VOLTTRONTM: Security Features and Discussion BRANDON CARPENTER, BORA AKYOL Pacific Northwest National Laboratory Software Framework for Transactive Energy: VOLTTRON™, VTARI, Arlington, VA PNNL-SA-111786 July 29, 2015 1 VOLTTRON Team Software Development Team Application Development Team Bora Akyol Srinivas Katipamula Jereme Haack Robert Lutes Brandon Carpenter Wooyun Kim Kyle Monson Rick Pratt Craig Allwardt Carl Miller Poorva Sharma Weimin Wang Tim Kang Siddartha Goyal Robert Lutes Michael Brambley Casey Neubauer Lucy Huang Dan Johnson Chad Corbin He Hao July 29, 2015 2 Overview Threat modeling for context List of security features/deployment recommendations Recommends review of NIST SP800- 82 Guide to Industrial Control Systems (ICS) Security http://csrc.nist.gov/publications/drafts/80 0-82r2/sp800_82_r2_draft.pdf Please make suggestions as github issues or email to [email protected] July 29, 2015 3 Security in VOLTTRON 2.x July 29, 2015 4 VOLTTRON Security Goals (including 3.0 release) Protecting the integrity of agent programming through cryptographic means Protecting agents from using excessive system resources to ensure platform stability Protecting agent configuration (and work orders) from manipulation Securing communications between VOLTTRON platforms and external data sources Securing communications between platform instances, including the transfer of agents Securing communications between agents running on the same VOLTTRON platform July 29, 2015 5 VOLTTRON 3.0 Security Improvements Platform hardening recommendations for all VOLTTRON users and use cases CurveMQ encryption and authentication enabled by default for TCP connections into the platform All connections are authenticated Authorization based on identity, domain, endpoint, and authentication credentials All messages include user ID for authorization and attribution Associated on the platform and cannot be spoofed by agents Platform refuses to run as root to prevent damage and escalation July 29, 2015 6 Components and Communication July 29, 2015 7 Threat Identification and Mitigation Strategies VOLTTRON security features and documented in the white paper The paper first identifies possible attack vectors against the VOLTTRON software, as well as associated risks and mitigations for reducing, alleviating, or even eliminating the risks Some threats also include future strategies for improving the mitigations and even further reducing the risk Each vulnerability follows the following template: Description of vulnerability/threat. R: Associated risk indicating what might occur if the vulnerability is exercised. M: Mitigation that should/will be implemented to reduce or eliminate the associated risk. F: Future strategies for mitigation (optional) July 29, 2015 8 Communications between VOLTTRON and other services (3 and 7) VOLTTRON allows agents to act as proxies to external resources to move information between a service and the platform (3). VOLTTRON utilizes an external service for data storage Devices managed by the platform Application log messages (7). July 29, 2015 9 Example Threats and Mitigations Communication between agents and the Cloud/external historian could be intercepted, tampered with or snooped upon by a third party R: A remote entity can insert itself between VOLTTRON and external entities. Once in the path, the remote entity can tamper with communications, affecting integrity, or snoop the communications, affecting confidentiality. M: VOLTTRON uses standardized communication protocols (TLS/SSL) when communicating with external entities. These protocols provide both message integrity and confidentiality services. Identities are authenticated by means of X509 certificates. Agents may communicate with any system in the Cloud with which any other agent is also able to communicate (assumes firewall allows such communication). R: An agent may exfiltrate data to systems in the Cloud. M: Agent code will be reviewed for security issues and malicious intent. F: Agents will be sandboxed to disallow unauthorized communications. July 29, 2015 10