Threats, risks, actors, trends, attack techniques, defense issues and possible future scenarios for Critical Infrastructures in the age of cyber insecurity.
ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity by Andrea Zapparoli Manzoni
1. Critical Infrastructures in the Age of Cyber Insecurity
Andrea Zapparoli Manzoni
General Manager / Security Brokers
Application Security Forum - 2013
Western Switzerland
15-16 October 2013 - Y-Parc / Yverdon-les-Bains
http://www.appsec-forum.ch
2. Agenda
“Critical Infrastructures in the Age of Cyber Insecurity”
Who am I
Cyber Insecurity is the new norm
Why are we here
Impacts of Cyber Insecurity on Critical Infrastructures
Latest Incidents
Remediations ?
Conclusions
3. Who am I
Founder, General Manager, Security Brokers
Founder, CEO, iDIALOGHI
«Cyberworld» WG Member at OSN/Ce.Mi.S.S.
APASS Board Member / Information Warfare lead res.
Assintel Board Member / ICT Security WG leader
Clusit Board Member / lecturer (SCADA, Social Media Sec, Anti-fraud, DLP…)
Co-author of the Clusit Report (2012 and 2013)
5. Why are we here
#1. ICT Products are not as secure as you may think (= insecure by design)
The Fiat on the right was my first car, back in 1987 (it was built in 1971). I was very proud
of it and, after all, it worked well. But it had NO built-in security whatsoever. No brakes,
no seat belts, no ABS, ESP, airbag, headrests, no passive security – nothing.
Today’s ICT is somewhat like my 1971 Fiat, in terms of built-in security. Really.
As a consequence, in 2012 this inherent cyber insecurity had an estimated global (direct and indirect) cost of USD 388 billion (roughly Denmark's GDP).
6. Why are we here
# 2. Cybercrime is the “best” investment on the planet
And attack techniques developed by cybercrime are quickly adopted by other actors…
7. Why are we here
#3. There is a huge, growing market for 0-days, and it is becoming “mainstream”
We receive offers of this kind almost daily… on LinkedIn!
9. So, in a nutshell
2012: +150% serious cyberattacks worldwide vs. 2011
Huge growth in the number of attackers and in offensive capabilities
Everyone is now a target (citizens, corporations, institutions, Gov/Mil)
Every platform is now a target (PCs, mobile, social, cloud, SCADA…)
Traditional defenses are not working anymore
Return on Investment (ROI) for attackers is extremely high
Risks for attackers are still extremely low
Growing risk of systemic “Black Swans” (HILP: high-impact, low-probability events)
Lack of effective legislation and of tools for law enforcement agencies (LEAs)
How do we handle all these issues and mitigate these threats?
How do we (re)shape our CIs to prevent these attacks?
11. Impacts of Cyber Insecurity on CI
In the last 5 years, Information and Cyber Warfare have become a reality. Many
actors are developing these capabilities, and many of them are not Nation States.
12. Impacts of Cyber Insecurity on CI
Sorry. You should have attended the Conference to see this slide.
13. Impacts of Cyber Insecurity on CI
Cyber warfare includes a very broad spectrum of digital attack techniques, originally developed by cyber criminals but now within the reach of a growing number of actors, which are used for different purposes, with variable intensity and against any kind of target (critical infrastructures, government systems, military systems, companies of all sizes, banking, media, private citizens, ...)
Nation States
IC / LEAs
Organized Cybercrime
Hacktivists
Industrial Spies
Terrorists
Corporations
Mercenaries
all against all
15. Latest Attacks
The number of known SCADA vulnerabilities has increased 25-fold since 2010.
50% of these vulnerabilities allow code execution.
Exploits exist for 35% of them.
41% of them are critical. More than 40% of systems reachable from the Internet can be compromised by unskilled attackers. (Metasploit, anyone?)
54% of Internet-reachable systems in Europe and 39% in North America are vulnerable.
……Search for yourself on Shodan
26. Remediations ?
#2. Assume compromise. 94% of the 7,200 known web-based interfaces connected to CIs in the US were attacked in 2012. Several of them were breached.
27. Remediations ?
#3. “Defense in depth” must become your new mantra. Firewalls are cool, but… ☺
Then repeat to yourself several times a day: “Air gapping doesn't work anymore”….
28. Remediations ?
#4. Monitor everything. Evaluate risks in real time. Manage your vulnerabilities 24/7/365.
Adopt a Secure Development Life Cycle. Develop and test your BC/DR (business continuity / disaster recovery) processes.
29. Conclusions
• The “recent” convergence and standardization of previously closed, proprietary systems, and the growing adoption of off-the-shelf (OTS) hardware and software components, have opened Critical Infrastructures up to security threats traditionally found only in the IT sector. Especially when connected to the Internet, these systems are in great danger.
• We are witnessing the widespread use of stealthy, customized malicious software that specifically targets SCADA systems, and the rise of a huge 0-day market.
• Due to high availability and performance requirements, combined with legacy technologies, SCADA systems often lack the capability to support forensic analysis during or after an incident or system failure. Even when it is technically possible, many organizations don't have the real-time monitoring and post-incident analysis tools needed to distinguish a normal system failure from malicious activity.
• This is why CI administrators are unable to determine whether their systems experienced a normal failure or a cyber attack. This uncertainty is being actively leveraged by attackers and (IMHO) is the BIGGEST issue in CI / industrial automation environments.
• Last but not least, specific skills are lacking in both quality and quantity. We need more experts asap (both on the end user / customer side and on the consulting firm side).
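To make the monitoring gap concrete (remediation #4, “Monitor everything”, and the conclusion that operators cannot tell a normal failure from an attack), here is an added example; it is mine, not code from the talk or from any product it mentions. It runs a small baseline-based detector over Modbus/TCP request records: writes from a host that is not a known master are flagged, reads from an unknown master are flagged as reconnaissance, and the diagnostic request that puts a device into “listen only” mode is flagged from any source, because from the control room that request looks exactly like a PLC going down. The log format, the IP addresses and the allow-list of masters are all constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (not real traffic): one Modbus/TCP request per line,
# in the shape a span-port collector or protocol-aware IDS might record it.
SAMPLE_LOG = """\
2013-10-15T08:00:01Z src=10.10.1.20 dst=10.10.2.5 unit=1 fc=3 addr=0 qty=10
2013-10-15T08:00:02Z src=10.10.1.20 dst=10.10.2.6 unit=1 fc=3 addr=0 qty=10
2013-10-15T08:00:03Z src=10.10.1.20 dst=10.10.2.5 unit=1 fc=16 addr=100 qty=2
2013-10-15T08:00:04Z src=10.10.1.77 dst=10.10.2.5 unit=1 fc=3 addr=0 qty=125
2013-10-15T08:00:05Z src=10.10.1.77 dst=10.10.2.5 unit=1 fc=5 addr=7 qty=1
2013-10-15T08:00:06Z src=10.10.1.77 dst=10.10.2.6 unit=1 fc=5 addr=7 qty=1
2013-10-15T08:00:07Z src=10.10.1.77 dst=10.10.2.6 unit=1 fc=8 sub=4 addr=0 qty=0
2013-10-15T08:00:08Z src=10.10.1.20 dst=10.10.2.6 unit=1 fc=3 addr=0 qty=10
"""

# Hosts allowed to act as Modbus masters (HMI / engineering workstation).
# Assumed for the example; in practice this comes from the asset inventory.
ALLOWED_MASTERS = {"10.10.1.20"}

# Function codes that change process state: Write Single Coil, Write Single
# Register, Write Multiple Coils, Write Multiple Registers.
WRITE_FCS = {5, 6, 15, 16}
# Diagnostics (FC 8) sub-function 4, "Force Listen Only Mode": the target
# stops answering, which from the control room looks like a plain outage.
DIAG_FC, FORCE_LISTEN_ONLY = 8, 4

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) unit=(?P<unit>\d+) "
    r"fc=(?P<fc>\d+)(?: sub=(?P<sub>\d+))? addr=(?P<addr>\d+) qty=(?P<qty>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    src: str
    dst: str
    fc: int


def parse(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("unit", "fc", "addr", "qty"):
        rec[key] = int(rec[key])
    rec["sub"] = int(rec["sub"]) if rec["sub"] is not None else None
    return rec


def classify(rec, allowed_masters):
    """Map one request to a rule name, or None if it matches the baseline."""
    if rec["fc"] == DIAG_FC and rec["sub"] == FORCE_LISTEN_ONLY:
        # Flagged regardless of source: a legitimate master has no business
        # silencing a device during normal operation either.
        return "force-listen-only"
    if rec["src"] not in allowed_masters:
        return "unauthorized-write" if rec["fc"] in WRITE_FCS else "unknown-master"
    return None


def analyze(log_text, allowed_masters=ALLOWED_MASTERS):
    """Run every record through the rules and return the resulting alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # malformed record: skip rather than crash the detector
        rule = classify(rec, allowed_masters)
        if rule:
            alerts.append(Alert(rule, rec["ts"], rec["src"], rec["dst"], rec["fc"]))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. for a dashboard tile."""
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.rule:18} {a.src} -> {a.dst} fc={a.fc}")
    print(summarize(found))
```

On the sample, the unknown host 10.10.1.77 first reads a full register block (reconnaissance), then forces coil 7 on two PLCs, then sends FC 8 sub-function 4 to 10.10.2.6. The last record is the legitimate HMI polling 10.10.2.6 again; on a real network that poll would simply time out, and without the record of the preceding request the operator would log a “PLC failure” and call maintenance. Run `python detector.py` to see the four alerts. Raising the allow-list to include 10.10.1.77 (say, a newly commissioned engineering laptop) silences the first three but not the force-listen-only alert, which is the point of keeping that rule source-independent.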