Working Together to Build Confidence

Cybersecurity & Risks Analysis

Djenana Campara Chief Executive Officer

Member, Object Management Group Board of Directors

Co-Chair, System Assurance Task Force

2

Cyber Security

Trust in System’s ability to Execute Trusted Behavior

Only and to Prevent Malicious Attacks

with

objective to

Protect Information, Assets & Services Against

Compromise

12/6/2016 (c) KDM Analytics Inc.

OMG Security Community Focus

• Systematic Threat Risk & Vulnerability Analysis (TRV) Unique, cost-effective approach Automated analysis Supported by integrated tools

3 12/6/2016 (c) KDM Analytics Inc.

4

Threat, Risk and Vulnerability Analysis (TRV)

How system can be attacked?

What is the impact of successful attacks?

What are the Vulnerabilities that are exploited by successful attacks?

Goal: Risk Assessment Methodology within the RMF that is systematic, objective and allows automation and that can answer a tough question: How do we know that all threats have been addressed

Risk

It Starts by Understanding …

12/6/2016 (c) KDM Analytics Inc.

Failing to understand ALL threats …

5

• Not enough to trust credentials

• Firewall is no longer sufficient protection

• Ignorance MUST NOT be an option • Organized Crime • Smart and

knowledge sharing Hackers

Effective threat mitigation can only be achieved through identifying, analyzing, classifying and understanding the threat and related risk: Cause & Effect

12/6/2016 (c) KDM Analytics Inc.

The Challenge: Where are the Vulnerabilities

05/12/2016 6

• The point of entry to the system is the individual user

• The actual security perimeter is often much larger than anticipated

• Stakeholders often accept risk that they are not aware of

The researcher successfully hacked the principal system on-boards like ADS-B and ACAR

POSTED IN SCADA / ICS SECURITY ON APRIL 8, 2014

(c) KDM Analytics Inc.

7

Undiscovered Vulnerabilities can Result in Massive Losses

• STUXNET - Sophisticated, multilevel targeted attack on SCADA system resulted in modification of system’s behavior

– layered attack against three different systems initially exploiting four zero-day vulnerabilities within Windows systems and using it as spring board to install itself on PLC devices unnoticed with aim to periodically modify the frequency and thus affects the operation of the connected motors by changing their rotational speed and leading to destruction of centrifuges

• A cyberattack against Polish flagship carrier LOT grounded more than 1,400 passengers at Warsaw’s Frederic Chopin Airport (June 2015)

– The airline said in a statement on its website that the “IT attack” meant it was unable to create flight plans and flights were not able to depart from Warsaw.

• The International Civil Aviation Organization (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them

– Researchers have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controller

12/6/2016 (c) KDM Analytics Inc.

COMPREHENSIVE AND SYSTEMATIC RISK ANALYSIS

Overcoming the Challenge

8 12/6/2016 (c) KDM Analytics Inc.

Examining Existing Risk Management Methodologies: Providing Assurance & Automation?

• ISO/IEC 13335 • ISO/IEC 15408 • ISO/IEC 15443 • ISO/IEC 27001 • CRAMM (UK) • EBIOS (France) • Mehari (France) • Magerit (Spain) • HTRA (Canada) • NIST SP-800-30 (US) • Octave (SEI CMU) • RiskAn (Czech Rep) • Microsoft Threat Analysis Methodology • Open Group FAIR • & others

Challenges: 1) no interoperability (an issue in a

coalition context) 2) few approaches deal with discernable

concepts to be automatable 3) few approaches are systematic enough to provide assurance

9 12/6/2016 (c) KDM Analytics Inc.

“Ingredients” of risk (ISO 15408)

10 12/6/2016 (c) KDM Analytics Inc.

Assurance through vulnerability detection

11 12/6/2016 (c) KDM Analytics Inc.

Assurance through asset protection

12 (c) KDM Analytics Inc. 12/6/2016

Assurance through standard controls

13 (c) KDM Analytics Inc. 12/6/2016

Each step can be a reasonable starting point

14

Understand how system can be

attacked

Understand impact of vulnerabilities

Identify vulnerabilities

in system

Understand entry points

12/6/2016 (c) KDM Analytics Inc.

Goal: Justifiable Risk Management

Justifiable risk management = end-to-end risk mitigation assurance

15 (c) KDM Analytics Inc. 12/6/2016

16 (c) KDM Analytics Inc.

Justifiable Risk Management: FORSA Methodology – Influenced by Standard Efforts

• Achieving justifiable risk management requires a methodology that – Is systematic (can enumerate all threats) – Deals with discernable concepts – Considers assurance (can provide confidence and justification)

• We selected most suitable methodologies, combined them and further

enhanced to – Fully support assurance – Support import of structured Enterprise operational views (e.g. DoDAF/UAF) – Support automation of the methodology steps

• Including multi-stage attack identification

FORSA: - Fact Oriented - Repeatable - Security - Assurance

12/6/2016

Methodology describes the sequence of steps

Identified Risks

How ?

Who cares ? Assets and Targets

Owners and criteria sensitivity

Undesired events, Operational Impact severity Attack scenarios

Likelihood

What to do about it ? Controls, mitigation options

By who ? and Why ?

Threat Sources

So what ?

To what ?

(c) KDM Analytics Inc. 17 12/6/2016

FORSA STEPS

The corresponding FORSA steps

What?

How?

