This document provides an overview of critical infrastructure protection in Europe presented by Ignacio Paredes of the Industrial Cybersecurity Center. It discusses the convergence of physical and cyber worlds and how industrial control systems have become interconnected over TCP/IP and use general purpose operating systems. This has introduced cybersecurity challenges to operational technology environments. The document reviews cyber attacks on critical infrastructure like Stuxnet and Shamoon and regulations around critical infrastructure protection in the US and EU. It argues that identifying and prioritizing critical infrastructure is important but questions who will pay for protection and whether regulations have led to minimum compliance over real protection.
2. www.cci-es.org
I am… Nacho Paredes
• Head of Studies and Research at Industrial Cybersecurity Center
• ENISA expert in Information Security and CIIP
• M.S. in Computer Science
• > 15 years in cybersecurity and IT consultancy
• Expert in the design and deployment of cybersecurity technical and administrative solutions, including application security, secure network design, critical infrastructure protection, ethical hacking and business continuity
• GICSP, CISSP, CISM, CISA, CEH, PMP, GSNA, GAWN, BS7799 Lead Auditor
e-mail: ignacio.paredes@cci-es.org
Twitter: @iparedes , @info_cci
Blog: http://blog.cci-es.org
Web: http://www.cci-es.org
Tel: +34 647723708
7. www.cci-es.org
Plant vs IT vs Security
Plant / IT Conflict:
– “Watertight” environments. “Don’t get into my lot, and I won’t get into yours”
– Attention is not paid to the communication interfaces between both worlds
– Connection interfaces are no man’s land and, many times, unknown (the other WWW: Wild Wild West)
8. www.cci-es.org
Physical & Cyber Worlds Convergence
Consequences: Intangible
• Web portal unavailable
• No email
Consequences: Tangible, Concrete
• Production losses
• Environmental damages
• Public health
• Lower company valuation
10. www.cci-es.org
IT in the Industrial World
Industrial devices have inherited all problems from IT:
• Industrial Control Systems are NOT isolated anymore. They have moved from using dedicated serial lines to Ethernet or WiFi.
• Now, most industrial protocols are running over TCP/IP.
• Industrial Control Systems use general purpose operating systems.
11. www.cci-es.org
IT vs OT
Information Technology                         | Operations Technology
Component lifetime: 3-5 years                  | Component lifetime: 10-20 years
Maturity and knowledge on cybersecurity        | First steps on cybersecurity; lack of awareness
Standard methodologies and architectures       | Legacy systems
Loss of data                                   | Loss of life
Recover by reboot                              | Fault tolerance essential
High throughput demanded; high delay accepted  | Modest throughput acceptable; high delay a serious concern
Straightforward upgrades and automated changes | Patching is a pain; changes only through vendors
12. www.cci-es.org
IT vs OT
Cybersecurity Dimensions in IT | Cybersecurity Dimensions in OT
Confidentiality 50%            | Availability 60%
Integrity 30%                  | Integrity 35%
Availability 20%               | Confidentiality 5%
14. www.cci-es.org
Aramco Cyber Attack
• Biggest oil producer in the world
• > 50,000 employees
• Revenue > US$300 billion
• In August 2012 it had a cybersecurity incident
• Computers directly tied to oil production were compromised (Shamoon virus)
• 30,000 workstations were affected
• The company spent one week restoring services
• After the incident Aramco tightened its security policies, not only on the corporate side but also in the industrial systems
25. www.cci-es.org
Regulation Timeline in US & EU
Timeline axis (years): 1995, 1998, 2001, 2003, 2004, 2005, 2006, 2008, 2009, 2011, 2013, 2014
EU milestones:
– COM(2004) 702: Critical Infrastructure Protection in the fight against terrorism
– COM(2005) 576: Green paper on a European programme for critical infrastructure protection
– COM(2006) 768: EPCIP (European Programme for Critical Infrastructure Protection)
– COM(2009) 149: CIP: Protecting Europe from large scale cyber-attacks and disruptions: enhancing …
– COM(2011) 163: CIP: Achievements and next steps: towards global cyber-security
26. www.cci-es.org
Critical Infrastructure Protection
• Government-guided process
– Identification (mostly secret)
– Prioritization (different levels of criticality)
– Protection (countermeasures deployment)
• The question is: Who is gonna pay for this?
27. www.cci-es.org
Critical Infrastructure Protection
• Industry pressure against regulation
• Leads to: minimum requirements
• Implementation towards compliance
– Infrastructure protection into the background
– False sense of protection
31. www.cci-es.org
The Smart Grid
• The CI that lies beneath
• Focus of many CIP initiatives
• Smart grid means
– Efficiency
– Resiliency
– Integration of technologies
– User Interaction
– Prosumers
– New services
– Electric Vehicles
• Very tight interconnection
35. www.cci-es.org
Who?
• The US National Security Agency is one of the most prolific makers of tools for APT operations.
• Its ANT (Access Network Technology) division has compromised the security architecture of every major player in the IT industry.
• Multiple secret backdoors allow the NSA to compromise virtually every organization in the world.
• Software and hardware tools.
• Attacks against protocols, operating systems, electromagnetic spectrum…
39. www.cci-es.org
Kyle Wilhoit (Trend Micro)
• High interaction honeypot
• Emulating a water treatment plant
• Just recording
• Targeted attacks
• With the intention of modification or destruction
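The slide describes a honeypot that does nothing but record what targeted attackers do against an emulated water treatment plant, and distinguishes observation from attempts at modification or destruction. The following Python is an added example, not Kyle Wilhoit's or Trend Micro's code. It assumes (the slide names no protocol) that the emulated plant speaks Modbus/TCP, one of the industrial protocols that slide 10 says now run over TCP/IP, and it decodes each captured request just far enough to record whether the request would only read process data or would write to it. The source addresses and frames are constructed sample values, and the function-code meanings are the public ones from the Modbus specification.

```python
"""Honeypot-style passive recorder for Modbus/TCP requests (added example).

Assumption: the emulated plant speaks Modbus/TCP. The recorder never answers
or blocks; like the slide's honeypot it only records, and it tags each
request with the attacker's apparent intent (read vs. modify).
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (values from the Modbus specification).
READ_FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs",
                  3: "read_holding_registers", 4: "read_input_registers"}
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}


@dataclass
class Observation:
    source: str      # attacker IP as seen by the honeypot
    function: str    # decoded function name, or "malformed"
    intent: str      # "read", "modify" or "unknown"
    unit_id: int     # Modbus unit (slave) identifier, -1 if undecodable
    address: int     # first coil/register addressed, -1 if absent


def parse_modbus_tcp(source: str, frame: bytes) -> Observation:
    """Decode the 7-byte MBAP header and the PDU function code of one request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus/TCP")
    # MBAP length counts the unit id and everything after it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else -1
    if function in READ_FUNCTIONS:
        return Observation(source, READ_FUNCTIONS[function], "read", unit_id, address)
    if function in WRITE_FUNCTIONS:
        return Observation(source, WRITE_FUNCTIONS[function], "modify", unit_id, address)
    return Observation(source, f"function_{function}", "unknown", unit_id, address)


def record(frames):
    """Return the full observation log and the number of requests that would
    have changed plant state (the "modification" intent on the slide)."""
    log = []
    for source, frame in frames:
        try:
            log.append(parse_modbus_tcp(source, frame))
        except ValueError:
            # Malformed traffic is still worth keeping: it is often a scanner.
            log.append(Observation(source, "malformed", "unknown", -1, -1))
    modifications = sum(1 for obs in log if obs.intent == "modify")
    return log, modifications


# Constructed sample traffic (not captured data): a register read, a write
# that would force coil 0x0010 ON at unit 1, and a truncated frame.
SAMPLE_FRAMES = [
    ("203.0.113.5", bytes.fromhex("000100000006010300000000a".replace("a", "0a")[:24])),
    ("203.0.113.5", bytes.fromhex("00020000000601050010ff00")),
    ("198.51.100.7", b"\x00\x03\x00\x00\x00\x06\x01"),
]
SAMPLE_FRAMES[0] = ("203.0.113.5", bytes.fromhex("0001000000060103000000" + "0a"))

if __name__ == "__main__":
    observations, writes = record(SAMPLE_FRAMES)
    for obs in observations:
        print(obs)
    print(f"{writes} request(s) would have modified plant state")
```

The read/modify split is what turns a raw packet log into the slide's finding: requests that only read registers look like reconnaissance, while writes to coils or registers are the "intention of modification or destruction" the honeypot was built to surface.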