I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
1. I AM THE CAVALRY
http://iamthecavalry.org
@iamthecavalry
SHOULDN’T YOU BE ALSO?
2. CLAUS CRAMON HOUMANN
Infosec Community Manager @ Peerlyst
(A start-up Infosec community/Social platform that wants to turn the
tables on cyber security)
Infosec Consultant
The Analogies contributor
Twitter: @claushoumann
6. WHERE DO WE SEE CONNECTIVITY NOW?
In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars
7. HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ?
In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars
8. SAY BABY MONITORS AGAIN?
In Our Homes
Source: Rapid7 research/Mark Stanislav: Baby monitors
https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf
25. NEVER DOUBT THAT A SMALL GROUP
OF THOUGHTFUL, COMMITTED
CITIZENS CAN CHANGE THE WORLD;
IT’S THE ONLY THING
THAT EVER HAS.
- MARGARET MEAD
(AN AMERICAN CULTURAL ANTHROPOLOGIST)
26. The Cavalry isn’t coming… It falls to us
Problem Statement
Our society is adopting connected
technology faster than we are able to
secure it.
Mission Statement
To ensure connected technologies with
the potential to impact public safety
and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass roots initiative
What: Long-term vision for cyber safety
Domains: Medical, Automotive, Connected Home, Public Infrastructure
I Am The Cavalry
27. Connections and Ongoing Collaborations
5-Star Framework
5-Star Capabilities
Safety by Design – Anticipate failure and plan mitigation
Third-Party Collaboration – Engage willing allies
Evidence Capture – Observe and learn from failure
Security Updates – Respond quickly to issues discovered
Segmentation & Isolation – Prevent cascading failure
Addressing Automotive Cyber Systems, bringing together: Automotive Engineers, Security Researchers, Policy Makers, Insurance Analysts, Accident Investigators, Standards Organizations
https://www.iamthecavalry.org/auto/5star/
28. 5-Star Cyber Safety
Formal Capacities (Plain Speak)
1. Safety By Design (Avoid Failure)
2. Third Party Collaboration (Engage Allies To Avoid Failure)
3. Evidence Capture (Learn From Failure)
4. Security Updates (Respond to Failure)
5. Segmentation and Isolation (Isolate Failure)
29. Highlights from the past year
• Atlantic Council workshop and paper [1]
• FDA Pre-Market Guidance and Workshop [2]
• IEEE Workshop
• Embraced by healthcare community conferences
• Atlantic Council Cyber Wednesday [3]
• Vulnerability Disclosure Policies
• Vulnerability Disclosure Brainstorming and Education with FDA
• Safety Communications BEFORE evidence of harm
[1] http://www.atlanticcouncil.org/publications/reports/the-healthcare-internet-of-things-rewards-and-risks
[2] http://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm412979.htm
[3] http://www.atlanticcouncil.org/events/webcasts/cyber-risk-wednesday-the-healthcare-internet-of-things-rewards-and-risks
With FDA as a key partner
32. AND MORE IN OTHER AREAS COMING
We try to connect researchers to
1. Lawmakers, to inform them of meaningful changes to laws that would enforce secure by default
2. Vendors/producers, to inform them of secure ways to build securely by design and of identified vulnerabilities
3. Purchasers of devices (example: pacemakers, car distributors), to explain to them why they need to contractually demand security – if there is demand, vendors will supply
Vulnerable baby monitors (Rapid7, Hacking IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities): https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf
Baby monitors: Sure, but who’s monitoring? Who do we want monitoring?
Nearly all merchants have been breached.
Nearly all F100 have lost intellectual property and trade secrets.
Acceptable fraud rates…
With consequences including flesh & blood… what IS an acceptable failure rate for cars?
MURPHY’S LAW PHOTO: http://www.localwineandspirits.com/labels/murphyslaw_front.jpg
BOMB photo: http://tribune.com.pk/story/607940/casualties-four-li-militants-die-in-ied-explosion-in-khyber-agency/
A superhero to the rescue! We all love superheroes, right?
Ripples interact
Ripples can cause abnormally large waves
Or a tsunami – but tsunamis can change/break a lot of things, they are a safety risk, and they create fear
Security researchers are also working on the issue, in our shared domain.
Goal: More informed decision-making, not supplant their judgment with ours
https://www.iamthecavalry.org/domains/automotive/5star/
★ Safety by Design
Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?
The public is informed and assured of your commitment to safety when you publish the extent to which you ensure that software is reasonably free of flaws. The goal is to convey confidence to the general public and to allow consumers to make informed choices among market alternatives. Software manufacturers, such as Microsoft and others, make this attestation and could serve as a model for automakers.
Key Elements:
Standard Based: Use of vetted ISO, NIST, or Industry standards would both accelerate an organization’s maturity and ensure more predictable, normalized, comprehensive practices.
Supply Chain Rigor: Well-governed, traceable hardware & software supply chains enable more defensible products and more agile remediation times – especially amidst variable quality, security, and provenance.
Reduction of Elective Attack Surface & Complexity: There are relationships between security and: complexity, interfaces, attack surfaces, code flaws per thousand lines of code, etc. As such, more secure designs seek to minimize these types of exposure.
Independent, Adversarial Resilience Testing: Adversarial testing should be carried out by qualified individuals, independent of those who designed and implemented the code. These individuals can be internal resources under a different organizational branch or third-parties.
http://www.microsoft.com/en-us/sdl/video/default.aspx
https://www.iamthecavalry.org/domains/automotive/5star/
★ Third Party Collaboration
Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers. Researchers are invited to contribute to automotive safety as willing allies to help discover and address flaws before adversaries and accidents can impact vehicle safety. Such coordinated exchanges are more positive, productive, and impactful than other alternatives. Your attestation serves as a commitment and a protocol for teaming.
Key Elements:
Standard Based: Use of vetted ISO standards for vendor-side disclosure practice and for internal vulnerability handling (ISO 29147 and ISO 30111) accelerates an organization’s maturity and ensures predictable, normalized interfaces to researchers and facilitators.
Positive Incentives: Positive “Recognition & Reward” systems can further encourage and stimulate participation in bug reporting. Several prominent “Hackathon,” “Hall of Fame,” and “Bug Bounty” programs have proven successful and continue to drive iterative improvements. Exemplars can be provided.
Known Interfaces: Independent vulnerability disclosure coordinators have normalized the interfaces between affected manufacturers and third-party researchers. These include non-profit organizations, bug bounty companies and government agencies. This too can support both greater efficiency and greater participation.
http://www.k9tec.com/wp-content/uploads/2011/10/beware-of-dog-shepherd.jpg
Vs
https://img1.etsystatic.com/046/0/8940891/il_214x170.676543507_88cr.jpg
https://www.iamthecavalry.org/domains/automotive/5star/
★ Evidence Capture
Do your vehicle systems provide tamper evident, forensically-sound logging and evidence capture to facilitate safety investigations?
Safety investigations drive substantial improvements, and records of electronic systems operations give visibility into root causes that may otherwise be opaque. These records can plainly show sources of error, be they malfunctions, design defects, human error or deliberate attack. Those waiting for proof of hacking or electronic sabotage will not find evidence without such logging and evidence collection in place. This capability will require more effort, over time, than others on this list, but it is foundational for improving safety in the long-term so starting now will help us achieve this goal.
Key Elements:
Logging and Legal Standards: A lowest-common-denominator syntax and verbosity would increase the value within a manufacturer and across the industry. Also, conforming to existing legal standards of care around cyber forensics would be prudent (e.g. chain of custody for evidence).
Improve effectiveness of NHTSA: The National Highway Traffic Safety Administration (NHTSA) investigates automobile safety issues. In the absence of a “black box” capability as in airplanes, these investigations lack full visibility into potential causes of safety issues. Collecting and retaining data as recommended will facilitate their investigations and improve their ability to perform causal analyses.
Privacy Sensitivity: The universal benefits/subset of features of a “black box” as outlined here can meet its intended functions without requiring privacy and surveillance infractions of citizens across the complexities of various states/countries/jurisdictions. Debates over the capture of data like GPS movement tracking or other recordings of citizens can be decoupled from safety to avoid unnecessary entanglement.
https://anthrograph.files.wordpress.com/2012/04/blackbox1.jpg
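A worked illustration of the tamper-evident logging this star asks for, added here as an example and not code from the original deck or from I Am The Cavalry: a hash-chained, MAC-authenticated event log in Go. Each record commits to the digest of the one before it, so editing, reordering or deleting a record is detectable afterwards. The ECU names, event text and key are constructed for the example; a real recorder would keep the key in protected hardware.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record of the hash-chained event log. Every entry commits to
// the digest of its predecessor, so editing, reordering or deleting a record
// breaks the chain from that point on.
type Entry struct {
	Seq      uint64
	Source   string // hypothetical ECU name, e.g. "brake-ctrl"
	Message  string
	PrevHash string // hex digest of the previous entry ("" for the first)
	Hash     string // HMAC-SHA256 over Seq, Source, Message and PrevHash
}

// Log is the recorder. The MAC key is an assumption of this example: on a
// real vehicle it would live in a hardware-protected store, out of reach of
// the same attacker who can rewrite flash.
type Log struct {
	key     []byte
	entries []Entry
}

func NewLog(key []byte) *Log    { return &Log{key: key} }
func (l *Log) Entries() []Entry { return l.entries }

// digest length-prefixes every field so that moving a delimiter between
// fields cannot produce the same MAC input.
func digest(key []byte, seq uint64, fields ...string) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%d", seq)
	for _, f := range fields {
		fmt.Fprintf(mac, "\x00%d:%s", len(f), f)
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// Append records an event, linking it to the current head of the chain.
func (l *Log) Append(source, msg string) Entry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.entries)), Source: source, Message: msg, PrevHash: prev}
	e.Hash = digest(l.key, e.Seq, source, msg, prev)
	l.entries = append(l.entries, e)
	return e
}

// Verify replays the chain and returns the index of the first entry that
// fails (sequence gap, broken back-link or bad MAC), or -1 if all is well.
func Verify(key []byte, entries []Entry) (int, error) {
	prev := ""
	for i, e := range entries {
		if e.Seq != uint64(i) {
			return i, fmt.Errorf("entry %d: sequence gap, got seq %d", i, e.Seq)
		}
		if e.PrevHash != prev {
			return i, fmt.Errorf("entry %d: back-link does not match predecessor", i)
		}
		want := digest(key, e.Seq, e.Source, e.Message, e.PrevHash)
		if !hmac.Equal([]byte(want), []byte(e.Hash)) {
			return i, fmt.Errorf("entry %d: MAC mismatch", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

// TamperDemo builds a constructed three-event log, confirms it verifies,
// then edits the middle record the way an attacker hiding a dropped frame
// would, and reports where verification now fails.
func TamperDemo() (intactBefore bool, failsAt int) {
	key := []byte("constructed-demo-key-not-for-production")
	l := NewLog(key)
	l.Append("infotainment", "bluetooth: new device paired")
	l.Append("gateway", "dropped CAN id 0x0C0 arriving from infotainment bus")
	l.Append("brake-ctrl", "ABS actuation command received")
	_, err := Verify(key, l.Entries())
	intactBefore = err == nil
	l.entries[1].Message = "no events"
	failsAt, _ = Verify(key, l.Entries())
	return intactBefore, failsAt
}

func main() {
	ok, at := TamperDemo()
	fmt.Printf("intact before tampering: %v, first bad entry after: %d\n", ok, at)
}
```

Two caveats a forensic reviewer would raise. The chain detects edits, reorders and deletions inside the record but not truncation of the tail, so the recorder has to anchor the current head hash somewhere the attacker cannot reach (a monotonic counter in secure hardware, or a periodic upload). And an HMAC means anyone holding the key can forge, so for evidence that must convince a third party the signing variant (private key on the ECU, public key with the investigator) is the stronger design. Neither needs GPS tracks or cabin audio, which is the privacy point made above.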
https://www.iamthecavalry.org/domains/automotive/5star/
★ Security Updates
Can your vehicles be securely updated in a prompt and agile manner?
Security and functionality flaws require the ability to be remediated in a prompt, reliable, secure manner. If emergent security issues cannot be remediated quickly and easily, the window of exposure is increased and the cost of recall, repair, and restitution will grow significantly. The recent Heartbleed flaw put hundreds of thousands of devices at risk. Without the ability to update software in the field, similar flaws in automobiles would require carmakers to undertake a costly factory recall or accept the associated consequences of perpetual, critical security issues.
Key Elements:
Secure Updating System: While updating is a necessary capability, an insecure update design could facilitate adversaries or trigger accidents. Authenticity and quality verification preserves the integrity of the updates and leads to a safer mechanism that can prevent digital tampering or unexpected failures.
Service Level Agreements (SLA): While it is critical to be able to update a vulnerable system, valuable aspects like Mean Time To Repair (MTTR) will vary amongst manufacturers. Those who commit to a faster delivery and/or a higher standard of quality will better ensure safety.
Robust Notification/Communication: Public communication should be transparent and forthright. Decades of experience in the software industry have taught that the best way to ensure security and safety are: notification of when and where flaws exist, their severity, contents of the update, and clear instructions.
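The authenticity and anti-rollback checks under “Secure Updating System”, as an added Go example (not the page’s own code and not any manufacturer’s implementation): the vendor signs a manifest binding the version number to the image digest with Ed25519, and the ECU refuses unsigned, tampered or older updates before anything is flashed. The key pair, image bytes and version numbers are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The signature covers the version
// and the image digest together, so an attacker can neither swap the image
// nor re-label an old, vulnerable image as the latest release.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Sig       []byte
}

func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignManifest runs on the vendor side; the private key is assumed to stay
// offline (build-server HSM), never on the vehicle.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest version not newer than installed")
	ErrImageHash    = errors.New("image digest does not match manifest")
)

// VerifyUpdate is the ECU-side gate, run before anything is written to
// flash. Order matters: authenticate the manifest first (so an unsigned
// manifest cannot steer the later checks), then refuse rollback, then
// compare the digest of the bytes actually received against the manifest.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	return nil
}

// Scenario exercises the gate with constructed images and a fresh key pair:
// a genuine upgrade, a tampered image under a genuine manifest, a replayed
// old manifest against an ECU already on the newer version, and a manifest
// signed with an attacker's own key.
func Scenario() (good, tampered, replay, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	v1 := []byte("constructed firmware image v1")
	v2 := []byte("constructed firmware image v2 with the TLS fix")
	m1 := SignManifest(priv, 1, v1)
	m2 := SignManifest(priv, 2, v2)

	good = VerifyUpdate(pub, 1, m2, v2)
	tampered = VerifyUpdate(pub, 1, m2, append([]byte("implant+"), v2...))
	replay = VerifyUpdate(pub, 2, m1, v1)
	forged = VerifyUpdate(pub, 1, SignManifest(attackerPriv, 9, v2), v2)
	return good, tampered, replay, forged
}

func main() {
	good, tampered, replay, forged := Scenario()
	fmt.Println("genuine:", good, "| tampered image:", tampered, "| replay:", replay, "| forged:", forged)
}
```

The installed version that VerifyUpdate compares against has to be stored where a downgrade cannot reset it (a monotonic counter, not a file on the same flash as the image), and the public key only helps if the code doing the check is itself anchored by secure boot; otherwise an attacker who can write flash simply replaces the verifier. The digest check should also run again at every boot, not only at install time.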
https://www.iamthecavalry.org/domains/automotive/5star/
★ Segmentation and Isolation
Do you have a published attestation of the physical and logical isolation measures you have implemented to separate critical systems from non-critical systems?
If critical and non-critical systems share the same memory, computing, and/or circuitry (as most current generation cars do), a compromise of a non-critical system can escalate to loss of life and limb. Such risks are entirely avoidable and merit a higher standard of care. For instance, a malicious infotainment application or a compromise over Bluetooth or wireless should never have the ability to take control over critical functions such as disabling the brakes, deploying airbags, or turning the steering wheel. Hacking the infotainment system should never cause an accident.
Key Elements:
“Air Gaps”: Physical separation is the only way to ensure that non-critical systems cannot adversely impact primary, operational, and safety systems (e.g. hacking the stereo can never cause a crash). While some manufacturers are planning, discussing, or implementing logical isolation techniques, methods to circumvent these measures are routinely discovered and demonstrated.
System Integrity/Recovery: Techniques exist to indicate when a system has been compromised. Earlier detection can reduce the total duration and extent of the compromise as well as catalyze remediation. In some cases, a “fail safe” or “safe mode” can be an automatic fallback safety mechanism. Any choices should be scrutinized with experienced adversary/threat analysis as they may introduce new attack or denial of service opportunities.
Enhanced Assurance: Given the potential for harm, a higher rigor and level of assurance is merited. Third-party review and validation of architecture, implementation, and adversary resilience testing can raise confidence. Similarly, Operating System choices such as Mandatory Access Control (MAC) architectures reduce risk. “Formal Methods” of engineering and more secure protocols merit consideration. Evaluation examples may be instructive (e.g. “Common Criteria EAL 5+”).
http://www.bluebird-electric.net/submarines/submarine_pictures/skipjack_class_submarine_drawing_scorpion.gif
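One way to show what “logical isolation” between buses means in code, as an added example and not the framework’s or any OEM’s implementation: a default-deny CAN gateway in Go that lets a single powertrain-to-infotainment broadcast cross, with a payload sanity check, and drops everything else. The segment names, the CAN IDs (0x1A0, 0x0C0) and the speed encoding are constructed for the example.

```go
package main

import "fmt"

// Segment names the two buses the gateway bridges. The CAN IDs used below
// are constructed for this example; real IDs are OEM-specific.
type Segment string

const (
	Infotainment Segment = "infotainment" // head unit, Bluetooth, telematics
	Powertrain   Segment = "powertrain"   // engine, brakes, steering
)

type Frame struct {
	ID   uint32
	Data []byte
	From Segment
}

// Rule admits one CAN ID in one direction, optionally with a payload check
// so that even a permitted ID cannot carry out-of-range values across.
type Rule struct {
	ID    uint32
	From  Segment
	To    Segment
	Valid func(data []byte) bool // nil means no payload check
}

// Gateway is default-deny: a frame crosses only if some rule matches its
// ID, origin segment and destination, and its payload passes that rule's
// check. Everything else stays on the bus it came from and is recorded so
// the evidence-capture log can pick it up.
type Gateway struct {
	Rules   []Rule
	Dropped []Frame
}

func (g *Gateway) Forward(f Frame, to Segment) bool {
	for _, r := range g.Rules {
		if r.ID == f.ID && r.From == f.From && r.To == to {
			if r.Valid == nil || r.Valid(f.Data) {
				return true
			}
		}
	}
	g.Dropped = append(g.Dropped, f)
	return false
}

// speedValid accepts the constructed speed broadcast: two big-endian bytes
// in units of 0.1 km/h, capped at 300 km/h. A receiving ECU should not
// trust a value merely because it arrived with the right ID.
func speedValid(d []byte) bool {
	return len(d) == 2 && uint16(d[0])<<8|uint16(d[1]) <= 3000
}

// Demo bridges three constructed frames through a gateway whose only rule
// lets the speed broadcast flow from powertrain to infotainment (for the
// navigation display) and reports which ones crossed.
func Demo() (brakeCmdCrossed, speedCrossed, spoofedSpeedCrossed bool, dropped int) {
	g := &Gateway{Rules: []Rule{
		{ID: 0x1A0, From: Powertrain, To: Infotainment, Valid: speedValid},
	}}
	// head unit tries to inject a (constructed) brake-command ID
	brakeCmdCrossed = g.Forward(Frame{ID: 0x0C0, Data: []byte{0xFF}, From: Infotainment}, Powertrain)
	// legitimate 50.0 km/h broadcast towards the display
	speedCrossed = g.Forward(Frame{ID: 0x1A0, Data: []byte{0x01, 0xF4}, From: Powertrain}, Infotainment)
	// same ID, but originating on the wrong bus and heading the wrong way
	spoofedSpeedCrossed = g.Forward(Frame{ID: 0x1A0, Data: []byte{0x01, 0xF4}, From: Infotainment}, Powertrain)
	return brakeCmdCrossed, speedCrossed, spoofedSpeedCrossed, len(g.Dropped)
}

func main() {
	b, s, sp, d := Demo()
	fmt.Printf("brake cmd crossed=%v speed crossed=%v spoofed speed crossed=%v dropped=%d\n", b, s, sp, d)
}
```

This is exactly the kind of control the text above says is routinely circumvented: the gateway is itself software with its own update path and attack surface, and a compromise of the gateway ECU removes every rule at once. It is worth having (and its Dropped list is what the evidence-capture star should be recording), but it is not a substitute for physically separating the safety-critical bus.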
Conferences
HIMSS Conference
HIMSS Events
Poland gov’t
NH-ISAC/SANS
In May FDA issued a Safety Communication about the Hospira pump PCA3 and PCA5 as well, and we also issued a more generic one back in June 2013 that was not product-specific. The key difference with this one is that this is the first time we strongly encouraged discontinued use of the device due to the cyber concerns.