critical information infrastructure protection
Critical Information Infrastructure Protection: Threats & Challenges for ASEAN Countries
DR MOHAMMAD SHAHIR, CISSP, CEng
SENIOR SECURITY CONSULTANT
THALES E-SECURITY, APAC
CRITICAL INFORMATION PROTECTION & RESILIENCE ASIA
BANGKOK, THAILAND
24-25TH JUNE 2015
OPEN | THALES GROUP INTERNAL | THALES GROUP CONFIDENTIAL | THALES GROUP SECRET
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved.
www.thalesgroup.com
Biography
Dr. Shahir has 11 years of cyber security experience and knows the Malaysian security market. He is considered a security evangelist in the Malaysian market. He was previously attached with MIMOS, T-Systems and Hewlett Packard, focusing on Internet of Things, Embedded Security Platform on System Engineering, Security Assessment and Consulting. Dr. Shahir was responsible for the delivery and support of security professional services to enterprise customers including McAfee, HP, Royal Dutch SHELL, British American Tobacco and several multinational banks, on security solutions / services such as Systems Security Engineering, Network Security Design, PKI Infrastructure and Integrated Operation (IO as a service). He is a professional member of IEEE & IET.
Dr. Mohammad Shahir
Senior Security Consultant
Thales E-Security
Twitter: @Blackcat
LinkedIn: Shahir Majed Shikh
Basic Understanding of CII [1/2]
▌Critical Information Infrastructures (CII)
communications and/or information services whose availability, reliability and resilience are essential to the functioning of a modern economy
CII also includes:
- telecommunications, power distribution, water supply, public health services, national defense, law enforcement, government services, and emergency services
[Figure: CII sectors: Telecom Network, Power Grid, Water Supply, Public Health, National Defence, Law Enforcement]
Basic Understanding of CII [2/2]
▌Critical Information Infrastructure Protection (CIIP)
Focuses on protection of IT systems and assets
- Telecommunication, computers/software, Internet, Satellite, interconnected computers/networks (Internet) & services they provide
Ensures Confidentiality, Integrity and Availability
- Required 24/7 (365 days)
- Part of the daily modern economy and the existence of any country
[Figure: Confidentiality, Integrity, Availability]
Key levels of CII risks
▌ Technical
Complexity and interdependencies
- Increased dependencies → increased vulnerabilities
Trust relationships increasingly complex
End-to-End mitigation can be difficult
▌Actor
State-sponsored actors
Ideological and political extremist actors
Frustrated insiders/social-engineering
Organised criminal agents/individuals
- Supported by underworld economy
Global trends towards CIIP
▌ Increased awareness for CIIP & cyber security
Countries aware that risks to CIIP need to be managed
- Whether at National, Regional or International level
▌Cyber security & CIIP becoming essential tools
For supporting national security & social-economic well-being
▌At national level
Increased need to share responsibilities & co-ordination
- Among stakeholders in prevention, preparation, response & recovery
▌At regional & international level
Increased need for co-operation & co-ordination with partners
- In order to formulate and implement effective CIIP frameworks
How about developed economies?
▌Key Cybersecurity threat(s) are diverse, but related
“Established capable states...”
Source: UK Cyber Security Strategy [2009]
“The role of nations in exploiting information networks...”
Source: US Cyberspace Policy Review [2009]
“The dangers from IT crime, threat to government agencies...”
Source: Swedish Emergency Management Agency (SEMA) [2008]
“Financial incentive for online criminal behaviour...”
Source: Towards a Belgian strategy on Information Security [2008]
Challenges for ASEAN countries
Total Security Expenditure by Year (2014-2018)*
The total ASEAN** market is expected to spend USD 3.5 billion* from 2014-2018
Total Market (in USD million)
Year           2014   2015   2016   2017   2018
Total Market    453    716    953    564    827
• The total value of all opportunities identified in the 6 countries is USD 3.5 billion. The expenditure is expected to peak in 2016.
