 Good morning, good afternoon, and good evening, everyone. It's our pleasure to meet all of you at the virtual event of Embedded Leaders Conference Europe. Today, we would like to share the topic three modeling key methodology and applications from open source software CIP, C4 infrastructure platform perspective with you. Today, we have two speakers. Dinesh is working for Toshiba Software India and participating in a security work group in the CIP project for years. Another speaker is me, S. Z. Lin. I'm working for Mosa Inc. and I contribute to NINUX and several open source software projects. Let's talk about the C4 infrastructure. C4 infrastructures are supporting the human activities, including the electric power generation and energy distribution. All in guess, water and wastewater, healthcare, communication, transportation and community management. However, there are some key challenges in the C4 infrastructure. As you may know, typically the left cycle of the system where in C4 infrastructure is more than decades. So we have the challenges such as have to apply the IOD concept to industrial systems to ensure the quality and gravity of the product and to keep millions of connected systems secure. In order to overcome these challenges, there are three vital requirements need to be fulfilled. And that is industrial grades. We may have to provide a function for the availability, functional safety or real-time capability. The second one is sustainability. As I mentioned, the left cycle period may be very long over the decades. So it's very important for providing the back work compatibility and standards. The last one is security. As you know, it's vital for the C4 infrastructure system regarding the security feature. And those, we would like to provide the function to reduce and minimize the risk of regressions. The CIP, C4 infrastructure platform is the solution. The CIP is a collaborative open source project hosted by the NINUS Foundation. SAPI project members work together to develop a base layer, a set of industrial grade core open source software components, tools and methods to create the NINUS base embedded systems that meet the requirements of industrial grade sustainability and security. As I mentioned in the previous slide, SAPI project established an open source base layer of industrial grade software to enable the use and implementation of software building blocks for C4 infrastructure system. In the SAPI project, the scope of the software includes the kernel space to user space. As you can see, the scope of the CIP, we have the software stack include the kernel space and user space. We have tools and concepts. The number of the block means the order of the workgroup. So in today's presentation, we are the security workgroup. From the security workgroup's perspective, our goal is to protect the asset in the C4 infrastructure system by reducing the risk. And we will adapt the international standard. That is ISA, IEC 62443. It is a standard regarding the industrial automation and control system cybersecurity. As I mentioned, our goal is to reduce the risk. What is the risk? Risk is commonly described as a threat plus vulnerability plus consequence. As you can see, the threat source, for example, the insider hackers, the threat source can launch the threat factor. For example, the unauthorized access or social engineering to exploit the vulnerability within the assets. And it will cause the consequence or the impact. That is the basic concept of the risk. So the first factor of the risk is threat. The threat is a set of circumstances and associated sequence of events with the potential to affect operations, including the functions and reputation. Assets, control system or individual via unauthorized access, extraction, disclose, modification of data or denial of service. That means the threat is dynamic and is very hard to be predicted. Therefore, we need to conduct the threat modeling. The threat modeling is the process of anticipating what could go wrong. And then we can forecasting how it can go wrong. So the general threat modeling objectives include to know the service which could be a tech. And then we can reduce the attack surveys. And we can have some idea to set security for configurations. We can also adjust the access control to fulfill the least privilege. We can have the multiple layers of security control throughout an information by using the defense in depth. And by using the threat modeling, we can segment critical and non-critical information. And after that, we can have the policy compliance or the standard conformance. And to the CIP, our goal is to help the CIPM users to use the CIP platform reference threat modeling and build further security on top of it. As you may know, the product is built based on the platform. So if the platform can conduct threat modeling, it can reduce the effort from the end user. And we will periodically review and update the threat model to incorporate newly reported threats. As I mentioned, the threat is dynamic. And so it's important to have a good approach and a good content to review the threat periodically. The last but not the least, we want to reduce the risk of the open source base layer. And currently, they are full threat modeling methodologies. The first one is threat source. The threat source means we just think like a attacker or the insider or the hacker. We will model the capability intent and the targeting about the threat to find out that threat agent might conduct. The next one is threat action. The threat action means we will model the actions which might conducted by the threat actor. The famous method belongs to this category is strike. Strike model is developed by Microsoft. The third one is threat activity. In this methodology, the threat was modeled based on the activity which conducted by a series of threat actions. The last one is vulnerability few points. In this methodology, we will check and examine the vulnerability within the asset. And we can know the threat. So based on the methodology which I mentioned, there are several key threat modeling methodology, such as the stride threat modeling, attack trees, PASTA, CVSS, security codes, and hybrid threat modeling method. In this presentation, we will introduce the stride threat modeling and attack trees. So as I mentioned, we want to reduce the risk. And the risk mitigation by threat modeling is very vital for us. There are four ways to reduce the risk by using the threat analysis reports. The first one is to redesign. It will be great if we can mitigate the risk in the very