ISACA Kyiv Chapter presentation at TAIEX Workshop on Advancing Cyber Security Capacity in Critical Infrastructure

1. TAIEX Workshop on Advancing Cyber
Security Capacity in Critical Infrastructure
Existing situation and proposed solutions to improve cybersecurity
24.01.17
Alexey Yankovski
ISACA Kyiv Chapter

2. 2
• Briefly about ISACA
• Cybersecurity – analysis of existing situation in Ukraine
• Proposed solution
- Standards
- Governance model
- Education
- PPP
- International cooperation
• Proposed next steps
Agenda

3. 3
Briefly about ISACA
• International non-profit professional association
• Develops best practices, knowledge, education and professional certifications in
the area of IT Governance, Information Security Management, Cybersecurity and
IT Audit
• Kyiv chapter exists since 2008
• Run by volonteers
• Helps to drive the reforms in Ukraine
• Translates and publicizes international best practices
• Developed a version of a Draft Law of Ukraine on Cybersecurity Fundamentals –
based on international standards
• When the wave of attacks happened in Ukraine – established and delivered to a
number of state organizations a Cybersecurity training focused on Preparation,
Containment and Eradication of a cyberattack
Exist since 1969
More than 200 chapters world wide
more 115 000 members in 180 countries
“

4. 4
Cybersecurity – analysis of existing situation in Ukraine
• Reforms are on their way
• Cyber strategy adopted last year
• Government Cyber Center has been created
• Technical solutions are being implemented
• Massive successful attacks on critical infrastructure and state bodies
• Limited skills in organizations to combat cyberattacks
• After attacks organizations are typically left on their own as far as
eradication with limited or no guidelines
• No information sharing. State advisories are not published following
the attacks
• Limited understanding of cybersecurity processes by state
authorities and responsible agencies
• Technical solutions such as Monitoring system/SIEM/IPS
implementations are viewed as panacea with limited attention dedicated
to preparation, containment and eradication phases

5. 5
Cybersecurity – analysis of existing situation in Ukraine
Root causes – 1) Ineffective framework
• Information Protecting framework “KSZI” (based on ND TZI 2.5-004-99
analogue of ISO-15408), is intended for evaluation of security properties
of an IT Product rather than an organization
• Not risk-based (uses threats and protection profiles)
• Lack of organizational measures and governance
• Static rather than dynamic – once the system and it’s controls are
documented and attested – changes are not permitted => cannot be
used for cybersecurity where dynamic changes are needed during
containment/eradication
• Not suitable for medium to large-scale architectures
• Ineffective compliance process – requires use of state-accredited
auditors – historically very corrupt process
• Significant resistance in Ukraine against international standards, in favor
of “KSZI” – lobby by business delivering compliance. Employees trained
under old framework are reluctant to changes too

6. 6
Cybersecurity – analysis of existing situation in Ukraine
Root causes – 2) Ineffective governance model
• Lack of law on cybersecurity – multiple versions exists. Strong lobby in
favour of ineffective “KSZI”
• Private business is concerned that “KSZI” and government-accredited
auditors will be misused to put illegal pressure on business
• Responsibility of Ministers, Supervisory Boards/Management for
cybersecurity of their critical infrastructure in respective industries and
organizations is not defined
• No effective mechanisms for coordination at the operational level of
cyber response among different state agencies. No centralized
command for attack response
• No one handles – preparing and educating organizations, helping them
with eradication after attacks
• No industry-based regulators and standards for cyber (except for the
banking sector)
• No reliance on independent risk-based audit to verify security

7. 7
Cybersecurity – analysis of existing situation in Ukraine
Root causes – 3) Ineffective educational system
• Educational system still focused on preparing students knowledgeable of “KSZI”
rather than international standards
• International professional certifications are not recognized in Ukraine
• Lack of instructors with advanced and modern practical experience and
international certifications
• In “Licensing requirements” for government IT security employees (mandated by
DSTSZI):
 there are no requirements of “cybersecurity” education, only for “technical
information protection” and “cryptography”;
 there are no requirements as to the level of quality of the cybersecurity
training courses.
• There are no cybersecurity specializations for higher education (forensic
investigator, network defender, auditor, recovery specialist, risk manager etc.)

8. 8
Cybersecurity – analysis of existing situation in Ukraine
Root causes – 4) Ineffective PPP
• No formal PPP programme
• Lack of dialog between businesses and state
• Limited information sharing
• Lack of guidance and support by the state
• State does not sufficiently involve volunteers, experts, and does not rely on third-
party assurance for cybersecurity
• Business not sufficiently self-organized – no industry self-regulation, industry
CERTs, ISACs

9. 9
Cybersecurity – proposed solution
1) Implement international frameworks instead of KSZI
• ISO-27000 – series and NIST Critical Infrastructure
Protection Framework
• NIST Guide to Industrial Control Systems security
• Industry-based best practices – e.g. NERC CIP for Energy
• Original standards should be used rather than their
translation/adoption to ensure that Ukraine does not fall
behind during the translation and adoption process

