The Critical Infrastructure: To be or not to be Secure. European Network for Cyber Security. Fred Streefland Director Education & Training

Transcription

1 The Critical Infrastructure: To be or not to be Secure European Network for Cyber Security Fred Streefland Director Education & Training

2

3 Utilinet Securing IP/Ethernet Networks

4 CBS video Aurora

5 Content 1. Introduction 2. What is ENCS? 3. Cyber Security & the Critical Infrastructure 4. The Challenges 5. The (possible) Solution(s) 6. Conclusion 7. Q & A

6 Content 1. Introduction 2. What is ENCS? 3. Cyber Security & the Critical Infrastructure 4. The Challenges 5. The (possible) Solution(s) 6. Conclusion 7. Q & A

7 Introduction Source: ICS-CERT

8 Introduction Did you know that. In 2013 part of the Austrian and German power grid nearly broke down after a control command was accidentally misdirected? In 2012 a honeypot ICS/SCADA system was connected to the internet and received the first attack within 18 hours?.the same honeypot ICS/SCADA system was attacked 39 times from 14 different countries within a period of 28 days?

9 Introduction Who is Fred Streefland? 20+ years of Intelligence & Security experience Air Force/NATO, Intelligence Service, IBM, Accenture, ENCS Specific Cyber Security courses (including SCADA pentesting courses) in UK, Israel, the Netherlands & the US. Public & Private Cyber Security advisor Projectleader in the Smart Grid domain (substation automation) and still not an expert at anything!

10 Content 1. Introduction 2. What is ENCS? 3. Cyber Security & the Critical Infrastructure 4. The Challenges 5. The (possible) Solution(s) 6. Conclusion 7. Q & A

11 What is ENCS? European Network for Cyber Security Not-for-profit cooperative, independent organisation Founded in July 2012 Located in The Hague, The Netherlands Services: Test Lab, R&D, Education & Training and an Information/Knowledge sharing platform Goal: to increase the Cyber Resilience of the European Critical Infrastructure

12 20 employees, from: Brazil Germany Japan Netherlands Poland Spain USA HR, Finance, ICT, Marketing ENCS Assembly ENCS Assembly Committee CEO Office HR, Finance, ICT, Marketing Projects Alliander KPN DNV KEMA Radboud University TNO E.ON Enexis Wurldtech Applied Risk (Siemens) (Accenture) (EDP) (Westland Infra) (Delft University) Research & Development Security Testing Education & Training Information & Knowledge Sharing - Confidential - 12

13 Content 1. Introduction 2. What is ENCS? 3. Cyber Security & the Critical Infrastructure 4. The Challenges 5. The (possible) Solution(s) 6. Conclusion 7. Q & A

14 What is Cyber Security? Cyber Security: the protection of an organisation and its assets from electronic attack to minimise the risk of business disruption*. *Source: Wikipedia slightly adapted

15 What is the Critical Infrastructure? Critical infrastructure is a term used by governments to describe assets that are essential for the functioning of a society and economy*. electricity generation, transmission and distribution; gas production, transport and distribution;; telecommunication; water supply (drinking water, waste water/sewage, stemming of surface water (e.g. dikes and sluices)); food production and distribution; public health (hospitals, ambulances); transportation systems (fuel supply, railway network, airports, harbors, inland shipping); financial services (banking, clearing); security services (police, military). *Source: Wikipedia

16 Cyber Security & the Critical Infrastructure The more people rely on the internet, the more people rely on it to be secure Neelie Kroes (VP European Commission) The more Critical Infrastructures rely on the internet, the more Critical Infrastructures become insecure Fred Streefland (Cyber Security hobbyist)

17

18 Content 1. Introduction 2. What is ENCS? 3. Cyber Security & the Critical Infrastructure 4. The Challenges 5. The (possible) Solution(s) 6. Conclusion 7. Q & A

19 The inter-connected world..

20 The complexity of the organizations.

21 The number of attack surfaces Client attacks Server attacks Netwerk attacks Hardware attacks

22 The sophistication of attacks

23 The lack of knowledge and standards

24 Content 1. Introduction 2. What is ENCS? 3. Cyber Security & the Critical Infrastructure 4. The Challenges 5. The (possible) Solution(s) 6. Conclusion 7. Q & A

25 The possible solution(s) Yes, this is the dialogue part of this presentation!

26 A holistic/overarching approach Data Governance/Strategy Applications Policies & Standards Systems Process & Operations Network Physical Security Prevent Detect Respond Source: Accenture Netherlands, 2013

27 The Cyber Security Intelligence Cycle* Understand what is happening on the IT and Infrastructure in real time Understand where you are today and learn from earlier events Understand the nature and significance of an event and provide assessments Threat Tempo Study the assessments and decide how to deal with them Response Tempo Take action. Contain and fix the damage (if any). 27 * Source: IBM

28 Collaboration is essential!

29 Content 1. Introduction 2. What is ENCS? 3. Cyber Security & the Critical Infrastructure 4. The Challenges 5. The (possible) Solution(s) 6. Conclusion 7. Q & A

30 Some recommendations There s no standard 100% solution that fits all, but. there are some measurements that minimize the risk: 1. Educate & train your people (awareness) 2. Detect & Identify all connections/devices/networks in your organization 3. Dismantle/pull the plug of all unneccessary connections/services to internet 4. Check potential back doors of 3rd party vendors/contractors (procurement) 5. Execute risk/security/pen-testing audits on a regulary base 6. Develop clear security job descriptions within the company, also within the ICS domain. Assign responsibilities to the management, preferably in the boardroom 7. Document & log everything 8. Make sure that you have back-ups and recovery plans (and test them!) 9. Create security policy and train this 10. Monitor, Monitor and Monitor!!

31 Conclusion The Critical Infrastructure is hard to secure due to the interconnectivity requirements (internet), the complexity of the organiztions, the threats (surface & sophistication) and the lack of specific knowledge & standards. The overarching approach combined with the Intelligence Cyber Security Cycle and collaboration is needed. 100% security is impossible, but there are some recommendations that really help you to minimize the risk. But at the end..

32 It comes down to Collaboration. No one can do it alone. Bram Reinders founder of ENCS

33 Content 1. Introduction 2. What is ENCS? 3. Cyber Security & the Critical Infrastructure 4. The Challenges 5. The (possible) Solution(s) 6. Conclusion 7. Q & A

34

35 Thank you for your attention! European Network for Cyber Security

36