About us: Finmeccanica

Transcription

1 About us: Finmeccanica CP EXPO Workshop - «Risks and Security Management in Logistics and Transports» Cyber Security in Railways Systems, Ansaldo STS experience Part 2: Cyber Security Strategy and Design Relator: Daniele Debertol, PhD. Joint work with: Ermete Meda, InfoSec Manager Finmeccanica is Italy s leading manufacturer in the high technology sector. Genova, 29 October 2013 Finmeccanica is the largest shareholder in Ansaldo STS with a 40% stake. 1

2 Signaling Systems: Safety-to-Security relationships Vital Systems RBC (Radio Block Center) Interlocking Environment Proprietary Infrastructure that ensures Railway Safety is not subject to computer attack Non-Vital Systems Centralized Traffic Control Systems (e.g. TMS), Automation Systems Environment Commercial ICT Infrastructure undergoing Cyber Security Risks (Operational Continuity, Financial losses, Reputational damage) Vital Systems Non-Vital Systems 2

3 and between vital and non-vital layers Needs Protection External Systems Non-vital layer Train Management System (TMS) Interlocking RBC Interlocking Vital layer T1 ERTMS Euroradio T2 Balise RBC: Radio-Block Center 3

4 Evolution and Characteristics of Railway Signaling Systems Technology Platforms In the Past Proprietary HW/SW Isolated Systems Dedicated Applications Structured Information Today Commercial low cost HW/SW TCP/IP Protocol Interconnected Systems Heterogeneous Services ( , Info-web, VoIP, CCTV, ) Structured and unstructured Information Operating Environment Today Distributed ICT infrastructure spread over long distances, and unattended systems Connections between safety critical and non-safety critical layers External systems connected to signaling infrastructure Human factor (operators, maintainers and passengers) 4

5 Cyber Space calling, Cyber Security knocking Cyber Security: protection of Cyber Space. But what is Cyber Space? Yesterday: many different environments, side-by-side Today: one single, big environment Consequences: Dynamic Threat Landscape in unique Cyber Domain Strategic & Tactical Cyber War Terrorism Military Politics Stuxnet, Operation Aurora, Botnets Espionage Organized Crime Intellectual Property $ Zeus, Flame, Mandiant APT1 Report, AET attacks, Botnets, Phishing e- mail Vandalism & Hacktivism Ego, Curiosity DDoS attacks, Wikileaks, Anonymous 5

6 Mature Cyber Security Process 1 Discovery & Assessment Identify key risks Identify key assets Identify gaps 2 HW/SW Review & Redesign Countermeasure rationalization Security Infrastructure Assessment Fill technology gaps 3 Intelligence & Analytics Monitoring & Management Improvement Big Data Security Analytics Real-time Intelligence feeds 3 Phase Approach 6

7 ICT Security Activities and Governance: Best Practices Incident Management Event Identification Countermeasures Effort 7

8 ICT Security Activities and Governance: real life Reactive countermeasures Reaction Detection WTF is going on??? Monitoring and Monitoring and guess what? (not excluding Forensics) Prevention Proactive countermeasures 8

9 Cyber Security: taking advantage of IT Building on top of Information Technology infrastructures, means that you get both its weaknesses, true, but its strenghts as well putting it the other way round: if a system is not secure by design and they are not, it will leave plenty of traces for you to follow! Leaving trace-routes behind 9

10 Strategy: enhance monitoring and correlate Firewalling Content Filtering Virtual Patching IDS/IPS AAA So many eyes giving a very broad view (say, at 365 degrees to stay safe) OK But where to look for? And for what? And who? 10

11 Perimeter Defence - Firewall shortcoming Signalling Plant_1 Signalling Plant_2 Signalling Plant_N.. Firewall Module Firewall Module Firewall Module WAN Policy Installation Logs Traffic Firewall Module External Systems Management Console expected results from logs Solution: adding IPS/IDS and Log Correlation 11

12 Content Filtering: the do s and the dont s Operating system is static, meaning that you can t change it too often (good ), but that you won t be able to patch (at all) either, which is NO GOOD! Dirty Traffic Virtual Patcher Clean Traffic Clean Traffic Threats Treatment Analysis: find critical vulnerabilities directly exposed to possible attacks Remediation: identify (& block) specific packets for the above vulnerabilities Solution: adding Virtual Patching 12

13 Near Realtime Asset Control not a performance- or availability-driven tool, though it may help based on static asset database loaded offline at project time Repeat as needed perform differential discovery onsite for database tuning acknowledge variations that should be allowed what is left, deal with: either a missing sheep, or a mismatched one, or go, bark, there s a wolf! GUI Clean Traffic Clean Traffic Monitoring subnet WAN Know your flock, and beware of wolves! Barkin, at the very least 13

14 The russian peasant of SIEMs at work: fast and light Events Console Message Correlation Correlation Engine Minimize False Positives Realtime response(no archiving) Novelty detection for scheme-in-the-chaos Log Files Sensor_1 Sensor_2 Sensor_n Log Correlation 14

15 The 11 th hour (a.m.?) Do we simply wait for vulnerabilities to become actual threats or Can we advance from here, and provide for new services? Cyber Security = Defense line 15