Visibility & Control: Addressing Supply Chain Challenges to Trustworthy Software-Enabled Things
Robert A. Martin Sr. Secure Software & Technology Prin. Eng. Trust & Assurance Cyber Technologies Dept. Cyber Solutions Technical Center
IIC Forum | Long Beach, CA
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Everything is Becoming Software-Enabled and Connected, Either through Task Dependency, Supply Chain, or Information Flow
Today Your System is: • attackable or • susceptible to a hazard…
We need to be assured When this Other System that not only are our own gets subverted through: systems trustworthy but • an un-patched vulnerability; • a mis-configuration; also everything we • an application weakness; depend upon… • a counterfeit item; • tainted software or hardware; or • the system’s susceptibility to a hazard…
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 How is Software-Enabled and Connected (aka Cyber) Becoming so Pervasive? Context: 1976 Chevy Vega
The only software was behind the wheel – no microelectronics.
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Critical Functions Migrated into Software & Microelectronics (SW/HW)
Electric throttle valve control
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Control/Communication Transitioned from Point-to-Point Wiring to Network-based
Air Anti- Con- Engine Lock dition Control Lighting Power Brakes Locks
Dash- board
Airbag Trans- Active Power Power mission Suspen- Seats Control sion Win- Air dows Anti- Con- Engine Lock dition Control Lighting Power Brakes CAN Locks CAN CAN CAN Connected Software and HW CAN (microelectronics) High Speed CAN Dash- Low Speed
board CAN CAN CAN CAN CAN Power Airbag Trans- Active CAN Seats mission Suspen- Power Control sion Win- dows © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Critical Functions Are Migrating into Connected SW/HW
Anti-Lock Brakes Transmission Control Lighting Air Conditioning Power Locks Airbag Power Seats Power Windows
Smart Catalytic Converter
Beam Shaping Headlights
Beam Splitting Headlights © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Multiple Types of Networks Are Appearing
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Many Critical Functions Now Need to be Updated and Sustained…
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Connectivity and Complexity of Connected Software-Enabled Systems is Still Expanding
Driverless Cars, ADAS, V2V, V2I, Safety
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 All types of Enterprises are Facing these Same Changes…
Medical Buildings Aeronautics Manufacturing
Energy Shipping
Vehicles
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 These Changes Go Well beyond Traditional Information Technology…
Water Treatment Status & Health Monitoring Oil & Gas
Hydro Power & Dam Mngt Smart Munitions
Remote Management
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Secure Behavior Reliable Behavior
Safe Behavior MIND THE GAP
Resilient Behavior Privacy Expectations
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 – Need Assurance of More Than Security – Need Assured Trustworthy Systems
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Pervasiveness of connected SW & SW-enabled capabilities requires supply chain security skills / new awareness of SW risks IT Risk Operational Risk
Loss of data or capability Loss of safety or reliability Loss of property or lives
Scratch Built Software Assembled Software
Majority of products built with Use of open source and 3rd party libraries, no 3rd Party dependencies modules, frameworks, and services Multi-party software updating/patching Traditional Computers Software Enabled Everything
Servers databases Healthcare Implantable Medical Smart Munitions Desktops office apps Aeronautics Smart Manufacturing Intelligent Vehicles Laptops e-mail Smart Energy Water Treatment Intelligent Shipping Tablets browsers Oil & Gas Hydro Power Dam Management Switches Routers Microgrids Smart Cities Building Management Autonomous Systems
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 For Software-Enabled IIoT Version Control is Crucial
Tracking details for SW & HW components Services • SW & HW Part numbers/names • SW & HW versions • Libraries & Frameworks Used • Tool Chain Used/Flags/Options Applications • Languages & versions used
Source Code Operating System
Libraries & Firmware Frameworks
Compilers MicroElectronics
