
New Threat Trends in CII(Critical Information Infrastructure)


[Keynote] New Threat Trends in CII(Critical Information Infrastructure) @ The 14th Meridian Conference 2018, Seoul, Korea, October 17-19, 2018.

Published in: Engineering


  1. 1. New Threat Trends in CII
  2. 2. Contents ◼ Who am I? ◼ What is CII? ◼ What is Industry 4.0? ◼ New Risks of CII in Industry 4.0 ◼ Conclusion & Summary
  3. 3. Who am I? ◼ Seungjoo (Gabriel) Kim (金 昇 柱) ◼ 1999.02 : Ph.D. in Cryptography @ Sungkyunkwan Univ. ◼ 1998.12~2004.02 : Team Manager @ KISA (Korea Internet & Security Agency) ◼ 2004.03~2011.02 : Associate Professor @ Sungkyunkwan Univ. ◼ 2011.03~Now : Full Professor @ Department of Cyber Defense, Korea Univ.
  4. 4. Who am I? ◼ 2011.03~Now : Co-Founder/Advisory Director of a hacker group, HARU and an international security & hacking conference, SECUINSIDE.
  5. 5. Department of Cyber Defense? ◼ Established in 2012 ◼ 30 students / year ◼ Joint educational programs with Korea Army (Cyber Command) ◼ Full Scholarship over Guaranteed Employment ◼ Upon graduation, they are to be commissioned as second lieutenants and must serve in the military for 7 years ◼ Accept top 1% of students in the national college entrance exam (Korean SAT)
  6. 6. Department of Cyber Defense? ◼ In 2015 and 2018, our students from Dept. of CYDF at Korea University won the TOP prize at the DEFCON CTF for the first time in Asia!
  7. 7. Hacker Group, HARU? ◼ Founded in 2011 ◼ Acronym of “HAckers’ Re-Union” or “HAckers aRe Us” ◼ One of the biggest associations of underground hacking groups and communities in Korea ◼ 8+ Honorable Members : ◼ BLACK.PERL (www.bpsec.co.kr), CNSECURITY (www.cnsec.co.kr), FlyHigh, GRAYHASH (BEISTLAB, www.grayhash.com), Hackerschool (www.hackerschool.org), iNET COP (www.inetcop.net), NSHC (www.nshc.net), SEWORKS (Wowhacker, www.seworks.co), etc.
  8. 8. Critical Information Infra. ◼ CII : Infrastructure that provides essential support for economic and social well-being, for public safety and for the functioning of key government responsibilities. ◼ However, the definition of critical infrastructure varies from country to country and is fluid, as the definition and list of infrastructures deemed to be critical have changed or matured over time.
  9. 9. Critical Information Infra. (Source: Munish Sharma, "Securing Critical Information Infrastructure: Global Perspectives and Practices", April 2017)
  10. 10. Industry 4.0
  11. 11. Industry 4.0 ◼ Mechanization, water power, steam power ◼ Mass production, assembly line, electrical energy ◼ Computer and further automation ◼ Cyber Physical Systems
  12. 12. Industry 4.0 ◼ The 4th industrial revolution (Industry 4.0) is transforming the next generation of manufacturing systems by making them smarter, well-connected, self-organized, decentralized, and flexible. ◼ To accelerate this transformation, industrial sectors have planned to commit US$ 907 billion per annum to Industry 4.0.
  13. 13. (e.g.) Digital Twin ◼ A digital twin is a S/W representation of assets and processes that is used to understand, predict, and optimize performance in order to achieve improved business outcomes (named one of Gartner's Top 10 Strategic Technology Trends for 2017).
  14. 14. (e.g.) Smart Manufacturing (Source: Michele H.Ahuett-Garza and T.Kurfess, "A Brief Discussion on the Trends of Habilitating Technologies for Industry 4.0 and Smart Manufacturing", Manufacturing Letters, Feb 17, 2018) By maximizing SC flexibility, Smart Manufacturing enables mass customization!
  15. 15. CII Security in Industry 4.0 ◼ So far, critical infrastructures were isolated and focused on operational safety. ↓ Drastically changed! ◼ However, Industry 4.0 increases the digitalization and connectivity of the industry. ◼ Examples of such inter-connected systems may include traffic monitoring and control systems communicating with smart vehicles, energy related systems communicating with smart homes and smart meters, monitoring systems connected with autonomous sensors in nuclear plants, power grids and body area networks.
  16. 16. CII Security in Industry 4.0 ◼ The increasing connectivity and interdependencies between CII elements increase the risk of cyber security threats.
  17. 17. CII Security in Industry 4.0 ◼ The increasing connectivity and interdependencies between CII elements increase the risk of cyber security threats. ◼ Risk 1. No air-gap, everything connected! ◼ Risk 2. Increased complexity ◼ Risk 3. Global outsourcing is essential & Enterprise processes become more digitized. ◼ Risk 4. How to manage billions of connected devices? ◼ Risk 5. You (one team in one company) cannot verify all the products by yourself. ◼ Risk 6. Misconception about blockchain
  18. 18. 1st Change in Security Env. No air-gap, everything connected!