beginning. So if we conduct the threat modeling in the very beginning phase of our development, we can redesign and we can emulate the risk. And the second one, we can use the best practice, such as a standard, to mitigate the risk. The third one is we can think and even the new mitigation to the design or the development. The last one is we can adapt the conversating controls and to take the operate extra measures in implementation. If we can conduct the threat modeling in the very beginning, we can reduce the total cost of the development. Otherwise, the cost is pretty high after work. So allow me to give the floor to Dinesh. Dinesh, please. Thank you, SD. So I will further go in the detail of threat modeling by the use cases of CAP as well as I will see what the activities we are doing in CIP. So as she mentioned in this presentation, basically we are focusing on two methodologies for threat modeling, stride and attack phase. So for stride on the main element for before doing the threat modeling is creating data flow diagrams. So data flow diagrams help us to understand the processes which are taking place inside the software system and data issues, data flows, external interactors and trust boundaries. So these are the points from here. A lot of times it is found that vulnerabilities are introduced and when things are not taken into consideration like proper security measures, then there are many points of communication or interaction within the system that can be exploited by adversaries. So we can see as part of data flow diagrams, there are mainly of five elements, processes, data stores, data flows, external interactors and trust boundaries. So we will see the detail of these elements. So the example of external entities are, there could be people outside the system who can interact, they can send some kind of data, commands, et cetera, or there could be other systems which are interacting with the system and web portals. And the examples of processes could be some other processes running as dll.so, exes, components, services, web services, similar kind of things. And data flow includes function calls, our network traffic, RPC. So examples of data stores could be databases, files, registry, config files, shared library. So these are the main elements of data flow diagram. Now in further slides, we will see how in a straight we utilize data flow diagrams and how we can do the threat modeling using data flow diagrams. So first of all, we will see CIP development context diagram where it is depicted like CIP platform has multiple processes and the external entities, which are shown as other OSS developers, CIP developers or testers, CIP member companies, members, and CIP customers or end customers. So all these external entities interact with CIP platform in various ways where based on the type of members, they interact like sometimes they are doing, adding packages, doing work fixing or applying upstream fixes. So again, we can see here there is a lot of data flow to CIP platform from different external entities. So there could be many paths or many ways where the system can be exploited. So we have to model the system in a way that we can identify those points. So let's go and see more detail of CIP development. Here in this diagram, as you can see, there are external entities like CIP developers. And as you know, CIP developers means it's open source project and CIP developers contribute from all across the world. And there is no limitation. And on top of that, you can see the source code documents, all the artifacts are kept openly and anyone can do operations, but in a restricted way. You can see here repositories like upstream repositories, CIP JITLAB repositories, Google Docs. So these are the data stores for CIP development. And here, one thing which is important to notice is the right axis or we can say merge privilege is only with limited people. So that's how we protect these data stores. So any malicious users when try to put some code or some binary, that's not be possible. And in CIP, especially in CIP kernel and CIP code development, we have dedicated maintainers. They constantly keep reviewing and incorporating security fixes. That way we keep the system up to date. So let's see in further slides about more detail of stride, how we apply stride methodologies for doing the threads modeling. So here we can see, as we have seen in previous slides, four elements of DFD, like Dataflow, Datastore, Process and Interactors. So you can see like four data flows. Data flows can be affected by doing tampering, information disclosure and denial of service. And you can see Datastore and Processes, Interactors, they all have some or other kind of way which can be exploited or used by someone for malicious intent. So you can see the Processes are the most vulnerable where you can see spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privileges. All this kind of malicious things can be exploited. Now, we will see one example of CIP use case as when the CIP has been used to develop a network switch and in this diagram we see the reference ICS model which shows the four different zones. And in this, we can see in zone one, there are almost the most important asset of entire system like DCS, PLC, safety systems and these are the core part of entire system. Even though as you can see each zone is protected by various sort of mechanism like antivirus, firewalls and all, but still we need to have additional mechanisms and we need to do that modeling to make sure that all the points are protected. So you can see here a switch in zone one which is like assuming based on CIP. So in next slides, we will see the data flow in case of network switch. So this is the diagram which has been created using Microsoft threat modeling tool and we can see here there are four external entities which include admin user, DCS Distributed Control System, PLC, SD and Safety ES. And as you have seen in previous diagram where it is shown how this DCS safety system and other part of the entire system can interact with switch or CIP system. So here we have tried to depict what kind of data flows and interaction could happen when the system is running. So there is one authentication service running which is a process and one is store and forward process. So these are the processes running inside the system and these external entities will interact with these processes and these processes inter will take some action. So for example, either they store the data, process the data or pass the data to either other external entity or to data