New Threat Trends in CII(Critical Information Infrastructure)

Contents
◼ Who am I?
◼ What is CII?
◼ What is Industry 4.0?
◼ New Risks of CII in Industry 4.0
◼ Conclusion & Summary

Who am I?
◼ Seungjoo (Gabriel) Kim (金昇柱)
◼ 1999. 02 : Ph.D on Cryptography @
Sungkyunkwan Univ.
◼ 1998.12~2004.02 : Team Manager @ KISA
(Korea Internet & Security Agency)
◼ 2004.03~2011.02 : Associate Professor @
Sungkyunkwan Univ.
◼ 2011.03~Now : Full Professor @ Department
of Cyber Defense, Korea Univ.

Who am I?
◼ 2011.03~Now : Co-Founder/Advisory Director
of a hacker group, HARU and an international
security & hacking conference, SECUINSIDE.

Department of Cyber Defense?
◼ Established in 2012
◼ 30 students / year
◼ Joint educational programs with Korea Army
(Cyber Command)
◼ Full Scholarship over Guaranteed Employment
◼ Upon graduation, they are to be commissioned as
second lieutenants and must serve in the military
for 7 years
◼ Accept top 1% of students in the national
college entrance exam (Korean SAT)

Department of Cyber Defense?
◼ In 2015 and 2018, our students from Dept. of
CYDF at Korea University won the TOP prize at
the DEFCON CTF for the first time in Asia!

Hacker Group, HARU?
◼ Founded in 2011
◼ Acronym of “HAckers’ Re-Union” or “HAckers
aRe Us”
◼ One of the biggest association of underground
hacking groups and communities in Korea
◼ 8+ Honorable Members :
◼ BLACK.PERL (www.bpsec.co.kr), CNSECURITY
(www.cnsec.co.kr), FlyHigh, GRAYHASH (BEISTLAB,
www.grayhash.com), Hackerschool
(www.hackerschool.org), iNET COP
(www.inetcop.net), NSHC (www.nshc.net), SEWORKS
(Wowhacker, www.seworks.co), etc.

Critical Information Infra.
◼ CII : Infrastructure that provides an essential
support for economic and social well-being,
for public safety and for the functioning of
key government responsibilities.
◼ However, the definition of critical
infrastructure varies from country to country
and is fluid, as the definition and list of
infrastructures deemed to be critical have
changed or matured over the time.

Critical Information Infra.
(Source: Munish Sharma, "Securing Critical Information Infrastructure: Global Perspectives and Practices", April 2017)

Industry 4.0
Mechanization, water power, steam power
Mass production, assembly line, electrical energy
Computer and further automation
Cyber Physical Systems

◼ The 4th industrial revolution (Industry 4.0) is
transforming the next generation of
manufacturing systems by making it smarter,
well-connected, self-organized, decentralized,
and flexible.
◼ To accelerate this transformation, industrial
sectors have planned to commit US$ 907
billion per annum to Industry 4.0.
Industry 4.0

(e.g.) Digital Twin
Digital twin is a S/W representations of assets and processes that are used to understand,
predict, and optimize performance in order to achieve improved business outcomes
(named one of Gartner's Top 10 Strategic Technology Trends for 2017).

(e.g.) Smart Manufacturing
(Source: Michele H.Ahuett-Garza and T.Kurfess, "A Brief Discussion on the Trends of Habilitating Technologies for
Industry 4.0 and Smart Manufacturing", Manufacturing Letters, Feb 17, 2018)
By maximizing SC flexibility, Smart Manufacturing enables mass customization!

CII Security in Industry 4.0
◼ So far, critical infrastructures were isolated and
focused on operational safety.
Drastically ↓Changed!
◼ However, Industry 4.0 increases the digitalization
and connectivity of the industry.
◼ Examples of such inter-connected systems may
include traffic monitoring and control systems
communicating with smart vehicles, energy related
systems communicating with smart homes and smart
meters, monitoring systems connected with
autonomous sensors in nuclear plants, power grids
and body area networks.

◼ This increasing connectivity and
interdependencies between CII elements
increases the risk of cyber security threats.

◼ This increasing connectivity and
interdependencies between CII elements
increases the risk of cyber security threats.
◼ Risk 1. No air-gap, everything connected!
◼ Risk 2. Increased complexity
◼ Risk 3. Global outsourcing is essential &
Enterprise processes become more digitized.
◼ Risk 4. How to manage billions connected devices?
◼ Risk 5. You (one team in one company) can not
verify all the products by yourself.
◼ Risk 6. Misconception about blockchain

1st Change in Security Env.
No air-gap,
everything connected!