  19. 19. No Air Gap!
  20. 20. No Air Gap! British American Security Information Council UK nuclear submarine fleet
  21. 21. No Air Gap! Recent suggestions that the fleet is vulnerable have sometimes been met with complacency and claims that the isolated 'air-gapped' systems cannot be penetrated. Whilst we recognize that it is important not to be alarmist, these claims are false.
  22. 22. No Air Gap! Malware injection during manufacturing (a.k.a. supply chain), mid-life refurbishment or software updates and data transmission interception allow potential adversaries to conduct long-term cyber operations.
  23. 23. No Air Gap!
  24. 24. No Air Gap!
  25. 25. No Air Gap!
  26. 26. 2nd Change in Security Env. CIIP in the Industry 4.0 era becomes more and more complex, with increased maintenance costs.
  27. 27. Security by Design ◼ Because of the increasing connectivity and interdependencies, CIIP in the Industry 4.0 era becomes more and more complex, with increased maintenance costs. ◼ Increasing new IT services ◼ Increasing usage of common COTS software ◼ Increasing integration and information flows between systems ◼ Heavily connected to other IT services ◼ Even connected to INTERNET
  28. 28. Security by Design ◼ This in turn decreases the efficacy of security. ◼ First Law of Software Quality: $e = mc^2$, i.e. errors = (more code)$^2$ or (more connected)$^2$
  29. 29. Security by Design ◼ CIIP in the Industry 4.0 era becomes more and more complex, with increased maintenance costs. ◼ This in turn decreases the efficacy of security. ↓ ◼ Need ‘Security by Design’ to cope with complexity!
  30. 30. Security by Design ◼ Security by Design (in a narrow sense) : Considering security as early as the design phase of the software development process. ◼ Security by Design (in a broader sense) : Systematically organized and methodically equipped framework that is applied over the lifecycle of secure software. (Source: Michael Waidner, Michael Backes, Jörn Müller-Quade, "Development of Secure Software with Security By Design", Fraunhofer SIT Technical Reports, July 2014)
  31. 31. Security by Design ◼ Security by Design (in a narrow sense) : Considering security as early as the design phase of the software development process. ◼ Security by Design (in a broader sense) : Systematically organized and methodically equipped framework that is applied over the lifecycle of secure software. (Source: Michael Waidner, Michael Backes, Jörn Müller-Quade, "Development of Secure Software with Security By Design", Fraunhofer SIT Technical Reports, July 2014) From the design stage, optimize to make the attack surface as small as possible!
  32. 32. 3rd Change in Security Env. Nobody builds everything themselves any more. So (global) outsourcing is essential! & In the industry 4.0 era, enterprise processes become more digitized. ↓ Need (global) supply chain security!
  33. 33. Global Supply Chain Security ◼ A supply chain is defined as the global network of organizations and activities associated with the flow of goods and information from the raw materials stage to the end users. ◼ If the vision of Industry 4.0 is to be realized, most enterprise processes must become more digitized.
  34. 34. Global Supply Chain Security ◼ However, due to the heavy automation and monitoring, end-to-end digitization, distributed and well-connected components, supply chain security issues are well known and exploited to great effect by cybercriminals. ◼ Industry 4.0 gives the cybercriminal more opportunity to dig into the top of the supply chain, reaching into the smart factory through its dependent actors.
  35. 35. Global Supply Chain Security
  36. 36. Global Supply Chain Security The spark that starts World War III is not a nuclear bomb, but a supply chain hack!
  37. 37. Global Supply Chain Security
  38. 38. Global Supply Chain Security ◼ As seen before, in the era of Industry 4.0, global supply chains may be more susceptible to attacks at every stage. ◼ So, vendors need to ensure the integrity of the supply chain by merging traditional management practices with auditable, certifiable system security requirements. ◼ Also, with the help of CC (Common Criteria), we can greatly reduce the risks associated with the global supply chain.
  39. 39. Secure Composition ◼ Usually a large, networked and distributed secure system like CII is built from a number of component systems. These components may be independently developed and evaluated. ◼ Additionally, during design of a large and complex secure system, one would like to break up the system into modules which are small enough to be subject to security analysis, and then to demonstrate security properties in the overall system by means of those of the modules.
  40. 40. Secure Composition ◼ If each of its components satisfies some security property, does the entire system satisfy that security property?
  41. 41. Secure Composition ◼ Unfortunately, secure composition of complex systems to medium-high assurance levels is not solved today. ◼ The existing monolithic approaches cannot cope with the complexity of modern CPS. ◼ certMILS develops a security certification methodology for complex composable safety-critical systems.
  42. 42. Secure Composition ◼ certMILS @ Horizon 2020 Project
  43. 43. 4th Change in Security Env. We will have more than 25 billion connected devices by 2020! How to manage it?
