Understanding STPA-Sec Through a Simple Roller Coaster...

© Copyright William Young Mar 2016 [email protected]

Understanding STPA-Sec Through a Simple Roller Coaster Example

William Young Jr PhD Candidate, Engineering Systems Division

Systems Engineering Research Lab Massachuse<s Ins>tute of Technology

2016 STAMP Conference Boston, MA

March 23, 2016


DISCLAIMER:

The views expressed in this presentation are are those

of the presenter and do not reflect the official policy or

position of the United States Air Force, Department of

Defense, Air Education and Training Command, Air

University, Air War College, or the U.S. Government

2


Need to Address Security Pre-‐Architecture

3

Concept Development Production Utilization Retirement

Effe

ctiv

enes

s &

Cos

t to

Fix

Low

High

Problem Analysis Solution Development & Implementation

Systems Engineering Lifecycle

STPA-‐Sec Iden@fies and frames the security problem

Focus of tradi@onal security efforts

STPA-‐Sec Helps Rigorously Frame the “Right” Security Problem


Just Because You Can, Doesn’t Mean You Should…Just Because it Works, Doesn’t Mean is Can Be Secured


Whole System

SubSystem 1

Subsystem 2

Component

HW SW Human

Func@onal Purpose

Abstract Func@on

General Func@on

Physical Func@on

Physical Form

Whole -‐ Part

Ends -‐ Means

Conceptual

Physical

Tradi@onal Security Engineering Focus STPA-‐Sec Focus


Scenario: You are part of the ACME Roller Coaster Company Security

Team

The R&D team has proposed a new 5D coaster.

6 *Original Scenario created by Danny Holtzman of MITRE Corp


Scenario: You are part of the ACME Corporation Security Team

The CEO would like details from your team. “I want to know if building the Smart Coaster represents a risk to our operations that we should accept,” she says! “If we do accept the risk, what can you do about it as the security team?”

7


Key Stakeholder is the ACME CEO

•  You interview the CEO and she provides you some key insights –  The ride represents a bet on the company’s future, she does

not want the stock to take a hit –  She is concerned about losing company IP gained through

R&D for the coaster –  She was a student of Nancy Leveson during her grad school

time at MIT and cares about safety –  She likes the concept of creating a tailored thrill profile, but

states, “Don’t do an OPM!” –  She states that she is unwilling to create a ride that doesn’t

deliver on ACME’s reputation for thrilling rides –  Smart coaster likely will be the most expensive roller coaster

ever built and she doesn’t want it damaged

8


•  Overview: Synthesize a concise statement that describes what the system is supposed to do

•  Elicit purpose, method, goals through discourse with stakeholders (& documents)

•  Craft the description of the Functional Model –  “A System to do {What = Purpose} by means of {How

= Method} in order to contribute to {Why = Goals}”

•  Method will normally be a set of high-level activities representing stakeholders’ essential tasks / activities

9

Defining and Framing the Problem

Define & Frame Problem

Iden>fy Unacceptable

Losses

Iden>fy System Hazards / Constraints

Create Func>onal Control Structure

ID Hazardous Control Ac>ons

Generate Causal

Scenarios Mi>ga>ons and Controls


A Potential Solution Based on Scenario:

10

•  A System to deliver a safe, but thrilling experience to riders by means of loading, tailoring, launching, thrilling, offloading in order to contribute to con@nuing profitability and enhance reputa@on of ACME

This is a Statement Explicitly Describing the Problem, our Preferred Approach and the Overall Goal


Unacceptable Losses from Scenario:

L1: Death or serious injury to rider or operator L2: Significant devalua@on of Acme stock L3: Significant Damage to Smart Coaster L4: Loss of Acme Intellectual Property L5: Loss of company reputa@on L6: Loss of consumer (rider) PII

11

L4 & L6 Would Generally Be Outside the Scope of TradiFonal Safety Analysis



Losses




Generate Causal



Hazards for the Example

12

H1: Rider or operator exposed to dangerous physiological condi@ons

H2: Rider unsecure during ride opera@ons

H3: Smart Coaster operated outside of established parameters

H4: Intellectual Property exposed to unauthorized individuals

H5: Company takes ac@ons inconsistent with stated values

H6: Consumer (rider) PII exposed to unauthorized individuals

H7: Smart coaster fails to deliver calculated rider experience

H8: Worker in close proximity to track or car while ride in mo@on

H4 & H6 are Security Concerns, but all Others Could be Safety or Security



Losses




Generate Causal



ACTIVITIES ENTITIES Onboard Diagnose Profile Launch Analyze Offboard Charge Attendant

Operator Operator Station Track

Car

Rider

En@ty / Ac@vity Diagram



Losses




Generate Causal



E-‐A Diagram Block in Detail

Analyze

Operator Monitors system for alerts via the operator station displays. Warning indications provided for unsafe conditions, status of rider restraints, status of car gyros and readiness for expected maneuvers. Provides emergency stop command if required to stop ride and return to a safe state.



