keeping data safe - nil · masao ito nil software corp. email: [email protected] 7/sep/2017 an approach...
TRANSCRIPT
MasaoItoNILSoftwareCorp.email:[email protected]
7/Sep/2017
AnApproachforDataSecurityintheEraofIndustry4.0
keepingdatasafe
©2017NILsoftwarecorp.
Introduction
2
▪ In the Industry 4.0 era, there is the difference between thephysicalandlogicalviewofthefactory.Forexample,amachineowned by a company, but it might be controlled by anothercompany.
▪ As for safety and security, itmight be desirable to analyse thesystem(ofsystems)byasingleapproach.Focusingontheearlyphaseof systemdevelopment,we try toconider thepossibilityofanapproach.
©2017NILsoftwarecorp. 3
ProduktProdukt
Verwaltungs-schaleVerwaltungs-schale
CompanyB
CompanyC
CompanyA
Machine
Processes
Human
Data Administrativeshell
Product
Product
TrustCenter
Administrativeshell
Machine
Components
Components
Components
CACA
CA
Industry3.0 StrongerIndustry4.0 Industry4.0 Familiar
Industry3.0to4.0
Industry3.0
Machine
ProcessesData
Product
CompanyB CompanyA
HumanCompanyC
IT-SecurityinIndustrie4.0https://www.plattform-i40.de/I40/Redaktion/EN/Downloads/Publikation/it-security-in-i40.html
Industry3.0
Industry4.0
©2017NILsoftwarecorp. 4
TheessentialprerequisiteforasuccessfulimplementationofIndustrie4.0isasecureandtrustworthytreatmentofdataandareliableprotectionofinter-companycommunicationfromexternalattacks.
Itsays,
©2017NILsoftwarecorp. 5
inter-company
intra-factory
inter-machine
intra-machine intra-machine
intra-factory
inter-machine
intra-machine intra-machine
Industry4.0
noairgaps?intra-factories
inter-machine
intra-machine intra-machine
inter-factory
companyB
companyA
intra-company
©2017NILsoftwarecorp. 6
ComparisonofStandards@concptphase
Security ISA/IEC62443Safety ISO26262
©2017NILsoftwarecorp. 7
Comparisonofsecurityandsafetystandards
▪ Security
▪ ISA/IEC62443 (ISA99) is thecomprehensivestandards forsecurityof theindustrialautomationandcontrolsystem(IACS).Itaimstoprevent:▪ endangermentofpublicoremployeesafety
▪ lossofpublicconfidence
▪ violationofregulatoryrequirements
▪ lossofproprietaryorconfidentialinformation
▪ economicloss
▪ impactonnationalsecurity
▪ Safety
▪ ISO26262
▪ ISO26262isintendedtobeappliedtosafety-relatedsystemsthatincludeone or more electrical and/or electronic (E/E) systems and that areinstalledinseriesproductionpassengercarswithamaximumgrossvehiclemassupto3500kg.
©2017NILsoftwarecorp. 8
ISA/IEC62443useszone&conduitmodel
Zone Zone
Conduit
©2017NILsoftwarecorp. 9
RTU/PLC
IO
SCADAServer
Primary Control Center
SCADAServer
Backup Control Center
Zone and Conduit of IACS
Control Zone
・・・・
IO
RTU/PLC
IO IO
RTU/PLC
IO
Control Zone
IO
RTU/PLC
IO IO
Information ZoneEnterprise Zone
・・・ ・・・
▪ Gateway
▪ End-Point
▪ Data Center
▪ Network
inter-factory or -company
intra-factory
intra-factoryinter-machine
intra-machine
SCADA:SupervisoryControlAndDataAcquisitionRTU:RemoteTerminalUnitPLC:ProgrammableLogicController
©2017NILsoftwarecorp. 10
Reference IECReference Title
ISA-TR62443-0-3 N/A GapassessmentofANSI/ISA-99.02.01-2009
ISA-62443-1-1 IEC/TS62443-1-1 Modelsandconcepts
ISA-TR62443-1-2 IEC/TR62443-1-2 Masterglossaryoftermsandabbreviations
ISA-62443-1-3 IEC62443-1-3 Systemsecuritycompliancemetrics
ISA-TR62443-1-4 IEC/TR62443-1-4 Securitylifecycleandusecases
ISA-62443-2-1 IEC62443-2-1RequirementsforanIACSsecuritymanagementsystem