Analysis of valuables, sensitivities and Impacts => severity

Analysis of targets, Entries and attacks => likelihood

1. Operational Context Identification 2. System Facts 3. Asset Identification 4. Undesired Event Identification 5. Attack Group Identification 6. Threat Scenario Analysis 7. Safeguard Identification 8. Vulnerability Analysis 9. Risk Identification 10. Risk Analysis

Enterprise Architecture

Risk

FORSA STEPS

The sequence of steps is designed to increase confidence, and therefore increase assurance

(c) KDM Analytics Inc. 18 12/6/2016

Results of Justifiable Risk Analysis

ID Description Severity Likeli-hood

Level Resi-dual

Confi-dence

R01 Hacker gains access to confidential assets by information gathering on stored files

high high high low 80%

R02 Targeted virus or timebomb affects integrity or availability of network by attacking programmable node

high high high low 80%

R03 Hacker subverts node by remote attack exploiting vulnerabilities in programmable node’s code

high medium high low 80%

R04 Hacker subverts programmable node by remote attack exploiting vulnerabilities in system software on programmable node

high medium medium low 80%

R05 Criminal learns about forensic activity by attacking software on programmable node

medium high medium low 80%

R06 Targeted virus or timebomb affects availability of other assets by attacking software on programmable node

medium high medium low 80%

R07 Malicious user subverts programmable node by locally attacking node’s code

medium low medium low 70%

19 (c) KDM Analytics Inc. 12/6/2016

20 (c) KDM Analytics Inc.

Risk Assessment Methodology Driven by the Assurance Case

Assurance Case

System Facts

Assurance Process

Risk Metamodel

Assurance Case is structured according to the Risk Metamodel

Assurance Case provides guidance on how to collect evidence

Risk Metamodel describes evidence

Assurance Process delivers evidence

Risk Metamodel describes evidence

System Facts are evidence to the Assurance Case

e.g. operational facts from DoDAF/UAF

Supported by inference rules, Uses generic taxonomies

• Integrating System Assurance into Risk Assessment Methodology • Utilizing Assurance Case to deliver Risk Assessment • Automating end-to-end process

12/6/2016

Unique Approach – Influenced by Standard Efforts

21 (c) KDM Analytics Inc.

•National Vulnerability Database •Compliance Specifications •Fault Patterns •Code Security Defects •Threat-Risk Analysis models

Cybersecurity Knowledge

KDM Blade

Threat Risk Analysis Reports

CONOPS Software System

• threat scenarios • undesired events • system vulnerabilities • safeguards • prioritized risk

Collection of facts A top-down, operational risk analysis producing a quantitative risk report, including risk distribution by component, business assets and threats; associated vulnerability characteristics A bottom-up, targeted vulnerability analysis producing a quantitative residual risk focused on deep analysis of the riskiest components identified/prioritized in the top-down risk report

Effective measurement, prioritization and mediation of the assurance risks posed by system vulnerabilities

12/6/2016

22

Ecosystem Foundation: Common Fact Model Data Fusion & Semantic Integration

Risk Analysis OTRM (Situational awareness)

ISO 15026 SACM GSN/CEA

UPDM/UAF SysML

SFPM/SFP SCAP/CVE Note: SFPs are created using SBVR standard

KDM/ISO 19506 KDM/ISO 19506

Tools integration possible only through standards 12/6/2016 (c) KDM Analytics Inc.

Top Down Operational Risk Analysis

Risk Manager Engine

Risk Knowledge Base

1

DoDAF/UAF

Enterprise Architecture

Risk Assessment

Report

Risk Analyst “in a box”

Manual Adjustments or Manual

Input

Blade Risk Manager

Automatically extracted

facts

4

5

DoDAF Analytics

score & feedback

2

3

7

GUI 6

Manual Input option if no structured data available

1a

(c) KDM Analytics Inc. 23

Risk Report includes: • Constructed risk statements & calculated risk • Constructed risk distribution by components, business assets, and threats • Identified associated vulnerability characteristics

12/6/2016

Bottom Up Vulnerability Analysis: Cost-effective, Targeted

TOIF normalized

data

Raw data

TOIF associated with risks through

SFP &

operational context

TOIF associated with entry points and

attack vectors

Manually validated findings

Evidence & counterevidence to risk statements

Stronger evidence & counterevidence

Because of the filtering – may apply noisier tools for better coverage and

assurance

Normalized data

Mul

tiple

vul

nera

bilit

y de

tect

ion

tool

s

Increased coverage overlaps=confidence

Low level of abstraction & overload, esp on binary code

TOIF

– To

ols O

utpu

t Int

egra

tion

Fram

ewor

k

(c) KDM Analytics Inc. 24

Risk statements obtained from top down risk analysis

12/6/2016

25

Lockheed Martin Case Study

• Identified standards and Frameworks are supported by tools • Lockheed Martin’s performed evaluations

– Structured Assurance Models • Bring structured order to chaos • Interrelated Claims – Arguments – Evidence between various sources of evidence

– System Risk Manager • Analysis of DoDAF model Operation, System, … Views • Automated Gap Assessments in Models • Threat Risk Assessment capability on DoDAF models

– Tools Output Integration Framework (TOIF) and Risk Analyzer tools have demonstrated

• Significant improvement in Software Flaw and Vulnerability assessments • Lower labor costs • Significantly lower tool costs

OMG System Assurance Modeling Tools can Reduce Security Engineering Life-cycle costs 20-50%.

12/6/2016 (c) KDM Analytics Inc.

26

Thank you

12/6/2016 (c) KDM Analytics Inc.