Cybersecurity Dimension of Critical Infrastructure

Transcription

1 Cybersecurity Dimension of Critical Infrastructure Views expressed in this presentation are the authors and do not represent the official view of any institution he is affiliated with. ESReDA 52 Seminar, Kaunas 30 May 2017 Vytautas Butrimas NATO ENSEC CoE Member, NCRA of Lithuania

2 What is wrong with this headline? The Largest Cyber Attack In History has been hitting Hong Kong sites - Parmy Olson, Forbes 2014

3 Why? Because when C.I. fails, you life stops.

4 What s happening? IT is coming to ICS/OT Was manually controlled, now digital & remotely controlled Provided wonderful features and efficiencies for the operator Supports modern world but introduced complexity & vulnerabilities And: Cyber defense was not included as a requirement in ICS design 1971 Today

5 IT introduced new vulnerabilities in ICS / OT world Unintentional / intentional cyber incidents A nuclear power plant was recently forced into an emergency shutdown for forty-eight hours after a software update was installed on a single computer.

6 Information technology vs Industrial control systems Significant differences in security priorities If not understood, you will make bad policy! IT security is CIA ICS security is (Safety)AIC

7 Industrial control systems (ICS) space If ICS device is affected physical harm / damage is likely. Denial of Service means: No electricity, no gas. IT: the operation is securing the data ICS: the operation is securing the operation

8 What is an ICS operator s worst nightmare? Loss of View and Loss of Control

9 Is this cybersecurity concern getting across? NO

10 Does government understand how vulnerable their critical infrastructure is and how it can be targeted? Not really the draft cybersecurity requirements state that they are intended to address critical information infrastructure (including industrial control systems), however your draft requirements do not address industrial control systems - Response from 1 entity in the energy sector to Govt. draft regulations

11 Bad news for us: malicious cyber activities of states? Iranian nuclear and oil facilities (STUXNET 2010) Saudi Aramco DOC attack 2012/2013 Belgacom compromised Sandworm Team / Black Energy 2014 BSI reports cyber-attack on German steel mill 2015 TV5Monde 2015/2016 Cyber attack on control systems of Ukraine s pwr grid 2017 WannaCry as latest wake-up-call

12 Bad news: Malicious Cyber Activities of States -2 Case Study: STUXNET 2010 Cyber weapon used by a state against the CI of another. Caused a loss of view and loss of control Disabled safety systems, sent false data to operators Most targets are in Europe and N. America Hi-tech, cheap (10 mln. USD), effective, and deniable

13 Bad news about states - 3: Cyber attack on UKR. regional grid 2015 Cyber intrusions over 6 mo. at 3 regional EPD companies Over 30 substations disabled affecting ¼ mln. Malware loaded on Serial-to-Ethernet comm. devices Control workstation s erased at end of the cyber-attack Operators lost SCADA (loss of view and control)

14 Have we recognized and addressed the threats adequately?

15 Oh, oh a problem: What to do if it is the work of a STATE? But as soon as we find out that it s state-sponsored, or there may be state actors involved, we back away from that. - Interpol digital crime centre director Sanjay Virmani, 2015

16 Still not convinced of the danger? Commander #1: We ve analyzed their attack, sir, and there is a danger. Should I have your ship standing by? Gov. Tarkin: Evacuate? In our moment of triumph? I think you overestimate their chances. Quote from the film Star Wars IV

17 Parts of CI are visible on the Internet: Project Shine Targets are mostly in Europe and N.A.!

18 Project Shine implications (One Iceland tomato farm) 1159 devices visible

19 What the future looks like: More convergence, more vuln. Caveat emptor IIoT and DA improve efficiency, reduce downtime and save money Industry 4.0 integrating manufacturing plant w/ business functions Autonomous control and self configuration Getting a lot of support from Govt. and Industry Not much talk about new vulnerabilities and cybersecurity!!!!

20 Ok, now what can we do about it?

21 Need to address training/knowledge gap ISA 99 / IEC IT IT Cybersecurity Control system OT ISO Too few Control system (OT) Cybersecurity specialists

22 Guides and lessons-learned are available Buyer needs to ask the manufacturer about cybersecurity Standards and training are available IT, OT and Design Engineers need to play as a TEAM!

23 Work globally to keep cyber peace in the new military domain. 1. Nations agree in peacetime to keep out of each other C.I 2. Acceptance of responsibility for their cyberspace 3. Creation of a monitoring and reporting agency

24 Thank you, do you have any questions? Thanks to R. Radvanovsky and J. Brodsky for useful suggestions and comments. Vytautas Butrimas NATO ENSEC CoE Vytautas. enseccoe. org vbutrim Blog contributor:

25 Extra slides 25

26 Should cybersecurity be a priority for protecting CI? In 2006 terrorists at Abqaiq were met with deadly force at the gate In 2015 the C3 systems of this power grid were compromised from cyberspace putting ¼ mln. in darkness.