Centralised service 6-7: Ensuring the resilience of centralised services cyber-security and sharing cyber intelligence

Transcription

1 Centralised service 6-7: Ensuring the resilience of centralised services cyber-security and sharing cyber intelligence Patrick MANA CS6-7 Project Manager WAC 08 & 09 March 2016

2 enter your presentation title 2

3 What is happening out there? Attacks? Is ATM attacked today? Will ATM be attacked tomorrow? We don t really know: we are rather blind due to very limited monitor/detection means Yes though not always specifically focused Limited impact Yes, it will happen for sure so we have to be ready even => Monitor/protection means in place More open architecture: Mix of legacy + New architecture (e.g. SWIM)... But may be need to isolate some key assets New attackers => EUROCONTROL Centralised Service 6-7 3

4 How to protect your operations? Set a policy and its associated framework Identify primary assets ( crown jewels ) Define priorities (risk classification) Protect assets according to risk and develop resilience Don t start with technology... Think operations => Deploy means to monitor/detect/prevent/protect including Security Operations Center 1 of a cyber-attack => 30 to 40 to protect your operations Sharing data, knowledge, cyber-intelligence : => CERT, ISAC EUROCONTROL Centralised Service 6-7 4

5 EUROCONTROL CS6-7 EUROPEAN ATM CERT AND CS SOC EUROCONTROL Centralised Service 6-7 5

6 CS6-7: Two main roles 1. European ATM CERT ATM Computer Emergency Response Team: 1. Collects, generates and distributes ATM relevant cyber intelligence; 2. Coordinates pan-european ATM response to ATM relevant cyber-security events/incidents. 2. Security Operation Centre - SOC CS-SOC - Security Operation Centre (SOC) for all Centralised Services: monitors, assesses Centralised Services related cyber-security events and provides recommendations to the relevant CS Contractors. Delegated ANSP SOC (D-SOC): perform the role of a Security Operation Centre for ANSPs wishing to entrust such role to CS6-7 based on specific bilateral agreements. EUROCONTROL Centralised Service 6-7 6

7 CS6-7: European ATM CERT + SOC EA-ISAC EUROPOL CERT-EU ENISA NATO/EDA National CERTs EACCC Intelligence Intelligence Qualified Incidents CS SOC CS6-7 EATM-CERT Intelligence SIEM Qualified Incidents DSOC Intelligence Intelligence Thematic CERTs intelligence Provider intelligence Provider intelligence Provider ATM CI Provider (US & other Regions ATM CERT) EASA ATM Stakeholder ATM SOC Stakeholder (1) ATM SOC Stakeholder (1) SOC (1) Qualified Incidents + intelligence ATM Stakeholder SOC intelligence Network Security Incidents NOC NewPENS NOC EAGDCS Intelligence Logs Recommendations CS Sec devices, App CS CS Sec devices, App Sec devices, App CS CFT Events /Logs Recommendations /Actions Bilateral agreements ANSP CS6-7 tools / ANSP CS6-7 tools / ACC ANSP CS6-7 tools / ACC CS6-7 tools ACC ANSP/ACC EUROCONTROL Centralised Service 6-7 7

8 CS6-7/CS SOC Contract CS6-7 development Phase1 CS6-7 Operations Phase2 CS6-7 roadmap 1 st set/core services 2 nd set of Services EATM-CERT CS SOC D-SOC ( Entrusted ANSP SOC) Advanced services ANSP1 SOC ANSP2 SOC ANSP3 SOC Other ATM Stakeholder SOCs CS6-2 CS6-6 CS1 CS7-2 CS7-3 CS4 CS6-3 CS6-5 CS6-4 CS 3, 5 CS7-1 NewPENS EAGDCS Mid 2016 Mid 2017 Mid

9 1 - EUROPEAN ATM CERT CS6-7 CERT is registered in the Office for Harmonization in the Internal Market by Carnegie Mellon University. EUROCONTROL Centralised Service 6-7 9

10 European ATM CERT Catalogue of services: Progressive over time & experience (1 st set, 2 nd set, Advanced) Initially 8x5 (office hours) Operated by and at EUROCONTROL HQ (BXL) Re-using CERT-EU procedures and SW suite Very good knowledge of European ATM architecture and operations Reactive Services Proactive Services Other Services Alerts and Warnings (1) Incident Handling Incident analysis (1) Forensic evidence collection (A) Tracking or Tracing (A) Incident response on site (N) Incident response support (1) Incident response coordination (1) Vulnerability Handling Vulnerability analysis (N) Vulnerability response (N) Vulnerability response coordination (N) Announcements (1) Technology Watch (2) Security Assessments Infrastructure review (N) Best practice review (N) Scanning (N) Penetration testing (2) Configuration and Maintenance of Security (N) Development of Security Tools (N) Intrusion Detection Services (2) Security-Related Information Dissemination (1) Artifact Handling Artifact analysis (1) Artifact response (1) Artifact response coordination (1) Security Quality Management Risk Analysis (N) Business Continuity and Disaster Recovery (N) Security Consulting (N) Awareness Building (A) Education/Training (A) Product Evaluation or Certification (N) EUROCONTROL Centralised Service

11 European ATM CERT services 1 st set of services (core services) : 1. Alerts and Warnings; 2. Announcements/security-related information dissemination; 3. Pan-European ATM cyber-security events/incidents response coordination relying on cybersecurity incident analysis and response support; and 4. Artifacts handling including artifacts analysis, response and response coordination. Once experience is gained and a significant number of CSs and ATM Stakeholders SOCs are operational, a 2 nd set of services will be provided: 5. Intrusion Detection service; 6. Penetration testing; 7. Technology watch. EUROCONTROL Centralised Service

12 2 Security Operations Center (SOC) for CSs CS6-7 EUROCONTROL Centralised Service

13 CS SOC Services CS SOC core services (1 st set) are: 1. Monitoring (Tier1); 2. Analysis (Tier2); 3. Investigation/Hunting (Tier3). Once experience is gained and a significant number of CSs are operational, a 2 nd set of services will be provided (after 2 years): 4. Vulnerability management including; Vulnerability analysis and scanning; Vulnerability response; Vulnerability response coordination; 5. Forensic investigation; 6. Security assessments including: Infrastructure review; Best practice review; Penetration testing; Mapping. EUROCONTROL Centralised Service

14 CS SOC Call For Tenders status: Tenders submitted, under assessment Contract expected to be signed Mid-2016 Initial operations: no later than Mid-2017 EUROCONTROL Centralised Service

15 CS6-7: Conclusions ATM stakeholders have to set a cyber-security approach that includes the development and deployment of their SOC EUROCONTROL has initiated such approach and deploys its SOCs: CSs, NM, MUAC Need to share data amongst ATM stakeholders A CERT for ATM is needed => EATM-CERT (CS6-7) = the solution! EUROCONTROL Centralised Service

16 Go to: THANK YOU EUROCONTROL Centralised Service