Your partner for information protection

Cyber security awareness of critical infrastructures in N/E of Italy: scenarios and guidelines for self-assessment

(Slovenian title: Cyber security awareness and critical infrastructure in northern Italy: scenarios and guidelines for carrying out a self-assessment)

Luca Moroni – Via Virtuosa
INFOSEK 2016 - Nova Gorica – 1/12/2016
Who am I

Luca Moroni

ISACA VENICE research team coordinator
✔ Research n.1: Vulnerability and Penetration Test. User's guidelines about third party penetration tests.
✔ Research n.5: Cyber Security Awareness of N/E Italian Critical Infrastructures: Scenarios and Guidelines for self-assessment
Member of ISACA VENICE Chapter translation team
✔ Securing Mobile Devices – ITA
Research team coordinator, Cybersecurity Risk Insurance
Graduated in Computer Science (1989, Milan), CISA and ITIL V3 certified, plus other technical certifications
Focused on cybersecurity since 2000 and lecturer in several seminars on this topic
Founder of the innovative company Via Virtuosa, which focuses on scouting and promoting expertise in cybersecurity and IT governance in NE Italy.
Thanks to my team in this research

Giuseppe Esposito CISA, PMP, LA 27001, CSA-STAR, 22301, 9001, ITIL-V3 Foundation, ISO2000 Foundation
Alessandro Guarino LA 27001
Pierluigi Sartori CISSP, CISM, CGEIT, CRISC, MBCI
and Chapter past president Orillo Narduzzo for the trust
In 2014, this question:

Have you ever done an internal cybersecurity analysis?
(chart: Yes / No / No need)

Vulnerability Assessment and Penetration Test. User's guidelines for selecting third-party penetration tests.
Here the analysis consists of a series of processes that simulate the actions normally performed by an employee or consultant on the internal network.
Disaster, 9 October 1963 - Vajont Dam. During initial filling, a massive landslide caused a man-made megatsunami in the lake. https://en.wikipedia.org/wiki/Vajont_Dam
But what if it had been a company or a PA (public administration) with an impact on social life?
What is a Critical Infrastructure (IC)?

An infrastructure is considered critical in Europe if an incident would have a serious impact on the social life of citizens, that is, for example, on health, physical and logical security or the economic well-being of citizens or the effective functioning of the State; or if it could lead to serious social consequences or other dramatic consequences for the community.
What is an Italian Critical Sector?

• Energy
• Telecommunications
• Water
• Food
• Health
• Transport
• Banks
• Civil defence
• ALL COMPANIES IN WHICH DAMAGE TO SYSTEMS IMPACTS LIFE
Cyber Threat for Italian IC

9/3/2014: for the first time the Italian Cabinet puts the cyber threat first.
Italy has one of the highest rates in Europe of medium, small and micro enterprises, which hold assets in terms of know-how.
Two main problems:
1) Stakeholders using cyber tools
2) Small and medium-sized enterprises are far less protected
Source: http://www.agendadigitale.eu/infrastrutture/722_cybercrime-danneggia-il-sistema-italia-per-20-40-mld-annui.htm
Cyber Threat for Slovenian IC

Feb. 2016: Special attention should be given to the legislative and regulatory framework that addresses issues related to the protection of critical infrastructure in the IC support sector.
Source: http://www.mizs.gov.si/fileadmin/mizs.gov.si/pageuploads/Informacijska_druzba/pdf/Cyber_Security_Strategy_Slovenia.pdf
® White Paper 2013 ISACA Venezia
Cyber Security Awareness of Critical Infrastructures in North East of Italy: Scenario and Guidelines for self-assessment
Survey on 55 companies

The companies belong to the critical sectors of North East Italy:
Emergency, Food, Water, Telecommunications, Health, Transport, Banks, Civil Defence, Energy
(chart: Yes / No)
QUESTION: Have you ever had any IT security problems?
(chart: Yes / No)

QUESTION: Is there a spending forecast specifically dedicated to IT security?
(chart: Yes / No)

Scenario

QUESTION: Assuming that you have a critical infrastructure, are you aware that a violation of your IT systems may have consequences outside your company?
(chart: Yes / No)
Factory's scenario

• Regulations: decided by the EU and focused on IC and its IT security systems
• Italy also adds SMBs
• Cyber attacks spread
• Principles work for all, not just for designated IC
• Approach based on risk management and its assessment, to understand the context in which the business operates
• If the production plant uses the same ICT technologies, it may suffer the same risks the data room does (see Stuxnet)
Source: BSI analysis about cyber security 2012
Factory: Cybersecurity evolution

               | YESTERDAY                                    | TODAY
ARCHITECTURE   | physical dedicated links                     | open network based on IP (ADSL, USB, WIFI)
TECHNOLOGY     | proprietary systems using specific protocols | standard systems with standard protocols
INCIDENTS      | low                                          | rapidly growing

SOURCE USA: http://www.scadahacker.com/
Factory: Top 10 Threats

• Unauthorised use of remote maintenance services (eg. )
• Online attacks through the office network
• Attacks on standard IT devices in the production plant network
• DDoS attacks
• Human errors or sabotage
• Introduction of viruses and Trojans through removable storage (USB, cameras, mobile phones, …)
• Reading and writing of unencrypted commands (VPN)
• Unauthenticated access to factory system resources (and default configurations)
• Violations of network devices
• Technical problems (backup configuration)
Source: BSI analysis about cyber security 2012
Production Manager vs. CIO

(cartoon: Paul and Steven)
"I must prepare to update!" (more interested in cybersecurity)
"What's the matter? It works!" (more interested in availability)
PROBLEM!
Production Manager vs. CIO

Security requirement     | Factory                                                   | IT
Security priority order  | Availability, Integrity, Confidentiality                  | Confidentiality, Integrity, Availability
Availability             | 24h x 365d (restart not possible)                         | Office time, 8h (restart possible)
Company risk             | In the worst cases very serious, even possible victims    | Money loss, privacy violation, brand reputation
Infrastructure longevity | 10-20 years                                               | 3-5 years
Response times           | Real time                                                 | Not important
Update times             | Depends on the producer, but long (once every 1~4 years)  | Frequent and regular
Update responsibility    | Production & Automation Office                            | IT Office
Security standard        | Different standards, defined by nation                    | International standard
Security objective       | Devices (equipment, products); services (continuity)      | Information security
QUESTION: Which of these IT security elements has never been taken into consideration?
(White Paper 2013 ISACA Venezia, survey on 55 companies)
Hacker ROI

More interest in cybersecurity vs. more interest in availability.
(cartoon bubble) "Where I create more damage, and maybe I can blackmail a company"
IC incidents evolution: yesterday vs. today

April 30, 2016: http://securityaffairs.co/wordpress/46824/malware/bwl-electric-ransomware.html
The level of information security will become a value and a reliable indicator for the company.
More responsibility is required.
Our contribution: a self-assessment tool

We created five checklists, one for each of the five areas of processes into which Business Continuity Management is decomposed for a critical infrastructure:
1. Preventive measures
2. Crisis management revision
3. Actual crisis management
4. Follow-up (after the crisis)
5. Trainings
First checklist: Preventive measures
Preventive measures concern the processes related to the prevention of disasters.
Example
Area "Preventive measures"
Section "Information Technology":
1.7.3.2 Are critical data stored in different places?
(This checks for backups located in multiple places)
Second checklist: Crisis management revision
The review of crisis management prepares the business environment so that there is an effective response to disastrous situations.
Example
Area "Crisis Management Revision"
Section "Requested information and archives"
2.1.5.3 Are all the necessary files at your fingertips?
(This checks that the files necessary for crisis management are available)
Third checklist: Actual crisis management
Management of the actual crisis includes the processes required to contain the consequences of a disaster when it happens.
Example
Area "Managing the real crisis"
Section "Treatment of critical data and archives"
3.2.9.1 Are media and critical files always kept in fire-proof and flood-proof containers?
(This checks the effectiveness of the security measures for archives and media during a disaster)
Fourth checklist: Follow-up (after the crisis)
The follow-up derives improvements to the management system from direct experience in managing a disaster.
Example
Area "Follow-up"
4.9 Was an inventory of damaged buildings, facilities and equipment made?
(Only when a crisis has actually occurred does this check on damaged equipment apply. The follow-up is used to improve the system from the direct experience of a crisis)
Fifth checklist: Trainings
Exercises test the response to a disaster.
Example
Area "Exercises"
Section "Generality"
5.1.3 Are the internal and external communication channels tested?
(Exercises are necessary to keep the whole structure prepared to face a possible crisis. Communication channels are one of the infrastructures necessary to ensure efficient management of disasters)
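The five checklists are answered yes/no item by item, and the conclusions call for a gap analysis per area. As an added example (not the ISACA Venice tool itself), the Python below scores such answers per area, using the five quoted questions as a constructed sample and treating follow-up items as not assessable unless a crisis has actually occurred; the area names, item ids and answers are assumptions for illustration.

```python
"""Per-area gap analysis for the five-area business-continuity checklist.

Added example, not the ISACA Venice self-assessment tool itself: the items
below are constructed from the five questions quoted in the talk, and the
area.section.item numbering follows the talk's scheme.
"""

# Area names keyed by the leading digit of each item id (the talk's five areas).
AREAS = {
    1: "Preventive measures",
    2: "Crisis Management Revision",
    3: "Actual crisis management",
    4: "Follow-up (after the crisis)",
    5: "Trainings",
}

# Constructed sample: (item id, question, applies only after a real crisis).
CHECKLIST = [
    ("1.7.3.2", "Are critical data stored in different places?", False),
    ("2.1.5.3", "Are all the necessary files at your fingertips?", False),
    ("3.2.9.1", "Are media and critical files kept in fire/flood-proof containers?", False),
    ("4.9", "Was an inventory of damaged buildings, facilities and equipment made?", True),
    ("5.1.3", "Are the internal and external communication channels tested?", False),
]


def area_of(item_id: str) -> str:
    """Map an item id such as '3.2.9.1' to its area via the leading digit."""
    return AREAS[int(item_id.split(".")[0])]


def gap_analysis(answers: dict, crisis_occurred: bool = False) -> dict:
    """Count yes / no / n/a per area and compute coverage = yes / (yes + no).

    answers maps item id -> 'yes' or 'no'. A missing answer counts as 'no':
    an unverified control is a gap. Follow-up items are 'n/a' (not scored)
    unless a crisis actually occurred, as the talk notes for area 4.
    """
    counts = {name: {"yes": 0, "no": 0, "n/a": 0} for name in AREAS.values()}
    for item_id, _question, after_crisis_only in CHECKLIST:
        area = area_of(item_id)
        if after_crisis_only and not crisis_occurred:
            counts[area]["n/a"] += 1
            continue
        counts[area]["yes" if answers.get(item_id) == "yes" else "no"] += 1
    for c in counts.values():
        scored = c["yes"] + c["no"]
        c["coverage"] = round(c["yes"] / scored, 2) if scored else None
    return counts


def gaps(answers: dict, crisis_occurred: bool = False, threshold: float = 1.0) -> list:
    """Areas whose coverage falls below threshold (unassessable areas excluded)."""
    report = gap_analysis(answers, crisis_occurred)
    return sorted(area for area, c in report.items()
                  if c["coverage"] is not None and c["coverage"] < threshold)


if __name__ == "__main__":
    # Constructed answers from a hypothetical company; 4.9 is left unanswered.
    sample = {"1.7.3.2": "yes", "2.1.5.3": "no", "3.2.9.1": "yes", "5.1.3": "yes"}
    for area, c in gap_analysis(sample).items():
        print(f"{area:30s} yes={c['yes']} no={c['no']} n/a={c['n/a']} coverage={c['coverage']}")
    print("gaps:", gaps(sample))
```

With the sample answers the only gap is "Crisis Management Revision"; re-running with crisis_occurred=True also scores the unanswered follow-up item as a gap.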
Conclusions

• Europe must impose management of the problem and support companies' costs.
• Recognised standards, such as ISO 27001 or COBIT, are poorly adopted by companies because they are not perceived as a value.
• Some critical sectors (eg. banks) already use cybersecurity framework standards (eg. ITA 263).
• Our checklist can provide guidance to an auditor.
• A critical company must execute a gap analysis on its cybersecurity.
• SMB critical infrastructures and factories are a weakness of the State.
Why are we talking about this?
"LUCA! You are always catastrophic"
"LUCA! Too much fantasy"
Awareness
Italy, 13-4-2016: Italian electric generator controlled by anyone via the Internet
http://www.zeusnews.it/n.php?c=24139

Questions?
Thanks!
l.moroni@viavirtuosa.it

Free download:
http://www.isaca.org/chapters5/Venice/Benefits/Documents/ISACA_VENICE_QUADERNI_05_INFRA_CRITICHE.pdf