© Copyright William Young Mar 2016 [email protected]
Understanding STPA-Sec Through a Simple Roller Coaster Example
William Young Jr PhD Candidate, Engineering Systems Division
Systems Engineering Research Lab Massachuse<s Ins>tute of Technology
2016 STAMP Conference Boston, MA
March 23, 2016
© Copyright William Young Mar 2016 [email protected]
DISCLAIMER:
The views expressed in this presentation are are those
of the presenter and do not reflect the official policy or
position of the United States Air Force, Department of
Defense, Air Education and Training Command, Air
University, Air War College, or the U.S. Government
2
© Copyright William Young Mar 2016 [email protected]
Need to Address Security Pre-‐Architecture
3
Concept Development Production Utilization Retirement
Effe
ctiv
enes
s &
Cos
t to
Fix
Low
High
Problem Analysis Solution Development & Implementation
Systems Engineering Lifecycle
STPA-‐Sec Iden@fies and frames the security problem
Focus of tradi@onal security efforts
STPA-‐Sec Helps Rigorously Frame the “Right” Security Problem
© Copyright William Young Mar 2016 [email protected]
Just Because You Can, Doesn’t Mean You Should…Just Because it Works, Doesn’t Mean is Can Be Secured
© Copyright William Young Mar 2016 [email protected]
Whole System
SubSystem 1
Subsystem 2
Component
HW SW Human
Func@onal Purpose
Abstract Func@on
General Func@on
Physical Func@on
Physical Form
Whole -‐ Part
Ends -‐ Means
Conceptual
Physical
Tradi@onal Security Engineering Focus STPA-‐Sec Focus
© Copyright William Young Mar 2016 [email protected]
Scenario: You are part of the ACME Roller Coaster Company Security
Team
The R&D team has proposed a new 5D coaster.
6 *Original Scenario created by Danny Holtzman of MITRE Corp
© Copyright William Young Mar 2016 [email protected]
Scenario: You are part of the ACME Corporation Security Team
The CEO would like details from your team. “I want to know if building the Smart Coaster represents a risk to our operations that we should accept,” she says! “If we do accept the risk, what can you do about it as the security team?”
7
© Copyright William Young Mar 2016 [email protected]
Key Stakeholder is the ACME CEO
• You interview the CEO and she provides you some key insights – The ride represents a bet on the company’s future, she does
not want the stock to take a hit – She is concerned about losing company IP gained through
R&D for the coaster – She was a student of Nancy Leveson during her grad school
time at MIT and cares about safety – She likes the concept of creating a tailored thrill profile, but
states, “Don’t do an OPM!” – She states that she is unwilling to create a ride that doesn’t
deliver on ACME’s reputation for thrilling rides – Smart coaster likely will be the most expensive roller coaster
ever built and she doesn’t want it damaged
8
© Copyright William Young Mar 2016 [email protected]
• Overview: Synthesize a concise statement that describes what the system is supposed to do
• Elicit purpose, method, goals through discourse with stakeholders (& documents)
• Craft the description of the Functional Model – “A System to do {What = Purpose} by means of {How
= Method} in order to contribute to {Why = Goals}”
• Method will normally be a set of high-level activities representing stakeholders’ essential tasks / activities
9
Defining and Framing the Problem
Define & Frame Problem
Iden>fy Unacceptable
Losses
Iden>fy System Hazards / Constraints
Create Func>onal Control Structure
