About us: Finmeccanica
CP EXPO Workshop - «Risks and Security Management in
Logistics and Transports»
Cyber Security in Ra...
Signaling Systems: Safety-to-Security relationships
“Vital Systems”
• RBC (Radio Block Center)
• Interlocking
Environment
...
… and between vital and non-vital layers
Needs Protection…

External Systems
Non-vital layer

Train Management System (TMS...
Evolution and Characteristics of Railway Signaling Systems

Technology Platforms
In the Past

Today

Proprietary HW/SW
Iso...
Cyber Space calling, Cyber Security knocking
Cyber Security: protection of Cyber Space. But what is Cyber Space?

Yesterda...
Mature Cyber Security Process

1

Discovery & Assessment
•
•
•

2

HW/SW Review & Redesign
•
•
•

3

Identify key risks
Id...
ICT Security Activities and Governance: Best Practices

Incident Management
Event Identification
Countermeasures

Effort

...
ICT Security Activities and Governance: real life
Reactive countermeasures
Reaction
WTF is

Detection

… and guess what?

...
Cyber Security: taking advantage of IT

Building on top of Information
Technology infrastructures, means
that you get both...
Strategy: enhance monitoring and correlate

Content Filtering
Virtual Patching

AAA

Firewalling
IDS/IPS

So many eyes… gi...
Perimeter Defence - Firewall shortcoming
Signalling Plant_2

Signalling Plant_1

Signalling Plant_N

…..
Firewall
Module

...
Content Filtering: the do’s and the dont’s
Operating system is static, meaning that you can’t change it too often (good…),...
Near Realtime Asset Control
• not a performance- or availability-driven tool, though it may help
• based on static asset d...
The russian peasant of SIEMs at work: fast and light

Events
Console

Message Correlation
Minimize False Positives
Realtim...
The 11th hour (a.m.?)

Do we simply wait for
vulnerabilities to become
actual threats
or
Can we advance from here, and
pro...
Upcoming SlideShare
Loading in …5
×

Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and Transports part 2"

545 views
428 views

Published on

CP EXPO Workshop - «Risks and Security Management in
Logistics and Transports»
Cyber Security in Railways Systems, Ansaldo STS experience – Part 2: Cyber Security Strategy and Design

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
545
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
7
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and Transports part 2"

