critical information infrastructure protection

Critical Information Infrastructure Protection: Threats & Challenges for ASEAN Countries

DR MOHAMMAD SHAHIR CISSP, CEng

SENIOR SECURITY CONSULTANT, THALES E-SECURITY, APAC

CRITICAL INFORMATION PROTECTION & RESILIENCE ASIA, BANGKOK, THAILAND, 24-25TH JUNE 2015

This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. www.thalesgroup.com


Post on 05-Feb-2022



Biography

Dr. Shahir has 11 years of cyber security experience and knows the Malaysian security market. He is considered a security evangelist in the Malaysian market. He was previously attached with MIMOS, T-Systems and Hewlett Packard, focusing on Internet of Things, Embedded Security Platform on System Engineering, Security Assessment and Consulting. Dr. Shahir was responsible for the delivery and support of security professional services to enterprise customers including McAfee, HP, Royal Dutch SHELL, British American Tobacco and several multinational banks on security solutions / services such as Systems Security Engineering, Network Security Design, PKI Infrastructure and Integrated Operation (IO as a service). He is a professional member of IEEE & IET.

Dr. Mohammad Shahir, Senior Security Consultant, Thales E-Security

Twitter: @Blackcat

LinkedIn: Shahir Majed Shikh

Basic Understanding of CII [1/2]

▌Critical Information Infrastructures (CII)

communications and/or information services whose availability, reliability and resilience are essential to the functioning of a modern economy

CII also includes:

- telecommunications, power distribution, water supply, public health services, national defense, law enforcement, government services, and emergency services


[Figure: CII sectors: Telecom Network, Power Grid, Water Supply, Public Health, National Defence, Law Enforcement]

Basic Understanding of CII [2/2]

▌Critical Information Infrastructure Protection (CIIP)

Focuses on protection of IT systems and assets

- Telecommunication, computers/software, Internet, Satellite, interconnected computers/networks (Internet) & services they provide

Ensures Confidentiality, Integrity and Availability

- Required 24/7 (365 days)

- Part of the daily modern economy and the existence of any country


[Figure: Confidentiality, Integrity, Availability]

Key levels of CII risks

▌ Technical

Complexity and interdependencies

- Increased dependencies → increased vulnerabilities

Trust relationships increasingly complex

End-to-End mitigation can be difficult


▌Actor

State-sponsored actors

Ideological and political extremist actors

Frustrated insiders/social-engineering

Organised criminal agents/individuals

- Supported by underworld economy

Global trends towards CIIP

▌ Increased awareness for CIIP & cyber security

Countries aware that risks to CIIP need to be managed

- Whether at National, Regional or International level

▌Cyber security & CIIP becoming essential tools

For supporting national security & social-economic well-being


▌At national level

Increased need to share responsibilities & co-ordination

- Among stakeholders in prevention, preparation, response & recovery

▌At regional & international level

Increased need for co-operation & co-ordination with partners

- In order to formulate and implement effective CIIP frameworks

How about developed economies?

▌Key Cybersecurity threat(s) are diverse, but related

“Established capable states...”

Source: UK Cyber Security Strategy [2009]

“The role of nations in exploiting information networks...”

Source: US Cyberspace Policy Review [2009]


“The dangers from IT crime, threat to government agencies...”

Source: Swedish Emergency Management Agency (SEMA) [2008]

“Financial incentive for online criminal behaviour...”

Source: Towards a Belgian strategy on Information Security [2008]

Challenges for ASEAN countries

Total Security Expenditure by Year (2014-2018)*

The total ASEAN** market is expected to spend USD 3.5 billion* from 2014-2018


• The total value of all opportunities identified in the 6 countries is USD 3.5 billion. The expenditure is expected to peak in 2016.

• Infrastructure developments account for some of the peaks and troughs. Visibility on security expenditure further than 2018 is limited. However as future projects are agreed and developed, security expenditure is expected to remain at high levels.

