“Securing the Critical Infrastructure Networks Effectively” - Is OT the Weakest Link in Securing the Critical Infrastructure?
Cyber attacks have consistently ranked among the top threats faced by businesses. Cyber Security is a subject that has now reached boardroom agendas. There have been proposals to link Cyber Security to CEO performance and pay. The point only underlines the critical nature and importance of Cyber Security to businesses.
In an OT environment, the threat is amplified much more because it can have ramifications that impact human lives and their safety.
AGENDA
CYBER THREAT LANDSCAPE - Changing Face of Friend or Foe
CHALLENGES FOR INDUSTRY - Where do we go today?
BACKGROUND & HISTORY - Definition, NIST Core Guide, Best Practices, CISA 2015
CISA : SHARING PROS AND CONS - To share or not to share?
CONCLUSION - Are we there yet?
CYBER THREAT LANDSCAPE
AGILITY - Highly technical players leverage new vulnerabilities within hours. Black market for tools and zero-day exploits. Vendors always in catch-up mode.
EVOLUTION - Rapid code sharing and an active community generate variants in multiples. No longer rocket science or requiring large funding, hardware or exceptional talent.
SLA - Service Level Agreements are based on predictable behavior. Need to learn to love the unpredictable and unexpected.
DIVERSITY - Modern-day exploits are so varied and diverse that old risk models are inadequate. Simple ISO 27001 compliance provides no guarantees for security.
DIGITAL FRAUD - On an epidemic scale, with yearly estimated losses in the billions. Well coordinated and often team- or gang-based across global geographies.
STATE SPONSORED - Highly productive and well-funded teams. Links to military and government. Often done by known adversaries or allies, e.g. US elections 2016: Fancy Bear, Cozy Bear.
CHALLENGES FOR INDUSTRY
INTERNAL SKILLS DEFICIT - Lack of specialized resources for CTI. Unable to leverage expensive tools fully. Understaffed NOC/SOC for 24/7 diligence.
DATA OVERLOAD - Immense volumes of data available from CTI sources, vendors, public/private sharing platforms and international CERTs. Resources drowning in data without a reprieve.
VENDOR SOLUTIONS - Difficult to identify the correct CTI vendor solution in a crowded market. Vendors need to be constantly providing the latest relevant CTI feeds. Room for patch latency and being behind the curve.
MANAGEMENT SUPPORT - Hard climb to get top-level management support for sharing CTI, especially with outside agencies and teams.
POLICIES & PROCEDURES - Develop using a risk-based approach. Work with business owners to classify data criticality. Bake in BCP and DR plans and drill schedules.
COMMUNICATION CHANNEL - Need to build effective information exchange channels between CTI teams and internal business function owners.
DEFINITION
GUIDE TO CYBER THREAT INFORMATION SHARING (NIST SP 800-150)
“Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Examples of cyber threat information include indicators (system artifacts or observables associated with an attack), TTPs, security alerts, threat intelligence reports, and recommended security tool configurations. Most organizations already produce multiple types of cyber threat information that are available to share internally as part of their information technology and security operations efforts.”
BEST PRACTICES : INFORMATION SHARING (NIST)
INVENTORY - Perform an inventory to catalog existing information an organization possesses and perhaps is still yet to produce. The inventory should document the circumstances in which the information could be shared.
EXCHANGE - Exchange CTI, tools and techniques with sharing partners. When sharing CTI, organizations learn from each other; gain a more complete understanding of adversaries' tactics, techniques and procedures; craft effective strategies to protect systems; and take action, either independently or collectively, to address known threats.
OPEN STANDARDS - Use open, standard data formats and transport protocols for efficient and effective exchange of CTI. This fosters interoperability and allows different products, data repositories and tools to rapidly exchange data.
PARTNER - Enhance cyber security posture and maturity by augmenting local data collection, analysis and management processes using information from outside sources. This helps organizations develop a deeper understanding of activities on their networks, identify cyber attack campaigns and better detect blended threats that use multiple methods of attack.
BEST PRACTICES : INFORMATION SHARING (NIST)
ADAPTIVE - Define a Cyber Security approach adaptive to the lifecycle of an attack by developing defensive measures that detect, limit or prevent reconnaissance and delivery of malicious payloads. The approach should mitigate the execution of exploits that allow an adversary to establish or maintain a persistent network
RESOURCES - Ensure the resources required for continuing participation in a sharing community are available. Participation might require an organization to commit personnel; deliver training; and provide hardware, software, services and other infrastructure needed to support continuing data collection, storage, analysis and dissemination.
AWARENESS - Maintain continuing awareness of information security, vulnerabilities and threats. Organizations should implement security controls to protect their sensitive information, enforce sharing rules and ensure that information received from external sources is protected in accordance with data sharing agreements.
INFRASTRUCTURE - Establish the infrastructure necessary to maintain cyber security posture and identify the roles and responsibilities for installing, operating and maintaining these capabilities. Organizations should have basic asset, vulnerability and configuration management capabilities in place to monitor and manage the hardware and software on their networks for timely patching.
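The inventory, exchange and awareness practices above describe a concrete mechanism: catalogue what you hold, record the circumstances under which each item may be shared, enforce that rule when exporting to a partner, and protect what you receive under the partner's agreement. The following Python is an added example written for this page, not code from the deck or from NIST SP 800-150. It assumes a three-level sharing marking (internal, partners, public), a JSON feed layout and a log line format, all constructed for the example; the indicator values are documentation addresses and a dummy hash.

```python
# Added example (not from the slide deck or NIST SP 800-150): a toy CTI
# inventory that records the circumstances under which each indicator may be
# shared, enforces that rule on export to a partner, and matches consumed
# indicators against log lines. Feed layout, sharing labels, log format and
# all values are constructed for this example.
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Sharing levels, most restrictive first (assumed labels for this example;
# real programs use their own marking scheme).
SHARING_LEVELS = ("internal", "partners", "public")

# Validation patterns: a malformed or hostile feed entry is rejected rather
# than silently loaded into the inventory.
PATTERNS = {
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}


@dataclass(frozen=True)
class Indicator:
    kind: str      # key of PATTERNS
    value: str     # normalised (lower-cased, stripped) observable
    sharing: str   # one of SHARING_LEVELS: the widest audience allowed
    source: str    # organisation or feed that produced it


def consume_feed(feed_json: str, source: str) -> list[Indicator]:
    """Consume indicators from an external source (process-map step 3),
    keeping each entry's own sharing marking so that received data stays
    protected as the sharing agreement requires."""
    accepted = []
    for item in json.loads(feed_json):
        kind = item.get("type")
        value = str(item.get("value", "")).strip().lower()
        sharing = item.get("sharing", "internal")  # missing marking: most restrictive
        pattern = PATTERNS.get(kind)
        if pattern is None or not pattern.match(value) or sharing not in SHARING_LEVELS:
            continue  # drop malformed entries instead of trusting the feed
        accepted.append(Indicator(kind, value, sharing, source))
    return accepted


def export_for(inventory: list[Indicator], recipient_level: str) -> list[Indicator]:
    """Release only indicators whose marking permits the recipient
    (process-map steps 6 and 11). 'internal' is our own staff, 'partners' a
    sharing community member, 'public' anyone."""
    needed = SHARING_LEVELS.index(recipient_level)
    return [i for i in inventory if SHARING_LEVELS.index(i.sharing) >= needed]


def match_logs(inventory: list[Indicator], log_lines: list[str]) -> list[tuple[int, Indicator]]:
    """Use the indicators to support detection (process-map step 5):
    returns (line_number, indicator) for every token that matches."""
    wanted = {i.value: i for i in inventory}
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for token in re.findall(r"[A-Za-z0-9.\-]+", line):
            indicator = wanted.get(token.lower())
            if indicator is not None:
                hits.append((number, indicator))
    return hits


# Constructed sample feed from a hypothetical partner; addresses are
# documentation ranges, the hash is a dummy.
SAMPLE_FEED = json.dumps([
    {"type": "domain", "value": "Update-Portal.example", "sharing": "partners"},
    {"type": "ipv4", "value": "203.0.113.45", "sharing": "public"},
    {"type": "ipv4", "value": "999.1.1.1", "sharing": "public"},   # malformed: dropped
    {"type": "sha256", "value": "a" * 64, "sharing": "internal"},
])

# Constructed sample log lines.
SAMPLE_LOGS = [
    "2024-01-09T10:01:02Z proxy allow src=10.0.0.12 dst=update-portal.example:443",
    "2024-01-09T10:01:05Z proxy allow src=10.0.0.12 dst=www.example.org:443",
    "2024-01-09T10:02:11Z fw deny src=203.0.113.45 dst=10.0.0.5:22",
]


def build_inventory() -> list[Indicator]:
    """Merge the consumed partner feed with an indicator we produced ourselves
    (process-map step 4) and marked for internal use only."""
    own = Indicator("ipv4", "198.51.100.7", "internal", "own-soc")
    return consume_feed(SAMPLE_FEED, "partner-a") + [own]


if __name__ == "__main__":
    inventory = build_inventory()
    print("inventory:", [(i.kind, i.value, i.sharing, i.source) for i in inventory])
    print("export to partners:", [i.value for i in export_for(inventory, "partners")])
    print("export to public:", [i.value for i in export_for(inventory, "public")])
    for number, indicator in match_logs(inventory, SAMPLE_LOGS):
        print(f"line {number}: hit on {indicator.kind} {indicator.value} from {indicator.source}")
```

The design point is that the sharing marking travels with each indicator from the moment it is consumed, so an export to a partner can never leak an item the producer marked more restrictively, and a feed entry that fails validation is dropped rather than becoming a detection rule you did not review.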
INFORMATION SHARING : PROCESS MAP (NIST)
1. Establish core Cyber Security capabilities
2. Establish and participate in sharing and coordination activities
3. Consume basic threat Intel from external sources
4. Create basic threat Intel
5. Use basic threat intelligence to support decision making processes
6. Share basic threat Intel with external partners
7. Develop and deploy advanced Cyber Security capabilities
8. Consume advanced threat Intel from external sources
9. Create advanced threat Intel
10. Use advanced threat Intel to support decision making processes
11. Share advanced threat Intel with external partners
CISA : Cyber Security Information Sharing Act (December 18, 2015)
01 Establish - Establishes a process for the U.S. government to share cyber threat information with businesses that voluntarily agree to participate in the program.
02 Share - Encourages companies to share malicious code, suspected recon, vulnerabilities, anomalous activity, and identify signatures and techniques that could pose harm to an IT system.
03 Exemption - Provides an antitrust exemption for companies that share their threat data with other businesses.
04 Alerts - Allows government agencies to move more quickly to alert companies when they have been hacked.
05 CTI Hub - Designates the Department of Homeland Security (DHS) to act as the cyber threat information-sharing hub between government and business, and to set up automated systems.
06 Executive - Allows the president (after notifying Congress) to set up a second information sharing center, if needed.
CISA : SHARING PROS AND CONS
“He who controls the past controls the future. He who controls the present controls the past.” (1984, George Orwell)
VOLUNTARY PROGRAM TO JOIN
BI-PARTISAN
PROTECTION FROM LIABILITY, DISCLOSURE, ANTI-TRUST
COMPLEMENTARY TO EXECUTIVE ORDERS AND FRAMEWORK
CITIZENS' DATA PRIVACY CONCERNS
COMPROMISED GATEKEEPER ACCESS
REPUTATIONAL RISK AND RANSOMWARE
OPPOSED BY TECH - APPLE, TWITTER, GOOGLE, MS
LACK OF FEDERAL AGILITY AND FUNDING
INTER-DEPARTMENTAL SHARING - IRS, FBI, LOCAL POLICE
EXCUSES COMPANIES FROM LIABILITY IN VIOLATING PRIVACY LAWS
PROVIDES SAFEGUARDS FOR PRIVACY AND CIVIL LIBERTIES
CONCLUSION : CYBER THREAT INFORMATION IMPERATIVES
IT must have the ability to set expectations for service quality, availability and timeliness. High availability and data protection are integral for IT to set these expectations.
Build a strategy to stay current with CTI and push to improve infrastructure to support the vision. A stitch in time saves lives.
Aim for ease of acquiring, deploying and managing IT Cyber Security infrastructure, and of deploying IT workloads.
SERVICE DELIVERY - Maintain availability and customer satisfaction as always or better. CTI gathering should never impede the business model.
LONG TERM - Realise long-term cost savings by spending wisely now. Invest in staff training and in building out PEN and NOC skills and staffing.
SIMPLICITY - Use the KISS rule to ensure that you are not over-reaching expectations.