Table Of ContentVOLTTRONTM:
Security Features and
Discussion
BRANDON CARPENTER, BORA AKYOL
Pacific Northwest National Laboratory
Software Framework for Transactive Energy: VOLTTRON™, VTARI, Arlington, VA
PNNL-SA-111786 July 29, 2015 1
VOLTTRON Team
Software Development Team Application Development Team
Bora Akyol Srinivas Katipamula
Jereme Haack Robert Lutes
Brandon Carpenter Wooyun Kim
Kyle Monson Rick Pratt
Craig Allwardt Carl Miller
Poorva Sharma Weimin Wang
Tim Kang Siddartha Goyal
Robert Lutes Michael Brambley
Casey Neubauer Lucy Huang
Dan Johnson Chad Corbin
He Hao
July 29, 2015 2
Overview
Threat modeling for context
List of security features/deployment
recommendations
Recommends review of NIST SP800-
82 Guide to Industrial Control Systems
(ICS) Security
http://csrc.nist.gov/publications/drafts/80
0-82r2/sp800_82_r2_draft.pdf
Please make suggestions as github
issues or email to [email protected]
July 29, 2015 3
Security in VOLTTRON 2.x
July 29, 2015 4
VOLTTRON Security Goals
(including 3.0 release)
Protecting the integrity of agent programming through cryptographic
means
Protecting agents from using excessive system resources to ensure
platform stability
Protecting agent configuration (and work orders) from manipulation
Securing communications between VOLTTRON platforms and external
data sources
Securing communications between platform instances, including the
transfer of agents
Securing communications between agents running on the same
VOLTTRON platform
July 29, 2015 5
VOLTTRON 3.0 Security
Improvements
Platform hardening recommendations for all VOLTTRON users and use
cases
CurveMQ encryption and authentication enabled by default for TCP
connections into the platform
All connections are authenticated
Authorization based on identity, domain, endpoint, and authentication
credentials
All messages include user ID for authorization and attribution
Associated on the platform and cannot be spoofed by agents
Platform refuses to run as root to prevent damage and escalation
July 29, 2015 6
Components and Communication
July 29, 2015 7
Threat Identification and Mitigation
Strategies
VOLTTRON security features and
documented in the white paper
The paper first identifies possible attack
vectors against the VOLTTRON software, as
well as associated risks and mitigations for
reducing, alleviating, or even eliminating the
risks
Some threats also include future strategies for
improving the mitigations and even further
reducing the risk
Each vulnerability follows the following
template:
Description of vulnerability/threat.
R: Associated risk indicating what might occur if
the vulnerability is exercised.
M: Mitigation that should/will be implemented to
reduce or eliminate the associated risk.
F: Future strategies for mitigation (optional)
July 29, 2015 8
Communications between
VOLTTRON and other services
(3 and 7)
VOLTTRON allows agents to
act as proxies to external
resources to move information
between a service and the
platform (3).
VOLTTRON utilizes an
external service for data
storage
Devices managed by the
platform
Application log messages (7).
July 29, 2015 9
Example Threats and Mitigations
Communication between agents and the Cloud/external historian could
be intercepted, tampered with or snooped upon by a third party
R: A remote entity can insert itself between VOLTTRON and external entities.
Once in the path, the remote entity can tamper with communications,
affecting integrity, or snoop the communications, affecting confidentiality.
M: VOLTTRON uses standardized communication protocols (TLS/SSL) when
communicating with external entities. These protocols provide both message
integrity and confidentiality services. Identities are authenticated by means of
X509 certificates.
Agents may communicate with any system in the Cloud with which any
other agent is also able to communicate (assumes firewall allows such
communication).
R: An agent may exfiltrate data to systems in the Cloud.
M: Agent code will be reviewed for security issues and malicious intent.
F: Agents will be sandboxed to disallow unauthorized communications.
July 29, 2015 10
Description:affecting integrity, or snoop the communications, affecting confidentiality. M: VOLTTRON uses standardized communication protocols (TLS/SSL) when.