• Infrastructure developments account for some of the peaks and troughs. Visibility on security expenditure further than 2018 is limited. However, as future projects are agreed and developed, security expenditure is expected to remain at high levels.
• Many countries have declared plans till 2016. More investments are expected to happen post 2016 when future plans are declared.
Challenges for ASEAN countries
#1: Cost and lack of (limited) financial investment
Economics for establishing a CIIP framework can be a hindrance
Limited human & institutional resources
Total Security Expenditure by Country
[Pie chart. Legend: Singapore, Malaysia, Thailand, Indonesia, Philippines, Vietnam. Slice values (unordered): 4%, 27%, 36%, 7%, 24%, 2%]
• Critical Infrastructure security forms 15% of the total homeland security market in the 6 countries
• The Critical Infrastructure security market will be driven by Vietnam, Malaysia and Indonesia – a combined spend of 90% of the total market
• Vietnam will be a key market for critical infrastructure security as about one-third of the total homeland security expenditure is expected to happen in Critical Infrastructure security
Key Projects
• Vietnam – Security installations will be required for 3 new gas power plants, 3 new hydro power plants, 2 new nuclear energy plants, and 4 sea ports
• Indonesia – Security installations for 4 new sea ports, coal power plant and 2 petrochemical plants
• Malaysia – Investments in Ports, power plants, and a new hydrocarbon hub
Challenges for ASEAN countries
#2: Technical complexity in deploying CIIP
Need to understand dependencies & interdependencies
- Especially vulnerabilities & how they cascade
Lack of effective trust relationships among stakeholders
[Figure: interdependent CII sectors: Telecom Network, Power Grid, Water Supply, Public Health, National Defence, Law Enforcement]
Provides Technical & Policy assistance to member states
Challenges for ASEAN countries
#3: Need for Cybersecurity education & culture re-think
Create awareness on importance of Cybersecurity & CIIP
- By sharing information on what works & successful best practices
Creating a Cybersecurity culture can promote trust & confidence
- It will stimulate secure usage, ensure protection of data and privacy
Challenges for ASEAN countries
#4: Lack of relevant CII policies & legal framework
Needs Cybercrime legislation & enforcement mechanisms
Set up policies to encourage co-operation among stakeholders
- Especially through Public-Private-Partnerships (PPP)
#5: Lack of information sharing & knowledge transfer
It is important at ALL levels: National, Regional & International
Necessary for developing trust relationships among stakeholders
- Including CERT teams
Challenges in Securing CIIP Eco-systems
Typical challenges faced in CII Security
- Managing Network Integration (diagram labels: Corporate, 3rd Party, Partner, Control Network)
- Lack of granular visibility and control over control network usage & traffic (diagram labels: Enterprise Zone; Control Network; Zone 1, Zone 2, Zone 3, Zone 4)
- Increasing use of web-based Applications / SaaS
- Reporting for Regulatory/Customer Audits & Forensics (CFATS, CIP Standards)
- Escalated Threat Landscape (Exploits, Malware & APTs)
- Protecting Legacy Systems
$400b: annual cost of global cybercrime
Future CII threat vectors 1/2
Threat Agents Evolve
Rise of government surveillance, cyberwarfare, information control
Social, political attacks, outsourcing
Motivations shift from personal gains to aspirations of control
Investment grows
Powerful, organized, and well funded new threat agents
Resources & community thrives
Success reinforces investment and attracts new attackers
Nation-state ‘equalizer’
Seeking New Targets
Government, industrial, business
Satisfy dark-markets and for-profit vulnerability research
Hardware attacks up, POS, mobile, ATM, vehicles, industrial
Attackers maintain the initiative
Future CII threat vectors 2/2
Security talent pool shrinks
70% orgs are understaffed
58% senior and 36% staff level positions went unfilled in 2013
High leadership turnover
Tools and Methods
Powerful tools and code emerge
Reverse-engineering and reuse
15% of vulnerabilities exploited
Markets for exploits, services, vulnerabilities, data, and skills
Threats Accelerate
Professionals emerge, educated, organized, focused, and capable
Attacking further down the stack, firmware and base code
Faster reconnaissance, recruiting, and development of compromises
Effects of The Threat Vector
• Attackers' capabilities increase with investments, experience, and professional threat agents
• Success boosts confidence, raises the lure for more attacks and the boldness to expand scope
• Defenders struggle with a growing attack surface, challenging effectiveness models, lack of talent and insufficient resources
Threats advance, outpacing defenders
The Race to Evolve is On!
