SEPTEMBER 6 , 2018 ETFA 2018 Cyber Security Research ...ieee-etfa2018.com/files/Obermeier_Presentation.pdfSupport of IEC 60870-5-104, IEC 61850, OPC, HART, ProfiNet, Modbus,…? Real

CONFIDENTIAL

SEPTEMBER 6TH, 2018 – ETFA 2018

Cyber Security Research ChallengesAn Industry PerspectiveSebastian Obermeier

—Past: Security is about Creativity - Winning an ebay Auction in 2003

September 4, 2018 Slide 2

20182003

—Past: Security is about Creativity - Winning an ebay Auction in 2003


2003

1. Cyber Security in Power and Automation

2. Specifics of Industrial Cyber Security

3. Challenges

4. Summary and Conclusion


Agenda

About me

Sebastian Obermeier• Dr. rer. nat. in Computer

Science from the University of Paderborn, Germany• Thesis on Database

Transaction Management in Mobile Ad-Hoc Networks

• Joined ABB in 2008 as scientist for cyber security

• Since 2017 Group Research Area Manager Software


Introducing ABB

What

(Offering)

For whom (Customers)

Where (Geographies)

Utilities Industry Transport & Infrastructure

~35% of revenue ~40% of revenue ~25% of revenue

Globally

Asia, Middle East, Africa 38% Americas 29% Europe 33%

~$34 bn revenue ~100 countries ~132,000 employees

Pioneering technology

Products 58% Systems 24% Services & software 18%

Providing technology for tomorrow‘s innovations

ABB Corporate Research



Key figures

– ~ 700 highly qualified scientists and engineers,

– in 7 corporate research centers

around the world,

– in 8 global research areas aligned

to ABB’s core technologies,

– >300 patents and > 700publications annually

Raleigh/Bloomfield

Ladenburg

Dättwil

Västerås

Kraków

Bangalore

Beijing /Shanghai

Software in the focus


Role of Software in Power and Automation Technology

Hardware equipment with software inside

Software programming /automation engineering

Software products

Software systems with

hardware components

Software based services

Digitalization Platform

> 50% of offering is software-related

> 3’000 software developers

Smallest software application

Large software application

ABB software business – facts

3-pole contactor

~100 lines of software code

Network Manager

>5 million lines of software code

Comparable to airplane avionics and control system

Software Based Technologies in 2018


Robotics Software-Defined Machines

AI and MachineLearning

Internet-Connectable Devices

Cloud Computing

Blockchain and Cryptocurrency

Cyber SecurityAR/Virtual Reality

A definition in the context of power and automation technology

Cyber security

September 4, 2018 *Merriam-Webster’s dictionarySlide 9

Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack*

Measures taken to protect the reliability, integrity and availability of power and automation technologies against unauthorized access or attack

Traditional Power and automation technology

Confidentiality

– Prevent disclosure of information to unauthorized entities

Integrity

– Prevent modification of information by unauthorized entities

Availability

– Ensure access to information and services to authorized entities

Authentication

– Verify the claimed identity of entities

Authorization / Access control

– Manage the permissions of authenticated entities

Auditability

– Be able to reconstruct the complete system behavior history

Accountability (Non-repudiability)

– Provide irrefutable proof to a third party of who initiated a certain action

Objectives


What is Cyber Security?

Why is cyber security an issue?


Cyber Security in Power and Automation

Modern automation, protection, and control systems are highly specialized IT systems

– Leverage commercial off the shelf IT components

– Use standardized, IP-based communication protocols

– Are distributed and highly interconnected

– Use mobile devices and storage media

– Based on software

Increased attack surface as compared to legacy, isolated systems

Communication with external (non-OT) systems

Attacks from/over the IT world

Power and automation today Cyber security issues

Recent cyber security events

September 4, 2018 https://www.securityweek.com/notpetya-attack-costs-big-companies-millionsSlide 12

$300 million of profits lost due to cyber attack

– One of the world’s biggest container shipping companies, A.P. Moller-Maersk A/S reported the loss in their third quarter financial report.