  44. 44. 4th Change in Security Env. Security operations must be significantly more automated and manageable!
  45. 45. Automation
  46. 46. Automation Fully autonomous system for finding and fixing security vulnerabilities @ Smithsonian
  47. 47. Automation Mayhem @ human game, DefCon 2016 Korea University
  48. 48. Automation ◼ However, security automation is NOT AI-security! ◼ Automation is basically making H/W or S/W that is capable of doing things automatically, without human intervention. ◼ AI (Artificial Intelligence) is the science and engineering of making intelligent machines. AI is all about trying to make machines or S/W mimic, and eventually supersede, human behavior and intelligence. Thus AI can respond and make decisions according to varying environment parameters which are NOT known at the time of design (e.g., zero-day).
  49. 49. 5th Change in Security Env. Despite our great care for security, weak spots or vulnerabilities of products can STILL be found. & This situation will become WORSE in the era of the 4th industrial revolution, when the number of devices connected to the Internet increases exponentially. ↓ Crowd sourced security protection : Bug Bounty
  50. 50. Bug Bounty ◼ Bug Bounty : Companies pay external ethical hackers for finding and reporting vulnerabilities. ◼ The first bug bounty program dates back to 1983 from operating system company Hunter & Ready, Inc.
  51. 51. Bug Bounty ◼ A little over a decade later in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation coined the phrase 'Bugs Bounty'. ◼ There are now potentially hundreds of bug bounty programs in operation. ◼ Google, AT&T, Microsoft, Mozilla, General Motors, Starbucks, United Airlines and many others. ◼ Even US government departments are getting in on the act.
  52. 52. Bug Bounty
  53. 53. Bug Bounty
  54. 54. Bug Bounty This means that they already knew it before the start of the competition!
  55. 55. 6th Change in Security Env. Blockchain is becoming a key element of the Industry 4.0 transformation. ↓ Blockchain is NOT a panacea!
  56. 56. Blockchain Is NOT Panacea! ◼ So far, key elements of the Industry 4.0 transformation include ◼ 3D printing, ◼ robotizing and automation, ◼ smart factory with IoT and machine learning, and ◼ supply chain digitization. ◼ Now, blockchain, the distributed-ledger technology behind cryptocurrencies including Bitcoin, is becoming a key technology driving this digital revolution.
  57. 57. Blockchain Is NOT Panacea! Internet Decentralized Blockchain Platform Internet Of Things (IOT) Artificial Intelligence (AI) Data Analytics Business (Smart City, etc)
  58. 58. Blockchain Is NOT Panacea! ◼ One misconception that is commonly spread about blockchain technology is that it's completely unhackable. ◼ Blockchain just provides : ◼ Decentralization, ◼ Immutability, ◼ Transparency, and ◼ Availability.
  59. 59. Blockchain Is NOT Panacea! ◼ The major problems that blockchains have are 'privacy' and 'low transaction speed'. ◼ Blockchain technology does not offer much defensive value beyond the protection of data integrity and availability. ◼ The wrong use of blockchain for time-critical systems may lead to the failure of CIIP.
  60. 60. Summary ◼ Industry 4.0 has made many changes to the security paradigm of the CII (1/5) : ◼ (No Air-Gap) Do not trust the isolated 'air-gapped' systems any more! ◼ (Security by Design) The increasing connectivity and interdependencies make CIIP more and more complex, and this in turn decreases the efficacy of security. To cope with complexity, we need ‘Security by Design’.
  61. 61. Summary ◼ Industry 4.0 has made many changes to the security paradigm of the CII (2/5) : ◼ (Global Supply Chain Security) Outsourcing is essential and the enterprise manufacturing processes become more susceptible to cyber attacks. So we need global supply chain security, and here CC (Common Criteria) can help to ensure the integrity of the supply chain.
  62. 62. Summary ◼ Industry 4.0 has made many changes to the security paradigm of the CII (3/5) : ◼ (Secure Composition) Usually a large, networked and distributed secure system like CII is built from a number of component systems. These components may be independently developed and evaluated. But secure composition of complex systems to medium-high assurance levels is not solved today.
  63. 63. Summary ◼ Industry 4.0 has made many changes to the security paradigm of the CII (4/5) : ◼ (Automation) We will have more than 25 billion connected devices by 2020. Thus the security operations for CIIP must be more automated and manageable! ◼ (Bug Bounty) Despite our great care for security, weak spots or vulnerabilities of products can still be found. This situation will worsen in the era of the 4th industrial revolution, when the number of devices connected to the Internet increases exponentially. So we need a crowd-sourced security protection program, a.k.a. 'Bug Bounty'.
  64. 64. Summary ◼ Industry 4.0 has made many changes to the security paradigm of the CII (5/5) : ◼ (Limitations of Blockchain) Blockchain is becoming a key technology driving Industry 4.0. However, one misconception that is commonly spread about blockchain technology is that it's completely unhackable. Blockchain is not a panacea!
  65. 65. New Threat Trends in CII
