High Secured Inter-Cloud Connectivity via Public Networks
Andreas Aldrian, AVL List GmbH, andreas.aldrian@avl.com
Christoph Schmittner, Austrian Institute of Technology, Christoph.schmittner.fl@ait.ac.at
Project network

Storyline
- Pilot use case
- Consequences of insecure CPS
- Goal
- State of the art
- Approach
- Results
Use case in a nutshell
Topology (diagram labels): AVL product @customer in an isolated network with no routing; internet; AVL product on the AVL side; no inbound initiation towards the customer network
Typical use cases:
- remote interaction
- remote updates of software/firmware
- health and status tracking
- pre-emptive services (condition based)
- logistic purposes
- reporting of availability and utilization
Consequences of insecure CPS
- Modern ICS and CPS require connection, cooperation, automation
- These (often legacy) systems have diverse operational and communication requirements (interfaces, protocols)
- Not just devices but systems can collaborate
Goal of the project: work out the formal and technical details for collaboration
Referenced incidents:
- http://www.symantec.com/connect/blogs/iot-devices-being-increasingly-used-ddos-attacks
- http://www.theregister.co.uk/2016/03/24/water_utility_hacked/
- https://www.sentryo.net/cyberattack-on-a-german-steel-mill/
- http://www.networkworld.com/article/2225104/microsoft-subnet/not-cyber-myths--hacking-oil-rigs--water-plants--industrial-infrastructure.html
Goal
Fulfil the security policies and enable smart services without risking:
- network, system or data of the product operator and of the service provider
- safety or reliability of machinery
State of the art
First industrial security standard: IEC 62443, Industrial communication networks - Network and system security
Considers IT security, security of machinery and also impacts on safety and reliability
[Status overview of the IEC 62443 parts: planned, in development, draft, under review, available; the per-part table is not recoverable here]
Approach
- We needed something which works for safety & security
- We developed an approach for safety & security analysis and an iterative design workflow
Safety & security analysis approach
System model -> security objectives, failure catalogue, threat catalogue (survey) -> unified catalogue -> impact assessment and likelihood assessment -> risk assessment -> risk catalogue
Catalogues based on ISO 27005, IEC 60812 and Microsoft STRIDE; risk assessment based on ETSI TS 102 165-1 and IEC 60812
09.11.2018
Simplified system model
To ease risk assessment some components have been combined:
- strongly related processes within a trust boundary
- data flows between the same components
Threat & failure catalogue
Similar approach for safety and security: use the system model and identify potential manipulations (STRIDE) or deviations (failure modes) from normal operation
STRIDE: Spoofing of user identity, Tampering, Repudiation, Information disclosure (privacy breach or data leak), Denial of service (DoS), Elevation of privilege
Failure modes for communication or processing units: Missing data, Incorrect data, Timing of data, Extra data, Halt/abnormal, Omitted event, Incorrect logic, Timing/order
Risk catalogue
- Investigate overlap between safety and security effects
- Estimate risk based on impact and likelihood
- Formulate safety and security goals
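The three catalogue steps above (threat and failure catalogue, unified catalogue, risk catalogue with safety/security overlap) as one worked script. This is an added example and not the AVL/AIT tooling: the three-element system model is constructed from the use-case diagram, the 1..4 impact and likelihood scales, the STRIDE-per-element applicability rules, the "+1 likelihood for boundary-crossing flows" heuristic and the mapping from security manipulations to the failure modes they can cause are all assumptions made for the illustration.

```python
"""Added example (not the AVL/AIT code): STRIDE threats and failure modes
per element, risk = impact x likelihood, and the safety/security overlap
that yields combined goals. Model, scales and rules are assumptions."""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")
FAILURE_MODES = ("Missing data", "Incorrect data", "Timing of data", "Extra data",
                 "Halt/abnormal", "Omitted event", "Incorrect logic", "Timing/order")

# Assumed STRIDE-per-element applicability (common convention, not from the slides).
APPLICABLE = {
    "process":  set(STRIDE),
    "external": {"Spoofing", "Repudiation"},
    "dataflow": {"Tampering", "Information disclosure", "Denial of service"},
}
# Assumed mapping: which safety deviations a security manipulation can cause.
SECURITY_TO_FAILURE = {
    "Tampering": {"Incorrect data", "Extra data", "Incorrect logic"},
    "Denial of service": {"Missing data", "Timing of data", "Halt/abnormal"},
    "Spoofing": {"Extra data", "Incorrect data"},
    "Elevation of privilege": {"Incorrect logic", "Halt/abnormal"},
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "process", "external" or "dataflow"
    zones: tuple    # trust zones touched; a dataflow touching two crosses a boundary

@dataclass(frozen=True)
class Entry:
    element: str
    hazard: str     # STRIDE threat or failure mode
    domain: str     # "security" or "safety"
    impact: int     # assumed ordinal scale 1..4
    likelihood: int # assumed ordinal scale 1..4
    @property
    def risk(self):
        return self.impact * self.likelihood

def unified_catalogue(elements, impacts, likelihoods):
    """Enumerate STRIDE threats and failure modes per element into one catalogue.
    impacts/likelihoods map (element, hazard) -> rating set by the engineer;
    unrated entries default to 1. Security threats on a flow that crosses a
    trust boundary get +1 likelihood (assumed heuristic, capped at 4)."""
    out = []
    for e in elements:
        hazards = [(h, "security") for h in sorted(APPLICABLE[e.kind])]
        if e.kind != "external":      # failure modes for processing/communication units
            hazards += [(fm, "safety") for fm in FAILURE_MODES]
        crossing = e.kind == "dataflow" and len(set(e.zones)) > 1
        for h, dom in hazards:
            imp = impacts.get((e.name, h), 1)
            lik = likelihoods.get((e.name, h), 1)
            if dom == "security" and crossing:
                lik = min(4, lik + 1)
            out.append(Entry(e.name, h, dom, imp, lik))
    return out

def risks_at_or_above(catalogue, threshold):
    """Entries that need a goal, highest risk first."""
    return sorted((x for x in catalogue if x.risk >= threshold),
                  key=lambda x: (-x.risk, x.element, x.hazard))

def safety_security_overlap(catalogue, threshold):
    """(security entry, safety entry) pairs on the same element where the threat
    can cause the failure mode and both are at/above threshold: these get one
    combined safety & security goal instead of two separate ones."""
    by_element = {}
    for x in catalogue:
        by_element.setdefault(x.element, []).append(x)
    pairs = []
    for xs in by_element.values():
        sec = [x for x in xs if x.domain == "security" and x.risk >= threshold]
        saf = {x.hazard: x for x in xs if x.domain == "safety" and x.risk >= threshold}
        for s in sec:
            for fm in SECURITY_TO_FAILURE.get(s.hazard, ()):
                if fm in saf:
                    pairs.append((s, saf[fm]))
    return pairs

# Constructed toy model of the pilot use case: two processes in two trust zones
# and one status flow from the customer site to the AVL infrastructure.
MODEL = [
    Element("AVL product @customer", "process", ("customer",)),
    Element("AVL infra", "process", ("avl",)),
    Element("product -> infra status", "dataflow", ("customer", "avl")),
]
# Engineer's ratings for the constructed model (assumed values).
IMPACTS = {("product -> infra status", "Tampering"): 4,
           ("product -> infra status", "Incorrect data"): 4,
           ("AVL product @customer", "Elevation of privilege"): 4,
           ("AVL product @customer", "Halt/abnormal"): 3}
LIKELIHOODS = {("product -> infra status", "Tampering"): 2,
               ("product -> infra status", "Incorrect data"): 2,
               ("AVL product @customer", "Elevation of privilege"): 2,
               ("AVL product @customer", "Halt/abnormal"): 2}

if __name__ == "__main__":
    cat = unified_catalogue(MODEL, IMPACTS, LIKELIHOODS)
    for x in risks_at_or_above(cat, 6):
        print(f"{x.risk:2d} {x.domain:8s} {x.element:26s} {x.hazard}")
    for s, f in safety_security_overlap(cat, 6):
        print(f"combined goal: protect '{s.element}' against {s.hazard} -> {f.hazard}")
```

Running it lists the four entries at risk 6 or above and two overlap pairs: tampering on the cross-boundary status flow leading to incorrect data, and privilege elevation on the product leading to a halt, which is exactly where a single safety & security goal (integrity-protected, authenticated transport) covers both domains.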
Design workflow
System concept / architecture -> Safety & security analysis -> Safety & security concept -> Review (iterated)
Results of the security & safety analysis
Topology (diagram labels): AVL product @customer -> mediator unit over non-routable communication (serial interface) -> internet -> AVL infra; no inbound initiation
Security controller
- Secure contactless (NFC) device configuration
- Anti-counterfeiting
- IP protection and feature activation
- Secure SW update
- Secured boot of industrial devices
- Secure TLS client authentication
- Secure communication
Final topology & encryption levels
We utilized ISO/IEC 20922 (MQTT v3.1.1) as data exchange between both clouds
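How the "no inbound initiation" rule and the hardware-backed TLS client authentication fit together with MQTT: the device side opens the only connection, outbound to the cloud broker on the MQTT-over-TLS port, presents its client certificate, and then both publishes status and receives commands over that one device-initiated session. The script below is an added example, not AVL or AIT code: it frames MQTT 3.1.1 CONNECT, PUBLISH and CONNACK packets by hand (so it runs offline) and builds the TLS client context. The topic name, client id, host name and PEM paths are constructed; in the page's design the client key lives in the security controller, here a PEM key path stands in for it (assumption).

```python
"""Added example (not the AVL/AIT code): outbound-only MQTT 3.1.1 (ISO/IEC 20922)
client framing over mutual TLS. Names, topics and paths are constructed."""
import socket
import ssl

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, MSB set = more bytes follow."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)

def mqtt_string(s):
    """UTF-8 string with 2-byte big-endian length prefix."""
    b = s.encode("utf-8")
    if len(b) > 65535:
        raise ValueError("string too long for MQTT")
    return len(b).to_bytes(2, "big") + b

def connect_packet(client_id, keep_alive=60, clean_session=True):
    """CONNECT without username/password: identity comes from the TLS client cert."""
    flags = 0x02 if clean_session else 0x00
    var_header = mqtt_string("MQTT") + bytes([4, flags]) + keep_alive.to_bytes(2, "big")
    body = var_header + mqtt_string(client_id)
    return bytes([0x10]) + encode_remaining_length(len(body)) + body

def publish_packet(topic, payload, qos=0, packet_id=None):
    """PUBLISH; QoS 1/2 carry a packet id so the broker can acknowledge."""
    if qos not in (0, 1, 2):
        raise ValueError("qos must be 0, 1 or 2")
    if qos and packet_id is None:
        raise ValueError("QoS > 0 needs a packet id")
    if "+" in topic or "#" in topic:
        raise ValueError("wildcards are not allowed in a PUBLISH topic")
    body = mqtt_string(topic)
    if qos:
        body += packet_id.to_bytes(2, "big")
    body += payload
    return bytes([0x30 | (qos << 1)]) + encode_remaining_length(len(body)) + body

CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}

def parse_connack(pkt):
    """Return (session_present, return_code); reject anything that is not a CONNACK."""
    if len(pkt) != 4 or pkt[0] != 0x20 or pkt[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    if pkt[3] not in CONNACK_CODES:
        raise ValueError(f"unknown CONNACK return code {pkt[3]}")
    return bool(pkt[2] & 0x01), pkt[3]

def make_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Mutual TLS: verify the broker against a pinned CA, present the device cert.
    client_key is a PEM path here; the real design keeps it in the security controller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(ca_file)   # pin the broker's CA, not the system store
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def describe_tls_context(ctx):
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname,
            "minimum_version": ctx.minimum_version.name}

def connect_outbound(host, ctx, client_id, port=8883):
    """Device-initiated session: open TCP+TLS outbound, send CONNECT, check CONNACK.
    Not called in the offline demo below; host is a placeholder."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(connect_packet(client_id))
            session_present, code = parse_connack(tls.recv(4))
            if code != 0:
                raise ConnectionError(CONNACK_CODES[code])
            tls.sendall(publish_packet(f"avl/{client_id}/status", b"online", qos=1, packet_id=1))
            return session_present

if __name__ == "__main__":
    print(connect_packet("dev-0001").hex())
    print(parse_connack(b"\x20\x02\x00\x05"))      # constructed "not authorized" reply
    print(describe_tls_context(make_tls_context()))
```

Two points worth noticing: the CONNECT carries no credentials at all (flags 0x02, clean session only), so authentication rests entirely on the client certificate the TLS layer presented, and the broker can still answer "not authorized" (code 5) if that certificate is not mapped to a permitted client id, which the client must treat as a hard failure rather than retrying blindly.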
ArrowHead contribution
ISO/IEC 20922 (MQTT) + HW security as enabler for secure inter-cloud communication
Thank you!