
www.thalesgroup.com OPEN

Maturity assessment on Cybersecurity for critical infrastructures

28TH SEPTEMBER 2015, AMSTERDAM

DR THIEYACINE FALL


OPEN - This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.

Agenda

▌ Cyber-Security Today (Maturity assessment)

▌ Compliance Legislation

▌ ICS Security Architecture (Working Group)

▌ Protection Profiles

▌ EU approach towards product compliance & Certification

▌ Conclusion/Next Drivers

▌ References


Cyber-Security Today (Maturity assessment)

Anticipate threats

▌ Perform risk assessment and/or vulnerability assessment

▌ Define risk governance and security policy

▌ Transform security requirements into implementable technical, procedural and organisational measures

▌ Build a secure software development life cycle

Manage security incidents

▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools

▌ React to incidents to maintain business continuity or reduce impacts

▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack

Comply with security policy and legal constraints

▌ Measure and reduce discrepancies between security policy and implementation

▌ Comply with legal and industry regulations

▌ Comply with best practices recommendations (ISO, NIST, …)

▌ Perform audits and penetration testing to evaluate the level of security


Cyber Security project approach (Maturity assessment)

Security Documentation

IEC 62443 1-4 (Not started)



Critical Infrastructure sectors according to the EU/Critical systems

Critical Infrastructure Sectors (EU)

▌ Transport

▌ Energy

▌ Nuclear Industry

▌ Water

▌ Chemical Industry

▌ Food

▌ Health

▌ Financial

▌ ICT

▌ Space

▌ Research Facilities

Detailed Critical Infrastructure Sectors (EU)

▌ Road transport

▌ Rail transport

▌ Air transport

▌ Inland waterways transport

▌ Ocean and short-sea shipping and ports

▌ Electricity

▌ Oil

▌ Gas

Critical automated control systems

▌ Airport (site)

▌ Railway/Metro station

▌ Oil & gas

▌ Electricity

▌ Maritime shipping industry

Critical systems

▌ Rail signaling & Railway/Metro traffic management systems

▌ Avionics (Flight, Ground)

▌ Air Traffic management systems (Single European Sky …)

▌ Urban protection systems

▌ Automotive industry (Next generation vehicles, unmanned vehicles)


Rail signaling & Railway/Metro traffic management systems

Anticipate threats

▌ Perform risk assessment and/or vulnerability assessment

▌ Define risk governance and security policy

▌ Transform security requirements into implementable technical, procedural and organizational measures

▌ Build a secure software development life cycle

Manage security incidents

▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools

▌ React to incidents to maintain business continuity or reduce impacts

▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack

Comply with security policy and legal constraints

▌ Measure and reduce discrepancies between security policy and implementation

▌ Comply with legal and industry regulations

▌ Comply with best practices recommendations (ISO, NIST, …)

▌ Perform audits and penetration testing to evaluate the level of security

Status legend: Incomplete / Planned / Performed

Systematic security requirements for new projects (in particular ERTMS). Still proprietary systems (Interlocking). SIL levels improve security posture. Issues for operational security.


Air Traffic management systems (Single European Sky …)

Anticipate threats

▌ Perform risk assessment and/or vulnerability assessment

▌ Define risk governance and security policy

▌ Transform security requirements into implementable technical, procedural and organizational measures

▌ Build a secure software development life cycle

Manage security incidents

▌ Detect cyber attacks and deviant behaviors through implementation of probes and/or SIEM tools

▌ React to incidents to maintain business continuity or reduce impacts

▌ Prepare system, network and malware analysis (Forensics) following a successful cyber attack

Comply with security policy and legal constraints

▌ Measure and reduce discrepancies between security policy and implementation

▌ Comply with legal and industry regulations

▌ Comply with best practices recommendations (ISO, NIST, …)

▌ Perform audits and penetration testing to evaluate the level of security

Status legend: Incomplete / Planned / Performed

Systematic security requirements for new projects (in particular Single European Sky). Large IT footprint for the new generation of software (Interoperability).


Emerging issues

▌ Lack of holistic view

▌ Cross sector dependencies

▌ Heterogeneous solutions for automated control systems (asset inventory difficult)

▌ Product certification

▌ System accreditation


Compliance/Legislation

▌ U.S.

Executive Order 13636

Framework for Improving Critical Infrastructure Cybersecurity (February 12, 2014)

Voluntary program (cooperation with the private sector), NERC CIP

▌ U.K.

Collaborative approach through CPNI (14 sectors),

Security for Industrial Control System Framework

▌ E.U.

Collaborative approach through ENISA

Security for Industrial Control System (Certification/Compliance approach)

▌ Germany

Strict cyber-security law to protect ‘critical infrastructure’ (July 2015), 7 sectors

Over 2,000 essential service providers will have to implement new minimum information security standards within two years

▌ France

Generic Ministerial order (March 2015)

Ministerial order per critical sector area (2015-2016)


French Regulation LPM: Loi de Programmation Militaire 2014-2019

▌ Concerns critical infrastructure operators

12 strategic areas for the country

Defense, energy, transportation, water treatment, critical industries...

Around 250 enterprises

▌ Key measures

Incident security notification/operations

- Obligation for critical operators to notify significant incidents occurring on their critical IS

- Mandatory implementation of a SOC, outsourced or internalised, qualified by the ANSSI and operated from the national territory

Submission to controls

- Obligation to submit their IS to controls by the ANSSI or by any provider qualified by the ANSSI

Possible judiciary prosecution


LPM: Ministerial order (March 2015)

▌ Apply a set of rules as defined by Ministerial order

Application of a classification method and key measures (ANSSI) for Industrial Control Systems

▌ A particular rule

Implementation of a qualified detection system for security events

Emergence of a sovereign probe for an intrusion detection system

▌ In the event of major crises, measures may be imposed

The Prime Minister (ANSSI) may impose measures such as disconnection of the internet

▌ Ministerial order per strategic area (2015-2016)

Ministerial order March 2015


Industrial Architecture

Industrial System Functionality:

- Functionality 1: Minimal system

- Functionality 2: Complex system

- Functionality 3: Very complex system

Industrial System Exposure:

- CIM 0: Non-communicating sensors and actuators

- CIM 1: PLC and analysers

- CIM 2: SCADA

- CIM 3: Manufacturing Execution System (MES)

- CIM 4: Enterprise Resource Planning (ERP)

CIM = Computer Integrated Manufacturing

Industrial System Connectivity:

- Connectivity 1: Isolated ICS

- Connectivity 2: ICS connected to an MIS

- Connectivity 3: ICS using wireless technology

- Connectivity 4: Distributed ICS with private infrastructure or permitting operations from outside

- Connectivity 5: Distributed infrastructure with public infrastructure


Classification Method

▌ Class 1

ICS for which the risk or impact of an attack is low. The measures recommended correspond to rules provided by a hygiene guide (ANSSI, SANS/CPNI).

▌ Class 2

ICS for which the risk or impact of an attack is significant. The responsible entity must be able to provide evidence that adequate measures have been implemented.

▌ Class 3

ICS for which the risk or impact of an attack is critical. Conformity is verified by the state authority or an accredited body.


Use cases

▌ Water supply plant

The plant under consideration is a remotely managed ICS handling the water supply of an urban area with 500,000 inhabitants. The ICS is geographically distributed over several sites (reservoirs, booster stations, pumps). Remote sites communicate with the central site via PSTN lines or GPRS connections. The ICS is composed of numerous remote management devices (RTU) and supervision work stations (SCADA). Technicians can connect to the system from their remote location if problems occur.

Class 2

▌ Manufacturing industry

The site under study is a household appliance assembly line for a company essentially doing business on a national level. The ICS is limited to a single site. It includes an MES and permanently-connected engineering stations. Technicians and operators use tablets and wireless scanners to scan bar codes.

Class 1


Use cases

▌ Continuous process industry

The ICS under study is a production plant for toxic chemicals. The site is covered by the Seveso Directive. The ICS has centralised historians, engineering stations or programming consoles that are permanently connected. The industrial networks are connected to the site’s MIS. Wireless networks are not yet deployed on the industrial perimeter.

Class 2 or Class 3

▌ Railway switch automation

In a railway transport network, a computerised railway switch control system allows management of track assignments and remote control of switches and signalling devices.

Class 3

▌ Detailed measures

Technical

Organisational


Industrial Architecture – Measures

Solution example, Class 3: interconnection between the ICS zone and the office area

40 Essential measures for a healthy network

- Know the information system and its users

- Control the network

- Upgrade software

- Authenticate the user

- Secure computer terminals

- Secure the inside of the network

- Protect the internal network from the Internet

- Monitor systems

- Secure network administration

- Control access to the premises and physical security

- Organise response in the event of an incident

- Raise awareness

- Carry out a security audit


Protection Profiles

▌ Switch

▌ PLC

Short term (Critical assets of the environment)

- Control-command of the industrial process

- Engineering workstation flows

Mid-term (Critical assets of the environment)

- Control-command of the industrial process

- Engineering workstation flows

- Data exchanges between the ToE (Target of Evaluation) and the supervision

- Data exchanges between the ToE and another PLC

▌ Firewall

▌ VPN

▌ Wireless


EU (ENISA/JRC) approach towards product compliance & certification

▌ A research and action plan for 2015-2020

- Project No 1: Stakeholders consultation & project planning

- Project No 2: Product Register development

- Project No 3: Cyber-security Common Requirements

- Project No 4: Generic IACS Cyber-security Profiles

- Project No 5: Compliance & Certification Process

- Project No 6: Transition & Implementation Plan

- Project No 7: Launch of the C&C Scheme

Compliance & Certification (C&C) levels:

- Level 1: self-declaration of compliance

- Level 2: third-party compliance assessment

- Level 3: third-party product certification

- Level 4: third-party full certification


Progress (PLC level)

▌ Firmware Security

Firmware signed

Verification of the signature

▌ Operations Security

User authentication to modify programs

▌ Communication Security

Deactivation of unused services

IP filtering

VPN for integrity and authenticity of communications

▌ Log event management

Monitoring security events

Syslog format
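As an added illustration (not code from the deck, from Thales or from any PLC vendor), the "Firmware signed / Verification of the signature" item above can be realised with Ed25519: the vendor signs a framed firmware image, and the PLC verifies the signature before it trusts any field of the image, then refuses versions older than the one installed. The FWIM magic, the 8-byte header layout and the version-based anti-rollback check are assumptions made for this example, not a real vendor format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout (constructed for this example, not a vendor format):
//   magic (4) | version (4, big-endian) | payload | Ed25519 signature (64)
// The signature covers everything before it, so version and payload are both authenticated.
var imageMagic = []byte("FWIM")

const headerLen = 8

// GenerateVendorKey creates the signing key pair; only the public half would live on the PLC.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildSignedImage is the vendor-side step: frame the payload and append the signature.
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerLen, headerLen+len(payload)+ed25519.SignatureSize)
	copy(body[:4], imageMagic)
	binary.BigEndian.PutUint32(body[4:8], version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the PLC-side step. It checks the signature before interpreting any
// field, then rejects versions below minVersion (anti-rollback). Returns the version.
func VerifyImage(pub ed25519.PublicKey, image []byte, minVersion uint32) (uint32, error) {
	if len(image) < headerLen+ed25519.SignatureSize {
		return 0, errors.New("image too short to contain header and signature")
	}
	body := image[:len(image)-ed25519.SignatureSize]
	sig := image[len(image)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, errors.New("signature verification failed: image rejected")
	}
	if !bytes.Equal(body[:4], imageMagic) {
		return 0, errors.New("unexpected image magic")
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version < minVersion {
		return version, fmt.Errorf("version %d older than installed minimum %d (rollback)", version, minVersion)
	}
	return version, nil
}

func main() {
	pub, priv, _ := GenerateVendorKey() // error ignored only in this demo
	image := BuildSignedImage(priv, 7, []byte("constructed PLC firmware payload"))
	tampered := append([]byte(nil), image...)
	tampered[headerLen] ^= 0x01 // flip one payload bit after signing
	_, okErr := VerifyImage(pub, image, 5)
	_, badErr := VerifyImage(pub, tampered, 5)
	fmt.Println("genuine:", okErr, "| tampered:", badErr)
}
```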


Conclusion/Next Drivers

▌ Regulation/Legislation in the EU

France, Germany

▌ Credit Rating Agencies

Cybersecurity: New risk factor

▌ Cyber insurance

Compliance with best practices (evidence)

Incident Response Team (Subscribed service)


References

▌ http://www.ssi.gouv.fr/uploads/2013/01/guide_hygiene_v1-2-1_en.pdf

▌ http://www.ssi.gouv.fr/entreprise/guide/profils-de-protection-pour-les-systemes-industriels/

▌ http://www.ssi.gouv.fr/entreprise/guide/la-cybersecurite-des-systemes-industriels/

▌ http://publications.jrc.ec.europa.eu/repository/bitstream/JRC94533/2015%201441_src_en_pth-erncip-iacsreport-201411-at-accepted%20pth2-op.pdf

▌ http://www.secur-ed.eu/wp-content/uploads/2014/11/SECUR-ED_Cyber_security_roadmap_v3.pdf