Sales, distribution and financial networks impacted

– Mondelez International, owner of U.K. chocolate maker Cadbury, estimated the cost of an attack at $150 million in lost sales and incremental expenses

Drug production halted

– Drug and vaccine manufacturer Merck & Co Inc. suffered a worldwide disruption of its operations, halting production of drugs. The financial impact was estimated at around US$135 million.

Avoiding malware infections

A global material solutions company with hundreds of sites was infected with a ransomware virus. ABB 800xA systems were the only systems not impacted.

Compelling numbers from customers

https://www.securityweek.com/notpetya-attack-costs-big-companies-millions

A Different Set of Requirements

Cyber Security has specific challenges

September 4, 2018 Source: Slide 13

Traditional IT Industry

What is being protected Data Physical process

Impact area Disclosure of information; financial loss Safety, availability, financial, environment

Security objective Confidentiality, privacy Availability, integrity

Operating Systems Windows, Linux, … Windows at HMI, RTOS at field devices

Availability requirements 99%99.9% - 99.999%(downtime per year: 8.76 hours to 5.26 min)

System Lifetime 3 – 10 years 5 – 25 years

Logging and Forensics Standard practice Limited

Patching Standard schedule; can be expeditedNon-standard; could be a long time between updates

Why traditional approaches don’t (always) work


Office IT vs. Industrial Control Systems

Lock out accounts for 10 minutes after 3 bad password tries

Install patches as soon as they are released and reboot

Use of firewalls and intrusion detection systems

Use of crypto functions to protect data in transit

Use of intrusion prevention systems

Operator has no control over process for 10 minutes!

Control system reboot means shutting down the whole plant

Support of IEC 60870-5-104, IEC 61850, OPC, HART, ProfiNet, Modbus,…?

Real time constraints cannot be met due to limited resources on embedded devices

One false positive might have fatal consequences

IT best practices Potential consequence for OT

There is a lot to learn from information systems security, but approaches and technologies need to be applied with care

Target security level defines remaining risk

There is no 100% security

Attacker capabilitiesSecurity level

Product

features

Solution

aspects

Physical

security

Organisational

measures

(processes)

Mainresponsibility

ManufacturerIntegrator

Operator

Risks not covered by the business target security level

Business Target security level

Security aspects

- Intelligence

- Organisedcrime

- Disgruntledemployee(operator)

- Hacker

National Target security level

ABB Group Cyber Security Council


ABB has a formally established cyber security organization reporting to top management

Div

isio

ns

Electrification Products

Robotics and Motion

Power Grids IndustrialAutomation

Cro

ss

fu

nc

tio

ns

IT security Service ResearchCorporate security

Legal Insurance risk management

Communication

ABB Group Cyber Security Council

ABB AbilityTM

Representation

Dig

ita

l AB

B

Cy

be

r s

ec

uri

ty

pro

gra

m m

gm

t.

http://imagebank.abb.com/ABB.DocumentManagement.SitePages/DocumentViewPage.aspx?ID=6519&ListId=4ef91416-2d21-48b6-8f0d-f74390c80771&Source=http://imagebank.abb.com/Lists/ABB/DocumentManagement/Document/Forms/AdvancedThumbnails.aspx?CategoryId=&Filter=0&Sort=Title&Asc=True&PageSize=20&View=1&Language=&k=research

http://imagebank.abb.com/ABB.DocumentManagement.SitePages/DocumentViewPage.aspx?ID=6519&ListId=4ef91416-2d21-48b6-8f0d-f74390c80771&Source=http://imagebank.abb.com/Lists/ABB/DocumentManagement/Document/Forms/AdvancedThumbnails.aspx?CategoryId=&Filter=0&Sort=Title&Asc=True&PageSize=20&View=1&Language=&k=research


Develops forward-looking cyber security concepts and technology

Authentication, remote access, security monitoring, security engineering, product/system security assessments, tracking market trends, …

