Maturity assessment on Cybersecurity for critical infrastructures

Transcription

1 Maturity assessment on Cybersecurity for critical infrastructures 28TH SEPTEMBER 2015, AMSTERDAM DR THIEYACINE FALL

2 Cyber-Security Today (Maturity assessment) Anticipate threats Perform risk assessment and/or vulnerability assessment Define risk governance and security policy Transform security requirements into implementable technical, procedural and organisational measures Build a secure software Development life cycle Manage security incidents Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools React to incidents to maintain business continuity or reduce impacts Prepare system, network and malware analysis (Forensics) following a successful cyber attack Comply with security policy and legal constraints Measure and reduce discrepancies between security policy and implementation Comply to legal and industry regulations Comply with best practices recommendations (ISO, NIST, ) Perform audits and penetration testing to evaluate the level of security 2

3 Cyber Security project approach (Maturity assessment) IEC (Not started) k Security Documentation 3

4 Critical Infrastructure sectors according to the EU/Critical systems Critical Infrastructure Sectors (EU) Transport Energy Nuclear Industry Water Chemical Industry Food Health Financial ICT Space Research Facilities Detailed Critical Infrastructure Sectors (EU) Road transport Rail transport Air transport Inland waterways transport Ocean and shortsea shipping and ports Electricity Oil gas Critical systems Rail signaling & Railway/Metro traffic management systems Avionics (Flight, Ground) Air Traffic management systems (Single European Sky ) Urban protection systems Automotive industry (Next generation vehicles, unmanned vehicles Critical automated control systems Airport (site) Railway/Metro station Oil & gas Electricity Maritime shipping industry 4

5 Context Critical systems are now the target of hackers 5

6 Rail signaling & Railway/Metro traffic management systems Systematic security requirements for new projects (in particular ERTMS) Still proprietary systems (Interlocking). SIL Levels improve security posture Issues for operational security Incomplete Planned Performed Anticipate threats Perform risk assessment and/or vulnerability assessment Define risk governance and security policy Transform security requirements into implementable technical, procedural and organisational measures Build a secure software Development life cycle Manage security incidents Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools React to incidents to maintain business continuity or reduce impacts Prepare system, network and malware analysis (Forensics) following a successful cyber attack Comply with security policy and legal constraints Measure and reduce discrepancies between security policy and implementation Comply to legal and industry regulations Comply with best practices recommendations (ISO, NIST, ) Perform audits and penetration testing to evaluate the level of security 6

7 Air Traffic management systems (Single European Sky ) Systematic security requirements for new projects (in particular Single European Sky) Large IT footprint for new generation of software (Interoperability) Incomplete Planned Performed Anticipate threats Perform risk assessment and/or vulnerability assessment Define risk governance and security policy Transform security requirements into implementable technical, procedural and organisational measures Build a secure software Development life cycle Manage security incidents Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools React to incidents to maintain business continuity or reduce impacts Prepare system, network and malware analysis (Forensics) following a successful cyber attack Comply with security policy and legal constraints Measure and reduce discrepancies between security policy and implementation Comply to legal and industry regulations Comply with best practices recommendations (ISO, NIST, ) Perform audits and penetration testing to evaluate the level of security 7

8 Emerging issues Lack of holistic view Cross sector dependencies Heterogeneous solutions for automated control systems (Asset inventory difficult) Product certification System accreditation 8

9 Compliance/Legislation U.S. U.K. E.U. Executive order: Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014 Voluntary program (cooperation with the private sector), NERC CIP Collaborative approach through CPNI (14 sectors), Security for Industrial Control System Framework Collaborative approach through ENISA Security for Industrial Control System (Certification/Compliance approach) Germany Strict cyber-security law to protect critical infrastructure (July 2015), 7 sectors Over 2,000 essential service providers will have to implement new minimum information security standards within two years France Generic Ministerial order (March 2015) Ministerial order per critical sector area ( ) 9

10 French Regulation LPM : Loi de Programmation Militaire Concerns critical infrastructure operators 12 strategic areas for the country Defense, energy, transportation, water treatment, critical industries... Around 250 enterprises Key measures Incident security notification/operations - Obligation for critical operators to notify significant incidents occurring on their critical IS - Mandatory Implementation of a SOC outsourced or internalized, qualified by the ANSSI and operated from the national territory Submission to controls - Obligation to submit there IS to controls by the ANSSI or by any providers qualified by the ANSSI Possible judiciary prosecution 10

11 LPM: Ministerial order (March 2015) Apply a set of rules as defined by Ministerial order Application of a classification method and key measures (ANSSI) for Industrial Control Systems A particular rule Implementation of a qualified detection system for security events Emergence of a sovereign probe for an intrusion detection system In the event of major crises, be imposed measures The Prime Minister (ANSSI) may impose measures such as disconnection of the internet Ministerial order per strategic area ( ) Ministerial order March

