CWRAF Domains, Technology Groups, Archetypes, and Vignettes

Document version: 0.8.1

Date: February 3, 2012

Project Coordinator:

Document Editor:

Archetypes:

• Web application
• Web browser
• Web browser plugin
• Web client
• Web server
• Web proxy
• J2EE and supporting frameworks

Archetypes:

• Programmable Logic Controller (PLC)
• Embedded Device
• Proprietary Firmware

Potential consequences of successful attack could include blocked/delayed flow of information; unauthorized changes to commands/alarms to damage/shut-down equipment, affect environment, or endanger human life; send inaccurate information to system operators to hide unauthorized changes or cause the operators to initiate inappropriate actions; modify ICS software or configuration settings, or install malware; interfere with operation of safety systems, possibly endangering human life.

According to an INL-NSTB report, confidentiality is less important than integrity, which is less important than availability. Distinctions could be made between sensor data and administrative information.

Archetypes:

• Distributed Control System (DCS)
• SCADA
• Process Control Systems
• Programmable Logic Controller (PLC)
• Remote Terminal Unit (RTU)

Archetypes:

• Smartphone
• PDA
• Laptop

Archetypes:

• Database
• Removable Storage Media

Archetypes:

• General-purpose OS
• Virtualized OS

Archetypes:

• PKI
• Digital certificate
• Privacy management

Archetypes:

• Database
• Document Processing
• General-purpose OS
• Virtualized OS
• Anti-Virus Program
• VPN
• Firewall

Archetypes:

• Infrastructure as a Service (IaaS)
• Platform-as-a-Service (PaaS)
• Software-as-a-Service (SaaS)
• Virtualized OS

Archetypes:

• Anti-Virus Program
• VPN
• Firewall

Archetypes:

• Internet Communications
• Modem Communications
• Wireless Communications
• Router
• VPN
• Firewall

The HMI uses various frameworks (Java, .NET, etc.) with Restful Architecture (AJAX, XML, SOAP, XSL, and WML).

Security incidents might have organizational impacts including financial loss, legal liability, compliance/regulatory concerns, and reputation/brand damage.

Availability is less important - could cause delays in billing but do not directly affect health of the patient.

• Blog entry - privacy considerations and EHR

  quote: Privacy concerns have been the main deterrent to "wiring" medical records... in life-and-death cases, ease of access to patient records can make a critical difference. Electronic medical record breaches open the door to new kinds of discrimination. Imagine a healthy person losing a job opportunity because her family history suggests an elevated risk of a debilitating disease. Imagine embarrassing disclosures based on prescription drug information. Imagine insurers -- let's assume for a moment that not every insurer is scrupulous -- basing payment decisions on information they are not legally allowed to see.

• Hospital Employee's Stolen Laptop Contained Info for 21K Patients

  Birth dates, SSN, insurance information stolen from laptop; employee had downloaded this data to a personal laptop, where it was stored unencrypted.

• Usenix HealthSec '10 report

• Implantable Medical Devices: Security and Privacy for Pervasive, Wireless Healthcare

  Video and slides available at bottom of page.

• Medical device security center - publications
• Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices

  Includes some discussion of properties/priorities

• Improving the Security and Privacy of Implantable Medical Devices

  William H. Maisel, M.D., M.P.H., and Tadayoshi Kohno, Ph.D. N Engl J Med 2010; 362:1164-1166. April 1, 2010

• Usenix HealthSec '10 report

  "Approximately 13 different attacks" reported to FDA. Distinction between "implanted" (pacemakers) vs. "partially embedded" (e.g. insulin pump). Insulin pumps can have remote wireless interfaces, ability to update settings by PC or smartphone. Some mention of keeping "emergency-access" keys - e.g., on wristbands, or implanted in skin (tattoos).

• Insulin Pump Security

  Nate Paul et al.

  Includes an insulin pump system threat model. Smartphones can interact with the pump.

• Security and Privacy for Implantable Medical Devices

  Daniel Halperin, Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H. Maisel. Vol. 7, No. 1 January.March 2008 In "Pervasive Computing"

  ICD (implantable cardiac defibrillators), drug delivery, neurostimulators

• Medical Device Security

  Elliot Sloane, Drexel

• Smart Meters Can Be Hacked: Security Experts
• More Researchers Point to Smart Meter Security Holes
• Smart Metering Communications Issues and Technologies
• Smart Grids and Smart Water Metering in The Netherlands

  Henk Jan Top EC – ICT for Water Management – June 11th, 2010

• Security Pros Question Deployment of Smart Meters

  Kim Zetter - March 4, 2010

• More Researchers Point to Smart Meter Security Holes

  Jordan Robertson, Mar 26, 2010

• Smart Meters Can Be Hacked: Security Experts

  Ken Kalthoff, Oct 9, 2009

• Smart Meter Security: A Work in Progress
• Private Memoirs of a Smart Meter

  Andres Molina-Markham, Prashant Shenoy, Kevin Fu, Emmanuel Cecchet, and David Irwin

• Private Memoirs of a Smart Meter

  Andres Molina-Markham, Prashant Shenoy, Kevin Fu, Emmanuel Cecchet, and David Irwin

• Private Memoirs of a Smart Meter

  Andres Molina-Markham, Prashant Shenoy, Kevin Fu, Emmanuel Cecchet, and David Irwin

Confidentiality of customer energy usage statistics is important (could be used for marketing or "illegal" purposes). Confidentiality, integrity, and availability requirements will vary depending on the specific application. For example, energy usage or billing statistics of customers are generally important for confidentiality (hourly stats could be used for monitoring activities, for example), but availability can vary from minimal (customer Home Area Networks, which have few real-time requirements) to important (portions of AMI networks that require real-time interaction).