FEEDBACK

Control Ac@ons

•  Fairly detailed control structure model can be created from a very abstract document •  We can then do analysis for security to facilitate early trades


Par@al Step I Table Entries for Emergency Stop Command from the Operator



Losses




Generate Causal


Screen Shot from XSTAMPP


Why Would Operator Not Provide Emergency Stop When Required?

•  HCA: Operator Does Not Provide Emergency Stop to Operator Control Sta@on when Dangerous Condi@ons Present

High Level Problems to be Resolved: 1)  Inadequate process behavior– Operator control sta@on doesn’t provide Emergency Stop Command when Operator has sent it 2) Inadequate control – Operator issues the Emergency Stop but it is not received by the operator sta@on 3) Inappropriate decision – Operator doesn’t issue the Emergency Stop with indica@ons that dangerous condi@ons are present 4) Inadequate feedback– Operator never receives indica@ons of dangerous condi@ons when condi@ons are present



Losses




Generate Causal



Wargaming

•  Evaluate effects of Aiack on Constraint

•  Assess cost of constraint approach, cost of aiack, complexity of aiack

•  Red Select General Aiack Class to Violate Constraint

•  Blue Constraint Enforcement Strategy

Blue Move

Red Move

Assess Effects

Assess Costs

19

Blue Focus on Enforcing Constraint, Red Focus on ViolaFng Constraint… Goal is to “Fix” Problem Through EliminaFon or MiFgaFon Above Component


Observa@ons Ac@on (Test)

Cultural Tradi@ons

Gene@c Heritage

New Informa@on Previous

Experience

Analyses & Synthesis Feed

Forward

Implicit Guidance & Control

Implicit Guidance & Control

Unfolding Interac@on

With Environment Unfolding

Interac@on With

Environment Feedback

Feed Forward

Decision (Hypothesis)

Feed Forward

Feedback

Outside Informa@on

Unfolding Circumstances

Observe Orient Decide Act

SENSOR CONTROL ALGORITHM

PROCESS MODEL ACTUATOR

Controlled Process

20

STPA-‐Sec OperaFonalizes John Boyd’s OODA Loop (Defense Department’s OperaFonal Framework for Cyber Warfare)


Informa@on Lifecycle

21

!

! 102!

failure to adequately provide or enforce constraints leads to losses of most concern to the mission

owners. The selected subset of scenarios is subjected to further scrutiny using the information

lifecycle.

Figure 3.14 Information Lifecycle (Jabbour and Muccio)

Figure 3.14 can be used to structure and document the analysis of the selected scenarios. For each

scenario, the control actions associated with the particular hazardous scenario are transferred from

the Hazardous Control Action table prepared during Activity II. For each Hazardous Control Action,

engineers examine the underlying system components used to accomplish each function. The

purpose is to hone the scenario further by showing how vulnerabilities in a particular component

performing one of the information lifecycle functions could lead to the loss.

Actual security experts validated the utility of using a table such as the one depicted above during

missions conducted as part of high-fidelity wargames. Blue Team members performed their

Protective Needs Assessment using an alternative methodology. A Red Team member trained on an

early version of STPA-Sec and Jabbour and Muccio’s information lifecycle model combined the two

in order to discover how to disrupt the Blue Force mission. Through the combination, the expert was

able to perform a much more thorough security analysis and, in turn, uncover new previously

undiscovered vulnerabilities.

Both the alternative methodology and STPA-Sec identified a piece of critical information required

for Blue Team mission success. The information requirement was fairly obvious. However, only

Information Lifecycle Stages 1) information generation 2) information processing 3) information storage 4) information communication 5) information consumption 6) information destruction

2 1 4

3 6

5

Ref: (K. Jabbour & Muccio, 2013; K. M. Jabbour, Sarah, 2011)

InformaFon Lifecycle Adds ConsideraFons to STPA-‐Sec


D4 Evalua@on

22

!

! 134!

