Industrial Cybersecurity and Critical Infrastructure Protection in Europe
TRANSCRIPT
Critical Infrastructure Protection in Europe
Ignacio Paredes (@iparedes), Industrial Cybersecurity Center, www.cci-es.org
I am… Nacho Paredes
• Head of studies and research at the Industrial Cybersecurity Center
• ENISA expert in Information Security and CIIP
• M.S. in Computer Science
• >15 years in cybersecurity and IT consultancy
• Expert in the design and deployment of cybersecurity technical and administrative solutions, including application security, secure network design, critical infrastructure protection, ethical hacking and business continuity
• GICSP, CISSP, CISM, CISA, CEH, PMP, GSNA, GAWN, BS7799 Lead Auditor
e-mail: [email protected] Twitter: @iparedes, @info_cci
Blog: http://blog.cci-es.org Web: http://www.cci-es.org
Tel: +34 647723708
Changing Environment
Diagram: Cyber Security?, Industrial Safety, Physical Security and Environmental Safety, all facets of SECURITY
Plant vs IT vs Security
Plant / IT Conflict:
– “Watertight” environments. “Don’t get into my lot, and I won’t get into yours”
– Attention is not paid to communication interfaces between both worlds
– Connection interfaces are no man’s land, and many times unknown (the other WWW… Wild Wild West)
Physical & Cyber Worlds Convergence
Risk Level and Impact of a Security Incident:
– Corporate Environment: consequences are intangible (web portal unavailable, no email)
– Industrial Environment / Industrial Operations: availability is what is at stake; consequences are tangible and concrete (production losses, environmental damages, public health, lower company valuation)
The air-gap myth
Eric Byres (Tofino), “Unicorns and air gaps”, http://goo.gl/YHbgG7
IT in the Industrial World
• Industrial devices have inherited all problems from IT
• Industrial Control Systems are NOT isolated anymore. They have moved from using dedicated serial lines to Ethernet or WiFi
• Now, most industrial protocols are running over TCP/IP
• Industrial Control Systems use general purpose operating systems
IT vs OT
Information Technology | Operations Technology
Component lifetime 3-5 years | Component lifetime 10-20 years
Maturity and knowledge on cybersecurity | First steps on cybersecurity; lack of awareness
Standard methodologies and architectures | Legacy systems
Loss of data | Loss of life
Recover by reboot | Fault tolerance essential
High throughput demanded; high delay accepted | Modest throughput acceptable; high delay a serious concern
Straightforward upgrades and automated changes | Patching is a pain; changes only through vendors
IT vs OT
Cybersecurity Dimensions in IT | Cybersecurity Dimensions in OT
Confidentiality 50% | Availability 60%
Integrity 30% | Integrity 35%
Availability 20% | Confidentiality 5%
ICS Vulnerability Disclosure Evolution
Chart: number of ICS-CERT disclosures (alerts + advisories) per year, 2010 to 2013; vertical axis 0 to 120. Source: https://ics-cert.us-cert.gov/ics-archive
Aramco Cyber Attack
• Biggest oil producer in the world
• > 50,000 employees
• Revenue > 300 US$ billion
• In August 2012 had a cybersecurity incident
• Computers directly tied to oil production were compromised (Shamoon virus)
• 30,000 workstations were affected
• The company spent one week to restore services
• After the incident Aramco tightened its security policies
• Not only on the corporate side, but in the industrial systems
Stuxnet
Project Basecamp
SCADA Security Scientific Symposium (S4)
Shodan (www.shodanhq.com)
• Internet search engine that indexes the responses of internet-connected services (FTP, SSH, Telnet, HTTP, HTTPS, SNMP, UPnP, SMB…)
• Provides access to millions of Internet-connected devices
Many of them are Industrial Systems…
Many of them have default configurations…
Many of them have known vulnerabilities…
Internet-facing Industrial Systems: +2.000.000
Located in United States: 30%
ISP’s dynamic addresses: 80%
Project SHINE (SHodan INtelligence Extraction)
Interest
Concern
Regulation Timeline in US & EU
Timeline years: 1995, 1998, 2001, 2003, 2004, 2005, 2006, 2008, 2009, 2011, 2013, 2014
US:
– PDD-39 US Policy on Counterterrorism
– PDD-62 Combating Terrorism
– PDD-63 Protecting America’s Critical Infrastructures
– DHS creation
– HSPD-7 Critical Infrastructures Identification, Prioritization and Protection
– HSPD-23 National Cybersecurity Initiative
– PPD-21 Critical Infrastructure Security and Resilience
– 2014: Critical Infrastructure Cybersecurity Framework
EU:
– COM(2004) 702 Critical Infrastructure Protection in the fight against terrorism
– COM(2005) 576 Green paper on a European programme for critical infrastructure protection
– COM(2006) 768 EPCIP (European Programme for Critical Infrastructure Protection)
– COM(2009) 149 CIP: Protecting Europe from large scale cyber-attacks and disruptions: enhancing
– COM(2011) 163 CIP: Achievements and next steps: towards global cyber-security
Critical Infrastructure Protection
• Government guided process
– Identification (mostly secret)
– Prioritization (different levels of criticality)
– Protection (countermeasures deployment)
• The question is: who is gonna pay for this?
Critical Infrastructure Protection
• Industry pressure against regulation
• Leads to: Minimum Requirements
• Implementation towards compliance
– Infrastructure protection into the background
– False sense of protection
CI Interdependencies
The Smart Grid
The Smart Grid
• The CI that lies beneath
• Focus of many CIP initiatives
• Smart grid means:
– Efficiency
– Resiliency
– Integration of technologies
– User Interaction
– Prosumers
– New services
– Electric Vehicles
• Very tight interconnection
The Smart Grid
• Security is paramount
• And brings an additional component
Who’s got the interest?
Who?
Who?
• The US National Security Agency is one of the most prolific tool makers for APTing.
• Its ANT (Access Network Technology) division has compromised the security architecture of every major player in the IT industry.
• Multiple secret backdoors allow the NSA to compromise virtually every organization in the world.
• Software and hardware tools.
• Attacks against protocols, operating systems, electromagnetic spectrum…
Who?
• Political, strategic and financial interests are involved in decisions made by governments and corporations
• PLA Unit 61398
• AKA People’s Liberation Army Persistent Threat Unit
There are more than we can see
Advanced Persistent Threats
Hacktivism
• High interaction honeypot
• Emulating a water treatment plant
• Just recording
• Targeted attacks
• With the intention of modification or destruction
Kyle Wilhoit (Trend Micro)
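The honeypot research summarised above logged attacks whose intent was to modify or destroy the emulated plant rather than merely read from it. As an added illustration (not code from the talk, the CCI or Trend Micro's honeypot), the following Python separates Modbus/TCP read requests from write requests, which is the most basic "modification attempt" signal a water-plant honeypot or a passive ICS monitor would record. The MBAP header layout and the function code numbers are those of the Modbus/TCP specification; the client addresses, unit IDs, register addresses and the frames themselves are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change process state (writes) versus read-only ones.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    source: str          # client IP, as a honeypot or sensor would record it
    transaction_id: int
    unit_id: int
    function_code: int
    address: int         # first coil/register the request addresses (-1 if absent)


def parse_modbus_tcp(source: str, frame: bytes) -> Optional[ModbusRequest]:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length, unit id)
    plus the PDU function code and start address from one Modbus/TCP request.
    Returns None for frames that are too short, not Modbus (protocol id != 0)
    or whose length field does not match the frame, so malformed input is
    dropped instead of crashing the monitor."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    fc = frame[7]
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    return ModbusRequest(source, tid, unit, fc, address)


def classify(req: ModbusRequest) -> str:
    """'modification' for writes, 'read' for reads, 'other' for anything else."""
    if req.function_code in WRITE_FUNCTIONS:
        return "modification"
    if req.function_code in READ_FUNCTIONS:
        return "read"
    return "other"


def detect_modifications(frames: List[Tuple[str, bytes]]) -> List[str]:
    """Return one alert line per request that would change the process state."""
    alerts = []
    for source, frame in frames:
        req = parse_modbus_tcp(source, frame)
        if req is None or classify(req) != "modification":
            continue
        name = WRITE_FUNCTIONS[req.function_code]
        alerts.append(f"{source} unit={req.unit_id} fc={req.function_code} ({name}) addr={req.address}")
    return alerts


# Constructed sample traffic (documentation-range client addresses, not real captures).
SAMPLE_FRAMES = [
    # Read Holding Registers: tid=1, unit=1, start addr 0, 10 registers -> harmless poll
    ("192.0.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))),
    # Write Single Register: tid=2, unit=1, register 0x0010 := 0 -> state change
    ("198.51.100.7", bytes.fromhex("0002 0000 0006 01 06 0010 0000".replace(" ", ""))),
    # Write Multiple Coils: tid=3, unit=1, coils 0..7 := 0xFF -> state change
    ("198.51.100.7", bytes.fromhex("0003 0000 0008 01 0f 0000 0008 01 ff".replace(" ", ""))),
    # Truncated frame: must be rejected by the parser, not crash it
    ("203.0.113.2", bytes.fromhex("00040000")),
]

if __name__ == "__main__":
    for line in detect_modifications(SAMPLE_FRAMES):
        print("ALERT", line)
```

Run on the constructed frames, the read poll produces nothing, the truncated frame is discarded, and the two write requests each yield an alert naming the source, unit and register, which is exactly the distinction ("just recording" reads versus attempted modification) the honeypot slide draws.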
…stalking
Diagram: the ICT (TIC) and Industrial sectors within Society
– Industrial Orgs. and Critical Infrastructures
– Consultancies, Integrators, Engineering EPC
– ICT & Cybersecurity Vendors, Industrial Vendors: Services & Products
– CIP & IC
– Government: Requirements & Regulations
C3R
“C3R: Collaboration, Coordination and Commitment based Relationships”
Collaboration, Coordination, Commitment
Are you going to keep watching the wave?
Thank you very much
Ignacio Paredes - @iparedes - [email protected]