Authors: Thomas Bötner, Prof. Dr. Hartmut Pohl, softScheck GmbH
Contribution – Embedded Software Engineering Congress 2015
While robots inherently incorporate safety-relevant (IEC 61508 Functional Safety) protection mechanisms to prevent harm to life and limb, security (attack resistance: ISO 27034 and IEC 62443) is equally essential for (networked) robots, as security can impact safety: An attacker can exploit vulnerabilities in software or firmware to disable implemented protection mechanisms and cause connected robots to malfunction.
Networked production processes are an increasingly popular target for cyberattacks. The ongoing digitalization of manufacturing facilities and the networking of production and office networks expand the attack surface and simultaneously attract more and more attackers. In practice, a proliferation of ad-hoc security activities can be observed – a strategy is lacking. ISO 27034 offers a solution for managing all security activities, which can be easily implemented in practice with the help of a process guideline.
The targets of attacks range from data theft (espionage) and extortion to the sabotage (!) of production processes. If the attack becomes known, the company suffers (additional) reputational damage; this is often independent of whether the process owner itself or third parties – such as suppliers and service providers – are responsible for the exploited security vulnerability.
A prerequisite for all (successful) attacks is at least one security vulnerability known to the attacker and exploitable by the attacker. Therefore, it is essential to identify and patch as many security vulnerabilities in software and hardware as possible – this applies particularly to previously undiscovered (unpublished) security vulnerabilities (zero-day vulnerabilities).
However, the effort required to patch a security vulnerability increases exponentially with the maturity of the software and is greatest after release. Therefore, security aspects should be considered from the very first phases of requirements and risk analysis, as well as the design phase of the development process.
ISO 27034-1
ISO 27034-1 "Application Security" provides a general approach to managing the development of secure software. This standard offers a vendor- and technology-independent foundation; it defines concepts, frameworks, and processes that help organizations integrate application security into their software development process. A key component of the standard is an enterprise-wide library containing all security activities relevant to software development. Based on the security requirements for the specific software project, selected security activities are implemented and their successful implementation is verified during the verification phase.
ISO 27034 can be applied equally well to the procurement of products or the outsourcing of development. This allows for the requirement and verification of uniform security levels across the entire company for purchased products or services.
Security Testing
Security testing is a key security activity: The following five methods, proposed by the standard, are used to identify known security gaps and, in particular, previously undiscovered, unpublished zero-day vulnerabilities:
Security Requirements Analysis:
Identification and verification of exact security requirements
Threat Modeling (Security by Design):
Threat modeling reviews the security architecture of the software and firmware of critical IT infrastructures and networks. Since approximately half of all security vulnerabilities are due to design flaws, security measures must be implemented and verified before or during the design phase.
Static Source Code Analysis (Code Review):
From the implementation phase onward, the conformity of the target software's source code is checked using formal methods to ensure adherence to the syntactic programming conventions of the programming language and compliance with programming guidelines. This process is comparable to a parser, which performs a lexical, syntactic, and semantic analysis of the program code.
Due to the lexical rules of the programming language used and the semantic relationships, individual errors generally require a manual audit to rule out false positives and to develop appropriate remediation strategies. The quality and quantity of the analysis results therefore depend significantly on the selection of suitable tools.
Penetration Testing:
Dynamic security audit using known attacks to identify known vulnerabilities.
Dynamic Analysis – Fuzzing:
Fuzzing is a semi-automated method for identifying exploitable vulnerabilities in software and hardware/firmware: Tool-assisted input of test data into a target system (program, firmware) is used to find input data that the program code does not account for. Incorrect or insufficient processing of this data leads to unexpected behavior (crash, high resource consumption such as processing time and memory) of the target program. This anomalous program behavior is logged, pre-analyzed, and visualized using a monitoring tool. Analyzing the monitoring results allows for the elimination of false positives. Vulnerabilities are proven by reproducing the anomaly and developing an exploit.
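The fuzzing loop just described (mutated test data in, monitor for crashes and excessive resource consumption, keep only anomalies that reproduce) as an added example in Python; this is not code from the paper or from softScheck. The record format, parse_message with its two planted defects, the 1 MiB memory limit and the seeds are all constructed for the example.

```python
import random, tracemalloc, traceback
def parse_message(data: bytes) -> list:
    """Constructed toy target: records of [count:2][len:1][pattern:len][terminator:1],
    each expanded to pattern * count. Planted defects: the terminator read has no
    bounds check (IndexError) and count is unbounded (memory blow-up)."""
    out, pos = [], 0
    while pos < len(data):
        count, length = int.from_bytes(data[pos:pos + 2], "big"), data[pos + 2]
        pattern = data[pos + 3:pos + 3 + length]
        if data[pos + 3 + length] != 0:              # defect 1: no bounds check
            raise ValueError("missing terminator")   # handled: benign rejection
        out.append(bytes(pattern) * count)           # defect 2: count is unbounded
        pos += 4 + length
    return out

def run_monitored(target, data: bytes, memory_limit=1 << 20):
    """Monitor one case: (kind, signature) for an anomaly, None for benign behaviour."""
    tracemalloc.start()
    try:
        target(data)
    except ValueError:
        return None                                  # rejected on purpose: not a finding
    except Exception as exc:                         # unhandled exception == crash
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return ("crash", f"{type(exc).__name__}@{frame.name}:{frame.lineno}")
    finally:
        peak = tracemalloc.get_traced_memory()[1]    # peak bytes allocated during the run
        tracemalloc.stop()
    return ("resource", "peak memory above limit") if peak > memory_limit else None

def mutate(rng: random.Random, data: bytes) -> bytes:
    buf, op = bytearray(data), rng.randrange(3)      # overwrite, truncate or insert
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seeds, iterations=300, seed=1) -> dict:
    """Mutation fuzzing; an anomaly is logged only if a second run reproduces it."""
    rng, findings = random.Random(seed), {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        anomaly = run_monitored(target, case)
        if anomaly and anomaly not in findings and run_monitored(target, case) == anomaly:
            findings[anomaly] = case                 # first reproducing input per anomaly
    return findings
SEEDS = [b"\x00\x02\x03abc\x00", b"\x00\x01\xc8" + b"A" * 200 + b"\x00"]  # constructed
```

A production harness would additionally bound wall-clock time per case and run the target in a separate process so that a crash does not take the monitor down with it.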
Besides selecting the right methods, determining the point in time when a method is applied in the product life cycle is important for the success and efficiency of the method.
Process guide
A process guide for developing secure software is helpful for the practical implementation of this standard; using the process guide eliminates the need for time-consuming training of all project participants on the standard itself. Existing security concepts and measures can be integrated into the process guide. It is independent of the software development lifecycle used (from traditional models like the waterfall model, through the V-model, to agile approaches like Scrum).
ONF & ANF
The core of ISO 27034 consists of two main processes: the Organizational Normative Framework (ONF) Process and the Application Security Management Process (ASMP), through which the Application Normative Framework (ANF) is created and applied. The former describes the structure and maintenance of the ONF. The ONF compiles all company-wide guidelines, regulations, best practices, etc., into a company-wide library. Subsequently, the ASMP creates an ANF for each project by integrating the necessary guidelines, regulations, best practices, etc., along with the associated Application Security Controls (ASCs) – security activities – from the ONF into the product lifecycle, particularly the development process.
A risk analysis in the first step of the ASMP serves as the basis for determining the target level of trust and subsequently defining security requirements for the software to be developed. The ANF is then derived from the ONF according to the project characteristics, such as the technologies used, local legal frameworks, company policies, and the target level of trust.
The ANF (Application Normative Framework) describes which security activities are performed at which point in the product lifecycle, and when and how their successful execution is demonstrated or verified. The product lifecycle is divided into two phases: Provisioning and Operational Application, with the rollout marking the transition between the two phases. Milestones are also defined at which the current security level is compared to the target security level. Have all planned security activities been successfully implemented up to this point? If not, the reason must be discussed, and the ANF or the target security level may need to be adjusted.
Furthermore, the need for additional or new security activities due to changes in the project, e.g., due to new requirements, must be reviewed.
If new security activities are needed, or if existing ones need to be adapted or updated, the project team will communicate this to the ONF team.
Through this feedback process, the ONF and its security activities are continuously adapted to the current state of the art.
Joining forces with functional safety
Functional safety and attack resistance are key requirements for both existing secure systems and current software development. However, these two areas are usually considered independently – leading to security gaps, increased development time, and therefore higher costs. The solution is obvious: a process guideline that encompasses both areas and leverages synergies.
Safety (functional safety) and the associated standard IEC 61508 are already widely known in software development. However, the relationships and, in particular, the dependencies between security and safety are often overlooked. Safety functions can be manipulated by malicious attackers. Therefore, functionally safe systems must also be secure.
Furthermore, synergies can be leveraged by considering safety and security together. Both areas aim for availability. The risks of failures and malfunctions have previously only been examined separately.
The challenge for the future lies in combining the currently two-pronged approach. Not only are there increasing overlaps between safety and security in specific projects, but the still-separate process guidelines in each area also offer points of connection. Merging these into a single guideline enables synergy effects, resulting in significant development cost savings for the customer. At the same time, a combined guideline ensures two crucial aspects: Firstly, it guarantees that the software has been developed in accordance with both standards and is therefore certifiable. Secondly, it offers, for the first time, the urgently needed opportunity to formulate security and safety requirements and objectives in relation to one another. This allows requirements to be aligned and optimized from the outset. Simultaneously, a joint risk analysis identifies and assesses threats that were previously difficult to detect. This enables more precise formulation of countermeasures.
Certification
Firstly, the development process (using the ONF process and the ASMP) can be certified. Secondly, the products created using this process can also be certified more easily and cost-effectively. The certificates are issued by an accredited certification body. Thus, the software manufacturer not only receives a certified (secure) product, but also a competitive advantage, which they can then promote.
Summary
Automation systems are an increasingly popular target for cyberattacks. The ongoing digitalization of manufacturing facilities and the networking of production and office networks are expanding the attack surface and simultaneously attracting more and more attackers. Functional safety and attack resistance are key requirements for both existing secure systems and current software development. However, these two areas are usually considered independently – leading to security gaps, increased development time, and thus higher costs. The solution is obvious: a process guideline that encompasses both areas and leverages synergies.