Critical Infrastructure and Cyber Security: trends and challenges

by Massimo Cappelli

GCSEC - Global Cyber Security Center

1. Critical Infrastructure and Cyber Security: trends and challenges
   Genova, 30 October 2013
2. In 2013, GCSEC has been involved in several activities, both at national and international level, on critical infrastructure protection. Some initiatives:

   Projects co-funded by the EU (70-90%):
   - Italian Groups Online Frauds Cyber Centre and Expert Network (OF2CEN): creation of a system of information exchange between financial institutions and European law enforcement agencies (Italy, UK, Romania), with the development of an information sharing platform in Italy with the participation of Polizia Postale e delle Comunicazioni.
   - Security of Energy System (SoES): the project will provide a comprehensive analysis of ICT architectures, vulnerabilities and best practices related to Smart Grids and will create, at European level, an Information Sharing Hub on the subject. The project is developed in partnership with ENEL, RSE Energia, EFACEC.
   - Distributed Energy Security Knowledge (DEnSeK): the aim of the project is defining and deploying a distributed cross-company situation awareness network for the energy industrial field. It will enforce the capability of forecasting the evolution of cyber threats at continental level, giving the opportunity to take mitigating measures, and facilitates coordination among the members of the platform in case of crisis. Project partners are: ENEL, Security Matters, Alliander NV, Gdansk University of Technology.

   Italian:
   - Computer Emergency Response Team (CERT): support to the Security Department in the design, development and implementation of a corporate CERT. International benchmark, design of the main processes (incident handling, early warning, threat and vulnerability management, …), review of FIRST requirements, preparation of Top Management presentations and report, …
   - Black market study: analysis of attack motivations, potential impacts of the attacks and description of tools, network resources, information and services sold online for perpetrating the attacks.
   - NATO Advanced Research Workshop: GCSEC, together with GCSP, has organized an event in Geneva on "Best Practices for Computer Network Defence: Incident Detection and Response". 29 experts in cyber security, from NATO countries and partners, discussed the evolution of Incident Detection and Response.
3. Scenarios: cyberspace will increase more and more

   Today and the Near Future (1):

   Indicator | Today | 2020
   Estimated World Population | 7 billion people | 8 billion people circa
   Estimated Internet Population | 2.5 billion people (35% of population online) | 5 billion people circa (60% of population online)
   Total Number of Devices | 12.5 billion internet connected physical objects and devices (6 devices per person circa) | 50 billion internet connected physical objects and devices (10 devices per person circa)
   ICT Contribution to the Economy | 4% of GDP on average for G20 nations | 10% of worldwide GDP

   More people, more people online, more devices, more revenues generated: MORE THREATS
   - More people attracted to business crime
   - New market to explore
   - Easier to find victims who are not confident with the internet
   - Easier to buy full package services
   - …

   (1) Evans, The Internet of Things, How the Next Evolution of the Internet Is Changing Everything
4. Threats will increase and also impact critical infrastructures
   - Intellectual property and digital identities are stolen regularly
   - Systems are erased
   - Services are disrupted
   - Sophisticated hacker teams are even more well organized
   - Malware is cheaper and easier
   - Full malware packages/services available on the dark market
   - …

   2009 - Spies breach electricity grid in U.S.: according to current and former national security officials, as reported in The Wall Street Journal, cyberspies from China, Russia and other countries penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system.
   2010 - The Stuxnet worm temporarily knocks out some of the centrifuges at Iran's Natanz nuclear facility, causing considerable delay to that country's uranium enrichment program.
   2011 - The Nitro Attacks: a series of targeted attacks using an off-the-shelf Trojan horse called "Poison Ivy" is directed mainly at companies involved in the research, development and manufacture of chemicals and advanced materials. After tricking targeted users into downloading Poison Ivy, the attackers issue instructions to the compromised computers, troll for higher-level passwords and eventually offload the stolen content to hacker-controlled systems.
   2012 - DDoS attacks on U.S. banks: the U.S. accuses Iran of staging a wave of denial-of-service attacks against U.S. financial institutions. Defense Secretary Leon Panetta warns of the potential for a "cyber Pearl Harbor" against critical infrastructure and calls for new protection standards.

   Sources: ICS-CERT, The New York Times, CSO, Computerworld, The Wall Street Journal
5. What are the critical infrastructures?

   The UK's national infrastructure is defined by the Government as: "those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends" (UK CPNI website).

   UK Criticality Scale (Strategic Framework and Policy Statement, Cabinet Office):

   Parameter | Green | Yellow | Orange | Red
   Health | No injuries | Light injuries | Heavy injuries | Danger of life
   Economic loss | < 1% EBITDA | 1% < EBITDA < 3% | 3% < EBITDA < 5% | > 5% EBITDA
   Service disruption | 0-10 minutes | 10-60 minutes | 1 day | > 1 day
   Reputation | Inside the company | Local level | National level | International level
   … | | | |

   The infrastructure is not at the center of interests: the continuity of the SERVICE is the main goal.
6. Critical infrastructures are those infrastructures vital for the continuity of a service delivery whose disruption would be critical at national level.

   (Diagram of the technology chain: CITIZENS and COMPANIES; Core/Critical Service delivered by the critical Application 1 and Support Service delivered by the not critical Application 2; Operating system; Infrastructure/tools; Facility.)

   Do the owners of critical services…
   - …know if the service they deliver is critical?
   - …know at which level of the criticality scale the service could be considered critical?
   - …know the technology/assets chain vital for delivering critical services?
   - …know whom they depend on?
   - …already have in place all the countermeasures known and necessary to guarantee the service continuity?
7. The new trend in the protection of critical infrastructures is also to do properly what we are already doing (1/3)

   Examples:

   Better perimeter and service knowledge
   - Map the technology/asset chain the critical service depends on and the impact related to its disruption
   - Map the interdependencies between networks, applications, operating systems, …
   - Identify the servers containing sensitive data

   Prioritize patch management
   - Define a patch management cycle (notification, testing, prioritizing, deploying, monitoring, …)
   - Prioritize deployment on the critical infrastructures the critical service depends on

   Reduce complexity and opportunities
   - Reduce the complexity of networks, applications and operating systems, in order to reduce also the "surface" available for attacks
   - Often there are many applications inside a company doing similar activities; platform optimization will save the time and resources needed to monitor and patch them
   - Reducing the attack surface will reduce the opportunities for the hacker to find blind spots

   Strengthen internal collaboration
   - Avoid conflicts between business units (business owner, information technology, security departments, …)
   - Join skills and capabilities and work together to define and implement security requirements (i.e. CERT)

   Increase education and training
   - Managers and employees don't know the security policy related to the use of ICT infrastructures, PCs or mobile devices
   - There is a lack of training and exercises inside companies; this doesn't help to speed up the incident handling process and so on
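The criticality scale and the technology/asset chain described above lend themselves to a small tool for the patch-prioritization step. The following is an added example, not code from the presentation or from GCSEC: it scores a service with the scale's thresholds, propagates the resulting colour down an asset chain and orders patch deployment by inherited criticality. The worst-of-four aggregation rule, the handling of band boundaries and the sample asset names are assumptions.

```python
from dataclasses import dataclass, field

LEVELS = ["Green", "Yellow", "Orange", "Red"]
HEALTH = {"none": 0, "light": 1, "heavy": 2, "danger of life": 3}
REPUTATION = {"inside company": 0, "local": 1, "national": 2, "international": 3}

def economic_level(ebitda_loss_pct):
    # EBITDA loss bands from the scale: <1%, 1-3%, 3-5%, >5% (boundary handling assumed)
    return 0 if ebitda_loss_pct < 1 else 1 if ebitda_loss_pct < 3 else 2 if ebitda_loss_pct < 5 else 3

def disruption_level(minutes):
    # Service disruption bands: 0-10 minutes, 10-60 minutes, up to 1 day, more than 1 day
    return 0 if minutes <= 10 else 1 if minutes <= 60 else 2 if minutes <= 24 * 60 else 3

def service_level(health, ebitda_loss_pct, minutes, reputation):
    """Assumed aggregation rule: the worst of the four parameters sets the colour."""
    worst = max(HEALTH[health], economic_level(ebitda_loss_pct),
                disruption_level(minutes), REPUTATION[reputation])
    return LEVELS[worst]

@dataclass
class Asset:
    name: str
    depends_on: list = field(default_factory=list)  # assets this one needs in order to run

def inherited_levels(services, assets):
    """Give each asset the highest colour of any service whose dependency chain passes through it."""
    levels = {}
    for colour, roots in services.values():  # services: {name: (colour, [top-level asset names])}
        stack = list(roots)
        while stack:
            name = stack.pop()
            current = levels.get(name)
            if current is None or LEVELS.index(colour) > LEVELS.index(current):
                levels[name] = colour
                stack.extend(assets[name].depends_on)  # descend only when the level rises
    return levels

def patch_order(levels):
    """Deploy patches on the most critical assets first; ties broken by name."""
    return sorted(levels, key=lambda n: (-LEVELS.index(levels[n]), n))

# Constructed sample mirroring the chain on the slides (names are the slide labels)
ASSETS = {a.name: a for a in [
    Asset("Application 1", ["Operating system"]), Asset("Application 2", ["Operating system"]),
    Asset("Operating system", ["Infrastructure/tools"]),
    Asset("Infrastructure/tools", ["Facility"]), Asset("Facility")]}
SERVICES = {
    "Core service": (service_level("none", 4.0, 120, "national"), ["Application 1"]),
    "Support service": (service_level("none", 0.5, 5, "inside company"), ["Application 2"]),
}
```

Because the shared operating system, infrastructure and facility inherit the core service's Orange level, they are patched before the Green support application even though that application sits higher in the chain.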
8. The new trend in the protection of critical infrastructures is also to do properly what we are already doing (2/3)

   Examples:

   Use of honeypots
   - Traps set to detect, deflect or counteract attempts at unauthorized use of information systems
   - They gather information regarding an intruder or attacker in the system

   Use of disinformation/deception
   - False repository with false intellectual property or data not useful to the attackers
   - It allows to identify the attack motives
   - It also makes attackers invest money without profit

   Knowledge of your enemies
   - Monitor blogs/forums, media and chats to understand the sentiment around the company and whether someone intends to attack your organization
   - Monitor the black market (i.e. services, malware, databases of credentials, emails and so on)
   - Learn the hacker operating model (patterns of attack could be similar against different companies)

   Hacker yourself
   - Start to think and act as a hacker. In this way you can really test the protection levels of your infrastructures and take the right countermeasures (penetration testing, vulnerability assessment, …)

   Strengthen integration and data/traffic analysis
   - Data are usually collected but rarely analyzed and correlated, usually only for forensics
   - Big Data is the future and security has to be confident with it to understand patterns, correlations and so on
   - There are new solutions dealing also with behavioral patterns or "pattern of life" that describe the normal online activity of employees, … (anomaly-based IDS)
9. The new trend in the protection of critical infrastructures is also to do properly what we are already doing (3/3)

   Examples:

   Build a security in-house capability
   - Security cannot be transferred to external suppliers. It would create an uncomfortable dependency
   - Companies are re-thinking security, bringing competencies and skilled resources back in-house

   Limit the "bring your own device" (BYOD)
   - The Internet of Things will enlarge the interactions with personal devices used also for work
   - A clear policy shall be defined and strict controls put in place (mandatory authorization process, password protection, control of risky applications, limits on the use of business applications with sensitive data, …)

   Strengthen external collaboration
   - SOC/CERT and security departments have to strengthen concrete collaborations
   - It is impossible to have an overview of all the threats and vulnerabilities present in cyberspace
   - The collaboration shall go one step further than the signature of MoUs

   Moving target architectures
   - Architectures could be designed in order to shift the program's attack surface, also reducing it (moving target)
   - Different types of architectures based on microkernels and separation kernels

   APPROACHING CYBER SECURITY TODAY IS LIKE APPROACHING THE COLD WAR YEARS AGO
   START TO THINK THAT YOU ARE ALREADY UNDER ATTACK
10. THANKS