Evaluates security relevant technologies

Adapts enterprise security to industrial control systems context

Research Challenges

Addressing high availability requirements of control systems

Simplification of security engineering

Diversity in security solution approaches across BUs

ABB Motivation

Satisfying customer requirements for security

Drive industry standards

…a topic for ABB Corporate Research

Cyber Security

Month DD, Year | Slide 17

© ABB Group



Power and Automation Security

Changed ABB’s internal processes

Automated Security Hardening

Created an approach for minimal invasive security

hardening

Authentication Architecture

Allowed using a plant-wide password

Example Results

Threat Modeling

Created a system wide threat modeling approach

—Future Research challenges


Traditional Security Challenges Privacy

AI/ML and Security Quantum Computing Blockchain and Distributed Ledgers

Industrial challenges

New opportunities and risks Quantum Safe cryptography Replacement of a trusted 3rd party

Overview

(Fully) homomorphic encryption

—Cyber Security

September 4, 2018

Heterogeneity Situational Awareness

Vulnerabilities Compliance Sustaining Security

Traditional Industrial Challenges

Installed Base

—

Low-Security Cloud Computing

September 4, 2018 | Slide 21

Privacy

—

Medium-Security Cloud Computing


Privacy

—

High-Security Cloud Computing


Privacy

—

– Time-series data is encrypted on the fly before sending it to the server/cloud

– The client can run queries (range-queries, closest match) on the encrypted data and display the results

Proof-of-concept

September 4, 2018

Matús Harvan, Thomas Locher, Marta Mularczyk, Yvonne Anne Pignolet: Privacy-preserving Regression on Partially Encrypted Data. SECRYPT 2017: 255-266Matús Harvan, Samuel Kimoto, Thomas Locher, Yvonne Anne Pignolet, Johannes Schneider: Processing Encrypted and Compressed Time Series Data. ICDCS 2017: 1053-1062

Slide 24

Privacy

—

(Fully) Homomorphic Encryption

Privacy

September 4, 2018

[1] C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st ACM Symposium on Theory of Computing – STOC 2009,

pages 169–178. ACM, 2009

[2] https://github.com/shaih/HElib

Slide 25

Challenges

fx y

g

g

x'

f'y'

{7,23,42} min 7

{/ç,+»,=%} *)=*?

• Craig Gentry has proven that any computation on encrypted data is possible [1]

• But: Impractical performance and space requirements (encryption of 1 Bit up to: 2 hours + 2,3 GB, 100 trillion times slower than plaintext operations)

• Recent advancements in HElib [2]

• 15x to 75x faster, but still impractical for many applications

Novel Opportunities and Threats through AI

September 4, 2018 Source: Slide 26

AI/ML and Security

Traditional Approach AI Approach

Malware Identification Signature-based Predictive analytics

DDoS (Distributed Denial of Service) protection

Monitor network-traffic Global correlation and automated detection

Device specific protection Manual security updates Device and network-level anomaly detection

Social engineering Education on social hygieneSocial biometrics and user-based anomaly detection

Identifying vulnerabilities Reverse engineering, manual trial & error Automated testing and exploit generation

Creating Anti-Virus resistant malwareTest and manually change malware on detection

Automated Anti-Virus evasion using Generative Adversarial Networks

Spear fishing Manual interaction with victim Use of AI Bots, massive scalability

Attacking the computing engineRule based engines are static and pre-programmed

AI engines are fed with malicious data and derive wrong conclusions

—Quantum computing


Breaking cryptography?

Problem Size

Computing TimeConventional

ComputerQuantum Computer

„Quantum Supremacy“

Area

Image Recognition Vehicle

Routing?

Protein Folding?

Productionoptimization?

(e.g., steel plants)(global optimum)

[https://en.wikipedia.org/wiki/BQP]

• QC prototypes (Google, IBM) reach 50 – 70 qubits

• First QC algorithms are developed • Large-scale feasibility of QC is still unclear

• Break RSA public-key cryptosystems• Random number generators• Quantum key exchange

• Big players: IT companies and also governmental institutions

• Algorithm development: quantum mechanics competences are needed

• We are still in the very early phases of QC

Status-quo

Potential

Outlook

Which Problems can Quantum Computers solve?

