industrial cybersecurity and critical infrastructure protection in europe

Critical Infrastructure Protection in Europe Ignacio Paredes (@iparedes) Industrial Cybersecurity Center www.cci-es.org

Upload: positive-hack-days

Post on 12-May-2015


Page 2: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

I am…

Nacho Paredes
• Head of studies and research at Industrial Cybersecurity Center
• ENISA expert in Information Security and CIIP
• M.S. in computer science
• >15 years in cybersecurity and IT consultancy
• Expert in the design and deployment of cybersecurity technical and administrative solutions, including application security, secure network design, critical infrastructure protection, ethical hacking or business continuity
• GICSP, CISSP, CISM, CISA, CeH, PMP, GSNA, GAWN, BS7799 Lead Auditor

e-mail: [email protected]
Twitter: @iparedes, @info_cci
Blog: http://blog.cci-es.org
Web: http://www.cci-es.org
Tel: +34 647723708

Page 5: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Changing Environment

Page 6: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

¿Cyber Security?
Industrial Safety
Physical Security
Environmental Safety

SECURITY

Page 7: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Plant vs IT vs Security

Plant / IT Conflict:

– “Watertight” environments. “Don’t get into my lot, and I won’t get into yours”
– No attention is paid to the communication interfaces between both worlds
– Connection interfaces are no man’s land and, many times, unknown (the other WWW… Wild Wild West)

Page 8: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Physical & Cyber Worlds Convergence

Risk Level and Impact of a Security Incident

Corporate Environment
Industrial Env.
Industrial Operations
Availability

Consequences: Intangible
– Web Portal unavailable
– No email

Consequences: Tangible, Concrete
– Production Losses
– Environmental Damages
– Public Health
– Lower Company Valuation

Page 9: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

The air-gap myth

Eric Byres (Tofino)
Unicorns and air gaps
http://goo.gl/YHbgG7

Page 10: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

IT in the Industrial World

• Industrial devices have inherited all problems from IT
• Industrial Control Systems are NOT isolated anymore. They have moved from using dedicated serial lines to Ethernet or WiFi
• Now, most industrial protocols run over TCP/IP
• Industrial Control Systems use general purpose operating systems

Page 11: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

IT vs OT

Information Technology | Operations Technology
Component lifetime: 3-5 years | Component lifetime: 10-20 years
Maturity and knowledge on cybersecurity | First steps on cybersecurity. Lack of awareness
Standard methodologies and architectures | Legacy systems
Loss of data | Loss of life
Recover by reboot | Fault tolerance essential
High throughput demanded. High delay accepted | Modest throughput acceptable. High delay serious concern
Straightforward upgrades and automated changes | Patching is a pain. Changes only through vendors

Page 12: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

IT vs OT

Cybersecurity Dimensions in IT | Cybersecurity Dimensions in OT
Confidentiality 50% | Availability 60%
Integrity 30% | Integrity 35%
Availability 20% | Confidentiality 5%

Page 13: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

ICS Vulnerability Disclosure Evolution

[Chart: # ICS-CERT disclosures per year, 2010 to 2013; vertical axis 0 to 120]

Alerts + Advisories. https://ics-cert.us-cert.gov/ics-archive

Page 14: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Aramco Cyber Attack

• Biggest oil producer in the world
• > 50,000 employees
• Revenue > 300 US$ billion
• In August 2012 had a cybersecurity incident
• Computers directly tied to oil production were compromised (Shamoon virus)
• 30,000 workstations were affected
• The company spent one week to restore services
• After the incident Aramco tightened its security policies
• Not only on the corp. side, but also in the industrial systems

Page 15: Industrial Cybersecurity and Critical Infrastructure Protection in Europe


Stuxnet

Page 16: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Project Basecamp

SCADA Security Scientific Symposium (S4)

Page 17: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Shodan (www.shodanhq.com)

• Internet search engine that indexes the responses of internet-connected services (FTP, SSH, Telnet, HTTP, HTTPS, SNMP, uPNP, SMB…)
• Provides access to millions of Internet-connected devices

Page 18: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Many of them are Industrial Systems…

Page 19: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Many of them have default configurations…

