Critical infrastructures are common targets for cyber-and-physical attacks. Smart grids, water transport systems, railways and motorways witness an increase of malware and attacks, partially due to the IT/OT convergence. Usually, critical infrastructures are composed of legacy software or hardware that cannot be easily patched or upgraded, which facilitates the work of attackers by exposing vulnerabilities solved in IT decades ago. Moreover, it is usually impossible to have a test system for such infrastructures on which the impact of a security countermeasure can be evaluated. In fact, in OT systems availability is of the utmost importance, so adding a security countermeasure has to be carefully evaluated so as not to hinder that property. To overcome these shortcomings, digital twins are used. This talk presents how digital twins specifically devised for cybersecurity are used to evaluate threats to cyber-and-physical systems in an industrial environment. In particular, it shows how a digital twin is systematically derived from the architectural representation of a real-world industrial system (the "collaborative intelligent transport system") and how security measures are evaluated with a specific architectural view.
Securing Critical Infrastructures with a cybersecurity digital twin
1. OCCASION OF USE
DATE IN DD/MM/YY
Securing Critical
Infrastructures with a
Cybersecurity Digital Twin
Massimiliano Masi - <mmasi@autostrade.it>
IEEE CBI 2023, Prague
22/06/2023
PROPOSED AGENDA
1. What are critical infrastructures
   A. The definitions – and the legal context
   B. Examples: the Intelligent Transport Systems
2. The problem: OT Security
   A. Difference between IT/OT Security
3. The use of EA
   A. A digital twin for cybersecurity: the cybersecurity view
   B. A systematic creation of the DT starting from the RAMI 4.0
4. A couple of real use cases: a Road Tunnel and C-ITS
Critical Infrastructures seen from the law
Directive 2008/114/EC defines:
"'critical infrastructure' means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions;"
Examples are (they all have an EA):
• Healthcare facilities, and their IT infrastructure
• The entire financial sector
• Energy, from transmission to distribution
• Transportation: road, maritime, aviation, and water supply
Critical Infrastructures
Critical Infrastructures: a Computer Science perspective
Usually, critical infrastructures use hardware and software components specifically devised for their operations.
In Healthcare
• Medical equipment under the Medical Device Regulation
• Picture Archiving and Communication Systems (PACS)
In Energy Supply
• Programmable Logic Controllers (PLC) to monitor and actuate energy management
• Intelligent Electronic Devices (IED) enabling use cases such as the Virtual Power Plant
Critical Infrastructures
Critical Infrastructures: Cyber-and-Physical Systems
A virtual power plant, a water management facility, or a truck platooning system are examples of remote-controlled cyber-and-physical systems.
A control room usually sends commands to actuate the controlled devices, which modify the physical world, and receives information from sensors that observe the real world.
In Road Transportation
• A red light might affect the traffic regulations
In Energy Supply
• Sensors may return values from a PV plant that software uses to decide the day-ahead electricity consumption
Critical Infrastructures
Critical Infrastructures: Cyber-and-Physical Attacks
Critical Infrastructures
Cybersecurity attacks may originate in the digital infrastructure and impact the digital infrastructure itself, or even the physical world.
And VICE VERSA.
Critical Infrastructures: Cyber-and-Physical Systems
When an attack is performed against a Critical Infrastructure it may affect our lives.
• Trains might not be circulating (economic loss)
• Hospitals are not able to treat patients (potential casualties)
• Water can be poisoned (potential casualties)
• Fuel might not be available (unavailability of vehicles)
• Goods might not be circulating (economic loss, and eventual casualties)
Think of the availability of critical infrastructures in case of disasters (natural, human, or war)
Campi Flegrei
• A volcano is sleeping under a population of millions of inhabitants
Critical Infrastructures
Critical Infrastructures: Cyber-and-Physical Systems
Critical Infrastructure Protection (CIP) is in most cases the mastering of many interdependent subsystems composed of Industrial Automation and Control Systems (IACS, introducing the IEC 62443-x-y jargon)
• According to the EU JRC, IACS are complex systems composed of all the components (PLCs, SCADA, HMI, data loggers) that are integrated into critical infrastructures and industrial production environments.
Threats, countermeasures and risk analyses are different from those in IT cybersecurity
Testing Business Continuity Plans is impossible: there is no test tunnel, substation, or water pipe!
Critical Infrastructures
Critical Infrastructures: Cyber-and-Physical Systems
Critical Infrastructures
Critical Infrastructures: interconnected
Systems are all interconnected: unavailability of the power grid may interrupt traffic, as tunnels shall be closed after 1 hour without power, which may create congestion in a smart city, and patients can't be hospitalised…
This is at European level!
Reasons for such cascading effects?
Critical Infrastructures
Critical Infrastructures: We need EA!
Critical Infrastructures
Critical Infrastructures are complex systems of systems
• All interconnected, with different data domains
• No test infrastructures; usually the system is tailored to the specific use case
• (Luckily) CI owners are required to test business continuity and incident response plans.
• Physical attacks that can influence the digital world, and vice versa, also need to be included.
How to solve this?
The Problem
Securing OT systems is different from typical IT
• Availability over Integrity and Confidentiality
• The phases: (rare) Security by Design, Securing Legacy, and Attack Simulations
• Systems are there to stay: they expose vulnerabilities solved in IT decades ago
• PLCs are different from computers: their programming languages do not have the modern protections (buffer overflows are normal)
• The traffic on the communication network should be exactly the one expected by the devices. Pings of Death are possible
• Attackers can be APTs, or disgruntled employees skilled in the functioning of the IACS
Typical Countermeasures
• Network segregation and segmentation, DMZ; no ZTNA as of today
• The attacker is Dolev-Yao, omnipotent
• And many other myths: https://gca.isa.org/blog/common-ics-cybersecurity-myths-lessons-learned
OT (and I-IoT) Security
THE CONTEXT
THE ROLE OF A MOTORWAY OPERATOR
Road operators are considered critical infrastructures in some countries.
• Service disruptions impact other critical infrastructures [ENISA]
• Service is delivered through IT/OT/IoT infrastructure: Variable Message Signs, C-ITS, red lights. Such data is used for Traffic Management Plans
• Road operators are interconnected indirectly through National Access Points and directly to exchange Real Time Traffic Information (RTTI) and Safety Related Traffic Information (SRTI)
• It is also a typical company, with IT systems: endpoints, ERP, social networking
PECULIARITIES
• Usually operates optic fiber-based network equipment, geographically distributed
• Energy supply, diesel engines, radio equipment, charging stations
IMPACTS
• Network congestion could put pressure on other adjacent infrastructures (hospitals, smart cities, goods delivery), and cause vehicle crashes
• Malfunctioning of road tunnel IoT/OT equipment can cause injuries and deaths
[ENISA] Good Practices on Interdependencies between OES and DSPs, Nov. 2018
THE CONTEXT
DATA FROM DIFFERENT SECURITY DOMAINS
Typical data journey
• Read from a sensor on the road (IoT). Data is semantically and syntactically different (e.g., CCTV, LoRaWAN).
• Sensors and actuators in tunnels. Data is exchanged using OT protocols from IoT devices, actuating tunnel pumps in case of fire.
• Data arrives in a data center or in a cloud VPC. Risks related to the cloud have to be considered.
• Data is processed in a Traffic Control Center: Traffic Management Plans, SRTI, RTTI, sending Hazardous Location Notifications.
• C-ITS data arrives at 10 Hz per vehicle over a public network (DSRC).
According to IEC 62443, these may have different Security Level Targets (SL-T)
• This means different countermeasures on integrity and confidentiality
• How to trust data from C-ITS? The security policy only requires an "ISO 27001 certification"
THE CONTEXT
RAMI, 27001, 62443
Use of IEC 62443
• Mapping all the abstract architectural assets to the RAMI 4.0 framework
• Use the Business and Functional layers as the target for the high-level risk analysis
• Use the Communication layer as a hint for zones and conduits
• Use the Integration and Asset layers to select the items for the low-level risk analysis
• Perform security testing
The 27001 protection rings
• Multi-compliance: security zones share 27001 and 62443 requirements
• Use of the NIST Cybersecurity Framework as a mapping tool
• IEC 62443-2-1 and the related TR should be updated
Many definitions and many publications
• In this context we adopt the definition from Grieves, Manufacturing Excellence Through Virtual Factory Replication (2015)
• We consider a virtual description of a physical product that is accurate at both the micro- and macro-level.
• Digital twins exhibit fidelity, a high number of parameters transferred between the physical and the virtual entity, high accuracy and a satisfying level of abstraction.
• In the past, physical models have been widely used in engineering and architecture to help the design and facilitate physical testing of buildings, plants, machines and systems.
• A digital twin can be either inline, where an actuation on the twin has an immediate effect on the system, or asynchronous, where an actuation on the twin is applied to the system at a second stage
DIGITAL TWIN
Many definitions and many publications
• Other meanings are digital shadows, when not communicating or interacting with their physical counterpart, or models
• The use of a Digital Twin in cybersecurity is not new. Publications and PoCs exist that demonstrate its usage for Security Operations Centres
DIGITAL TWIN
We are using a methodology that systematically obtains the description of the IACS from its Reference Architecture and builds its digital twin. On that twin, we evaluate countermeasures and test Business Continuity Plans.
Results are then, asynchronously, implemented site by site
It is divided into 3 steps
• It leverages the concepts of Reference Architecture and Solution Architecture to produce the architecture models needed to design the cybersecurity Digital Twin
• It starts with a model, or by mapping the system into a Reference Architecture.
• We introduce a cybersecurity view with the following viewpoint:
  • Overview: enabling the assessment of BCPs and the security posture of IACS
  • Concerns: decrease the cyber-threat risk to acceptable levels
  • Anti-Concerns: ROI Analysis
  • Typical Stakeholders: business decision makers and cybersecurity experts
  • Model Kind
The 3 steps:
• Choose a Reference Architecture Framework
• Translate the View into a Digital Twin
• Identify Attack Scenarios
The Methodology
Generating a Cybersecurity View
• Choose an Architecture Framework (e.g., RAMI 4.0, SGAM, TOGAF). It is worth noting that the methodology is parametric in the framework, as long as a mapping exists
• For legacy systems, a mapping is required from the system to the EA conceptual space
• The mapping may be guided by existing frameworks, such as the NIST CSF for CIP.
• Once the system is in the conceptual space, the view is created by selecting the architectural elements to be protected, driven by Business Impact Analyses, Risk Analysis and regulations
Step 1
Deriving the Cybersecurity Digital Twin
• The elements of the EA conceptual space selected in the Cybersecurity View are translated into the Meta Attack Language (MAL)
Step 2
Security simulations and countermeasure identification
• Once the system is represented in MAL, securiCAD has been used to perform simulations
• Simulations are performed using a twin concept, which includes specific threats related to the IACS (e.g., water poisoning, or tunnel light system availability)
• Simulations also enable reasoning on the Tactics, Techniques, and Procedures from the MITRE ATT&CK matrix for ICS
Step 3
Target for (cyber)terrorist attacks
• By nature, a tunnel connects two sites physically separated by geographic obstacles (mountains, rivers, sea)
• Hence a malfunctioning tunnel leads to economic loss and pressure on other infrastructures lying on both sides of the entrance.
• Road Authorities are required to perform risk analyses and business continuity plans
Road Tunnels
Building a reference architecture of the road tunnel and generating a Cybersecurity View
• The system under analysis already exists, and no EA conceptual models are available
• We mapped all the components of a single tunnel (around 200) into RAMI 4.0 to create the EA space
• The cybersecurity mappings have been performed following the NIST CSF CIP v1.1:
  • ID.AM-3 (data flows are mapped) -> all the traffic from all the switches has been sniffed and the entire network map has been created. Results are elements in the RAMI 4.0 Communication layer
  • ID.AM-2 (software platforms and applications within the organization are inventoried) -> results are elements in the RAMI 4.0 Asset layer
Phase 1
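As an added example (not code from the talk or from the author's project), the following Python shows the step the two slides above describe: taking an asset inventory (ID.AM-2, RAMI 4.0 Asset layer) and the flows observed at the switches (ID.AM-3, RAMI 4.0 Communication layer), deriving the IEC 62443 conduits between zones, and flagging conduits that enter a zone with a higher Security Level Target than the zone they come from. All asset names, zones, SL-T values and flow records are constructed for illustration.

```python
"""Deriving IEC 62443 zones and conduits from observed data flows and
checking them against each zone's Security Level Target (SL-T).

Added example: not code from the talk or from the author's project. The
asset inventory (RAMI 4.0 Asset layer, NIST CSF ID.AM-2), the zone SL-T
values and the flow records (NIST CSF ID.AM-3, RAMI 4.0 Communication
layer) are all constructed for illustration.
"""
from collections import defaultdict

# Constructed asset inventory: asset -> IEC 62443 zone it belongs to.
ASSET_ZONE = {
    "plc-pump-01": "tunnel-ot",
    "plc-light-01": "tunnel-ot",
    "scada-srv": "control-center",
    "hmi-01": "control-center",
    "historian": "dmz",
    "maint-laptop": "enterprise",
    "erp-srv": "enterprise",
}

# Constructed Security Level Target per zone (IEC 62443 scale SL 1..4).
ZONE_SLT = {"tunnel-ot": 3, "control-center": 3, "dmz": 2, "enterprise": 1}

# Constructed flow records (source, destination, protocol), as a passive
# capture at the tunnel switches would yield.
FLOWS = [
    ("scada-srv", "plc-pump-01", "modbus/tcp"),
    ("scada-srv", "plc-light-01", "modbus/tcp"),
    ("hmi-01", "scada-srv", "opc-ua"),              # intra-zone, not a conduit
    ("scada-srv", "historian", "opc-ua"),
    ("erp-srv", "historian", "https"),
    ("maint-laptop", "plc-pump-01", "modbus/tcp"),  # enterprise straight into OT
]


def derive_conduits(flows, asset_zone):
    """Group every inter-zone flow into a conduit keyed by
    (source zone, destination zone), listing the protocols seen on it.
    Flows whose endpoints share a zone are not conduits and are skipped."""
    conduits = defaultdict(set)
    for src, dst, proto in flows:
        zone_src, zone_dst = asset_zone[src], asset_zone[dst]
        if zone_src != zone_dst:
            conduits[(zone_src, zone_dst)].add(proto)
    return {pair: sorted(protos) for pair, protos in conduits.items()}


def slt_gaps(conduits, zone_slt):
    """Conduits entering a zone whose SL-T is higher than the origin zone's
    must carry countermeasures that make up the difference. Return those
    conduits with the number of SL levels they have to bridge."""
    return {
        (zone_src, zone_dst): zone_slt[zone_dst] - zone_slt[zone_src]
        for (zone_src, zone_dst) in conduits
        if zone_slt[zone_dst] > zone_slt[zone_src]
    }


def flows_on_conduit(flows, asset_zone, zone_src, zone_dst):
    """Return the individual flows that make up one conduit, so the
    low-level risk analysis can look at the actual assets involved."""
    return [f for f in flows
            if asset_zone[f[0]] == zone_src and asset_zone[f[1]] == zone_dst]


if __name__ == "__main__":
    conduits = derive_conduits(FLOWS, ASSET_ZONE)
    for pair, protos in sorted(conduits.items()):
        print(f"conduit {pair[0]} -> {pair[1]}: {', '.join(protos)}")
    for pair, delta in sorted(slt_gaps(conduits, ZONE_SLT).items()):
        print(f"SL-T gap of {delta} on {pair[0]} -> {pair[1]}:",
              flows_on_conduit(FLOWS, ASSET_ZONE, *pair))
```

On the constructed data the enterprise-to-OT conduit carrying Modbus/TCP from the maintainer laptop stands out with a two-level SL-T gap, which is exactly the kind of item the Communication layer is meant to surface for the zone-and-conduit design and the subsequent low-level risk analysis.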
Phase 2: deriving the cybersecurity digital twin
From: Massimiliano Masi, Giovanni Paolo Sellitto, Helder Aranha, Tanja Pavleska:
Securing critical infrastructures with a cybersecurity digital twin. Softw. Syst. Model. 22(2): 689-707 (2023)
Phase 3: Simulations
• Excerpt from the digital twin
• Two attack scenarios:
  • SCADA compromised by a credential leak without MFA
  • Maintainer laptop with Industroyer
• Segregation at firewall level is easy, but what is the impact?
  • Costs, maintenance: unfeasible
• Air gapping solutions?
  • Other techniques bypassing the air gap exist: unfeasible
• Adding an Intrusion Detection System near the SCADA?
  • Would not hinder availability
  • Detection procedures and automations shall be in place
• With MAL and securiCAD we have been able to show the effects and the cost-effectiveness analysis to management
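As an added example (not code from the talk, from MAL, or from securiCAD), the following Python reproduces the kind of reasoning the slide above describes on a miniature attack graph: the two scenarios become two entry points, countermeasures either block steps (MFA, segmentation) or only monitor them (IDS), and each combination is scored on attacker effort to reach the target, detectability, cost and availability impact. The step names, effort values in days, costs and the availability-risk flags are all constructed.

```python
"""Scoring countermeasures on a cybersecurity digital twin with a small
attack graph: minimum attacker effort over OR/AND attack steps, with
defenses that either block or monitor steps (the kind of reasoning a MAL
model run in securiCAD supports).

Added example: not code from the talk, from MAL or from securiCAD. The
attack steps, effort values (days), countermeasure costs and the two entry
points are constructed to mirror the two tunnel scenarios (SCADA credential
leak without MFA; maintainer laptop carrying Industroyer).
"""
import itertools
import math

# Constructed attack graph: step -> (kind, effort in days, parent steps).
# Steps without parents are attacker entry points. An OR step is reached
# through any parent, an AND step only once all parents are reached.
STEPS = {
    "internet.credentialLeak":  ("or", 0, []),
    "maintLaptop.infected":     ("or", 0, []),
    "scada.remoteLogin":        ("or", 1, ["internet.credentialLeak"]),
    "otNetwork.access":         ("or", 2, ["maintLaptop.infected"]),
    "scada.compromise":         ("or", 3, ["scada.remoteLogin", "otNetwork.access"]),
    "plc.maliciousCommand":     ("or", 2, ["scada.compromise", "otNetwork.access"]),
    "tunnel.lightsUnavailable": ("or", 1, ["plc.maliciousCommand"]),
    "plc.persistence":          ("and", 5, ["plc.maliciousCommand", "otNetwork.access"]),
}
TARGET = "tunnel.lightsUnavailable"

# Constructed countermeasures: steps they block or monitor, a relative cost,
# and whether deploying them puts OT availability at risk.
COUNTERMEASURES = {
    "mfa":          {"blocks": {"scada.remoteLogin"}, "monitors": set(),
                     "cost": 10, "availability_risk": False},
    "segmentation": {"blocks": {"otNetwork.access"}, "monitors": set(),
                     "cost": 80, "availability_risk": True},
    "ids":          {"blocks": set(),
                     "monitors": {"otNetwork.access", "scada.compromise"},
                     "cost": 30, "availability_risk": False},
}


def time_to_compromise(steps, blocked=frozenset()):
    """Minimum effort (days) to reach each step, math.inf if unreachable.
    OR steps take the cheapest parent, AND steps the slowest one; blocked
    steps are never reached. Fixed-point iteration terminates because the
    graph is acyclic and values only decrease."""
    ttc = {s: math.inf for s in steps}
    for s, (_, _, parents) in steps.items():
        if not parents and s not in blocked:
            ttc[s] = 0.0
    changed = True
    while changed:
        changed = False
        for s, (kind, effort, parents) in steps.items():
            if not parents or s in blocked:
                continue
            reached = [ttc[p] for p in parents]
            cand = (min(reached) if kind == "or" else max(reached)) + effort
            if cand < ttc[s]:
                ttc[s], changed = cand, True
    return ttc


def attack_path(steps, ttc, target):
    """Set of steps on the attacker's cheapest route to target
    (empty if target is unreachable)."""
    if math.isinf(ttc[target]):
        return set()
    path, todo = set(), [target]
    while todo:
        s = todo.pop()
        if s in path:
            continue
        path.add(s)
        kind, _, parents = steps[s]
        if not parents:
            continue
        # an OR step is entered from its cheapest parent, an AND step from all
        todo.extend([min(parents, key=ttc.get)] if kind == "or" else parents)
    return path


def evaluate(selected, steps=STEPS, cms=COUNTERMEASURES, target=TARGET):
    """Score a set of countermeasure names: effort needed to reach the
    target, whether the cheapest remaining route crosses a monitored step,
    total cost, and whether any chosen measure risks OT availability."""
    blocked = set().union(*(cms[c]["blocks"] for c in selected))
    monitored = set().union(*(cms[c]["monitors"] for c in selected))
    ttc = time_to_compromise(steps, frozenset(blocked))
    route = attack_path(steps, ttc, target)
    return {"ttc_days": ttc[target],
            "detected": bool(route & monitored),
            "cost": sum(cms[c]["cost"] for c in selected),
            "availability_risk": any(cms[c]["availability_risk"] for c in selected)}


if __name__ == "__main__":
    names = sorted(COUNTERMEASURES)
    for n in range(len(names) + 1):
        for combo in itertools.combinations(names, n):
            print(f"{'+'.join(combo) or 'baseline':<24}", evaluate(set(combo)))
```

Running it shows the management-level point of the slide: on this constructed graph MFA alone does not change the attacker's effort at all, because the maintainer-laptop route remains the cheapest; segmentation raises the effort but carries the availability risk; the IDS changes nothing about effort yet puts a monitored step on every remaining route, which is only worth something if the detection procedures and automations behind it exist.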
Countermeasures have been implemented
• The results obtained from the simulations have been implemented in tunnels
• Business Continuity Plans are created, designed, and simulated for their safety before changing the traffic regulations (BCP tests can't be performed with live traffic)
• The model is used for continuous improvement: when new attack techniques or scenarios arise, we perform detailed simulations. Other products exist, but here the model is systematically created from the system
After the Simulations
CONCLUSIONS
Complexity of Critical Infrastructure Protection
What we have seen
A methodology to use MAL as a model representing the CI
Simulations over a road tunnel