Defenses and Response 1/2
Comprehensive
Security as a continuous cycle
Defense-In-Depth process
Technology and Behaviours
Obstacles and Opposition
Ubiquitous
Security must follow data from creation to deletion
Layered across CII ecosystem
Contextual aspects gain in importance
Seeking Optimal Risk
Risk management planning
Perceptions by executives
Balancing the triple constraints of Cost, Risk, and Usability
Meeting users' shifting demands
Defenses and Response 2/2
Unified
Consolidation of security functions
Independent security controls work together
Security industry collaborates across usages
Better Designs
Industry standards & NERC CIP evolve for specific threats
Trustworthy environment, designed to be harder to compromise
Robust architectures with built-in security for detection & response
Explicit Regulations
Increase in number and specificity
Raise the bar, but not a guarantee of security
Cover more segments and usages
Can be impediments to growth
Security Lifecycle Framework for End-to-End Critical Information Protection
[Diagram: security lifecycle delivered by a full-service partner. Cycle labels: PROTECT, DETECT, OPERATE. Offering labels: Services, Systems, Products. Other labels: Consulting; Risk Analysis; Test & Evaluation; Training; Critical IT Design, Development, Integration and Deployment; Complex Project Management; Cybersecurity Products; 24/7 Cybersecurity Supervision; Managed Security Services; Rapid Reaction Team; Crisis Management; Critical IT Operation; Cloud Computing; Secure IT Outsourcing]
Cyber security for Critical Energy Infrastructures
2013 agreement for the development of cybersecurity solutions and services to protect command-and-control systems
OVERVIEW OF METERING NETWORKS
[Diagram labels: Enterprise network, AMI WAN, Security layer/Firewall, Home area network, Smart meter]
• Encryption of end-point device communication
• IDS
• Encryption of customer and utility data
• Low cost per end point
• Authentication of meter control signals
OVERVIEW OF CONTROL NETWORK
[Diagram labels: Internet, Enterprise network, Control network, Field site, Partner site]
• Strict Isolation
• CSOC
• Dedicated SCADA security
• IDS and IPS
• Network Access Control
• Strong authent
• Resilience
• Encryption
• Network Security
Summary
▌ CIIP deployment in ASEAN countries is a work in progress
Despite the challenges, there are also success stories
- E.g. Malaysia, Singapore, Indonesia (CERT/TCC)
▌ CIIP/Cybersecurity is a 24/7 (365 days) business
It’s costly, but doing without it is even worse
▌ Co-ordination & co-operation among stakeholders is crucial
Encourages trust, knowledge sharing & skills transfer
▌ Future threat vectors need our full attention
Dependencies & interdependencies will become more complex
▌ Security Framework for CIIP
Treat CIIP security as a cycle. Prevention is important, but is never impervious. Plan across the cycle, including feedback loops for continual improvement
Key Highlights
Every year, Thales e-Security Consulting Services team performs more than:
• 5,000 vulnerability assessments
• 100 penetration tests
• 100 technical audits
• 50 hardware security evaluations
• 20 code security audits
• 10 supporting engagements to CII security approval
• 10 designs of risks analysis and security policies of global organisations
• 5 designs of continuity and crisis management
• 3 security training & awareness programmes
Thales e-Security Consulting Services team also supports global organisations to design, manage & control their IT & CII security
Q&A Session
Thank You
Dr. Mohammad Shahir, CISSP, CEng
Senior Security Consultant
Thales E-Security
+603 2178 3800
+6016 249 7882