From Safety to Cyber resilience: Position Paper
By Frédéric Cuppens and Nora Cuppens
IMT Atlantique
Zero risk does not exist. This is well understood in the context of safety. Safety refers to the control of accidental failures in order to achieve an acceptable level of risk. There are many safety mechanisms that are used to protect the system against accidental failures, including redundancy, confinement, robust design, maintainability, recovery and user-centered design.
The situation is significantly different in the case of cybersecurity. Cybersecurity deals with malicious failure caused by cyberattacks. It is based on a risk analysis whose objective is to identify threats and vulnerabilities. The combination of a threat with a vulnerability leads to a risk. The objective is then to design a security architecture that will reduce these identified risks to an acceptable level. However, this approach is based on a wrong assumption. It is not possible to identify every vulnerability a system is exposed to, and thus it is not possible to identify every risk in the case of malicious failure.
Towards cyber resilient systems
We argue that current cybersecurity technologies are, at best, able to resist damage caused by known cyberattacks. They are not effective against unknown attacks, the so-called zero-day attacks. Since some cyberattacks will succeed, systems should be designed to withstand such successful cyberattacks. This is the purpose of cyber resilience. We claim that it is urgent to design systems that are cyber resilient. Taking our inspiration partly from safety, we investigate some paths of future research for designing cyber resilient systems.
From redundancy to diversity
Redundancy is a widely used solution to effectively enforce safety. However, classical redundancy is not enough to enforce cyber resilience, because the same cyberattack that succeeds on a given component will also succeed on its redundant copy. The diversity principle is based on the simple idea: “The same products/processes have the same anomalies; different products/processes have different anomalies”. “Different” means that the products have the same functionality and the processes have the same goals, but they are developed and implemented in different ways. Some papers have already investigated how diversity can be used to enhance cyber resilience [Tot2005, Sai2009].
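The following Python program is an added illustration of the diversity principle stated above; it is constructed for this text and is not code from the paper or from [Tot2005, Sai2009]. Three independently written implementations of one small specification (absolute URL path normalization) are run side by side, one of them carrying a constructed flaw. Three identical copies of the flawed implementation agree on the wrong answer, so classical redundancy hides the anomaly, whereas the diverse implementations disagree on the same input and the disagreement itself is the signal a diversity-based detector raises. All host names, function names and sample inputs are assumptions made for the example.

```python
"""Diversity-based detection by output comparison (constructed illustration)."""
import posixpath
import re


def normalize_stack(path: str) -> str:
    """Segment-stack normalization: '.' is dropped, '..' pops, the root is a floor."""
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def normalize_stdlib(path: str) -> str:
    """Delegate to posixpath.normpath, then fold a POSIX-style leading '//' to '/'."""
    return "/" + posixpath.normpath(path).lstrip("/")


def normalize_regex_naive(path: str) -> str:
    """Constructed flawed variant: it rewrites only the 'segment/../' pattern, so a
    traversal that climbs past the root ('/a/../../b') leaves '/../b' behind
    instead of being clamped to '/b'."""
    path = re.sub(r"/+", "/", path)
    while "/./" in path:
        path = path.replace("/./", "/")
    climb = re.compile(r"/[^/]+/\.\./")
    while climb.search(path):
        path = climb.sub("/", path, count=1)
    return path


def diversity_check(path: str, impls: dict) -> dict:
    """Run every implementation on the same input and report whether they agree.
    A disagreement is what the diversity-based detector flags for inspection."""
    results = {name: fn(path) for name, fn in impls.items()}
    return {"agree": len(set(results.values())) == 1, "results": results}


# Diverse setup: same specification, three different implementations.
DIVERSE = {"stack": normalize_stack, "stdlib": normalize_stdlib,
           "regex": normalize_regex_naive}
# Classical redundancy: three copies of one implementation (here the flawed one).
REDUNDANT = {"copy1": normalize_regex_naive, "copy2": normalize_regex_naive,
             "copy3": normalize_regex_naive}

SAMPLE_PATHS = ["/a/b/../c", "/a/./b", "//a//b", "/a/../../b"]  # constructed inputs


def run_demo() -> dict:
    """Per input: does the diverse setup agree, and does the redundant setup agree?"""
    return {p: {"diverse_agree": diversity_check(p, DIVERSE)["agree"],
                "redundant_agree": diversity_check(p, REDUNDANT)["agree"]}
            for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for sample, verdict in run_demo().items():
        print(sample, verdict, diversity_check(sample, DIVERSE)["results"])
```

On the last sample the redundant setup reports unanimous agreement on "/../b", while the diverse setup reports a disagreement between "/b" (stack and stdlib) and "/../b" (regex). The detector does not need to know which implementation is right; it only needs the implementations to be different enough that a shared anomaly is unlikely.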
Of course, as with classical redundancy, diversity has a cost. The increase in cost due to redundancy is accepted, and even mandatory, for critical systems like aircraft or nuclear plants. In such systems, redundancy is a highly relevant solution to reduce the risk of catastrophic accidental failures to an acceptable level. We claim that the same argument regarding increased cost must apply to diversity. Why? Precisely because cyberattacks can now severely target many critical infrastructures, as illustrated by several recent examples of attacks.
Defense in Depth vs. Cyber resilience
Defense in depth enhances the security of a system by combining several layers of protection and defense [Str2003], so that if one layer fails there are more behind it that continue to protect and defend the assets. Defense in depth measures do not actually prevent security breaches, but they give the organization more time to detect and respond to an attack. However, there is a major difference between the intent of defense in depth and that of cyber resilience: if the attacker succeeds in circumventing the different layers of protection and defense, then the attack will eventually succeed and its impact may prevent the system from providing its services. Thus defense in depth does not imply cyber resilience.
Dynamic cyber resilience
Currently, an intruder can generally find direct and straight paths to target a system. The objective of dynamic cyber resilience is to transform such straight paths into a labyrinth, so that it becomes much more difficult for the intruder to achieve its malicious objectives. Moving Target Defense (MTD) [Jaj2011] is the main avenue of research for enforcing such dynamic cyber resilience. In the context of virtualized networks, research has already proposed several MTD strategies [Wan2017]:
- Changing network topology: To defend against network reconnaissance, stepping stone attacks and large-scale malware propagation.
- Changing network attributes: To protect against attacks like target-based attacks, network scans and large-scale malware propagation.
- Network traffic manipulation: To achieve useful defenses like network reflection or honeypots.
- Network diversification: To obfuscate the target network with virtual nodes. This can be used to defend against network scans, advanced persistent threats and vulnerability-specific attacks.
- Network element migration: To migrate a network node or an entire network structure to a new physical machine or a new network environment. This can be used to defend against botnets and malware propagation, and to reduce the security risk brought by an infected node.
Strategies like changing the network configuration or migrating nodes can easily be applied on a mainstream virtualization platform. To support the other strategies, more functions need to be added to the underlying virtualization infrastructure [Woe2015, Wan2013]. There is also a need to investigate how to deploy MTD in other fields, such as the Internet of Things.
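The following Python program is an added toy model of the “changing network attributes” strategy listed above; it is constructed for this text and is not code from the paper or from [Wan2017]. Each host keeps a stable internal name, but the address it answers at is re-derived from a secret key at every epoch. A legitimate client that consults the current mapping always reaches the right host, while a mapping captured in an earlier epoch goes stale, which is the “labyrinth” effect the text describes. The host names, the address pool, the key and the epoch scheme are all assumptions made for the example.

```python
"""Toy model of address rotation as a Moving Target Defense (constructed illustration)."""
import hashlib
import hmac

HOSTS = ["web", "db", "auth"]      # constructed host names
POOL = 254                          # usable addresses 10.0.0.1 .. 10.0.0.254
KEY = b"constructed-demo-key"       # placeholder; a deployment would use a real secret


def epoch_mapping(hosts, epoch, key=KEY):
    """Deterministic {host: address} for (key, epoch).

    Each host gets a keyed pseudo-random slot; collisions are resolved by
    linear probing so that the mapping is always injective."""
    taken, mapping = set(), {}
    for host in hosts:
        tag = hmac.new(key, f"{epoch}:{host}".encode(), hashlib.sha256).digest()
        slot = 1 + int.from_bytes(tag[:4], "big") % POOL
        while slot in taken:
            slot = slot % POOL + 1      # wraps from 254 back to 1
        taken.add(slot)
        mapping[host] = f"10.0.0.{slot}"
    return mapping


def deliver(addr, epoch, key=KEY):
    """Which host (if any) the network delivers to at addr during epoch."""
    inverse = {a: h for h, a in epoch_mapping(HOSTS, epoch, key).items()}
    return inverse.get(addr)


def legit_success_rate(epochs, key=KEY):
    """Clients that look up the current mapping each epoch always reach the right host."""
    ok = total = 0
    for epoch in range(epochs):
        for host, addr in epoch_mapping(HOSTS, epoch, key).items():
            total += 1
            ok += deliver(addr, epoch, key) == host
    return ok / total


def stale_map_hit_rate(epochs, key=KEY):
    """Fraction of entries from the previous epoch's map that still reach the same host.

    With POOL addresses and independent re-derivation per epoch, this sits
    around 1/POOL on average, so a map learned earlier is almost useless one
    epoch later."""
    ok = total = 0
    for epoch in range(1, epochs):
        captured = epoch_mapping(HOSTS, epoch - 1, key)
        for host, addr in captured.items():
            total += 1
            ok += deliver(addr, epoch, key) == host
    return ok / total


if __name__ == "__main__":
    print("epoch 0:", epoch_mapping(HOSTS, 0))
    print("epoch 1:", epoch_mapping(HOSTS, 1))
    print("legit clients reach their host:", legit_success_rate(50))
    print("stale map still valid:", stale_map_hit_rate(200))
```

The model separates the stable identity (the host name) from the attribute that moves (its address), which is what lets the defender rotate without breaking legitimate use: the client-side lookup is the only component that must follow the rotation, and it is driven by the same key and epoch as the network side. The rotation period and the size of the address pool are the two parameters that trade operational overhead against how quickly captured knowledge decays.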
Conclusion
Faced with cyberattacks that may have catastrophic impacts on systems, we urgently need to develop solutions that enhance the resilience of systems, so that they are able to withstand successful cyberattacks. In this paper, we suggest some avenues of research that should urgently be initiated in that direction (an extended version of this paper is available in PDF). Of course, making systems resilient to cyberattacks will have a cost. This increase in cost is accepted in the case of accidental failures when we design critical systems like aircraft, trains, power plants or nuclear plants. Why is the reasoning not the same in the case of cyberattacks? Are we waiting for a cyberattack with catastrophic consequences to occur before acting?
Acknowledgements
Issues presented here are part of the IMT Cyber CNI Chair held by IMT Atlantique and supported by Airbus Defence and Space, Amossys, EDF, Orange, La Poste, Nokia, Société Générale, the Regional Council of Brittany and the European Regional Development Fund (ERDF).
References
- [Jaj2011] Jajodia, S., Ghosh, A.K., Swarup, V., Wang, C., Wang, X.S.: Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats. Springer Publishing Company (2011)
- [Sai2009] Saïdane, A., Nicomette, V., Deswarte, Y.: The Design of a Generic Intrusion-Tolerant Architecture for Web Servers. IEEE Trans. Dependable Sec. Comput. 6(1): 45-58 (2009)
- [Str2003] Straub, K. R.: Information Security Managing Risk with Defense in Depth. SANS Institute InfoSec Reading Room (2003)
- [Tot2005] Totel, E., Majorczyk, F., Mé, L.: COTS Diversity Based Intrusion Detection and Application to Web Servers. RAID 2005: 43-62 (2005)
- [Wan2013] Wang, L., Wang, Z., Sun, K., Jajodia, S.: Reducing attack surface with VM-based phantom server. In: MILCOM 2013: IEEE Military Communications Conference. pp. 1429-1435 (2013)
- [Wan2017] Wang, L., Wu, D.: MTD-VirNet: A Moving Target Defense Architecture over Virtualized Networks. Unpublished paper.
- [Woe2015] Woesner, H., Verbeiren, D.: SDN and NFV in telecommunication network migration. In: Fourth European Workshop on Software Defined Networks, EWSDN, Bilbao, Spain. pp. 125-126 (2015)