Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Transcription

1 Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security Michael John SmartSec 2016, Amsterdam

2 European Network for Cyber Security The European Network for Cyber Security (ENCS) is a non-profit organization that brings together critical infrastructure stakeholders and security experts to deploy secure European critical energy grids and infrastructure. 2

3 Changing threat landscape of the energy sector

4 Threat Level Developments Cyber Meter Fraud Bad Architectures & Bad Protocols Ukraine Incident PLC Malware New World of Threats in Energy Sector Targeted IT Malware for Energy Sector was somewhat expected? More targeted malware for Control Systems 4

5 Threat Landscape: More, More, More More Standards More Interconnectivity More Targeted Attacks More Active Threat Actors More Automated Attacks/ Artificial Intelligence More Computing Power* and Better Tools (Quantum Computing*) 5

6 Attack Vector Shift Attacks will be more Energy Network specific and more complex over time. Social Engine ering Client Side Attacks Insider Attacks IT to OT Comprom isation 3 rd Party Remote Access Supply Chain Attacks Field Maintenance Exploit OT Malware Inter System Attacks Field to Central System Attacks 6

7 Methodology for assessing security

8 Security Evaluation in the System Development Lifecycle Analyze & Plan Maintain Architecture Design Acceptance / Migration Develop / Procure Implement / Integrate 8

9 Security Evaluation in the System Development Lifecycle (contd.) Analyze & Plan Architecture Design Develop / Procure Implement / Integrate Acceptance / Migration Maintain Perform Risk Analysis Define Security Architecture and derive Security Requirements Mandate Security Requirement: Specification / Procurement Supervision Documentation (e.g. on residual risks) Security Lifecycle Management cont. Architecture & Design Review Implementation Review, Perform Functional Test & Robustness Test Penetration Testing of Systems or Components Pen Test of existing System, Functional & Robustness of new releases 9

10 Defining Security Requirements & Security Levels Minimum Requirements Awarding Criteria Recommended Assurance Explanation A mandatory requirement that is a compulsory function that an entity, device, or module must perform. Criteria is weighted and scored during the evaluation, but do not lead to direct exclusion of a solution. Section provides guidance for quality control, describing how the implementation of the requirement shall be security tested An additional explanation and guidance on the requirements is provided, if this is necessary. References: Distribution Automation / ENEXIS Case Study Electric Vehicle Charging with ElaadNL Smart Metering Security Requirements with Oesterreichs Energie or ENCS members in Europe 10

11 Requirement Categories Requirement Domains clustered into areas: Future-Proof Design Cryptographic Algorithms and Protocols Communication Security System Hardening Resilience Support for Secure Operation Access Control Logging Product Lifecycle and Governance Effective Requirements require: a Risk Analysis of the system as input a defined Security Architecture to be technology-agnostic to contain only the factors relevant to security to focus on Architecture, Component and Interface View 11

12 Design Verification Assurance of good security design, provides early indication that requirements WILL BE correctly implemented Different categories, such as Architecture Review, Protocol Review, Requirements Review, at later stage also Code Reviews or Hardware Design Reviews Architectures Specification, Design, Requirements Source Codes 12

13 Functional Testing Structural test cases that validate functional security requirements are met in the implementation. Verification that requirements HAVE BEEN correctly implemented Architecture dependent, thus a Security Architecture & Design is required Note: Embrace End-to-End Security - Security at the endpoint of the communication! Allows to quantify and compare system quality when multiple solutions are considered On different levels: Component Device Zone / Interface Architectural Level Mapping between Requirements and Test Cases Requirement ID n Test ID n.1 Test ID n.2 Test ID n Test ID n.m 13

14 Example: Smart Metering Excerpt, aggregated results. Percentage of systems that failed to meet the requirement, over 25 systems analyzed. 14

15 Robustness Testing Validates the stability and reliability of an implementation Verification that requirements HAVE BEEN correctly implemented Design weaknesses such as missing functional separation can increase impact Tests are related to interface (also internally) of a system Search for memory corruption that can possibility be used for remote code execution (but will not give exploits) 15

16 Penetration Testing Time boxed activity with prior scope definition. Normally more free format. Different types of pen tests exsists, from Network Scanning, System-wide tests, hardware tests, More efficient with more information available (gray vs. black box), security design, results from previous test activities Usefull for demonstraton & awareness as eploits can be developed in full Findings Saturation of findings Time 16

17 Assessing Maturity Levels through Testing Analyze & Plan Architecture Design Develop / Procure Implement / Integrate Acceptance / Migration Maintain Review & Validation Functional & Robustness Testing Penetration Testing Retest Processes Secure Design & Architecture Secure Implementation Secure Configuration Secure Lifecycle 5 Maturity Level Test Finding Indicators Required Steps Design, Implementation, Hardened Configurations and Processes Only few findings which can be swiftly corrected. Continues monitoring 4 Design, Implementation, Hardened Configuration Regression faults (!) Optimize processes for maintaining security 3 Design and Implementation Configuration / provisioning faults Revise processes & policies 2 1 Security Design & Architecture Only Pen Testing performed late in Product Lifecycle Implementation inherent faults with high impact, long rework required Multitude of security issues discovered due to absence of security Enforce requirements in system specification or in procurement Build Awareness & Education 17

18 Training your team

19 Develop Security Capacity Secure Architectures Know-How Understanding of secure architectures concepts, such as segmentation, in networks and devices Security reference architectures for smart metering, electric vehicles, and substation automation Security requirements understanding Intrusion detection capability Prepare for dealing with large numbers of alerts from intrusion detection systems Distinguishing between real attacks and false alarms Finding the source of an attack Incident response capability Steps in responding to a possible cyber incident Analyzing what really happened during an incident Containing attacks and recovering from them 19

20 Security Labs and Training Facilities Build capabilities to train personnel on cyber security in your organization Various reach of training activities: Online Courses Theory sessions Hands-On Sessions Cyber Exercises Security Certifications C-Level trainings Build also capabilities to: verify reported vulnerabilities replicate equipment / systems in field in lab environment 20

21 Collaboration and Resource Sharing Collaboration is key Collaboration between utilities Collaboration with academic and research institutions Start sharing information on threats with other DSOs Increase information sharing about security incidents Cross-functional training for professionals Provide security knowledge to the operations team Provide operational knowledge to the security team Establish training programs IT / OT integration becoming a integration of mindsets 21

22 Thank you Michael John Director Consulting Services