System Aware Cyber Security Barry Horowitz University of Virginia March 2014
Our Team SIE Faculty: Horowitz, Beling Research Scientists: Jones, Suhler, Lau CS Faculty: Skadron, Humphrey Post Doc: Li ECE Faculty: Williams Research Scientist: Elks Students 1 PhD, 5 MS, 4 Undergraduate External Partners University: GTRI (UAV integration lead) Industry: Mitre(Distributed Sim for Ops Concept Development) Leidos(Army/AF Exploitation System Support) SiCore(Secure Electronics at the Board Level)
System Aware Cyber Security Operates at the system application-layer, For security insideof the network and perimeter protection provided for the whole system Directly protects the most critical system functions Solutions are embedded within the protected functions Addresses supply chain and insider threats Includes physical systems as well as information systems Solution-space consists of reusable design patterns,reducing unnecessary duplications of design and evaluation efforts Design Patterns can be implemented in a super secure programmable Sentinel Specific implementation, being addressed through prototyping, involves development of a secure Sentinel for monitoring a system and taking restoration actions when appropriate. Research includes addressing critical issue of the humans in the loop and concept of operations Working with Mitre team at Creech AFB Research includes decision support tools for selection of solutions Planning for Work Shop with Naval Cyber Command in October time frame
Broad Objective Reversing cyber security asymmetry from favoring our adversaries (small investment in straight forward cyber exploits upsetting major system capabilities), to favoring the US (small investments for protecting the most critical system functions using System Aware cyber security solutions that require very complex and high cost exploits to defeat)
Broad Objective Reversing cyber security asymmetry from favoring our adversaries (small investment in straight forward cyber exploits upsetting major system capabilities), to favoring the US (small investments for protecting the most critical system functions using System Aware cyber security solutions that require very complex and high cost exploits to defeat) Focus on Defense Against Exploits that Impact System Performance (e.g., Data Corruption, Functional Degradation, System Latencies)
Solution Selection Blue Team Identifies and prioritizes critical system functions and risks Red Team Identifies most desirable/lowest cost attacks (cost measured in complexity, risk of discovery, dollars required, etc.) Blue Team Identifies the set of security design patterns that address results of Blue/Red team prioritization analyses Green Team Conducts cost/asymmetry analyses and selects desired solution that fits budget constraints
Solution Selection Blue Team Identifies and prioritizes critical system functions and risks Red Team Identifies most desirable/lowest cost attacks (cost measured in complexity, risk of discovery, dollars required, etc.) Blue Team Identifies the set of security design patterns that address results of Blue/Red team prioritization analyses Green Team Conducts cost/asymmetry analyses and selects desired solution that fits budget constraints Exploring integrated use of SysML tools and Attack Tree tools to support solution selection
SENTINEL ARCHITECTURE FOR MONITORING FOR CYBER ATTACKS
High Level Architectural Overview Internal Controls Outputs System to be Protected Internal Measurements Sentinel Providing System-Aware Security
High Level Architectural Overview Internal Controls Reconfiguration Controls Outputs System to be Protected + Diverse Redundancy Internal Measurements Sentinel Providing System-Aware Security Super Secure
High Level Architectural Overview Internal Controls Reconfiguration Controls Outputs System to be Protected + Diverse Redundancy Internal Measurements Sentinel Providing System-Aware Security Super Secure
System Aware Cyber Security Design Patterns Design Patterns combine design techniques from 3 communities Cyber Security Fault-Tolerant Systems Automatic Control Systems (for physical systems) The System Aware solution designers need to come from the communities related to system design and system engineering, providing a new orientation to complement the established approaches of the information assurance community
