This document provides an overview of critical infrastructure protection in Europe presented by Ignacio Paredes of the Industrial Cybersecurity Center. It discusses the convergence of physical and cyber worlds and how industrial control systems have become interconnected over TCP/IP and use general purpose operating systems. This has introduced cybersecurity challenges to operational technology environments. The document reviews cyber attacks on critical infrastructure like Stuxnet and Shamoon and regulations around critical infrastructure protection in the US and EU. It argues that identifying and prioritizing critical infrastructure is important but questions who will pay for protection and whether regulations have led to minimum compliance over real protection.

1. Critical Infrastructure
Protection in Europe
Ignacio Paredes (@iparedes)
Industrial Cybersecurity Center
www.cci-es.org

2. www.cci-es.org
2
Nacho Paredes
• Head of studies and research at Industrial Cybersecurity Center
• ENISA expert in Information Security and CIIP
• M.S. In computer science
• >15 years in cybersecurity and IT consultancy
• Expert in the design and deployment of cybersecurity technical and
administrative solutions, including (application security, secure
network design, critical infrastructure protection, ethical hacking or
business continuity)
• GICSP, CISSP, CISM, CISA, CeH, PMP, GSNA, GAWN, BS7799 Lead
Auditor
I am…
e-mail: ignacio.paredes@cci-es.org
Twitter: @iparedes , @info_cci
Blog: http://blog.cci-es.org
Web: http://www.cci-es.org
Tel: +34 647723708

3. www.cci-es.org

4. www.cci-es.org

6. www.cci-es.org
¿Cyber Security?
Industrial Safety
Physical Security
Environmental
Safety
SECURITY

7. www.cci-es.org
Plant vs IT vs Security
Plant / IT Conflict:
–“Watertight” environments. “Don’t get
into my lot, and I won’t into yours”
–Attention is not paid to communication
interfaces between both worlds
–Connection interfaces are no man’s land,
and many times, unknown (others
WWW… Wild Wild West )

8. www.cci-es.org
Physical & Cyber Worlds Convergence
8
Consequences: Intangible
Web Portal unavailable
No email
Consequences: Tangible, Concrete
Production Losses
Environmental Damages
Public Health
Lower Company Valuation

9. www.cci-es.org

10. www.cci-es.org
IT in the Industrial World
Industrial devices have inherited
all problems from IT
Industrial Control
Systems are NOT
isolated anymore.
They have moved
from using
dedicated serial
lines to Ethernet or
WiFi
Now, most of
industrial protocols
are running over
TCP/IP
Industrial Control
Systems use general
purpose operating
systems

11. www.cci-es.org
IT vs OT
11
Information Technology Operations Technology
Component lifetime 3-5 years Component lifetime: 10-20 years
Maturity and knowledge on cybersecurity First steps on cybersecurity. Lack of
awareness
Standard methodologies and
architectures
Legacy systems
Loss of data Loss of life
Recover by reboot Fault tolerance essential
High throughput demanded. High delay
accepted
Modest throughtput acceptable. High
delay serious concern
Straightforward upgrades and automated
changes
Patching is a pain. Changes only through
vendors

12. www.cci-es.org
IT vs OT
12
Cybersecurity Dimensions in IT Cybersecurity Dimensions in OT
Confidentiality 50% Availability 60%
Integrity 30% Integrity 35%
Availability 20% Confidentiality 5%

13. www.cci-es.org
ICS Vulnerability Disclosure Evolution
0
20
40
60
80
100
120
2010 2011 2012 2013
# ICS-CERT disclosures
13Alerts + Advisories. https://ics-cert.us-cert.gov/ics-archive

14. www.cci-es.org
Aramco Cyber Attack
14
• Biggest oil producer in the world
• > 50,000 employees
• Revenue > 300 US$ billion
• In August 2012 had a cybersecurity incident
• Computers directly tied to oil production were
compromised (Shamoon virus)
• 30,000 workstations were affected
• The company spent one week to restore services
• After the incident Aramco tightened its security policies
• Not only in the corp. side, but in the industrial systems

