Security analysis and assessment of threats in European signalling systems?

Security analysis and assessment of threats in European signalling systems? New Challenges in Railway Operations
Dr. Thomas Störtkuhl, Dr. Kai Wollenweber, TÜV SÜD Rail
Copenhagen, 20 November 2014
Slide 1

Agenda
1. The challenge: Security for Electric Signalling Systems
2. Security Standards
3. Security Analysis using IEC 62443
4. Steps for Security Inspection or Certification
5. Summary
Slide 2

Day-to-day experience with vulnerabilities
General:
- No or only a minimum of network segmentation
- Assets are not known, no network plan
- No periodic IT security audits
- No security monitoring
- No or weak processes (e.g. security incident handling)
- Employees with no security skills
Application:
- Possibility of attacks (DoS, cross-site scripting, code execution)
- Security is not integrated into the development process
- No security tests, incl. 3rd party software
- Incorrect implementation of cryptographic algorithms
Password:
- Default passwords
- Weak/trivial passwords
- Password in clear text
- Passwords on post-it
- Generic password for user groups
- Root passwords are group passwords for suppliers
Slide 3

Day-to-day experience with vulnerabilities
Use of Engineering Workstations (EWS):
- Any accessible interface in the industrial IT infrastructure is used
- EWS is used in different networks for different customers
- EWS is often used as a standard computer
Remote Access & Maintenance:
- Different solutions of the suppliers are implemented and allowed
- For remote access no DMZ is implemented
- Remote access is always enabled and therefore can be used at any time without control
- Group accounts
- Multi-factor authentication is not used
Slide 4

Day-to-day experience with vulnerabilities
Protocols:
- Unprotected communications
- TLS/SSL: use of weak cipher suites
- Wireless communication without authentication and encryption
- Incorrect implementation of cryptographic algorithms
USB tokens:
- No regulations for the use of USB tokens
- Uncontrolled USB tokens are used by suppliers
- No virus scanning for USB tokens (not to think about BadUSB)
Slide 5

80% of Malware cannot be Detected by Anti-Virus Software
Digitization becomes increasingly complex; entry points for attacks grow exponentially.
Slide 6

Our Industrial IT Security Services
Consulting:
- Security Management & Organisation
- Threat & Risk Analysis
- IT Security Processes (Development, Operation, Maintenance)
- Technical & Process Audits
- Security Handbook
Testing:
- Communication Robustness Testing
- Penetration Testing
Assessment & Certification (DAkkS accredited):
- IT Security Management Systems, Industrial Control Systems & Products
- Process & Product Assessments (Development, Operation, Maintenance)
- Communication Robustness & Penetration Testing Lab
Slide 7

Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 8

Content and Structure of relevant Security Standards & Guidelines
How (processes, security guidelines):
- IEC 62443-4-1, IEC 62443-2-4, IEC 62443-3-2, IEC 62443-2-1
- Best practices, coding standards
- DIN VDE V 0831-104
- EN 50159 (safety communication only, no implementation recommendations)
What (security objectives / requirements):
- IEC 62443-3-3, IEC 62443-4-2
- Implementation standards & guidelines: BSI TR-02102-2 (Cryptography: Recommendations and Key Lengths), FIPS 140-3 (Security Requirements for Cryptographic Modules)
Slide 9

Current status of relevant standards for electric signalling systems
- DIN EN 50159 Railway applications. Communication, signalling and processing systems. Safety-related communication in transmission systems
- DIN VDE V 0831-104 Electric signalling systems for railways. Part 104: IT Security Guideline based on IEC 62443
- DIN VDE V 0831-102 Electric signalling systems for railways. Part 102: Protection profile for technical functions in railway signalling
They all have in common:
- Focus only on safety relevant threats
- Internal attackers are out of scope
Slide 10

IEC 62443: Overview
IEC 62443 Industrial communication networks. Network and system security
General:
- 1-1 Terminology, concepts and models
- 1-2 Master glossary of terms and abbreviations
- 1-3 System security compliance metrics
- 1-4 IACS security lifecycle and use-case
Policies & Procedures:
- 2-1 Requirements for an IACS security management system
- 2-2 Implementation guidance for an IACS security management system
- 2-3 Patch management in the IACS environment
- 2-4 Installation and maintenance requirements for IACS suppliers
System:
- 3-1 Security technologies for IACS
- 3-2 Security levels for zones and conduits
- 3-3 System security requirements and security levels
Component / Product:
- 4-1 Product development requirements
- 4-2 Technical security requirements for IACS components
Annotations on the slide: Basis for DIN VDE V 0831-104; Published Versions / Draft Versions
Slide 11

Threats for an electric Signalling System Slide 12

Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 13

Classical risk analysis approach
Risk model: R = D * F
- R: Risk (per year)
- D: Damage
- F: Frequency of Occurrence
Risk matrix: Damage (Negligible, Marginal, Critical, Catastrophic) against Frequency (Frequent, Probable, Minor, Improbable)
Slide 14

Impact of Cyber Security Risks on classical Risk Management Process
- Probabilities for attacks are not available and are difficult / impossible to calculate
- Threat probabilities and the resulting risks are not quantifiable, only qualifiable
- As a result IEC 62443 and the derived DIN VDE V 0831-104 define the characteristics of an attacker through parameters (skill, means, resources, motivation)
Definition of risk-based Security Levels [IEC 62443-3-3:2013]:
- Security Level 1 (SL1): Prevent the unauthorized disclosure of information via eavesdropping or casual exposure.
- Security Level 2 (SL2): Prevent the unauthorized disclosure of information to an entity actively searching for it using simple means with low resources, generic skills and low motivation.
- Security Level 3 (SL3): Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with moderate resources, IACS specific skills and moderate motivation.
- Security Level 4 (SL4): Prevent the unauthorized disclosure of information to an entity actively searching for it using sophisticated means with extended resources, IACS specific skills and high motivation.
Slide 15

Approach for Cyber Security Risk Management (DIN VDE V 0831-104)
Approach for the cyber security risk management (risk = damage x probability):
- Establishing the context, i.e. scope definition, structure analysis of the target system, defining risk criteria, protection level based on defined attacker characteristics (e.g. security level)
- Risk identification, i.e. identification of all relevant threats with impact on safety
- Risk analysis and evaluation, i.e. estimation of damages & attacker characteristics, risk categorization based on defined risk criteria
- Risk treatment, i.e. deriving relevant countermeasures to withstand the defined characteristics of an attacker
Prerequisites:
- Methodology to estimate the characteristics of an attacker
- Parameters to define characteristics of an attacker
- Threat analysis methodology (e.g. threat modeling, threat catalogue)
Slide 16

Modified Security Risk Matrix
Security Level replaces frequency: SL1 (frequent), SL2 (probable), SL3 (minor), SL4 (improbable)
Damage: Negligible, Marginal, Critical, Catastrophic
Slide 17

Example: Threats to an Electric Signalling System
Threat / Short description:
- Malicious Software (1): Virus, worms, trojans which use vulnerabilities in some software
- Unauthorized access to communication (2): Weak passwords, default passwords used for applications and components, even worse for administration or remote access
- Exploit of vulnerabilities (3): Development process which does not integrate IT security
- Escalation of access rights (4): User and rights management has low maturity level
Each threat is marked (X) on the slide against the foundational requirements it affects: IAC, UC, SI, RDF, TRE.
From IEC 62443-3-3 and DIN VDE V 0831-104:
- IAC: Identification and Authentication Control
- UC: Use Control
- SI: System Integrity
- RDF: Restricted Data Flow
- TRE: Timely Response to Events
Slide 18

Example: Threats to an Electric Signalling System Slide 19

Example: Threats to an Electric Signalling System (coverage by DIN EN 50159 and IEC 62443-3-3)
- Malicious Software (1): Virus, worms, trojans which use vulnerabilities in some software. Covered by IEC 62443-3-3.
- Unauthorized access to communication (2): Weak passwords, default passwords used for applications and components, even worse for administration or remote access. Covered by DIN EN 50159 and IEC 62443-3-3.
- Exploit of vulnerabilities (3): Development process which does not integrate IT security. Covered by IEC 62443-3-3.
- Escalation of access rights (4): User and rights management has low maturity level. Covered by IEC 62443-3-3.
Slide 20

Example: Threats to an Electric Signalling System (requirements from IEC 62443-3-3)
- Malicious Software (1): SR 3.2 Malicious code protection. The control system shall provide the capability to employ protection mechanisms to prevent, detect, report and mitigate the effects of malicious code or unauthorized software. The control system shall provide the capability to update the protection mechanisms. Covered by IEC 62443-3-3.
- Exploit of vulnerabilities (3): SR 3.4 Software and information integrity. The control system shall provide the capability to detect, record, report and protect against unauthorized changes to software and information at rest. Covered by IEC 62443-3-3.
Slide 21

Example: Threats to an Electric Signalling System (requirements from IEC 62443-3-3)
- Escalation of access rights (4):
  SR 2.1 Authorization enforcement. On all interfaces, the control system shall provide the capability to enforce authorizations assigned to all human users for controlling use of the control system to support segregation of duties and least privilege.
  SR 6.2 Continuous monitoring. The control system shall provide the capability to continuously monitor all security mechanism performance using commonly accepted security industry practices and recommendations to detect, characterize and report security breaches in a timely manner.
  Covered by IEC 62443-3-3.
Slide 22
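The attacker-parameter approach of slides 15 to 17 (attacker characteristics stand in for frequency) and the risk treatment step of slides 21 and 22, carried through as an added worked example in Python; this is not code from the slides or from TÜV SÜD. Two assumptions are labelled in the code: the strict matching of attacker profiles in security_level, and the ordinal product D * F used to fill the matrix cells the slides leave unspecified.

```python
"""Added worked example (not from the TÜV SÜD slides): the DIN VDE V 0831-104 risk
approach with attacker characteristics replacing frequency, slides 14 to 17."""
from dataclasses import dataclass
from enum import IntEnum


class Damage(IntEnum):
    """Damage classes of the risk matrix (slides 14 and 17) as ordinal values."""
    NEGLIGIBLE = 1
    MARGINAL = 2
    CRITICAL = 3
    CATASTROPHIC = 4


@dataclass(frozen=True)
class Attacker:
    """Attacker parameters used by the SL definitions of IEC 62443-3-3 (slide 15)."""
    means: str        # "casual", "simple" or "sophisticated"
    resources: str    # "low", "moderate" or "extended"
    skills: str       # "generic" or "iacs"
    motivation: str   # "low", "moderate" or "high"


def security_level(a: Attacker) -> int:
    """Lowest SL whose attacker profile (slide 15) covers this attacker.
    Assumption: a profile stronger than SL2 but short of the full SL3 profile
    is still rated SL2, i.e. the standard's profiles are matched strictly."""
    if a.means == "casual":
        return 1
    sophisticated_iacs = a.means == "sophisticated" and a.skills == "iacs"
    if sophisticated_iacs and a.resources == "extended" and a.motivation == "high":
        return 4
    if sophisticated_iacs and a.resources in ("moderate", "extended") \
            and a.motivation in ("moderate", "high"):
        return 3
    return 2


def risk_score(damage: Damage, minimal_sl: int) -> int:
    """Modified matrix (slide 17): the SL of the weakest attacker able to realise
    a threat stands in for frequency (SL1 ~ frequent ... SL4 ~ improbable).
    Assumption: the matrix cells are filled with the ordinal product D * F,
    mirroring R = D * F from slide 14, so the result ranges from 1 to 16."""
    if minimal_sl not in (1, 2, 3, 4):
        raise ValueError("SL must be 1..4")
    frequency = 5 - minimal_sl
    return int(damage) * frequency


# Requirements of IEC 62443-3-3 quoted on slides 21 and 22 for the example threats;
# the second element is the foundational requirement (FR) each SR belongs to.
THREAT_REQUIREMENTS = {
    "Malicious Software (1)": [("SR 3.2", "SI")],
    "Exploit of vulnerabilities (3)": [("SR 3.4", "SI")],
    "Escalation of access rights (4)": [("SR 2.1", "UC"), ("SR 6.2", "TRE")],
}


def countermeasures(threat: str) -> list:
    """Risk treatment step (slide 16): the SRs the slides assign to a threat."""
    return [sr for sr, _ in THREAT_REQUIREMENTS.get(threat, [])]


if __name__ == "__main__":
    insider = Attacker("sophisticated", "moderate", "iacs", "moderate")
    print(security_level(insider), risk_score(Damage.CATASTROPHIC, security_level(insider)))
```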

Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 23

Identification of Security Requirements on System Level
RAMS lifecycle, IEC 62443-2-4 (quality / processes): System Safety Requirements, Functional / Non-Functional Requirements, Security Requirements
Electric Signalling System: DIN VDE V 0831-104 + Security Features; lifecycle phases Specification, Architecture, Design, Implementation, Verification, Validation
Inputs: IEC 62443-3-3 Foundational Requirements; DIN VDE V 0831-102
Capabilities (Sec. Req. against SL1, SL2, SL3, SL4): 1 Authentication, 2 Confidentiality, 3 Error Handling (each marked at its required SL)
Documentation: Security Manual, Security Guidelines, Report referencing Product Documentation
Slide 24

Agenda The challenge: Security for Electric Signalling Systems Security Standards Security Analysis using IEC 62443 Steps for Security Inspection or Certification Summary Slide 25

Agenda
1. The Challenge: Security for Electric Signalling Systems
2. Security Standards
3. Security Analysis using IEC 62443
4. Steps for Security Inspection or Certification
5. Summary
Slide 26

Benefits of IEC 62443
The benefits of IEC 62443 are:
- Risk based approach
- Process oriented
- Combination with other standards possible
- Defined requirements
- Basis for assessment and certification
- Best Practice approach
Slide 27

Status IEC 62443 Slide 28

Contact
Dr. Thomas Störtkuhl, thomas.stoertkuhl@tuev-sued.de, Phone: +49 89 5791-1930, Fax: +49 89 5791-2933
Dr. Kai Wollenweber, kai.wollenweber@tuev-sued.de, Phone: +49 89 5791-3856, Fax: +49 89 5791-2933
TÜV SÜD Rail GmbH, Barthstr. 16, 80339 Munich, Germany, www.tuev-sued.de/rail
Slide 29