A Set of Techniques Utilized in System Aware Cyber Security Cyber Security * Data Provenance * Moving Target (Virtual Control for Hopping) * Forensics Fault-Tolerance * Diverse Redundancy (DoS, Automated Restoral) * Redundant Component Voting (Data Integrity, Restoral) Automatic Control * PhysicalControl for Configuration Hopping (Moving Target, Restoral) * State Estimation Techniques (Data Integrity) * System Identification (Data Integrity, Restoral)
Cyber Security * Data Provenance * Moving Target (Virtual Control for Hopping) * Forensics A Set of Techniques Utilized in System-Aware Security Fault-Tolerance * Diverse Redundancy (DoS, Automated Restoral) * Redundant Component Voting (Data Integrity, Restoral) Automatic Control * PhysicalControl for Configuration Hopping (Moving Target, Restoral) * State Estimation Techniques (Data Integrity) * System Identification (Data Integrity, Restoral) This combination of solutions requires adversaries to: Understand the details of how the targeted systems actually work
Cyber Security * Data Provenance * Moving Target (Virtual Control for Hopping) * Forensics A Set of Techniques Utilized in System-Aware Security Fault-Tolerance * Diverse Redundancy (DoS, Automated Restoral) * Redundant Component Voting (Data Integrity, Restoral) Automatic Control * PhysicalControl for Configuration Hopping (Moving Target, Restoral) * State Estimation Techniques (Data Integrity) * System Identification (Data Integrity, Restoral) This combination of solutions requires adversaries to: Understand the details of how the targeted systems actually work Develop synchronized, distributed exploits consistent with how the attacked system actually works
Cyber Security * Data Provenance * Moving Target (Virtual Control for Hopping) * Forensics A Set of Techniques Utilized in System-Aware Security Fault-Tolerance * Diverse Redundancy (DoS, Automated Restoral) * Redundant Component Voting (Data Integrity, Restoral) Automatic Control * PhysicalControl for Configuration Hopping (Moving Target, Restoral) * State Estimation Techniques (Data Integrity) * System Identification (Data Integrity, Restoral) This combination of solutions requires adversaries to: Understand the details of how the targeted systems actually work Develop synchronized, distributed exploits consistent with how the attacked system actually works Corrupt multiple supply chains
Design Patterns Being Prototyped Diverse Redundancy for post-attack restoration Diverse Redundancy + Verifiable Votingfor trans-attack attack deflection Physical Configuration Hopping for moving target defense Virtual Configuration Hopping for moving target defense Data Consistency Checkingfor data integrity and operator display protection Parameter Assurancefor parameter controlled SW functions System Restoration using diverse redundancy
Parameters in Systems Parameters control how systems function for instance: Detection Thresholds For example, target detection for active sensors (Radar), Passive sensors (SIGINT), impacting missed detection/false alarm performance Modes of operation for Smart Systems that modify performance on a situational basis CFAR (Constant False Alarm Rate) in sensor systems Flight control boundary values For example, bounds on accelerations, velocity, altitude Navigation Waypoints Tracking algorithm parameters determine sensitivity and latencies for position/velocity estimates relative to timing of accelerations Communication system mode parameters, impacting QOS
Parameters in Systems Parameters control how systems function for instance: Detection Thresholds For example, target detection for active sensors (Radar), Passive sensors (SIGINT), impacting missed detection/false alarm performance Modes of operation for Smart Systems that modify performance on a situational basis CFAR (Constant False Alarm Rate) in sensor systems Flight control boundary values For example, bounds on accelerations, velocity, altitude Navigation Waypoints Tracking algorithm parameters determine sensitivity and latencies for position/velocity estimates relative to timing of accelerations Communication system mode parameters, impacting QOS Parameter tables provide an organized means for changing operating modes in smart, situational aware system designs and a high leverage opportunity for exploits