Page 20: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Many of them have known vulnerabilities…

Page 23: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Internet-facing Industrial Systems: +2.000.000
Located in United States: 30%
ISP’s Dynamic Addresses: 80%

Project SHINE
SHodan INtelligence Extraction

Page 24: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Interest

Concern

Page 25: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Regulation Timeline in US & EU

Years on the timeline: 1995, 1998, 2001, 2003, 2004, 2005, 2006, 2008, 2009, 2011, 2013, 2014

US:
• PDD-39 US Policy on Counterterrorism
• PDD-62 Combating terrorism
• PDD-63 Protecting America’s Critical Infrastructures
• DHS creation
• HSPD-7 Critical Infrastructures Identification, Prioritization and Protection
• HSPD-23 National Cybersecurity Initiative
• PPD-21 Critical Infrastructure Security and Resilience
• 2014 Critical Infrastructure Cybersecurity Framework

EU:
• COM(2004) 702 Critical Infrastructure Protection in the fight against terrorism
• COM(2005) 576 Green paper on a European programme for critical infrastructure protection
• COM(2006) 768 EPCIP (European Programme for Critical Infrastructure Protection)
• COM(2009) 149 CIP: Protecting Europe from large scale cyber-attacks and disruptions: enhancing
• COM(2011) 163 CIP: Achievements and next steps: towards global cyber-security

Page 26: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Critical Infrastructure Protection

• Government guided process
– Identification (mostly secret)
– Prioritization (different levels of criticality)
– Protection (countermeasures deployment)
• The question is:

Who is gonna pay for this?

Page 27: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Critical Infrastructure Protection

• Industry pressure against regulation
• Leads to:

Minimum Requirements

• Implementation towards compliance
– Infrastructure protection into the background
– False sense of protection

Page 29: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

CI Interdependencies

Page 30: Industrial Cybersecurity and Critical Infrastructure Protection in Europe


The Smart Grid

Page 31: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

The Smart Grid

• The CI that lies beneath
• Focus of many CIP initiatives
• Smart grid means
– Efficiency
– Resiliency
– Integration of technologies
– User Interaction
– Prosumers
– New services
– Electric Vehicles
• Very tight interconnection

Page 32: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

The Smart Grid

• Security is paramount
• And brings an additional component

Page 33: Industrial Cybersecurity and Critical Infrastructure Protection in Europe


Who’s got the interest?

Page 34: Industrial Cybersecurity and Critical Infrastructure Protection in Europe


Who?

Page 35: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Who?

• The US National Security Agency is one of the most prolific tool makers for APTing.
• Its ANT (Access Network Technology) division has compromised the security architecture of every major player in the IT industry.
• Multiple secret backdoors allow the NSA to compromise virtually every organization in the world.
• Software and hardware tools.
• Attacks against protocols, operating systems, electromagnetic spectrum…

Page 36: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Who?

• Political, strategic, and financial interests are involved in decisions made by governments and corporations
• PLA Unit 61398
• AKA People’s Liberation Army Persistent Threat Unit

Page 37: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

There are more than we can see

Advanced Persistent Threats

Page 38: Industrial Cybersecurity and Critical Infrastructure Protection in Europe


Hacktivism

Page 39: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

• High interaction honeypot
• Emulating a water treatment plant
• Just recording

• Targeted attacks
• With the intention of modification or destruction

Kyle Wilhoit (Trendmicro)

Page 40: Industrial Cybersecurity and Critical Infrastructure Protection in Europe


…stalking

Page 41: Industrial Cybersecurity and Critical Infrastructure Protection in Europe


TIC

Society

ICT

Industrial

Industrial Orgs. Critical Infrastructures

Consultancies

Integrators

Engineering EPC

ICT & Cybersecurity Vendors

Industrial Vendors

Services & Products

CIP & IC

Government

Requirements & Regulations

Page 42: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

C3R

“C3R: Collaboration, Coordination and Commitment based Relationships”

Collaboration
Coordination
Commitment

Page 43: Industrial Cybersecurity and Critical Infrastructure Protection in Europe

Are you going to keep watching the wave?

Thank you very much
Ignacio Paredes - @iparedes - [email protected]