Centralised service 6-7: Ensuring the resilience of centralised services cyber-security and sharing cyber intelligence

Transcription

1 Centralised service 6-7: Ensuring the resilience of centralised services cyber-security and sharing cyber intelligence Patrick MANA CS6-7 Project Manager WAC 08 March 2017

2 Why doing it? NIS Directive EC 1377/2016 & 2

3 But still in a reactive mode to a big event 3

4 CS6-7: EATM-CERT AND SOC CERT is registered in the Office for Harmonization in the Internal Market by Carnegie Mellon University. EUROCONTROL has been granted the right to use the label CERT. EUROCONTROL Centralised Service 6-7 4

5 CS6-7: EATM-CERT + SOC EASA (ECCSA) National CERTs National CERTs National CERTs Alerts/Incidents - intelligence Alerts/ Incidents D SOC CS6-7 EATM-CERT Intelligence /services Alerts/ Incidents CS SOC Intelligence /services Cyber Intelligence Thematic CERTs Cyber intelligence Cyber Provider intelligence Cyber Provider intelligence Provider ATM CI Provider (US & other Regions ATM CERT) EA-ISAC EUROPOL Significant Incidents - intelligence Alerts/other Incidents - intelligence/services Logs Recommendations Recommendations CERT-EU ENISA NATO/EDA Logs Bilateral agreements CS CFT SOC ATM Stakeholder ATM SOC Stakeholder SOC (1) ATM SOC Stakeholder (1) SOC SOC (1) SOC ATM Stakeholder ATM Stakeholder ATM Stakeholder ATM Stakeholder ATM Stakeholder CS CS CS EUROCONTROL Centralised Service 6-7 6

6 enter your presentation title 7

7 Alert/Incident reporting To National CERT (mandatory as per NIS Directive) To ATM CERT(s) (if national law permits e.g. legal case) To National CERT(not mandatory in NIS Directive and dependent upon National CERT capabilities) To ATM CERT(s) Incidents of significant importance Other Incidents To ATM CERT(s) Alerts Mandatory On a voluntary basis EUROCONTROL Centralised Service 6-7 8

8 EATM-CERT: services Initial proposition of services To be reviewed based on Stakeholders needs Reactive Services Proactive Services Other Services Alerts and Warnings (1) Incident Handling Incident analysis (1) Forensic evidence collection (A) Tracking or Tracing (A) Incident response on site (N) Incident response support (1) Incident response coordination (1) Vulnerability Handling Vulnerability analysis (A) Vulnerability response (A) Vulnerability response coordination (A) Announcements (1) Technology Watch (2) Security Assessments Infrastructure review (A) Best practice review (A) Scanning (A) Penetration testing (2) Configuration and Maintenance of Security (N) Development of Security Tools (N) Intrusion Detection Services (2) Security-Related Information Dissemination (1) Artifact Handling Artifact analysis (1) Artifact response (1) Artifact response coordination (1) Security Quality Management Risk Analysis (N) Business Continuity and Disaster Recovery (N) Security Consulting (N) Awareness Building (A) Education/Training (A) Product Evaluation or Certification (N) EUROCONTROL Centralised Service

9 WHAT CAN CS6-7 DO FOR YOU? EUROCONTROL Centralised Service

10 CS6-7 for you Target: ANSPs, Airport Operators If you have a SOC: Benefit from EATM-CERT services: no extra cost Independent, no commercial interest, ATM-specialised, de-identified info ATM specific cyber-intelligence relevant Proactive services: Infra/Best Practice reviews, pen testing, vulnerability assessment Reactive services: alert/incident response coordination, artifact handling, forensic, If you don t have a SOC: Benefit from D-SOC: on a voluntary basis Benefit from EATM-CERT services: no extra cost EUROCONTROL Centralised Service

11 2 Security Operations Center (SOC) for ATM Stakeholders (D-SOC) CS6-7 EUROCONTROL Centralised Service

12 D-SOC Services D-SOC services are: 1. Monitoring (Tier1); 2. Analysis (Tier2); 3. Investigation/Hunting (Tier3). 4. Vulnerability management including; Vulnerability analysis and scanning; Vulnerability response; Vulnerability response coordination; 5. Forensic investigation; 6. Security assessments including: Infrastructure review; Best practice review; Penetration testing; Mapping. EUROCONTROL Centralised Service

13 D-SOC Benefit from CS SOC Means to comply with EC 1377/2016 security requirements Support compliance with NIS Directive Fully dedicated to ATM Synergies amongst ATM Stakeholders On a voluntary basis EUROCONTROL Centralised Service

14 CS6-7: Conclusions ATM Stakeholders have to set a cyber-security approach that includes the development and deployment of their SOC CS6-7/D-SOC : a solution for ATM Stakeholders who wish to use it on a voluntary basis Need to share (de-identified) cyber data amongst ATM Stakeholders CERT for ATM Stakeholders is needed => EATM-CERT is an opportunity EUROCONTROL Centralised Service

15 Go to: THANK YOU EUROCONTROL Centralised Service