ID Hazardous Control Ac>ons
Generate Causal
Scenarios Mi>ga>ons and Controls
© Copyright William Young Mar 2016 [email protected]
A Potential Solution Based on Scenario:
10
• A System to deliver a safe, but thrilling experience to riders by means of loading, tailoring, launching, thrilling, offloading in order to contribute to con@nuing profitability and enhance reputa@on of ACME
This is a Statement Explicitly Describing the Problem, our Preferred Approach and the Overall Goal
© Copyright William Young Mar 2016 [email protected]
Unacceptable Losses from Scenario:
L1: Death or serious injury to rider or operator L2: Significant devalua@on of Acme stock L3: Significant Damage to Smart Coaster L4: Loss of Acme Intellectual Property L5: Loss of company reputa@on L6: Loss of consumer (rider) PII
11
L4 & L6 Would Generally Be Outside the Scope of TradiFonal Safety Analysis
Define & Frame Problem
Iden>fy Unacceptable
Losses
Iden>fy System Hazards / Constraints
Create Func>onal Control Structure
ID Hazardous Control Ac>ons
Generate Causal
Scenarios Mi>ga>ons and Controls
© Copyright William Young Mar 2016 [email protected]
Hazards for the Example
12
H1: Rider or operator exposed to dangerous physiological condi@ons
H2: Rider unsecure during ride opera@ons
H3: Smart Coaster operated outside of established parameters
H4: Intellectual Property exposed to unauthorized individuals
H5: Company takes ac@ons inconsistent with stated values
H6: Consumer (rider) PII exposed to unauthorized individuals
H7: Smart coaster fails to deliver calculated rider experience
H8: Worker in close proximity to track or car while ride in mo@on
H4 & H6 are Security Concerns, but all Others Could be Safety or Security
Define & Frame Problem
Iden>fy Unacceptable
Losses
Iden>fy System Hazards / Constraints
Create Func>onal Control Structure
ID Hazardous Control Ac>ons
Generate Causal
Scenarios Mi>ga>ons and Controls
© Copyright William Young Mar 2016 [email protected]
ACTIVITIES ENTITIES Onboard Diagnose Profile Launch Analyze Offboard Charge Attendant
Operator Operator Station Track
Car
Rider
En@ty / Ac@vity Diagram
Define & Frame Problem
Iden>fy Unacceptable
Losses
Iden>fy System Hazards / Constraints
Create Func>onal Control Structure
ID Hazardous Control Ac>ons
Generate Causal
Scenarios Mi>ga>ons and Controls
© Copyright William Young Mar 2016 [email protected]
E-‐A Diagram Block in Detail
Analyze
Operator Monitors system for alerts via the operator station displays. Warning indications provided for unsafe conditions, status of rider restraints, status of car gyros and readiness for expected maneuvers. Provides emergency stop command if required to stop ride and return to a safe state.
© Copyright William Young Mar 2016 [email protected]
© Copyright William Young Mar 2016 [email protected]
FEEDBACK
Control Ac@ons
• Fairly detailed control structure model can be created from a very abstract document • We can then do analysis for security to facilitate early trades
© Copyright William Young Mar 2016 [email protected]
Par@al Step I Table Entries for Emergency Stop Command from the Operator
Define & Frame Problem
Iden>fy Unacceptable
Losses
Iden>fy System Hazards / Constraints
Create Func>onal Control Structure
ID Hazardous Control Ac>ons
Generate Causal
Scenarios Mi>ga>ons and Controls
Screen Shot from XSTAMPP
© Copyright William Young Mar 2016 [email protected]
Why Would Operator Not Provide Emergency Stop When Required?