ISA-TR62443-2-2 IEC/TR62443-2-2ImplementationguidanceforanIACSsecuritymanagementsystem
ISA-TR62443-2-3 IEC/TR62443-2-3 PatchmanagementintheIACSenvironment
ISA-62443-2-4 IEC62443-2-4 RequirementsforIACSsolutionsuppliers
ISA-TR62443-3-1 IEC/TR62443-3-1 SecuritytechnologiesforIACS
ISA-62443-3-2 IEC62443-3-2 Securityriskassessmentandsystemdesign
ISA-62443-3-3 IEC62443-3-3 Systemsecurityrequirementsandsecuritylevels
ISA-62443-4-1 IEC62443-4-1 Productdevelopmentrequirements
ISA-62443-4-2 IEC62443-4-2 TechnicalsecurityrequirementsforIACScomponents
ISA/IEC62443Standards
©2017NILsoftwarecorp. 11
IEC62443-1-1 ISO26262Part3(ConceptPhase)ConceptPhase(Identificationstep,Conceptstep)
3-5:ItemDefinition3-6:InitiationoftheSafetyLifecyle
AnalysisPhase(Definitionstep) 3-7:HazardAnalysisandRiskAssessment3-8:FunctionalSafetyConcept
TheEarlyStageofProcess
Table1.ComparissonoftheearlystagebetweenIEC62443withISO26262
• Continuedevelopingthesecurityprogram• Establishsecurityfunctionalrequirementsforindustrialautomationandcontrolsystemsandequipment,
productionsystems,informationsystems,andpersonnel• Performvulnerabilityassessmentoffacilitiesandassociatedservicesagainstthelistofpotentialthreats• Discoveranddeterminelegalrequirementsforindustrialautomationandcontrolsystems• Performariskanalysisofpotentialvulnerabilitiesandthreats• Categorizerisks,potentialimpactstotheenterprise,andpotentialmitigations• Segmentsecurityworkintocontrollabletasksandmodulesfordevelopmentoffunctionaldesigns• Establishnetworkfunctionaldefinitionsforsecurityportionsofindustrialautomationandcontrol
systems
©2017NILsoftwarecorp. 12
3.2.107securitylevellevelcorrespondingtotherequiredeffectivenessofcountermeasuresandinherentsecuritypropertiesofdevicesandsystemsforazoneorconduitbasedonassessmentofriskforthezoneorconduit[13].
SecurityLevel
• TargetSL User
• CapabilitySL UserandVendor
• AchivedSL User
SecurityLevel QualitativeDescription
1 LOW2 Medium3 High
©2017NILsoftwarecorp. 13
4.2.2.1 Developabusinessrational
4.2.3.1 Selectariskassessmentmethodology
4.2.3.2 Provideriskasssessmentbackgroundinformation
4.2.3.3 Conductahigh-levelriskassessment
4.2.3.4 Identifytheindustrialautomationandcontrolsystems
4.2.3.5 Developsimplenetworkdiagrams
4.2.3.6 Prioritizesytems
4.2.3.7 Performadetailedvulnerabilityassessment
4.2.3.8 Identifyadetailedriskassessmentmethodology
4.2.3.9 Conductadetailedriskassessment
4.2.3.10 Identifythereassessmentfrequencyandtriggeringcriteria
4.2.3.11 Integratephysical,HSEandcybersecurityriskassessmentreuslts
4.2.3.12 ConductriskassessmentsthroughoutthelifecycleoftheIACS
4.2.3.13 Documenttheriskassessment
4.2.3.14 Maintainvulnerabilityassessmentrecords
IEC62443Riskanalysisrequirements
high-level
detailed
risk,likelyhood
ThetargetSL(SecurityLevel)doesNOTidentifiedhere
©2017NILsoftwarecorp. 14
RiskAnalysis
ISA/IEC62334-2-1p.48
SecurityLevel(SL)canbedeterminedafterestablishedthezoneandconduitmodel
©2017NILsoftwarecorp. 15
ISA/IEC62334-2-1p.122
SecurityLevelLifecyleModel:AssessPhase
©2017NILsoftwarecorp. 16
ISA/IEC62443vs.ISO2626standard
▪ Thebothstandardsdefinerequired(security/safety) level intheearlystage:targetSL(62443),ASIL(26262).
▪ But, in 26262, we give the ASIL only to the item (abstractsystem),andlaterapplythemtoparts(c.f.ASILdecomposition).
▪ In62443,wegive the targetSL toeachzone (or conduit) afterdesigningthezone-conduitmodel.
