FICCI-talk

Manindra Agrawal and Sandeep K. Shukla
Center for Cyber Security of Critical Infrastructure
Indian Institute of Technology Kanpur


Page 2: FICCI-talk

ISIS tries to hack Google, takes down small Indian firm Hackers associated with the terror group ISIS made a boo boo in their grand scheme of bringing down Google and instead hacked a small Indian firm.

IndiaToday.in New Delhi, March 3, 2016 | Posted by Parthshri Arora | UPDATED 20:23 IST


Indian government website hacked by terrorist group al Qaeda Al Qaeda's south Asia chief is Maulana Aasim Umar who has a message for Muslims in India

By: Express Web Desk

New Delhi | Updated: Mar 2, 2016, 11:10

Pakistani hackers deface 24 Chhattisgarh government websites Rashmi Drolia | TNN | Sep 29, 2015, 03.50 PM IST

Page 3: FICCI-talk

Ukraine blackout is a cyberattack milestone Hundreds of thousands of homes were left in the dark in what security experts say was a first for hackers with ill intent.

Israel's Electrical Grid Targeted by 'Severe Cyber-attack'

Energy Minister Steinitz says Israeli electric authority succeeded in mitigating attack by shutting down systems to prevent virus from spreading.

Danna Harman Jan 26, 2016 8:43 PM

read more: http://www.haaretz.com/israel-news/.premium-1.699706


Iranian Cyberattack Infiltrated Control System of New York Dam 12/22/2015 | Thomas Overton

TV5Monde hack: 'Jihadist' cyber attack on French TV station could have Russian link The invasion of the computers was claimed by 'CyberCaliphate' on behalf of Isis


Cyberattack on German Steel Plant Caused Significant Damage: Report

By Eduard Kovacs on December 18, 2014

Turkish banks under cyberattack amid crisis with Russia Hülya Güler – ISTANBUL

Page 5: FICCI-talk

• Davis-Besse Ohio Nuclear Power Plant and Slammer Worm – January 2003
• North-East Power Blackout – August 2003
• CSX Train Signaling System and Sobig Virus – August 2003
• Automobile Plants and the Zotob Worm (Daimler-Chrysler) – August 2005
• Hatch Nuclear Power Plant Shutdown – March 2008
• Stuxnet and Iran Nuclear Enrichment Plant problems – 2009

Page 7: FICCI-talk

Title – Year – Industry Type – Country

German Steel Mill Cyber Attack – 2014 – Metals – Germany
Russian-Based Dragonfly Group Attacks Energy Industry – 2014 – Power and Utilities – United States
Public utility compromised after brute-force hack attack, says Homeland Security – 2014 – Power and Utilities – United States
After 'Godzilla Attack!' U.S. warns about traffic-sign hackers – 2014 – Transportation – United States
U-2 spy plane caused widespread shutdown of U.S. flights: report – 2014 – Transportation – United States
Virus shuts down county highway department network – 2013 – Transportation – United States
Signal problems cause train delay – 2013 – Transportation – United States
Computer Glitch Leads to Shutdown of Nuclear Reactor – 2012 – Power and Utilities – United States

Page 8: FICCI-talk

Figure: Main Causes of Incidents in Industrial Networks

• Software error – 23%
• Malware Attacks – 35%
• SCADA Component Failure – 19%
• Operator Error – 11%
• Other – 12%

Page 9: FICCI-talk

Figure: The rise of mobile banking Trojans (Kaspersky Security Bulletin 2014)

Page 10: FICCI-talk

Assocham Mahindra SSG Report 2015

Page 14: FICCI-talk
Presentation notes: In this segment I want to tell you about market places that have evolved around exploits and vulnerabilities.
Page 16: FICCI-talk

black market

Source: Andy Greenberg (Forbes, 3/23/2012 )

Presentation notes: Now, the 3rd option is to go to the black market. We don't quite know the value of vulns. there, but I list here a few quotes that suggest that prices could be higher than with the other two options.
Page 17: FICCI-talk

Pay-per-install (PPI) services

PPI operation:
1. Own victim's machine
2. Download and install client's code
3. Charge client

Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

Figure: clients (spam bot, keylogger) – PPI service – Victims

Page 18: FICCI-talk

Cost per 1000 machines:
• US – 100-180$
• Asia – 7-8$

Page 19: FICCI-talk

• Hackers
• Terrorists, Criminal Groups
• Hacktivists
• Disgruntled Insiders
• Foreign Governments

Page 22: FICCI-talk

Cybersecurity — Executive Order 13636 On February 12, 2013, President Obama signed Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” The Executive Order is designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. It does this by focusing on three key areas: (1) information sharing, (2) privacy, and (3) the adoption of cybersecurity practices.