• HCA: Operator Does Not Provide Emergency Stop to Operator Control Sta@on when Dangerous Condi@ons Present
High Level Problems to be Resolved: 1) Inadequate process behavior– Operator control sta@on doesn’t provide Emergency Stop Command when Operator has sent it 2) Inadequate control – Operator issues the Emergency Stop but it is not received by the operator sta@on 3) Inappropriate decision – Operator doesn’t issue the Emergency Stop with indica@ons that dangerous condi@ons are present 4) Inadequate feedback– Operator never receives indica@ons of dangerous condi@ons when condi@ons are present
Define & Frame Problem
Iden>fy Unacceptable
Losses
Iden>fy System Hazards / Constraints
Create Func>onal Control Structure
ID Hazardous Control Ac>ons
Generate Causal
Scenarios Mi>ga>ons and Controls
© Copyright William Young Mar 2016 [email protected]
Wargaming
• Evaluate effects of Aiack on Constraint
• Assess cost of constraint approach, cost of aiack, complexity of aiack
• Red Select General Aiack Class to Violate Constraint
• Blue Constraint Enforcement Strategy
Blue Move
Red Move
Assess Effects
Assess Costs
19
Blue Focus on Enforcing Constraint, Red Focus on ViolaFng Constraint… Goal is to “Fix” Problem Through EliminaFon or MiFgaFon Above Component
© Copyright William Young Mar 2016 [email protected]
Observa@ons Ac@on (Test)
Cultural Tradi@ons
Gene@c Heritage
New Informa@on Previous
Experience
Analyses & Synthesis Feed
Forward
Implicit Guidance & Control
Implicit Guidance & Control
Unfolding Interac@on
With Environment Unfolding
Interac@on With
Environment Feedback
Feed Forward
Decision (Hypothesis)
Feed Forward
Feedback
Outside Informa@on
Unfolding Circumstances
Observe Orient Decide Act
SENSOR CONTROL ALGORITHM
PROCESS MODEL ACTUATOR
Controlled Process
20
STPA-‐Sec OperaFonalizes John Boyd’s OODA Loop (Defense Department’s OperaFonal Framework for Cyber Warfare)
© Copyright William Young Mar 2016 [email protected]
Informa@on Lifecycle
21
!
! 102!
failure to adequately provide or enforce constraints leads to losses of most concern to the mission
owners. The selected subset of scenarios is subjected to further scrutiny using the information
lifecycle.
Figure 3.14 Information Lifecycle (Jabbour and Muccio)
Figure 3.14 can be used to structure and document the analysis of the selected scenarios. For each
scenario, the control actions associated with the particular hazardous scenario are transferred from
the Hazardous Control Action table prepared during Activity II. For each Hazardous Control Action,
engineers examine the underlying system components used to accomplish each function. The
purpose is to hone the scenario further by showing how vulnerabilities in a particular component
performing one of the information lifecycle functions could lead to the loss.
Actual security experts validated the utility of using a table such as the one depicted above during
missions conducted as part of high-fidelity wargames. Blue Team members performed their
Protective Needs Assessment using an alternative methodology. A Red Team member trained on an
early version of STPA-Sec and Jabbour and Muccio’s information lifecycle model combined the two
in order to discover how to disrupt the Blue Force mission. Through the combination, the expert was
able to perform a much more thorough security analysis and, in turn, uncover new previously
undiscovered vulnerabilities.
Both the alternative methodology and STPA-Sec identified a piece of critical information required
for Blue Team mission success. The information requirement was fairly obvious. However, only
Information Lifecycle Stages 1) information generation 2) information processing 3) information storage 4) information communication 5) information consumption 6) information destruction
2 1 4
3 6
5
Ref: (K. Jabbour & Muccio, 2013; K. M. Jabbour, Sarah, 2011)
InformaFon Lifecycle Adds ConsideraFons to STPA-‐Sec
© Copyright William Young Mar 2016 [email protected]
D4 Evalua@on
22
!
! 134!
E
XT
EN
T o
f EFF
EC
T
Tot
al DENY
DESTROY Pa
rtia
l
DISRUPT
DEGRADE
Temporary Permanent
DURATION of EFFECT
Figure 4.7 Potential Effects of SC-AC-03 Violation
The mission impacts resulting from violations of other constraints in Table 4.6 could be similarly
placed on the chart. Violations of constraints represent a proxy for effective attacks. Effective
attacks exploit vulnerabilities. However, as noted in the NIST guidance, most vulnerabilities result
from missing or ineffective controls.
Since time and resources are always limited, the severity of mission impact resulting from a violation
of a particular constraint is one way to select which constraints should be subjected to additional
scrutiny during the scenario development process. Constraints whose violation leads to more
significant outcomes can be identified not on the basis of probability of exploit, but rather on the
basis of consequences. Consequence is a function of system design and within the scope of the
engineering team.
