Cyber Security Awareness of Critical Infrastructures in North East of Italy: Scenario and Guide - Nova Gorica 2016
- 1. Your partner for information security
Cyber security awareness of critical
infrastructures in N/E of Italy: scenarios and
guidelines for self-assessment
Cyber security awareness and critical infrastructure
in northern Italy: scenarios and guidelines on how to carry out
a self-assessment
Luca Moroni – Via Virtuosa
INFOSEK 2016 - Nova Gorica – 1/12/2016
- 2. Who am I: Luca Moroni
ISACA VENICE research team coordinator
✔ Research n.1: Vulnerability and Penetration Test. User's guidelines
about third party penetration test.
✔ Research n.5: Cyber Security Awareness of N/E Italian Critical
Infrastructures: Scenarios and Guidelines for self-assessment
Member of ISACA VENICE Chapter Translation team
✔ Securing Mobile Devices – ITA
Research team coordinator Cybersecurity Risk Insurance
Graduation in Computer Science (1989 Milan), CISA and ITIL V3
certified and other tech certifications
Focused on Cybersecurity since 2000 and lecturer in some
seminars about this topic
Founder of the innovative company Via Virtuosa, which focuses
on scouting and promoting expertise in Cybersecurity and IT
governance in NE of Italy.
- 3. Thanks to my team in this Research
Giuseppe Esposito CISA, PMP, LA 27001, CSA-STAR, 22301, 9001, ITIL-V3 Foundation, ISO2000 Foundation
Alessandro Guarino LA 27001
Pierlugi Sartori CISSP, CISM, CGEIT, CRISC, MBCI
and
Chapter past president Orillo Narduzzo for the trust
- 4. In 2014 this question:
Have you ever done an internal Cybersecurity analysis?
Yes
No
No need
Vulnerability Assessment and Penetration Test: user's
guidelines for selecting third-party penetration tests,
where the analysis is composed of a series of processes that simulate the actions normally
performed by an employee or a consultant in the internal network.
- 5. Disaster, 9 October 1963 - Vajont Dam. During initial filling, a
massive landslide caused a man-made megatsunami in the
lake. https://en.wikipedia.org/wiki/Vajont_Dam
But what if it had been a company or a public administration (PA) with an
impact on social life?
- 6. An infrastructure is considered critical in
Europe if an incident would have a serious
impact on the social life of the citizens, that
is, for example, on health, physical and
logical security or economic well-being of
citizens or the effective functioning of the
State; or it could lead to serious social
consequences or other dramatic
consequences for the community.
What is a Critical Infrastructure (IC, from the Italian Infrastruttura Critica)?
- 7. • Energy
• Telecommunications
• Water
• Food
• Health
• Transports
• Banks
• Civil defence
• ALL COMPANIES IN WHICH DAMAGE TO
SYSTEMS IMPACTS LIFE
What is an Italian Critical Sector?
- 8. 9/3/2014: for the first time the Italian Cabinet puts the Cyber
Threat in first place.
Italy has one of the highest rates in Europe of medium, small
and micro enterprises, which hold assets in terms of know-how.
Two main problems:
1) Stakeholders using cyber tools
2) Small and medium-sized enterprises are far less protected
Source: http://www.agendadigitale.eu/infrastrutture/722_cybercrime-danneggia-il-sistema-italia-per-20-40-mld-annui.htm
Cyber Threat for Italian IC
- 9. Feb. 2016: Special attention should be given to the legislative and
regulatory framework that addresses issues related to the protection of
critical infrastructure in the IC support sector.
Source: http://www.mizs.gov.si/fileadmin/mizs.gov.si/pageuploads/Informacijska_druzba/pdf/Cyber_Security_Strategy_Slovenia.pdf
Cyber Threat for Slovenian IC
- 10. ® White Paper 2013 Isaca Venezia
Cyber Security Awareness of Critical Infrastructures in North East of Italy: Scenario and Guidelines for self-assessment
Survey on 55 companies
The companies belong to the critical sectors in the Italian North East:
Emergency, Food, Water, Telecommunications, Health, Transports, Banks, Civil Defence, Energy
- 11. QUESTION: Have you ever had any IT
security problems?
(Yes/No chart; survey on 55 companies, White Paper 2013 Isaca Venezia)
- 12. QUESTION: Is there a spending forecast
specifically dedicated to IT security?
(Yes/No chart; survey on 55 companies, White Paper 2013 Isaca Venezia)
- 14. QUESTION:
Assuming that you have a critical infrastructure, are you
aware that a violation of your IT systems may have consequences
outside your company?
(Yes/No chart; survey on 55 companies, White Paper 2013 Isaca Venezia)
- 15. • Regulations: decided by the EU and focused around IC and its IT
security systems
• Italy also adds SMBs
• Cyber attacks spread
• Principles work for all, not just for designated IC
• Approach based on risk management and on its assessment, to
understand the context in which the business is located
• If the Production Plant uses the same ICT technologies, it
may suffer the same risks the data room does (see Stuxnet)
Source: BSI analysis about cyber security 2012
Factory’s scenario
- 18. • Unauthorised use of remote maintenance services (eg. )
• Online attacks through the offices network
• Attacks to standard IT devices in the production plant network
• DDoS attacks
• Human errors or sabotage
• Introduction of Viruses and Trojans through removable storage (USB,
cameras, mobile phones, …)
• Reading and writing of unencrypted commands (VPN)
• Unauthenticated access to the factory system resources (and default
configurations)
• Violations of network devices
• Technical problems (backup configuration)
Source: BSI analysis about cyber security 2012
Factory: Top 10 Threats
- 19. Production Manager vs. CIO: PROBLEM!
Paul and Steven. One says "What's the matter? It works!" (more interested
in availability); the other says "I must prepare to update!" (more interested
in cybersecurity).
- 20. Production Manager vs. CIO: Factory security requirements vs. IT security requirements
Security Priority Order: Factory = Availability, Integrity, Confidentiality; IT = Confidentiality, Integrity, Availability
Availability: Factory = h24x365d (restart not possible); IT = office time 8h (restart possible)
Company Risk: Factory = in the worst cases very serious, even possible victims; IT = money loss, privacy violation, brand reputation
Longevity of infrastructure: Factory = 10-20 years; IT = 3-5 years
Response times: Factory = real time; IT = not important
Update times: Factory = it depends on the producer, but long (once every 1~4 years); IT = frequent and regular
Update responsibility: Factory = Production & Automation Office; IT = IT Office
Security Standard: Factory = different standards, defined by nation; IT = international standard
Security Objective: Factory = devices (equipment, products) and services (continuity); IT = information security
- 21. QUESTION:
Which of these IT security elements have you never taken into
consideration?
(Chart; survey on 55 companies, White Paper 2013 Isaca Venezia)
- 22. Hacker ROI
The same two sides: one more interested in cybersecurity, the other more
interested in availability.
The attacker: "Where I create more damage and maybe I can blackmail a company."
- 23. IC Incidents evolution: YESTERDAY vs. TODAY
April 30, 2016: http://securityaffairs.co/wordpress/46824/malware/bwl-electric-ransomware.html
- 24. The level of information security will
become a valuable and reliable indicator for
the company.
More responsibility is required
- 25. We created 5 checklists, one for each of the five process areas
into which Business Continuity Management for a Critical Infrastructure
is decomposed:
1. Preventive measures
2. Crisis Management Revision
3. Actual crisis management
4. Follow-up (after the crisis)
5. Trainings
Our contribution: a self-assessment tool
- 26. First check list: Preventive measures
Preventive measures concern the processes related to the
prevention of disasters.
Example
Area "Preventive measures"
Section "Information Technology":
1.7.3.2 Are critical data stored in different places?
(This checks for backups located in multiple places)
Our contribution: a self-assessment tool
- 27. Second check list: Crisis Management Revision
The review of crisis management prepares the business environment
so that there is an effective response to disastrous situations.
Example
Area "Crisis Management Revision"
Section "Requested information and archives"
2.1.5.3 Are the necessary files all at your fingertips?
(This checks for the files necessary for crisis management)
Our contribution: a self-assessment tool
- 28. Third check list: Actual crisis management
The management of a real crisis includes the processes required to contain the
consequences of a disaster when it happens.
Example
Area "Managing the real Crisis"
Section "Treatment of critical data and archives"
3.2.9.1 Are the media and critical files always kept in fire- and
flood-proof containers?
(This checks the effectiveness of the security measures for archives and media
during a disaster)
Our contribution: a self-assessment tool
- 29. Fourth check list: Follow-up (after the crisis)
The follow-up allows the elements of improvement of the management
system to be derived from direct experience in managing a disaster.
Example
Area "Follow-up"
4.9 Was an inventory made of damaged buildings, facilities and equipment?
(Only when a crisis did occur is a check on damaged equipment performed. The
follow-up is used to improve the system from the direct experience of a crisis)
Our contribution: a self-assessment tool
- 30. Fifth check list: Trainings
Exercises test the response to a disaster.
Example
Area "Exercises"
Section "Generality"
5.1.3 Are the internal and external communication channels tested?
(Exercises are necessary to keep the whole structure prepared to face a
possible crisis. The communication channels are one of the infrastructures
necessary to ensure efficient management of disasters)
Our contribution: a self-assessment tool
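As an added example (not the ISACA VENICE checklist tool itself), a small Python scorer for the five-area self-assessment described in slides 25 to 30: it holds the five items quoted on the slides, treats the follow-up item 4.9 as not applicable until a crisis has actually occurred, counts unanswered applicable items as gaps, rejects unknown item ids, and reports coverage and open gaps per area, which is the starting point for the gap analysis the conclusions call for. The data layout, the scoring rule and the not-applicable handling are assumptions made here, not the white paper's method.

```python
"""Self-assessment scorer for the five-area business-continuity checklist.

Added example, not the ISACA VENICE checklist tool itself. The five items are
the ones quoted on the slides; the data layout, the scoring rule and the
not-applicable handling for follow-up items are assumptions made here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five process areas in the deck's order. Assumption: the leading number of
# an item id (1.7.3.2 -> 1) identifies its area.
AREAS: Dict[int, str] = {
    1: "Preventive measures",
    2: "Crisis Management Revision",
    3: "Actual crisis management",
    4: "Follow-up (after the crisis)",
    5: "Trainings",
}


@dataclass(frozen=True)
class Item:
    item_id: str                      # e.g. "1.7.3.2"
    question: str
    only_after_crisis: bool = False   # item 4.9 applies only once a crisis has occurred


# The example items quoted on the slides (one per area).
CHECKLIST: List[Item] = [
    Item("1.7.3.2", "Are critical data stored in different places?"),
    Item("2.1.5.3", "Are the necessary files all at your fingertips?"),
    Item("3.2.9.1", "Are media and critical files kept in fire- and flood-proof containers?"),
    Item("4.9", "Was an inventory made of damaged buildings, facilities and equipment?",
         only_after_crisis=True),
    Item("5.1.3", "Are the internal and external communication channels tested?"),
]

Answer = Optional[bool]   # True = yes, False = no, None = nobody could answer


def area_of(item: Item) -> str:
    return AREAS[int(item.item_id.split(".", 1)[0])]


def assess(answers: Dict[str, Answer], crisis_occurred: bool) -> dict:
    """Score the answers and list the gaps, per area and overall.

    Follow-up items are not applicable until a crisis has actually occurred
    and are left out of both numerator and denominator. An applicable item
    that is unanswered counts as a gap: a control nobody can vouch for is
    not a control. Unknown item ids are rejected so that a typo in an id
    cannot silently pass as a satisfied item.
    """
    known = {item.item_id for item in CHECKLIST}
    unknown = sorted(set(answers) - known)
    if unknown:
        raise ValueError(f"unknown checklist items: {unknown}")

    per_area = {name: {"applicable": 0, "passed": 0} for name in AREAS.values()}
    gaps: List[str] = []
    for item in CHECKLIST:
        if item.only_after_crisis and not crisis_occurred:
            continue   # not applicable yet
        stats = per_area[area_of(item)]
        stats["applicable"] += 1
        if answers.get(item.item_id) is True:
            stats["passed"] += 1
        else:
            gaps.append(item.item_id)

    applicable = sum(s["applicable"] for s in per_area.values())
    passed = sum(s["passed"] for s in per_area.values())
    return {
        "per_area": per_area,
        "gaps": gaps,
        "coverage": passed / applicable if applicable else 0.0,
    }


def gap_report(result: dict) -> List[str]:
    """Human-readable lines: one per open gap, with its area and question."""
    by_id = {item.item_id: item for item in CHECKLIST}
    return [f"[{area_of(by_id[g])}] {g} {by_id[g].question}" for g in result["gaps"]]


if __name__ == "__main__":
    # Constructed sample answers for a company that has not yet faced a crisis.
    sample = {"1.7.3.2": True, "2.1.5.3": False, "3.2.9.1": True, "5.1.3": None}
    result = assess(sample, crisis_occurred=False)
    print(f"coverage: {result['coverage']:.0%}")
    print("\n".join(gap_report(result)))
```

Running the sample gives 50% coverage with two open gaps (2.1.5.3 and 5.1.3); setting `crisis_occurred=True` for the same answers adds item 4.9 to the gaps, because the follow-up inventory then becomes a control the company is expected to have performed.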
- 31. • Europe must impose a management of the problem and
support companies' costs.
• Recognized standards, such as ISO 27001 or COBIT, are poorly
adopted by companies because they are not perceived as a value.
• Some Critical sectors (eg. Banks) already use cybersecurity
framework standards (eg. ITA 263).
• Our check list can provide guidance to an auditor
• A Critical company must execute a Gap analysis on
cybersecurity.
• SMB Critical Infrastructures and factories are a State
weakness
Conclusions
- 32. LUCA! You are always catastrophic
Why are we talking about this?
- 33. Why are we talking about this?
LUCA! Too much fantasy
- 34. Why are we talking about this?
Awareness
Italy 13-4-2016
http://www.zeusnews.it/n.php?c=24139
Italian electric generator controlled by anyone via the Internet