Critical Infrastructure
Protection in Europe
Ignacio Paredes (@iparedes)
Industrial Cybersecurity Center
www.cci-es.org
Industrial Cybersecurity and Critical Infrastructure Protection in Europe
Published in: Technology, Business

  1. Critical Infrastructure Protection in Europe. Ignacio Paredes (@iparedes), Industrial Cybersecurity Center, www.cci-es.org
  2. Nacho Paredes. I am…
     • Head of studies and research at Industrial Cybersecurity Center
     • ENISA expert in Information Security and CIIP
     • M.S. in computer science
     • >15 years in cybersecurity and IT consultancy
     • Expert in the design and deployment of cybersecurity technical and administrative solutions, including application security, secure network design, critical infrastructure protection, ethical hacking or business continuity
     • GICSP, CISSP, CISM, CISA, CEH, PMP, GSNA, GAWN, BS7799 Lead Auditor
     e-mail: ignacio.paredes@cci-es.org | Twitter: @iparedes, @info_cci | Blog: http://blog.cci-es.org | Web: http://www.cci-es.org | Tel: +34 647723708
  3. [Image slide, no text]
  4. [Image slide, no text]
  5. Cyber Security? [Diagram labels: Industrial Safety, Physical Security, Environmental Safety, SECURITY]
  6. Plant vs IT vs Security. Plant / IT conflict:
     – “Watertight” environments. “Don’t get into my lot, and I won’t get into yours”
     – No attention is paid to the communication interfaces between both worlds
     – Connection interfaces are no man’s land and, many times, unknown (the other WWW… Wild Wild West)
  7. Physical & Cyber Worlds Convergence
     • Consequences: Intangible
       – Web portal unavailable
       – No email
     • Consequences: Tangible, Concrete
       – Production losses
       – Environmental damages
       – Public health
       – Lower company valuation
  8. [Image slide, no text]
  9. IT in the Industrial World
     • Industrial devices have inherited all problems from IT
     • Industrial Control Systems are NOT isolated anymore. They have moved from using dedicated serial lines to Ethernet or WiFi
     • Most industrial protocols now run over TCP/IP
     • Industrial Control Systems use general-purpose operating systems
  10. IT vs OT

      | Information Technology | Operations Technology |
      |---|---|
      | Component lifetime: 3-5 years | Component lifetime: 10-20 years |
      | Maturity and knowledge on cybersecurity | First steps on cybersecurity. Lack of awareness |
      | Standard methodologies and architectures | Legacy systems |
      | Loss of data | Loss of life |
      | Recover by reboot | Fault tolerance essential |
      | High throughput demanded. High delay accepted | Modest throughput acceptable. High delay serious concern |
      | Straightforward upgrades and automated changes | Patching is a pain. Changes only through vendors |

  11. IT vs OT

      | Cybersecurity Dimensions in IT | Cybersecurity Dimensions in OT |
      |---|---|
      | Confidentiality 50% | Availability 60% |
      | Integrity 30% | Integrity 35% |
      | Availability 20% | Confidentiality 5% |

  12. ICS Vulnerability Disclosure Evolution. [Chart: number of ICS-CERT disclosures (Alerts + Advisories) per year, 2010 to 2013. Source: https://ics-cert.us-cert.gov/ics-archive]
  13. Aramco Cyber Attack
      • Biggest oil producer in the world
      • > 50,000 employees
      • Revenue > US$ 300 billion
      • In August 2012 it had a cybersecurity incident
      • Computers directly tied to oil production were compromised (Shamoon virus)
      • 30,000 workstations were affected
      • The company took one week to restore services
      • After the incident Aramco tightened its security policies
      • Not only on the corporate side, but also in the industrial systems
  14. Stuxnet
  15. Project Basecamp. SCADA Security Scientific Symposium (S4)
  16. Shodan (www.shodanhq.com)
      • Internet search engine that indexes the responses of internet-connected services (FTP, SSH, Telnet, HTTP, HTTPS, SNMP, UPnP, SMB…)
      • Provides access to millions of Internet-connected devices
  17. [Image slide, no text]
  18. [Image slide, no text]
  19. [Image slide, no text]
  20. [Image slide, no text]
  21. [Image slide, no text]
  22. Project SHINE (SHodan INtelligence Extraction)
      • Internet-facing industrial systems: +2.000.000
      • Located in United States: 30%
      • ISP’s dynamic addresses: 80%
  23. Regulation Timeline in US & EU [Timeline figure, 1995 to 2014]
      • COM(2004) 702: Critical Infrastructure Protection in the fight against terrorism
      • COM(2005) 576: Green paper on a European programme for critical infrastructure protection
      • COM(2006) 768: EPCIP (European Programme for Critical Infrastructure Protection)
      • COM(2009) 149: CIP: Protecting Europe from large scale cyber-attacks and disruptions: enhancing
      • COM(2011) 163: CIP: Achievements and next steps: towards global cyber-security
  24. Critical Infrastructure Protection
      • Government guided process
        – Identification (mostly secret)
        – Prioritization (different levels of criticality)
        – Protection (countermeasures deployment)
      • The question is: Who is gonna pay for this?
  25. Critical Infrastructure Protection
      • Industry pressure against regulation
      • Leads to: Minimum Requirements
      • Implementation towards compliance
        – Infrastructure protection into the background
        – False sense of protection
  26. [Image slide, no text]
  27. CI Interdependencies
  28. The Smart Grid
  29. The Smart Grid
      • The CI that lies beneath
      • Focus of many CIP initiatives
      • Smart grid means
        – Efficiency
        – Resiliency
        – Integration of technologies
        – User Interaction
        – Prosumers
        – New services
        – Electric Vehicles
      • Very tight interconnection
  30. The Smart Grid
      • Security is paramount
      • And brings an additional component
  31. Who’s got the interest?
  32. Who?
  33. Who?
      • The US National Security Agency is one of the most prolific tool makers for APTing.
      • Its ANT (Access Network Technology) division has compromised the security architecture of every major player in the IT industry.
      • Multiple secret backdoors allow the NSA to compromise virtually every organization in the world.
      • Software and hardware tools.
      • Attacks against protocols, operating systems, electromagnetic spectrum…
  34. Who?
      • Political, strategic, and financial interests are involved in decisions made by governments and corporations
      • PLA Unit 61398
      • AKA People’s Liberation Army Persistent Threat Unit
  35. There are more than we can see
  36. Hacktivism
  37. Kyle Wilhoit (Trend Micro)
      • High interaction honeypot
      • Emulating a water treatment plant
      • Just recording
      • Targeted attacks
      • With the intention of modification or destruction
  38. …stalking
  39. [Diagram labels: TIC, Society, ICT, Industrial, Industrial Orgs., Critical Infrastructures, Consultancies, Integrators, Engineering, EPC, ICT & Cybersecurity Vendors, Industrial Vendors, Services & Products, CIP & IC, Government, Requirements & Regulations]
  40. “C3R: Collaboration, Coordination and Commitment based Relationships” [Diagram labels: R, Collaboration, Coordination, Commitment]
  41. Thank you very much. Ignacio Paredes - @iparedes - ignacio.paredes@cci-es.org