Data Consistency Checking DYNAMIC SYSTEM MODELS AND STATE ESTIMATION TECHNOLOGY FOR DATA INTEGRITY AND OPERATOR DISPLAY ATTACKS Barry M. Horowitz, Katherine Pierce, Application of Diversely Redundant Designs, Dynamic Systems Models and State Estimation Technology to the Cyber Security of Physical Systems, Systems Engineering, Volume 16, No. 3, 2013 20
Simplified Block Diagram for Inference-Based Data Integrity Detection System System Operator ˆx 1lt Applicable Subsystems and Users Cyber Attack Alerts and Responses Protected Physical System y 1 y 2 State Estimator 1 Diversely Redundant State Estimator 2 ˆx 1lt ˆx 1mt Information Consistency Checking 21
Simulated System Output Based Upon a Physical Cyber Attack 22
23 Simulated Regulator Attack
To Achieve a Selected Acceptable False Alarm Rate, Estimation Difference for Alarming As a function of: # of Indirect Measurement Sensors and Sensor Accuracy 54 Tau is the minimum distance between direct and indirect estimates used to trigger an alarm with acceptable False Alarm Rate 49 44 39 34 29 States comprising x 2 0 x b x c x d 0 x b x c 0 T T 24 19 0 x b 0 0 T 14 9 4 0 0.2 0.4 0.6 0.8 1 1.2 L=20 Point Detection Window 24
54 49 44 39 34 29 Tau is the distance between direct and indirect estimates used to trigger an alarm with acceptable False Alarm Rate States comprising x 2 0 x b x c x d 0 x b x c 0 T T 24 19 0 x b 0 0 T 14 9 4 0 0.2 0.4 0.6 0.8 1 1.2 L=20 Point Detection Window Using three Sensors for indirect estimation is far better than 2, but using 2 sensors is not much better than 1 Accuracy of sensors matters 25
CASE 2 SHIP CONTROL SYSTEM FOR PHYSICAL PLANT A System-Aware Cyber Security Method for Shipboard Control Systems Accepted for 2012 IEEE Homeland Security Conference Guy L. Babineau Northrop Grumman Naval & Marine Systems Division Rick A. Jones and Barry Horowitz University of Virginia Department of Systems and Information Engineering 26
27 Block Diagram Illustrating the Current System Architecture
Possible Cyber Threats Embedded in Redundant Ship Communications Switches Denial of Service Data Modification Show good data for what is actually out-of-spec information Show bad data for what is actually in-spec information Change operator inputs
29 System-Aware Security Solution
Experimental Configuration: Impact on Packet Losses Turbine Control: Sender Establish 16 TCP connections and 34 UDP connections with Control Station over Cisco Switch Establish 16 TCP connections and 34 UDP connections with Control Station over Dell Switch Rudder Control: Sender Establish 16 TCP connections and 34 UDP connections with Control Station over Cisco Switch Establish 16 TCP connections and 34 UDP connections with Control Station over Dell Switch Control Station Receiver In each connection, sender continuously sends packets (packet size: 1KB, speed 250Kbps) for 1 hour. 30
UDP and TCP Packet Losses Due to Hopping Number of Packets Lost per 10,000 Sent Number of Packets Resent per 10,000 Sent 8 7 6 5 4 3 2 1 0 16 14 12 10 8 6 4 2 0 UDP Packets Lost per 10,000 Sent 5 10 20 Hopping Rate in Seconds TCP Packet Resent per 10,000 Sent 5 10 20 Hopping Rate in Seconds Experiment 1 Experiment 2 Experiment 3 Experiment 4 Experiment 5 Experiment 6 Experiment 7 Experiment 8 Experiment 9 Experiment 1 Experiment 2 Experiment 3 Experiment 4 Experiment 5 Experiment 6 Experiment 7 Experiment 8 Experiment 9 Experiment 10 31
AUTONOMOUS SURVEILLANCE SYSTEM ON BOARD A UAV
GAUSS GTRI AIRBORNE UNMANNED SENSOR SYSTEM FOUR SENSOR OBJECTIVE BASELINE Multi-Channel Radar (8 channels) ESA Antenna: 8 phase centers, each 4 x 4 elements X-band, 600 MHz BW (design; 1 GHz max) Arbitrary Waveform Capable (1 st design LFM) Acquisition Modes: DMTI, SAR, HRR, HRRD, CCD Multi-Channel SIGINT Near 1 and 2 GHz Bands Two orthogonal dipole pairs: TDOA geo-location Ambient Complex-Baseband Spectrum Analysis Signal Copy Selected Sub-Bands Gimbaled, Stabilized EO/IR Camera Ball High Precision GPS & INS (eventual swarm capable inter-uav coherent RF sensors) Modified Griffon Aerospace Outlaw (MQ-170) Extended Range (ER) Unmanned Aircraft System (UAS) CAPABILITIES Electronic Scanning; No Antenna Mechanical Gimbal Multi-TB On-Board Data Recording Reconfigurable for Other Sensors: LIDAR, HSI, Chem-Bio Multi-Platform Distributed Sensor Experiments (eg, MIMO) Autonomous & Collaborative Multi-Platform Control Space for Future GPU/FPGA On-Board Processing Length 9.2 ft Wingspan 16 ft GTOW ~180 lbs Payload ~35-40 lbs Ceiling 14 kft Cruise speed 70 knts Endurance 9 hrs