Language Specifications
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Supply Chain for Software-Enabled Capabilities is Opaque
Tier 4 Manufacturer/ ? Supplier ? ? ? ? Tier 2 Manufacturer/ Tier 3 Manufacturer/ Tier 4 Manufacturer/ ? Customer Supplier Supplier Supplier ? Tier 3 Manufacturer/ Supplier Contractor ? Tier 2 Manufacturer/ ? Integrating Supplier Manufacturer/ US ? Supplier Tier 3 Manufacturer/ Global ? Supplier
Tier 2 Manufacturer/ Tier 2 Manufacturer/ Foreign Supplier Supplier
Off-shore Foreign Supplier Location Software COTS US Foreign Developers
Supplier Reuse Acquire
Develop Outsource In-house ? ? ? ? ? © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Market Transparency through “Software Bill of Materials” • Third party components are a known systemic risk. • Transparency can drive tools and behavior to document risk, support mitigations, and drive better SW development practices. • NTIA at Commerce launched an open, community-driven, cross- sector “multistakeholder process” to promote software component transparency. • Understand the problem and define basics of SBOM • Develop use cases across sectors on how such data can be used, today and in the future. • Guidance on how to use existing standards to implement SBOM • Software ID tags (SWID) • Software Package Data Exchange (SPDX) • First phase deliverable mid-November 2019 • More info or to join: [email protected]
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 NTIA Transparency Phase 1 Final Products
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Lowering Adoption Hurdles for SBOMs
• Water • Agriculture and Food • Public Health • Energy • Telecommunications • Transportation • Banking and Finance • Chemical Industry • Key Assets • Postal and Shipping
End Users in Industry, Government, and Commerce
• Medical Devices • Merchandise • Automobiles • Trains • Vessels/Boats • Building Mngt Sys • Software
Product & Service Suppliers
INTEGRATED DEVELOPMENT CLOUD TOOLS ENVIRONMENTS (IDES) Tool-to-Tool FRAMEWORKS BUILD CHOREOGRAPHY SOURCE CODE & SBOM Exchange PACKAGE Standard effort REPOSITORIES SOFTWARE COMPOSITION ANALYSIS Tools & Capabilities for Software
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Ecosystem of SW Development, Integration, and Management Tools
Vulnerability Information
Licensing Package Repos Information (Public & Private)
Test
Source Code Repos (Public & Private) Operations
Build choreography Software Composition Analysis Capabilities Developer “Desktops”
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 SW Development, Integration, and Management Tools Source Code & Package Repositories Amazon ECR, Assembla, Azure Container Registry, Beanstalk, Bitbucket, Codebase, Docker, GitHub, GitLab, Glitch, Google Container Registry, JFrog Artifactory, JFrog Xray, inedo, Kubernetes, Launchpad, Maven, Nexus (Sonatype), Phabricator, ProjectLocker, Repository Hosting, Savannah, SourceForge, SourceRepo, Subversion, and Unfuddle
Build & Build Choreography Capabilities Ansible, Autorabit, Bamboo, Bitrise, Buildkite, Buildroot, CircleCI, CMake, CruiseControl, Final builder, GCC, Gitlab CI, GoCD, Integrity, Jenkins, Strider CD, TeamCity, Terraform, Travis CI, Urbancode, and Vagrant
Developer Desktops (Embedded, Web, Cloud, Desktops/Servers) IDEs: Android Studio, AppCode, Atom, BlueJ, CLion, Cloud9 IDE, Code Blocks, CodeCharge Studio, CodeLobster, CodePen, DataGrip, Eclipse, GoLand, IDLE, IntelliJ IDEA, LINX, Microsoft Visual Studio, Software Composition Analysis: MPLAB, NetBeans, PhpStorm, Pycharm, Rider, RubyMine, Spiralogics Application Architecture, Black Duck Software Composition Analysis (Synopsys), WebStorm, Xcode, and Zend Studio CAST Highlight (CAST Software), Finate State, FlexNet Frameworks: .NET, Angular, Ansible, Apache Spark, ASP.NET, Bootstrap, Chef, Cordova, CryEngine, Code Insite (Flexera), Ion Channel, Insignary, Django, Drupal, Express, Flask, Flutter, Hadoop, HTML5 Builder, Laravel, Node.js, Pandas, Puppet, SourceClear, Sonatype, Snyk, and WhiteSource React Native, React.js, Ruby on Rails, Spring, TensorFlow, Torch/PyTorch, Unity D, Unreal Engine, Visual Online, Vue.js, and Xamarin Cloud Tools: Azure, AWS CodeBuild, Cloud Foundry, Google Cloud Build, Kwatee, Pivotal, and Red Hat
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usage Scenarios for Tool-to-Tool SBoM
