Practical approach to NIS Directive's incident management
- 1. © 1991 − 2018, CLICO sp. z o.o.
Practical approach to NIS Directive's
incident management
Mariusz Stawowski, Ph.D.
CISSP, CEH, CCISO
- 2.
Mandatory critical systems protection and incident reporting - the legal obligation of operators of essential services
• Risk management (NISD Art. 14.1) - threats, vulnerabilities and impact assessment of the assets covered by the law requirements.
• Assets protection (NISD Art. 14.1) - measures for ensuring the safety of the assets covered by the law requirements.
• Incident management and reporting (NISD Art. 14.2, 14.3, 14.4) - take appropriate measures to prevent and minimize the impact of incidents, and notify the authority of security breaches related to the assets covered by the law requirements.
• Documentation of assets and cybersecurity (NISD Art. 15.2.a) - documentation of the assets covered by the law requirements and of the security measures that ensure their safety.
- 3.
Business-critical - Systems whose failure can cause significant tangible or intangible economic costs, e.g., customer accounting system in a bank, e-banking system, etc.
Mission-critical - Systems whose failure can cause an inability to complete the overall system or project objectives; e.g., loss of energy or water supply, unavailability of an important industrial process, etc.
Life-critical, safety-critical - Systems whose failure can cause loss of life, serious personal injury, or damage to the natural environment.
Critical infrastructure - Assets that are essential for the functioning of a society and economy, e.g., electricity generation, transmission and distribution, water supply, public health, transportation systems, telecommunication, banking and financial services, etc.
- 4.
[Diagram: reference ICS/IT architecture. OT layers: control devices (PLC, PAC, RTU, etc.); visualization, supervision and control (SCADA, DCS, HMI, etc.); advanced analytics and data storage (MES, APC, Historian, etc.). OT Maintenance and IT zones (cameras, IP phones, many more) connected over LAN, WAN, VPN and Internet. The layers are mapped to Business Critical Systems, Mission Critical Systems and Life Critical Systems.]
- 5.
NIST, Framework for Improving Critical Infrastructure Cybersecurity, April 16, 2018
1. Identify - understanding the business context, the resources that support critical functions, and the related cybersecurity risks
2. Protect - appropriate safeguards to ensure delivery of critical services
3. Detect - appropriate activities to identify the occurrence of a cybersecurity event
4. Respond - appropriate activities to take action regarding a detected cybersecurity incident (including the ability to contain the impact of a potential cybersecurity incident)
5. Recover - timely recovery to normal operations to reduce the impact from a cybersecurity incident
Risk Management
- 6.
[Diagram: the same ICS/IT architecture as slide 4 (control devices: PLC, PAC, RTU; visualization, supervision and control: SCADA, DCS, HMI; advanced analytics and data storage: MES, APC, Historian; OT Maintenance; cameras, IP phones; LAN, WAN, VPN, Internet), with an Industrial/Enterprise DMZ placed between the OT and IT zones.]
Industrial/Enterprise DMZ
• FW, VPN & IPS
• Privileged Access Security
• Anti-Malware, etc.
- 7.
[Diagram: the same ICS/IT architecture with the Industrial/Enterprise DMZ, now highlighting where incident detection is placed across the OT layers, OT Maintenance, IT and the LAN/WAN/VPN/Internet links.]
Incident detection
- 8.
Flowmon ADS
Security Intelligence based on Network Behavior Analysis
- 9.
Incident detection with ICS networks
Unknown DNS requests
Port scanning (TCP, UDP)
Network scanning (ICMP, TCP, UDP)
DNS tunneling
New IP address in the network
Anomaly in network behavior
C&C access attempts (Threat Intelligence)
New protocol in the network
ALERTS!
- 10.
Variety of analytical methods for efficient incident detection
Flowmon ADS
Machine Learning
Adaptive Baselining
Heuristics
Behavior Patterns
Threat Intelligence
- 11.
Monitoring of entire attack path - Internet, IT and OT
• From Internet and VPN, business networks to the "deepest" OT
[Diagram: LAN/WAN with Flowmon Probes or NetFlow/IPFIX compatible devices spanning the Internet, the Enterprise WAN and the Industrial network.]
- 12.
Flow Export
Start      Duration  Proto  Src IP:Port           Dst IP:Port          Packets  Bytes  …
9:35:24.8  0         TCP    192.168.1.1:10111  -> 10.10.10.10:80       1        40     …
9:35:24.8  0.1       TCP    192.168.1.1:10111  -> 10.10.10.10:80       2        80     …
9:35:25.0  0         TCP    10.10.10.10:80     -> 192.168.1.1:10111    1        40     …
9:35:25.0  0.3       TCP    10.10.10.10:80     -> 192.168.1.1:10111    2        156    …
9:35:25.0  0.5       TCP    10.10.10.10:80     -> 192.168.1.1:10111    3        362    …
9:35:25.0  0.7       TCP    10.10.10.10:80     -> 192.168.1.1:10111    4        862    …
9:35:25.0  0.9       TCP    10.10.10.10:80     -> 192.168.1.1:10111    5        1231   …
Detection of internal threats hidden from network safeguards
• Malware detection by analysis of network access switches
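As an added illustration of how the alerts listed on slide 9 can be derived from flow exports like the one on slide 12 (example code, not part of the presentation and not Flowmon's own logic): a small parser for the text record layout shown above, a port-scan detector (one source hitting many ports on one destination with tiny flows) and a "new IP address in the network" check against a constructed asset inventory. The record lines, the inventory, the Modbus/TCP port 502 session and the 20-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict
# Record layout from the slide: Start Duration Proto Src IP:Port -> Dst IP:Port Packets Bytes
FLOW_RE = re.compile(
    r"^(?P<start>\S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<bytes>\d+)"
)
# Constructed export: the slide's two HTTP flows, a long Modbus/TCP session from a known HMI,
# a session from an undocumented host, and 25 one-packet flows probing consecutive ports.
SAMPLE_RECORDS = [
    "9:35:24.8 0 TCP 192.168.1.1:10111 -> 10.10.10.10:80 1 40",
    "9:35:25.0 0.9 TCP 10.10.10.10:80 -> 192.168.1.1:10111 5 1231",
    "9:36:30.0 12.4 TCP 192.168.1.1:50200 -> 10.10.10.30:502 180 12400",
    "9:37:10.0 0.2 TCP 192.168.1.99:50123 -> 10.10.10.30:502 4 320",
] + [f"9:36:00.{i % 10} 0 TCP 192.168.1.50:{40000 + i} -> 10.10.10.20:{20 + i} 1 40"
     for i in range(25)]

# Constructed asset inventory: every address the operator has documented (NISD Art. 15.2.a).
KNOWN_ASSETS = {"192.168.1.1", "192.168.1.50", "10.10.10.10", "10.10.10.20", "10.10.10.30"}

def parse_flow(line):
    """Turn one exported text record into a dict; return None for a malformed line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"start": d["start"], "dur": float(d["dur"]), "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"],
            "dport": int(d["dport"]), "pkts": int(d["pkts"]), "bytes": int(d["bytes"])}

def detect_port_scans(flows, min_ports=20):
    """Port scan: one (src, dst) pair hits many distinct ports with <= 2-packet flows."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] in ("TCP", "UDP") and f["pkts"] <= 2:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}

def detect_new_hosts(flows, known_assets):
    """'New IP address in the network': any endpoint absent from the asset inventory."""
    return sorted({ip for f in flows for ip in (f["src"], f["dst"]) if ip not in known_assets})

def run(records, known_assets):
    """Parse an export and return (alert_type, detail) tuples for syslog export to a SIEM."""
    flows = [f for f in (parse_flow(r) for r in records) if f]
    alerts = [("PORT_SCAN", f"{s} -> {d} touched {n} ports")
              for (s, d), n in detect_port_scans(flows).items()]
    alerts += [("NEW_HOST", ip) for ip in detect_new_hosts(flows, known_assets)]
    return alerts
```

The long Modbus/TCP session and the slide's HTTP exchange produce no alert, because a real session carries more than two packets and stays on one port; only the 25-port probe and the undocumented 192.168.1.99 are reported.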
- 13.
Network visibility and troubleshooting of IT and OT
• Detailed information about network and applications and users
• Effective troubleshooting
• Detection of misconfigurations
• Optimization and capacity planning
• Monitoring and analysis of network and application performance
• Anti-DDoS, prevention of overload and network down-time
- 14.
Simple and cost-effective deployment
Flowmon Probes - Stand-alone passive sources of network statistics (NetFlow / IPFIX)
Flowmon Collector - Storing, visualization and analysis of network statistics
[Diagram: Network Traffic Monitoring -> Network Statistics Collection & Analysis -> Advanced Analysis of Network Statistics]
• No need to copy all ICS network traffic and transfer to central system
• Work modes: network flows, SPAN, Tap
• Very cost-effective solution for ICS security monitoring
- 15.
Five Keys to effective ICS incident detection
1. Variety of analytical methods for efficient incident detection
• From machine learning and heuristics to Threat Intelligence
2. Monitoring of entire attack path in Internet, IT and OT
• From Internet and VPN, business networks to the "deepest" OT
3. Detection of internal threats hidden from network safeguards
• Malware detection by analysis of network access switches
4. Network visibility and troubleshooting of IT and OT
• Network visibility and troubleshooting, app performance monitoring, Anti-DDoS
5. Simple and cost-effective deployment in existing ICS networks
• No need to copy all ICS network traffic and transfer to central system
- 16.
NIST, Framework for Improving Critical Infrastructure Cybersecurity, April 16, 2018
Rigor and sophistication in cybersecurity risk management (Tiers):
1. Partial - in summary, organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner
2. Risk Informed - in summary, risk management practices are approved by management but may not be established as organization-wide policy
3. Repeatable - in summary, the organization’s risk management practices are formally approved and expressed as policy
4. Adaptive - in summary, the organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators
- 17.
Integration with SIEM and IT GRC
• Event exporting (syslog based)
• Incident detection (Flowmon ADS) <-> Business Impact (IT GRC)
[Diagram: Network Traffic Monitoring -> Collection and Behavior Analysis (Flowmon Collector & ADS, fed by NetFlow/IPFIX) -> Event Collection and Correlation in the SIEM (via SYSLOG)]
- 18.
Incident management workflow and playbook
- 19.
Business Impact Analysis (BIA) when managing incidents in ICS networks
- 20.
Summary
The EU’s NIS Directive enforces cybersecurity requirements on the operators of essential services and providers of critical digital services:
• Risk management
• Assets protection (including critical systems)
• Incident management and reporting
• Documentation of assets and cybersecurity
Recognized security standards and frameworks (e.g. NIST Framework for Improving Critical Infrastructure Cybersecurity), as well as high-quality Security Management tools, can significantly help organizations comply with the new EU cybersecurity law.
- 21.
Thank you!
Mariusz.Stawowski@clico.pl