Current Project Exploits and Solutions Exploits Waypoint Manipulation from ground or onboard the aircraft Meta Data manipulation on imagery GPS embedded data manipulation Pointing control of surveillance camera Solutions Airborne and ground-based detection of attacker waypoint changes, classifying the nature of the attack, and restoration Airborne detection of meta data manipulation Airborne detection of embedded GPS attack Airborne detection of attacker control of camera pointing and correction
Example: Autonomous Surveillance Platform Protection
Characteristics of Monitoring Applications Support Highly Secure Sentinel Implementations Experience To-Date Shows: Very small monitoring apps (< 500 SLOC) No requirement for high performance or tight synchronization No complex intertwining of applications Manageable number of hardware components Diverse low cost hardware is available, supporting diverse OS s, diverse programming languages, diverse communications protocols, etc.
Example: Autonomous Surveillance Platform Protection Config. hopping Diverse redundancy Port Hopping Dedicated voting processing SW power utilization fingerprint SW CPU and memory usage fingerprint For Security Control Only Spread Spectrum Waveform Low Data Rate
Ethernet Switch Autopilot 900 MHz Com Port 1 Com Port 2 Com Port 3 Com Port 4 Com Port 5 radio TPU signal Trigger ground attack Comm no flow control Payload Stream 1 Payload Stream 2 Payload Passthrough 450 MHz Link All RS-232 Sentinel messages RS-232 RPi1 (autopilot attack) Com Port 1 Com Port 2 Snooper 1 RS-232 2.4 GHz radio Ethernet Gimbal Communications Ethernet RS-232 Gimbal Com Port 1 Com Port 2 RPi2 (gimbal attack) From Sentinel Analog video (NTSC) RS-232 Snooper 2 VPS radio 4.4 GHz Ground Station Aircraft Operator Interface Payload Operator Interface Cyber Officer Interface Piccolo Command Center Viewpoint Cyber Station 2.4 GHz radio Sentinel RS-232 Output Two Snooper RS-232 Input 3 Rpiwith 2 Com Port / 1 Ethernet each RS-232 External GPS Com Port 1: Autopilot Communications TPU signal: Coordinate with Display Masking Attack Payload Stream 2: Sentinel Warning Messages Payload Pass-through: Gimbal data flow Com Port 2: Dedicated 450 MHz link for secondary ground station Rpi 1: Hosts waypoint attacks Rpi 2: Changes GPS information on gimbal Rpi 3,4,5: Hosts voting algorithms for Sentinel Passive Snooper To Switch 4.4 GHz radio Digital encoder
HUMANS
Roles for Humans Pre-mission configuration of the Sentinel Selection of design patterns Entry of mission data Entry of Sentinel reporting requirements Adjusting attack detection criteria based upon Pre- Mission Intel Deciding on responses to detected attacks Fast post-attack forensic analysis
Exploring New Operational Concepts Cyber Officer Led Cyber Attack Response Team (Intel Officer, SurvOfficer, Pilot, Exploitation Officer, Commander) Varying Context surrounding Detections False Alarms Developing a Distributed Simulation/Personin-the-Loop capability to explore human factors including a Creech AF Base Mitre research team
Follow-on Prototype Application of System Aware Cyber Security Concept CLOUD COMPUTING
Cloud Computing Exploiting Cloud Agility for Securely Monitoring Systems Assuring integrity of an operational Cloud platform
Implementation of a Sentinel Utilizing Cloud Services Goal for project task: Investigate the use of private cloud platforms for hosting Sentinel application components and design patterns. Enable Diverse Redundancy and Configuration Hopping security design patterns by delivering Sentinel application services across a private cloud architecture utilizing: Multiple hypervisors working on different operating systems within a single private cloud infrastructure (OpenStack). Multiple cloud infrastructures (add Microsoft Hyper-V Cloud Services).