15. www.cci-es.org
Stuxnet
15

16. www.cci-es.org
Project Basecamp
SCADA Security
Scientific
Symposium (S4)

17. www.cci-es.org
Shodan (www.shodanhq.com)
• Internet search engine that indexes internet-
connected services response (FTP, SSH, Telnet,
HTTP, HTTPS, SNMP, uPNP, SMB…)
• Provide access to millions of Internet-
connected devices

18. www.cci-es.org
18

19. www.cci-es.org
19

20. www.cci-es.org
20

21. www.cci-es.org
21

22. www.cci-es.org
22

23. www.cci-es.org
Internet-facing
Industrial Systems+2.000.000
Located in
United States30%
ISP’s Dynamic
Addresses80%
Project SHINE
SHodan INtelligence Extraction

25. www.cci-es.org
Regulation Timeline in US & EU
25
1995 1998 2001 2004 2005 2006 2008 2009 2011 20132003
COM(2004) 702 Critical Infrastructure Protection in
the fight against terrorism
COM(2005) 576 Green paper on a European
programme for critical infrastructure protection
COM(2006) 768 EPCIP (European Programme for
Critical Infrastructure Protection)
COM(2009) 149 CIP: Protecting Europe from large
scale cyber-attacks and disruptions: enhancing
COM(2011) 163 CIP: Achievements and next steps:
towards global cyber-security
2014

26. www.cci-es.org
Critical Infrastructure Protection
• Government guided process
– Identification (mostly secret)
– Priorization (different levels of criticity)
– Protection (countermeasures deployment)
• The question is:
26
Who is gonna pay for this?

27. www.cci-es.org
Critical Infrastructure Protection
27
• Industry pressure against regulation
• Leads to:
Minimum Requirements
• Implementation towards compliance
– Infrastructure protection into the background
– False sense of protection

28. www.cci-es.org

29. www.cci-es.org
CI Interdependencies

30. www.cci-es.org
The Smart Grid
30

31. www.cci-es.org
The Smart Grid
• The CI that lies beneath
• Focus of many CIP initiatives
• Smart grid means
– Efficiency
– Resiliency
– Integration of technologies
– User Interaction
– Prosumers
– New services
– Electric Vehicles
• Very tight interconnection
31

32. www.cci-es.org
The Smart Grid
• Security is paramount
• And brings an additional component
32

33. www.cci-es.org
Who’s got the interest?
33

34. www.cci-es.org
Who?
34

35. www.cci-es.org
Who?
• The US National Security Agency is one of the most
prolific tool makers for APTing.
• Its ANT (Access Network Technology) division has
compromised the security architecture of every major
player in the IT industry.
• Multiple secret backdoors allow the NSA to
compromise virtually every organization in the world.
• Software and hardware tools.
• Attacks against protocols, operating systems,
electromagnetic spectrum…
35

36. www.cci-es.org
Who?
36
• Political,
strategical,
and financial
interests are involved in decisions made by
governments and corporations
• PLA Unit 61398
• AKA People’s Liberation Army
Persistent Threat Unit

37. www.cci-es.org
There are more that we can see

38. www.cci-es.org
Hacktivism
38

39. www.cci-es.org
• High interaction honeypot
• Emulating a water treatment
plant
• Just recording
• Targetted attacks
• With the intention of
modification or destruction
Kyle Wilhoit
(Trendmicro)

40. www.cci-es.org
…stalking

41. www.cci-es.org
TIC
Society
ICT
Industrial
Industrial Orgs.
Critical Infrastructures
Consultancies
Integrators
Engineering
EPC
ICT & Cybersecurity
Vendors
Industrial
Vendors
Services &
Products
CIP &
IC
Government
Requirements
& Regulations

42. www.cci-es.org
R
“C3R: Collaboration, Coordination and Commitment based
Relationships”
Collaboration
CoordinationCommitment

43. www.cci-es.org
большое спасибо
Ignacio Paredes - @iparedes - ignacio.paredes@cci-es.org