Critical Infrastructure and Cyber Security: trends and challenges

Genova, 30 October 2013

2

In 2013, GCSEC has been involved in several activities both at national and international level on critical infrastructure protection

Online   Frauds   Cyber   Centre   and   Expert   Network   (OF2CEN):   crea'on   of   a   system   of   informa'on   exchange  between  financial  ins'tu'ons  and  European  law  enforcement  agencies  (Italy,  UK,  Romania),  with  development  of  a  informa'on  sharing  plaCorm  in  Italy  with  par'cipa'on  of  Polizia  Postale  e  delle  Comunicazioni    Security   of   Energy   System   (SoES):   The   project   will   provide   a   comprehensive   analysis   of   ICT   architectures,  vulnerabili'es,  and  best  prac'ces   related  to   the  Smart  Grids  and  will   create,  at  European   level  an   Informa'on  Sharing  Hub  on  the  subject.  The  project  is  developed  in  partnership  with  ENEL,  RSE  Energia,  EFACEC    Distributed  Energy  Security  Knowledge  (DEnSeK):  The  aim  of  the  project  is  defining  and  deploying  a  distributed  cross-­‐company   situa'on   awareness   network   for   the   Energy   Industrial   field.   It   will   enforce   the   capability   of  forecas'ng  cyber  threats  evolu'on  at  con'nental  level,  giving  the  opportunity  to  take  mi'ga'ng  measures  and  facilitates   the   coordina'on   among   the  members   of   the   plaCorm   in   case   of   crisis.   Project   Partners   are:   ENEL,  Security  MaTers,  Alliander  NV,  Gdansk  University  of  Technology    

Projects co-funded by EU

(70-90%)

Computer  Emergency  Response  Team  (CERT):  Support  to  Security  Department  in  the  design,  development  and  implementa'on  of  corporate  CERT.  Interna'onal  Benchmark,  design  of  main  processes  (incident  handling,  early  warning,  threat  and  vulnerability  management,…),  review  of  FIRST  requirements,  prepara'on  of  Top  Management  presenta'ons  and  report,…      Black  market  study:  analysis  of  aTack  mo'va'ons,  poten'al  impacts  of  the  aTacks  and  descrip'on  of  tools,  network  resources,  informa'on  and  services  sold  online  for  perpetra'ng  the  aTacks  

Some initiatives

Italian  Groups  

NATO  Advanced  Research  Workshop:  GCSEC,  together  with  GCSP,  has  organized  an  event  in  Geneva  on  “Best  Prac'ces  for  Computer  Network  Defence:  Incident  Detec'on  and  Response”.  29  experts  in  cyber  security,  from  NATO  Countries  and  Partner,  discussed  on  the  evolu'on  of  Incident  Detec'on  and  Response  

3

Scenarios: cyberspace will increase more and more

Today  and  the  Near  Future1  

Today   2020  

Es'mated  World  Popula'on  

7  billion  people   8  billion  people  circa  

Es'mated  Internet  Popula'on  

2.5  billion  people  (35%  of  popula'on  online)  

5  billion  people  circa  (60%  of  popula'on  online)  

Total  Number  of  Devices  

12.5  billion  internet  connected  physical  objects  and  devices  (6  devices  per  person  circa)  

50  billion  internet  connected  physical  objects  ad  devices  (10  devices  per  person  circa)  

ICT  Contribu'on  to  the  Economy  

4%  of  GDP  on  average  for  G20  na'ons  

10%  of  worldwide  GDP  

1)  Evans,  The  Internet  of  Things,  How  the  Next  Evolu'on  of  the  Internet  Is  Changing  Everything  

More People

More People online

More Devices

More Revenues generated

MORE THREATS

•  More  People  aTracted  to  business  crime  •  New  market  to  explore  •  Easier  to  find  vic'ms,  not  confident  with  

internet  •  Easier  to  buy  full  package  services  •  …  

4

Spies breach electricity grid in U.S.: According to current and former national security officials, as reported in The Wall Street Journal, cyberspies from China, Russia and other countries penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the

system.

2009

The Stuxnet worm temporarily knocks out some of the centrifuges at Iran's Natanz nuclear facility, causing considerable delay to that country's uranium enrichment program

2010

The Nitro Attacks: A series of targeted attacks using an off-the-shelf Trojan horse called "Poison Ivy" is directed mainly at companies involved in the research, development and manufacture of chemicals and advanced materials. After tricking targeted users into downloading Poison Ivy, the attackers issue instructions to the compromised computers, troll for higher-level passwords and eventually offload the stolen content to hacker-

controlled systems.

2011

DDoS attacks on U.S. banks: The U.S. accuses Iran of staging a wave of denial-of-service attacks against U.S. financial institutions. Defense Secretary Leon Panetta warns of potential for a "cyber Pearl Harbor" against critical infrastructure and calls for new protection standards.

2012

Threats will increase and also impact critical infrastructures too

Sources:  ICS-­‐CERT,  The  New  York  Times,  CSO,  Computerworld,  The  Wall  Street  Journal  

"   Intellectual Property and Digital Identities are stolen regularly

"   Systems are erased

"   Services are disrupted

"   Sophisticated hackers team are even more well oranized

"   Malwares are cheaper and easier

"   Full maleware package/services available on dark market

"   …

5

What are the critical infrastructures?

