Developing secure components for

embedded systems
(or how to make sure the
infrastructure keeps running)
Prof. Jim Norton!
Steering Group Chair!
Secure Software Development Partnership!
Vice-President Professionalism!
BCS Chartered Institute for IT!
External Director!
UK Parliamentary Office of Science &
Technology (POST)!
www.profjimnorton.com!

Issues to be covered
So whats the problem?.
Why now?
What is the key commonality?
Breaking the vicious circle
Sustaining the breakout
Final thoughts

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

So what is the problem?

We have known for thirty years how to develop formal
specifications, generate secure code and thus deliver secure
systems.
Typically though systems are not conceived or built in this way.
There has been relatively little demand for formal methods.
Employers have not regarded these skills as key for
recruitment.
Universities are thus less keen to keep them in the syllabus.
So, with some honorable exceptions, we have a declining spiral.
This needs to change but
There is nothing more difficult to take in hand, more perilous to conduct, or
more uncertain in its success than to take the lead in the introduction of a new
order of things. Niccolo Machiavelli from The Prince
Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

Issues to be covered
So whats the problem?.
Why now?
What is the key commonality?
Breaking the vicious circle
Sustaining the breakout
Final thoughts

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

Why now?

A series of reports published in the summer of 2009 stressed the need for
major investment in infrastructure renewal and hardening against a wide
range of threats

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

Quotes from the reports (1)

Recommendation 52: Government should review its powers to mandate
realistic minimum levels of resilience in relation to all critical infrastructures
and in relation to all areas of interdependence between different infrastructure sectors.
Where wider interpretation or amendment of existing legislation is not sufficient and
new primary legislation is required, this should be included in the planned further Bill
on Civil Contingencies.
Recommendation 53: Government should bring together regulators of the different
infrastructure industries and require them to enforce higher resilience standards in
their own sectors, as well as to investigate and strengthen resilience in areas of
interdependencies between sectors and in sector supply chains.
Recommendation 54: Government should go further and signal to sector regulators that
it would welcome investment by utility providers in relevant areas outside their own
core business areas where such investment would reduce interdependence on other
elements of the infrastructure. Investment by the power generators, national grid and
energy distribution companies in mobile communications that are more resilient against
power failure, for example, would be welcome.
Recommendation 57: Government should task the Centre for the Protection of National
Infrastructure (CPNI) with the development of security recommendations aimed at
mitigating command and control risks associated with Smart Grids
Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

Quotes from the reports (2)

We do not believe that the NI can continue on its current trajectory, for three
main reasons:
it is highly fragmented, both in terms of delivery and governance
its resilience against systemic failure is significantly weakening through a
combination of:
o ageing infrastructure components;
o greater complexity and interconnectivity between the different infrastructure
sectors; and
o nearing maximum capacity as a result of increased social and economic
pressures
the significant challenges posed by climate change and socio-demographic changes,
which mean that:
o there is an urgent need for a major change in devising low carbon solutions to
meet the 80% target for reducing greenhouse gas emissions by 2050;
o core pieces of infrastructure need to be future-proofed against extreme natural
events; and
o they need to be able to respond to future demographic, social and life style
changes.
Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

Quotes from the reports (3)

We recommend that the government creates a single point of authority for
infrastructure resilience to coordinate the work of the agencies responsible for
dealing with individual sectors and threats and recognise interdependency. This
would provide the fundamental overview that is lacking, consider how to fill in the
gaps and address the areas of infrastructure defence which are currently ignored.
With climate change identified as the biggest threat currently facing the UKs
infrastructure, government must ensure that the newly created Natural Hazards
Team is effective. Government should invest the Natural Hazards Team with the
power to provide strong leadership to asset owners and ensure legislation is properly
enforced.
Government must give clearer guidance to sector regulators such as Ofgem and
Ofwat. At present these regulators remit is largely the short-term prices paid by end
users. In order to deliver the improvements to resilience identified as necessary by
government and the overview function for infrastructure resilience, regulators must
have the capacity to address asset resilience as well as broader and longer term
consumer interests. Regulators require the ability to ensure asset owners build in
reserve capacity to critical infrastructure and that they are fully prepared for any
emergency scenario.
Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

Issues to be covered
So whats the problem?.
Why now?
What is the key commonality?
Breaking the vicious circle
Sustaining the breakout
Final thoughts

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

What is the key commonality?