Engineers and designers have much greater control over the severity of a successful attack than they
do the selection of what a particular attacker will target. Applying the most effort towards protection
of most critical functionality is a reasonable approach. Placing all constraints on the D4 chart is one
method to prune away constraints that may benefit from more extensive scenario development and
scrutiny.
Placing constraints on the D4 chart may also help suggest non-technical work-arounds that may
further mitigate the effects of violations. For example, if violating a particular constraint is deemed
to introduce a temporary and partial (disruptive) effect to the mission, analyzing why the constraint
belongs in that particular category may reveal alternative operational workarounds that might
SC#AC#03'
Ref: (K. Jabbour & Muccio, 2013; K. M. Jabbour, Sarah, 2011)
Where Does HCA ViolaFon Scenario Fall on D4 Impact to Goal?
Rider personal data Intercepted in transit
Goal: “con>nuing profitability and enhance reputa>on of ACME”
© Copyright William Young Mar 2016 [email protected]
Why using wireless?
HIPAA Concerns?
Proprietary Algorithms stored separately?
Rider PII stored & transmiied?
Missing feedback?
© Copyright William Young Mar 2016 [email protected]
STPA-‐Sec Integra@on with NIST Risk Management Framework (DoD Example)
DoDI 8510.01, March 12, 2014
ENCLOSURE 6 28
Figure 3. RMF for IS and PIT Systems
a. Step 1 - Categorize System (1) Categorize the system in accordance with Reference (e) and document the results in the security plan. Categorization of IS and PIT systems is a coordinated effort between the PM/SM, ISO, IO, mission owner(s), ISSM, AO, or their designated representatives. In the categorization process, the IO identifies the potential impact (low, moderate, or high) resulting from loss of confidentiality, integrity, and availability if a security breach occurs. For acquisition programs, this categorization will be documented as a required capability in the initial capabilities document, the capability development document, the capabilities production document, and the cybersecurity strategy within the program protection plan (PPP). Specific guidance on determining the security category for information types and ISs is included in the KS. (2) Describe the system (including system boundary) and document the description in the security plan. (3) Register the system with the DoD Component Cybersecurity Program. See DoD Component implementing policy for detailed procedures for system registration. (4) Assign qualified personnel to RMF roles. The members of the RMF Team are required to meet the suitability and fitness requirements established in DoD 5200.2-R (Reference (y)). RMF Team members must also meet appropriate qualification standards in accordance with Reference (p). RMF team member assignments must be documented in the security plan.
Security Analysis via STPA-SEC
Defines the MSN, relevant losses, and
hazardous system states to be controlled
Defines the requirements to guide selec>on &
deconflic>on of NIST “Controls”
Provides mission Context to helps engineer and implement the selected
NIST “Controls” Provides a rubric to assess the
actual vs planned implementa>on of the NIST
“Controls”
Provides audit trail and rationale to
support and enable senior leader analysis and decision making
Provides list of leading indicators of system
drifting into insecurity (to be monitored and assessed against
proposed system changes)
Define & Frame Problem
Iden>fy Unacceptable
Losses
Iden>fy System Hazards / Constraints
Create Func>onal Control Structure
ID Hazardous Control Ac>ons
Generate Causal
Scenarios Mi>ga>ons and Controls
© Copyright William Young Mar 2016 [email protected]
Conclusion
• Must think carefully about defining the security problem
– Perfectly solving the wrong security problem doesn’t really help
• STPA-‐Sec provides a means to clearly link security to the broader mission or business objec@ves
• STPA-‐Sec does not replace exis@ng security engineering methods, but enhances their effec@veness
© Copyright William Young Mar 2016 [email protected]
Understanding STPA-Sec Through a Simple Roller Coaster Example
William Young Jr PhD Candidate, Engineering Systems Division
Systems Engineering Research Lab Massachuse<s Ins>tute of Technology
2016 STAMP Conference Boston, MA
March 23, 2016