store. So as part of threat modeling, all the interactions, for example, admin user tries to authenticate or DCS external entity tries to pass some data or safety system tries to pass some data to PLC. So all these interactions have to be analyzed for weak access points. And this is done through threat modeling and this Microsoft tool helps us doing these things. So let's see how it helps us. So in this slide, you can see there is one window in the bottom where you can see the threat analysis view. So this view presents the detail of each interaction. As you can see in this screen, it is depicting the interaction of user credential when admin user tries to authenticate to the system, then this tool analyzes this interaction and it tries to tell, like if you see the description, it says authentication for configuration claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source time and summary of the received data. So it gives us the pointer, what could go wrong and what actions we should take. Now it's our responsibility while doing the threat modeling and doing the analysis of each interaction, we should deploy appropriate mechanism so that this threat can be mitigated. So this tool helps us to analyze entire system one by one from different angles and it gives us close how we can protect it. Let's see one more huge case of CIP when CIP is used as PLC. So we can see in this data flow diagram, there are three external entries where temperature sensor is the sensor or sort of IoT device which keeps sending the data to CIP based DNC. Similarly, there is another pressure sensor connected outside the system which keeps feeding the data and on the other side, you see there is HMI system which has a UI which can be operated by HMI operator to give various kind of commands or see the output of sampling process. So this way you can see the various data flows. We can see here the PLC has mainly two services, authentication service and a sampling process. So they are like two processes and you can see here data stores where like sampling data is being stored after sampling is done and there is file system storage which is used to store the authentication information or credentials in turn, we can say. So we can analyze each interaction. For example, when temperature sensor is sending data, so it has to be first authenticated by authentication service and once it is authenticated, it will be allowed to send the data further for sampling and the sampling process will do the sampling by doing some kind of calculation or predefined process and stores the data, let's say in a data store and this data can be viewed by HMI UI application. So HMI operator can send various kinds of commands. So as you can see in the red boxes, we will analyze from threat modeling perspective, the interaction of data for monitoring, commands and data for starting HMI. And we will try to see what kind of pointers this tool is giving, what kind of additional security measures we should take in order to protect the system. So we can see here, this tool is giving few pointers. So for example, for commands interaction, it is telling about if HMI GUI is given access to memory or such as shared memory or pointer. So this can be exploited. HMI can send some different commands and that can be exploited. And similarly, it gives another pointer about the escalation of, sorry, elevation of privilege. And if you see in the data for monitoring interaction, there is indication of tampering. The data can be tampered when the data is being monitored. Similarly, we can see another example of tampering. It is pointing. And if we see data for starting HMI interaction there, it is telling about the exploitation of elevation of privilege. So these are the pointers, which have been given by this threat modeling tool. And this way, this tool generates a complete analysis of all the threats possible for each interaction. Okay, so next we see here in CIP, how are we handling standard threats and how what are the standard mitigations available for us? So as we can see for like spoofing, general security property which is affected is authentication. Someone can spoof. And without doing the authentication, he can do some operation and we cannot identify him. So the general mitigation method is to utilize some authentication system like Kerberos, PKI or digital signatures. And in CIP, we have CEDO, PAM, and Google Authenticator for multi-factor authentication as well as support of OpenSSL. Similarly, for tampering, in CIP we have access control list. It's like a standard feature, but it helps to achieve many threats mitigation. And OpenSSL library supports various types of has and digest algorithms, including highest strength has digest algorithms, including stuff 5.1. Then for reputation, we have audit D and R-SYS log, which can monitor the system and the activities of all the users. So later using the logs and the audit system, we can always trace back what were the operation done by individual user. Similarly, the measures for information disclosure, OpenSSL, ACL, denial of service, PAM, OpenSSL and ACL. So using PAM, we can control like number of concurrent sessions where after a certain number of sessions, additional opening of sessions won't be allowed. Then elevation of privilege is achieved by applying additional security policies and ACLs. Okay, so this was so far we discussed about straight methodologies. This is another methodology of using attack trees. So this is the example of generic attack trees. Here we can see how attack trees work. So root node of the tree is the global goal of the attacker. How to achieve the global goal? He has to go through a lot of child nodes depending upon the goal. So each node represents one attack and an attack tree defines a collection of possible attacks. So if we traverse any particular, any one path and reaches to root, it means the global goal of exploiting root node is achieved. So here we can see like the goal is password attack should be successful. And for this, it can be done by cracking alternatives or other types of password attacks. And cracking alternatives can be achieved either by dictionary attacks or guessing or brute force. Similarly, we can see in the right side tray, password attacks either it can be done through social engineering keyloggers and they are further divided in different ways. So this is the way attack trees work. And this is a methodology which gives a very simple and efficient way of doing threat modeling. So in order to keep threat modeling very extensive and comprehensive in CIP we are planning to