No Air Gap! British American Security Information Council
UK nuclear submarine fleet

No Air Gap!
Recent suggestions that the fleet is vulnerable
have sometimes been met with complacency and
claims that the isolated 'air-gapped' systems
cannot be penetrated. Whilst we recognize that it
is important not to be alarmist, these claims are
false.

No Air Gap!
Malware injection during manufacturing(a.k.a
supply chain), mid-life refurbishment or software
updates and data transmission interception allow
potential adversaries to conduct long-term cyber
operations.

2nd Change in Security Env.
CIIP in Industry 4.0 era.
becomes more and more complex
with increased maintenance costs.

◼ Because of the increasing connectivity and
interdependencies, CIIP in Industry 4.0 era.
becomes more and more complex with
increased maintenance costs.
◼ Increasing new IT services
◼ Increasing usage of common COTS software
◼ Increasing integration and information flows
between systems
◼ Heavily connected to other IT services
◼ Even connected to INTERNET
Security by Design

◼ This in turns decreases the efficacy of security.
Security by Design
First Law of Software Quality
e = mc2
errors = (more code)2 or
(more connected)2

◼ CIIP in Industry 4.0 era. becomes more and
more complex with increased maintenance
costs.
◼ This in turns decreases the efficacy of security.
↓
◼ Need ‘Security by Design’ to cope with
complexity!
Security by Design

◼ Security by Design (in a narrow sense) :
Considering security as early as the design
phase of the software development process.
◼ Security by Design (in a broader sense) :
Systematically organized and methodically
equipped framework that is applied over the
lifecycle of secure software.
Security by Design
(Source: Michael Waidner, Michael Backes, Jörn Müller-Quade, "Development of Secure Software with Security By Design",
Fraunhofer SIT Technical Reports, July 2014)

◼ Security by Design (in a narrow sense) :
Considering security as early as the design
phase of the software development process.
◼ Security by Design (in a broader sense) :
Systematically organized and methodically
equipped framework that is applied over the
lifecycle of secure software.
Security by Design
(Source: Michael Waidner, Michael Backes, Jörn Müller-Quade, "Development of Secure Software with Security By Design",
Fraunhofer SIT Technical Reports, July 2014)
From the design stage,
optimize to reduce attack surface
as minimal as possible!

3rd Change in Security Env.
Nobody builds everything themselves any more.
So (global) outsourcing is essential!
&
In the industry 4.0 era, enterprise processes
become more digitized.
↓
Need (global) supply chain security!

◼ A supply chain is defined as the global
network of organizations and activities
associated with the flow of goods and
information from the raw materials stage to
the end users.
◼ If the vision of Industry 4.0 is to be realized,
most enterprise processes must become more
digitized.
Global Supply Chain Security

◼ However, due to the heavy automation and
monitoring, end-to-end digitization,
distributed and well-connected components,
supply chain security issues are well known
and exploited to great effect by
cybercriminals.
◼ Industry 4.0 gives the cybercriminal more
opportunity to dig into the top of the supply
chain, reaching into the smart factory through
its dependent actors.

The spark that starts World War III is
not a nuclear bomb,
but a supply chain hack!

◼ As seen before, in the era of industry 4.0,
global supply chains may have be more
susceptible to attacks at every stage.
◼ So, vendors need to ensure the integrity of
the supply chain by merging traditional
management practices with auditable,
certifiable system security requirements.
◼ Also, with the help of CC(Common Criteria),
we can greatly reduce the risks associated
with the global supply chain.

◼ Usually a large, networked and distributed
secure system like CII is built from a number of
component systems. These components may
be independently developed and evaluated.
◼ Additionally, during design of a large and
complex secure system, one would like to
break up the system into modules which are
small enough to be subject to security analysis,
and then to demonstrate security properties
in the overall system by means of those of
the modules.
Secure Composition

◼ If each of its components satisfies the some
security property, then an entire system
satisfies that security property?
Secure Composition

◼ Unfortunately, secure composition of complex
systems to medium-high assurance levels is
not solved today.
◼ The existing monolithic approaches cannot
cope with the complexity of modern CPS.
◼ certMILS develops a security certification
methodology for complex composable safety-
critical systems.
Secure Composition

Secure Composition
◼ certMILS @ Horizon 2020 Project

4th Change in Security Env.
We will have more than 25 billion connected
devices by 2020!
How to manage it?

Security operations
must be significantly more
automated and manageable!