• Many countries have declared plans till 2016. More investments are expected to happen post 2016 when future plans are declared

Total Market (in USD million) by year: 2014: 453; 2015: 716; 2016: 953; 2017: 564; 2018: 827

Challenges for ASEAN countries

#1: Cost and lack of (limited) financial investment

Economics for establishing a CIIP framework can be a hindrance

Limited human & institutional resources

Total Security Expenditure by Country

[Pie chart: share of total security expenditure across Singapore, Malaysia, Thailand, Indonesia, Philippines and Vietnam; slice labels in extracted order: 4%, 27%, 36%, 7%, 24%, 2%]

• Critical Infrastructure security forms 15% of the total homeland security market in the 6 countries

• The Critical Infrastructure security market will be driven by Vietnam, Malaysia and Indonesia – a combined spend of 90% of the total market

• Vietnam will be a key market for critical infrastructure security as about one-third of the total homeland security expenditure is expected to happen in Critical Infrastructure security

Key Projects

• Vietnam – Security installations will be required for 3 new gas power plants, 3 new hydro power plants, 2 new nuclear energy plants, and 4 sea ports

• Indonesia – Security installations for 4 new sea ports, coal power plant and 2 petrochemical plants

• Malaysia – Investments in Ports, power plants, and a new hydrocarbon hub

Challenges for ASEAN countries

#2: Technical complexity in deploying CIIP

Need to understand dependencies & interdependencies

- Especially vulnerabilities & how they cascade

Lack of effective trust relationships among stakeholders

[Figure: interdependent CII sectors: Telecom Network, Power Grid, Water Supply, Public Health, National Defence, Law Enforcement]

Provides Technical & Policy assistance to member states

Challenges for ASEAN countries

#3: Need for Cybersecurity education & culture re-think

Create awareness on importance of Cybersecurity & CIIP

- By sharing information on what works & successful best practices

Creating a Cybersecurity culture can promote trust & confidence

- It will stimulate secure usage, ensure protection of data and privacy


Challenges for ASEAN countries

#4: Lack of relevant CII policies & legal framework

Needs Cybercrime legislation & enforcement mechanisms

Setup policies to encourage co-operation among stakeholders

- Especially through Public-Private-Partnerships (PPP)

#5: Lack of information sharing & knowledge transfer


It is important at ALL levels: National, Regional & International

Necessary for developing trust relationships among stakeholders

- Including CERT teams

Challenges in Securing CIIP Eco-systems

Typical challenges faced in CII Security

Managing Network Integration

[Diagram: Corporate, 3rd Party and Partner networks connected to the Control Network]

Lack of granular visibility and control over control network usage & traffic

[Diagram: Enterprise Zone and Control Network, with Zone 1, Zone 2, Zone 3 and Zone 4]

Increasing use of web-based Applications / SaaS


Reporting for Regulatory/Customer Audits & Forensics

CFATS, CIP Standards

Escalated Threat Landscape

Exploits, Malware & APTs

Protecting Legacy Systems

$400b annual cost of global cybercrime

Future CII threat vectors 1/2


Threat Agents Evolve

Rise of government surveillance, cyberwarfare, information control

Social, political attacks, outsourcing

Motivations shift from personal gains to aspirations of control

Investment grows

Powerful, organized, and well funded new threat agents

Resources & community thrives

Success reinforces investment and attracts new attackers

Nation-state ‘equalizer’

Seeking New Targets

Government, industrial, business

Satisfy dark-markets and for-profit vulnerability research

Hardware attacks up, POS, mobile, ATM, vehicles, industrial

Attackers maintain the initiative

Future CII threat vectors 2/2


Security talent pool shrinks

70% orgs are understaffed

58% senior and 36% staff level positions went unfilled in 2013

High leadership turnover

Tools and Methods

Powerful tools and code emerge

Reverse-engineering and reuse

15% of vulnerabilities exploited

Markets for exploits, services, vulnerabilities, data, and skills

Threats Accelerate

Professionals emerge, educated, organized, focused, and capable

Attacking further down the stack, firmware and base code

Faster reconnaissance, recruiting, and development of compromises

Effects of The Threat Vector

• Attackers' capabilities increase with investments, experience, and professional threat agents

• Successes boost confidence, raise the lure for more attacks and boldness to expand scope

• Defenders struggle with a growing attack surface challenging effectiveness models, lack of talent and insufficient resources

The Race to Evolve is On!

