sensitive personal and business information, disrupting critical operations, and imposing high costs on the economy. U.S. Department of Homeland Security Study Cybersecurity as a complex sociotechnical system problem. We want to prevent, not react to cyber attacks. 51

System Theoretic Accident Causality Model STAMP: System Theoretic Accident Modeling Process Professor Nancy Leveson: Engineering a Safer World, MIT Press 2012. System Theory: Hierarchy and emergence Communication and control STAMP models: the effects of complex system interactions The role of human actions and decisions as a part of the whole system 52

CAST Step 4: Proximate Event Chain 1. In 2005 TJX decided not to upgrade to a stronger encryption algorithm and continued using deprecated WEP encryption. 2. In 2005, hackers use war driving method to discover a misconfigured Access Point (AP) at a Marshalls store in Miami, FL. 3. Hackers join the store network and start monitoring data traffic. 4. In 2005, they exploited inherent encryption algorithm weaknesses at the store, and decrypted the key to steal employee account and password. 5. Using stolen account information, hackers accessed corporate payment card processing servers in Framingham, MA. 6. In late 2005 hackers downloaded customer payment card data from TJX corporate transaction processing servers in Framingham, MA using Marshalls store connection in Florida. 7. In 2006 hackers discover vulnerability, that TJX was processing and transmitting payment card transactions without encryption. 53

CAST Step 4: Proximate Event Chain (Cont.) 8. In 2006 hackers installed a script on TJX corporate servers to capture unencrypted payment card data. 9. In 2006 hackers used TJX corporate servers as staging area and create files containing customer payment card data and started downloading files using Marshalls store network. 10. In late 2006 hackers installed a dedicated VPN connection between TJX server in Framingham, MA and a server in Latvia. 11. In 2006 hackers started moving files directly from TJX server to the Latvian server. 12. In December 2006, TJX was alerted by a credit card company of possible data breach of TJX systems, initiating an investigation. 13. In January 2007, TJX announced publically that it was a victim of a cyberattack. 54

CAST Step 5: Analyzing the Physical Process (TJX Retail Store) (Cont.) Safety Requirements and Constraints: Prevent unauthorized access to customer information. Emergency and Safety Equipment (Controls): Wi Fi network Access Point (AP) authentication Wi Fi encryption algorithm Use of account id/password Failures and Inadequate Controls: Retail store Wi Fi AP misconfigured and allowed unauthenticated access. Inadequate monitoring of data activities on the retail store Wi Fi. Inadequate encryption technology WEP decrypting key were freely available on the internet. TJX collecting customer information that was not required Physical Contextual Factors: TJX was an early adopter of first generation Wi Fi technology at its over 1200 retail stores in 2000 Requiring a significant learning curve, training, and a new knowledge base in a short span of time. 55

CAST Step 8: Dynamics and Migration to a High Risk State (Cont.) My understanding is that we can be PCI compliant without the planned FY07 upgrade to WPA technology for encryption because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07 s budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible. TJX CIO, Nov. 2005 Above is a message from CIO in November 2005 to his staff, requesting agreement on his belief that cyber security risk is low. There were only two opposing views, a majority of his staff agreed. This confirmation trap led to postponing upgrades. 56

CAST Step 9: Recommendations 1. According to PCI Security Standards Council, compliance is a business issue requiring management attention and need to integrate PCI-DSS requirements within appropriate components on development and operations parts of the control structure. a. Doing so would not ensure full protection against a cyber-attack, but it will help manage the risk more effectively. b. Ensure that TJX is shielded from liability, because TJX was fined $880,000* by VISA for non-compliance plus another $41 million 2. Understand objectives of standards and align them with cyber security and business needs, but PCI-DSS not fully adequate. a. Data must be encrypted when sent over a public network, but not when transmitted within TJX, over intranet or behind a firewall. b. PCI-DSS did not mandate using stronger encryption WPA until 2006, even though WPA was available in 2003. 57

CAST Step 9: Recommendations (Cont.) 3. Building a safety culture at TJX Specific steps can include: a. Safety critical entities can include encryption technology, hardware components (AP, servers, etc.), data retention/disposal/archival policies, a list of Key Threat Indicators (KTI)* to include in monitoring metric, and prevailing cyber security trends. b. Implement a plan to manage these entities with periodic reviews to update the list of safety critical entities. c. A dedicated executive role with cyber security responsibilities, will allow for a consistent view of TJX security technology across the organization. * KTI can be network traffic beyond an established threshold at TJX stores, number of network connections at odd hours of the day, etc. 58