Automation
Fully autonomous system for finding and fixing security vulnerabilities
@ Smithsonian

Automation
Mayhem @ human game, DefCon 2016
Korea University

◼ However, security automation is NOT AI-
security!
◼ Automation is basically making a H/W or S/W that
is capable of doing things automatically — without
human intervention.
◼ AI(Artificial Intelligence) is a science and
engineering of making intelligent machines. AI is
all about trying to make machines or S/W mimic,
and eventually supersede human behavior and
intelligence. Thus AI can respond and make
decisions according to varying environment
parameters which are NOT known at the time of
design (e.g., zero-day).
Automation

Despite our great care for security,
weak spots or vulnerabilities of products
can STILL be found.
&
This situation will become WORSE
in the era of the 4th industrial revolution,
when the number of devices
connected to the Internet increases exponentially.
↓
Crowd sourced security protection : Bug Bounty

◼ Bug Bounty : Companies
pay external ethical
hackers for finding and
reporting vulnerabilities.
◼ The first bug bounty
program dates back to
1983 from operating
system company Hunter
& Ready, Inc.
Bug Bounty

◼ A little over a decade later in 1995, Jarrett
Ridlinghafer, a technical support engineer at
Netscape Communications Corporation
coined the phrase 'Bugs Bounty'.
◼ There are now potentially hundreds of bug
bounty programs in operation.
◼ Google, AT&T, Microsoft, Mozilla, General Motors,
Starbucks, United Airlines and many others.
◼ Even US government departments are getting
in on the act.
Bug Bounty

Bug Bounty
This means that they already knew it
before the start of the competition!

Blockchain is becoming
a key element of
the Industry 4.0 transformation.
↓
Blockchain is NOT a panacea!

◼ So far, key elements of the Industry 4.0
transformation include
◼ 3D printing,
◼ robotizing and automation,
◼ smart factory with IoT and machine learning, and
◼ supply chain digitization.
◼ Now, blockchain, the distributed-ledger
technology behind cryptocurrencies including
Bitcoin, is becoming a key technology driving
this digital revolution.
Blockchain Is NOT Panacea!

Internet
Decentralized Blockchain Platform
Internet Of Things (IOT)
Artificial Intelligence (AI)
Data Analytics
Business
(Smart City, etc)

◼ One misconception that is commonly spread
about blockchain technology is that it's
completely unhackable.
◼ Blockchain just provides :
◼ Decentralization,
◼ Immutability,
◼ Transparency, and
◼ Availability.

◼ The major problems that blockchains have is
'privacy' and 'low transaction speed’.
◼ Blockchain technology does not offer much
defensive value beyond the protection of data
integrity and availability.
◼ The wrong use of blockchain for time critical
systems may lead the failure of CIIP.

◼ Industry 4.0 has made many changes to the
security paradigm of the CII (1/5) :
◼ (No Air-Gap) Do not trust the isolated 'air-gapped'
systems any more!
◼ (Security by Design) The increasing connectivity
and interdependencies make CIIP more and more
complex, and this in turns decreases the efficacy
of security. To cope with complexity, we need
‘Security by Design’.
Summary

◼ (Global Supply Chain Security) Outsourcing is
essential and the enterprise manufacturing
processes become more susceptible to cyber
attacks. So we need global supply chain security,
and here CC(Common Criteria) can help to ensure
the integrity of the supply chain.
Summary

◼ (Secure Composition) Usually a large, networked
and distributed secure system like CII is built from
a number of component systems. These
components may be independently developed
and evaluated. But, secure composition of
complex systems to medium-high assurance levels
is not solved today.
Summary

◼ (Automation) We will have more than 25 billion
connected devices by 2020. Thus the security
operations for CIIP must be more automated and
manageable!
◼ (Bug Bounty) Despite our great care for security,
weak spots or vulnerabilities of product can still
be found. This situation will worsen in the era of
the 4th industrial revolution, when the number of
devices connected to the Internet increases
exponentially. So we need crowd sourced security
protection program, a.k.a. 'Bug Bounty’.
Summary

◼ (Limitations of Blockchain) Blockchain is
becoming a key technology driving Industry 4.0.
However, one misconception that is commonly
spread about blockchain technology is that it's
completely unhackable. Blockchain Is not a
panacea!
Summary

New Threat Trends in CII(Critical Information Infrastructure)

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Similar to New Threat Trends in CII(Critical Information Infrastructure)

Similar to New Threat Trends in CII(Critical Information Infrastructure) (20)

More from Seungjoo Kim

More from Seungjoo Kim (20)

Recently uploaded

Recently uploaded (20)

New Threat Trends in CII(Critical Information Infrastructure)