Slide 1
Cyber Security in Railways Systems, Ansaldo STS experience – Part 2: Cyber Security Strategy and Design
CP EXPO Workshop - «Risks and Security Management in Logistics and Transports»
Genova, 29 October 2013
Speaker: Ermete Meda, InfoSec Manager
Joint work with: Daniele Debertol, PhD.
About us: Finmeccanica
Finmeccanica is Italy’s leading manufacturer in the high technology sector.
Finmeccanica is the largest shareholder in Ansaldo STS with a 40% stake.
Slide 2
Signaling Systems: Safety-to-Security relationships

“Vital Systems”
• RBC (Radio Block Center)
• Interlocking
Environment:
• Proprietary infrastructure that ensures Railway Safety is not subject to computer attack

“Non-Vital Systems”
• Centralized Traffic Control Systems (e.g. TMS), Automation Systems
Environment:
• Commercial ICT infrastructure undergoing Cyber Security risks (Operational Continuity, Financial losses, Reputational damage)
Slide 3
… and between vital and non-vital layers
[Figure: signaling architecture. Vital layer: Interlocking, RBC (Radio-Block Center), Interlocking, with Balise and trains T1 and T2 reached over ERTMS Euroradio. Non-vital layer: Train Management System (TMS) and External Systems. The boundary between the two layers is marked “Needs Protection…”]
Slide 4
Evolution and Characteristics of Railway Signaling Systems

Technology Platforms
In the Past:
• Proprietary HW/SW
• Isolated Systems
• Dedicated Applications
• Structured Information
Today:
• Commercial low cost HW/SW
• TCP/IP Protocol
• Interconnected Systems
• Heterogeneous Services (E-mail, Info-web, VoIP, CCTV, …)
• Structured and unstructured Information

Operating Environment
Today:
• Distributed ICT infrastructure spread over long distances, and unattended systems
• Connections between safety critical and non-safety critical layers
• External systems connected to signaling infrastructure
• Human factor (operators, maintainers and… passengers)
Slide 5
Cyber Space calling, Cyber Security knocking
Cyber Security: protection of Cyber Space. But what is Cyber Space?
Yesterday: many different environments, side-by-side. Today: one single, big environment.
Consequences: Dynamic Threat Landscape in unique Cyber Domain

Actors, motivations and examples:
• Military: Strategic & Tactical Cyber War (Stuxnet, Operation Aurora, Botnets)
• Terrorism: Politics
• Espionage: Intellectual Property (Zeus, Flame, Mandiant APT1 Report, AET attacks, Botnets, Phishing e-mail)
• Organized Crime: $
• Vandalism & Hacktivism: Ego, Curiosity (DDoS attacks, Wikileaks, Anonymous)
Slide 6
3 Phase Approach
Mature Cyber Security Process
1. Discovery & Assessment
• Identify key risks
• Identify key assets
• Identify gaps
2. HW/SW Review & Redesign
• Countermeasure rationalization
• Security Infrastructure Assessment
• Fill technology gaps
3. Intelligence & Analytics
• Monitoring & Management Improvement
• Big Data Security Analytics
• Real-time Intelligence feeds
Slide 7
ICT Security Activities and Governance: Best Practices
[Figure: chart of the Effort spent on Event Identification, Countermeasures and Incident Management]
Slide 8
ICT Security Activities and Governance: real life
[Figure: the same chart in real life, across Prevention, Detection and Reaction: “Monitoring… and monitoring… and guess what?”, then “WTF is going on???”]
Proactive countermeasures
Reactive countermeasures (not excluding Forensics)
Slide 9
Cyber Security: taking advantage of IT
Leaving trace-routes behind
Building on top of Information Technology infrastructures means that you get both its weaknesses, true, but its strengths as well…
… putting it the other way round: if a system is not secure by design – and they are not –, it will leave plenty of traces for you to follow!
Slide 10
Strategy: enhance monitoring and correlate
So many eyes… giving a very broad view (say, at 365 degrees… to stay safe)… OK…
But where to look for? And for what? And who?
• Firewalling
• Content Filtering
• Virtual Patching
• IDS/IPS
• AAA
Slide 11
Perimeter Defence - Firewall shortcoming
[Figure: a Management Console pushes Policy Installation to the Firewall Modules in front of Signalling Plant_1, Signalling Plant_2, … Signalling Plant_N across the WAN; External Systems reach the plants through the same WAN. Traffic crosses the firewalls, and the only expected results come back from Logs.]
Solution: adding IPS/IDS and Log Correlation
Slide 12
Content Filtering: the do’s and the don’ts
Solution: adding Virtual Patching
[Figure: a Virtual Patcher in front of each plant turns Dirty Traffic into Clean Traffic]
Threats Treatment
• Analysis: find critical vulnerabilities directly exposed to possible attacks
• Remediation: identify (& block) specific packets for the above vulnerabilities
Operating system is static, meaning that you can’t change it too often (good…), but that you won’t be able to patch (at all) either, which is NO GOOD!
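The two steps on this slide, analysis (write the exposed weakness down as a rule) and remediation (drop only the packets that hit the rule, since the host itself cannot be patched), in Python as an added example; this is not Ansaldo STS code and none of it comes from the deck. The protected HTTP management interface, its paths and the three weaknesses encoded as rules are hypothetical, invented only to show the technique. The point a practitioner wants to see is the normalisation step: a virtual patch that matches on the raw bytes is bypassed by double percent-encoding (one of the evasion techniques the deck lists under AET attacks), so the request is decoded until it stops changing before any rule runs.

```python
"""Minimal virtual patcher for an HTTP management interface that cannot be patched.

Added example, not Ansaldo STS code. The service, its paths and the weaknesses
are hypothetical, chosen only to show the two steps on the slide:
  Analysis:    each exposed critical vulnerability is written down as a rule;
  Remediation: only packets matching a rule are dropped in front of the host,
               everything else passes untouched, since the OS itself stays static.
Requests are normalised (percent-decoding repeated until stable) before the rules
run; otherwise a double-encoded request walks straight past the patch.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class Request:
    method: str
    path: str               # percent-decoded path
    query: Dict[str, str]   # percent-decoded query parameters (last value wins)


def decode_fully(s: str, rounds: int = 5) -> str:
    """Percent-decode until the text stops changing (bounded, so a pathological
    input cannot keep the patcher busy); %252e%252e becomes '..' after two rounds."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s


def parse_request(raw: bytes) -> Optional[Request]:
    """Parse just the request line; None means the bytes are not HTTP at all."""
    try:
        method, target, version = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    parts = urlsplit(target)   # split before decoding, so an encoded '?' stays in the path
    path = decode_fully(parts.path)
    query = {k: decode_fully(v[-1])
             for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return Request(method, path, query)


# Rules produced by the analysis step: (name, predicate on the normalised request).
# The vulnerabilities below are invented for this example.
Rule = Tuple[str, Callable[[Request], bool]]
RULES: List[Rule] = [
    # Hypothetical: /cgi-bin/status copies "id" into a 32-byte stack buffer.
    ("status-id-overflow",
     lambda r: r.path == "/cgi-bin/status" and len(r.query.get("id", "").encode()) > 32),
    # Hypothetical: the static file handler does not reject '..' segments.
    ("path-traversal",
     lambda r: ".." in r.path.split("/")),
    # The interface only ever needs GET/HEAD; anything else is not legitimate traffic.
    ("unexpected-method",
     lambda r: r.method not in ("GET", "HEAD")),
]


def virtual_patch(raw: bytes) -> Tuple[str, str]:
    """Return ('block', rule-name) or ('pass', 'clean') for one request."""
    req = parse_request(raw)
    if req is None:
        return "block", "not-http"   # fail closed: the protected host speaks only HTTP
    for name, hits in RULES:
        if hits(req):
            return "block", name
    return "pass", "clean"


# Constructed sample traffic, not captured from any real plant.
SAMPLES: Dict[str, bytes] = {
    "legit":     b"GET /cgi-bin/status?id=train-42 HTTP/1.1\r\nHost: mgmt\r\n\r\n",
    "overflow":  b"GET /cgi-bin/status?id=" + b"A" * 64 + b" HTTP/1.1\r\nHost: mgmt\r\n\r\n",
    "traversal": b"GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\nHost: mgmt\r\n\r\n",
    "post":      b"POST /cgi-bin/status HTTP/1.1\r\nHost: mgmt\r\nContent-Length: 0\r\n\r\n",
    "not-http":  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",   # start of a TLS handshake record
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    return {name: virtual_patch(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} -> {verdict[0]:5s} ({verdict[1]})")
```

The rule list is the whole virtual patch: it grows by one entry per vulnerability found in the analysis step and is removed again when the host is finally patched. Anything the rules do not mention passes unchanged, which is what keeps a static operating system usable; the price is that the decoding in the patcher must mirror what the protected host does, or an encoding the host accepts and the patcher does not will still get through.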
Slide 13
Near Realtime Asset Control
Know your flock, and beware of wolves! Barkin’, at the very least
[Figure: a GUI on a monitoring subnet watches the plants across the WAN; Clean Traffic in and out]
• perform differential discovery onsite for database tuning
• acknowledge variations that should be allowed
• what is left, deal with: either a missing sheep, or a mismatched one, or… go, bark, there’s a wolf!
Repeat as needed
• not a performance- or availability-driven tool, though it may help
• based on static asset database loaded offline at project time
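The differential discovery described on this slide, in Python, as an added example that is not Ansaldo STS code. The static baseline (the project-time asset database), the acknowledged variations and the observed hosts are all constructed inline and labelled as such; in a deployment the observations would come from ARP/DHCP capture or a sweep on the monitoring subnet, and classify() would be re-run as often as needed. One case the slide does not spell out is handled explicitly: one baseline IP answering with two MACs in the same sweep is reported as mismatched, since that is either an address conflict or someone impersonating the host.

```python
"""Differential asset discovery against a project-time baseline, as on the slide.

Added example, not Ansaldo STS code. The baseline, the acknowledged variations and
the observed hosts are all constructed inline; a deployment would load the baseline
from the static asset database and take observations from ARP/DHCP capture or a
sweep on the monitoring subnet, then re-run classify() as often as needed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    role: str


# Static asset database loaded offline at project time (constructed values).
BASELINE: Dict[str, Asset] = {a.ip: a for a in (
    Asset("10.1.1.10", "00:11:22:33:44:10", "interlocking"),
    Asset("10.1.1.11", "00:11:22:33:44:11", "rbc"),
    Asset("10.1.1.20", "00:11:22:33:44:20", "tms"),
    Asset("10.1.1.30", "00:11:22:33:44:30", "printer"),
)}

# Variations acknowledged during onsite tuning: (ip, mac) pairs that may differ from
# the baseline without barking. Kept separate so the baseline itself stays static.
ACKNOWLEDGED: Set[Tuple[str, str]] = {
    ("10.1.1.30", "00:11:22:33:44:31"),    # printer NIC replaced, new MAC accepted
    ("10.1.1.200", "aa:bb:cc:dd:ee:01"),   # maintainer laptop allowed during works
}


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in ip.split("."))


def classify(observed: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort observed (ip, mac) pairs into the slide's three outcomes plus 'ok'.

    missing     baseline host not seen at all (a missing sheep)
    mismatched  baseline IP seen with an unacknowledged MAC, or with two MACs at once
    wolf        IP that is neither in the baseline nor acknowledged
    """
    seen: Dict[str, Set[str]] = {}
    for ip, mac in observed:
        seen.setdefault(ip, set()).add(mac.lower())

    result: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatched": [], "wolf": []}
    for ip, asset in BASELINE.items():
        macs = seen.get(ip)
        if not macs:
            result["missing"].append(ip)
        elif len(macs) > 1:
            result["mismatched"].append(ip)   # two MACs claiming one IP: conflict or spoofing
        else:
            mac = next(iter(macs))
            ok = mac == asset.mac or (ip, mac) in ACKNOWLEDGED
            result["ok" if ok else "mismatched"].append(ip)
    for ip, macs in seen.items():
        if ip in BASELINE:
            continue
        acknowledged = len(macs) == 1 and (ip, next(iter(macs))) in ACKNOWLEDGED
        result["ok" if acknowledged else "wolf"].append(ip)
    for bucket in result.values():
        bucket.sort(key=_ip_key)
    return result


# One sweep of the monitoring subnet (constructed observations).
OBSERVED: List[Tuple[str, str]] = [
    ("10.1.1.10", "00:11:22:33:44:10"),   # interlocking, as expected
    # 10.1.1.11 (rbc) not seen at all
    ("10.1.1.20", "de:ad:be:ef:00:01"),   # tms address answered by a different MAC
    ("10.1.1.30", "00:11:22:33:44:31"),   # printer with the acknowledged replacement NIC
    ("10.1.1.200", "aa:bb:cc:dd:ee:01"),  # acknowledged maintainer laptop
    ("10.1.1.66", "aa:bb:cc:dd:ee:66"),   # nobody planned this one
]


if __name__ == "__main__":
    for bucket, ips in classify(OBSERVED).items():
        print(f"{bucket:10s} {', '.join(ips) or '-'}")
```

Acknowledgements are deliberately keyed on the (ip, mac) pair rather than on the IP alone: allowing "anything at 10.1.1.30" would turn the tuning step into a blind spot, while allowing one specific replacement NIC keeps the check tight. The tool stays a consistency check against the baseline, not an availability monitor; a missing sheep is reported, but whether the host is down or merely quiet is for the operators to find out.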
Slide 14
Log Correlation
The Russian peasant of SIEMs at work: fast and light
[Figure: Log Files feed Sensor_1, Sensor_2, … Sensor_n; their Events go to a Correlation Engine and from there to the Console]
• Message Correlation
• Minimize False Positives
• Realtime response (no archiving)
• Novelty detection for scheme-in-the-chaos
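A fast-and-light correlation engine of the kind this slide sketches, in Python, as an added example that is not Ansaldo STS code. It also serves the earlier "firewall shortcoming" slide: each firewall module only ever sees its own plant, so the first alert below (one source denied by several plant firewalls inside one window) is exactly the kind of result that comes only from correlating logs. The second alert is the novelty detection: an accepted flow that is not part of the known scheme is reported once and then learned. Only a sliding window is kept in memory (no archiving), and an alert already raised in the window is not raised again, which is the false-positive control. The log format, the seeded known flow and the log lines are constructed for the example.

```python
"""A fast-and-light correlation engine over firewall sensor events.

Added example, not Ansaldo STS code. It keeps only a sliding window in memory
(realtime response, no archiving) and raises two kinds of alert that a single
firewall module's log cannot show on its own:
  multi-plant-probe  the same source denied by several plant firewalls in one window
  novel-flow         an accepted flow never seen before in the known scheme
Duplicate alerts inside the window are suppressed to keep false positives down.
The log format and the lines below are constructed for the example.
"""
import re
from collections import deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

Alert = Tuple[int, str, object]   # (timestamp, kind, key)
Flow = Tuple[str, str, str]       # (src, dst, dport)

# Constructed format: epoch seconds, sensor name, verdict, src, dst, dport.
LINE = re.compile(r"^(?P<ts>\d+) (?P<sensor>\S+) (?P<action>deny|accept) "
                  r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


class Correlator:
    def __init__(self, window: int = 60, min_sensors: int = 2,
                 known_flows: Iterable[Flow] = ()) -> None:
        self.window = window
        self.min_sensors = min_sensors
        self.denies: Deque[Tuple[int, str, str]] = deque()   # (ts, src, sensor)
        self.known: Set[Flow] = set(known_flows)            # the "scheme": expected flows
        self.recent: Dict[Tuple[str, object], int] = {}     # (kind, key) -> ts of last alert
        self.unparsed = 0

    def _expire(self, now: int) -> None:
        """Drop everything older than the window; nothing is archived."""
        while self.denies and now - self.denies[0][0] > self.window:
            self.denies.popleft()
        self.recent = {k: ts for k, ts in self.recent.items() if now - ts <= self.window}

    def _alert(self, now: int, kind: str, key: object) -> List[Alert]:
        if (kind, key) in self.recent:      # already reported in this window
            return []
        self.recent[(kind, key)] = now
        return [(now, kind, key)]

    def feed(self, line: str) -> List[Alert]:
        m = LINE.match(line.strip())
        if not m:
            self.unparsed += 1              # counted, never silently dropped
            return []
        e = m.groupdict()
        now = int(e["ts"])
        self._expire(now)
        if e["action"] == "deny":
            self.denies.append((now, e["src"], e["sensor"]))
            sensors = {s for _, src, s in self.denies if src == e["src"]}
            if len(sensors) >= self.min_sensors:
                return self._alert(now, "multi-plant-probe", e["src"])
            return []
        flow: Flow = (e["src"], e["dst"], e["dport"])
        if flow in self.known:
            return []
        self.known.add(flow)                # novelty: alert once, then it is part of the scheme
        return self._alert(now, "novel-flow", flow)


def run_log(text: str, corr: Correlator) -> List[Alert]:
    alerts: List[Alert] = []
    for line in text.splitlines():
        alerts.extend(corr.feed(line))
    return alerts


# One flow expected between two plant addresses, known at project time (constructed).
KNOWN_FLOWS: List[Flow] = [("10.1.1.20", "10.1.1.10", "502")]

# Constructed sensor output from three plant firewalls.
LOG = """\
1000 plant1-fw accept src=10.1.1.20 dst=10.1.1.10 dport=502
1005 plant1-fw deny src=198.51.100.7 dst=10.1.1.10 dport=22
1010 plant2-fw deny src=198.51.100.7 dst=10.2.1.10 dport=22
1012 plant3-fw deny src=198.51.100.7 dst=10.3.1.10 dport=22
1020 plant1-fw accept src=10.1.1.20 dst=10.1.1.10 dport=502
1030 plant2-fw accept src=10.9.9.9 dst=10.2.1.10 dport=23
1100 plant1-fw deny src=203.0.113.4 dst=10.1.1.10 dport=80
this line is not a firewall event
"""

if __name__ == "__main__":
    for ts, kind, key in run_log(LOG, Correlator(known_flows=KNOWN_FLOWS)):
        print(ts, kind, key)
```

Run on the constructed log, the engine raises exactly two alerts: the probe from 198.51.100.7 once it has been denied at a second plant (the third plant's deny is folded into the same alert), and the never-seen flow from 10.9.9.9. The single deny at 1100 raises nothing, and by then the window has already forgotten the earlier events, so memory stays bounded by the window rather than by the log. Seeding the known flows from the asset database is what turns novelty detection from noise into a useful signal; without a seeded scheme, the first minutes of every run would alert on normal traffic.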
Slide 15
The 11th hour (a.m.?)
Cyber Security = Defense line
Do we simply wait for vulnerabilities to become actual threats, or can we advance from here, and provide for new services?