Move securely within the cyberworld
Two national projects: Smart Grid Luxembourg Cockpit and IDS4ICS
28/06/2018
Dr. Carlo Harpes
itrust consulting s.à r.l.
55, rue Gabriel Lippmann, L-6947 Niederanven
Tel: +352 26 176 212 6
Fax: +352 26 710 978
Web: www.itrust.lu

0. Common concepts (also common with ATENA)
Idea 1: Independent security/risk monitoring
Independent tool for security at the management level (cf. MICIE)
Reference: H. Abdo, Mohamad Kaouk, Jean-Marie Flaus, François Masse. A new approach that considers cyber security within industrial risk analysis using a cyber bow-tie analysis. 2017. <hal-01521762>
Idea 2: Add more structure
Idea 3: Include security appliances and automate the risk analysis
Idea 4: Build upon TRICK Service
TRICK: Tool for Risk management of an ISMS based on a Central Knowledge base
1. Context & assets valuation (cf. 27005, 29134)
2. Gap analysis (27002, 27019, IEC 62443, 27552, …)
3. Qualitatively assess threats, vulnerabilities, risks
4. Quantified assessment of impacts and likelihoods
5. Risk treatment plan, sorted by phases and ROSI
6. DPIA compliant to GDPR, RAR compliant to CSSF
itrust consulting - 10 year anniversary - June 21st 2017
Advantage of dynamic risk assessments
Manual (static) assessment      ->  Dynamic assessment
Manual work                     ->  Generate analysis from model
Inconsistency                   ->  Consistent dependency model
Snapshot view                   ->  Real-time
Insufficient info               ->  Including logs and alerts
Logical architecture
• Manual: static risk analysis
• Automated: dynamic & dependency-aware risk analysis, built on a dependency model
• Risk monitoring platform, fed by an update check, a log monitor and intrusion detection
1. Smart Grid Luxembourg – Cockpit (SGLC) (2013-2017)
SGLC objectives
1. Contribute to security assessment and vulnerability search for the smart meter architecture
   1. Dependency model
   2. Pentest
3. Conceive tools and methods for traffic analysis and IDS
4. Design the feedback of detection information and its transformation into performance indicators to continuously update the estimated level of risk
   1. Firewall log parser
   2. Linux Software Checker
   3. Dependency model
   4. TRICK Cockpit (TRICK Service + dynamic risk analysis)
5. Integrate static risk assessment and dynamic feedback …
TRICK Cockpit architecture
• Firewall log parser
• Software checker for Linux
• IDS (work in progress)
TRICK screen shots
TRICK screen shots: qualitative classification of the number of risks versus real-time monitoring of total expected losses
2. Intrusion Detection System for Industrial Control Systems (IDS4ICS)
DepOT (Dependency Overview Tool), open source: https://draw.trickservice.com/
TRICK API
Security appliance --alert--> Risk monitoring agent --risk--> Risk monitoring platform
Example firewall log line received by the agent (the time fields are marked on the slide as the time-dependent placeholder):
time=1496221744, loc=4176575, fileid=1496181541, action=deny, orig=172.16.255.94, i/f_dir=inbound, i/f_name=eth0.000, product=VPN-1 & FireWall-1, rule=12, src=10.76.251.12, s_port=34505, dst=10.76.251.4, service=20200, proto=tcp
TRICK API: time-dependent severity
$S = T \cdot \left(\tfrac{1}{2}\right)^{\Delta u / I} = T \cdot 2^{-\Delta u / I}$
where S is the current severity of an alert, T its initial severity, Δu the time elapsed since the alert and I the half-life time, so the severity halves every I (plot on the slide: SEVERITY against time, with the HALF-LIFE TIME marked).
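As an added example (not the TRICK Cockpit or agent code), the firewall line shown above is parsed into fields, turned into an alert and decayed with the half-life formula; the action-to-severity mapping is a hypothetical assumption.

```python
# Constructed sample: a Check Point-style firewall log line in the format shown on the slide
SAMPLE_LOG = ("time=1496221744, loc=4176575, fileid=1496181541, action=deny, "
              "orig=172.16.255.94, i/f_dir=inbound, i/f_name=eth0.000, "
              "product=VPN-1 & FireWall-1, rule=12, src=10.76.251.12, s_port=34505, "
              "dst=10.76.251.4, service=20200, proto=tcp")

def parse_fw_log(line: str) -> dict:
    """Split a comma-separated key=value firewall log line into a dict of strings."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields

# Hypothetical initial severity T per firewall action (not the platform's own scale)
ACTION_SEVERITY = {"deny": 1.0, "drop": 1.0, "reject": 0.8, "accept": 0.1}

def alert_from_log(fields: dict) -> dict:
    """Build an alert record: timestamp, the fields worth keeping and initial severity T."""
    return {"time": int(fields["time"]),
            "src": fields.get("src"), "dst": fields.get("dst"), "rule": fields.get("rule"),
            "severity": ACTION_SEVERITY.get(fields.get("action", ""), 0.5)}

def decayed_severity(alert: dict, now: int, half_life: float) -> float:
    """S = T * (1/2)^(delta_u / I): the severity halves every half-life I (same unit as time)."""
    delta_u = max(0, now - alert["time"])
    return alert["severity"] * 0.5 ** (delta_u / half_life)

def total_severity(alerts, now: int, half_life: float) -> float:
    """Real-time total over all alerts still contributing to the risk picture."""
    return sum(decayed_severity(a, now, half_life) for a in alerts)
```

With a one-hour half-life, the "deny" alert contributes 1.0 at arrival, 0.5 one hour later and 0.25 after two hours.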
Self-learning and clustering
• Learn normal ("good") behaviour and create profiles ("clusters"): in the (pkt size, data rate) plane, one point is one network packet and one cluster groups similar network packets
• Raise alerts on new clusters
• Add fading ("fainting") to adapt to changes over time
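An added illustration of the clustering idea (not the IDS4ICS implementation): an online profiler over (pkt size, data rate) points that learns clusters, alerts when a packet opens a new one, and fades clusters that are no longer seen; scale, radius and fade parameters are hypothetical.

```python
import math

class Cluster:
    """One profile of similar packets: a centre in normalised (pkt size, data rate) space and a weight."""
    def __init__(self, center):
        self.center = list(center)
        self.weight = 1.0   # shrinks with every observation unless the cluster is hit again

class PacketProfiler:
    """Online clustering of (pkt size, data rate) points (hypothetical parameters):
    scale normalises the two features, radius is the match distance in normalised units,
    fade < 1 is the 'fainting' applied per observation, min_weight drops forgotten clusters."""
    def __init__(self, scale=(1500.0, 100.0), radius=0.1, fade=0.95, min_weight=0.2):
        self.scale, self.radius, self.fade, self.min_weight = scale, radius, fade, min_weight
        self.clusters = []

    def _norm(self, point):
        return [p / s for p, s in zip(point, self.scale)]

    def _nearest(self, npoint):
        best, best_d = None, math.inf
        for c in self.clusters:
            d = math.sqrt(sum((a - b) ** 2 for a, b in zip(npoint, c.center)))
            if d < best_d:
                best, best_d = c, d
        return best, best_d

    def observe(self, point, learning=False):
        """Feed one packet; returns True when it opens a new cluster while monitoring (an alert)."""
        for c in self.clusters:          # fainting: every profile ages a little
            c.weight *= self.fade
        self.clusters = [c for c in self.clusters if c.weight >= self.min_weight]
        npoint = self._norm(point)
        c, d = self._nearest(npoint)
        if c is not None and d <= self.radius:
            c.weight += 1.0              # refresh and pull the centre towards the packet
            c.center = [cc + (p - cc) / c.weight for cc, p in zip(c.center, npoint)]
            return False
        self.clusters.append(Cluster(npoint))
        return not learning             # new profile: expected while learning, an alert afterwards
```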
TRICK API: deployment overview
• TRICK Service: risk analysis tool with web interface
• Risk monitoring platform
• Intrusion detection: probes in the SCADA network, the office network and the DMZ
• DepOT: dependency modelling tool
26.06.2018
Next steps
• Merge with ATENA tools
• Apply in the SCADA testbed
• Find customers for pilot deployment
About itrust consulting
An SME from Luxembourg specialising in information security systems, with four business lines:
• Audit and hacking
• Consulting, innovation, sourcing
• Research and development
• Training and awareness
Skills and products brought collectively by all 20 employees:
• Organisational and technical audits: ISMS, archiving, BCP/DRP management, data protection
• Penetration testing: vulnerability scans and assessment, black- and white-box penetration tests, social engineering, certification and accreditation audits
• Malware.lu CERT
• Consulting, risk management: TRICK Service, DPIA, risk assessment on PKI and e-money, ISMS documentation, implementation
• Licensing: Software Checker, AVCaesar
• Research & development: H2020, national
• Standardisation
ISED 4/5/2018 itrust consulting: bIoTope: IoT (Security) Standards
About malware.lu CERT
CERT: Computer Emergency Response Team
• Incident response
• Forensic investigation
• Malware analysis
• R&D
• Participation in international conferences (Defcon Las Vegas, hack.lu)
• Knowledge transfer (APT1: technical backstage)
itrust consulting CERT respects the incident-handling guidelines provided by NIST:
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow-up
What we learned operating a CERT:
• a lot on threats and malware,
• that in the future, all organisations SHALL manage how to react to security incidents, i.e., have CERTs as partners / subcontractors.
About our research projects
On-going projects
• ATENA: Advanced Tools to assEss and mitigate the criticality of ICT componNents and their dependencies over infrAstructures
• bIoTope: Building an IoT OPen innovation Ecosystem for connected smart objects
• SGLC (SmartGrid Luxembourg-Cockpit): we will create a real-time risk monitoring tool for the Luxembourg smart meter network and similar ICS.
• IDS4ICS (PhD funded by FNR): PhD project with UniLux and Institut Telecom on intrusion detection systems and risk monitoring for industrial control systems
Former projects
• FP7 CockpitCI (Cybersecurity on SCADA: risk prediction, analysis and reaction tools for Critical Infrastructures): CockpitCI defined and implemented an online distributed risk predictor, and designed a tool able to detect critical situations such as cyber attacks and enable reaction strategies
• FP7 TREsPASS (Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security): we led the development and integration of the TREsPASS tools, such as attack tree tools, TRICK Service, …
• DIAMONDS (security testing): we developed malwasm, malware.lu CERT, …
• ESA project LASP (Localisation Assurance Service Provider): led by itrust consulting, the project aimed at developing a demonstrator to ensure location correctness (subcontractor: uni.lu)
• FP7 Liveline: Live Ict services Verified by EGNOS to find Lost Individuals in Emergency situations
• FP7 MICIE: design of a risk prediction tool for interdependent critical infrastructures
• CELTIC BUGYO Beyond (Building security assurance in open infrastructure beyond): we developed TRICK light
• CIPS SPARC (Space Awareness for Critical Infrastructures), with Telespazio, Uni. Roma3, …: the project will analyse the space threats, their impact, and set up security good-practice guidelines
• FP7 i-GOing (i-GalilieO indoor navigation): Galileo-like signals from a network of pseudolites for indoor navigation
About our research qualities
• Official: itrust consulting is registered as a research institution by the Luxembourg Ministry of Economy, the first without base funding
• Committed: involved in research from the earliest days of its existence (MICIE and BUGYO Beyond from 2008)
• Focused: dedicated research department
• Culture: almost all technical personnel have been (or are) involved in research projects
• Value: business is always a target
• Bold: unafraid to explore risky topics (e.g. blockchain)
• Results-oriented: research successfully used to design/enhance itrust products (AVCaesar, Software Checker, TRICK products)