10. 10
Use of NIST framework shall be mandatory for cyber
incident preparation and response*
Preparation
1 Detection and
analysis
2
Containment Eradication
4
Recovery
53
* Based on NIST Computer Security Incident Handling Guide
• Identify emergency
organization and
develop
emergency
response plan
• Identify critical
assets
• Perform risk
analysis and
implement
countermeasures
• Set up
communication
with authorities
• Implement incident
monitoring process
• Select and implement
event monitoring tools
and intrusion detection
systems
• Train responsible
individuals to perform
incident investigation
including reverse-
engineering of hostile
code and identify
command and control
centers
• Set up information
sharing with industry
players
• Mobilize emergency
response team
• Develop plan for containment
of intruders and cleansing of
the environment
• Search for samples of
malware
• Improve protection of the
most critical services and
payment systems
• Perform emergency
measures to Improve security
of Active Directory, external
perimeter and internal
network
• This may include completely
disconnecting organization
from Internet, limiting
customer services, removing
systems from domain
• Implement additional
operational non-IT dependent
controls (limits,
reconciliations, additional
approvals, statistical
deviations monitoring, etc.)
• Return to normal
operation
• Remove unnecessary
additional operational
controls
• Identify infected
systems across the
whole network based
on malware samples
analysis and reinstall
them
• Clean-up or install a
new Active Directory
domain, migrate to the
new domain
• Clean-up of the access
rights, change of
passwords and reissue
of crypto keys
• Fine-tuning of the
intrusion detection
systems and
monitoring tools
• Run intrusion
diagnostics software on
a regular basis
• Select and install
additional security tools
that need to be
implemented

11. 11
Cybersecurity – proposed solution
2) Implement effective governance model and compliance process
• Centralized command (rather than coordination) of the responsible state
agencies for cyber response and eradication
• Analysis of malware samples and publishing of advisories and YARA rules
to identify the intruders (information sharing)
• Education and training programme for preparation, identification,
containment and eradication for critical infrastructure for state and privately-
owned CI – must be done immediately!
• Responsibilities of the Ministers, SBs and Management shall be defined
• CI owners shall be tasked to perform risk-assessment, develop remediation
plans and report to the responsible ministries
• Independent risk-based audits, under international standards shall be
mandated for the state-owned CI
• State accreditation of the audit firms shall be replaced with requirements to
have staff certified under international standards for cybersecurity
• Law on cybersecurity fundamentals (based on international standards and
independent audit) shall be passed by the Parliament. Law on Information
Protection – shall be changed

12. Слайд 12
Critical
Infrastructure
Self-regulating
organization
for energy
Results of the risks
assessment and
remediation plan
5
Ministry of
Energy
Development/approv
al of industry
standards for
cybersecurity
2
Independent
auditorsRisk-based
cybersecurity
assessment
4
State Cyber Center,
Government CERT
Consultations, Advisories
Support during containment
and response, Approval of
industry standards and
priority risks
1
Consultations,
Advisories, malware
samples, Support
during containment
and eradication
1
ICS ISAC
Govt. ISAC
of Ukraine
Industry
ISAC
Foreilgn
ISACs
Sharing of information
about attacks and
malware samples
7
Reporting to the regulator
6
Example - Possible cybersecurity governance model for
Energy sector
Priority risks
3
Priority risks,
Industry-specific
standards and
requirements
3

13. 13
Cybersecurity – proposed solution
3) Education
• Build educational programmes around internationally-accepted frameworks
• Formally recognized international professional certifications for cyber and
information security and mandate that for responsible personnel (e.g. top
managers responsible for cyber, security staff, etc.)
• Recognize international professional certifications for university instructors as
part of the qualification process (in addition to publications and patents)
4) PPP
• Implement information sharing, install information sharing platform
• Establish national dialogue by means of creation of Cybersecurity Counsel
including responsible state staff and industry representatives
• Government shall rely on independent audit firms and certified professionals
to provide assurance for the critical infrastructure
• Industry self-regulation for cybersecurity – industrial regulators, CERTs, ISACs
• Government shall use responses of volunteers and consultants to deliver on
its commitments - in particular to deliver training, incident response
• Ensure independent review by the industry experts of the state decisions,
budgets and solutions in the area of Cybersecurity and information protection

14. 14
Cybersecurity – proposed solution
International cooperation
1) Since Ukraine is used as a playground by international hackers to test
the tools and techniques to be used against the rest of the world, other
countries should be interested to give a hand to Ukraine to improve its
cybersecurity, help with containment and eradication of the existing
incidents, as well as provide expertise and tools necessary to set up
CERTs, ISACs, improve forensic capabilities, etc.
2) Information sharing of the malware samples should be established
with Ukraine, in order for the rest of the world to be prepared for the attacks
that international hacker groups tested on Ukrainian infrastructures

15. 15
Cybersecurity – next steps
• State-wide Cybersecurity transformation programme should be
established and centrally driven by an international team of experts
• Crisis management office shall be established for cybersecurity, until an
effective governance model is implemented
Immediate steps should be:
• Analysis of malware samples and publishing of advisories and YARA
rules to identify intrusions in other government-owned and private
organizations thorough Ukraine
• Education and training programme for preparation, identification,
containment and eradication for critical infrastructure for state and
privately-owned CI