use two methodologies so that we can think and we can cover as many huge cases as possible. So here is one example of attack tree for CIP repositories. So let's say the goal is to obtain CIP repository admin privilege. So this is the global goal. Now how it has, how it can be achieved if we try to further break down it. So the options could be obtain repository honors password and then we can obtain CIP repository admin privilege or still repository honors SSH private key or still repository honors token. So these are the ways we can obtain admin privilege. Then further, if we try to break down how can we obtain repository honors password? So one option is bribe the owner but it depends. It may or it may not work. Then brute force, try as many combinations as possible and try to guess the password. Similarly, stealing repository honors SSH private key the easiest way is to steal the laptop or key card and then get the private key. So this way we try to model, we try to think how we can analyze all possible paths of attacks. Next, this is the attack tree for running CIP system or when the system is in production. Here we can see the global goal is how to temper CIP software. So we can see here four possible immediate possible ways are like replace CIP official image. It could be maybe stored in AWS or any other clouds. Then force Debian binary packets where again this could be exploited inject malicious code and exploit non vulnerabilities. So these are the four possible ways to temper CIP software. Now to further break down it, we can think of to replace the CIP official image. It could be one of the options could be hack into file server or someone can think of some other ways where this could be possible. Then for like second option of force Debian binary packets we have three options hack binary packets or change APT source list. So it points to a malicious repository and still deviance developers private key. So you get the complete control. So this kind of ways help us to think about doing the analysis of for threat modeling. So once we have completed doing threat modeling now it's the time to think how should we validate? How should we validate the threat models are appropriate that they can protect the system or there could be something else which should be again planned and executed. So to validate whole threat model what all things we should do? Thus we should think like does diagram match the final code or final system implementation? Are all threats enumerated or there are still some threats which are not even thought or maybe try to do stride as we have seen in previous slides stride for each element, each interaction or each you see the process interaction external entities. So all the interactions we should analyze from stride perspective and see how the interaction is happening. Also other option is has test QA reviewed the model then tester often finds issues with threat models which are not covered during threat modeling. So discussion with QA or testing team is also equally important and each threat mitigated. Yeah, so mitigation is where we should appropriately think and we should mitigate each threat because once we find all the threats enumerate all the threats then next step is always to mitigate them and include security measures so that all the threats are mitigated and no risk remains because as it was explained in first part of the session ultimate goal of threat modeling is to reduce the risk. So all mitigations are done correctly. If all these things are done it means that the threat model have been validated to achieve the end goal but threat modeling is again something which is not complete in one time. We have to do this activity periodically and keep repeating whenever there is change in terms of design or additional component. Okay, so as part of CIP what is the next model? Sorry, next step for CIP threat modeling. So as we can see in this diagram generally the cycle is defined security requirements and then do the threat modeling considering security requirements and entire system. So as we can see in the diagram we have completed defining security requirements for CIP and currently we are doing the threat modeling and this is just the beginning as we are also in discussion with the certification body for compliance to IEC 6243-4-1 and 2. So 4-1 requires the system and software should do threat modeling and so the system should be protected in a way that all the threats are mitigated. So currently we are doing threat modeling and we are analyzing all the components, all the interactions during development or during execution and we are also thinking different huge cases of CIP and after this next step would be to mitigate potential threats which are identified as part of threat modeling and then again at any design change or additional package addition we have to again do the evaluation of existing threat models and update them if needed and based on that we have to repeat the cycle. So this is as I mentioned and it was mentioned in previous session a previous part of the session it's a RIP T2 exercise which we have to continuously do because new threats keep coming and we have to incorporate the fixes or the mitigation for those threats. So that was all about this session and you can see the references for CIP resources to get further information or you can get the additional details about CIP work groups and CIP repositories and documents for further information you can refer these hotels. It's also listed a few more threat modeling tools though for this presentation and for this exercise currently we have mainly focused on using Microsoft threat modeling tool but we are also planning to use open source tools such as ThreadDragon and draw.io so we will be using this down the line. In addition to this talk there are few more talks planned as part of ELC and you can see there will be sessions on CIP kernel and international effort to establish base layer that's also from CIP security work group and there is one mini summit on 30th October where all the work groups of CIP will update their status and you can see the detail of each work group activities. Also please don't forget to visit CIP virtual booth where we will have CIP members they will try to assist you to get more information about CIP and please join us for contribution at different levels and you can see current CIP member companies are listed in this space. So thank you, thank you for attending this session. I hope you enjoyed the session and along the way we would try to answer all your queries. Thank you, stay safe.