www.thalesgroup.com OPEN
Maturity assessment on Cybersecurity for critical infrastructures
28TH SEPTEMBER 2015, AMSTERDAM
DR THIEYACINE FALL
OPEN: This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
Agenda
▌Cyber-Security Today (Maturity assessment)
▌Compliance Legislation
▌ICS Security Architecture (Working Group)
▌Protection Profiles
▌EU approach towards product compliance & Certification
▌Conclusion/Next Drivers
▌References
Cyber-Security Today (Maturity assessment)
Anticipate threats
▌ Perform risk assessment and/or vulnerability assessment
▌ Define risk governance and security policy
▌ Transform security requirements into implementable technical, procedural and organisational measures
▌ Build a secure software Development life cycle
Manage security incidents
▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools
▌ React to incidents to maintain business continuity or reduce impacts
▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack
Comply with security policy and legal constraints
▌ Measure and reduce discrepancies between security policy and implementation
▌ Comply with legal and industry regulations
▌ Comply with best practices recommendations (ISO, NIST, …)
▌ Perform audits and penetration testing to evaluate the level of security
Cyber Security project approach (Maturity assessment)
Security Documentation
IEC 62443 1-4 (Not started)
Critical Infrastructure sectors according to the EU/Critical systems
Critical Infrastructure Sectors (EU)
▌ Transport
▌ Energy
▌ Nuclear Industry
▌ Water
▌ Chemical Industry
▌ Food
▌ Health
▌ Financial
▌ ICT
▌ Space
▌ Research Facilities
Detailed Critical Infrastructure Sectors (EU)
▌ Road transport
▌ Rail transport
▌ Air transport
▌ Inland waterways transport
▌ Ocean and short-sea shipping and ports
▌ Electricity
▌ Oil
▌ Gas
Critical automated control systems
▌ Airport (site)
▌ Railway/Metro station
▌ Oil & gas
▌ Electricity
▌ Maritime shipping industry
Critical systems
▌ Rail signaling & Railway/Metro traffic management systems
▌ Avionics (Flight, Ground)
▌ Air Traffic management systems (Single European Sky …)
▌ Urban protection systems
▌ Automotive industry (Next generation vehicles, unmanned vehicles)
Rail signaling & Railway/Metro traffic management systems
Anticipate threats
▌ Perform risk assessment and/or vulnerability assessment
▌ Define risk governance and security policy
▌ Transform security requirements into implementable technical, procedural and organizational measures
▌ Build a secure software Development life cycle
Manage security incidents
▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools
▌ React to incidents to maintain business continuity or reduce impacts
▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack
Comply with security policy and legal constraints
▌ Measure and reduce discrepancies between security policy and implementation
▌ Comply with legal and industry regulations
▌ Comply with best practices recommendations (ISO, NIST, …)
▌ Perform audits and penetration testing to evaluate the level of security
Incomplete
Planned
Performed
Systematic security requirements for new projects (in particular ERTMS)
Still proprietary systems (Interlocking). SIL Levels improve security posture
Issues for operational security
Air Traffic management systems (Single European Sky …)
Anticipate threats
▌ Perform risk assessment and/or vulnerability assessment
▌ Define risk governance and security policy
▌ Transform security requirements into implementable technical, procedural and organizational measures
▌ Build a secure software Development life cycle
Manage security incidents
▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools
▌ React to incidents to maintain business continuity or reduce impacts
▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack
Comply with security policy and legal constraints
▌ Measure and reduce discrepancies between security policy and implementation
▌ Comply with legal and industry regulations
▌ Comply with best practices recommendations (ISO, NIST, …)
▌ Perform audits and penetration testing to evaluate the level of security
Incomplete
Planned
Performed
Systematic security requirements for new projects (in particular Single European Sky)
Large IT footprint for new generation of software (Interoperability)
Emerging issues
▌Lack of holistic view
▌Cross sector dependencies
▌Heterogeneous solutions for automated control systems (Asset inventory difficult)
▌Product certification
▌System accreditation
Compliance/Legislation
▌ U.S.
Executive order: 13636
Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014
Voluntary program (cooperation with the private sector), NERC CIP
▌ U.K.
Collaborative approach through CPNI (14 sectors),
Security for Industrial Control System Framework
▌ E.U.
Collaborative approach through ENISA
Security for Industrial Control System (Certification/Compliance approach)
▌ Germany
Strict cyber-security law to protect ‘critical infrastructure’ (July 2015), 7 sectors
Over 2,000 essential service providers will have to implement new minimum information security standards within two years
▌ France
Generic Ministerial order (March 2015)
Ministerial order per critical sector area (2015-2016)
French Regulation LPM: Loi de Programmation Militaire 2014-2019
▌ Concerns critical infrastructure operators
12 strategic areas for the country
Defense, energy, transportation, water treatment, critical industries...
