Cyber security in European ATM

Transcription

1 Cyber security in European ATM EUROCONTROL Patrick MANA Cyber-security Project Manager 06/03/2018

2 Agenda Policy / guidelines / standards, training, support to states, R&D Initiatives: EATM-CERT & Cyber Info sharing CEF Project: SWIM Common PKI with SDM WAC

3 WAC

4 Why doing it? And because no one wants this To become this! 4

5 Cyber-resilience: a change of culture People Procedure Equipment EUROCONTROL 5

6 DISRUPT/DISTURB SERVICE 6

7 RANSOMWARE Should we pay or not? NO Even if we pay, we cannot operate a system that has been hacked/modified that way. Need for: Back-up Configuration management 7

8 Non-ATM systems Power Supply BMS HVAC EUROCONTROL/EATM-CERT 8

9 Resilience so far mainly designed for safety now also for security e.g. I have firewall(s) thus my internal network/machines is/are protected Do you use X.509 digital certificates for SWIM & non-swim, for external and internal exchanges of information? e.g. I have an Anti-Virus thus my internal network/machines is/are protected Is it updated with latest CVE? Can anyhow viruses go through? Yes 9

10 CYBER-SECURITY ESPECIALLY IN AVIATION IS NOT A NATIONAL ONLY ISSUE LET S SHARE CYBER-INFO FOR REAL Lesson learned from Wannacry, Not/Petya, => need for more cross-national sharing/coordination Sharing info, vulnerability, cyber-intel => Need for regional and sectorial CERT, ISAC Reduce our cost to protect ourselves Increase cost on bad guys side Best Practices of many other domains An objective could be: Let s make a type of cyber-attack working max once. Exchange of cyber-info can be achieved with simple existing technology/standards: And TRUST WAC

11 EUROCONTROL CONTRIBUTION WAC

12 ATM Security developments NEASCOG (NATO EUROCONTROL ATM Security Coordinating group) & EUROCONTROL Policy, Guidance: International collaboration (NEASCOG members full ATM spectrum) Threat/risk assessment: ICAO TRWG/cyber Matrixes (CNS) Awareness: seminars/workshops 2 days, in June every year Training: at IANS (RTCE of ICAO) SEC-CYBER, SEC-MS, SEC-LEX/CYBER ICAO GAT; Fundamentals of ATM Security Support to States: ATM cyber security workshops: 2,5 days, on site Guidance: Manual for National ATM Security Oversight v2.0 R&D: S2020, ACARE WG/4 Safety & Security (co-chaired with EASA) Standards: EUROCAE WG-72 (Aeronautical Information Systems Security). ED205 (security accreditation of ground ATM systems) WAC

13 (1) Need for regional sectorial (ATM) CERT: combine cyber and domain expertise EASA (ECCSA) National CERTs National CERTs National CERTs Alerts/Incidents - intelligence EATM-CERT Cyber Intelligence Thematic CERTs Cyber intelligence Cyber Provider intelligence Cyber Provider intelligence Provider ATM CI Provider (US & other Regions ATM CERT) EA-ISAC Alerts/ Incidents Intelligence /services EUROPOL CERT-EU Significant Incidents - intelligence Alerts/other Incidents - intelligence/services EUROCONTROL SOCs ENISA NATO/EDA ATM Stakeholder SOC SOC (1) ATM Stakeholder SOC SOC (1) ATM Stakeholder SOC ATM Stakeholder Logs System Recommendations ATM Manufacturer ATM Manufacturer ATM Manufacturer ATM Stakeholder ATM Stakeholder ATM Stakeholder EUROCONTROL 13

14 Alert/Incident reporting To National CERT (mandatory as per NIS Directive) To EATM-CERT (if national law permits e.g. legal case) Incidents of significant importance To National CERT(not mandatory in NIS Directive and dependent upon National CERT capabilities) To EATM-CERT Other Incidents To EATM-CERT Alerts Mandatory On a voluntary basis WAC

15 enter your presentation title 15

16 CERT & SOC services are complementary services Strategic CERT CERT services: Share info to prevent incidents and coordinates response to incidents Federate multiple systems/services and their SOC(s) Proactive services : analysis of information to generate ATM and Stakeholder relevant information Discover vulnerabilities and propose fix before exploited (design review, pen testing, red teaming, ) Inform about hackers Tactics, Techniques and Procedures to protect systems before being hit Inform about Indicators of Compromises (malware, URL) to protect systems before being hit Reactive services: Support to incident reaction/remediation, coordination amongst various entities being hit Hunting/post analysis in case of incidents Forensic investigation Tactical SOC (Security Operations Centre) SOC services: (H24) monitoring of systems/services activities to detect abnormal situations Analyse abnormal situations detected by SIEM (Security Information and Event Management) tool Filter false positive alerts (e.g. within 45 ) Analyse true alerts/incidents and propose remediation actions (e.g. within 1 or 24 hours) Improvement of abnormal situation detection criteria/threshold ( correlation rules ) using CERT info Update SIEM with info provided by CERT Operational NM, CRCO MUAC ANSPs AOs Decide if CERT or SOC recommendations have to be implemented and implement them Update Security Controls (firewalls, AV, IDS,..) and systems/applications using CERT info Manage cyber incidents with CERT and/or SOC support Post incident analysis with CERT support WAC 2018

17 Security Assessment Results WAC

18 CEF - SWIM Common PKI (PCP Family 5.1.4) WAC

19 Cross-certification (1/2): What collaboration WITHOUT a cross-certification bridge looks like CA 1 CA 5 CA 2 CA 4 CA 3 WAC

20 Cross-certification (2/2): What collaboration WITH a cross-certification bridge looks like Common Bridge (Trust Anchor) CA 1 CA 2 CA 3 CA 4 CA 5 WAC

21 Applied for CEF Funding as part of SDM Led & coordinated by EUROCONTROL ANSPs DFS, DSNA, NAVIAIR, ENAV, NAV P, ROMATSA, SMATSA, BULATSA, Hungaroconrol, HANSA, SloveniaControl, FABCE Ltd, Austrocontrol, ANS Finland, LFV, Belgocontrol, LVNL, LPS SR, PANSA, Oro Navigacija, Others Airlines Air France Lufthansa Ryanair Airport Operators: CPH MAG ADP Military Spanish Air Force French MoD WAC

22 World wide PKI ICAO trust bridge hierarchy The dream WAC

23 World wide PKI - Regional CA's with Crosscertification the reality to start with WAC

24 THANK YOU WAC