2. In 2013, GCSEC was involved in several activities both at national and
international level on critical infrastructure protection

Some initiatives

Projects cofunded by EU (70-90%)

Italian Groups Online Frauds Cyber Centre and Expert Network (OF2CEN): creation of a system of information exchange between financial institutions and European law enforcement agencies (Italy, UK, Romania), with development of an information sharing platform in Italy with participation of Polizia Postale e delle Comunicazioni

Security of Energy System (SoES): The project will provide a comprehensive analysis of ICT architectures, vulnerabilities, and best practices related to the Smart Grids and will create, at European level, an Information Sharing Hub on the subject. The project is developed in partnership with ENEL, RSE Energia, EFACEC

Distributed Energy Security Knowledge (DEnSeK): The aim of the project is defining and deploying a distributed cross-company situation awareness network for the Energy Industrial field. It will enforce the capability of forecasting cyber threats evolution at continental level, giving the opportunity to take mitigating measures, and facilitates the coordination among the members of the platform in case of crisis. Project Partners are: ENEL, Security Matters, Alliander NV, Gdansk University of Technology

Computer Emergency Response Team (CERT): Support to Security Department in the design, development and implementation of corporate CERT. International Benchmark, design of main processes (incident handling, early warning, threat and vulnerability management,…), review of FIRST requirements, preparation of Top Management presentations and report,…

Black market study: analysis of attack motivations, potential impacts of the attacks and description of tools, network resources, information and services sold online for perpetrating the attacks

NATO Advanced Research Workshop: GCSEC, together with GCSP, has organized an event in Geneva on “Best Practices for Computer Network Defence: Incident Detection and Response”. 29 experts in cyber security, from NATO Countries and Partners, discussed the evolution of Incident Detection and Response
3. Scenarios: cyberspace will increase more and more

Today and the Near Future (1)

Estimated World Population: Today 7 billion people; 2020 8 billion people circa
Estimated Internet Population: Today 2.5 billion people (35% of population online); 2020 5 billion people circa (60% of population online)
Total Number of Devices: Today 12.5 billion internet connected physical objects and devices (6 devices per person circa); 2020 50 billion internet connected physical objects and devices (10 devices per person circa)
ICT Contribution to the Economy: Today 4% of GDP on average for G20 nations; 2020 10% of worldwide GDP

MORE THREATS

More People → More People online → More Devices → More Revenues generated

• More People attracted to business crime
• New market to explore
• Easier to find victims, not confident with internet
• Easier to buy full package services
• …

1) Evans, The Internet of Things, How the Next Evolution of the Internet Is Changing Everything
4. Threats will increase and impact critical infrastructures too

• Intellectual Property and Digital Identities are stolen regularly
• Systems are erased
• Services are disrupted
• Sophisticated hacker teams are even better organized
• Malware is cheaper and easier
• Full malware packages/services available on the dark market
• …

2009
Spies breach electricity grid in U.S.: According to current and former national security officials, as reported in The Wall Street Journal, cyberspies from China, Russia and other countries penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system.

2010
The Stuxnet worm temporarily knocks out some of the centrifuges at Iran's Natanz nuclear facility, causing considerable delay to that country's uranium enrichment program.

2011
The Nitro Attacks: A series of targeted attacks using an off-the-shelf Trojan horse called "Poison Ivy" is directed mainly at companies involved in the research, development and manufacture of chemicals and advanced materials. After tricking targeted users into downloading Poison Ivy, the attackers issue instructions to the compromised computers, troll for higher-level passwords and eventually offload the stolen content to hacker-controlled systems.

2012
DDoS attacks on U.S. banks: The U.S. accuses Iran of staging a wave of denial-of-service attacks against U.S. financial institutions. Defense Secretary Leon Panetta warns of potential for a "cyber Pearl Harbor" against critical infrastructure and calls for new protection standards.

Sources: ICS-CERT, The New York Times, CSO, Computerworld, The Wall Street Journal
5. What are the critical infrastructures?

The UK's national infrastructure is defined by the Government as: “those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends” (UK CPNI website)

UK Criticality Scale (Strategic Framework and Policy Statement – Cabinet Office)

Parameter          | Green              | Yellow           | Orange           | Red
Health             | No injuries        | Light injuries   | Heavy injuries   | Danger of life
Economics          | Loss < 1% EBITDA   | 1% < EBITDA < 3% | 3% < EBITDA < 5% | > 5% EBITDA
Service disruption | 0 – 10 minutes     | 10 – 60 minutes  | 1 day            | > 1 day
Reputation         | Inside the company | Local level      | National level   | International level
…

The Infrastructure is not at the center of interests: the continuity of the SERVICE is the main goal
6. Critical Infrastructures are those infrastructures vital for the continuity of a
service delivery whose disruption would be critical at national level

CITIZENS and COMPANIES

Do the Owners of critical services…
• …know if the service they deliver is critical?
• …know at which level of the criticality scale the service could be considered critical?
• …know the technology/assets chain vital for delivering critical services?
• …know on whom they depend?
• …already have in place all the countermeasures known and necessary to guarantee the service continuity?

Service/asset chain (diagram, layers from top to bottom):
Core/Critical Service | Support Service
Critical Application 1 | Not Critical Application 2 | Application 2
Operating system
Infrastructure/tools | Infrastructure/tools | Infrastructure/tools
Facility | Facility | Facility
7. The new trend in the protection of critical infrastructures is also to do
properly what we are already doing (1/3)

Examples

Better Perimeter and service Knowledge
• Map the technology/asset chain the critical service depends on and the impact related to their disruptions
• Map the interdependencies between networks, applications, operating systems,…
• Identify the servers containing sensitive data

Prioritize Patch management
• Define a patch management cycle (notification, testing, prioritizing, deploying, monitoring,…)
• Prioritize deployment on the critical infrastructures the critical service depends on

Reduce complexity and opportunities
• Reduce the complexity of networks, applications, operating systems, in order to reduce also the “surface” available for the attacks
• Often there are many applications inside a company doing similar activities; platform optimization will save time and resources to monitor and patch them
• Reducing the attack surface will reduce the opportunities for the hacker to find blind spots

Strengthen internal collaboration
• Avoid conflicts between business units (business owner, information technology, security departments, …)
• Join skills and capabilities and work together to define and implement security requirements (i.e. CERT)

Increase education and training
• Managers and employees don’t know the security policy related to the use of ICT infrastructures, PCs or mobile devices
• There is a lack of training and exercises inside companies; this doesn’t help to speed up the incident handling process and so on
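The questions on slide 6 (which assets a critical service depends on, and at which level of the criticality scale) and the patch-prioritization point above can be worked through in a few lines. The following is an added example, not GCSEC's own code or tooling: it propagates each service's criticality level down the technology/asset chain (service → application → operating system → infrastructure/tools → facility, as on slide 6) and then orders open vulnerabilities so that assets in a Red chain are patched first. The service names, dependency edges, vulnerability ids and severities are constructed sample data; the level names follow the UK Criticality Scale on slide 5.

```python
"""Added example: criticality propagation along the asset chain and
patch ordering by inherited criticality. All services, assets and
vulnerabilities below are constructed sample data."""

LEVELS = ["Green", "Yellow", "Orange", "Red"]   # ordered criticality scale
RANK = {name: i for i, name in enumerate(LEVELS)}

# Service-level criticality as assessed by the service owner (constructed).
SERVICE_CRITICALITY = {
    "billing": "Red",            # core/critical service
    "intranet-wiki": "Yellow",   # support service
}

# Dependency edges: node -> assets it runs on (constructed chain, layered as
# service -> application -> OS -> infrastructure/tools -> facility).
DEPENDS_ON = {
    "billing": ["app-billing"],
    "intranet-wiki": ["app-wiki"],
    "app-billing": ["os-db01", "os-web01"],
    "app-wiki": ["os-web01"],
    "os-db01": ["vm-cluster-A"],
    "os-web01": ["vm-cluster-A"],
    "vm-cluster-A": ["datacenter-1"],
}

# Open vulnerabilities per asset with a CVSS-like severity (constructed ids).
OPEN_VULNS = [
    {"asset": "os-web01", "id": "VULN-1", "severity": 7.5},
    {"asset": "os-db01", "id": "VULN-2", "severity": 9.8},
    {"asset": "app-wiki", "id": "VULN-3", "severity": 9.0},
    {"asset": "vm-cluster-A", "id": "VULN-4", "severity": 5.0},
]


def assets_for_service(service, depends_on):
    """The transitive technology/asset chain a service depends on."""
    chain, stack = set(), list(depends_on.get(service, []))
    while stack:
        node = stack.pop()
        if node not in chain:
            chain.add(node)
            stack.extend(depends_on.get(node, []))
    return chain


def propagate_criticality(services, depends_on):
    """Each asset inherits the highest criticality among everything that
    transitively depends on it. Returns {node: level}."""
    inherited = {}

    def visit(node, level):
        current = RANK.get(inherited.get(node, ""), -1)
        if RANK[level] <= current:
            return  # already reached through an equal or more critical chain
        inherited[node] = level
        for child in depends_on.get(node, []):
            visit(child, level)

    for svc, level in services.items():
        visit(svc, level)
    return inherited


def patch_priority(vulns, inherited):
    """Order patches by inherited criticality first, then by severity, so a
    lower-severity finding on a Red-chain asset outranks a high-severity one
    on an asset only support services depend on."""
    def key(v):
        level = inherited.get(v["asset"], "Green")
        return (-RANK[level], -v["severity"])
    return [(v["id"], v["asset"], inherited.get(v["asset"], "Green"))
            for v in sorted(vulns, key=key)]


if __name__ == "__main__":
    levels = propagate_criticality(SERVICE_CRITICALITY, DEPENDS_ON)
    for vid, asset, level in patch_priority(OPEN_VULNS, levels):
        print(f"{vid:8} {asset:14} inherited={level}")
```

With the sample data, VULN-4 (severity 5.0 on the shared VM cluster) is scheduled before VULN-3 (severity 9.0 on the wiki application), because the cluster sits in the billing service's Red chain while the wiki only inherits Yellow; a severity-only ordering would get this backwards.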
8. The new trend in the protection of critical infrastructures is also to do
properly what we are already doing (2/3)

Examples

Use of Honeypots
• Traps set to detect, deflect or counteract attempts at unauthorized use of information systems
• They gather information regarding an intruder or attacker in the system

Use of Disinformation/Deception
• False repository with false intellectual property or data not useful for the attackers
• It allows the attack motives to be identified
• It also makes attackers invest money without profit

Knowledge of your enemies
• Monitor blogs/forums, media, chats to understand the sentiment around the company and whether someone intends to attack your organization
• Monitor the black market (i.e. services, malware, databases of credentials, emails and so on)
• Learn the hacker operating model (patterns of attack could be similar against different companies)

Hack Yourself
• Start to think and act as a hacker. In this way you can really test the protection levels of your infrastructures and take the right countermeasures (penetration testing, vulnerability assessment,…)

Strengthen integration and data/traffic analysis
• Data are usually collected but rarely analyzed and correlated, usually only for forensics
• Big Data is the future and security has to be confident with it to understand patterns, correlations and so on
• There are new solutions dealing also with behavioral patterns or “pattern of life” that describe the normal online activity of employees,… (anomaly-based IDS)
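The last two groups above (deception with a false repository, and “pattern of life” anomaly detection over collected data) can be illustrated together with a small detection routine. This is an added example, not GCSEC's code or any product's logic: it builds a per-user baseline of working hours and hosts from historical access records, scores new records against it, and treats any access to a decoy path as an alert regardless of baseline. The log format (`timestamp user host action resource`), the decoy path prefix and all log lines are constructed for the example.

```python
"""Added example: pattern-of-life baseline plus decoy-access rule over
constructed access logs. The log format and all lines are made up here."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline records (in practice, weeks of routine activity).
BASELINE_LOG = """\
2013-03-04T08:15:00 alice ws-alice login /
2013-03-04T09:02:00 alice ws-alice read /shares/finance/q1.xlsx
2013-03-05T08:40:00 alice ws-alice read /shares/finance/q1.xlsx
2013-03-04T10:20:00 bob ws-bob login /
2013-03-04T14:05:00 bob ws-bob read /shares/eng/specs.pdf
"""

# Constructed new records: one routine, one off-hours from an unseen host,
# one touching the false repository.
NEW_LOG = """\
2013-03-11T09:10:00 alice ws-alice read /shares/finance/q1.xlsx
2013-03-11T02:45:00 alice vpn-gw read /shares/finance/q1.xlsx
2013-03-11T11:00:00 bob ws-bob read /decoy/ip/prototype-v2.zip
"""

# Path of the false repository (assumed): no legitimate workflow reads it.
DECOY_PREFIX = "/decoy/"


def parse(log_text):
    """Parse 'timestamp user host action resource' lines into dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, host, action, resource = line.split(" ", 4)
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "resource": resource})
    return events


def build_profiles(events):
    """Per-user set of hours of day and hosts seen in the baseline."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        profiles[e["user"]]["hours"].add(e["time"].hour)
        profiles[e["user"]]["hosts"].add(e["host"])
    return profiles


def score(event, profiles):
    """Reasons the event deviates from the baseline; empty list means normal."""
    reasons = []
    if event["resource"].startswith(DECOY_PREFIX):
        reasons.append("decoy access")   # deception rule: any touch is an alert
    profile = profiles.get(event["user"])
    if profile is None:
        reasons.append("unknown user")
        return reasons
    hour = event["time"].hour
    # Allow one hour of slack around any hour seen in the baseline.
    if all(abs(hour - h) > 1 for h in profile["hours"]):
        reasons.append("off-hours")
    if event["host"] not in profile["hosts"]:
        reasons.append("new host")
    return reasons


def detect(baseline_text, new_text):
    """Score every new record; returns (user, resource, reasons) tuples."""
    profiles = build_profiles(parse(baseline_text))
    return [(e["user"], e["resource"], score(e, profiles))
            for e in parse(new_text)]


if __name__ == "__main__":
    for user, resource, reasons in detect(BASELINE_LOG, NEW_LOG):
        status = "ALERT " + ", ".join(reasons) if reasons else "ok"
        print(f"{user:6} {resource:32} {status}")
```

The decoy rule needs no baseline at all, which is the point of the false repository: its signal is clean because nobody should be there. The pattern-of-life rules, by contrast, are only as good as the baseline they were built from, so a real deployment would build it over a long window and review the alerts before acting on them.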
9. The new trend in the protection of critical infrastructures is also to do
properly what we are already doing (3/3)

Examples

Build a security in-house capability
• Security cannot be transferred to external suppliers; it would create an uncomfortable dependency
• Companies are re-thinking security, bringing competencies and skilled resources back in house

Limit the “bring your own device” (BYOD)
• The Internet of Things will enlarge the interactions with personal devices used also for work
• A clear policy shall be defined and strict controls put in place (mandatory authorization process, password protection, control of risky applications, limits on the use of business applications with sensitive data,…)

Strengthen external collaboration
• SOC/CERT and Security departments have to strengthen concrete collaborations
• It is impossible to have the overview of all the threats and vulnerabilities present in cyberspace
• The collaboration shall go one step further than the signature of MoUs

Moving target architectures
• The design of architectures could be done in order to shift the program’s attack surface, also reducing it (Moving target)
• Different types of architectures based on microkernels and separation kernels

APPROACHING CYBER SECURITY TODAY IS LIKE APPROACHING THE COLD WAR YEARS AGO

START TO THINK THAT YOU ARE ALREADY UNDER ATTACK