The  UK's  na'onal  infrastructure  is  defined  by  the  Government  as:  “those  facili'es,  systems,  sites  and  networks  necessary  for  the  func'oning  of  the  country  and  the  delivery  of  the  essen'al  services  upon  which  daily  life  in  the  UK  depends”

                             UK  CPNI  WEBSITE  

UK  Cri'cality  Scale  (Strategic  Framework  and  Policy  Statement  –  Cabinet  Office)    

Parameter   Green   Yellow   Orange   Red  

Health   No  injuries   Light  injuries   Heavy  Injuries   Danger  of  life  

Economics  Loss  

<  1%  EBITDA   1%<EBITDA<3%    

3%<EBITDA<5%  

>  5%  EBITDA  

Service  disrup'on  

0  –  10  minutes   10  –  60  minutes  

1  day   >  1  day  

Reputa'on   Inside  the  company  

Local  level   Na'onal  level   Interna'onal  level  

…  

The  Infrastructure  is  not  at  the  center  of  interests    the  conPnuity  of  the  SERVICE  

is  the  main  goal  

6

Critical Infrastructure are that infrastructure vital for the continuity of a service delivery which disruption would be critical at national level

Facility   Facility  Facility  

Applica'on  1  

Opera'ng  system  

Core/Cri'cal  Service  

Infrastructure/tools  

Infrastructure/tools  

Applica'on  2   Applica'on  2  

Support  Service  

Infrastructure/tools  

CITIZENS  and  COMPANIES  

Cri'cal   Not  Cri'cal  

Do  the  Owners  of  criPcal  services…  

"  …know if the service they deliver is critical?

"  …know at which level of criticality scale the

service could be considered critical?

"  …know the technology/assets chain vital for

delivering critical services?

"  …know from who they depend on?

"  …put already in place all the countermeasures

known and necessary to guarantee the service

continuity?

7

The new trend in the protection of critical infrastructures is also to do properly what we are already doing (1/3)

Better Perimeter and service Knowledge

Prioritize Patch management

Reduce complexity and opportunities

Strengthen internal

collaboration

Increase education and

training

"   Map the technology/asset chain the critical service depends on and the impact related to their disruptions

"   Map the interdependencies between networks, applications, operating system,… "   Identify the servers containing sensitive data

"   Define a patch management cycle (notification, testing, prioritizing, deploying, monitor,…) "   Prioritize deployment on critical infrastructures the critical service depend on

"   Reduce the complexity of networks, applications, operating systems, in order to reduce also the “surface” available for the attacks

"   Often there are many applications inside a company doing similar activities, platform optimization will save time and resources to monitor it and patch it

"   Reducing the attack surface will reduce the opportunities for the hacker to find blind spots

"   Avoid conflicts between business units (business owner, information technology, security departments, …)

"   Join skills and capabilities and work together to define and implement security requirements (i.e. CERT)

"   Managers and employees don’t know security policy related to the use of ICT infrastructures, PCs or mobile devices

"   There is a lack of training and exercises inside companies, this doesn’t help to speed the incident handling process and so on

Examples  

8

Use of Honeypots

Use of Disinformation/

Deception

Knowledge of your enemies

Hacker Yourself

Stregthen integration and

data/traffic analysis

"   Traps set to detect, deflect or counteracts attempts at unauthorized use of information systems

"   They gather information regarding an intruder or attacker in the system

"   False repository with false intellectual proprieties or data not useful for the attackers "   It allows to identify the attack motives "   It allows also to make attackers to invest money without profit

"   Monitor blogs/forum, media, chat to understand the sentiment around the company and if someone intend to attack your organization

"   Monitor black market t(i.e. services, malware, databases of credentials, emails and so on) "   Learn hacker operating model (pattern of attacks could be similar against different

companies)

"   Start to think and act as a hacker. In this way you can really test the protection levels of your infrastructures and take the right countermeasures (penetration testing, vulnerability assessment,…)

"   Data are usually collected but rarely analyzed and correlated. Usually only for forensics "   Big Data is the future and security has to be confident with them to understand patterns,

correlations and so on "   There are new solutions dealing also with behavioral pattern or “pattern of life” that

describe the normal online activity of employees,… (anomaly-based IDS)

Examples  

The new trend in the protection of critical infrastructures is also to do properly what we are already doing (2/3)

9

Build a security in-house capability

Limit the “bring your own

device”(BYOD)

Stregthen external collaboration

Moving target architectures

"   Security could not be transfer to external suppliers. It will create an uncomfortable dependency

"   Companies are re-thinking security bringing back at home competencies and skilled resources

"   Internet of things will enlarge the interactions with personal devices used also for work "   Clear policy shall be defined and strict controls put in place (mandatory authirization

process, password protection, control of risky application, limit the use of business application with sensitive data,…)

"   SOC/CERT and Security departments have to strengthen concrete collaborations "   It is impossible to have the overview of all the threats and vulnerabilities present in

cyberspace "   The collaboration shall go one step further the signature of MoUs

"   The design of architectures could be done in order to shift the program’s attack surface, also reducing it (Moving target)

"   Different types of architectures based on microkernels and separation kernels

Examples  

The new trend in the protection of critical infrastructures is also to do properly what we are already doing (3/3)

APPROACHING  CYBER  SECURITY  TODAY  IS  SUCH  AS  APPROACHING  COLD  WAR  YEARS  AGO    

START  TO  THINK  THAT  YOU  ARE  ALREADY  UNDER  ATTACK    

10

THANKS    massimo.cappelli@gcsec.org    www.gcsec.org