Threats advance, outpacing defenders

Defenses and Response 1/2


Comprehensive

Security as a continuous cycle

Defense-In-Depth process

Technology and Behaviours

Obstacles and Opposition

Ubiquitous

Security must follow data from creation to deletion

Layered across CII ecosystem

Contextual aspects gain in importance

Seeking Optimal Risk

Risk management planning

Perceptions by executives

Balancing the triple constraints of Cost, Risk, and Usability

Meeting users' shifting demands

Defenses and Response 2/2


Unified

Consolidation of security functions

Independent security controls work together

Security industry collaborates across usages

Better Designs

Industry standards & NERC CIP evolve for specific threats

Trustworthy environment, designed to be harder to compromise

Robust architectures with built-in security for detection & response

Explicit Regulations

Increase in number and specificity

Raise the bar, but not a guarantee of security

Cover more segments and usages

Can be impediments to growth

Security Lifecycle Framework for End-to-End Critical Information Protection

[Diagram: security lifecycle framework with phases PROTECT, DETECT and OPERATE. Panel labels: Services; Systems; Products; Full-service partner. Items: Consulting; Risk Analysis; Test & Evaluation; 24/7 Cybersecurity Supervision; Managed Security Services; Rapid Reaction Team; Crisis Management; Training; Critical IT Design, Development, Integration and Deployment; Complex Project Management; Cybersecurity Products; Critical IT Operation; Cloud Computing; Secure IT Outsourcing]

Cyber security for Critical Energy Infrastructures

OVERVIEW OF METERING NETWORKS

[Diagram: Enterprise network, Security layer/Firewall, AMI WAN, Home area network, Smart meter]

• Encryption of end-point device communication

• IDS

• Encryption of customer and utility data

• Low cost per end point

• Authentication of meter control signals

OVERVIEW OF CONTROL NETWORK

[Diagram: Internet, Enterprise network, Control network, Field site, Partner site]

2013 agreement for the development of cybersecurity solutions and services to protect command-and-control systems

• Strict Isolation

• CSOC

• Dedicated SCADA security

• IDS and IPS

• Network Access Control

• Strong authent

• Resilience

• Encryption

• Network Security

Summary

▌ CIIP deployment in ASEAN countries is a work in progress

Despite the challenges, there are also success stories

- E.g. Malaysia, Singapore, Indonesia (CERT/TCC)

▌ CIIP/Cybersecurity is a 24/7 (365 days) business

It’s costly, but doing without it is even worse

▌ Co-ordination & co-operation among stakeholders is crucial


Encourages trust, knowledge sharing & skills transfer

▌ Future threat vectors need our full attention

Dependencies & interdependencies will become more complex

▌ Security Framework for CIIP

Treat CIIP security as a cycle. Prevention is important, but is never impervious. Plan across the cycle, including feedback loops for continual improvement

Key Highlights

Every year, Thales e-Security Consulting Services team performs more than:

• 5,000 vulnerability assessments

• 100 penetration tests

• 100 technical audits

• 50 hardware security evaluations

• 20 code security audits

• 10 supporting engagements to CII security approval

• 10 designs of risks analysis and security policies of global organisations

• 5 designs of continuity and crisis management

• 3 security training & awareness programmes

Thales e-Security Consulting Services team also supports global organisations to design, manage & control their IT & CII security

Q&A Session

Thank You


Dr. Mohammad Shahir CISSP, CEng

Senior Security Consultant

Thales

+603 2178 3800

+6016 249 7882