Refer, Transfer or Purchase Proper and Legal (definition of what it is) (conditions about its use) Pedigree Known Sw Vulns (history of how it was produced) (known fixes are applied to it) Provenance Assurance (chain of custody of it) (safe-secure-resilient) Integrity SBoM of a SW Service (cryptographic basis of unalteredness) (SBoM of sw delivering service) Supply Chain Sequence Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usage Scenarios and Tool-to-Tool SBOM candidate elements Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp None 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 SBoM elements Usages Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp None 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 SBoM elements Usages Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp None 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 SBoM elements Usages Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp None 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method
Pedigree •------SBoM Time-Stamp None 2 (history of how it was produced) •------Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp 2 (history of how it was produced) •------Vulnerability Knowledge Bases Supplier Vulnerability Management Systems Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp 2 (history of how it was produced) •------Notes on exploitability of vulns Supplier Vulnerability Knowledge Bases Provenance •------Weakness Knowledge Bases 3 (chain of custody of it) Components •------(sources, executables, patches) Assessment Results Integrity •------Design Review 4 (cryptographic basis of unalteredness) •------Version Code Review Attack Surface Analysis Intellectual Property •------Notes Constraints Static Analysis 5 •------Licenses
SBoM Hash/Signature SBoM Dynamic Analysis Known SW Vulns Created Using Fuzz Testing 6 (known fixes are applied to it) Pen Testing Created By Assurance Blue Teaming Red Teaming 7 (secure-safe-resilient) Item Hash/Signature Organized as an Assurance Case SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp 2 (history of how it was produced) •------Logging SBOMs of Services Used Supplier Provenance •------3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Usages SBoM elements Correlated Info Refer, Transfer or Purchase Author of SBoM (definition of what it is) 1 SBoM population method Pedigree •------SBoM Time-Stamp Desired sequence of ordered software 2 (history of how it was produced) •------supply chain steps, and requirements for Supplier Provenance •------each step for a specific project of interest 3 (chain of custody of it) Components •------(sources, executables, patches) Integrity •------4 (cryptographic basis of unalteredness) •------Version Intellectual Property •------Notes Constraints 5 •------Licenses SBoM Hash/Signature SBoM Known SW Vulns 6 (known fixes are applied to it) Created Using Created By Assurance 7 (secure-safe-resilient) Item Hash/Signature SBoM of a SW Service 8 (SBoM of sw delivering service) Supply Chain Sequence 9 Integrity
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Launched 24 Sep 2019
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 GCC
Microsoft Visual Studio Jenkins
NetBeans GitHub
CycloneDX
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Whitepaper CISQ OMG RFC ISO Std
• Socialize at Mar19 OMG meeting • Draft SBoM as a Whitepaper in 3-day CISQ SBoM working session at Sep OMG meeting • Prototype draft format in tool ecosystem, revise and draft RFC based on prototype results • Co-submit draft RFC w/CISQ to OMG at Dec19 or Mar20 meeting • Mar20/Jun20 OMG meeting – charter FTF • Jun20/Sep20 OMG meeting - approve as OMG Standard • Sep20/Dec20 Fast Track to ISO
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Software Development, Integration, and Management Tools
Software Tools
Software Software Tools Tools Software Software Software Tools Tools Tools
Multiple Software Bill of Marketplaces Materials (SBoM) ENTERPRISE MEDICAL FINANCIAL SOFTWARE INDUSTRY RETAIL MINING … ENERGY