Much of the
underpinning
system design
and software in
command and
control systems
(such as
Supervisory
Control and
Data
Acquisition SCADA) is
poor.

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

10

Plenty of good advice on which to draw

Reports from the UK Royal Academy of Engineering:
http://www.raeng.org.uk/news/publications/list/reports/
Engineering_values_in_IT.pdf
http://www.raeng.org.uk/news/publications/list/reports/
Complex_IT_Projects.pdf
Report from the US National Academy of Sciences
http://www.nap.edu/catalog.php?record_id=11923 (there is a link to
download a free PDF)
Report from the US National Security Agency demonstrator project
http://www.adacore.com/home/products/sparkpro/tokeneer
Report from the global work on Information Security Economics
http://www.cl.cam.ac.uk/~rja14/Papers/econ_czech.pdf
With grateful thanks to Prof. Martyn Thomas for all these references.
Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

11

Issues to be covered
So whats the problem?.
Why now?
What is the key commonality?
Breaking the vicious circle
Sustaining the breakout
Final thoughts

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

12

Could infrastructure projects break the vicious circle?

Even with the challenging economic backdrop, we are likely to see extensive
investment in enhancing and hardening the UK national infrastructure over
the next several years.
It seems to me to be crucially important that this investment is based on the
best principles of secure design and implementation, especially in terms of
software and embedded systems
If we want that high confidence that a system has some desired properties
(e.g. specific security properties), then this can only be shown by analysis,
supported (to a degree) by testing.
Once that is accepted, it dictates the whole strategy for development, because
it requires that the desired properties are expressed in a formal language,
and that the software is developed using notations and languages that can be
rigorously analysed to show that the system they describe has the required
properties. If there is a market for certifiably secure software, then there will
be a market for the languages, methods and analysis tools that will be needed.

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

13

Achieving the breakout

Take the new infrastructure projects as the catalyst for a
fundamental change in practice, leveraging Governments role in
regulation and, to a lesser extent, procurement.
Adopt a mandatory two-stage procurement, with an initial step in
which a systems architect would capture, formalise and analyse the
customer's requirements;
Demand that key operational software should always be delivered
with an evidence-based argument that it met the security
specification;
Rely far more on analysis and far less on testing as the core evidence.

Again with grateful thanks to Prof. Martyn Thomas for inputs to the Secure Software Development Partnership.
Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

14

Issues to be covered
So whats the problem?.
Why now?
What is the key commonality?
Breaking the vicious circle
Sustaining the breakout
Final thoughts

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

15

From breakout to critical mass

Recommendation 60: Government should
also approach the European Commission
to sponsor a programme for the
creation of a range of secure and reliable
standard software modules (such as simple
operating systems, database management
systems and graphical user interfaces).
These modules should be developed using
formal methods and be made available
free of charge through an Open Source
licence to encourage their widespread use.

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

16

Issues to be covered
So whats the problem?.
Why now?
What is the key commonality?
Breaking the vicious circle
Sustaining the breakout
Final thoughts

Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

17

Final thoughts
We live today in a complex, densely networked and
heavily technology-reliant society. Extensive privatisation
and the pursuit of competitive advantage in globalised
markets, have also led us to pare down the systems we rely
upon until little or no margin for error remains. We have
switched to lean production, stretched supply chains,
decreased stock inventories and reduced redundancy in
our systems. We have outsourced, offshored and embraced
a just-in-time culture with little heed for just-in-case. This
magnifies not only efficiency but also vulnerability.
Everything depends on infrastructure functioning
smoothly and the infrastructure of modern life can be
brittle: interdependent systems can make for cascades of
concatenated failure when one link in the chain is
broken.
Lets use the opportunity of infrastructure renewal to drive a renaissance in
Security by Design, bringing back into widespread use the good practice that we
have long known and understood.
Copyright 2010 Prof. Jim Norton

ISSD 20th May 2010

18

But remember, security is

a continual battle. Dont
ever sit back and believe
that you have won!

Oh dear!

Lets now have a debate as to

whether what I have suggested is:
desirable?
sensible?
implementable?
Presentation can be
Downloaded from: www.profjimnorton.com/issdjn.pdf
Copyright 2009 Prof. Jim Norton

RiskConf 05.11.2009

19

10