Centralised service 6-7: Ensuring the resilience of centralised services’ cyber-security and sharing cyber intelligence Patrick MANA CS6-7 Project Manager WAC – 08 & 09 March 2016




What is happening out there?

Is ATM attacked today? We don't really know: we are rather blind, due to very limited monitoring/detection means.

Yes … though not always specifically targeted

"Limited" impact

EUROCONTROL Centralised Service 6-7 3

Attacks?

Will ATM be attacked tomorrow? Yes, it will happen for sure … so we have to be ready => monitoring/protection means in place

More open architecture: mix of legacy + new architecture (e.g. SWIM) ... but it may be necessary to isolate some key assets

New attackers

How to protect your operations?

1. Set a policy and its associated framework
2. Identify primary assets ("crown jewels")
3. Define priorities (risk classification)
4. Protect assets according to risk and develop resilience

Don't start with technology ... Think operations => Deploy means to monitor/detect/prevent/protect, including a Security Operations Center

1€ of a cyber-attack => 30 to 40 € to protect your operations

Sharing data, knowledge, cyber-intelligence => CERT, ISAC


EUROCONTROL CS6-7: EUROPEAN ATM CERT AND CS SOC


CS6-7: Two main roles

1. European ATM CERT – ATM Computer Emergency Response Team:
   a. Collects, generates and distributes ATM-relevant cyber intelligence;
   b. Coordinates the pan-European ATM response to ATM-relevant cyber-security events/incidents.

2. Security Operation Centre - SOC

CS-SOC - Security Operation Centre (SOC) for all Centralised Services: monitors and assesses Centralised Services-related cyber-security events and provides recommendations to the relevant CS Contractors.

Delegated ANSP SOC (D-SOC): performs the role of a Security Operation Centre for ANSPs wishing to entrust that role to CS6-7, based on specific bilateral agreements.


CS6-7: European ATM CERT + SOC


[Figure: CS6-7 architecture diagram (European ATM CERT + SOC). Labels recovered from the diagram: a central CS6-7 block containing EATM-CERT, CS SOC and D-SOC, operated with CS6-7 tools; ATM Stakeholder SOCs and ANSP/ACC units exchanging "Qualified Incidents + intelligence" and "Cyber intelligence" with EATM-CERT; Centralised Services (CS, CS NewPENS, EAGDCS, NOC) sending "Events/Logs" from security devices, applications and network security through a SIEM to the CS SOC and receiving "Recommendations/Actions"; Cyber Intelligence Providers, the ATM CI Provider (US & other regions ATM CERT), Thematic CERTs, National CERTs, CERT-EU, ENISA, EUROPOL, NATO/EDA, EACCC, EASA and EA-ISAC connected to EATM-CERT; "Bilateral agreements" and "CS CFT" shown on the connecting links.]

[Figure: CS6-7 roadmap. Labels recovered from the diagram: CS6-7/CS SOC Contract; EATM-CERT; Centralised Services CS1, CS 3, CS4, CS 5, CS6-2, CS6-3, CS6-4, CS6-5, CS6-6, CS7-1, CS7-2, CS7-3, NewPENS and EAGDCS; CS SOC; ANSP1 SOC, ANSP2 SOC, ANSP3 SOC; D-SOC ("Entrusted" ANSP SOC); Other ATM Stakeholder SOCs; service tiers "1st set/core services", "2nd set of Services" and "Advanced" Cyber services; phases "CS6-7 development Phase 1", "CS6-7 Operations" and "Phase 2"; milestones Mid 2016, Mid 2017 and Mid 2019.]

CS6-7 1 - EUROPEAN ATM CERT®


® CERT is registered in the Office for Harmonization in the Internal Market by Carnegie Mellon University.

European ATM CERT

Catalogue of services: Progressive over time & experience (1st set, 2nd set, Advanced)

Initially 8x5 (office hours)

Operated by and at EUROCONTROL HQ (BXL)

Re-using CERT-EU procedures and SW suite

Very good knowledge of European ATM architecture and operations


Service catalogue (markers: (1) 1st set, (2) 2nd set, (A) Advanced; (N) not part of the listed sets)

Reactive Services
Alerts and Warnings (1)
Incident Handling:
  Incident analysis (1)
  Forensic evidence collection (A)
  Tracking or Tracing (A)
  Incident response on site (N)
  Incident response support (1)
  Incident response coordination (1)
Vulnerability Handling:
  Vulnerability analysis (N)
  Vulnerability response (N)
  Vulnerability response coordination (N)
Artifact Handling:
  Artifact analysis (1)
  Artifact response (1)
  Artifact response coordination (1)

Proactive Services
Announcements (1)
Technology Watch (2)
Security Assessments:
  Infrastructure review (N)
  Best practice review (N)
  Scanning (N)
  Penetration testing (2)
Configuration and Maintenance of Security (N)
Development of Security Tools (N)
Intrusion Detection Services (2)
Security-Related Information Dissemination (1)

Other Services
Security Quality Management:
  Risk Analysis (N)
  Business Continuity and Disaster Recovery (N)
  Security Consulting (N)
  Awareness Building (A)
  Education/Training (A)
  Product Evaluation or Certification (N)

European ATM CERT services

1st set of services (core services):
1. Alerts and Warnings;
2. Announcements/security-related information dissemination;
3. Pan-European ATM cyber-security events/incidents response coordination, relying on cyber-security incident analysis and response support; and
4. Artifacts handling, including artifacts analysis, response and response coordination.

Once experience is gained and a significant number of CSs and ATM Stakeholder SOCs are operational, a 2nd set of services will be provided:
5. Intrusion Detection service;
6. Penetration testing;
7. Technology watch.


CS6-7 2 – Security Operations Center (SOC) for CSs


CS SOC Services

CS SOC core services (1st set) are:
1. Monitoring (Tier 1);
2. Analysis (Tier 2);
3. Investigation/Hunting (Tier 3).

Once experience is gained and a significant number of CSs are operational, a 2nd set of services will be provided (after 2 years):
4. Vulnerability management, including vulnerability analysis and scanning, vulnerability response and vulnerability response coordination;
5. Forensic investigation;
6. Security assessments, including infrastructure review, best practice review, penetration testing and mapping.


CS SOC

Call For Tenders status: Tenders submitted, under assessment

Contract expected to be signed Mid-2016

Initial operations: no later than Mid-2017


CS6-7: Conclusions

ATM stakeholders have to set a cyber-security approach that includes the development and deployment of their SOC

EUROCONTROL has initiated such an approach and is deploying its SOCs: CSs, NM, MUAC

Need to share data amongst ATM stakeholders

A CERT for ATM is needed => EATM-CERT (CS6-7) is the solution!
