
Enhancing Cyber Resilience and Sustainability in Critical Infrastructure with CIP and IEC-62443-4

Enhancing Cyber Resilience and Sustainability in Critical Infrastructure with CIP and IEC-62443-4 - Yoshitake Kobayashi, Civil Infrastructure Platform & Dinesh Kumar, Toshiba Software India

Linux is the foundational infrastructure for mission-critical systems across sectors like energy, transportation, and healthcare. These systems must operate reliably for decades while adapting to evolving Smart City and IoT landscapes. Interconnectivity brings challenges in managing vulnerabilities and upgrades, requiring adherence to standards and maintaining system integrity.

The Civil Infrastructure Platform (CIP) project addresses these challenges by providing an Industrial Grade Linux platform for robust, secure, and sustainable operations. Over 7 years, CIP has demonstrated a commitment to meeting current needs and addressing future threats.

This presentation will explore CIP's pivotal role in strengthening cyber resilience and enhancing system reliability. It will also delve into the CIP Security Working Group's efforts to align the platform with the IEC 62443 standard for industrial control system security.

The key topics covered will include ensuring IEC-62443-4-x compliance, bridging gaps for updates and long-term support, traceability between code, tests, and requirements for standards compliance. The presentation will also discuss CIP's role in building sustainable and cyber-resilient critical infrastructure, integrating security throughout the CIP ecosystem using the IEC 62443 framework, and the benefits of this alignment for improved risk management and threat mitigation.

Attendees will gain insights on how CIP can help build future-ready, cyber-resilient systems.

Yoshitake Kobayashi

October 28, 2024

Transcript

  1. Enhancing Cyber Resilience and Sustainability in Critical Infrastructure with CIP and IEC-62443-4
     Yoshitake Kobayashi, CIP TSC Chair; Dinesh Kumar, CIP Security WG Lead
     October 28, 2024, Open Source Summit Japan
  2. Agenda
     • Introduction to CIP
     • How CIP Enhances Cyber Resilience
     • CIP Security Working Group and IEC 62443
     • Conclusion
  3. Our Civilization Runs on Linux®: "Hidden" Industrial IoT Systems
     • Transport: rail automation, automatic ticket gates, vehicle control
     • Energy: power generation, turbine control
     • Industry: building automation, industry automation, industrial communication, CNC control
     • Healthcare, broadcasting, others
     Linux is a registered trademark of Linus Torvalds.
  4. Civil Infrastructure an Increasing Target of Cybersecurity Threats
     Cyberattacks are now nearly doubling annually.
     Ref: 2024 Threat Report, https://waterfall-security.com/2024-threat-report/
     [Chart: cybersecurity incidents in OT systems on public record since 2010. Ref: https://www.gao.gov/products/gao-19-48]
  5. The Evolving Regulatory Landscape
     • Cyber Resilience Act (CRA). Ref: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
     • The President's Executive Order (EO) 14028 on Improving the Nation's Cybersecurity. Ref: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
     • Countries with cyber resilience legislation: Australia, Bulgaria, United States, United Kingdom
  6. Understanding Cyber Resilience
     • The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. (Ref: https://csrc.nist.gov/glossary/term/cyber_resiliency)
     • Key components: Prepare/Identify, Protect, Detect, Respond, Recover
  7. Establishing an Open Source Base Layer of industrial-grade software to enable the use and implementation of software building blocks for Civil Infrastructure Systems
  8. The key challenges
     • Apply IoT concepts to industrial systems
     • Ensure quality and longevity of products
     • Keep millions of connected systems secure
     • Product life-cycles of decades
     • Backwards compatibility
     • Standards
     • Reliability
     • Functional safety
     • Real-time capabilities
     • Security & vulnerability management
     • Firmware updates
     • Minimize risk of regressions
     Three themes: Sustainability, Industrial gradeness, Security
  9. What is an "Open Source Base Layer (OSBL)"?
     A layered Linux distribution for industrial products, utilizing and influencing the relevant Open Source projects:
     • CIP kernel (10+ years maintenance, based on LTS kernels)
     • CIP Core packages (tens)
     • Additional packages (hundreds)
     • Company-specific middleware and applications
     The CIP kernel and CIP Core packages form the CIP Open Source base layer; together with the additional packages they cover the scope of a typical Linux distribution.
     CIP: Civil Infrastructure Platform Project (https://www.cip-project.org/); LTS: Long Term Support
  10. Mapping CIP into the company
      • Corporate team / central project: the "distribution" (kernel, base packages, SDK, build chain, QA), built from the CIP Kernel (10+ years maintenance), CIP Core packages (tens) and additional packages (hundreds)
      • Companies / divisions: domain-specific extensions
      • Business units / products: firmware update, security hardening, container runtime, ...
      Up to 70% effort reduction achievable for OSS license clearing and vulnerability monitoring, kernel and package maintenance, application adaptation and testing for an individual product.
      OSS: Open Source Software; QA: quality assurance; SDK: software development kit
  11. Scope of activities
      On-device software stack
      • User space: app container infrastructure (mid-term), app framework (optional, mid-term), middleware/libraries, monitoring, domain-specific communication (e.g. OPC UA), shared configuration & logging, multimedia, security, safe & secure update, CIP Core packages
      • Kernel space: Linux kernel, real-time support, real-time / safe virtualization, Super Long Term Supported kernel (SLTS)
      Product development and maintenance
      • Build environment (e.g. bitbake, dpkg), test automation, tracing & reporting tools, configuration management
      • Long-term support strategy: security patch management
      Application life-cycle management
      • Device management (update, download)
      Concepts
      • Functional safety architecture/strategy, including compliance with standards (e.g. NERC CIP, IEC 61508)
      • Standardization, collaborative effort with others, license clearing, export control classification
  12. Activities in CIP Project (workgroups and their missions; the original table also maps each to industrial grade, sustainability and security)
      • Kernel Team: providing CIP kernels with a 10+ year maintenance period; working with the RT Linux project to upstream real-time enhancements; providing the CIP SLTS kernel with real-time enhancements
      • CIP Core: provide a reference implementation with Debian-based CIP Core packages for testing
      • CIP Testing: providing a test environment to test the CIP kernel and CIP Core
      • Security: provide guidelines and reference implementations to help developers meet cybersecurity standard requirements (IEC 62443)
      • SW update: incorporate a common solution for software updates into CIP Core
  13. How CIP enhances Cyber Resilience (1/2)
      • Long-term support and security updates
        • 10+ year maintenance period
      • Open source and upstream-first principles
        • Community-driven improvements
        • Collaborative patching with the upstream community
        • Faster vulnerability identification
      • Standardization and interoperability
        • OSBL as a common software platform
        • Reduced compatibility issues through CIP testing
  14. How CIP enhances Cyber Resilience (2/2)
      • Comprehensive security integration
        • Alignment with IEC 62443 standards
        • Security measures throughout the system lifecycle
        • Threat modeling and risk assessment
      • Ongoing security validation and improvement
        • Continuous monitoring and adaptation
        • CVE monitoring for the CIP kernel and CIP Core
        • Secure software update mechanisms
  15. IEC 62443 Practices for Cyber Resiliency
      • Security management
      • Security by design
      • Secure implementation
      • Security verification & validation
      • Management of security-related issues
      • Security update management
  16. CIP Cyber Resilience Support: Identify & Protect
      IEC 62443 practices/requirements:
      • Human user identification and authentication
      • Software process and device authentication
      • Identifier management, account management
      • Use of strong cryptography, public key infrastructure
      CIP adherence:
      • User identification by reusing the Debian packages passwd, login, usermod, adduser
      • Provision of MFA
      • Support for the latest security packages (openssl etc.)
  17. CIP Cyber Resilience Support: Detect, Respond & Recover
      IEC 62443 practices/requirements → CIP adherence
      • Threat modelling, risk assessment of third-party components → Threat modelling for current processes and controls, and mitigation
      • Development environment security, file integrity → Primarily GitLab-based controls
      • Auditable events, concurrent session control → auditd package support
      • CVE scanning & providing regular fixes → CIP Kernel WG tracks CVEs regularly and shares fixes
      • Continuous monitoring & audit logs → systemd-journald, the main service for log monitoring
      • Control system backup & restore → No real use within CIP, hence for CIP users to address
  18. CIP Cyber Resilience Support: When is a build reproducible?
      A build is reproducible if, given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.
      References:
      1. https://reproducible-builds.org/docs/definition/
      2. https://blogs.vmware.com/opensource/2022/07/12/what-makes-a-build-reproducible-part-1/
      CIP reproducible image support:
      ✔ QEMU amd64, arm64 and armhf (file system level as well as complete disk images)
      ❑ Other CIP images (BeagleBone Black (BBB) and generic x86 base images) to be made reproducible in the near future
      CIP members collaborate closely with the Reproducible Builds community, both to make CIP images reproducible and to support the RB community.
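The definition above is operational: build twice, independently, and compare hashes. The Go program below is an added example (not CIP's build tooling, which uses the Debian and isar toolchains) that packs a constructed three-file "root filesystem" into a tar archive twice and compares SHA-256 digests. It pins the usual sources of variation the Reproducible Builds project documents for archives: entry order, timestamps (the role SOURCE_DATE_EPOCH plays in real builds) and owner metadata. The file names, contents and epoch value are all constructed for the demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Constructed sample "root filesystem" (path -> contents). A real build
// would read these from the build tree; the values are illustrative only.
var sampleFS = map[string]string{
	"etc/os-release": "ID=cip-demo\n",
	"etc/hostname":   "node01\n",
	"usr/bin/app":    "#!/bin/sh\necho hello\n",
}

// BuildOpts captures the three sources of variation this example pins:
// entry order, timestamps and ownership metadata.
type BuildOpts struct {
	Order []string  // explicit entry order; nil means sorted by path
	MTime time.Time // timestamp recorded for every entry
	Owner string    // uname/gname recorded for every entry
}

// ReproducibleOpts is what a reproducible build uses: sorted entries, a
// pinned clock (the value SOURCE_DATE_EPOCH would carry) and a fixed
// owner instead of whoever happens to run the build.
func ReproducibleOpts() BuildOpts {
	const sourceDateEpoch = 1704067200 // 2024-01-01T00:00:00Z, constructed value
	return BuildOpts{MTime: time.Unix(sourceDateEpoch, 0).UTC(), Owner: "root"}
}

// BuildTar packs fs into a tar archive under the given options.
func BuildTar(fs map[string]string, o BuildOpts) []byte {
	names := o.Order
	if names == nil {
		for n := range fs {
			names = append(names, n)
		}
		sort.Strings(names) // map iteration order is random; sort it away
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range names {
		data := []byte(fs[name])
		hdr := &tar.Header{
			Typeflag: tar.TypeReg,
			Name:     name,
			Mode:     0644,
			Size:     int64(len(data)),
			ModTime:  o.MTime,
			Uname:    o.Owner,
			Gname:    o.Owner,
			Format:   tar.FormatPAX,
		}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(data); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// DigestOf is what a verifier compares across independent rebuilds.
func DigestOf(o BuildOpts) string {
	sum := sha256.Sum256(BuildTar(sampleFS, o))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Two independent builds with pinned inputs: identical artifact.
	fmt.Println("build A:", DigestOf(ReproducibleOpts()))
	fmt.Println("build B:", DigestOf(ReproducibleOpts()))

	// A naive build stamps the wall clock and the builder's identity:
	// same sources, different bytes, so the digests no longer match.
	naive := BuildOpts{MTime: time.Now(), Owner: "builder"}
	fmt.Println("naive  :", DigestOf(naive))
}
```

The point worth carrying over to real images: every field that differs between the "naive" and pinned builds is metadata, not code. That is exactly why a reproducibility check is a useful supply-chain control: a second party rebuilding a CIP image from the same sources should get the same digest, and any difference is either an unpinned input or a modification that someone needs to explain.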
  19. CIP IEC 62443-4-1 assessment recently concluded
      Most of the secure development practices can be met by reusing upstream as well as CIP development practices.
      Final assessment status: the following IEC 62443-4-1 processes were not feasible in CIP
      • Custom developed components from third parties
      • Secure design best practices
      • Defense in depth design in deployment
      • Penetration testing
      • Secure disposal guidelines
  20. CIP IEC 62443-4-1 assessment recently concluded
      Most of the secure development practices can be met by reusing upstream as well as CIP development practices.
  21. Further challenges for the OSS community
      During the CIP IEC assessment we learned of a few areas where the OSS community must work further to strengthen the security posture of OSS components:
      • Review and rework communication happens over mailing lists, which makes it difficult to meet the requirement to "track security issues to closure"
      • Lack of commonly available "Secure Coding Guidelines"
      • No central place to track whether Secure Design Principles are followed
  22. Good coverage of tests adding to cyber resiliency
      • The CIP Security Working Group investigated how many packages have tests available in Debian CI and in the package upstream
      • The share is good: more than 85% of packages have tests either upstream or in Debian CI
      • CIP members plan to work with upstream developers to enhance test coverage in future
  23. Cyber Resilience & Software Update
      • Vulnerability management: regular software updates are crucial for patching known vulnerabilities.
      • Rapid response to threats: the ability to quickly deploy updates in response to newly discovered vulnerabilities.
      • Adaptability: regular updates allow systems to adapt to evolving threat landscapes, a core principle of cyber resilience.
      • Incident recovery: in the event of a successful attack, having the latest software updates can be crucial.
      • Rollback capability: a robust update system should include the ability to roll back changes if issues arise.
  24. CIP supports Software Update (1/2)
      CIP software update features
      • Basic software updates provided by the SWUpdate framework
      • Software update using A/B partitions
      • Signed and encrypted image support
      TUF integration with CIP SWUpdate (WIP)
      • Hardening the update delivery system
      • Uses a quorum of keys to sign artifacts, reducing the impact of a key compromise
      • Rotation of the signing keys
      WFX integration with TUF+SWUpdate in CIP (WIP)
      • Automate the update workflow for a fleet of devices at scale
      • Manage update status to track any failed updates in the field
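Slides 23 and 24 together describe the safety property an A/B layout gives you: a new image is written to the inactive slot, gets a bounded number of trial boots, and the bootloader returns to the previous slot if the application never confirms it. The Go model below is an added example, not SWUpdate's or CIP's own code; it follows the bootcount pattern SWUpdate is commonly paired with in U-Boot, but the slot names, the trial-boot budget of 3 and the image bytes are constructed for illustration. The digest check in StageUpdate stands in for verifying the image against a signed manifest before anything is written.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// MaxTrialBoots is how many boot attempts a freshly installed slot gets
// before the bootloader falls back to the previous slot (illustrative value).
const MaxTrialBoots = 3

// Slot is one of the two root partitions.
type Slot struct {
	Name    string
	Version string
	Image   []byte
}

// Device models the bootloader environment that drives A/B switching.
type Device struct {
	Slots     [2]Slot
	Active    int  // slot the bootloader starts next
	Previous  int  // slot to return to if the trial fails
	Trial     bool // active slot is installed but not yet confirmed healthy
	BootsLeft int  // remaining trial boots before automatic rollback
	Log       []string
}

func Sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func NewDevice(version string) *Device {
	d := &Device{}
	d.Slots[0] = Slot{Name: "rootfs_a", Version: version}
	d.Slots[1] = Slot{Name: "rootfs_b"}
	return d
}

// StageUpdate checks the image against the digest carried by the (separately
// signed) manifest, writes it into the inactive slot and marks that slot
// active-on-trial. The running slot is never touched, so a rejected or
// broken update cannot leave the device unbootable.
func (d *Device) StageUpdate(version string, image []byte, wantSHA256 string) error {
	if Sha256Hex(image) != wantSHA256 {
		d.Log = append(d.Log, "update "+version+" rejected: digest mismatch")
		return errors.New("image digest does not match manifest")
	}
	inactive := 1 - d.Active
	d.Slots[inactive].Version = version
	d.Slots[inactive].Image = append([]byte(nil), image...)
	d.Previous = d.Active
	d.Active = inactive
	d.Trial = true
	d.BootsLeft = MaxTrialBoots
	d.Log = append(d.Log, "update "+version+" staged in "+d.Slots[inactive].Name)
	return nil
}

// Boot models one power cycle. healthy reports whether the application
// reached its running state and confirmed the update. It returns the
// version that is running after this boot.
func (d *Device) Boot(healthy bool) string {
	if d.Trial {
		if d.BootsLeft == 0 {
			// Trial budget exhausted without confirmation: roll back.
			d.Active = d.Previous
			d.Trial = false
			d.Log = append(d.Log, "rolled back to "+d.Slots[d.Active].Version)
		} else {
			d.BootsLeft--
			if healthy {
				d.Trial = false
				d.Log = append(d.Log, "update "+d.Slots[d.Active].Version+" confirmed")
			}
		}
	}
	return d.Slots[d.Active].Version
}

func main() {
	d := NewDevice("1.0")
	good := []byte("rootfs image 2.0 (constructed)")
	if err := d.StageUpdate("2.0", good, Sha256Hex(good)); err != nil {
		panic(err)
	}
	d.Boot(true) // application comes up: update confirmed

	broken := []byte("rootfs image 2.1 (constructed, never becomes healthy)")
	_ = d.StageUpdate("2.1", broken, Sha256Hex(broken))
	for i := 0; i <= MaxTrialBoots; i++ {
		d.Boot(false) // crashes every time; the last iteration rolls back
	}
	for _, l := range d.Log {
		fmt.Println(l)
	}
	fmt.Println("running:", d.Boot(true))
}
```

Two design points the model makes explicit: the confirmation must come from the application (a boot that reaches a login prompt but whose control process never starts is still a failed update), and the "status" WFX would collect from the fleet is exactly the Log entries, so a rollback on one device is visible centrally rather than silently absorbed.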
  25. CIP supports Software Update (2/2)
      CIP images support software update using the SWUpdate framework:
      • Delta updates (root file system only; kernel image WIP)
      • Complete image update
      • Signed images
      • Key rotation
      • Secure delivery of artifacts
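Slides 24 and 25 mention two TUF properties, a quorum of signing keys and key rotation, without showing how a client enforces them. The Go program below is an added example and not the CIP or python-tuf implementation: it is a deliberately simplified root-metadata model (version, threshold, key set) with Ed25519 from the Go standard library. Verify accepts a payload only when at least threshold distinct trusted keys signed it, and Rotate accepts a new root only when both the current and the new key sets reach their quorum and the version increases. The key IDs, JSON layout and update manifest are constructed for the example; real TUF metadata carries more fields and roles.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Root is the trusted key set and the quorum required to accept anything
// signed under it (simplified from TUF root metadata).
type Root struct {
	Version   int               `json:"version"`
	Threshold int               `json:"threshold"`
	Keys      map[string]string `json:"keys"` // key ID -> hex Ed25519 public key
}

// Signed is a canonical payload plus signatures indexed by key ID.
type Signed struct {
	Payload []byte
	Sigs    map[string][]byte
}

// Signer is one key holder (a release engineer's token, an HSM, a CI key).
type Signer struct {
	ID   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(pub) // key ID = truncated hash of the public key
	return Signer{ID: hex.EncodeToString(sum[:8]), pub: pub, priv: priv}
}

// Sign adds this key's signature over sg.Payload.
func (s Signer) Sign(sg *Signed) {
	if sg.Sigs == nil {
		sg.Sigs = map[string][]byte{}
	}
	sg.Sigs[s.ID] = ed25519.Sign(s.priv, sg.Payload)
}

// NewRoot trusts the given signers and requires threshold of them.
func NewRoot(version, threshold int, signers ...Signer) Root {
	r := Root{Version: version, Threshold: threshold, Keys: map[string]string{}}
	for _, s := range signers {
		r.Keys[s.ID] = hex.EncodeToString(s.pub)
	}
	return r
}

// Canonical is the byte string that gets signed. encoding/json writes map
// keys in sorted order, so every party derives the same bytes.
func (r Root) Canonical() []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err)
	}
	return b
}

// Verify counts valid signatures from distinct keys trusted by r. With a
// threshold of two or more, one stolen key cannot push an update alone.
func (r Root) Verify(sg Signed) bool {
	valid := 0
	for id, sig := range sg.Sigs {
		pub, err := hex.DecodeString(r.Keys[id]) // unknown ID decodes to empty
		if err != nil || len(pub) != ed25519.PublicKeySize {
			continue // untrusted or malformed key: carries no weight
		}
		if ed25519.Verify(ed25519.PublicKey(pub), sg.Payload, sig) {
			valid++
		}
	}
	return valid >= r.Threshold
}

// Rotate installs a new root only if it is signed by a quorum of the keys
// trusted now AND a quorum of the keys it introduces, with a higher
// version, so old keys can be retired and an old root cannot be replayed.
func Rotate(trusted Root, candidate Signed) (Root, error) {
	var next Root
	if err := json.Unmarshal(candidate.Payload, &next); err != nil {
		return trusted, err
	}
	switch {
	case next.Version <= trusted.Version:
		return trusted, errors.New("root version did not increase")
	case !trusted.Verify(candidate):
		return trusted, errors.New("quorum of current root keys not met")
	case !next.Verify(candidate):
		return trusted, errors.New("quorum of new root keys not met")
	}
	return next, nil
}

func main() {
	a, b, c := NewSigner(), NewSigner(), NewSigner()
	root := NewRoot(1, 2, a, b, c) // any 2 of 3 keys release an update

	// Constructed update manifest (stands in for the signed .swu description).
	m := Signed{Payload: []byte(`{"image":"cip-core-2.0.swu","sha256":"constructed"}`)}
	a.Sign(&m)
	fmt.Println("1 of 3 signatures accepted:", root.Verify(m))
	b.Sign(&m)
	fmt.Println("2 of 3 signatures accepted:", root.Verify(m))

	// Retire a, b, c: the new root must be endorsed by old and new quorums.
	d, e := NewSigner(), NewSigner()
	cand := Signed{Payload: NewRoot(2, 2, d, e).Canonical()}
	for _, s := range []Signer{d, e, a, b} {
		s.Sign(&cand)
	}
	root, err := Rotate(root, cand)
	fmt.Println("rotated to root version", root.Version, "err:", err)
}
```

The rotation rule is the part that reduces the blast radius of a compromise: an attacker holding one old key cannot sign an update (threshold 2) and cannot introduce a root that trusts their own keys (the new root also needs a quorum of the old keys), while the version check stops them from replaying a root they could satisfy.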
  26. CIP IEC 62443-4-x document management
      Several requirements apply to maintaining IEC assessment documents:
      • Maintain a version of each document
      • Restricted access to some documents, such as secure design and IEC information documents
      • Versions can be compared
      Considering the above, CIP has decided how to maintain the assessment documents:
      • Most documents are written in Markdown to meet the above requirements
      • CIP plans to migrate to the Read the Docs format in future
      • All documents are maintained in CIP GitLab repositories
  27. CVE handling in CIP
      • CVE handling is also one of the IEC 62443 requirements; CIP intends to provide CVE updates on a regular basis
      • CIP kernel CVE report: https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec (the CIP Kernel team publishes CVE updates via the CIP developer mailing list)
      • CIP Core CVE report generation tooling: https://gitlab.com/cip-project/cip-core/debian-cve-checker (CIP Core provides tooling for CVE updates)
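The core question any CVE report generator for a Debian-based image has to answer is "is the installed version older than the fixed version?", and Debian version strings are not compared lexically: `~` sorts before the empty string, epochs override everything, and digit runs compare numerically. The Go code below is an added example, not the debian-cve-checker tool linked above; it reimplements dpkg's comparison algorithm (epoch, upstream version, Debian revision, with the character ordering dpkg uses) and runs a constructed package set against a constructed advisory list with placeholder IDs that are not real CVEs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// order mirrors dpkg's ordering inside a non-digit run: '~' sorts before
// anything, even the end of the string (so 1.0~rc1 < 1.0); letters sort by
// ASCII; other symbols sort after letters; a digit or end-of-string is neutral.
func order(c byte) int {
	switch {
	case c == '~':
		return -1
	case c == 0 || isDigit(c):
		return 0
	case (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'):
		return int(c)
	default:
		return int(c) + 256
	}
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

func at(s string, i int) byte {
	if i < len(s) {
		return s[i]
	}
	return 0
}

// verrevcmp compares one version fragment the way dpkg does: alternating
// runs of non-digits (character order above) and digits (numerically,
// ignoring leading zeros), so 1.10 > 1.9 and 1.0a > 1.0.
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		firstDiff := 0
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if d := order(at(a, i)) - order(at(b, j)); d != 0 {
				return d
			}
			i, j = i+1, j+1
		}
		for i < len(a) && a[i] == '0' {
			i++
		}
		for j < len(b) && b[j] == '0' {
			j++
		}
		for i < len(a) && isDigit(a[i]) && j < len(b) && isDigit(b[j]) {
			if firstDiff == 0 {
				firstDiff = int(a[i]) - int(b[j])
			}
			i, j = i+1, j+1
		}
		if i < len(a) && isDigit(a[i]) {
			return 1 // a has more digits: numerically larger
		}
		if j < len(b) && isDigit(b[j]) {
			return -1
		}
		if firstDiff != 0 {
			return firstDiff
		}
	}
	return 0
}

// split breaks "epoch:upstream-revision" into its parts; the epoch defaults
// to 0 and a missing revision to "", which dpkg treats like "0".
func split(v string) (epoch int, upstream, revision string) {
	if i := strings.IndexByte(v, ':'); i >= 0 {
		epoch, _ = strconv.Atoi(v[:i])
		v = v[i+1:]
	}
	if i := strings.LastIndexByte(v, '-'); i >= 0 {
		return epoch, v[:i], v[i+1:]
	}
	return epoch, v, ""
}

// CompareVersions returns <0, 0 or >0 as a is older than, equal to, or
// newer than b under Debian policy. Epochs win outright: 1:1.0 > 2.0.
func CompareVersions(a, b string) int {
	ea, ua, ra := split(a)
	eb, ub, rb := split(b)
	if ea != eb {
		return ea - eb
	}
	if c := verrevcmp(ua, ub); c != 0 {
		return c
	}
	return verrevcmp(ra, rb)
}

// Advisory is a constructed record in the shape a tracker feed provides:
// installed versions older than FixedVersion are affected.
type Advisory struct {
	ID, Package, FixedVersion string
}

// Affected lists the advisories still open for the installed package set.
func Affected(installed map[string]string, advisories []Advisory) []string {
	var open []string
	for _, adv := range advisories {
		v, ok := installed[adv.Package]
		if ok && CompareVersions(v, adv.FixedVersion) < 0 {
			open = append(open, fmt.Sprintf("%s %s %s < %s", adv.ID, adv.Package, v, adv.FixedVersion))
		}
	}
	return open
}

func main() {
	// Constructed package set and advisories (placeholder IDs, not real CVEs).
	installed := map[string]string{"openssl": "3.0.11-1~deb12u2", "curl": "7.88.1-10+deb12u5"}
	advisories := []Advisory{
		{"CVE-0000-0001", "openssl", "3.0.11-1~deb12u2"},
		{"CVE-0000-0002", "openssl", "3.0.13-1~deb12u1"},
		{"CVE-0000-0003", "curl", "7.88.1-10+deb12u4"},
	}
	for _, line := range Affected(installed, advisories) {
		fmt.Println(line)
	}
}
```

Getting this ordering wrong is a classic false-negative source in home-grown scanners: a string comparison would rank `1.0~rc1` after `1.0` and report a pre-release as patched. The `~` rule is also what makes backport versions such as `3.0.11-1~deb12u2` sort below the `3.0.11-1` they were built from.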
  28. Reusing OSS components in the CIP IEC 62443 layer
      • CIP developers do not modify any OSS component; instead they REUSE them
      • CIP users are recommended to use security configuration to implement product-specific security policies
      • Follow the upstream-first policy and report issues upstream for any changes
      • Primarily Debian packages are used to meet all IEC 62443 requirements
      • CIP users can further customize the IEC layer by adding additional packages or even custom-developed components
  29. CIP users benefit from CIP IEC 62443 compliance
      • CIP being IEC 62443 compliant will provide a secure foundation attested by IEC security capabilities
      • Significantly reduces end-product IEC 62443 certification cost
      • Rich set of documentation developed by CIP SWG and
  30. Advantages comparison: CIP vs non-CIP distributions (the slide marks each item as provided by CIP and × for non-CIP)
      • Dedicated kernel maintainers for SLTS up to 10+ years
      • IEC 62443-4-x assessed platform
      • Close monitoring of CVEs at user and kernel level
      • Extended support from Debian ELTS for specific packages
      • Regular automated testing on multiple SoCs with published test results at KernelCI
      • Strong support from big players of the embedded system industry
  31. Conclusion
      • CIP helps to enhance cyber resilience for your products and services
      • IEC 62443-4-x compliant platform with long-term support
      • Constantly striving to incorporate the latest security features & updates
      • Engagement with multiple security-focused open-source projects
      • Open source and upstream-first principles
      Collaboration is the key to ensure cyber resilience.
  32. CIP related talks (please join us)
      October 28
      • Step by Step, What Should We Do for the Kernel Ecosystem? - Hirotaka Motai, Cybertrust Japan, 12:05 - 12:45 JST
      October 29
      • Device Management and Delta Update for Embedded Devices with SWUpdate and TUF - Koshiro Onuki, Toshiba Corporation, 15:50 - 16:30 JST
  33. CIP demo booth at the exhibit area: please visit us
      • IoT SW update
      • Low power
  34. Join Now
      Join your industry peers in helping build and shape the ecosystem for industrial grade software, its use cases and applications. Unite with other global leaders in power generation, oil and gas, communications and many other industries to establish the software building blocks for civil infrastructure.
  35. Contact Information and Resources
      To get the latest information, please contact:
      • CIP mailing list: [email protected]
      • X: @cip_project
      Other resources
      • CIP web site: https://www.cip-project.org
      • CIP wiki: https://wiki.linuxfoundation.org/civilinfrastructureplatform/
      • CIP source code - CIP GitLab: https://gitlab.com/cip-project
      • CIP kernel: https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip.git