Hazmat Signs for Industrial Software if they existed, what would - - PowerPoint PPT Presentation

hazmat signs for industrial software
SMART_READER_LITE
LIVE PREVIEW

Hazmat Signs for Industrial Software if they existed, what would - - PowerPoint PPT Presentation

Jan 17, 2024 360 likes •577 views

Hazmat Signs for Industrial Software if they existed, what would they look like? Bryan Owen PE, OSIsoft LLC cred-c.org | 1 Most Industrial Software is Toxic cred-c.org | 2 Toxicity The degree to which a chemical substance can damage

slide-1
SLIDE 1

cred-c.org | 1

Hazmat Signs for Industrial Software …if they existed, what would they look like?

Bryan Owen PE, OSIsoft LLC

slide-2
SLIDE 2

cred-c.org | 2

Most Industrial Software is ‘Toxic’

slide-3
SLIDE 3

cred-c.org | 3

Toxicity

The degree to which a chemical substance can damage an organism

  • Whole organism
  • Organs,
  • Tissue,
  • Or even cellular damage.
slide-4
SLIDE 4

cred-c.org | 4

Toxin Categories

Biological Hazard Corrosive Hazard Physical Hazard Non-Ionizing Radiation Hazard

slide-5
SLIDE 5

cred-c.org | 5

“Cyber” – Bio Hazard

Abuse of legitimate ICS functionality

  • Stuxnet
  • Crashoverride / Industroyer
  • Eg Protocols: IEC101, IEC104, and

IEC61850 Biological Hazard

slide-6
SLIDE 6

cred-c.org | 6

“Cyber” – Corrosive Hazard

Non-ICS specific Ransomware & Wipers

  • Brickerbot
  • Not Petya / WannaCry
  • Shamoon
  • Eg Protocols: SMB, Telnet

Corrosive Hazard

slide-7
SLIDE 7

cred-c.org | 7

“Cyber” – Physical Hazard

Enlistment in bots

  • Carna
  • Mirai
  • Reaper
  • And many other similar threats

Physical Hazard

slide-8
SLIDE 8

cred-c.org | 8

“Cyber” – Radio Hazards

Recent malware targeting radios

  • BadBIOS
  • BlueBorne
  • WPA2 Krack

Non-Ionizing Radiation Hazard

slide-9
SLIDE 9

cred-c.org | 9

Chemical Hazard Labels – NFPA Diamond

HEALTH FLAMABILITY REACTIVITY SPECIAL HAZARDS

3 4

Will Not Burn Shock and Heat May Detonate Least Serious Most Serious

slide-10
SLIDE 10

cred-c.org | 10

Cyber Hazard Labels: “C-I-A Triad Model”

CONFIDENTIALITY INTEGRITY AVAILABILITY SPECIAL HAZARDS

4

Remote, Anonymous, Default Configuration, Root Access

3

Remote, Anonymous, Default Configuration, User Access

2

Remote, Authenticated, Default Configuration, Root Access

1

Remote, Authenticated, Custom Configuration, Write Access Remote, Authenticated, Read Access

slide-11
SLIDE 11

cred-c.org | 11

Cyber Hazard Labels: “V-A-T Model (OSSTMM)” 1/2

VISIBILITY ACCESS TRUST SPECIAL HAZARDS

VISIBILITY 4

Remote management endpoints

3

Remote write access endpoints

2

Remote read access endpoints

1

Device broadcasts No targets visible remotely

slide-12
SLIDE 12

cred-c.org | 12

Cyber Hazard Labels: “V-A-T Model (OSSTMM)” 2/2

VISIBILITY ACCESS TRUST SPECIAL HAZARDS

TRUST 4

Unmanaged 3P components, 3P managed trust infrastructure

3

Unmanaged 3P components

2

3P managed trust infrastructure

1

Self-managed 3P components, trust infrastructure Trusted foundry with transparency

slide-13
SLIDE 13

cred-c.org | 13

Cyber Hazard Labels: Cornell “SoS” Blueprint

OBFUSCATION ISOLATION MONITORING SPECIAL HAZARDS

Blueprint for a science of cybersecurity The Next Wave Vol. 19 No. 2 | 2012 Fred B. Schneider

Safety

  • No ‘bad thing’ happens

Liveness

  • Some ‘good thing’ happens
slide-14
SLIDE 14

cred-c.org | 14

Special Cyber Hazards: “Observables”

  • Digital signature or unique hash
  • Documentation of third party components
  • Important dates (creation, last modified)
  • Memory safe frameworks and languages
  • User mode vs kernel or root
  • Execution flags (ASLR, CFG, DEP, NX, etc…)
  • Network protocol safety
  • Software update mechanism

A badness-omemter can’t tell you that you’re secure. It can only tell you that you’re not.

Badness-ometers are good. Do you own one? by Gary McGraw https://www.synopsys.com/blogs/software-security/badness-ometers-are-good-do-you-own-one

slide-15
SLIDE 15

cred-c.org | 15

Idea: Safety Data Sheets

slide-16
SLIDE 16

cred-c.org | 16

Cyber Security Data Sheets

Cyber Security Technical Assessment Methodology: Vulnerability Identification and Mitigation 3002008023 Final Report, October 2016

Michael Thow – EPRI Steve Hagan – Fisher Valves Dan Griffin – JW Secure John Connelly – Exelon Inman – Lanier – Fisher Valves Justin Kosar – Assoc. Electric Cooperative Manu Sharma – Exelon Mike Hagen – Fisher Valves Andrew Dettmer – Assoc. Electric Cooperative Kenneth Levandoski – Exelon Andrew Clark – Sandia National Laboratory Steve Ricker – East Kentucky Power Cooperative Brad Yeates – Southern Company Matthew Coulter – Duke Energy Phillip Turner – Sandia National Laboratory Scott Junkin – Southern Company Susan Ritter – Duke Energy Tim Wheeler – Sandia National Laboratory Richard Atkinson – Arizona Public Service Mark Denton – Duke Energy Alice Muna – Sandia National Laboratory Sandra Bittner – Arizona Public Service Norman Geddes – Southern Eng. Services Christine Lai – Sandia National Laboratory

slide-17
SLIDE 17

cred-c.org | 17

EPRI TAM Overview

slide-18
SLIDE 18

cred-c.org | 18

EPRI TAM – Attack Surface Characterization

slide-19
SLIDE 19

cred-c.org | 19

Reference Cyber Security Data Sheets

A key part of the Supply Chain

  • Step 1 & 2 by EPRI, Vendors, and
  • ther Stakeholders
  • Starting point for tailored CSDS

Big Idea: You can create a CSDS too!

Cyber Security Technical Assessment Methodology: Vulnerability Identification and Mitigation 3002008023

slide-20
SLIDE 20

http://cred-c.org @credcresearch facebook.com/credcresearch/

Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security