Comparison of transaction systems


Trusted Third Party vs Distributed Ledger

Conventional System Blockchain System

Transaction after trusted 3rd party validates partners and data. Centrally managed, high-level security and trust required

Transaction after agreement of ledger participants.Distributed operation, tampering is detectable

Technical definition

Blockchain


Append-only database that

1. represents a verifiable list of records of items

2. is replicated, operates in near real-time

3. uses protocols, hashes, and digital signatures toprove identity, authenticity, and enforce access rights

• Specific participants can add new items and other participants validate them

• Certain participants can read existing items

4. has mechanisms to make it hard to change historical records,or at least make it easy to detect changes (audit trail)

The blockchain provides the underpinning of Bitcoin

Definition

Source: https://blockgeeks.com/guides/what-is-blockchain-technology/

An entry is submitted to

the blockchain

Distribution to peers

Consistency checks and

approval

Addition of new block to

all copies

Pros & Cons

Blockchain Characteristics


1. Transparency & VerifiabilityTransaction history is publicly* viewable

2. ImmutabilityTransactions cannot be altered or deleted

3. ResilienceDistributed nature of the blockchain makes it hard/impossible to destroy or tamper with it

4. Use Case AgnosticAny type of use case can theoretically be implemented on a blockchain

* If desired, data can be encrypted and only accessible by a selected set of users

Pros

1. Lack of FlexibilityUpdating the protocol/implementation is very hard

2. ScalabilityLarge number of transactions/sec is challenging*

3. Lack of ControlNo single entity can impose change by design

4. Significant OverheadIn terms of computational power, bandwidth, storage, ...

* Newer blockchain technologies offer higher performance, typicallynot a limitation anymore

Cons

Blockchain Characteristics


Permissioned Blockchain:

Membership Management

Audit Support

Privacy-preserving

authentication

Consistency

Immutability Provenance and

Ownership

Blockchain for Business

Transaction

confidentiality

Transparency

High throughput

Current State and Future Vision

When is Blockchain the Right Technology?


Applicability & Use Cases

A blockchain-based approach may be appropriate if

– Multiple parties are involved

– The parties do not trust each other

– The correct functioning or behavior of the system is verifiableby inspecting the blockchain (otherwise, trust in otherdevices/systems/parties is required)

Consequently, applicability of blockchain technology is limited if one or more of the conditions above is not met.

In this case, typically a traditional distributed database is a viable and more efficient alternative.

Conditions

Applicability of Blockchain technology is bound to multiple conditions

Thomas Locher; Sebastian Obermeier; Yvonne-Anne Pignolet: “When Can a Distributed Ledger Replace a Trusted Third Party?”, The 2018 IEEE International

Conference on Blockchain, July 2018, Halifax, Canada

Cyber Security Challenges


Summary and Conclusion

Riddle


The end

Peggy has uncovered a secret word used to open a magic door in a cave.

The cave is shaped like a circle, with the entrance on one side and the

magic door blocking the opposite side.

Victor says he'll pay her for the secret, but not until he's sure that she

really knows it. Peggy says she'll tell him the secret, but not until she

receives the money. The magic word works in only one direction (B to

A); this information should also not be disclosed to Victor.

How can Peggy prove she knows the magic word, without disclosing

the word and the direction?

• Victor waits outside as Peggy enters the cave, secretly choosing path B.

• Victor enters the cave and shouts the name of the desired return path, either A or B, chosen at random.

• Provided Peggy knows the magic word: she opens the door (if necessary) and returns along the desired path.

• If Peggy reliably appears at the exit Victor named, he can conclude that she is very likely to know the secret word

Solution


Zero Knowledge Proof

• Victor waits outside as Peggy enters the cave, secretly choosing path B.

• Victor enters the cave and shouts the name of the desired return path, either A or B, chosen at random.

• Provided Peggy knows the magic word: she opens the door (if necessary) and returns along the desired path.

• If Peggy reliably appears at the exit Victor named, he can conclude that she is very likely to know the secret word

Solution


Zero Knowledge Proof

Just a nice riddle?

Replace(Peggy Device A)Replace(Victor Device B)Replace(Cave Unsecure Network)Replace(Magic Word Password)

Documents

SEPTEMBER 6 , 2018 ETFA 2018 Cyber Security Research ...ieee-etfa2018.com/files/Obermeier_Presentation.pdfSupport of IEC 60870-5-104, IEC 61850, OPC, HART, ProfiNet, Modbus,…? Real