Basic Introduction to STPA for Security (STPA-Sec)

Transcription

BASIC INTRODUCTION TO STPA FOR SECURITY (STPA-SEC)
2020 System-Theoretic Accident Model and Processes (STAMP) Workshop
July 22, 2020
William “Dollar” Young, Jr (PhD)
WYOUNG@MIT.EDU

Acknowledgement & Disclaimer
The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of Syracuse University, the United States Air Force, Department of Defense, Air Combat Command, or the U.S. Government.
This presentation provides only a brief introduction to the 40-hour STPA-Sec Analysis Methodology course.

Tutorial Objective
- These short tutorials are not training classes.
- We cannot cover everything in these tutorial sessions. The objective is just to introduce some of the core concepts and help new attendees follow the workshop presentations.
- Like most techniques, training and practice with a qualified instructor are needed to become proficient.

Overview
- Motivation & Big Ideas
- Security Through a System-Theoretic Lens
- System-Theoretic Process Analysis for Security (STPA-Sec) Practicum
  - Problem Framing
  - Scenario Development
  - Wargaming
- Does it Work in the Real World?
- Ongoing Work and STPA-Sec 2.0
- Summary
To maximize available time, we will continue the exercise John Thomas introduced in yesterday’s STPA tutorial.

Overview (cont.)
- Motivation & Big Ideas
- Security Through a System-Theoretic Lens
- System-Theoretic Process Analysis for Security (STPA-Sec) Practicum
  - Problem Framing
  - Scenario Development
  - Wargaming
- Does it Work in the Real World?
- Ongoing Work and STPA-Sec 2.0
- Summary
Business / mission analysis provides the missing link to implementing security frameworks.

Motivation (1/2): State of the Art
[Figure: lifecycle phases at which security is addressed: Security Concept, Functional Security Req’s, Bake-in, Bolt-on, Patching]
In systems that you are familiar with, in what phase was security first addressed?
Ref: Systems Engineering for Intelligent Transportation Systems
Copyright William Young, 2020

Motivation (1/2): State of the Art (cont.)
[Figure: lifecycle phases at which security is addressed: Security Concept, Functional Security Req’s, Bake-in, Bolt-on, Patching]
The vast majority of current security engineering practice does not address security until after the architecture is well defined.
Ref: Systems Engineering for Intelligent Transportation Systems

Motivation (2/2): Dominant Security Model is Limited in Important Ways
“Clearly, what we need is a way to model threats against computer systems. If we can understand all the different ways in which a system can be attacked, we can likely design countermeasures to thwart those attacks.”
Attack trees are based on fault trees used in safety (and share the same shortfalls based on model weaknesses).
Ref: /attack trees.html

Motivation (2): Dominant Security Model is Limited in Important Ways
The safe is a means to an end within a process:
- Preventing the safe from opening is NOT the overall mission!
- The safe is a form that has been assigned mission-related functionality.
Current security approaches are built on variations of the same linear model Nancy introduced in Monday’s talk!
Ref: /attack trees.html

Motivation (2): Dominant Security Model is Limited in Important Ways (cont.)
The safe is a means to an end within a process:
- Preventing the safe from opening is NOT the overall mission!
- The safe is a form that has been assigned mission-related functionality.
To make progress we need a more powerful model (and process) capable of providing greater insight, earlier in the system engineering lifecycle.
Ref: /attack trees.html

Motivation (3)
[Figure: concept-stage sources of loss: Flawed logic, Conflicting goals, Poor assumptions, Wrong problem, Missing requirements, Incomplete requirements]
The vast majority of security-related losses are related to not applying systems thinking to security during the concept stage.
Ref: Systems Engineering for Intelligent Transportation Systems

Big Idea 1: Secure Form Realizes Secure Concept & Function
- “Form follows function” is a central tenet of system engineering and architecture.
- Generate secure business & mission systems by first defining the secure functionality to be realized.
- Get to security via:
  - Identify the functionality required to solve the problem at hand (but we must understand the problem).
  - Implement all required functionality securely, based on understanding the problem and context.
Architecture defined (Crawley): the embodiment of concept, and the allocation of physical/informational function to elements of form, and definition of interfaces among the elements and with the surrounding context.

Big Idea 2: Build a Strategy to Secure the Key Process (Prevent Mis-behavior That Matters), Then Develop Specific Security Tactics
[Figure: mission or business process model drawn as a basic control loop]
System-Theoretic PROCESS Analysis for Security

What We Need to Get to
“The first thing we need in this process is the ability to state computer security requirements clearly and precisely so that a competent professional can study it for a reasonably short amount of time and say, ‘Oh, yes, I agree. If you build that particular system to that particular requirement, it’s secure enough for that particular purpose.’”
- Donald Good, “The Foundations of Computer Security, We Need Some”
Integrate security principles into systems engineering via Secure Systems Analysis.

From Systems Analysis to Secure Systems Analysis
“A systematic examination of a problem of choice in which each step of the analysis is made explicit wherever possible.”
Malcolm W. Hoag, “An Introduction to Systems Analysis”, RAND Research Memorandum RM-1678, 18 April 1956
[Figure: Secure Systems Analysis at the intersection of Systems Analysis, Security Engineering and Systems Engineering]
STPA-Sec allows the systems analysis framework to be applied to security.

Overview: Security Through a System-Theoretic Lens
- Motivation & Big Ideas
- Security Through a System-Theoretic Lens
- System-Theoretic Process Analysis for Security (STPA-Sec) Practicum
  - Problem Framing
  - Scenario Development
  - Wargaming
- Does it Work in the Real World?
- Ongoing Work and STPA-Sec 2.0
- Summary

Three Types of Cybersecurity Analysis
[Figure: three concerns: Vulnerability Analysis (system vulnerability; the focus for nearly all cybersecurity analysis), Threat Analysis (threat to system and business / mission; most analysis is threat analysis), and Mission or Business Operations (TACTICS)]
Analyzing cybersecurity through a business or mission lens raises framework implementation from a tactics to a strategy issue, but requires a suitable model.

Three Types of Cybersecurity Analysis (2)
[Figure: three concerns: Vulnerability Analysis (system vulnerability; the focus for nearly all cybersecurity analysis), Threat Analysis (threat to system and business / mission; most analysis is threat analysis), and Mission or Business Operations (TACTICS)]
The attack tree only covers two of the three concerns.

Returning to Our Attack Tree
[Figure: attack tree levels: System (Component) Impact, System Vulnerabilities, Threat Attacks]
The tacit assumption is that the security problem is protecting the safe contents, but we need to understand the mission (process) in order to identify the right actions to take.
Ref: /attack trees.html

Returning to Our Attack Tree (cont.)
[Figure: attack tree levels: System (Component) Impact, System Vulnerabilities, Threat Attacks]
Mission impact, not system impact, is what matters most.
Ref: /attack trees.html

RISK = THREAT x VULNERABILITY x IMPACT
[Figure: investment leverage over the three factors, greatest over Impact]
We have most control over impact!

Martin Libicki on Network Security
“Start with the problem of preventing effects arising from misinstructed systems, often understood as ‘defending networks.’ As noted earlier, such a task might otherwise be understood as an engineering task—how to prevent errant orders from making systems misbehave. One need look no further than Nancy Leveson’s Safeware to understand that the problem of keeping systems under control in the face of bad commands is a part of a more general problem of safety engineering, a close cousin of security engineering as Ross Anderson’s classic of the same name expounds.”
Preventing unacceptable losses due to system misbehavior from misinstruction is shared by safety and security engineering.
Reference: “Cyberspace is not a Warfighting Domain”

Basic Control Loop
[Figure: a controller (control algorithm plus process model, i.e. beliefs) issues control actions to the controlled process and receives feedback from it]
- Provides another way to think about losses.
- Forms the foundation for STAMP/STPA/CAST/STPA-Sec.

Another Look at Nancy’s Warsaw Reverse Thrusters Loss Example from Monday

[Figure: control structure for the Warsaw example]
System Hazard: Aircraft does not decelerate on landing.
Pilots (decision making): Pilot applies thrust reversers after aircraft lands.
HCA: TRC deploys thrust reversers too late after aircraft lands.
Thrust Reverse Controller (control algorithm; process model / beliefs): believes aircraft has not landed.
Feedback: Wheel speed 72 kts; WoW 6T (but aircraft has landed).
Controlled process: wet runway (hydroplane), crosswind landing.
Could this be exploited by an adversary?
(John Thomas, 2019; jthomas4@mit.edu) Copyright John Thomas 2019

STRIDE Mnemonic for Generating Security Scenarios (Shostack)
- Spoofing – Pretending to be something or someone you’re not
- Tampering – Modifying something you’re not supposed to modify
- Repudiation – Claiming you didn’t do something (whether you did or didn’t)
- Information Disclosure – Exposing information to people who are not authorized to see it
- Denial of Service – Attacks meant to prevent a system from providing service, including by crashing it, making it unusably slow or filling all of its storage
- Elevation of Privilege – When a program or user is technically able to do things that they aren’t supposed to do
We will NOT be using STRIDE to generate scenarios.
Ref: Shostack, Threat Modeling: Designing for Security

STRIDE Mnemonic for Generating Security Scenarios (Shostack) (cont.)
- Spoofing – Pretending to be something or someone you’re not
- Tampering – Modifying something you’re not supposed to modify
- Repudiation – Claiming you didn’t do something (whether you did or didn’t)
- Information Disclosure – Exposing information to people who are not authorized to see it
- Denial of Service – Attacks meant to prevent a system from providing service, including by crashing it, making it unusably slow or filling all of its storage
- Elevation of Privilege – When a program or user is technically able to do things that they aren’t supposed to do
We will use STRIDE to categorize attacks and as a bridge to security experts who will help develop solutions.
Ref: Shostack, Threat Modeling: Designing for Security

Nancy’s Safety Example Captures the OUTCOMES of Successful Attacks!
Hazard: Inadequate aircraft deceleration after landing
Causal scenario element: feedback indicates plane has not landed
STRIDE categories: Spoofing, Tamper, Denial of Service
How might we categorize this part of the causal scenario?

Nancy’s Safety Example Captures the OUTCOMES of Successful Attacks! (cont.)
Hazard: Inadequate aircraft deceleration after landing
Causal scenario element: “Plane has not landed”
STRIDE categories: Tamper, Spoofing
How might we categorize this part of the causal scenario?

Nancy’s Safety Example Captures the OUTCOMES of Successful Attacks! (cont.)
Hazard: Inadequate aircraft deceleration after landing
Causal scenario element: “Plane has landed”
STRIDE categories: Denial of Service, Tamper, Spoofing
How might we categorize this part of the causal scenario?

Nancy’s Safety Example Captures the OUTCOMES of Successful Attacks! (cont.)
Hazard: Inadequate aircraft deceleration after landing
Causal scenario element: “Apply thrust reversers”
STRIDE categories: Spoofing, Tamper
How might we categorize this part of the causal scenario?

Nancy’s Safety Example Captures the OUTCOMES of Successful Attacks! (cont.)
Hazard: Inadequate aircraft deceleration after landing
Causal scenario element: “Ignore command”
STRIDE category: Tamper
How might we categorize this part of the causal scenario?

Overview: STPA-Sec Practicum
- Motivation & Big Ideas
- Security Through a System-Theoretic Lens
- System-Theoretic Process Analysis for Security (STPA-Sec) Practicum
  - Problem Framing
  - Scenario Development
  - Wargaming
- Does it Work in the Real World?
- Ongoing Work and STPA-Sec 2.0
- Summary
Business / mission analysis provides the missing link to implementing security frameworks.

System Security with System-Theoretic Process Analysis for Security (STPA-Sec)
[Figure: STPA-Sec builds on STPA hazard analysis, which builds on the STAMP model of a controlled process]
- Problem framing
- Identify accidents and hazards
- Draw the functional control structure
- Identify unsafe/unsecure control actions
- Identify security-related causal scenarios
- Wargame*
* Security extension

Based on the Airbus A330 airliner, a KC-30 refuels an F-16.
Boom: Flying a boom is like flying a glider behind the tanker. You have full control authority: up, down, left, right, extend, retract. Max extension to 23 ft (7.6 m), 10° left/right, 15° up/down.

STPA (Leveson and Thomas, 2018)
1) Define purpose of the analysis: identify losses, hazards
2) Model the control structure
3) Identify unsafe control actions
4) Identify loss scenarios

STPA (Leveson and Thomas, 2018), with problem framing
1) Define purpose of the analysis: problem framing (define system boundary: environment / system); identify losses, hazards
2) Model the control structure
3) Identify unsafe control actions
4) Identify loss scenarios
Problem framing is added to defining the purpose of the analysis.

Problem Framing

Problem Framing is Required for Wicked Problems
[Figure: stakeholder perspectives: Acquisition, Ops, Intel, Engineering]
“By now we are all beginning to realize that one of the most intractable problems is that of defining problems (of knowing what distinguishes an observed condition from a desired condition) and of locating problems (finding where in the complex causal networks the trouble really lies). In turn, and equally intractable, is the problem of identifying the actions that might effectively narrow the gap between what-is and what ought-to-be.”
Dilemmas in a General Theory of Planning. Horst Rittel and Melvin Webber, 1974
Wicked problems require framing before any progress can be made.

Problem Framing in Security
“Everything about this [cybersecurity] problem is complex: the technology, the policy, the interaction of technology and policy, also the politics, the economics, and the sociology. They’re complex in many dimensions and their complexity is increasing over time; it’s what is known as a wicked problem.”
- Bruce Schneier, Click Here to Kill Everybody
Security is a wicked problem.

Problem Framing Challenges in Security
- Determining life cycle security concepts
- Defining & specifying security objectives
- Defining & specifying security requirements
- Determining measures of success
“Many systems fail because their designers protect the wrong things, or protect the right things in the wrong way” – Ross Anderson, “Security Engineering”
Security analysis provides a rigorous manner to identify what to protect and how to protect it.

Problem Framing in Security Done Right Can Be Powerful
- A military program office used the results of STPA-Sec problem framing to support limiting device functionality during a service-life extension.
- A major billion-dollar military program office used STPA-Sec problem framing to gain sponsor approval to remove features.

Defining and Framing the Problem
- Overview: synthesize a concise statement that describes what the system is supposed to do.
- Elicit purpose, method, goals through discourse with stakeholders (& documents).
- Craft the description of the functional model: “A System to do {What: Purpose} by means of {How: Method} in order to contribute to {Why: Goals}”
- Method will normally be a set of high-level activities representing stakeholders’ essential tasks / activities.

Example: Derived Load Alleviation System Problem Framing
PROBLEM: A system to reduce structural loading on the boom and inadvertent disconnects
METHOD: By means of measuring loads, calculating corrections, adjusting boom position and movement
GOAL: In order to contribute to faster cycle times and lower operating costs
CONSTRAINTS / RESTRAINTS: While maximizing system autonomy and maintaining safety of flight.
The STPA-Sec process generates meaningful dialogue and learning that sets the foundation for subsequent analysis.

STPA Step 1: Define Purpose of the Analysis
What are some losses?
- L1: Loss of life or injury
- L2: Damage to aircraft
- L3: Loss of refueling mission
What are some aircraft-level hazards?
- H1: Aircraft violate minimum separation for refueling [L1,2,3]
- H2: Aircraft airframe integrity is degraded [L1,2,3]
- [...]
After problem framing, the rest of Part 1 is the same except for adding security-specific losses and hazards.

STPA Step 1: Define Purpose of the Analysis (cont.)
What are some losses?
- L1: Loss of life or injury
- L2: Damage to aircraft
- L3: Loss of refueling mission
What are some aircraft-level hazards?
- H1: Aircraft violate minimum separation for refueling [L1,2,3]
- H2: Aircraft airframe integrity is degraded [L1,2,3]
- [...]
Can you think of any security-specific losses?

STPA Step 1: Define Purpose of the Analysis (cont.)
What are some losses?
- L1: Loss of life or injury
- L2: Damage to aircraft
- L3: Loss of refueling mission
- L4: Loss of Critical Protected Information (CPI)
What are some aircraft-level hazards?
- H1: Aircraft violate minimum separation for refueling [L1,2,3]
- H2: Aircraft airframe integrity is degraded [L1,2,3]
- [...]
Loss of CPI is a security-related loss that falls outside the traditional definition of safety, but within the definition Nancy provided on Monday.

STPA Step 1: Define Purpose of the Analysis (cont.)
What are some losses?
- L1: Loss of life or injury
- L2: Damage to aircraft
- L3: Loss of refueling mission
- L4: Loss of Critical Protected Information (CPI)
What are some aircraft-level hazards?
- H1: Aircraft violate minimum separation for refueling [L1,2,3]
- H2: Aircraft airframe integrity is degraded [L1,2,3]
- [...]
What is a hazard associated with loss of CPI?

STPA Step 1: Define Purpose of the Analysis (cont.)
What are some losses?
- L1: Loss of life or injury
- L2: Damage to aircraft
- L3: Loss of refueling mission
- L4: Loss of Critical Protected Information (CPI)
What are some aircraft-level hazards?
- H1: Aircraft violate minimum separation for refueling [L1,2,3]
- H2: Aircraft airframe integrity is degraded [L1,2,3]
- [...]
- Hn: Aircraft CPI exposed to unauthorized individual
Exposing aircraft CPI is a hazard that must be controlled.
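The Step 1 bookkeeping above (losses, hazards, and the [L1,2,3] traceability tags) is the part of the analysis a reviewer checks first, because a loss with no hazard tracing to it is exactly the gap the security-specific loss L4 exposes. The following is an added example, not code from the tutorial or from the STAMP workshop: it encodes the losses and hazards from the slides for the tanker boom example and runs the two checks a reviewer would want, that every hazard cites only defined losses and that every loss is covered by at least one hazard. The hazard identifier "Hn" is kept as the slide wrote it.

```python
"""STPA-Sec Step 1 bookkeeping: losses, hazards and their traceability.

Added example (not from the tutorial slides). Loss and hazard texts and
the hazard-to-loss links are taken from the slides; the check functions
are the example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Loss:
    ident: str
    text: str


@dataclass(frozen=True)
class Hazard:
    ident: str
    text: str
    losses: tuple  # identifiers of the losses this hazard can lead to


LOSSES = {
    "L1": Loss("L1", "Loss of life or injury"),
    "L2": Loss("L2", "Damage to aircraft"),
    "L3": Loss("L3", "Loss of refueling mission"),
    "L4": Loss("L4", "Loss of Critical Protected Information (CPI)"),
}

HAZARDS = {
    "H1": Hazard("H1", "Aircraft violate minimum separation for refueling",
                 ("L1", "L2", "L3")),
    "H2": Hazard("H2", "Aircraft airframe integrity is degraded",
                 ("L1", "L2", "L3")),
    "Hn": Hazard("Hn", "Aircraft CPI exposed to unauthorized individual",
                 ("L4",)),
}


def dangling_loss_references(hazards, losses):
    """Hazard ids that cite a loss id never defined in Step 1."""
    return sorted(h.ident for h in hazards.values()
                  if any(l not in losses for l in h.losses))


def uncovered_losses(hazards, losses):
    """Loss ids that no hazard traces to: a gap in the analysis."""
    covered = {l for h in hazards.values() for l in h.losses}
    return sorted(l for l in losses if l not in covered)


def losses_for(hazard_id, hazards, losses):
    """Human-readable losses behind a hazard's [L...] tag."""
    return [losses[l].text for l in hazards[hazard_id].losses]


def without(hazards, hazard_id):
    """The hazard table with one entry removed (used to show a gap)."""
    return {k: v for k, v in hazards.items() if k != hazard_id}


if __name__ == "__main__":
    print("uncovered with Hn:", uncovered_losses(HAZARDS, LOSSES))
    print("uncovered without Hn:", uncovered_losses(without(HAZARDS, "Hn"), LOSSES))
```

Running it with the safety-only hazards (H1, H2) reports L4 as uncovered; adding Hn closes the gap, which is the point the slides make about security-specific hazards.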

STPA (Leveson and Thomas, 2018)
1) Define purpose of the analysis: identify losses, hazards
2) Model the control structure
3) Identify unsafe control actions
4) Identify loss scenarios
Phase 2 remains the same.

Our Control Structure From Yesterday: Tanker Boom Operation
[Figure: control structure]
- Boom Operator -> Boom Control Unit (BCU): Manual Boom Position, Toggle Mode Cmd, BCU On/Off
- BCU -> Boom Operator: Synthetic feedback feel, Boom position, Boom coupled
- BCU -> Boom: Control Surface Movement (x,y,z)
- Boom -> BCU: Boom position sensor, Boom contact sensor, Boom force sensors
- Boom -> Boom Operator: Visual Position (3D Video)
(Thomas, 2020. Please contact JThomas4@MIT.EDU with any questions!) Copyright John Thomas 2020

STPA (Leveson and Thomas, 2018)
1) Define purpose of the analysis: identify losses, hazards
2) Model the control structure
3) Identify unsafe control actions
4) Identify loss scenarios
Phase 3 remains the same.

Analyze Control Actions: Tanker Boom Operation
[Figure: control structure]
- Boom Operator -> Boom Control Unit (BCU): BCU On/Off, Manual Boom Position, Toggle Mode Cmd
- BCU -> Boom Operator: Synthetic feedback feel, Boom position, Boom coupled
- BCU -> Boom: Control Surface Movement (x,y,z)
- Boom -> BCU: Boom position sensor, Boom contact sensor, Boom force sensors
- Boom -> Boom Operator: Visual Position (3D Video)
(Thomas, 2020. Please contact JThomas4@MIT.EDU with any questions!)

Identify Unsafe (Hazardous) Control Actions
Suppose the Boom is Not Coupled. Control action analyzed: Control Surface Movement Cmd (Boom Operator -> BCU -> Boom).
Not providing causes hazard:
- BCU does not provide Movement Cmd when Boom Operator moves Stick
- [...]
Providing causes hazard:
- BCU provides Movement Cmd when Boom Operator does not move Stick
- BCU provides Movement Cmd when Boom Operator has turned BCU Off
- BCU provides Movement Cmd in wrong direction (does not match Stick direction)
- BCU provides excessive Movement Cmd beyond amount of Stick movement [insufficient, oscillatory, repetitive, etc.]
- [...]
Too early, too late, order:
- BCU provides Movement Cmd too late (more than TBD sec) after Boom Operator moves Stick
- BCU provides Movement Cmd too early (< 0 s) before Boom Operator moves Stick
- [...]
Stopped too soon / applied too long:
- BCU continues providing Movement Cmd too long after Boom reaches position commanded by Stick
- BCU continues providing Movement Cmd too long after Boom position exceeds TBD
- BCU stops providing Movement Cmd too soon before Boom reaches position commanded by Stick
- [...]
Is this safety or security? Both!
(Thomas, 2020. Please contact JThomas4@MIT.EDU with any questions!)
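The table above is built the same way every time: each UCA type (not provided, provided, wrong timing, stopped too soon / applied too long) is crossed with each context in which the control action's safety differs, every pair is reviewed, and the hazardous pairs are written out as UCAs that trace back to the Step 1 hazards. The following is an added example, not code from the tutorial or from John Thomas's analysis, that performs that enumeration for the BCU's Movement Cmd. The contexts and sentence forms come from the slide; which pairs are judged hazardous, and which hazards (H1, H2) they trace to, are assumptions made for the example, as an analyst's judgement would be.

```python
"""STPA Step 3 helper: enumerate unsafe control action (UCA) candidates.

Added example, not from the tutorial slides. The hazardous / not-hazardous
judgements and the hazard links in JUDGED_HAZARDOUS are assumed for the
example; "TBD sec" is kept from the slide.
"""
from itertools import product

CONTROLLER = "BCU"
ACTION = "Movement Cmd"

# The four UCA types from the table, each with a sentence template.
TEMPLATES = {
    "not provided": "{c} does not provide {a} when {ctx}",
    "provided": "{c} provides {a} when {ctx}",
    "too early / too late": "{c} provides {a} too late (more than TBD sec) after {ctx}",
    "applied too long": "{c} continues providing {a} too long after {ctx}",
}

# Contexts that change whether the action is safe (from the slide).
CONTEXTS = [
    "Boom Operator moves Stick",
    "Boom Operator does not move Stick",
    "Boom Operator has turned BCU Off",
    "Boom reaches position commanded by Stick",
]

# Analyst judgement (assumed for the example): the hazardous pairs and
# the Step 1 hazards they can lead to. H1 = minimum separation violated,
# H2 = airframe integrity degraded.
JUDGED_HAZARDOUS = {
    ("not provided", "Boom Operator moves Stick"): ("H1",),
    ("provided", "Boom Operator does not move Stick"): ("H1", "H2"),
    ("provided", "Boom Operator has turned BCU Off"): ("H1", "H2"),
    ("too early / too late", "Boom Operator moves Stick"): ("H1",),
    ("applied too long", "Boom reaches position commanded by Stick"): ("H2",),
}


def candidate_pairs(templates=TEMPLATES, contexts=CONTEXTS):
    """Every (type, context) pair the analyst must review."""
    return list(product(templates, contexts))


def enumerate_ucas(templates=TEMPLATES, contexts=CONTEXTS, judged=JUDGED_HAZARDOUS):
    """Review each pair; keep the hazardous ones as numbered UCA records."""
    ucas = []
    for utype, ctx in candidate_pairs(templates, contexts):
        hazards = judged.get((utype, ctx))
        if not hazards:
            continue  # reviewed and judged not hazardous in this context
        ucas.append({
            "id": f"UCA-{len(ucas) + 1}",
            "type": utype,
            "text": templates[utype].format(c=CONTROLLER, a=ACTION, ctx=ctx),
            "hazards": hazards,
        })
    return ucas


def ucas_for_hazard(hazard_id, ucas):
    """Reverse traceability: which UCAs can lead to a given hazard."""
    return [u["id"] for u in ucas if hazard_id in u["hazards"]]


def unreviewed(judged=JUDGED_HAZARDOUS, templates=TEMPLATES, contexts=CONTEXTS):
    """Judgements keyed on a pair outside the candidate set (a typo in
    a type or context name would otherwise silently drop a UCA)."""
    pairs = set(candidate_pairs(templates, contexts))
    return sorted(k for k in judged if k not in pairs)


if __name__ == "__main__":
    for uca in enumerate_ucas():
        print(uca["id"], uca["text"], uca["hazards"])
```

Sixteen pairs are reviewed and five survive as UCAs; the same table drives Step 4, since each UCA becomes the "what" that a loss scenario (or, later, a wargamed attack) must explain.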

STPA (Leveson and Thomas, 2018), with security extensions
1) Define purpose of the analysis: problem framing (define system boundary: environment / system); identify losses, hazards
2) Model the control structure
3) Identify unsafe control actions
4) Identify loss scenarios: security-specific scenarios; wargaming
Phase 4 adds security-specific scenario generation and wargaming.

Developing Security Scenarios

Challenges to Developing Security-Related Scenarios Using the Traditional Model
- Difficult to understand interactions among components
- Difficult to capture “non-technical” aspects (e.g. policy)
- May waste effort on scenarios that aren’t valued by stakeholders
- Difficult to calibrate how secure is “secure enough”
- Requires a complete or nearly complete architecture

Security Scenarios with STPA-Sec
- Best practice is to have safety and security experts developing scenarios together
- Generate more scenarios with more interactive complexity
- STPA-Sec scenarios help identify functional vulnerabilities
- Scenarios developed using STPA analysis (formal STPA, if available)
- Security-related tools such as STRIDE can be used to classify attacks and translate results for security-related solutions
Security scenarios are often the same as “safety” scenarios, but have security-related causes and solutions.

Let’s Walk Through a Scenario John Thomas Identified as Being Safety or Security
Scenario: BCU provides excessive Movement Command when Boom not in contact because BCU has a flawed control algorithm.

Security-Related Scenarios
- To launch a successful cyber attack, the adversary has to solve their own control problem.
[Figure: the adversary’s control problem: Exploit [Controller] Provides [Behavior] Update to BCU Control Algorithm [Control Action] when ... [Context]]
These are the same elements as a hazardous (unsafe) control action.

Security-Related Scenarios (cont.)
- To launch a successful cyber attack, the adversary has to solve their own control problem.
[Figure: the adversary’s control problem: Exploit [Controller] Provides [Behavior] Update to BCU Control Algorithm [Control Action] when ... [Context]]
The adversary has to solve their own control problem to cause the hazardous scenario (via a successful attack) on our system!

Security-Related Scenarios (cont.)
- To launch a successful cyber attack, the adversary has to solve their own control problem.
[Figure: the adversary’s control problem: Exploit [Controller] Provides [Behavior] Update to BCU Control Algorithm [Control Action] when ... [Context]]
Might viewing security through this lens open entirely new opportunities to build more secure systems?

Security-Related Scenarios (cont.)
- To launch a successful cyber attack, the adversary has to solve their own control problem.
[Figure: the adversary’s control problem: Exploit [Controller] Provides [Behavior] Update to BCU Control Algorithm [Control Action] when ... [Context]]
We will discuss this in much greater detail as part of wargaming.

WARGAMING

Wargaming History
- Help officers visualize and adapt to changing and unpredictable socio-technical events
- “Free, practical, artistic activity” that set conditions for success
- Part of a learning toolkit: predict what hasn’t happened yet
- “Discover weaknesses before adversaries do”
- Helps combat against “failures of imagination”
- Combat cognitive bias
[Image: Von Moltke the Elder]
Wargaming is pen-testing your security concept.

Wargaming in Security Engineering
- Adds a human adversary into the process
- “Thinking adversary” is often highlighted as the difference between safety and security
- Captures well-intentioned “work-arounds” necessary to execute missions but posing hazard (safety connection)?
- Provides insight into feasibility and level of effort necessary to execute scenarios
- Can point out unintended bias and facilitate new insights into novel solutions

STPA-Sec Wargaming Approach
- Begins at the concept stage of the engineering design lifecycle
- Assess classes of attacks that can produce particular scenarios identified via STPA-Sec (or STPA)
- Assess potential effectiveness of classes of controls
- Understand complexity of executing classes of attacks
- Supports assessment of operational risk associated with particular functions or features under consideration

STPA-Sec Wargaming Approach (cont.)
[Figure: cycle of Blue Move -> Red Move -> Assess Costs -> Assess Effects]
- Blue Move: Blue identifies the scenario of interest and initial countermeasures
- Red Move: Red identifies ways to implement the scenario with the Blue countermeasures in place
- Assess Costs: assess cost of the countermeasure approach, cost of attack, complexity of attack, etc.
- Assess Effects: evaluate effects of the attack, given countermeasures
STPA-Sec wargaming can be implemented through any preferred methodology (e.g. DoD Cyber Table Top).

DoD Cyber Table Top
CTTs can be used at any time in the system life cycle.
Ref: DoD Cyber Table Top Guidebook Version 1.0

DoD Cyber Table Top (cont.)
Let’s look at STPA-Sec support to early CTT.
Ref: DoD Cyber Table Top Guidebook Version 1.0

Identifying the Sub-System Under Analysis in CTT
The previously developed control structure captures the functions of the sub-system under analysis.
Ref: DoD Cyber Table Top Guidebook Version 1.0

Identifying the Sub-System Under Analysis in CTT (cont.)
The control structure is representative of the level of detail available very early in the concept stage of the system development lifecycle.
Ref: DoD Cyber Table Top Guidebook Version 1.0

DoD Cyber Table Top (CTT) Process
Ref: DoD Cyber Table Top Guidebook Version 1.0

STPA-Sec Wargaming Using DoD Cyber Table Top (CTT)
Scenario: BCU provides excessive Movement CMD when Boom is in Contact because BCU believes Boom is Not in contact due to delayed pulse feedback.
Begin the move with the HCA and scenario identified via STPA-Sec (or STPA).
Ref: DoD Cyber Table Top Guidebook Version 1.0

STPA-Sec Wargaming Using DoD Cyber Table Top (CTT): Step 1 - OPFOR Describes Broad Class of Attack and Goals
Scenario: BCU provides excessive Movement CMD when Boom is in Contact because BCU believes Boom is Not in contact due to delayed pulse feedback.
Based on the scenario, what are the relevant effects of a successful attack on the sub-system under analysis (BCU)?
Ref: DoD Cyber Table Top Guidebook Version 1.0

STPA-Sec Wargaming Using DoD Cyber Table Top (CTT): Step 1 - OPFOR Describes Broad Class of Attack and Goals (cont.)
Scenario: BCU provides excessive Movement CMD when Boom is in Contact because BCU believes Boom is Not in contact due to delayed pulse feedback.
A successful attack will delay pulse feedback.
Examining the control structure provides additional insight into the broad class(es) of potential attacks.
Ref: DoD Cyber Table Top Guidebook Version 1.0

STPA-Sec Wargaming Using DoD Cyber Table Top (CTT): Step 1 - OPFOR Describes Broad Class of Attack and Goals (cont.)
[Figure: control structure with the affected element highlighted: Delayed Pulse Feedback]
What element(s) does the attack impact?
Ref: DoD Cyber Table Top Guidebook Version 1.0

STPA-Sec Wargaming Using DoD Cyber Table Top (CTT): Step 1 - OPFOR Describes Broad Class of Attack and Goals (cont.)
[Figure: control structure with the affected element highlighted: Delayed Processing of Pulse Feedback]
What element(s) does the attack impact?
Ref: DoD Cyber Table Top Guidebook Version 1.0
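The wargamed scenario above (BCU provides excessive Movement Cmd when the Boom is in contact because delayed pulse feedback leaves the BCU believing it is not) is a process-model failure, and the Blue move that follows is a countermeasure on the controller side rather than on the attacker. The following is an added example, not code from the tutorial or from the DoD Cyber Table Top Guidebook, that models the scenario as a small control loop and shows one class of countermeasure Blue might table: the BCU compares the age of its contact feedback against a limit and, when the feedback is stale, treats the contact state as unknown and holds movement to the coupled limit instead of trusting its last belief. It assumes each contact pulse carries a sensor-side timestamp the BCU can compare with its own clock (without that, a steady stream of old pulses would look fresh); the pulse period, staleness limit and rate limits are constructed values.

```python
"""Added example, not from the slides or the CTT guidebook: the delayed
pulse feedback scenario as a control loop, with and without a feedback
staleness check in the BCU. All timing and rate values are constructed.
"""
from dataclasses import dataclass

PULSE_PERIOD_MS = 20       # constructed: contact sensor reports every 20 ms
MAX_FEEDBACK_AGE_MS = 50   # constructed: older feedback is treated as unknown
FULL_RATE = 1.0            # movement allowed when the boom is free
COUPLED_RATE = 0.2         # constructed: movement limit while in contact


@dataclass
class ContactPulse:
    sent_ms: int           # sensor-side timestamp (assumed to be available)
    in_contact: bool


@dataclass
class BCU:
    """Boom Control Unit: control algorithm plus a process model (belief)."""
    check_staleness: bool
    believed_in_contact: bool = False
    last_pulse_sent_ms: int = -10**9   # no feedback received yet

    def receive(self, pulse: ContactPulse) -> None:
        # Feedback updates the process model.
        self.believed_in_contact = pulse.in_contact
        self.last_pulse_sent_ms = pulse.sent_ms

    def feedback_age_ms(self, now_ms: int) -> int:
        return now_ms - self.last_pulse_sent_ms

    def movement_cmd(self, now_ms: int, stick: float) -> float:
        """Control action: scale the operator's stick demand by the
        rate allowed for the contact state the BCU believes (or knows)."""
        stale = self.feedback_age_ms(now_ms) > MAX_FEEDBACK_AGE_MS
        if self.check_staleness and stale:
            # Countermeasure: unknown contact state is treated as coupled.
            limit = COUPLED_RATE
        else:
            limit = COUPLED_RATE if self.believed_in_contact else FULL_RATE
        return stick * limit


def run_scenario(check_staleness: bool, delay_ms: int) -> dict:
    """Boom becomes coupled at t = 100 ms; contact pulses reach the BCU
    delay_ms late; the operator holds full stick at t = 200 ms.
    Returns the command issued and whether it exceeded the coupled limit
    while the boom was actually in contact (the wargamed hazard)."""
    bcu = BCU(check_staleness=check_staleness)
    times = range(0, 201, PULSE_PERIOD_MS)
    actual_contact = {t: t >= 100 for t in times}
    # Deliver only the pulses that have arrived by t = 200 ms.
    for t in times:
        if t + delay_ms <= 200:
            bcu.receive(ContactPulse(sent_ms=t, in_contact=actual_contact[t]))
    cmd = bcu.movement_cmd(now_ms=200, stick=1.0)
    return {
        "command": cmd,
        "feedback_age_ms": bcu.feedback_age_ms(200),
        "excessive": actual_contact[200] and cmd > COUPLED_RATE,
    }


if __name__ == "__main__":
    for check in (False, True):
        for delay in (0, 150):
            print(f"staleness check={check} delay={delay} ms:", run_scenario(check, delay))
```

With no delay both controllers limit movement correctly. With 150 ms of delay the unchecked BCU still believes the boom is free and issues a full-rate command while in contact, which is the scenario; the checked BCU sees feedback 160 ms old and holds to the coupled limit. In a CTT this is the point where Red is asked how the check itself could be defeated and the cost of doing so is assessed.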

STPA-Sec Wargaming Using DoD
