The Changing Threat Surface in Embedded Computing
Riley Repko, Vice President, Global Cyber Security Strategy

Embedded Computing History
- First embedded system was the Apollo Guidance Computer
  - First integrated circuit-based computers
  - First alphanumeric/keypad user interface
  - Designed by Charles Stark Draper at the MIT Instrumentation Laboratory
- Program was responsible for reducing the price of NAND gate integrated circuits from $1000 each to $3 each
  - Enabled commercialization of embedded computers

Embedded Computing History (2)
- 1970s: First microprocessor (Intel 4004) designed originally for calculators
- 1980s: First microcontroller (Intel 8742) integrated memory into the same chip to simplify application in embedded systems
- It became more cost effective to use digital controls (e.g. buttons) rather than analog controls (e.g. knobs)
- By 1980s embedded computing had become a mainstream component of consumer electronics
[Images: Intel 4004, Intel 8742]

Modern Embedded Systems
[Images: Pacemaker, Thermostat, Cutlery, Toys, Power Grid]

How is the Threat Surface Changing?
- Embedded systems are becoming much more complex
  - Moore's law allows systems to be much more capable
  - Allows developers to leverage third party libraries with less concern over meeting real-time operating system (RTOS) timing constraints
  - Integration of network and graphical user interfaces
  - Opportunities for supply chain attacks and software bugs in more complex systems
- Internet of Things
  - Internet connection for consumer electronics
  - Lack of security on interfaces
  - Rapid innovation without security standards
  - Vulnerable AND connected to the Internet

Threat Model vs. Threat Surface
[Diagram: the Threat Model (Adversary Goals, Adversary Capabilities, Adversary Accesses) set against the Threat Surface (System Policies, System Security Mechanisms, System Security Detection and Remediation). Labels between the two: Policy Gaps, Implementation Flaws, Gaps in Detection and Remediation. Other labels: Exploits, Vulnerabilities, Rate of Change Increasing, Need to Better Manage.]

Security Best Practices
- To date security has focused on achieving security through compliance
  - Most recent/famous example is the SANS Institute top 20 security controls
- Goal: If you comply with the security controls then your threat surface is manageably small
- Problem: does not take into consideration the threat model
  - May be overkill (unnecessarily expensive to implement)
  - May be too little (insufficiently effective against nation-state APTs)

Failure of Security Mechanisms

Changing Landscape
- Executive Order 13636 issued in 2013 seeks to secure US critical infrastructure against increasing threat
- Critical infrastructure relies on a mixture of:
  - Information Technology (IT): standard computers and networks that can be secured using conventional security tools
  - Operational Technology (OT): embedded and proprietary computers and networks that currently lack tools to effectively secure their operations
- The NIST Cybersecurity Framework provides a framework in which to consider cybersecurity
- New emphasis on risk-based approaches to cybersecurity
  - Compliance-based approaches using best practices should provide an 80% solution but need to be customized based on the threat model
  - Measure indicators of cybersecurity risk to assess whether security is getting better or worse

How is the Threat Model Changing?
- Industrial Control Systems (ICS) are increasingly targeted
- Why?
  - New frontier for hackers as modern operating systems make hacking traditional IT targets more difficult and less interesting
  - More devices are connected to the Internet, increasing opportunity
  - Interest from nation-state actors and hacktivists in being able to cause infrastructure outage
  - No expectation of immediate use of vulnerabilities other than to demonstrate capabilities to adversaries
  - Arms race for vulnerability development against ICS
- Combination of increased hacker interest and increased vulnerability leads to significant increase in risk

Embedded System Risk
[Images: Pacemakers, Automotive, UAV Hijacking, Smart Meters, Appliances]

Bad Actors
Source: Ellyne Phneah, "China main source of cyberespionage attacks in 2012," ZDNet, April 2013

What Do We Do?
1. Hybrid strategy of compliance (best practices) and risk-based metrics to assess whether security is getting better or worse
2. Integration of existing IT security tools and OT security (yet to be developed in most cases) tools to protect networks
3. Integration of traditional IDS monitoring and new IDS-like tools relevant to OT networks
4. Formulation of new approaches to attack response and digital forensics to cope with threats in ICS environments
5. Update security policies and defensive countermeasures based on threats to ensure closed-loop process
- Need environment-relevant IT security tools
- Need new OT tools for Protect/Detect/Respond
- Need new environment-relevant approaches to risk management

ISA-99 Standards for Control Systems

Chemring
- Focusing on products and services to address the OT security gap, integrating across the entire NIST CSF
- Partnering with companies to mature technologies for addressing OT security gaps in protection, detection, and response
- Partnering with companies to provide threat identification and recovery services

Contact
Riley Repko
VP Global Cybersecurity Strategy
rrepko@chemringgroup.com