©2017NILsoftwarecorp. 17
DetectionofAnomalityofData
©2017NILsoftwarecorp. 18
RTU/PLC
IO
SCADAServer
PrimaryControlCenterZone
SCADAServer
BackupControlCenter
Catchthethreatsintheconduit
ControlZone
・・・・
IO
RTU/PLC
IO IO
RTU/PLC
IO
ControlZone
IO
RTU/PLC
IO IO
InformationZoneEnterpriseZone
・・・ ・・・
▪ Virusenteredanditemittedthewronginformation
SCADA:SupervisoryControlAndDataAcquisitionRTU:RemoteTerminalUnitPLC:ProgrammableLogicController
▪ InfectedUSBmemorywasinserted
▪ Theaccesscontrolwasviolatedbecauseofpoormechanism
©2017NILsoftwarecorp. 19
Itattackssystems(centrifugeseparator)thatspinbetween807hzto1210hz,onceitfoundthem,itmanipulatedtheoperationofthemotorsbychangingtheirrotationalspeed.
itmodifiedthefrequencyanywherefrom1410hzto2hz,allwhilesendingfalsedatabacktotheoperators.
W32.Stuxnet
©2017NILsoftwarecorp. 20
Zone_AConduit_a
Conduit:Flowdata
Itreturnsfalse;Thecontentsandthetimingofdataisvalid,butthedatawronglygooutthrouththeconduit.
Zone:Saveddata
ValidityOfFlowData(Direction,Contents,Timing)
Verificationfunction
ValidityOfStoredData(Action,Contents,Timing)
Direction: toZone_A/fromZone_A
Itreturnsfalse;Thedatawasupdatedtimely,butthecontentsofitiswrong.
Action: Create/Read/Update/DeletetotheData
Possibilityofsecurityviolation
©2017NILsoftwarecorp. 21
DetectioninISO26262
▪ In 26262, fault detection is important, such as Fault TolerantIntervalTime(FTTI).
Thesafetygoalcanincludefeaturessuchasthefaulttoleranttimeinterval,orphysicalcharacteristics(e.g.amaximumlevelofunwantedsteering-wheeltorque,maximumlevelofunwantedacceleration)iftheywererelevanttotheASILdetermination.(ISO262623-7.4.4.6)
Clean
Attacking
Detected
(Safe)
(Fault)
(TransitionToSafeState)
SecureState
©2017NILsoftwarecorp. 22
Fault FaultDetection
PossibleHazzard
T<=DiagnosticTestInterval
FaultReactionTime
FaultTorelantTimeInterval
Time
Faultreactiontimeandfaulttoleranttimeinterval(ISO26262-1Fig.4)
NormalOperation
(SafeState)
TransitionedtoSafeState
EmergencyOperationInterval
FTTI
FTTI&EmergencyOperationInterval
©2017NILsoftwarecorp. 23
Attacking AttackDetection
PossibleHazzard
T<=DiagnosticTestInterval
FaultReactionTime
Time
NormalOperation
TransitiontoSecureState
EmergencyOperationInterval
ATTI:AttackTorelantTimeInterval
(SecureState)
AttackTorelantTimeInterval
©2017NILsoftwarecorp. 24
• TocalculateFTTI,weneedthevariousflowpaths
RefinedController
Input
Output
Error
aController
InputChecker
OutputChecker
RuntimeChecker(FaultDetection)(TransittoSafeState)
GenericmechanismtocalculateFTTI
©2017NILsoftwarecorp. 25
• DetectionmechanismandcalculationofATTI
RefinedRepository
Input
Output
Error
DataRepository
InputChecker
OutputChecker
RuntimeChecker
GenericmechanismtocalculateATTI
(AttackDetection)(TransittoSecureState)
©2017NILsoftwarecorp. 26
Conclusion
▪ In industry 4.0 era, the network of a company will be opened toothercompanytocommunicateeachother.So,wehavetofocusonthe security and data that is transferred between companies andstoredinthosecompanies.
▪ TheIACSusesthezoneandconduitmodeltokeepthemsecure.Thezone is in a layer according to its security level.The conduit is thecommunication channel between the zones.We have to think thesecurityofzone(andthedatainit)andconduit.
▪ Asforconceptmodel,therearesomedifferencesbetweensecuritystandard (IEC 62443) and the safety standard (ISO 26262). In ISO26262,we give theASIL to an item, that is the abstraction of thesystem. On the other hand, in IEC 62443, we just assess therequirementandcontextinthecontextphase.Inthenextstep,wegive the SL to each zone (and conduit).We need the zones andconduitsafterfirstdesign.
©2017NILsoftwarecorp. 27
Conclusion
▪ The zone and conduit model has the rationale. However, ifanythingbreaksit,itishardtodetecttheintruderandtoprotecta system. In this presentation, we provide the model fordetectionbasedon the ISO26262definition andour approachforFTTIcalculation.TheATTIistheattacktoleranttimeinterval,and to assure thisATTI we can use the mechanism for attackdetection.