Securing The Supply Chain: A Multi-pronged Approach

Transcription

Securing the supply chain: A multi-pronged approach
By Jason Jaskolka and John Villasenor
Stanford University / University of California, Los Angeles
June 1, 2017

This presentation addresses two key issues
1. Supply chain security in relation to the integrated circuits ("chips") that are at the core of every electronics system, including in US critical infrastructure (work done by John Villasenor at UCLA; pre-CIRI)
2. Supply chain security in relation to critical infrastructure networks (work done under CIRI by Jason Jaskolka and John Villasenor at Stanford)
2017 CIRI / A Homeland Security Center of Excellence

Intentionally compromised chips

Chips: A gaping cybersecurity exposure
Chips are used to:
- make the internet work
- manage antilock braking in cars
- position flaps on modern airliners
- control access to ATMs
- manage financial transactions, big and small
- run the stock market
- run the electricity grid
- run our communications systems
- store and access information
- run key aspects of every critical infrastructure sector

Chips: A gaping cybersecurity exposure
- The importance of chip supply chain integrity is well recognized, particularly with respect to counterfeits
- Yet the supply chain is almost completely unprotected against a threat that may turn out to be more significant in the long term: chips could be intentionally compromised during the design process, before they are even manufactured

A chip-launched cyberattack could . . .
- Stop or impede the chip (and possibly the system containing it) from functioning
- Exfiltrate data while making the chip appear to function normally
- Corrupt data within the chip
- Some combination of the above

Creating a chip: A simplified view
Specification → Design → Manufacture → Test → Ship
- Much of the attention to hardware trust issues has been directed at the later stages (manufacture, test, ship)
- We also need to be looking at the earlier stages (specification, design)

Inside a chip: A (very!) simplified view
Chips often contain a combination of outsourced and in-house designs

Design practices
- In the early days of ICs, the design was carried out in-house within a single company using small teams composed of people working towards a common purpose
- Many of the protocols developed in those days – for example that the various parts of a circuit will behave as expected – assumed all participants were trusted
- In those days, that was a reasonable assumption
- Analogy with the internet: early assumptions of trust haven't held true

Why testing for hardware attacks is hard
Example: A block that adds 6
- 20 → ADD 6 → 26
- 127 → ADD 6 → 133
- Test 100,000 more inputs . . . If the answer is always correct, conclude that the block works
- But . . . suppose there is one particular input that leads to another result: 126,321,204 → ADD 6 → Start attack
- It's simply not possible to test every possible input
- Thus, the trigger, in this case consisting of the input 126,321,204, is likely to never be tested before deployment
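The following Python model makes the slide's coverage argument concrete. It is an added example, not code from the presentation: a golden "add 6" model, a toy block that deviates on exactly the slide's trigger value, the kind of random functional test the slide describes, and the arithmetic that shows why such a test is very unlikely to sample the trigger. The 32-bit input width, the sentinel returned on the trigger and the assumed test rate are all assumptions made for illustration.

```python
import random

# Values taken from the slide: the block should add 6, and one specific input
# (126,321,204) makes it do something else instead.
TRIGGER = 126_321_204
WORD_BITS = 32                        # assumed input width of the toy block (not stated on the slide)
MASK = (1 << WORD_BITS) - 1


def reference_add6(x: int) -> int:
    """Golden model: what the block is specified to do."""
    return (x + 6) & MASK


def suspect_add6(x: int):
    """Toy model of the slide's block: correct on every input except the trigger,
    where it returns a sentinel instead of the sum (constructed illustration)."""
    if x == TRIGGER:
        return "attack-started"       # stands in for the slide's "Start attack" arrow
    return (x + 6) & MASK


def random_test(block, n_tests: int, seed: int = 7):
    """Functional test as the slide describes it: n random inputs compared with the
    golden model. Returns (passed, first_failing_input)."""
    rng = random.Random(seed)
    for _ in range(n_tests):
        x = rng.getrandbits(WORD_BITS)
        if block(x) != reference_add6(x):
            return False, x
    return True, None


def trigger_hit_probability(n_tests: int, bits: int = WORD_BITS, n_triggers: int = 1) -> float:
    """Chance that n independent uniform random inputs include at least one of
    n_triggers trigger values in a 2**bits input space."""
    return 1.0 - (1.0 - n_triggers / 2 ** bits) ** n_tests


def exhaustive_test_seconds(bits: int, tests_per_second: float = 1e9) -> float:
    """Time needed to enumerate every input of a bits-wide block at a given test rate
    (the rate is an assumption used only to size the problem)."""
    return 2 ** bits / tests_per_second


if __name__ == "__main__":
    ok, bad = random_test(suspect_add6, 100_000)
    print("100,000 random tests passed:", ok)
    print("P(trigger sampled in 100,000 tests) = %.2e" % trigger_hit_probability(100_000))
    for bits in (32, 64):
        years = exhaustive_test_seconds(bits) / 3.154e7
        print("exhaustive test of a %d-bit input at 1e9 tests/s: %.1f years" % (bits, years))
    print("on the trigger itself:", suspect_add6(TRIGGER), "vs expected", reference_add6(TRIGGER))
```

Running the block shows the random test passing and a trigger-sampling probability around 2e-5; at 64 bits (two 32-bit operands, for example) exhaustive enumeration takes centuries even at a billion tests per second, which is the slide's point: functional testing alone cannot rule out a single-input trigger, so the run-time monitoring approaches on the later slides are needed.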

Addressing the problem
- Publication in IEEE Transactions on VLSI Systems
- Publication in IEEE Transactions on Reliability
- Publication in IEEE Transactions on VLSI Systems

Addressing the problem: Example approaches
- Secure bus system: Analyzes statistical patterns of system bus access by different functional blocks, flags aberrant behavior
- Memory gatekeeper: Ensures that functional blocks are able to access only authorized portions of memory; helps to prevent corruption or exfiltration of data; flags any attempts at unauthorized access
- Input/output monitor: Analyzes flow of data on and off the chip, compares with expected flows, flags aberrations
- Warning to other devices: A chip under attack can send a warning to other devices, allowing them to preemptively protect themselves against impending attacks
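As an added illustration of the secure bus system, the memory gatekeeper and the warning to other devices (not the authors' published designs, which are hardware), the following Python sketch models them in software: a per-block memory policy that denies and logs out-of-range accesses, a bus monitor that learns each block's normal access rate from trusted profiling windows and flags statistical outliers, and a warning record assembled from both. The block names, address ranges, traffic counts and the z-score threshold are constructed sample data.

```python
import math
from collections import Counter


class MemoryGatekeeper:
    """Enforces which address ranges each functional block may touch and records every
    denied access so the system can act on it (the slide's 'flags any attempts')."""

    def __init__(self, policy):
        # policy: {block_name: [(lowest_addr, highest_addr), ...]} (constructed example policy)
        self.policy = policy
        self.violations = []

    def access(self, block, addr, op):
        """Return True if the access is authorized; otherwise log it and return False."""
        for lo, hi in self.policy.get(block, []):
            if lo <= addr <= hi:
                return True
        self.violations.append({"block": block, "addr": addr, "op": op})
        return False


class BusMonitor:
    """Learns how often each block uses the bus per time window during trusted profiling,
    then flags windows in which a block's access count is far outside its usual range."""

    def __init__(self):
        self.baseline = {}   # block -> (mean, std) of accesses per window

    def train(self, windows):
        # windows: list of {block: accesses_in_window} taken while the chip is trusted
        blocks = set().union(*windows)
        for b in blocks:
            xs = [w.get(b, 0) for w in windows]
            mean = sum(xs) / len(xs)
            var = sum((x - mean) ** 2 for x in xs) / len(xs)
            # floor the std so that a near-constant baseline is not infinitely strict
            self.baseline[b] = (mean, max(math.sqrt(var), 1.0))

    def scores(self, window):
        """z-score of each block's access count against its baseline; a block never seen
        during profiling scores as infinite, since it should not be on the bus at all."""
        out = {}
        for b, n in window.items():
            if b not in self.baseline:
                out[b] = math.inf
            else:
                mean, std = self.baseline[b]
                out[b] = (n - mean) / std
        return out

    def flagged(self, window, threshold=3.0):
        return sorted(b for b, z in self.scores(window).items() if abs(z) >= threshold)


def build_warning(source_chip, findings):
    """Message a chip under attack could send to peers (the slide's 'warning to other devices');
    the format is an assumption for this example, not a real protocol."""
    return {"from": source_chip, "alerts": findings}


# Constructed sample data: 20 clean profiling windows, then one window in which the
# crypto block suddenly hammers the bus and also reaches into the DMA buffer region.
CLEAN_WINDOWS = [Counter({"cpu": 100 + i % 3, "dma": 20 + i % 2, "crypto": 10 + i % 3}) for i in range(20)]
SUSPICIOUS_WINDOW = Counter({"cpu": 101, "dma": 20, "crypto": 60})
POLICY = {"cpu": [(0x0000, 0x0FFF)], "dma": [(0x1000, 0x1FFF)], "crypto": [(0x2000, 0x2FFF)]}


def run_demo():
    monitor = BusMonitor()
    monitor.train(CLEAN_WINDOWS)
    noisy_blocks = monitor.flagged(SUSPICIOUS_WINDOW)

    gate = MemoryGatekeeper(POLICY)
    gate.access("crypto", 0x2100, "read")   # inside its own region: allowed
    gate.access("crypto", 0x1080, "write")  # DMA buffer region: denied and logged

    findings = {"bus_anomaly": noisy_blocks, "memory_violations": gate.violations}
    return build_warning("chip-A", findings)


if __name__ == "__main__":
    print(run_demo())
```

The two mechanisms are complementary: the gatekeeper gives a hard, policy-based decision per access, while the bus monitor catches a block that stays inside its authorized memory but behaves unlike its profile, which is the kind of "appears to function normally" exfiltration the earlier slide describes. Any real implementation would need the profiling phase to run on hardware that is itself trusted.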

Policy solutions
Brookings Institution paper

Securing networks from the supply chain

Goal
To develop rigorous (formal methods-based) assessment approaches to better understand, identify, analyze, and mitigate implicit component interactions in critical infrastructures

Overview
- Critical infrastructures consist of numerous components and even more interactions, some of which may be:
  - Unfamiliar, unplanned, or unexpected
  - Not visible or not immediately comprehensible
- Implicit interactions:
  - Can indicate unforeseen design flaws allowing for these interactions
  - Intentional or accidental, malicious or innocuous
  - Constitute linkages of which designers are generally unaware (a security vulnerability)
  - Can be exploited to mount cyber-attacks at a later time

Approach
1. Model critical infrastructure systems using a mathematical framework (Communicating Concurrent Kleene Algebra)
2. Formulate and identify the existence of implicit interactions (Potential for Communication)
3. Analyze the severity of identified implicit interactions (Measuring and Classifying Severity, Exploitability, and Impact)
4. Mitigate the existence of and/or minimize the threat posed by identified implicit interactions (Preemptive and Reactive Solutions)

Modelling critical infrastructure systems
Illustrative example: Maritime port terminal
- Maritime ports consist of a number of physical components and just as many, if not more, intangible software components distributed throughout the system in order to coordinate and control its overall functionality
- We can view the system as having the following classes of agents responsible for coordinating and controlling system components in order to safely and securely operate with efficiency and reliability: Port Captain, Ship Managers, Terminal Managers, Crane Managers, Stevedores, Carrier Coordinators
[Image: Aker American Shipping Yard. Source: Tmarinucci via Wikimedia Commons]

Analyzing implicit interactions
Illustrative example: Maritime port terminal
- For the illustrative maritime port terminal with 8 agents, 21 basic events, and 25 basic behaviors: 3902 of the 4596 total interactions are implicit interactions
  - Result of the potential for out-of-sequence/unexpected messages from system components
  - Caused by cyber-attack or failure
- After identifying that implicit interactions exist, we have (or are developing) approaches for:
  - Measuring the severity of identified implicit interactions
  - Measuring the exploitability of identified implicit interactions
  - Studying the impact of implicit interactions through simulation

Addressing supply chain challenges
- Perform system-level analysis to identify the vulnerabilities and risks introduced by the inclusion of particular components in the system
  - Example: If a supplied component comes pre-loaded with a malicious fault designed to evade quality assurance tests, it may not be until the component is composed with other components that it begins to exhibit behaviors that are unintended or unexpected, thereby causing potentially significant system instabilities and altered or interrupted information flows
- Our approach can also be used to model different components in the macro-level supply chain to identify unforeseen linkages between suppliers and businesses
  - Can show how a disruption of one business may have consequences both upstream and downstream in the supply chain

Impact and value to homeland security
- Our approach, backed by rigorous modelling and testing, can provide vital information that can drive decisions on where and how to spend valuable resources in mitigating the potential for such attacks on systems and/or disruption of supply chains
- Formal foundation upon which mitigation approaches can be developed
- Basis for developing policies and guidelines for designing and implementing critical infrastructure systems that are resilient to cyber-threats
- Community engagement can enable contributions to emerging challenges in critical infrastructure cybersecurity

Understanding and addressing network vulnerabilities: Contributions and publications
1. J. Jaskolka and J. Villasenor. Identifying implicit component interactions in distributed cyber-physical systems. In Proceedings of the 50th Hawaii International Conference on System Sciences, HICSS-50, pages 5988–5997, January 2017.
2. J. Jaskolka and J. Villasenor. An approach for identifying and analyzing implicit interactions in distributed systems. IEEE Transactions on Reliability, pages 1–18, March 2017.
3. J. Jaskolka and J. Villasenor. Securing Cyber-Dependent Maritime Ports and Operations. NMIO Technical Bulletin. (Forthcoming).
4. J. Jaskolka and J. Villasenor. Evaluating the exploitability of implicit interactions in distributed systems. ACM Transactions on Privacy and Security. (Under Review).
5. J. Jaskolka and J. Villasenor. Assessing the impact of implicit interactions through attack scenario simulation. (In Preparation).

Thank you
Jason Jaskolka, jaskolka@stanford.edu
John Villasenor, villa@ee.ucla.edu

Overview
Operational Need
- Significant progress has been made in quality assurance for software and components used to build critical infrastructure systems
- Much less attention and progress in making the supply chain robust against intentionally compromised hardware and/or software
  - Specifically designed to remain undetected in tests formulated to detect accidental design flaws
  - Often only visible, or known, after a system experiences some kind of compromise or failure
- Cyber-attacks launched using built-in hardware and/or software vulnerabilities could have a devastating impact

Research Challenge and Goals
Research Challenge
- Develop rigorous (formal methods-based) assessment approaches to better understand, identify, analyze, and mitigate implicit component interactions in critical infrastructures
Research Goals
- Enable the critical infrastructure community to much more effectively:
  1. Identify and analyze systemic supply chain-related vulnerabilities, such as implicit interactions
  2. Preemptively mitigate at least some of those vulnerabilities
  3. Quickly and effectively respond to attacks that might exploit the subset of those vulnerabilities that escape advanced mitigation

Identifying Implicit Interactions
Illustrative Example: Maritime Port Terminal
- Each system agent coordinates its actions/behaviors by passing messages to the other agents or by writing to/reading from shared variables
- The design of the system can be represented as a (sequenced) message passing diagram, which provides a set of expected or intended interactions ($P_{\text{intended}}$)
- An implicit interaction exists in a system formed by a set $\mathcal{A}$ of agents if and only if, for any two agents $A, B \in \mathcal{A}$ with $A \neq B$:
$$(\exists p \mid p \in A \leadsto B : (\forall q \mid q \in P_{\text{intended}} : \neg\,\mathrm{SubPath}(p, q)))$$
where $A \leadsto B$ indicates that $A$ can influence the behavior of $B$, and $\mathrm{SubPath}(p, q)$ indicates that $p$ is a subpath of $q$
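To show the definition above, and the "implicit interactions out of total interactions" count reported on the earlier analysis slide, in executable form, here is an added Python example that is not the authors' tool and does not use their Communicating Concurrent Kleene Algebra model. It represents the intended interactions as sequences of agents taken from a message-passing diagram, derives the direct communication links from them, realizes the "A can influence B" relation as the simple paths from A to B over those links, and reports every path that is not a subpath of some intended interaction. The agent names are borrowed from the slide's agent classes, but the toy diagram and the resulting counts are constructed for this example and are not the 8-agent port model or its 3902/4596 figures.

```python
from collections import defaultdict

# Constructed toy message-passing diagram: each tuple is one intended interaction,
# listed as the sequence of agents the message passes through (assumed, not the paper's model).
AGENTS = {"PortCaptain", "ShipManager", "TerminalManager", "CraneManager", "Stevedore"}
INTENDED = [
    ("PortCaptain", "ShipManager", "TerminalManager"),   # berth assignment flows down
    ("TerminalManager", "CraneManager", "Stevedore"),    # unloading plan flows down
    ("ShipManager", "PortCaptain"),                      # acknowledgement flows back up
]


def comm_edges(intended):
    """Direct communication links (sender, receiver) present in the intended interactions."""
    edges = set()
    for q in intended:
        for a, b in zip(q, q[1:]):
            edges.add((a, b))
    return edges


def paths_between(edges, src, dst, max_len=8):
    """All simple paths from src to dst over the direct links: the ways src can
    influence dst (the slide's A ⇝ B), each path being one candidate interaction."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    found = []

    def walk(path):
        cur = path[-1]
        if cur == dst and len(path) > 1:
            found.append(tuple(path))
            return
        if len(path) >= max_len:
            return
        for nxt in sorted(succ[cur]):
            if nxt not in path:          # simple paths only: no agent revisited
                walk(path + [nxt])

    walk([src])
    return found


def subpath(p, q):
    """SubPath(p, q): p occurs as a contiguous run inside q."""
    return any(q[i:i + len(p)] == p for i in range(len(q) - len(p) + 1))


def all_interactions(agents, intended):
    """Every candidate interaction between distinct agents, paired with whether it is implicit,
    i.e. a path that is not a subpath of any intended interaction (the definition on the slide)."""
    edges = comm_edges(intended)
    result = []
    for a in sorted(agents):
        for b in sorted(agents):
            if a == b:
                continue
            for p in paths_between(edges, a, b):
                implicit = not any(subpath(p, q) for q in intended)
                result.append((p, implicit))
    return result


def implicit_interactions(agents, intended):
    return [p for p, implicit in all_interactions(agents, intended) if implicit]


def summarize(agents, intended):
    """(implicit, total) counts, in the form the analysis slide reports them."""
    rows = all_interactions(agents, intended)
    return sum(1 for _, implicit in rows if implicit), len(rows)


if __name__ == "__main__":
    implicit, total = summarize(AGENTS, INTENDED)
    print("%d of the %d total interactions are implicit" % (implicit, total))
    for p in implicit_interactions(AGENTS, INTENDED):
        print("  implicit:", " -> ".join(p))
```

In the toy diagram every direct link is legitimate, yet chaining the two intended flows lets the Port Captain's message reach the Crane Manager and the Stevedores along a route no designer drew, which is exactly the kind of unplanned linkage the overview slide describes. Real systems would add shared-variable reads and writes as links and would need the authors' severity and exploitability measures to rank what this enumeration finds.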

Addressing Supply Chain Challenges
- Our approach indirectly addresses cybersecurity challenges faced by critical infrastructure supply chains (a direct approach is intractable)
- Perform system-level analysis to identify the vulnerabilities and risks introduced by the inclusion of particular components in the system
  - Example: If a supplied component comes pre-loaded with a malicious fault designed to evade quality assurance tests, it may not be until the component is composed with other components that it begins to exhibit behaviors that are unintended or unexpected, thereby causing potentially significant system instabilities and altered or interrupted information flows
- Our approach can also be used to model different components in the macro-level supply chain to identify unforeseen linkages between suppliers and businesses
  - Can show how a disruption of one business may have consequences both upstream and downstream in the supply chain
