by Massimo Cappelli, GCSEC - Global Cyber Security Center, mail: [email protected]
Critical Infrastructure and Cyber Security: trends and challenges
Genova, 30 October 2013
In 2013, GCSEC has been involved in several activities on critical infrastructure protection, both at national and international level
Projects co-funded by the EU (70-90%)
Online Frauds Cyber Centre and Expert Network (OF2CEN): creation of a system of information exchange between financial institutions and European law enforcement agencies (Italy, UK, Romania), with the development of an information sharing platform in Italy with the participation of Polizia Postale e delle Comunicazioni.
Security of Energy System (SoES): the project will provide a comprehensive analysis of ICT architectures, vulnerabilities and best practices related to Smart Grids and will create, at European level, an Information Sharing Hub on the subject. The project is developed in partnership with ENEL, RSE Energia and EFACEC.
Distributed Energy Security Knowledge (DEnSeK): the aim of the project is defining and deploying a distributed cross-company situation awareness network for the energy industrial field. It will strengthen the capability of forecasting the evolution of cyber threats at continental level, giving the opportunity to take mitigating measures, and it facilitates the coordination among the members of the platform in case of crisis. Project partners are: ENEL, Security Matters, Alliander NV, Gdansk University of Technology.
Computer Emergency Response Team (CERT): support to the Security Department in the design, development and implementation of a corporate CERT. International benchmark, design of the main processes (incident handling, early warning, threat and vulnerability management, …), review of FIRST requirements, preparation of top management presentations and reports, …
Black market study: analysis of attack motivations, potential impacts of the attacks and description of the tools, network resources, information and services sold online for perpetrating the attacks.
Some initiatives
Italian Groups
NATO Advanced Research Workshop: GCSEC, together with GCSP, has organized an event in Geneva on “Best Practices for Computer Network Defence: Incident Detection and Response”. 29 cyber security experts from NATO countries and partners discussed the evolution of incident detection and response.
Scenarios: cyberspace will keep growing
Today and the Near Future (1)

| Parameter                       | Today                                                                                   | 2020                                                                                  |
| Estimated World Population      | 7 billion people                                                                        | 8 billion people circa                                                                |
| Estimated Internet Population   | 2.5 billion people (35% of population online)                                           | 5 billion people circa (60% of population online)                                     |
| Total Number of Devices         | 12.5 billion internet connected physical objects and devices (6 devices per person circa) | 50 billion internet connected physical objects and devices (10 devices per person circa) |
| ICT Contribution to the Economy | 4% of GDP on average for G20 nations                                                    | 10% of worldwide GDP                                                                  |

1) Evans, The Internet of Things, How the Next Evolution of the Internet Is Changing Everything
More People
More People online
More Devices
More Revenues generated
MORE THREATS
• More people attracted to business crime
• New market to explore
• Easier to find victims not confident with the internet
• Easier to buy full package services
• …
2009: Spies breach electricity grid in U.S.: According to current and former national security officials, as reported in The Wall Street Journal, cyberspies from China, Russia and other countries penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system.
2010: The Stuxnet worm temporarily knocks out some of the centrifuges at Iran's Natanz nuclear facility, causing considerable delay to that country's uranium enrichment program.
2011: The Nitro Attacks: A series of targeted attacks using an off-the-shelf Trojan horse called "Poison Ivy" is directed mainly at companies involved in the research, development and manufacture of chemicals and advanced materials. After tricking targeted users into downloading Poison Ivy, the attackers issue instructions to the compromised computers, troll for higher-level passwords and eventually offload the stolen content to hacker-controlled systems.
2012: DDoS attacks on U.S. banks: The U.S. accuses Iran of staging a wave of denial-of-service attacks against U.S. financial institutions. Defense Secretary Leon Panetta warns of the potential for a "cyber Pearl Harbor" against critical infrastructure and calls for new protection standards.
Threats will increase and will impact critical infrastructures too
Sources: ICS-CERT, The New York Times, CSO, Computerworld, The Wall Street Journal
• Intellectual property and digital identities are stolen regularly
• Systems are erased
• Services are disrupted
• Sophisticated hacker teams are ever better organized
• Malware is cheaper and easier to obtain
• Full malware packages/services are available on the dark market
• …
What are the critical infrastructures?
The UK's national infrastructure is defined by the Government as: “those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends” (UK CPNI website)
UK Criticality Scale (Strategic Framework and Policy Statement – Cabinet Office)

| Parameter          | Green              | Yellow           | Orange           | Red                 |
| Health             | No injuries        | Light injuries   | Heavy injuries   | Danger of life      |
| Economic loss      | < 1% EBITDA        | 1% < EBITDA < 3% | 3% < EBITDA < 5% | > 5% EBITDA         |
| Service disruption | 0 – 10 minutes     | 10 – 60 minutes  | 1 day            | > 1 day             |
| Reputation         | Inside the company | Local level      | National level   | International level |
| …                  |                    |                  |                  |                     |

The infrastructure is not at the center of interest: the continuity of the SERVICE is the main goal

Critical infrastructures are those infrastructures vital for the continuity of a service delivery whose disruption would be critical at national level
[Diagram: layered view of service delivery to CITIZENS and COMPANIES. A Core/Critical Service (critical) and a Support Service (not critical) each rest on applications (Application 1, Application 2), operating systems, infrastructure/tools and facilities.]
Do the owners of critical services…
• …know if the service they deliver is critical?
• …know at which level of the criticality scale the service could be considered critical?
• …know the technology/asset chain vital for delivering critical services?
• …know whom they depend on?
• …already have in place all the countermeasures known and necessary to guarantee service continuity?
The new trend in the protection of critical infrastructures is also to do properly what we are already doing (1/3)

Examples:

Better perimeter and service knowledge
• Map the technology/asset chain the critical service depends on and the impact related to its disruption
• Map the interdependencies between networks, applications, operating systems, …
• Identify the servers containing sensitive data

Prioritize patch management
• Define a patch management cycle (notification, testing, prioritizing, deploying, monitoring, …)
• Prioritize deployment on the critical infrastructures the critical service depends on

Reduce complexity and opportunities
• Reduce the complexity of networks, applications and operating systems, in order to reduce also the “surface” available for attacks
• Often there are many applications inside a company doing similar activities; platform optimization will save time and resources to monitor and patch them
• Reducing the attack surface will reduce the opportunities for the hacker to find blind spots

Strengthen internal collaboration
• Avoid conflicts between business units (business owner, information technology, security departments, …)
• Join skills and capabilities and work together to define and implement security requirements (e.g. CERT)

Increase education and training
• Managers and employees don’t know the security policy related to the use of ICT infrastructures, PCs or mobile devices
• There is a lack of training and exercises inside companies; this doesn’t help to speed up the incident handling process
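As an added example (not from the slides), the first two points above, mapping the asset chain a critical service depends on and prioritizing patches on it, can be combined in code: a small dependency graph, constructed here as sample data, is traversed to find every asset the critical service rests on, and pending patches on those assets are ranked ahead of higher-scoring patches on support-only assets. Service, asset and patch names and CVSS scores are all constructed.

```python
"""Added example (not from the slides): map the asset chain a critical service
depends on, then rank pending patches by what they protect. All assets,
dependencies and patches below are constructed sample data."""
from collections import deque

# Dependency graph: each service/asset depends on the assets listed for it.
DEPENDS_ON = {
    "billing":      ["app-billing", "app-payments"],   # critical service
    "hr-portal":    ["app-hr"],                         # support service
    "app-billing":  ["os-db01", "os-web01"],
    "app-payments": ["os-web01", "os-gw01"],
    "app-hr":       ["os-hr01"],
    "os-db01":      ["net-core"],
    "os-web01":     ["net-core"],
    "os-gw01":      ["net-dmz"],
    "os-hr01":      ["net-core"],
}
CRITICAL_SERVICES = {"billing"}
# Pending patches as (asset, CVSS base score); the scores are constructed
PENDING = [("os-hr01", 9.8), ("os-web01", 7.5), ("net-dmz", 5.3), ("os-db01", 9.0)]

def asset_chain(service):
    """Every asset reachable from `service` through the dependency graph
    (breadth-first; the seen-set also protects against cyclic dependencies)."""
    seen, queue = set(), deque([service])
    while queue:
        for dep in DEPENDS_ON.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def critical_assets():
    """Union of the asset chains of all critical services."""
    chain = set()
    for service in CRITICAL_SERVICES:
        chain |= asset_chain(service)
    return chain

def prioritize(pending):
    """Patches on assets a critical service depends on come first,
    then within each group by descending CVSS score."""
    crit = critical_assets()
    return sorted(pending, key=lambda p: (p[0] not in crit, -p[1]))

if __name__ == "__main__":
    crit = critical_assets()
    for asset, score in prioritize(PENDING):
        print(f"{asset:9} CVSS {score:4}  {'critical chain' if asset in crit else 'support only'}")
```

Note that the 9.8 on os-hr01 lands last: it only supports the HR portal, so the lower-scoring patches on the billing chain go first.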
The new trend in the protection of critical infrastructures is also to do properly what we are already doing (2/3)

Examples:

Use of honeypots
• Traps set to detect, deflect or counteract attempts at unauthorized use of information systems
• They gather information regarding an intruder or attacker in the system

Use of disinformation/deception
• False repositories with false intellectual property or data not useful for the attackers
• It allows to identify the attack motives
• It also makes attackers invest money without profit

Knowledge of your enemies
• Monitor blogs/forums, media and chats to understand the sentiment around the company and whether someone intends to attack your organization
• Monitor the black market (i.e. services, malware, databases of credentials, emails and so on)
• Learn the hacker operating model (patterns of attack could be similar against different companies)

Hack yourself
• Start to think and act as a hacker. In this way you can really test the protection levels of your infrastructures and take the right countermeasures (penetration testing, vulnerability assessment, …)

Strengthen integration and data/traffic analysis
• Data are usually collected but rarely analyzed and correlated, usually only for forensics
• Big Data is the future and security has to be confident with it to understand patterns, correlations and so on
• There are new solutions dealing also with behavioral patterns or “pattern of life” that describe the normal online activity of employees, … (anomaly-based IDS)
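The “pattern of life” point above, as an added example that is not part of the original slides: a per-user baseline of usual activity hours and hosts is built from constructed logon records, and new events that deviate from it are flagged with the reason, the way an anomaly-based IDS would. The log format, the user and host names and the one-hour tolerance are assumptions.

```python
"""Added example (not from the slides): a 'pattern of life' baseline of employee
logons used to flag deviating events. All log lines are constructed sample data."""
from collections import defaultdict
from datetime import datetime

# Constructed logons, "timestamp user host": a baseline (office hours, usual hosts)
BASELINE_LOG = """\
2013-10-01T08:55:00 alice fileserver
2013-10-01T09:10:00 alice mailserver
2013-10-02T17:30:00 alice mailserver
2013-10-03T09:05:00 alice fileserver
2013-10-01T07:45:00 bob hr-db
2013-10-03T08:00:00 bob mailserver
"""
# ... and new events to check against that baseline
NEW_LOG = """\
2013-10-04T09:00:00 alice fileserver
2013-10-04T03:12:00 alice hr-db
2013-10-04T08:05:00 bob hr-db
2013-10-04T08:10:00 mallory fileserver
"""

def parse(log):
    for line in log.splitlines():
        ts, user, host = line.split()
        yield datetime.fromisoformat(ts), user, host

def build_profiles(log):
    """Per user: the hours of the day seen active and the hosts usually reached."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for ts, user, host in parse(log):
        hours[user].add(ts.hour)
        hosts[user].add(host)
    return {u: {"hours": hours[u], "hosts": hosts[u]} for u in hours}

def deviations(profiles, ts, user, host, slack=1):
    """Reasons the event deviates from the user's baseline; empty list = normal.
    slack = tolerance in hours around observed activity hours (an assumed value)."""
    prof = profiles.get(user)
    if prof is None:
        return ["unknown user"]
    reasons = []
    if all(abs(ts.hour - h) > slack for h in prof["hours"]):
        reasons.append(f"hour {ts.hour:02d} outside usual activity window")
    if host not in prof["hosts"]:
        reasons.append(f"host {host} never accessed before")
    return reasons

def detect(profiles, new_log):
    return [(user, host, r) for ts, user, host in parse(new_log)
            if (r := deviations(profiles, ts, user, host))]
```

Running `detect(build_profiles(BASELINE_LOG), NEW_LOG)` flags alice's 03:12 access to hr-db (off-hours and never-seen host) and the unknown user mallory, while the routine events pass.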
The new trend in the protection of critical infrastructures is also to do properly what we are already doing (3/3)

Examples:

Build an in-house security capability
• Security cannot be transferred to external suppliers: it would create an uncomfortable dependency
• Companies are re-thinking security, bringing competencies and skilled resources back in house

Limit “bring your own device” (BYOD)
• The Internet of Things will enlarge the interactions with personal devices used also for work
• A clear policy shall be defined and strict controls put in place (mandatory authorization process, password protection, control of risky applications, limits on the use of business applications with sensitive data, …)

Strengthen external collaboration
• SOC/CERT and security departments have to strengthen concrete collaborations
• It is impossible to have an overview of all the threats and vulnerabilities present in cyberspace
• The collaboration shall go one step beyond the signing of MoUs

Moving target architectures
• Architectures could be designed in order to shift the program’s attack surface, also reducing it (moving target)
• Different types of architectures based on microkernels and separation kernels

APPROACHING CYBER SECURITY TODAY IS LIKE APPROACHING THE COLD WAR YEARS AGO
START TO THINK THAT YOU ARE ALREADY UNDER ATTACK
THANKS [email protected] www.gcsec.org