Cybersecurity Framework Workshop 2016, National Institute of Standards and Technology, Gaithersburg MD, April 6-7, 2016. Workshop Purpose: The purpose of this workshop is to provide attendees with a broad sampling of Framework use and work products, as well as to gather input to help NIST understand stakeholder awareness and current use of the Framework, the need for an update to the Framework, cybersecurity best practices sharing, and the future governance of the Framework.

Views on the Framework for Improving Critical Infrastructure Cybersecurity: A Notice by the National Institute of Standards and Technology on 12/11/2015

Notice; Request for Information (RFI).

The National Institute of Standards and Technology (NIST) is seeking information on the “Framework for Improving Critical Infrastructure Cybersecurity” (the “Framework”).

Page 23: FICCI-talk

The Government has authorized the 'National Critical Information Infrastructure Protection Centre' (NCIIPC) to take all necessary measures to facilitate safe, secure, and resilient Information Infrastructure for Critical Sectors.

NCIIPC is under the National Technical Research Organization (NTRO).

The Government of India's Inter Departmental Information Security Task Force (ISTF) has set up the Indian Computer Emergency Response Team (CERT-In) to respond to cyber security incidents and take steps to prevent their recurrence.

Page 24: FICCI-talk

• National Nodal Agency to protect NCII.
• Deliver advice to reduce vulnerabilities.
• Identify all CII elements for notification.
• Provide strategic leadership and coherent Government response.
• Coordinate, share, monitor, collect, analyze and forecast threats.
• Develop plans, adopt standards, share best practices and refine procurement processes.
• Evolve protection strategies, policies, vulnerability assessment and auditing methodologies and plans for CII.
• Undertake R&D to create, collaborate and develop technologies for growth of CII protection.
• Develop training programs for CII protection.
• Develop cooperation strategies.
• Issue guidelines, advisories etc. in coordination with CERT-In and other organizations.
• Exchange knowledge and experiences with CERT-In and other organizations.
• NCIIPC may call for information and give directions to CII.

Source: http://workshop.nkn.in/2015/sources/speakers/sessions/NKN_NCIIPC.pdf

Page 25: FICCI-talk

Lack of credible information about the measures that NCIIPC is taking in protecting the country from cyber threats is a cause of concern. NCIIPC’s charter mandates that it should “raise information security awareness among all stakeholders” and it is failing in its duty by its silence. While almost all leading Computer Emergency Response Teams (CERT) are regularly issuing alerts about the vulnerabilities, it is annoying to find that even the website of its Indian counterpart (CERT-In) is not accessible most of the time.

Rajabahadur V. Arcot, Independent Industry Analyst / columnist and Automation Consultant

Saikat Dutta, Defending India's Critical Information Infrastructure: The Development and Role of NCIIPC, Internet Democracy Project, 2015. Available at https://internetdemocracy.in/wp-content/uploads/2016/03/Saikat-Datta-Internet-Democracy-Project-Defending-Indias-CII.pdf

Page 26: FICCI-talk

Roles and responsibilities of each of the parties need to be clearly defined.

At the same time, governments need to establish the appropriate policy and legal structures.

Nations, such as the United States, have advocated for a market-based, voluntary approach to industry cybersecurity as part of the National Strategy to Secure Cyberspace.

But this has not worked entirely, because security investments made by industry, as per their corporate needs, are not found to be commensurate with the broader national interest. How will the additional private investments be generated? Is there a case for government incentives, as part of an incentive program to bridge the gap between those security investments already made and those additional ones that are needed to secure critical infrastructure?

Several security surveys point to this need. They reveal a lack of adequate knowledge among executives about security policy and incidents, the latest technological solutions, data leakage, financial loss, and the training that is needed for their employees.

Ack: From DSCI Website

Page 27: FICCI-talk

NASSCOM envisages the Indian IT-BPM industry to achieve a size of USD 350-400 billion by 2025; the country can aspire to build a cyber security product and services industry of USD 35-40 billion by 2025. Currently, Indian industry revenue from security is estimated to be around 1% (USD 1.5 billion) of overall IT-BPM industry revenue (USD 146 billion); by 2025, India can aspire to scale it to 10%.

Ack: From DSCI Website

Page 28: FICCI-talk

One million certified skilled cyber security professionals by 2025

1. Develop cyber security as a national mainstream cadre. Mandate, through SSC, global best practices and certifications:
• 200 universities/colleges to run both dedicated stream and commercial research
• 200 vocational training providers
• 5 regional security hubs integrated with industry

Select 100 Cyber security "Drone" acharyas and establish 10 COEs to create a pool of expert Cyber security trainers

Govt. declares cyber security as a strategic sector on par with space, atomic energy and defence, and makes investments for capability and capacity building

Attract the best talent for Cyber security via widespread advocacy, early introduction in schools and talent search through hackathon and reality shows

Mandate Cyber security health index of essential public services, critical infrastructure and public companies

Embed Cyber security in the academic curriculum across all levels for creating cyber aware citizens

Ack: From DSCI Website

Page 29: FICCI-talk

What must a hacker be trying to do?

