1. Cyber Security in Real-Time Systems
Transport Security Event – Olympia
“Advanced Persistent and Insider Threats”
David Spinks – Chairman CSIRS
September 2011
CSIRS
Cyber Security in Real-Time Systems
2. Introduction
3. CSIRS
Cyber Security in Real-Time Systems
Linkedin CSIRS : http://www.linkedin.com/groupRegistration?gid=3623430
4. Why me?
6. 1990 - 2000
Railtrack safety critical software
Sizewell B software emergency shut down code validation
UK Government assessment of embedded software (aviation)
8. Smart Grid
Emerging threat profile
Changing: cost reduction by private utilities
Integration of real-time systems with commercial IT
Real-time (SCADA) systems based on Windows
Use of wireless to effect remote management
Real-time systems designed by “engineers”
10. Stuxnet Changed Everything
Expertise, focused, gather intelligence, social engineering
The first advanced persistent threat (APT)
11. Why is APT different?
Multiple entry points across supplier chain
Focus on social engineering and use of insiders.
Gathering of intelligence across a range of suppliers.
Attack has a complex event sequence across multiple technologies.
Malware is sophisticated and likely developed and proved on test beds.
12. Do not place designs of nuclear plants in the public domain!
http://www.prleap.com/pr/167858/
eXtremeDB Embedded In-Memory Database Adds Safety and Efficiency In
Nuclear Waste Processing Control System
13. So have there been any other APTs since Stuxnet?
Many successful security attacks have been designated as APT by the company that has been breached.
Closest to this model is the RSA breach: entry via EMC, staff being exposed to phishing attacks, lack of an RSA CSO ......
Farthest away are the repeated breaches suffered by Sony ....
Many organisations have a history of under-investment in information security ....
15. What is an insider threat?
A breach, or part of an attack, executed from within the existing trust domain(s) by an individual who holds some kind of existing authentication.
The breach event may be deliberate or accidental. The individual may be a current or past employee, contractor, customer, partner or supplier.
The individual will have a “motive”, which may or may not be logical.
Many insider threats will be trivial actions that form an intelligence gathering exercise.
16. Why is an insider threat so dangerous?
Immediate compromise of the traditional security perimeter!
Traditional baseline security measures are ineffective.
Traditional concepts of “trust” are invalid - many frauds and thefts are executed with the assistance of employees and executives! No-one is immune to potential compromise.
Pilot studies using DLP software and tools show a staggeringly high number of deliberate security breaches executed by a high percentage of all staff. Ignorance of policy ... finding ways around the rules. Stupidity!
17. Possible defence and detection
Security training and awareness
Communication and Implementation of penalties.
Concept of “you will be caught” and example will be made.
Security culture
Evaluation of suppliers and partners (supply chain!)
Use of DLP and Log Analysis
Good HR policies and procedures monitoring behaviours
18. What actions do we need to consider?
19. Possible Cyber Security Solution
Understanding -> Design Solution -> Implement -> Manage & Improve
Implementation of baseline security
ISO 27001, CobiT 4.1/5.0
Implementation of APT detection and response
20. Implementation of baseline security examples
Robust Identity Management solutions RBAC
Basic log collection, analysis and reporting
Intrusion detection and prevention
Penetration testing of external facing firewalls
Security training and awareness (defending social engineering and phishing)
Encryption of critical and sensitive data
Mandatory, no exceptions, executive led. Will not detect or mitigate APT.
21. Advanced security measures:
PKI/Digital signatures and key management
Data loss prevention proactive and reactive.
Integrated approach to log analysis (applications and IdM) real-time alerts to SOC
Applications and web hosting code analysis
Governance, Risk and Compliance in real-time
Security incident and near miss reporting.
Mandatory, no exceptions, executive led.
22. Conclusions:
APTs are very difficult to detect and, once detected, to then defend against.
Expenditure on security processes and tools needs to be increased.
Security should be implemented top down, with executive sponsorship.
All employees are part of the defence; silver bullets will not work.
23. Thank you
Q&A
david.spinks@hp.com
dspinks41@gmail.com