12 Industrial Architecture CIM = Computer Integrated Manufacturing CIM 0 è Non communicating sensors and actuators, CIM 1 è PLC and analysers, CIM 2 è SCADA, CIM 3 è Manufacturing Execution System (MES), CIM 4 è Enterprise Resource Planning (ERP). lndustrial System Functionality : Functionality 1 : Minimal system, Functionality 2 : Complex system, Functionality 3 : Very complex system. Industrial System Connectivity : Connectivity 1 : Isolated ICS Connectivity 2 : ICS connected to an MIS Connectivity 3 : ICS using wireless technology, Connectivity 4 : Distributed ICS with private infrastructure or permitting operations from outside, Connectivity 5 : Distributed infrastructure with public infrastructure. Industrial System Exposure 12

13 Classification Method 13 Class 1 ICS for which the risk or impact of an attack is low. The measures recommended correspond to rules provided by an Hygienic guide (ANSSI, SANS/CPNI) Class 2 ICS for which the risk or impact of an attack is significant. The responsible entity must be able to provide evidence that adequate measures have been implemented Class 3 ICS for which the risk or impact of an attack is critical. The conformity is verified by the state authority or an accredited body

14 Use cases Water supply plant The plant under consideration is a remotely managed ICS handling the water supply of an urban area with 500,000 inhabitants. The ICS is geographically distributed over several sites (reservoirs, booster stations, pumps). Remote sites communicate with the central site via PSTN1 lines or GPRS connections. The ICS is composed of numerous remote management devices (RTU) and supervision work stations (SCADA). Technicians can connect to the system from their remote location if problems occur. Class 2 Manufacturing industry The site under study is a household appliance assembly line for a company essentially doing business on a national level. The ICS is limited to a single site. It includes an MES and permanently-connected engineering stations. Technicians and operators use tablets and wireless scanners to scan bar codes. Class 1 14

15 Use cases Continuous process industry The ICS under study is a production plant for toxic chemicals. The site is covered by the Seveso Directive. The ICS has centralised historians, engineering stations or programming consoles that are permanently connected. The industrial networks are connected to the site s MIS. Wireless networks are not yet deployed on the industrial perimeter. Class 2 or Class 3 Railway switch automation In a railway transport network, a computerised railway switch control system allows management of track assignments and remote control of switches and signalling devices. Class 3 Detailed measures Technical Organisational 15

16 Industrial Architecture Measures Solution Example Class 3 : interconnection between ICS zone and Office area 40 Essential measures for a healthy network KNOW THE INFORMATION SYSTEM AND ITS USERS CONTROL THE NETWORK UPGRADE SOFTWARE AUTHENTICATE THE USER SECURE COMPUTER TERMINALS SECURE THE INSIDE OF THE NETWORK PROTECT THE INTERNAL NETWORK FROM THE INTERNET MONITOR SYSTEMS SECURE NETWORK ADMINISTRATION CONTROL ACCESS TO THE PREMISES AND PHYSICAL SECURITY ORGANISE RESPONSE IN THE EVENT OF AN INCIDENT RAISE AWARENESS CARRY OUT A SECURITY AUDIT 16

17 Protection Profiles Switch PLC Short term (Critical assets of the environment) - Control-command of the industrial process - Engineering workstation flows Mid-term (Critical assets of the environment) Firewall - Control-command of the industrial process - Engineering workstation flows - Data exchanges between the ToE and the supervision - Data exchanges between the ToE and another PLC VPN Wireless 17

18 EU (ENISA/JRC) approach towards product compliance & certification A research and action plan for Project No 1: Stakeholders consultation & project planning Project No 2: Product Register development Project No 3: Cyber-security Common Requirements Project No 4: Generic IACS Cyber-security Profiles Project No 5: Compliance & Certification Process Project No 6: Transition & Implementation Plan Project No 7: Launch of the C&C Scheme - Level 1: self-declaration of compliance - Level 2: third-party compliance assessment - Level 3: third-party product certification - Level 4: third-party full certification 18

19 Progress (PLC level) Firmware Security Firmware signed Verification of the signature Operations Security User authentication to modify programs Communication Security Desactivation of unused services IP filtering VPN for integrity and authenticity of communications Log event management Monitoring security events Syslog format 19

20 Conclusion/Next Drivers Regulation/Legislation in the EU France, Germany Credit Rating Agencies Cybersecurity: New risk factor Cyber insurance Compliance to best practices (Evidence) Incident Response Team (Subscribed service) 20

21 Glossary Interlocking An interlocking is an arrangement of signal apparatus that prevents conflicting movements through an arrangement of tracks such as junctions or crossings. The signalling appliances and tracks are sometimes collectively referred to as an interlocking plant. An interlocking is designed so that it is impossible to display a signal to proceed unless the route to be used is proven safe (Wikipedia) Protection Profile A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provides an implementation independent specification of information assurance security requirements. A PP is a combination of threats, security objectives, assumptions, security functional requirements (SFRs), security assurance requirements (SARs) and rationales (Wikipedia) 21

22 References JRC94533/2015%201441_src_en_pth-erncip-iacsreport ataccepted%20pth2-op.pdf ED_Cyber_security_roadmap_v3.pdf 22