Aare reintam estonia_ciip_activites

Date post: 18-Nov-2014
Upload: se-cts-cert-gov-md
Description:
Overview of practical CIIP activities in EE Aare Reintam ISKE area manager CIIP unit
Transcript
Page 1: Aare reintam estonia_ciip_activites

www.ria.ee

FOR OFFICIAL USE ONLY

Estonian

Overview of practical CIIP activities in EE

Aare Reintam, ISKE area manager

CIIP unit

Page 2: Aare reintam estonia_ciip_activites

Outline of my talk

• What is the aim of protecting CII?

• Community building

• Activities - security assessments and port scanning

• Legislation, regulations, ICS/SCADA guidelines

Page 3: Aare reintam estonia_ciip_activites

When talking about CII protection

• We mean vital services that depend on IT systems

• Electricity supply (production, transmission, distribution)

• Data communications

• Water supply and sewerage

• Air navigation service

• …

• 43 vital services in total

Page 4: Aare reintam estonia_ciip_activites


Page 5: Aare reintam estonia_ciip_activites

CII incidents and impact on economy

• Some examples of this year's CII incidents in Europe

| Sector | Time | Impact | Reason |
|---|---|---|---|
| Energy | Sept 2013 | Electricity distribution for the whole county was interrupted for 2,5 hours | Software error |
| Railway transport | March 2013 | 3-hour interruption of train service between two main cities in Europe | Optical cable breakage. The trains' leading dispatcher was unable to carry out work and had to stop the traffic |
| Air transport | August 2013 | 3-hour interruption of air travel service in X city. No planes could land. | Flight control software error. |

Page 6: Aare reintam estonia_ciip_activites

Community building

• CIIP lead (expert / mid-management level)

• SCADA workgroup

• CII protection council

• Annual CIIP conference

• CERT-EE lead (expert level)

• Government system administrators

• ISP & hosting abuse handlers

• CERT + CIIP joint events

• 0ct0b3rf3st

• EISA management lead:

• Quarterly reports to high government officials

• Seminars for management

Page 7: Aare reintam estonia_ciip_activites

How to keep communities running?

• Regular meetings on interesting topics

• Share information

• State sponsored training, seminars, conferences etc.

• 5 day advanced SCADA security

• Netflow, IDS, logging

• Managing small office networks (SOHO)

• …

• Social events

Page 8: Aare reintam estonia_ciip_activites

Security assessment projects

• Find out the “real” security level of a vital service provider

• Based on attack scenarios

• Verifying them with penetration testing

• State sponsored

• We are using 3rd party consultants

Page 9: Aare reintam estonia_ciip_activites

Sample security assessment task list

• Information gathering from public sources

• Corporate LAN security assessment (Windows domain, servers, workstations, Wi-Fi etc.)

• Network perimeter testing (from corporate <-> SCADA <-> control network)

• Assessment of SCADA servers, operator workstations, etc.

• Remote access to networks (VPN)

• Physical security

Page 10: Aare reintam estonia_ciip_activites

Finding CII equipment from the Internet

• Locating possibly vulnerable devices before the “bad guys”

• Notifying the owner and explaining the risk

• Using shodanhq.com and other tools

Page 11: Aare reintam estonia_ciip_activites

Legislation & guidelines

• We are giving input to the Ministry of Justice to amend the appropriate legislation.

• A security measures regulation is established:

• Security responsibilities have to be in place when providing vital services

• Implement a security standard (ISO 27001, our own local standard “ISKE”, or an industry-specific one)

• ICS/SCADA security guidelines

• 25 security controls

Page 12: Aare reintam estonia_ciip_activites

To sum up

• Incidents happen on a daily basis

• Legislation alone is not enough

• There has to be a balance of responsibility between the state and service providers

• People are important

Page 13: Aare reintam estonia_ciip_activites

Thank You!

www.ria.ee

Aare Reintam

