
Page 1: Maturity assessment on Cybersecurity for critical ... assessment on Cybersecurity for critical infrastructures 28TH SEPTEMBER 2015, ... without the prior written consent of Thales

www.thalesgroup.com OPEN

Maturity assessment on Cybersecurity for critical infrastructures 28TH SEPTEMBER 2015, AMSTERDAM DR THIEYACINE FALL

Page 2

2 OPEN This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales  -  © Thales  2014 All rights reserved.

Cyber-Security Today (Maturity assessment)

Anticipate threats

▌ Perform risk assessment and/or vulnerability assessment

▌ Define risk governance and security policy

▌ Transform security requirements into implementable technical, procedural and organisational measures

▌ Build a secure software development life cycle

Manage security incidents

▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools

▌ React to incidents to maintain business continuity or reduce impacts

▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack

Comply with security policy and legal constraints

▌ Measure and reduce discrepancies between security policy and implementation

▌ Comply with legal and industry regulations

▌ Comply with best practices recommendations (ISO, NIST, …)

▌ Perform audits and penetration testing to evaluate the level of security

Page 3

Cyber Security project approach (Maturity assessment)

Security Documentation

IEC 62443 1-4 (Not started)

Page 4

Critical Infrastructure sectors according to the EU/Critical systems

Critical Infrastructure Sectors (EU)

▌ Transport

▌ Energy

▌ Nuclear Industry

▌ Water

▌ Chemical Industry

▌ Food

▌ Health

▌ Financial

▌ ICT

▌ Space

▌ Research Facilities

Detailed Critical Infrastructure Sectors (EU)

▌ Road transport

▌ Rail transport

▌ Air transport

▌ Inland waterways transport

▌ Ocean and short-sea shipping and ports

▌ Electricity

▌ Oil

▌ Gas

Critical automated control systems

▌ Airport (site)

▌ Railway/Metro station

▌ Oil & gas

▌ Electricity

▌ Maritime shipping industry

Critical systems

▌ Rail signaling & Railway/Metro traffic management systems

▌ Avionics (Flight, Ground)

▌ Air Traffic management systems (Single European Sky …)

▌ Urban protection systems

▌ Automotive industry (next generation vehicles, unmanned vehicles)

Page 5

Context

▌ Critical systems are now the target of hackers

Page 6

Rail signaling & Railway/Metro traffic management systems

Anticipate threats

▌ Perform risk assessment and/or vulnerability assessment

▌ Define risk governance and security policy

▌ Transform security requirements into implementable technical, procedural and organisational measures

▌ Build a secure software development life cycle

Manage security incidents

▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools

▌ React to incidents to maintain business continuity or reduce impacts

▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack

Comply with security policy and legal constraints

▌ Measure and reduce discrepancies between security policy and implementation

▌ Comply with legal and industry regulations

▌ Comply with best practices recommendations (ISO, NIST, …)

▌ Perform audits and penetration testing to evaluate the level of security

Maturity scale (chart legend): Incomplete / Planned / Performed

▌ Systematic security requirements for new projects (in particular ERTMS)

▌ Still proprietary systems (Interlocking)

▌ SIL levels improve security posture

▌ Issues for operational security

Page 7

Air Traffic management systems (Single European Sky …)

Anticipate threats

▌ Perform risk assessment and/or vulnerability assessment

▌ Define risk governance and security policy

▌ Transform security requirements into implementable technical, procedural and organisational measures

▌ Build a secure software development life cycle

Manage security incidents

▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools

▌ React to incidents to maintain business continuity or reduce impacts

▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack

Comply with security policy and legal constraints

▌ Measure and reduce discrepancies between security policy and implementation

▌ Comply with legal and industry regulations

▌ Comply with best practices recommendations (ISO, NIST, …)

▌ Perform audits and penetration testing to evaluate the level of security

Maturity scale (chart legend): Incomplete / Planned / Performed

▌ Systematic security requirements for new projects (in particular Single European Sky)

▌ Large IT footprint for the new generation of software (Interoperability)

Page 8

Emerging issues

▌ Lack of holistic view

▌ Cross sector dependencies

▌ Heterogeneous solutions for automated control systems (Asset inventory difficult)

▌ Product certification

▌ System accreditation

Page 9

Compliance/Legislation

▌ U.S. Executive Order 13636

-  Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014

-  Voluntary program (cooperation with the private sector), NERC CIP

▌ U.K. Collaborative approach through CPNI (14 sectors)

-  Security for Industrial Control System Framework

▌ E.U. Collaborative approach through ENISA

-  Security for Industrial Control System (Certification/Compliance approach)

▌ Germany Strict cyber-security law to protect ‘critical infrastructure’ (July 2015), 7 sectors

-  Over 2,000 essential service providers will have to implement new minimum information security standards within two years

▌ France Generic Ministerial order (March 2015)

-  Ministerial order per critical sector area (2015-2016)

Page 10

French Regulation LPM: Loi de Programmation Militaire 2014-2019

▌ Concerns critical infrastructure operators

-  12 strategic areas for the country: defense, energy, transportation, water treatment, critical industries...

-  Around 250 enterprises

▌ Key measures

-  Incident security notification/operations: obligation for critical operators to notify significant incidents occurring on their critical IS

-  Mandatory implementation of a SOC, outsourced or internalised, qualified by the ANSSI and operated from the national territory

-  Submission to controls: obligation to submit their IS to controls by the ANSSI or by any provider qualified by the ANSSI

-  Possible judicial prosecution

Page 11

LPM: Ministerial order (March 2015)

▌ Apply a set of rules as defined by Ministerial order

-  Application of a classification method and key measures (ANSSI) for Industrial Control Systems

▌ A particular rule: implementation of a qualified detection system for security events

-  Emergence of a sovereign probe for an intrusion detection system

▌ In the event of a major crisis, measures may be imposed

-  The Prime Minister (ANSSI) may impose measures such as disconnection from the internet

▌ Ministerial order per strategic area (2015-2016)

Ministerial order March 2015

Page 12

Industrial Architecture

Industrial System Functionality:

-  Functionality 1: Minimal system

-  Functionality 2: Complex system

-  Functionality 3: Very complex system

Industrial System Exposure (CIM = Computer Integrated Manufacturing):

-  CIM 0: Non-communicating sensors and actuators

-  CIM 1: PLC and analysers

-  CIM 2: SCADA

-  CIM 3: Manufacturing Execution System (MES)

-  CIM 4: Enterprise Resource Planning (ERP)

Industrial System Connectivity:

-  Connectivity 1: Isolated ICS

-  Connectivity 2: ICS connected to an MIS

-  Connectivity 3: ICS using wireless technology

-  Connectivity 4: Distributed ICS with private infrastructure or permitting operations from outside

-  Connectivity 5: Distributed infrastructure with public infrastructure

Page 13

Classification Method

▌ Class 1: ICS for which the risk or impact of an attack is low. The measures recommended correspond to the rules provided by a hygiene guide (ANSSI, SANS/CPNI)

▌ Class 2: ICS for which the risk or impact of an attack is significant. The responsible entity must be able to provide evidence that adequate measures have been implemented

▌ Class 3: ICS for which the risk or impact of an attack is critical. Conformity is verified by the state authority or an accredited body

Page 14

Use cases

▌ Water supply plant   The plant under consideration is a remotely managed ICS handling the water supply of an urban area with 500,000 inhabitants. The ICS is geographically distributed over several sites (reservoirs, booster stations, pumps). Remote sites communicate with the central site via PSTN lines or GPRS connections. The ICS is composed of numerous remote management devices (RTU) and supervision workstations (SCADA). Technicians can connect to the system from their remote location if problems occur.

  Class 2

▌ Manufacturing industry   The site under study is a household appliance assembly line for a company essentially doing business on a national level. The ICS is limited to a single site. It includes an MES and permanently-connected engineering stations. Technicians and operators use tablets and wireless scanners to scan bar codes.

  Class 1

Page 15

Use cases

▌ Continuous process industry   The ICS under study is a production plant for toxic chemicals. The site is covered by the Seveso Directive. The ICS has centralised historians, engineering stations or programming consoles that are permanently connected. The industrial networks are connected to the site’s MIS. Wireless networks are not yet deployed on the industrial perimeter.

  Class 2 or Class 3

▌ Railway switch automation   In a railway transport network, a computerised railway switch control system allows management of track assignments and remote control of switches and signalling devices.

  Class 3

▌ Detailed measures: Technical, Organisational

Page 16

Industrial Architecture – Measures

Solution example, Class 3: interconnection between the ICS zone and the office area

40 essential measures for a healthy network

▌ Know the information system and its users

▌ Control the network

▌ Upgrade software

▌ Authenticate the user

▌ Secure computer terminals

▌ Secure the inside of the network

▌ Protect the internal network from the Internet

▌ Monitor systems

▌ Secure network administration

▌ Control access to the premises and physical security

▌ Organise response in the event of an incident

▌ Raise awareness

▌ Carry out a security audit

Page 17

Protection Profiles

▌ Switch

▌ PLC

-  Short term (critical assets of the environment): control-command of the industrial process; engineering workstation flows

-  Mid-term (critical assets of the environment): control-command of the industrial process; engineering workstation flows; data exchanges between the ToE and the supervision; data exchanges between the ToE and another PLC

▌ Firewall

▌ VPN

▌ Wireless

Page 18

EU (ENISA/JRC) approach towards product compliance & certification

▌ A research and action plan for 2015-20

-  Project No 1: Stakeholders consultation & project planning

-  Project No 2: Product Register development

-  Project No 3: Cyber-security Common Requirements

-  Project No 4: Generic IACS Cyber-security Profiles

-  Project No 5: Compliance & Certification Process

-  Project No 6: Transition & Implementation Plan

-  Project No 7: Launch of the C&C Scheme

▌ C&C Scheme levels

-  Level 1: self-declaration of compliance

-  Level 2: third-party compliance assessment

-  Level 3: third-party product certification

-  Level 4: third-party full certification

Page 19

Progress (PLC level)

▌ Firmware security

-  Firmware signed

-  Verification of the signature

▌ Operations security

-  User authentication to modify programs

▌ Communication security

-  Deactivation of unused services

-  IP filtering

-  VPN for integrity and authenticity of communications

▌ Log event management

-  Monitoring security events

-  Syslog format
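As an added example that is not part of the Thales deck, the following Python sketch shows the kind of detection logic the log event management item implies once a PLC exports security events in syslog format: it parses constructed syslog lines from a hypothetical PLC and flags repeated authentication failures and program-modification events. The hostname, the `secmgr` application name, the event names and the key=value fields are all assumptions, not a real PLC's log format.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed BSD-syslog lines from a hypothetical PLC security log ("secmgr" is an
# invented application name; event names and key=value fields are assumptions).
SAMPLE_LOG = """\
<85>Sep 28 09:12:01 plc-rail-01 secmgr: AUTH_FAIL user=eng02 src=10.1.20.7 reason=bad_password
<85>Sep 28 09:12:04 plc-rail-01 secmgr: AUTH_FAIL user=eng02 src=10.1.20.7 reason=bad_password
<85>Sep 28 09:12:09 plc-rail-01 secmgr: AUTH_FAIL user=eng02 src=10.1.20.7 reason=bad_password
<86>Sep 28 09:13:30 plc-rail-01 secmgr: AUTH_OK user=eng01 src=10.1.20.5
<86>Sep 28 09:13:41 plc-rail-01 secmgr: PROGRAM_WRITE user=eng01 src=10.1.20.5 block=OB1 result=ok
<84>Sep 28 09:15:02 plc-rail-01 secmgr: PROGRAM_WRITE user=- src=10.1.30.9 block=OB1 result=denied
"""

# <PRI>timestamp host app: EVENT key=value ...   (PRI = facility * 8 + severity)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<event>[A-Z_]+)(?P<kv>(?: \S+=\S+)*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line into a flat dict; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "app", "event")}
    rec["severity"] = str(int(m.group("pri")) & 7)  # 0 = emergency ... 7 = debug
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(lines: List[str], fail_threshold: int = 3) -> List[Dict[str, str]]:
    """Return one finding per condition worth an analyst's attention."""
    findings: List[Dict[str, str]] = []
    fails: Counter = Counter()  # (host, user, src) -> AUTH_FAIL count since last success
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:  # a PLC emitting an unknown format is itself worth a look
            findings.append({"rule": "unparseable", "detail": line.strip()})
            continue
        key = (rec["host"], rec.get("user"), rec.get("src"))
        who = f"user={rec.get('user', '?')} src={rec.get('src', '?')} host={rec['host']}"
        if rec["event"] == "AUTH_FAIL":
            fails[key] += 1
            if fails[key] == fail_threshold:  # report once, when the threshold is hit
                findings.append({"rule": "auth_fail_burst", "detail": who})
        elif rec["event"] == "AUTH_OK":
            fails[key] = 0
        elif rec["event"] == "PROGRAM_WRITE":
            if rec.get("result") != "ok" or rec.get("user", "-") == "-":
                findings.append({"rule": "rejected_program_write", "detail": who})
            else:  # a successful logic change on a PLC is rare; corroborate with change records
                findings.append({"rule": "program_change", "detail": f"{who} block={rec.get('block', '?')}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['rule']:24s} {f['detail']}")
```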

Page 20

Conclusion/Next Drivers

▌ Regulation/Legislation in the EU: France, Germany

▌ Credit rating agencies: cybersecurity as a new risk factor

▌ Cyber insurance: compliance with best practices (evidence); Incident Response Team (subscribed service)

Page 21

Glossary

▌ Interlocking   An interlocking is an arrangement of signal apparatus that prevents conflicting movements through an arrangement of tracks such as junctions or crossings. The signalling appliances and tracks are sometimes collectively referred to as an interlocking plant. An interlocking is designed so that it is impossible to display a signal to proceed unless the route to be used is proven safe (Wikipedia)

▌ Protection Profile   A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation-independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales (Wikipedia)

Page 22

References

▌ http://www.ssi.gouv.fr/uploads/2013/01/guide_hygiene_v1-2-1_en.pdf

▌ http://www.ssi.gouv.fr/entreprise/guide/profils-de-protection-pour-les-systemes-industriels/

▌ http://www.ssi.gouv.fr/entreprise/guide/la-cybersecurite-des-systemes-industriels/

▌ http://publications.jrc.ec.europa.eu/repository/bitstream/JRC94533/2015%201441_src_en_pth-erncip-iacsreport-201411-at-accepted%20pth2-op.pdf

▌ http://www.secur-ed.eu/wp-content/uploads/2014/11/SECUR-ED_Cyber_security_roadmap_v3.pdf