What must a defender be doing?

Need to be Schizoid

Page 36: FICCI-talk

Layers/Research

Research areas (table columns): Analytical Methods; Simulation/Co-Simulation; Laboratory Emulation; Cryptography Theory and Engineering; Software and System Security; Program Analysis; Machine Learning and Data Analytics; Network Security

System layers (table rows); each X marks one research area applicable to that layer:

Physical Dynamics of the System – X X X X
The Electro-Mechanical Equipment/sensors/actuators – X X X
Industrial Automation and control – X X X X X
Firmware – X X X
Electronics/Hardware – X X X
Networking – X X X X X X X
Middleware and System Software – X X X X X X X
Application Software – X X X X X X
Cloud Layer – X X X X X

Page 38: FICCI-talk

Analytical Methods
• Formal Methods based Dynamic Signature Extraction of SCADA Components to Counter Code Replacement Attacks
• Developing Game Theoretic Models for Cyber Security

Simulation/Co-Simulation and Laboratory Emulation
• Analysis of CPS Threat Models and Discovery of Counter Measures
• Discovery and Remediation of Smart Grid Cyber Security
• Experimenting with SCADA Security Architecture

Faculty: Sandeep Shukla, S. C. Srivastava, Abhijeet Mahapatra, Indranil Saha, Sunil Simon, Piyush Kurur

Page 39: FICCI-talk

Cryptography Theory and Engineering
• Cryptographic protocols, Cryptanalysis
• Side Channel Attacks, and Counter Measures
• Number Theory, Algorithms, and Analysis

Software and System Security
• Automated Protocol Reverse Engineering for Various Protocols and Counter Measures
• Cloud Security, Hypervisor Security, Separation Kernel Methods
• Perimeter Defense and Penetration Testing

Faculty: Manindra Agrawal, Nitin Saxena, Piyush Kurur, Sandeep Shukla, Indranil Saha

Page 40: FICCI-talk

Program Analysis
• Static Analysis Based Techniques to Discover Software Vulnerabilities for Software Components
• Analysis of Vulnerabilities in Hardware Components such as in PLCs, and IEDs
• Application of Machine Learning techniques for Discrimination of Physical Dynamics under Cyber Attacks

Network Security
• Intrusion Detection in Control Network using Automated Event Correlation

Faculty: Subhajit Roy, Amey Karkare, Indranil Saha, Sunil Simon, Sandeep Shukla, Arnab Bhattacharya, Piyush Rai, Sumit Ganguly, B. M. Shukla

Page 41: FICCI-talk

Education & Outreach
• Engineering Educational Research on replicating similar SCADA Lab at other Institutes in India
• Short Term Courses for Executives and Engineers, Summer Courses, Workshops, and Public Awareness & Education

Page 42: FICCI-talk

The eventual goal is to build a Center of Excellence for Cyber-Security of Critical Infrastructures at IIT Kanpur

Create an interdisciplinary research program in Cyber-Security of Critical Infrastructures at IITK

Create Manpower in the field of Cyber Security at all levels (PhD, M.Tech, B.Tech, and even training programs for executives, engineers etc. in the CII Sector)

Make IITK the main center for Cyber Security of CII in India

Create collaborative links with a few International centers for Cyber Security (In talks with Blavatnik Interdisciplinary Center for Cyber Security at Tel Aviv University)

Page 43: FICCI-talk

Awareness – anyone who uses any technology – smart phone, net banking, ATM, internet, social networks – must be trained to defend their digital assets

Integrate Cyber Security into Engineering courses

Integrate Cyber Security Ethics into High School and College Courses

Train the police, military, civil servants, and ministers on cyber security challenges, and how to protect

Page 44: FICCI-talk

Certification courses for creating cyber security foot soldiers: 6-month to 2-year-long immersive training courses

Certification courses for creating cyber security strategists and technologists: 1 year to 3 years

Creating specialized Masters level courses for cyber security engineers, technologists, and policy makers

Creating teachers for training institutes who actually would know their stuff

Page 45: FICCI-talk

Securing distributed information infrastructures from inside attackers

Detection of on-going attacks in a power grid by anomaly detection in PMU data

Building India specific malware repository and trend analysis tools

Page 46: FICCI-talk

• I tried to scare you – probably not enough
• We really need to consider cyber security on a war-time footing
• We need to take action – NOW! We cannot wait and see – as we are almost a decade behind most developed countries – surely Israel and the US, and possibly China
• We need ACTION and NOW! Talking about it is not enough!!!

Page 47: FICCI-talk

Thank you and be Cyber Safe