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Exploitable Weaknesses, Vulnerabilities & Exposures • Weakness: mistake or flaw condition in ICT architecture, design, code, or process that, if left unaddressed, could under the proper conditions contribute to a cyber-enabled capability being 2005 vulnerable to exploitation; represents potential WEAKNESSES source vectors for zero-day exploits -- Common 2012 Weakness Enumeration (CWE) VULNERABILITIES Uncharacterized https://cwe.mitre.org/ Weaknesses CVEs Unreported or • Vulnerability: mistake in software that can be 1999 undiscovered directly used by a hacker to gain access to a (reported, CWEs publicly Vulnerabilities (characterized, system or network; configuration known Exposure: Zero-Day Vulnerabilities discoverable, vulnerabilities possibly exploitable issue of a mistake in logic that allows (previously unmitigated unauthorized access or exploitation – Common and weaknesses with 2002 exposures) weaknesses that are mitigations) Vulnerability and Exposure (CVE) exploited with little https://cve.mitre.org/ or no warning) • Exploit: take advantage of a weakness (or 2005 multiple weaknesses) to achieve a negative technical impact -- attack approaches from the set of known exploits are used in the Common Attack Pattern Enumeration and Classification (CAPEC) https://capec.mitre.org
The existence (even if only theoretical) of an exploit designed to take advantage of a weakness (or multiple weaknesses) and achieve a negative technical impact is what makes a weakness a vulnerability. © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Assurance needs to address the Hazards & Attacks that can impact SW-Based Mission Functions Known Hazard/Attack Weaknesses Counter Technical Mission/Business Threats Activation (CWEs) Measures Impacts to Impacts & Hazards Patterns - Actions* Mission (CAPECs) Capabilities
Hazard Weakness Item Impact /Attack
Asset
Hazard Weakness Item /Attack Impact
Function System & Hazard/ System Security Attack Weakness Engineering Impact Trades Asset
Weakness Item
“Counter Measures - Actions” include: choices about architecture, design, physical decomposition, and operational approaches; adding/changing security/safety functions, protection schemes, activities & processes; use of static & dynamic code assessments, dynamic testing, physical testing, and pen testing; attack surface & fault-tree analysis, architecture and design reviews
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Assurance needs to address the Hazards & Attacks that can impact SW-Based Mission Functions Known Hazard/Attack Weaknesses Counter Technical Mission/Business Threats Activation (CWEs) Measures Impacts to Impacts & Hazards Patterns - Actions* Mission (CAPECs) Capabilities
Hazard Weakness Item Impact /Attack
Asset
Hazard Weakness Item /Attack Impact
Function System & Hazard/ System Security Attack Weakness Engineering Impact Trades Asset
Weakness Item Most “Counter Measures - Actions” include: Important choices about architecture, design, physical decomposition, and operational approaches; ? Weakness adding/changing security/safety functions, protection schemes, activities & processes; use of static & dynamic code assessments, dynamic testing, physical testing, and pen testing; attack surface & fault-tree analysis, architecture and design reviews
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Utilizing Appropriate Detection Methods to Collect Evidence to Gain Assurance… Artifacts Detection Methods Coverage Design Review CONOPS Code Review Requirements Attack Surface Analysis CVE, Architecture Static Analysis Tool A CWE, Design CAPEC, … Process Static Analysis Tool B Most Code Important Dynamic Analysis Tool C Binary Quality Issues Running Binary Fuzz Testing
Environment of System Pen Testing
Use of Mission Software Blue Teaming
Red Teaming © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Multiple Sources of Assurance Evidence from Throughout the Lifecycle of the item(s) needing Assurance. CONOPS evaluation
Red Teaming Attack Surface Analysis
Blue Teaming Architecture Analysis Evidence
Penetration Testing Design Analysis/Review
Dynamic Runtime Analysis Static Analysis
Malformed Input Testing (Fuzzing)
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Different Perspectives on Assurance of Trust Insurer How do I Operator underwrite? • How do I use this? • Can I trust it? • Am I responsible if it makes a mistake? Researcher What technology is needed to ensure trust? Commander/ Manager • Can I reliably use in operations? • What changes operationally? Creator • How should I design and build? Regulator • Will I be liable for problems? Is it safe? Acquirer • How do I express Community requirements? Patron • Do I want this in my • Will it work they way • Is it safe? it should? backyard? • Should I use it? • Can I count on it? • Can I count on it?
