Securing The Internet of BIG Things
SANS Automotive Cybersecurity Summit
Detroit, Michigan, May 1-2, 2017
PWBierdeman
Caterpillar: Non-Confidential

Agenda
• Caterpillar
• Security for the Internet of Things (IoT)
• Caterpillar strategy for IoT Security
• Obstacles
• Vision

The Age of Smart Iron
https://youtu.be/hj7bk2X9Zxw

Cat® Machines
• Diverse range of non-road products
• 30+ machine types with multiple models

216B Skid Steer
Skid Steer vs. me (1.78 m, 65 kg)
                    L/W/H (m)             Weight (kg)          Engine
216B Skid Steer     3.23 / 1.52 / 1.95    2589 kg              2.2L Cat® 3024C, 37 kW

797F Mining Truck
                    L/W/H (m)             Weight (kg)          Engine
216B Skid Steer     3.23 / 1.52 / 1.95    2589 kg              2.2L Cat® 3024C, 37 kW
797F Mining Truck   15.08 / 9.76 / 7.71   251998 kg (empty)    106L Cat® C175-20, 2983 kW

Introduction
IoT, the “Internet of Things”, is the network of interconnected devices that optimize daily activity: labor-saving devices, assistants, conveniences, remote access, ...
Caterpillar’s Internet of BIG Things means network connectivity of really big and heavy machines, promoting greater uptime at a lower cost and using data analytics to increase safety, convenience, comfort and energy efficiency.
While improved connectivity enables useful features, it also increases the attack surface for malicious activity. Security vulnerabilities must be minimized to counteract unauthorized intervention by cyber attackers. Information Technology (IT), Operational Technology (OT) and the Industrial Internet of Things (IIoT) all require a secure foundation.
This talk follows an IoT security approach with comments and suggestions drawn from Caterpillar Electronics’ experience.

Industry Standard Approach
This perspective on “Securing the Internet of BIG Things” was adapted as a reference framework to examine lessons learned during Caterpillar’s embedded security journey.
Steps to Address Security for the IoT*:
1. Assess Security Impact in Diverse Environments
2. Apply a Multi-Faceted Security Approach
3. Define Lifecycle Controls
4. Partner for Success
Greater complexity leads to greater security risk.
*Harbor Research: Security for the Internet of Things, 2016.

Security Infrastructure Includes:
• ECU Development Environment: source code & tools
• Service Tools
• Manufacturing / ECU Provisioning
• Cloud
• Flash Files
• User Device
• HSM: Hardware Security Module
• Back Office: web servers & databases
• Product & ECU Onboard Network
• Internet: worldwide communications
• Test labs, tools & pilots
• Customer Fleet
All components must trust each other.

1. Assess Security Impact
Security Risk Assessment (similar to FMEA):
• Identify attackers
• Assess all infrastructure components independently for:
  • Compliance with best practice
  • Physical environment
  • Legal & Regulatory
  • Privacy concerns
  • Communications protocols
  • Who gets data
  • Duration of storage
• Attacker goals: Capture, Disrupt, Manipulate
• Identify attacks
• Determine for each attacker-attack pair the likelihood and impact of an attack (likelihood x impact = risk)
• Identify all attacks with high risk (= high likelihood x high impact)
• Derive countermeasures and recommendations for improvement
• Update every couple of years
Prioritization:
• Only identify attacks with high risk at this point
• At a later point, consider all attacks with
  • high impact (low or medium likelihood)
  • medium impact and high or medium likelihood
• Finally, consider the remaining risks of low impact or low likelihood

Step 1a Assess Security Impact
Embedded Security is NOT THE SAME as Network or PC-based Security
Claim: the IoT Security Baseline is proper IT Security – but...
Network / PC Security:
• Attackers seldom have physical access to target systems
• Very little manipulation and no component replacement
• Attacks can be filtered
• Repairs can be made in a central location
• System updates as needed, when needed
Embedded Security:
• Attackers have constant physical access to all electronics
• Attackers can manipulate or replace all built-in components
• Attackers have unlimited time to try unlimited offline attacks
• Discovered vulnerabilities must be fixed in hundreds or thousands of units
• Products deployed may operate for many years without change
CIA <-> AIC
[Image: Caterpillar Office]

Step 1b Assess Security Impact
Identify Gaps
Caterpillar ECU Security Risk Assessment identifies concerns of embedded systems:
• Enforce Safety & Quality
• Support Brand reputation
• Enable new business opportunities
• Ensure embedded system integrity
• Support Performance metrics
• Prevent unauthorized configurations
• Avoid unauthorized remote manipulation
• Ensure telematics data integrity
• Privacy issues are mostly confidentiality

Step 1c Assess Security Impact
Motivation to do embedded security
• Evolutionary path – incrementally add security components to the current platform
• Revolutionary path – move to an advanced technology platform with native security technologies
⇒ Three motivations for embedded security:
1. Regulatory
   • Enables business in regulated sectors
   • Avoid penalties for non-conformance
2. Quality
   • Reliability & Safety depend on Security
   • Security makes better products
3. Business Models
   • Make money with security
   • Lose money without security

2. Multi-Faceted Security Approach*
• Identity
• Access Controls and User Management
• Encryption
• Analytics
• Network Security
• Balance Security & Usability
These steps enable security processes.
IoT Security Stack:
• Application Security
• Network Security
• Device Security
*Harbor Research: Security for the Internet of Things, 2016.
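Added example (not part of the deck): the attacker-attack risk ranking from the Security Risk Assessment step above, worked through in Python. The attacker names, attack labels and the three-level likelihood/impact scale are constructed assumptions for illustration, not Caterpillar's own assessment values.

```python
# Attacker-attack risk ranking in the tiered review order the deck describes.
# Attackers, attack labels and the three-level scale are constructed assumptions.
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3  # assumed three-level scale for likelihood and impact


@dataclass(frozen=True)
class Pair:
    """One attacker-attack pair from the assessment."""
    attacker: str
    attack: str
    goal: str        # Capture, Disrupt or Manipulate (the deck's attacker goals)
    likelihood: int
    impact: int

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact  # likelihood x impact = risk


def review_tier(p: Pair) -> int:
    """Tier in which a pair is considered, following the deck's ordering:
    1: high likelihood x high impact (the only pairs addressed in the first pass)
    2: high impact with low or medium likelihood
    3: medium impact with high or medium likelihood
    4: everything remaining (low impact or low likelihood)
    """
    if p.likelihood == HIGH and p.impact == HIGH:
        return 1
    if p.impact == HIGH:
        return 2
    if p.impact == MEDIUM and p.likelihood >= MEDIUM:
        return 3
    return 4


def rank(pairs):
    """Order by review tier, then by descending risk score. A raw score order
    would not do: a medium/medium pair scores 4 but is reviewed after a
    low-likelihood/high-impact pair that scores only 3."""
    return sorted(pairs, key=lambda p: (review_tier(p), -p.risk))


# Constructed sample assessment (illustrative values only)
SAMPLE = [
    Pair("Insider with physical access", "Unauthorized configuration", "Manipulate", HIGH, HIGH),
    Pair("Remote attacker", "Telematics data tampering", "Manipulate", LOW, HIGH),
    Pair("Remote attacker", "Back-office service disruption", "Disrupt", MEDIUM, MEDIUM),
    Pair("Curious operator", "Reading diagnostic data", "Capture", HIGH, LOW),
]
```

`rank(SAMPLE)` returns the four pairs in tiers 1 through 4, which is the order the deck says the countermeasure work should be scheduled in.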
Step 2a Multi-Faceted Security Approach
Unique & Cryptographic Identity
Identification: Each device needs a Unique Identity stored in immutable hardware. System integrity must be assured with hardware verification so that participating devices can be trusted to be who they say they are. Software updates must be signed and verified before flash to assure authenticity.
Access & User Management: Devices act as client and server. A unique cryptographic credential must be provisioned by the enrollment system, signed by the “root of trust” and stored in immutable memory; it acts like a device’s “username/password” to authorize its access to system features.

Step 2b Multi-Faceted Security Approach
Encryption & Analytics
Encryption:
• The major challenge with crypto is key management
• Standard symmetric & asymmetric algorithms fit the resources of current systems
• A big challenge is the ability to migrate algorithms to stay effective with long-lived systems
Analytics (Network Traffic):
• Run Time Integrity Check (RTIC) in hardware
• Run time network communications anomaly monitor

Step 2c Multi-Faceted Security Approach
Network Security & Balance
Network Security:
• End-to-end secure sessions are achieved by encrypting at the end points
• Remote initiated
• Assume Internet and wireless networks are untrusted
Right-sized security: HARD TO DO
• Often hard to know what security options exist
• Disconnected assets are exponentially harder to authenticate
• Culture changes slowly (e.g. removing debug complicates troubleshooting)
• Don’t compromise with a global vulnerability

3. Define Lifecycle Controls*
1. Deployment
2. Operations
3. Incident & Remediation
4. Retirement & Disposal
*Harbor Research: Security for the Internet of Things, 2016.
Step 3a Define Lifecycle Controls
Deployment
Deployment trade-offs: Make vs Buy vs Open
• Mismatched COTS (Commercial Off the Shelf) abstractions
• Internet protocols are verbose
• (Generally, proprietary solutions are weak)
• Standard PKI (Public Key Infrastructure) is a poor fit with embedded systems
• Keys & certs that outlast the HSM (Hardware Security Module) vendor
• Untrusted real time clock for cert expiration
• Combining legacy with new tech
Provision Security at ECU manufacturer:
• Secure Key Injection
• Secure manufacturing process
Security tests:
• Penetration test – with production application
• Isolate development/test vs releases
• Certification test – Conformance level
Cat products are expected to serve decades, not just years as some IoT “things” do.

Step 3b Define Lifecycle Controls
Operation to Retirement
Operations (Device & Infrastructure):
• Verified boot, authenticated flash
• Over The Air flash update
• Full machine flash through Gateway
Incident & Remediation:
• On Demand Verify – “Remote Attestation”
• Ties back to “Analytics” (RTIC)
• Isolate network services to halt potential compromise while maintaining local availability
• Extends Continuous Product Improvement program
Retirement & Disposal:
• Cultural change with machines built to last decades
• Covers the data lifecycle as well as the device lifecycle

4. Partnering for Success
Don’t “go it alone”. Partner with:
• Subject matter experts
• Industry standards
• Commercial & Open Source
• Silicon architectures
How:
• Leverage industry standards & protocols – avoid proprietary obscurity
• Contract security consultants with industry expertise
• COTS (commercial off the shelf) crypto library – avoid custom solutions and maintenance
• Research concepts and alternative technologies
• Security Risk Assessments & Pen Test experts
• Silicon security architecture: Root of Trust
• Hardware Security Module: rack mount, smart cards
• Operating System security features

IT vs OT: Added Security Dimensions
Priorities (order of importance)
• Information Technology: Confidentiality, Availability, Integrity
• Operational Technology: Integrity, Availability, Confidentiality
Additional priorities (OT): Safety, Control
Challenges
• Information Technology:
  ► Users are primary threat vectors: Intellectual Property; Personal Information (PII and/or PHI); Financial data
  ► Sophisticated threat actors – often state funded
  ► General awareness of threats
  ► Mature vulnerability & patch management
  ► Threat Actor Motives: financial, economic/cyber espionage
• Operational Technology:
  ► Devices/equipment/applications are primary threat vectors: Physical damage, incorrect operation; Threaten physical safety; Extortion: Safety or Disclosure
  ► Researchers, Customer Security Reviews, Sophisticated threat actors
  ► Awareness of threats and threat actors is relatively low
  ► Vulnerability & patch management challenges
  ► Threat Actor Motives: physical safety, damage, extortion, disclosure
Consequences
COMMON CONSEQUENCES: IP theft || Reputational damage || Non-compliance
• Information Technology:
  ► Loss of customer trust & confidence
  ► Loss of financial information
  ► Loss of revenue
  ► Loss of Intellectual Property
• Operational Technology:
  ► Loss of customer trust & confidence
  ► Loss of brand value
  ► Damage to equipment
  ► Human health and safety issues
  ► Loss of Intellectual Property (shop floor automation)
  ► Direct financial impacts

Obstacles
• The threat is real, persistent & changing
• Intermittent connection to back office
• Incomplete security standards – leads to – proprietary solutions
• Coexistence between competing standards
• Resistance to change – historical constraints
• Dealing with legacy products
• Decaying algorithm strength – prepare for change

Vision
• Awareness – universally understood security terms
• Conformance levels that advertise the security target goal
• Certification test to assure alignment to the security goal
• No security inventions needed – standard solutions leveraged
• Balanced Security with Usability – “Right sized”
• Convergence of IT, OT, IIoT & IoT security
• Ubiquitous patching
• Prevent – Detect – React

© 2017 Caterpillar. All Rights Reserved. CAT, CATERPILLAR, their respective logos, "Caterpillar Yellow," the "Power Edge" trade dress as well as corporate and product identity used herein, are trademarks of Caterpillar and may not be used without permission.