Centralised service 6-7: Ensuring the resilience of centralised services’ cyber-security and sharing cyber intelligence
Patrick MANA CS6-7 Project Manager
WAC – 08 & 09 March 2016
What is happening out there?
Is ATM attacked today? We don't really know: we are rather blind due to very limited monitoring/detection means.
Yes … though not always specifically focused.
"Limited" impact.
EUROCONTROL Centralised Service 6-7 3
Attacks?
=> Will ATM be attacked tomorrow? Yes, it will happen for sure … so we have to be ready => monitoring/protection means in place.
More open architecture: mix of legacy + new architecture (e.g. SWIM) … but some key assets may need to be isolated.
New attackers.
How to protect your operations?
Set a policy and its associated framework.
Identify primary assets ("crown jewels").
Define priorities (risk classification).
Protect assets according to risk and develop resilience.
Don't start with technology … think operations.
=> Deploy means to monitor/detect/prevent/protect, including a Security Operations Center.
1 € of a cyber-attack => 30 to 40 € to protect your operations.
Sharing data, knowledge, cyber-intelligence => CERT, ISAC.
CS6-7: Two main roles
1. European ATM CERT – ATM Computer Emergency Response Team:
   1. Collects, generates and distributes ATM-relevant cyber intelligence;
   2. Coordinates the pan-European ATM response to ATM-relevant cyber-security events/incidents.
2. Security Operation Centre - SOC:
   CS-SOC - Security Operation Centre (SOC) for all Centralised Services: monitors and assesses cyber-security events related to the Centralised Services and provides recommendations to the relevant CS Contractors.
   Delegated ANSP SOC (D-SOC): performs the role of a Security Operation Centre for ANSPs wishing to entrust such a role to CS6-7, based on specific bilateral agreements.
CS6-7: European ATM CERT + SOC
[Diagram: CS6-7 (EATM-CERT, CS SOC, D-SOC with CS6-7 tools) exchanging events/logs, qualified incidents, cyber intelligence and recommendations/actions with ATM stakeholder SOCs, ANSP/ACC SOCs (SIEM, security devices, applications), CS contractors (NewPENS, EAGDCS NOCs), CERT-EU, EUROPOL, ENISA, NATO/EDA, EACCC, EASA, national and thematic CERTs, EA-ISAC, and cyber intelligence providers (US and other regions' ATM CERTs); bilateral agreements with CS CFT.]
CS6-7 roadmap
[Roadmap chart: CS6-7 development Phase 1 (contract, EATM-CERT, CS SOC) leading to CS6-7 Operations from Mid 2016; 1st set/core services from Mid 2017; 2nd set of services and "Advanced" cyber services in Phase 2 by Mid 2019. Onboarding over time: CS6-2, CS6-6, CS1, CS7-2, CS7-3, CS4, CS6-3, CS6-4, CS7-1, CS6-5, CS 3, 5, NewPENS, EAGDCS; ANSP1/ANSP2/ANSP3 SOCs as D-SOC ("Entrusted" ANSP SOC); other ATM stakeholder SOCs.]
CS6-7 (1) - EUROPEAN ATM CERT®
®CERT is registered in the Office for Harmonization in the Internal Market by Carnegie Mellon University.
European ATM CERT
Catalogue of services: progressive over time & experience (1st set, 2nd set, Advanced).
Initially 8x5 (office hours).
Operated by and at EUROCONTROL HQ (BXL).
Re-using CERT-EU procedures and SW suite.
Very good knowledge of European ATM architecture and operations.
Service catalogue (markers as in the original: (1) 1st set / core services, (2) 2nd set, (A) advanced, (N) as marked)

Reactive Services:
  Alerts and Warnings (1)
  Incident Handling: Incident analysis (1); Forensic evidence collection (A); Tracking or Tracing (A); Incident response on site (N); Incident response support (1); Incident response coordination (1)
  Vulnerability Handling: Vulnerability analysis (N); Vulnerability response (N); Vulnerability response coordination (N)
  Artifact Handling: Artifact analysis (1); Artifact response (1); Artifact response coordination (1)

Proactive Services:
  Announcements (1)
  Technology Watch (2)
  Security Assessments: Infrastructure review (N); Best practice review (N); Scanning (N); Penetration testing (2)
  Configuration and Maintenance of Security (N)
  Development of Security Tools (N)
  Intrusion Detection Services (2)
  Security-Related Information Dissemination (1)

Other Services:
  Security Quality Management: Risk Analysis (N); Business Continuity and Disaster Recovery (N); Security Consulting (N); Awareness Building (A); Education/Training (A); Product Evaluation or Certification (N)
European ATM CERT services
1st set of services (core services):
1. Alerts and Warnings;
2. Announcements/security-related information dissemination;
3. Pan-European ATM cyber-security events/incidents response coordination, relying on cyber-security incident analysis and response support; and
4. Artifacts handling, including artifacts analysis, response and response coordination.
Once experience is gained and a significant number of CSs and ATM Stakeholder SOCs are operational, a 2nd set of services will be provided:
5. Intrusion Detection service;
6. Penetration testing;
7. Technology watch.
CS SOC Services
CS SOC core services (1st set) are:
1. Monitoring (Tier 1);
2. Analysis (Tier 2);
3. Investigation/Hunting (Tier 3).
Once experience is gained and a significant number of CSs are operational, a 2nd set of services will be provided (after 2 years):
4. Vulnerability management, including: vulnerability analysis and scanning; vulnerability response; vulnerability response coordination;
5. Forensic investigation;
6. Security assessments, including: infrastructure review; best practice review; penetration testing; mapping.
CS SOC
Call For Tenders status: Tenders submitted, under assessment
Contract expected to be signed Mid-2016
Initial operations: no later than Mid-2017
CS6-7: Conclusions
ATM stakeholders have to set a cyber-security approach that includes the development and deployment of their SOC.
EUROCONTROL has initiated such an approach and deploys its SOCs: CSs, NM, MUAC.
Need to share data amongst ATM stakeholders.
A CERT for ATM is needed => EATM-CERT (CS6-7) = the solution!
THANK YOU
Go to: http://www.eurocontrol.int/services/cs6-7-management-common-network-resources-serviceoperation-and-coordination-network