Around 250 enterprises
▌ Key measures
Incident security notification/operations
- Obligation for critical operators to notify significant incidents occurring on their critical IS
- Mandatory implementation of a SOC, outsourced or internalized, qualified by the ANSSI and operated from the national territory
Submission to controls
- Obligation to submit their IS to controls by the ANSSI or by any providers qualified by the ANSSI
Possible judiciary prosecution
LPM: Ministerial order (March 2015)
▌ Apply a set of rules as defined by Ministerial order
Application of a classification method and key measures (ANSSI) for Industrial Control Systems
▌ A particular rule
Implementation of a qualified detection system for security events
Emergence of a sovereign probe for an intrusion detection system
▌ In the event of major crises, measures may be imposed
The Prime Minister (ANSSI) may impose measures such as disconnection of the internet
▌ Ministerial order per strategic area (2015-2016)
Ministerial order March 2015
Industrial Architecture
Industrial System Functionality:
- Functionality 1: Minimal system
- Functionality 2: Complex system
- Functionality 3: Very complex system
Industrial System Exposure
- CIM 0: Non communicating sensors and actuators
- CIM 1: PLC and analysers
- CIM 2: SCADA
- CIM 3: Manufacturing Execution System (MES)
- CIM 4: Enterprise Resource Planning (ERP)
CIM = Computer Integrated Manufacturing
Industrial System Connectivity:
- Connectivity 1: Isolated ICS
- Connectivity 2: ICS connected to an MIS
- Connectivity 3: ICS using wireless technology
- Connectivity 4: Distributed ICS with private infrastructure or permitting operations from outside
- Connectivity 5: Distributed infrastructure with public infrastructure
Classification Method
▌ Class 1
ICS for which the risk or impact of an attack is low. The measures recommended correspond to rules provided by a Hygienic guide (ANSSI, SANS/CPNI)
▌ Class 2
ICS for which the risk or impact of an attack is significant. The responsible entity must be able to provide evidence that adequate measures have been implemented
▌ Class 3
ICS for which the risk or impact of an attack is critical. The conformity is verified by the state authority or an accredited body
Use cases
▌ Water supply plant
The plant under consideration is a remotely managed ICS handling the water supply of an urban area with 500,000 inhabitants. The ICS is geographically distributed over several sites (reservoirs, booster stations, pumps). Remote sites communicate with the central site via PSTN lines or GPRS connections. The ICS is composed of numerous remote management devices (RTU) and supervision work stations (SCADA). Technicians can connect to the system from their remote location if problems occur.
Class 2
▌ Manufacturing industry
The site under study is a household appliance assembly line for a company essentially doing business on a national level. The ICS is limited to a single site. It includes an MES and permanently-connected engineering stations. Technicians and operators use tablets and wireless scanners to scan bar codes.
Class 1
Use cases
▌ Continuous process industry
The ICS under study is a production plant for toxic chemicals. The site is covered by the Seveso Directive. The ICS has centralised historians, engineering stations or programming consoles that are permanently connected. The industrial networks are connected to the site’s MIS. Wireless networks are not yet deployed on the industrial perimeter.
Class 2 or Class 3
▌ Railway switch automation
In a railway transport network, a computerised railway switch control system allows management of track assignments and remote control of switches and signalling devices.
Class 3
▌ Detailed measures
Technical
Organisational
Industrial Architecture – Measures
Solution Example Class 3: interconnection between ICS zone and Office area
40 Essential measures for a healthy network
- KNOW THE INFORMATION SYSTEM AND ITS USERS
- CONTROL THE NETWORK
- UPGRADE SOFTWARE
- AUTHENTICATE THE USER
- SECURE COMPUTER TERMINALS
- SECURE THE INSIDE OF THE NETWORK
- PROTECT THE INTERNAL NETWORK FROM THE INTERNET
- MONITOR SYSTEMS
- SECURE NETWORK ADMINISTRATION
- CONTROL ACCESS TO THE PREMISES AND PHYSICAL SECURITY
- ORGANISE RESPONSE IN THE EVENT OF AN INCIDENT
- RAISE AWARENESS
- CARRY OUT A SECURITY AUDIT
Protection Profiles
▌ Switch
▌ PLC
Short term (Critical assets of the environment)
- Control-command of the industrial process
- Engineering workstation flows
Mid-term (Critical assets of the environment)
- Control-command of the industrial process
- Engineering workstation flows
- Data exchanges between the ToE and the supervision
- Data exchanges between the ToE and another PLC
▌ Firewall
▌ VPN
▌ Wireless
EU (ENISA/JRC) approach towards product compliance & certification
▌A research and action plan for 2015-20
Project No 1: Stakeholders consultation & project planning
Project No 2: Product Register development
Project No 3: Cyber-security Common Requirements
Project No 4: Generic IACS Cyber-security Profiles
Project No 5: Compliance & Certification Process
Project No 6: Transition & Implementation Plan
Project No 7: Launch of the C&C Scheme
- Level 1: self-declaration of compliance
- Level 2: third-party compliance assessment
- Level 3: third-party product certification
- Level 4: third-party full certification
Progress (PLC level)
▌ Firmware Security
Firmware signed
Verification of the signature
▌ Operations Security
User authentication to modify programs
▌ Communication Security
Deactivation of unused services
IP filtering
VPN for integrity and authenticity of communications
▌ Log event management
Monitoring security events
Syslog format
Conclusion/Next Drivers
▌ Regulation/Legislation in the EU
France, Germany
▌ Credit Rating Agencies
Cybersecurity: New risk factor
▌ Cyber insurance
Compliance to best practices (Evidence)
Incident Response Team (Subscribed service)
References
▌ http://www.ssi.gouv.fr/uploads/2013/01/guide_hygiene_v1-2-1_en.pdf
▌ http://www.ssi.gouv.fr/entreprise/guide/profils-de-protection-pour-les-systemes-industriels/
▌ http://www.ssi.gouv.fr/entreprise/guide/la-cybersecurite-des-systemes-industriels/
▌ http://publications.jrc.ec.europa.eu/repository/bitstream/JRC94533/2015%201441_src_en_pth-erncip-iacsreport-201411-at-accepted%20pth2-op.pdf
▌ http://www.secur-ed.eu/wp-content/uploads/2014/11/SECUR-ED_Cyber_security_roadmap_v3.pdf