E

XT

EN

T o

f EFF

EC

T

Tot

al DENY

DESTROY Pa

rtia

l

DISRUPT

DEGRADE

Temporary Permanent

DURATION of EFFECT

Figure 4.7 Potential Effects of SC-AC-03 Violation

The mission impacts resulting from violations of other constraints in Table 4.6 could be similarly

placed on the chart. Violations of constraints represent a proxy for effective attacks. Effective

attacks exploit vulnerabilities. However, as noted in the NIST guidance, most vulnerabilities result

from missing or ineffective controls.

Since time and resources are always limited, the severity of mission impact resulting from a violation

of a particular constraint is one way to select which constraints should be subjected to additional

scrutiny during the scenario development process. Constraints whose violation leads to more

significant outcomes can be identified not on the basis of probability of exploit, but rather on the

basis of consequences. Consequence is a function of system design and within the scope of the

engineering team.

Engineers and designers have much greater control over the severity of a successful attack than they

do the selection of what a particular attacker will target. Applying the most effort towards protection

of most critical functionality is a reasonable approach. Placing all constraints on the D4 chart is one

method to prune away constraints that may benefit from more extensive scenario development and

scrutiny.

Placing constraints on the D4 chart may also help suggest non-technical work-arounds that may

further mitigate the effects of violations. For example, if violating a particular constraint is deemed

to introduce a temporary and partial (disruptive) effect to the mission, analyzing why the constraint

belongs in that particular category may reveal alternative operational workarounds that might

SC#AC#03'

Ref: (K. Jabbour & Muccio, 2013; K. M. Jabbour, Sarah, 2011)

Where Does HCA ViolaFon Scenario Fall on D4 Impact to Goal?

Rider personal data Intercepted in transit

Goal: “con>nuing profitability and enhance reputa>on of ACME”


Why using wireless?

HIPAA Concerns?

Proprietary Algorithms stored separately?

Rider PII stored & transmiied?

Missing feedback?


STPA-‐Sec Integra@on with NIST Risk Management Framework (DoD Example)

DoDI 8510.01, March 12, 2014

ENCLOSURE 6 28

Figure 3. RMF for IS and PIT Systems

a. Step 1 - Categorize System (1) Categorize the system in accordance with Reference (e) and document the results in the security plan. Categorization of IS and PIT systems is a coordinated effort between the PM/SM, ISO, IO, mission owner(s), ISSM, AO, or their designated representatives. In the categorization process, the IO identifies the potential impact (low, moderate, or high) resulting from loss of confidentiality, integrity, and availability if a security breach occurs. For acquisition programs, this categorization will be documented as a required capability in the initial capabilities document, the capability development document, the capabilities production document, and the cybersecurity strategy within the program protection plan (PPP). Specific guidance on determining the security category for information types and ISs is included in the KS. (2) Describe the system (including system boundary) and document the description in the security plan. (3) Register the system with the DoD Component Cybersecurity Program. See DoD Component implementing policy for detailed procedures for system registration. (4) Assign qualified personnel to RMF roles. The members of the RMF Team are required to meet the suitability and fitness requirements established in DoD 5200.2-R (Reference (y)). RMF Team members must also meet appropriate qualification standards in accordance with Reference (p). RMF team member assignments must be documented in the security plan.

Security Analysis via STPA-SEC

Defines the MSN, relevant losses, and

hazardous system states to be controlled

Defines the requirements to guide selec>on &

deconflic>on of NIST “Controls”

Provides mission Context to helps engineer and implement the selected

NIST “Controls” Provides a rubric to assess the

actual vs planned implementa>on of the NIST

“Controls”

Provides audit trail and rationale to

support and enable senior leader analysis and decision making

Provides list of leading indicators of system

drifting into insecurity (to be monitored and assessed against

proposed system changes)



Losses




Generate Causal



Conclusion

•  Must think carefully about defining the security problem

–  Perfectly solving the wrong security problem doesn’t really help

•  STPA-‐Sec provides a means to clearly link security to the broader mission or business objec@ves

•  STPA-‐Sec does not replace exis@ng security engineering methods, but enhances their effec@veness


Understanding STPA-Sec Through a Simple Roller Coaster Example

William Young Jr PhD Candidate, Engineering Systems Division

Systems Engineering Research Lab Massachuse<s Ins>tute of Technology

2016 STAMP Conference Boston, MA

March 23, 2016

Date post:	02-Jun-2020
Category:	Documents
Upload:	others
View:	5 times
Download:	0 times

Understanding STPA-Sec Through a Simple Roller Coaster...

Documents