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Financial Health Reputation Basis of Trust Ownership Agreements Partners Facilities Security Leadership Cyber Security Personnel Software Assurance Training Hardware Assurance History External Influences Shipping Container Firmware/Bitstream Financial Stability Pallet Software Quality Maliciousness Box Software Composition Device Software Pedigree Organizational Security Hygiene Boards Software Provenance Quality Culture Counterfeit Chips (FPGA/ASIC) Updates Malicious Taint Suppliers
Physical Access/Touch Remote/Virtual Access/Touch Facilities Security Reputation Cyber Security History Software Assurance Ownership Hardware Assurance Personnel Training
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Need Standards to Drive Consistency in Discussing and Conveying Assurance due to the Sector-2-Sector linkages
Solar
Nuclear Electricity Generation Hydro
Wind Energy Rejected Residential Geothermal
Natural Gas Commercial Energy Services
Coal Industrial
Biomass
Transportation Petroleum
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Establishing Assurance - Reducing Uncertainty
Verification & Evidence Related standards: While Assurance does not provide Validation ISO/IEC 15026; additional security services or SACM, GSN/CAE Engineering safeguards, it does serve to reduce Evidence the uncertainty associated with Process vulnerabilities resulting from Architecture Assurance – Bad practices Evidence Assessment Argument – Incorrect & inefficient safeguards
Implementation Evidence The result of System Assurance is Assessment justified confidence delivered in Assurance the form of an Assurance Case Other Areas Evidence Case
TYPES OF EVIDENCE FOR AN ASSURANCE CASE Confidence demands objectivity, scientific method and cost-effectiveness
50 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Assurance Claims with Support of ‘Substantial’ Reasoning
• Claims are assertions put forward for general acceptance
• The justification for claim based is on some grounds, the Stephen Toulmin, 1958 “specific facts about a precise situation that clarify and make good for a claim” • The basis of the reasoning from the grounds (the facts) to the Backing claim is articulated. • Toulmin coined the term “warrant” for “substantial argument”. • These are statements indicating the general ways of argument being applied in a particular case and implicitly relied on and Warrant whose trustworthiness is well established”. (probably) • The basis of the warrant might be questioned, so “backing” for the warrant may be introduced. grounds Backing might be the validation of the scientific and Modality claim engineering laws used.
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Basics of an Assurance Case
Assumptions & Preconditions Claim = Claim assertion to be proven Sub-Claim Sub-Claim
Argument = Argument Argument how evidence supports claim
Evidence = Evidence Evidence required documentation
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Assurance Case Medical Space Aeronautics Rail Automotive Shipping Autonomous Critical Infrastructure Cyber Physical Systems…
Dependability Engineering Innovation for Cyber Physical Systems
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Communicating Assurance to Gain Trust NIST SP800-160 NIST SP800-53r4
ISO/IEC 15026-2 Assurance Case OMG Structured Assurance Case Metamodel (SACM)
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 https://www.ida.org/-/media/feature/publications/a/as/a-sample-security-assurance-case-pattern/p-9278.ashx © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Tornado Operational Safety Case
Apportionment of Ownership: White = Generic, Green = Air Command, Orange = DE&S, Red = Contractors © 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Assurance Case for a System Builder using Assured Components
Exchange and Composition of Assurance Cases between tools and programs
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 The Assurance Case for a System Builder using Assured Components
Exchange and Composition of Assurance Cases between tools and programs
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 TRANSPARENT ASSURANCE AS A BASIS FOR TRUST - FUTURE
Assurance Case
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24 Questions? IIC Journal of Innovation – September 2018 issue on Trustworthiness https://www.iiconsortium.org/journal-of-innovation.htm “Assuring Trustworthiness in an Open Global Market of IIoT Systems via Structured Assurance Cases” https://www.iiconsortium.org/news/joi-articles/2018-Sept-JoI_Assuring_Trustworthiness-FINAL2.pdf
© 2019 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case No: 19-01876-24