CSIRS Transport Security, September 2011, v3.6

Date post: 25-Jun-2015
Upload: david-spinks
Page 1

Cyber Security in Real-Time Systems

Transport Security Event – Olympia: “Advanced Persistent and Insider Threats”

David Spinks – Chairman CSIRS

September 2011

CSIRS Cyber Security in Real-Time Systems

Page 2

Introduction

Page 3

Linkedin CSIRS : http://www.linkedin.com/groupRegistration?gid=3623430

Page 4

Why me?

Page 5

1970/75 – World's First Large-Scale Automation

Page 6

1990 - 2000

Railtrack Safety Critical Software

Sizewell B emergency shutdown software: code validation

UK Government assessment of embedded software in aviation

Page 7

Current Business Environments & Drivers

Page 8

Smart Grid

Cost Reduction by Private Utilities

Emerging and Changing Threat Profile

Integration of Real Time <> Commercial IT

Real Time (SCADA) based on Windows

Use of wireless to effect remote management

Real Time designed by “engineers”

Page 9

Threats: Current Trends

Page 10

Stuxnet Changed Everything

Expertise

Gather Intelligence

Social Engineering

Focused

The first advanced persistent threat (APT)

Page 11

Why is APT different?

Multiple entry points across supplier chain

Focus on social engineering and use of insiders.

Gathering of intelligence across a range of suppliers.

Attack has a complex event sequence across multiple technologies.

Malware is sophisticated and likely developed and proved on test beds.

Page 12

Do not place designs of nuclear plants in the public domain!

http://www.prleap.com/pr/167858/

eXtremeDB Embedded In-Memory Database Adds Safety and Efficiency In Nuclear Waste Processing Control System

Page 13

So have there been any other APTs since Stuxnet?

Many successful security attacks have been designated as APT by the company that has been breached.

Closest to this model is the RSA breach: entry via EMC, staff exposed to phishing attacks, lack of an RSA CSO ......

Farthest away are the repeated breaches suffered by Sony ....

Many organisations have a history of under-investment in Information Security ....

Page 14

Insider Threats

Page 15

What is an insider threat?

A breach, or part of an attack, executed from within the existing trust domain(s) by an individual who holds some form of existing authentication.

The breach event may be deliberate or accidental. The individual may be a current or past employee, contractor, customer, partner or supplier.

The individual will have a “motive” which may or may not be logical.

Many insider threats will be trivial actions that form an intelligence-gathering exercise.

Page 16

Why is an insider threat so dangerous?

Immediate compromise of traditional security perimeter!

Traditional baseline security measures are ineffective

Traditional concepts of “trust” are invalid - many frauds and thefts are executed with the assistance of employees and executives! No-one is immune to potential compromise.

Pilot studies using DLP software and tools show a staggeringly high number of deliberate security breaches executed by a high percentage of all staff. Ignorance of policy ... finding ways around the rules. Stupidity!

Page 17

Possible defence and detection

Security training and awareness

Communication and implementation of penalties.

Concept of “you will be caught” and an example will be made.

Security culture

Evaluation of suppliers and partners (supply chain!)

Use of DLP and Log Analysis

Good HR policies and procedures for monitoring behaviours

Page 18

What actions do we need to consider?

Page 19

Understanding

Design Solution

Implement

Manage & Improve

Possible Cyber Security Solution

Implementation of baseline security

Implementation of APT detection and response

ISO 27001, CobiT 4.1/5.0

Page 20

Implementation of baseline security examples

Robust Identity Management solutions (RBAC)

Basic log collection, analysis and reporting

Intrusion detection and prevention

Penetration testing of external facing firewalls

Security training and awareness (defending social engineering and phishing)

Encryption of critical and sensitive data

Mandatory, no exceptions, executive led. Will not detect or mitigate APT.

Page 21

Advanced security measures:

PKI/Digital signatures and key management

Data loss prevention, proactive and reactive.

Integrated approach to log analysis (applications and IdM) with real-time alerts to the SOC

Application and web hosting code analysis

Governance, Risk and Compliance in real-time

Security incident and near-miss reporting.

Mandatory, no exceptions, executive led.
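The integrated log analysis the slide calls for, as an added example that is not part of the original deck: it joins constructed IdM records (granted roles and leaving dates, matching the insider definition on page 15 and the RBAC baseline on page 20) with constructed application access logs and raises SOC alerts for access after deprovisioning or outside granted roles. All identities, applications, role names and log lines below are assumptions made for the example.

```python
# Added example (not from the CSIRS deck): correlate IdM state with application
# access logs to raise SOC alerts for two insider-threat indicators the talk
# describes: a past employee/contractor still using an application after
# deprovisioning, and an identity using an application outside its RBAC roles.
from datetime import datetime

# Constructed IdM state: identity -> (roles granted, deprovisioning time or None)
IDM = {
    "alice": ({"scada_operator"}, None),
    "bob":   ({"scada_operator"}, datetime(2011, 9, 1, 17, 0)),  # contractor, left 1 Sep
    "carol": ({"hr_clerk"}, None),
}

# Constructed RBAC map: application -> roles permitted to use it
APP_ROLES = {"hmi_console": {"scada_operator"}, "payroll": {"hr_clerk"}}

# Constructed application access log, one event per line:
# "<date> <time> <user> <application> <action>"
LOG = """2011-09-02 08:15:00 alice hmi_console login
2011-09-02 22:40:00 bob hmi_console login
2011-09-03 09:05:00 carol hmi_console read_setpoints
2011-09-03 09:06:00 carol payroll login"""


def parse_log(text):
    """Yield (timestamp, user, app, action); malformed lines raise ValueError."""
    for line in text.splitlines():
        date, time, user, app, action = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), user, app, action


def correlate(idm, app_roles, log_text):
    """Return SOC alerts as (severity, user, reason) tuples, in log order."""
    alerts = []
    for ts, user, app, action in parse_log(log_text):
        if user not in idm:  # no IdM record at all: nothing to trust
            alerts.append(("high", user, f"unknown identity used {app}"))
            continue
        roles, deprovisioned = idm[user]
        if deprovisioned and ts > deprovisioned:
            alerts.append(("high", user,
                           f"{action} on {app} after deprovisioning at {deprovisioned:%Y-%m-%d %H:%M}"))
        if not roles & app_roles.get(app, set()):
            alerts.append(("medium", user,
                           f"{action} on {app} outside granted roles {sorted(roles)}"))
    return alerts


if __name__ == "__main__":
    for severity, user, reason in correlate(IDM, APP_ROLES, LOG):
        print(f"[{severity}] {user}: {reason}")
```

Running it flags bob's login after his leaving date and carol reading setpoints on the HMI console without an operator role; alice's and carol's in-role access produces no alert.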

Page 22

Conclusions:

APTs are very difficult to detect and, once detected, to defend against.

Expenditure on security processes and tools needs to be increased.

Security should be implemented top down with executive sponsorship.

All employees are part of the defence; silver bullets will not work.

Page 23

Thank you

Q&A

[email protected]@gmail.com