Cyber Security Openstack (Folsom) Private Cloud Prototyping Platform Overview OpenStack Cloud Services Sentinel Cloud Compute Node 1 Cloud Controller OpenStack Controller Provisions and manages Compute, network and storage services to private cloud environment Manages delivery of virtual environments to user community Cloud Compute Node 2 Cloud Compute Node 3... Cloud Compute Node n Compute Nodes Answers requests and allocates resources (RAM, CPUs, Storage) to establish instances of Virtual machines Supports use of multiple Hypervisors KVM, QEMU, XEN, Hyper-V Serves apps that run across multiple operating systems Sentinel Sentinel Create Cyber-Diversity through monitors running on multiple OS s (e.g. Fedora, Windows, UNIX and Ubuntu) Different Hypervisors (KVM, QEMU, XEN and Hyper-V) Cyber Hopping capabilities between virtual instances of the monitoring software/ Video Pilot hop rate ~ 10 sec
Security Design Patterns Across Multiple Clouds Sentinel Sentinel Sentinel Openstack Private Cloud Monitored Applications Microsoft Private Cloud Create Diversity through the monitors running on multiple OS s and multiple Hypervisors on different cloud platforms Hopping capabilities between virtual instances of the monitors on different cloud platforms
AIMES Application AIMES Advanced Intelligence Multimedia Exploitation Suite, a LeidosSW product (formerly SAIC) used by AF and Army Monitor with a Cloud-based Sentinel Select system functions to protect using our decision support work bench and team decision making process Provide first iteration prototype solution set this coming Fall as a companion to the UAV-based Sentinel to secure the autonomous surveillance system
Cloud Computing Exploiting Cloud Agility for Securely Monitoring Systems Assuring integrity of an operational Cloud platform
Summary We have a 4 element concept with associated research activities focused on application layer security (System Aware) Solution selection methodology and tools Security design patterns Secure Sentinel implementation Operational Procedures We are both expanding design concepts for new applications and working on gaining visibility through current prototype applications By end of Summer/early Fall we will be starting in-flight evaluations of a UAV-based autonomous surveillance system application In March we will start research on applying Cloud computing based monitoring for securing AIMES system
System Aware Cyber Security Publications JOURNAL ARTICLES: B.M. Horowitz and R.A. Jones, Smart security sentinels for providing point defense cyber security of critical system functions, Submitted for journal peer review R. A. Jones, B. Luckett, P. Beling, B. M. Horowitz, Architectural Scoring Framework for the Creation and Evaluation of System-Aware Cyber Security Solutions, Journal of Environmental Systems and Decisions 33, no. 3 (2013): 341-361. B. M. Horowtizand K. M. Pierce, The integration ofdiverselyredundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems, Systems Engineering, Volume 16, No. 4 (2013): 401-412 R. A. Jones and B. M. Horowitz, A system-aware cyber security architecture, Systems Engineering, Volume 15, No. 2 (2012), 224-240. J. L. Bayukand B. M. Horowitz, An architectural systems engineering methodology for addressing cyber security, Systems Engineering Volume 14, No. 3, (2011), 294-304. REFEREED CONFERENCE ARTICLES G. L. Babineau, R. A. Jones, and B. M. Horowitz, A system-aware cyber security method for shipboard control systems with a method described to evaluate cyber security solutions, 2012 IEEE International Conference on Technologies for Homeland Security (HST), 2012. R.A. Jones, T.V. Nguyen, and B.M. Horowitz, System-Aware security for nuclear power systems, 2011 IEEE International Conference on Technologies for Homeland Security (HST), 2011, pp. 224-229.