  1. 1. About us: Finmeccanica CP EXPO Workshop - «Risks and Security Management in Logistics and Transports» Cyber Security in Railways Systems, Ansaldo STS experience – Part 2: Cyber Security Strategy and Design Relator: Joint work with: Daniele Debertol, PhD. Ermete Meda, InfoSec Manager Finmeccanica is Italy’s leading manufacturer in the high technology sector. Genova, 29 October 2013 Finmeccanica is the largest shareholder in Ansaldo STS with a 40% stake. 1
  2. 2. Signaling Systems: Safety-to-Security relationships “Vital Systems” • RBC (Radio Block Center) • Interlocking Environment Proprietary Infrastructure that ensures Railway Safety is not subject to computer attack Vital Systems “Non-Vital Systems” • Centralized Traffic Control Systems (e.g. TMS), Automation Systems Environment • Commercial ICT Infrastructure undergoing Cyber Security Risks (Operational Continuity, Financial losses, Reputational damage) Non-Vital Systems Non-Vital Systems 2
  3. 3. … and between vital and non-vital layers Needs Protection… External Systems Non-vital layer Train Management System (TMS) Interlocking RBC Interlocking Vital layer ERTMS Euroradio T2 T1 Balise RBC: Radio-Block Center 3
  4. 4. Evolution and Characteristics of Railway Signaling Systems Technology Platforms In the Past Today Proprietary HW/SW Isolated Systems Dedicated Applications Structured Information Commercial low cost HW/SW TCP/IP Protocol Interconnected Systems Heterogeneous Services (E-mail, Info-web, VoIP, CCTV, …) Structured and unstructured Information Operating Environment Today Distributed ICT infrastructure spread over long distances, and unattended systems Connections between safety critical and non-safety critical layers External systems connected to signaling infrastructure Human factor (operators, maintainers and… passengers) 4
  5. 5. Cyber Space calling, Cyber Security knocking Cyber Security: protection of Cyber Space. But what is Cyber Space? Yesterday: many different environments, side-by-side Today: one single, big environment Consequences: Dynamic Threat Landscape in unique Cyber Domain Strategic & Tactical Cyber War Military Terrorism Politics Espionage Intellectual Property Organized Crime $ Vandalism & Hacktivism Ego, Curiosity Stuxnet, Operation Aurora, Botnets Zeus, Flame, Mandiant APT1 Report, AET attacks, Botnets, Phishing email DDoS attacks, Wikileaks, Anonymous 5
  6. 6. Mature Cyber Security Process 1 Discovery & Assessment • • • 2 HW/SW Review & Redesign • • • 3 Identify key risks Identify key assets Identify gaps Countermeasure rationalization Security Infrastructure Assessment Fill technology gaps Intelligence & Analytics • • • Monitoring & Management Improvement Big Data Security Analytics Real-time Intelligence feeds 3 Phase Approach 6
  7. 7. ICT Security Activities and Governance: Best Practices Incident Management Event Identification Countermeasures Effort 7
  8. 8. ICT Security Activities and Governance: real life Reactive countermeasures Reaction WTF is Detection … and guess what? … and Monitoring… Monitoring… Prevention going on??? (not excluding Forensics) Proactive countermeasures 8
  9. 9. Cyber Security: taking advantage of IT Building on top of Information Technology infrastructures, means that you get both its weaknesses, true, but its strenghts as well… … putting it the other way round: if a system is not secure by design – and they are not –, it will leave plenty of traces for you to follow! Leaving trace-routes behind 9
  10. 10. Strategy: enhance monitoring and correlate Content Filtering Virtual Patching AAA Firewalling IDS/IPS So many eyes… giving a very broad view (say, at 365°degrees… to stay safe)… OK… ° But where to look for? And for what? And who? 10
  11. 11. Perimeter Defence - Firewall shortcoming Signalling Plant_2 Signalling Plant_1 Signalling Plant_N ….. Firewall Module Firewall Module Firewall Module WAN Policy Installation Logs Traffic Firewall Module Management Console External Systems expected results from logs Solution: adding IPS/IDS and Log Correlation 11
  12. 12. Content Filtering: the do’s and the dont’s Operating system is static, meaning that you can’t change it too often (good…), but that you won’t be able to patch (at all) either, which is NO GOOD! Dirty Traffic Virtual Patcher Clean Traffic Clean Traffic Threats Treatment Analysis: find critical vulnerabilities directly exposed to possible attacks Remediation: identify (& block) specific packets for the above vulnerabilities Solution: adding Virtual Patching 12
  13. 13. Near Realtime Asset Control • not a performance- or availability-driven tool, though it may help • based on static asset database loaded offline at project time Repeat as needed • perform differential discovery onsite for database tuning • acknowledge variations that should be allowed • what is left, deal with: either a missing sheep, or a mismatched one, or… go, bark, there’s a wolf! Clean Traffic Clean Traffic GUI Monitoring subnet WAN Know your flock, and beware of wolves! Barkin’, at the very least 13
  14. 14. The russian peasant of SIEMs at work: fast and light Events Console Message Correlation Minimize False Positives Realtime response (no archiving) Novelty detection for scheme-in-the-chaos Correlation Engine Log Files Sensor_1 Sensor_2 … Sensor_n Log Correlation 14
  15. 15. The 11th hour (a.m.?) Do we simply wait for vulnerabilities to become actual threats or Can we advance from here, and provide for new services? Cyber Security = Defense line 15

×