Hazmat Signs for Industrial Software ... If They Existed, What Would They Look Like?

Hazmat Signs for Industrial Software …if they existed, what would they look like?

Bryan Owen PE, OSIsoft LLC

cred-c.org | 1 Most Industrial Software is ‘Toxic’

cred-c.org | 2 Toxicity The degree to which a chemical substance can damage an organism • Whole organism • Organs, • Tissue, • Or even cellular damage.

cred-c.org | 3 Toxin Categories

Biological Corrosive Physical Non-Ionizing Hazard Hazard Hazard Radiation Hazard

cred-c.org | 4 “Cyber” – Bio Hazard

Abuse of legitimate ICS functionality • Stuxnet • Crashoverride / Industroyer

Biological • Eg Protocols: IEC101, IEC104, and Hazard IEC61850

cred-c.org | 5 “Cyber” – Corrosive Hazard

Non-ICS specific Ransomware & Wipers • Brickerbot • Not Petya / WannaCry • Shamoon Corrosive Hazard • Eg Protocols: SMB, Telnet

cred-c.org | 6 “Cyber” – Physical Hazard

Enlistment in bots • Carna • Mirai • Reaper • And many other similar threats Physical Hazard

cred-c.org | 7 “Cyber” – Radio Hazards

Recent malware targeting radios • BadBIOS • BlueBorne • WPA2 Krack Non-Ionizing Radiation Hazard

cred-c.org | 8 Chemical Hazard Labels – NFPA Diamond

FLAMABILITY 0 4 Least Most Serious Serious HEALTH REACTIVITY 0 Will Not Burn SPECIAL HAZARDS Shock and Heat 3 May Detonate

cred-c.org | 9 Cyber Hazard Labels: “C-I-A Triad Model”

Remote, Anonymous, Default 4 Configuration, Root Access INTEGRITY Remote, Anonymous, Default 3 Configuration, User Access Remote, Authenticated, Default CONFIDENTIALITY AVAILABILITY 2 Configuration, Root Access Remote, Authenticated, Custom 1 Configuration, Write Access SPECIAL HAZARDS Remote, Authenticated, Read 0 Access

cred-c.org | 10 Cyber Hazard Labels: “V-A-T Model (OSSTMM)” 1/2 VISIBILITY ACCESS 4 Remote management endpoints 3 Remote write access endpoints VISIBILITY TRUST 2 Remote read access endpoints

SPECIAL Device broadcasts HAZARDS 1 0 No targets visible remotely

cred-c.org | 11 Cyber Hazard Labels: “V-A-T Model (OSSTMM)” 2/2 TRUST ACCESS Unmanaged 3P components, 3P 4 managed trust infrastructure 3 Unmanaged 3P components VISIBILITY TRUST 2 3P managed trust infrastructure SPECIAL Self-managed 3P components, HAZARDS 1 trust infrastructure Trusted foundry with 0 transparency

cred-c.org | 12 Cyber Hazard Labels: Cornell “SoS” Blueprint Blueprint for a science of cybersecurity The Next Wave Vol. 19 No. 2 | 2012 Fred B. Schneider Safety • No ‘bad thing’ happens ISOLATION Liveness • Some ‘good thing’ happens OBFUSCATION MONITORING

SPECIAL HAZARDS

cred-c.org | 13 Special Cyber Hazards: “Observables”

• Digital signature or unique hash • Documentation of third party components • Important dates (creation, last modified) • Memory safe frameworks and languages • User mode vs kernel or root A badness-omemter can’t • Execution flags (ASLR, CFG, DEP, NX, etc…) tell you that you’re secure. It can only tell you that • Network protocol safety you’re not. • Software update mechanism

Badness-ometers are good. Do you own one? by Gary McGraw https://www.synopsys.com/blogs/software-security/badness-ometers-are-good-do-you-own-one

cred-c.org | 14 Idea: Safety Data Sheets

cred-c.org | 15 Cyber Security Data Sheets Cyber Security Technical Assessment Methodology: Vulnerability Identification and Mitigation 3002008023 Final Report, October 2016

Michael Thow – EPRI Steve Hagan – Fisher Valves Dan Griffin – JW Secure John Connelly – Exelon Inman – Lanier – Fisher Valves Justin Kosar – Assoc. Electric Cooperative Manu Sharma – Exelon Mike Hagen – Fisher Valves Andrew Dettmer – Assoc. Electric Cooperative Kenneth Levandoski – Exelon Andrew Clark – Sandia National Laboratory Steve Ricker – East Kentucky Power Cooperative Brad Yeates – Southern Company Matthew Coulter – Duke Energy Phillip Turner – Sandia National Laboratory Scott Junkin – Southern Company Susan Ritter – Duke Energy Tim Wheeler – Sandia National Laboratory Richard Atkinson – Arizona Public Service Mark Denton – Duke Energy Alice Muna – Sandia National Laboratory Sandra Bittner – Arizona Public Service Norman Geddes – Southern Eng. Services Christine Lai – Sandia National Laboratory

cred-c.org | 16 EPRI TAM Overview

cred-c.org | 17 EPRI TAM – Attack Surface Characterization

cred-c.org | 18 Reference Cyber Security Data Sheets A key part of the Supply Chain • Step 1 & 2 by EPRI, Vendors, and Big Idea: other Stakeholders You can create a • Starting point for tailored CSDS CSDS too!

Cyber Security Technical Assessment Methodology: Vulnerability Identification and Mitigation 3002008023

cred-c.org | 19 http://cred-c.org

@credcresearch

facebook.com/credcresearch/

Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security