Key management is important. Wireless interactions may be common. Some components will not be in physically secure environments. Integrity of metering data is important because of the financial impact on stakeholders. May have different priorities between monitoring and control.

• Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

  Jonathan Pollet, CISSP, CAP, PCIP. July 2010

  Page 16 includes a breakdown of various consequences / vuln types found, focusing on the Operational DMZ (ISA99 level 3). Also talks about AMR and smart meters.

• DRAFT NISTIR 7628 - Smart Grid Cyber Security Strategy and Requiremens

  Includes logical architecture and interfaces, high level security requirements, privacy, C-1 vuln classes, other doc's for control systems

  Appendix A includes Use-Cases with various CIA analyses.

  The functional logical architecture represents a blending of the initial set of use cases and requirements that came from the workshops and the initial NIST Smart Grid Interoperability Roadmap, including the individual logical interface diagrams for the six application areas: electric transportation, electric storage, advanced metering infrastructure (AMI), wide area situational awareness (WASA), distribution grid management, and home area network/business area network (HAN/BAN).

• Cyber Assessment Methods for SCADA Security

  May Robin Permann, Kenneth Rohde. 2005.

  Includes an attack model for "Modifying Alarms and Commands." Primary focus is on vulnerability assessment of COTS.

• Top 10 Most Critical ICS Vulnerabilities

  Quote: "Historian server is used for data archiving and analysis and is typically an integral part of an ICS. It is usually located in a DMZ or on the corporate network. Threats to the historian include compromise of the historian host and data corruption. ICS historians typically utilize a common SQL server as its backend. The historical data is often made available for viewing via a custom Web interface or application."

  Security Goals: confidentiality < integrity < availability

The second greatest threat is the lack of security checks ensuring proper authorization. Many SCADA systems, while providing some form of authentication system, lack the ability to enforce differing levels of access control between users and other critical system functions. Without effective access control design and implementation, for example, an attacker who breaches a SCADA system and who understands the control codes could spoof messages from a sensor resulting in invalid readings that could trigger adverse actions as the system tries to correct an erroneous problem. This attack could easily trigger systemic instability across the facility, including a complete shutdown of the plant or facility if not seriously damaging mission critical systems.

Issues of Confidentiality and Availability are typically less important security concerns for SCADA systems as a category. Network-based denial of service (DoS) attacks, which do not involve the use of stealth commanding of key control systems are unlikely to affect the functioning of the SCADA system. Likewise, network sniffing (eavesdropping) attacks, areless serious threats because eavesdropping on the network traffic of a SCADA system will be only marginally useful to an attacker without special training.

Modify or delete SCADA system monitoring logs, alter sensor readings, or change or corrupt core files used for monitoring the SCADA system via the HMI browser. Because the SCADA system can be remotely monitored and controlled via a web application interface, an attacker who knows which application values to change can control the facility.

Obtain detailed information on the operations of a SCADA facility by reading application data used by the Web-based HMI control apparatus. This could allow an attacker to map out key industrial systems or monitor the operations of the facility covertly.

Help America Vote Act (HAVA) requirements mandate paper audit logs for use by election officials.

Security incidents might facilitate fraud via malicious influence of election process or outcomes, facilitate extortion, coercion, or vote selling, incur Federal regulatory concerns, &amp; erosion of voter confidence.

Security incidents might facilitate fraud via malicious influence of election process or outcomes as well as incur Federal regulatory concerns, and erosion of voter confidence.

Modify or delete election data files, causing DoS or unreliable voting results, or modify DRE system configuration.

Modify or delete voter record data, voting logs, or other core files essential for the election; change votes or modify the voting records, or modify cryptographic keys.

Read voter record information or steal cryptographic keys used for encrypting voting records prior to upload to voting server, or read system/application configuration of the DRE machine.

Read voter record data, voting logs, or other core files essential for the election; read votes or record the voting records in an unauthorized manner, or steal cryptographic keys used to protect vote confidentiality.

Printer fails to print out local record of vote result.

Federal Voting Assistance Program (FVAP) conducted a Pilot internet voting experiment (i.e. the VOI and SERVE initiatives) which were cancelled due to security concerns prior to the implementation phase.

Security incidents might facilitate fraud via malicious influence of election process or outcomes, facilitate extortion, coercion, or vote selling, incur Federal regulatory concerns, and erosion of voter confidence.

Modify or delete election data files, causing DoS or unreliable voting results, or modify Internet Voting system configuration.

Modify or delete voter record data, voting logs, or other core files essential for the election; change votes or modify the voting records, or modify cryptographic keys

Read voter record information or steal cryptographic keys used for encrypting voting records prior to upload to voting server, or read system/application configuration of the Internet Voting system.

Read voter record data, voting logs, or other core files essential for the election; read votes or record the voting records in an unauthorized manner, or steal cryptographic keys used to protect vote confidentiality.

Voters experience difficulty in using Internet Voting System, unpredictable firmware behavior causes delays, lost votes, miscalculated votes, or erosion of voter confidence affecting overall election results and turnout.

Voters experience slow or unresponsive user interface, unpredictable firmware behavior including lag, delays between actions, causes incorrect votes or confusion on the part of the voter. Overall voter confidence is eroded.

Availability is important for users to access the site, since it is the only means of contact between users in initial stages, until other communication channels are used.

Integrity can have some impact on users - modification of profile information could hamper the search for compatible contacts (e.g. through gender or age preferences), delete messages/chat logs between participants, or enable harrassment (e.g. by modifying pictures or descriptions of desired partners).

• Emergency Planning: First Responders
• FEMA puts disaster info into hands of smart-phone users

  "Mobile devices have increasingly become a lifeline for providing information to survivors and emergency personnel after a disaster"

  http://m.fema.gov/ - FEMA site for mobile users, includes claim-filing for federal assistance, etc.