Security Implications of Future Networking and Communications Systems Presented to: IEEE GlobeCom 2005 St. Louis, MO December 1, 2005 Joan Woodard, Ph.D. Executive Vice-President Sandia National Laboratories


Page 1

Security Implications of Future Networking and Communications Systems

Presented to: IEEE GlobeCom 2005
St. Louis, MO, December 1, 2005

Joan Woodard, Ph.D., Executive Vice-President
Sandia National Laboratories

Page 2

Sandia National Laboratories

Page 3

Introduction

Page 4

Some Characteristics of Future Networking and Communication Systems

• More information, accessed and processed faster
• Increased use of reconfigurable logic (soft hardware) rather than “ASICs” or software
• Quantum Information Technology
 – will improve cryptanalysis
 – will improve encryption techniques
 – will bring new challenges for communication systems
• More malicious code attacks

Sandia is working to improve our posture in all of these areas.

Page 5

Shocking Facts about Information Security

• SCADA Attack – Malicious code implant caused rupture of a gas pipeline in Siberia, the largest non-nuclear explosion on record (3 KT), 1982
• NIPRNET Attack – SuperSlammer worm infected 60% of NIPRNET computers in eight minutes.
• Nuclear Power Plant Attack – A recent worm infected the business network at Ohio’s Davis-Besse nuclear power plant and spread to the process control network (fortunately off-line at the time).
• Botnet Attack
 – Used for denial of service
 – Potentially used for criminal activity

Page 6

Our reliance on information and information technology is inconsistent with our ability to protect it.

Page 7

Two general approaches to address this problem

• Lower our dependence on information and information technology

• Improve our ability to protect information and information technology

Page 8

How do we lower our dependence on secure information?

• To the extent that we can minimize reliance on the need for information in new systems designs, we should.

• However in general we expect our dependence on information to grow.

Page 9

How do we improve our ability to protect information and information systems?

A: Improve basic processes
B: Improve system protections
 – Technological
 – People
C: Improve high assurance methods
D: Improve modeling/simulation

Page 10

A: Improve Basic Processes

• Define security processes for:
 – Identifying information that is sensitive to unauthorized disclosure, modification, denial of service, and misuse
 – Identifying those authorized for disclosure, modification, reconfiguration (denial) of service
 – Preventing unauthorized access, monitoring use, and responding appropriately
 – Accrediting information systems for protection of the assets they contain

Page 11

Assessment & Red Teaming Based on Threat Analysis

Attack graphs are used to understand options from a threat perspective.

The Red Team & Assessment Adversarial Modeling Process is used to refine the definition of the threat.

Page 12

B: Improve System Protections (Technological)

• Use a well-founded Risk Assessment Methodology*:
 – Identification of threats to specific assets
 – Map protections to these “threat-asset pairs”
 – Analyze “residual risk”
 – Iterate to achieve “acceptable” risk

(Better metrics will improve this process…)

• Better Protection Technology
 – better encryption
 – better configuration control
 – better access control
 – applying system of systems …
 – other technologies

*For example: “A Security Methodology for Computer Networks”, L. G. Pierson and E. L. Witzke, AT&T Technical Journal, May-June 1988
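The four steps on this slide (threats to assets, protections mapped onto threat-asset pairs, residual risk, iterate to acceptable risk) are a loop a practitioner can run as a small program. The following is an added illustration written for this transcript; it is not code from the talk or from the Pierson and Witzke paper, and every asset, threat, control, cost and probability in it is constructed sample data.

```python
"""Added illustration (not from the talk or the cited paper) of the
threat-asset-pair risk loop on the slide: identify threats to assets, map
protections onto each pair, compute residual risk, and iterate until every
pair is inside the acceptable region or the budget is exhausted. All assets,
threats, controls and numbers below are constructed sample data."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float   # fraction of a threat's likelihood the control removes
    cost: float
    applies_to: tuple      # threat names this control addresses


@dataclass
class ThreatAssetPair:
    asset: str
    threat: str
    likelihood: float      # annual probability the threat succeeds, 0..1
    impact: float          # loss if it succeeds, in arbitrary money units
    controls: list = field(default_factory=list)

    def residual_likelihood(self) -> float:
        # each mapped control cuts the remaining likelihood by its effectiveness
        p = self.likelihood
        for c in self.controls:
            p *= 1.0 - c.effectiveness
        return p

    def residual_risk(self) -> float:
        return self.residual_likelihood() * self.impact


def risk_register(pairs):
    """Residual risk per threat-asset pair, rounded for reporting."""
    return {(p.asset, p.threat): round(p.residual_risk(), 2) for p in pairs}


def _gain_per_cost(pair, control):
    before = pair.residual_risk()
    pair.controls.append(control)
    after = pair.residual_risk()
    pair.controls.pop()
    return (before - after) / control.cost


def iterate_to_acceptable(pairs, catalogue, acceptable, budget):
    """Greedy form of 'iterate to achieve acceptable risk': repeatedly add the
    control with the best risk reduction per unit cost to the worst pair.
    Returns (controls applied, money spent, whether every pair is acceptable)."""
    spent, applied = 0.0, []
    while True:
        worst = max(pairs, key=lambda p: p.residual_risk())
        if worst.residual_risk() <= acceptable:
            return applied, spent, True
        candidates = [c for c in catalogue
                      if worst.threat in c.applies_to
                      and c not in worst.controls
                      and spent + c.cost <= budget]
        if not candidates:
            return applied, spent, False   # residual risk left above threshold
        best = max(candidates, key=lambda c: _gain_per_cost(worst, c))
        worst.controls.append(best)
        applied.append((worst.asset, worst.threat, best.name))
        spent += best.cost


def build_example():
    """Constructed sample register: a control network and its WAN link."""
    catalogue = [
        Control("link encryption", 0.9, 20.0, ("eavesdropping",)),
        Control("configuration control", 0.6, 10.0, ("malicious code",)),
        Control("access control", 0.7, 15.0, ("malicious code", "unauthorized access")),
    ]
    pairs = [
        ThreatAssetPair("control network", "malicious code", 0.5, 1000.0),
        ThreatAssetPair("control network", "unauthorized access", 0.3, 1000.0),
        ThreatAssetPair("WAN link", "eavesdropping", 0.8, 200.0),
    ]
    return pairs, catalogue


if __name__ == "__main__":
    pairs, catalogue = build_example()
    print("initial:", risk_register(pairs))
    applied, spent, ok = iterate_to_acceptable(pairs, catalogue, acceptable=100.0, budget=60.0)
    print("applied:", applied, "spent:", spent, "acceptable:", ok)
    print("residual:", risk_register(pairs))
```

With the sample data the loop spends the whole budget of 60 and brings all three pairs under the threshold of 100; the slide's parenthetical about better metrics is exactly the weakness visible here, since the likelihood and effectiveness figures are guesses and the ranking is only as good as they are.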

Page 13

Better Protection Technology

High Speed Encryption

Communication Security Protocols

1996 R&D 100 Award: Scaling Encryption

Page 14

B: Improve System Protections (People)

• Better personnel assurance
 – Principle of Least Privilege
 – Minimize insider threat
 – Design in “deterrence”
 – Practice “Need-to-Know”
 – Security conscious users report anomalies

Page 15

C: Improve High Assurance Methods

• Today’s computers are designed to execute any arbitrary program (even malicious ones)
• Build “inherent security” into systems from the start, rather than “bolting on later”
• Need trusted systems built from trusted and untrusted components (composed from “COTS” elements)
 – Trusted Computing Group (TCG)
 – Microsoft’s Next Generation Secure Computing Base (NGSCB)

Page 16

D: Improve Modeling/Simulation

• Detect unknown vulnerabilities
 – Current stand-alone SCADA systems are being replaced with Internet-connected ones
 – More people have access – disruptions can be caused by hackers who have no training in control systems engineering
 – The use of the Internet exposes SCADA systems to all the inherent vulnerabilities of interconnected computer networks that are currently being exploited by hackers, organized crime, terrorist organizations, and nation states.
• Especially vulnerable is the electric power grid.
 – Complex systems
 – Interconnected infrastructures
 – Cascading failures

Page 17

D: Improve Modeling/Simulation

System Dynamics Modeling

• Characteristics
 – Based on Stocks and Flows of Infrastructure Goods, Commodities, and Finances
 – Performs Quick Simulations and Analyses of Aggregate, Dynamic Infrastructure Interactions
 – Provides Systems-Wide View of Infrastructure Operations, Including Interdependency Effects
• Uses
 – Quantified Consequences for Evaluating Risks
 – Limiting Factors Under Different Ambient Conditions, Hypothetical Events, Policies
 – Effects of Alternatives, Pathways, Redundancies, and Inventories
 – Potential Magnitude, Location and Timing of Disruptions that Propagate to Other Infrastructures and Regions
 – Positive and Negative Feedbacks from Interdependencies and their Net Effect on the Supply/Demand Balance

Page 18

How do we protect against loss of physical assets (today)?

• Passive protection (fortification (concrete), disguise/hide)
• Armed guards and legal authority to use lethal force
• Monitoring/response (video cameras, sensors, response force)
• Insurance (measured value, characterized threat, risk management)
• Investigation (was there a theft? What was its value? Who did it?)
• Deterrence?

Page 19

Information assets differ from physical assets

• Can be given away and still kept
• Can be stolen and not missed
• Can be distributed almost instantly
• Cannot easily tell if it is authentic or not
• Complexity (system of systems)
• Forensics

Page 20

How do we protect against loss of information assets today?

• Passive protection (firewall functions, proxy devices, encryption, etc.)
 – Basic problem is discrimination between good and bad, or authorized and unauthorized, access
• Posting guards (N/A)
• Monitoring/response (computer intrusion detection systems and pagers to summon a system manager)
• Insurance (backups protect against data corruption and system failure, but data valuation and threat characterization are hard)
• Investigation (logs, digital forensics tools; but complexity, large data volumes, and lack of computer awareness make this hard)
• Hard to determine how much security is enough
• How to balance physical protective systems and cyber protective systems in order to minimize risk and minimize overall cost for both protective systems

Page 21

Future View/Future Threat

For example,
• Game changing technologies
• Composing trusted systems from both trusted and untrusted components
• Solutions for broad classes of problems rather than individual cases
• Methods of detecting unknown malicious code rather than known
• More sophisticated threat with wider range of access points (wireless laptops, PDAs, cell phones, etc.)

Page 22

How much is enough?

[Figure: chart of Risk (vertical axis) against Investment (horizontal axis). Threat level increases from left to right: Unskilled, Unorganized (User); Skilled, Unorganized (Hacker, Hacker Coalitions); Skilled, Organized (Organized Crime; Terrorists, Nation State). Layered investments shown in order: Security Policy; Implementation/Enforcement; Auditing; Security Engineering and Intelligence Function; Mitigation for specific threats. Regions labelled Total Systematic Risk, Non-Systematic Threats, and Acceptable Risk Region.]

Page 23

Technologies that will “change the game”

• Reconfigurable Logic (soft hardware) is replacing ASIC technology in many markets… we will require new techniques to assure these devices are configured and maintained as intended (without introduction of “malware”, just as we have virus checkers, etc. today for software)

• Tamper-Resistant Cryptographic Authentication of hardware and software (continuously, as programs are executing) will turn low assurance systems into high assurance systems.

• Quantum Information Technology will improve cryptanalysis (rendering some encryption techniques obsolete) and also improve encryption techniques (introducing new challenges for communication systems, especially in long haul telecommunications).

Page 24

Tamper-Resistant Cryptographic Authentication

• Problem: Current computing architectures are “inherently insecure” because they are designed to execute ANY arbitrary sequence of instructions, and are therefore subject to subversion by malicious code.

• Goal: Produce a cryptographic method of “tamper-proofing” code over a large portion of the software/hardware life cycle by decrypting/authenticating each instruction within the CPU.

• Accomplishments: Demonstrated “shrink-wrapping” of applications running in a reconfigurable processor and now increasing cryptographic protection. Initial “security analysis” completed. Next step would incorporate chip-level physical tamper-proofing techniques and apply to specific applications.

[Figure: “Cryptographically Enabled CPU”. Code distribution from a Trusted facility, which ascertains code correctness, compiles and “shrinkwraps” the code, and applies copy protections if necessary, producing an Object File. Memory holds Object 1 … Object n, each with a Code segment and a Data segment under that object’s own keys (K1,c and K1,d … Kn,c and Kn,d). A Key-agile Encryptor/decryptor, selecting keys via the Code and Data Segment pointers, sits between memory (Address; Data or Instructions) and the CPU inside a Protected Volume (Trusted Facility).]

*“Secure Computing using Cryptographic Assurance of Execution Correctness”, in Proceedings, 2004 International Carnahan Conference on Security Technology
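The slide and the figure describe the mechanism only at block-diagram level: per-object code and data keys, a key-agile decryptor in the fetch path, and authentication of every instruction before it reaches the CPU. The following simulation, added here for this transcript, is my own illustration of that idea and of the page 23 bullet on continuous cryptographic authentication of executing code; it is not Sandia’s design or code from the Carnahan paper. It assumes an HMAC-SHA256 keystream with a truncated per-word HMAC tag in place of the real cipher, and a three-opcode toy instruction set.

```python
"""Added simulation (my own, not Sandia's design or code) of the
'cryptographically enabled CPU' on the slide: a trusted facility
shrink-wraps each object's code and data segments under that object's own
keys (K1,c and K1,d for object 1, and so on), and a key-agile decryptor in
front of the CPU authenticates and decrypts every word as it is fetched, so
a word altered anywhere between packaging and execution never reaches the
decode stage. Simplifications assumed here: an HMAC-SHA256 keystream plus a
truncated per-word HMAC tag stands in for the real cipher, and a three-opcode
toy ISA stands in for a real instruction set."""

import hashlib
import hmac
import os

WORD = 4      # 32-bit instruction and data words
TAG_LEN = 8   # bytes of authentication tag stored beside each word


def _prf(key: bytes, segment: bytes, addr: int, extra: bytes = b"") -> bytes:
    # one PRF output per (key, segment, address[, ciphertext]); never reused
    return hmac.new(key, segment + addr.to_bytes(8, "big") + extra, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def shrinkwrap(key: bytes, segment: bytes, words):
    """Trusted-facility side: encrypt every word under a per-address keystream
    and attach a tag bound to (segment, address, ciphertext)."""
    out = []
    for addr, w in enumerate(words):
        ct = _xor(w, _prf(key, segment, addr)[:WORD])
        out.append(ct + _prf(key, segment, addr, ct)[:TAG_LEN])
    return out


class TamperFault(Exception):
    """Raised by the decryptor instead of handing a bad word to the CPU."""


class KeyAgileDecryptor:
    """Sits between memory and the CPU. The object id plays the role of the
    code/data segment pointer that selects which key pair is in use."""

    def __init__(self, objects):
        self.objects = objects   # object id -> {"code": K_c, "data": K_d}

    def fetch(self, obj_id: str, segment: str, memory, addr: int) -> bytes:
        key, seg = self.objects[obj_id][segment], segment.encode()
        ct, tag = memory[addr][:WORD], memory[addr][WORD:]
        if not hmac.compare_digest(tag, _prf(key, seg, addr, ct)[:TAG_LEN]):
            raise TamperFault(f"{obj_id}/{segment}[{addr}] failed authentication")
        return _xor(ct, _prf(key, seg, addr)[:WORD])


def authenticates(decryptor, obj_id, segment, memory, addr) -> bool:
    """True if the word at addr verifies under the object's segment key."""
    try:
        decryptor.fetch(obj_id, segment, memory, addr)
        return True
    except TamperFault:
        return False


# Toy ISA: opcode byte + 3-byte immediate. 0x01 ADD imm; 0x02 ADD data[imm]; 0xFF HALT.
def run(decryptor, obj_id, code_mem, data_mem) -> int:
    acc, pc = 0, 0
    while True:
        word = decryptor.fetch(obj_id, "code", code_mem, pc)   # authenticate-then-decode
        op, imm = word[0], int.from_bytes(word[1:], "big")
        if op == 0xFF:
            return acc
        if op == 0x01:
            acc += imm
        elif op == 0x02:
            acc += int.from_bytes(decryptor.fetch(obj_id, "data", data_mem, imm), "big")
        else:
            raise ValueError(f"bad opcode {op:#x}")
        pc += 1


def build_object(program_words, data_words):
    """Package one object: fresh K_c and K_d, shrink-wrapped code and data."""
    keys = {"code": os.urandom(32), "data": os.urandom(32)}
    return (keys,
            shrinkwrap(keys["code"], b"code", program_words),
            shrinkwrap(keys["data"], b"data", data_words))


def demo():
    """Constructed program: ADD 5; ADD data[0] (= 37); HALT. Returns the
    accumulator for the intact object and whether a one-bit change to the
    stored ADD immediate is rejected at fetch time."""
    keys, code_mem, data_mem = build_object(
        [b"\x01\x00\x00\x05", b"\x02\x00\x00\x00", b"\xff\x00\x00\x00"],
        [(37).to_bytes(WORD, "big")])
    dec = KeyAgileDecryptor({"obj1": keys})
    result = run(dec, "obj1", code_mem, data_mem)
    corrupted = bytearray(code_mem[0])
    corrupted[3] ^= 0x01            # would turn ADD 5 into ADD 4 if it went unchecked
    tampered = [bytes(corrupted)] + code_mem[1:]
    return result, not authenticates(dec, "obj1", "code", tampered, 0)
```

Two properties of the figure are worth checking against the code: the tag is bound to the segment and address as well as the ciphertext, so a valid data word cannot be replayed as an instruction or moved to a different address, and because each object carries its own key pair, a word shrink-wrapped for one object does not authenticate under another object's keys, which is what the key-agile decryptor's per-segment key selection buys. The per-word tag also shows where the slide's “performance degradation of the cryptographic overhead” (page 28) comes from: every fetch costs two PRF evaluations and doubles the memory footprint here.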

Page 25

Scope of Protection in the Software Lifecycle: Security Analysis

• Objective: Protect against introduction of malicious code over a large portion of the software life cycle

[Figure: lifecycle chain Requirements → Design → Code → Compile → Package → Distribute → Install → Execute, with Execute expanded into Load → Fetch → Decode; four “exploit” insertion points are marked along the chain.]

Page 26

Quantum Information Technology

• Security of current key exchange systems is based on the inability to factor large numbers*
• A quantum computer is inherently well suited to this problem (Shor’s algorithm provides exponential speedup)
 – May threaten security of current cryptosystems
• Recent physics experiments have demonstrated feasibility of the QC concept on a small scale (few qubits)

From D. P. DiVincenzo, Quant. Inf. Comp. 1 (Special), 1 (2001)

*Bouwmeester, et al., The Physics of Quantum Information, 2000.

• Quantum Cryptography (Quantum Encoding for Secrecy) will improve this situation
 – Currently slow, short distances, not applicable to storage
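To make the slide's first two bullets concrete: Shor's algorithm reduces factoring N to finding the multiplicative order r of a random base a modulo N, and only that order-finding step needs a quantum computer; the rest is classical arithmetic. The following worked example, added for this transcript and not part of the talk, performs the order-finding by brute force (the exponential part a quantum computer replaces) and then runs Shor's classical post-processing on small constructed moduli so the reduction itself can be seen.

```python
"""Added worked example of why the slide says Shor's algorithm threatens
factoring-based key exchange. Shor reduces factoring N to finding the order r
of a random base a modulo N; only that order-finding step needs a quantum
computer. Here the order is found by brute force (exponential in the size of
N, which is exactly the part a quantum computer would do in polynomial time)
and the classical post-processing gcd step is shown as written. Not the
talk's code; small constructed moduli only."""

from math import gcd
import random


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r == 1 (mod n), for gcd(a, n) == 1. Brute force
    stands in for the quantum period-finding subroutine."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, n: int, r: int):
    """Shor's classical post-processing: if r is even and a^(r/2) != -1 mod n,
    then gcd(a^(r/2) - 1, n) or gcd(a^(r/2) + 1, n) is a nontrivial factor."""
    if r % 2:
        return None                      # odd order: pick another base
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                      # trivial square root of 1: retry
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return cand
    return None


def shor_classical(n: int, rng=None, tries: int = 100):
    """Full reduction for an odd composite n: pick random bases until the
    order of one of them reveals a factor. Returns None if n looks prime
    (every base gives a trivial square root) or the tries run out."""
    rng = rng or random.Random(2005)     # fixed seed so the walk is reproducible
    if n % 2 == 0:
        return 2
    for _ in range(tries):
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:
            return g                     # base already shares a factor with n
        r = multiplicative_order(a, n)
        f = factor_from_order(a, n, r)
        if f:
            return f
    return None


if __name__ == "__main__":
    for n in (15, 21, 3233):
        print(n, "->", shor_classical(n))
```

The step worth noticing is that `multiplicative_order` is the only place whose cost grows exponentially with the size of N; everything after it is gcds and modular exponentiation, which is why a polynomial-time quantum order finder is enough to make factoring-based key exchange obsolete, as the page 23 bullet puts it.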

Page 27

Trusted systems from trusted & untrusted components

• Certification of highly trusted COTS elements
• Need methodology to combine trusted and less trusted components so as to improve the security of an infrastructure
• Goal: Increase infrastructure security, reduce cost of security
• Virtualized Architecture

Improve security of infrastructure composed of trusted and less trusted components.

Page 28

Current Situation

• Current computing architectures are “inherently insecure” -- they are designed to execute ANY arbitrary sequence of instructions.
 – Need to modify computing architecture
 – Achieve modification by incorporating encryption and authentication into the fetching of the instruction stream
 – Careful revision of computing architecture can accomplish this while preserving the huge investment in software/hardware infrastructure
 – First applications will be “high consequence” ones that can sustain the performance degradation of the cryptographic overhead
 – Combine these more trusted components with less trusted components to achieve a more secure infrastructure at manageable cost.

Page 29

Technical Problem

• Problem: Current methods of enforcing security policy depend on security patches, anti-virus protections, and configuration control in the end user’s computer at ever increasing intervals.
• Goal: To “harden” computer infrastructure with a combination of high assurance and low assurance (and higher performing) components, at a lower cost than replacing the entire infrastructure with high assurance components.

[Figure: Infrastructure Security (vertical axis) against Required Security Personnel (horizontal axis), contrasting the Current Methodology curve with the Scalability Goal.]

Improve security of infrastructure composed of trusted and less trusted components.

Page 30

Challenges to Industry

• “Sell security” (insert “inherently secure” requirements into business model)
 – Assure vs “Assure Against”
 – Security vs time-to-market
  » vs cost
  » vs ease of use
  » vs information richness
 – Collective Security vs Personal Autonomy
• Adopt security methodology countering “incremental security”
• Human factors engineering

Page 31

Challenges to Research Community

• Focus on cyber security technology
• Increase government and academic partnerships

Page 32

Challenges To All

• Facilitate information sharing on threats, vulnerabilities

Page 33

Concluding Thoughts

• Systems are increasingly complex and interconnected
• Threat is becoming more sophisticated
• New technologies will impact security
• The attackers are far ahead of the defenders

Paradigm shift: We need a quantum leap in security by designing inherently secure information systems.

Page 34

Questions?