Finmeccanica is Italy's largest manufacturer in the high technology sector and Ansaldo STS's largest shareholder. The document discusses cyber security strategies for railway signaling systems, distinguishing between vital systems that ensure safety and non-vital systems subject to cyber risks. It promotes a mature approach to cyber security including discovery and assessment, redesign to address gaps, and intelligence/analytics. Best practices include incident management, monitoring, and governance. Specific strategies proposed include enhancing monitoring through correlation, adding virtual patching and firewall logging, near real-time asset control, and lightweight security information and event management.
Ansaldo STS at CPExpo 2013: "Risks and Security Management in Logistics and Transports part 2"
1. About us: Finmeccanica
CP EXPO Workshop - «Risks and Security Management in Logistics and Transports»
Cyber Security in Railways Systems, Ansaldo STS experience – Part 2: Cyber Security Strategy and Design
Speaker: Daniele Debertol, PhD.
Joint work with: Ermete Meda, InfoSec Manager
Genova, 29 October 2013
Finmeccanica is Italy’s leading manufacturer in the high technology sector.
Finmeccanica is the largest shareholder in Ansaldo STS with a 40% stake.
2. Signaling Systems: Safety-to-Security relationships
“Vital Systems”
• RBC (Radio Block Center)
• Interlocking
Environment: proprietary infrastructure that ensures railway safety and is not subject to computer attack
“Non-Vital Systems”
• Centralized Traffic Control Systems (e.g. TMS), Automation Systems
Environment: commercial ICT infrastructure undergoing cyber security risks (operational continuity, financial losses, reputational damage)
3. … and between vital and non-vital layers
Needs Protection…
Diagram: Non-vital layer (External Systems, Train Management System (TMS)) connected to the Vital layer (Interlocking, RBC: Radio-Block Center, ERTMS Euroradio, Balise, trains T1 and T2)
4. Evolution and Characteristics of Railway Signaling Systems
Technology Platforms
In the Past:
• Proprietary HW/SW
• Isolated Systems
• Dedicated Applications
• Structured Information
Today:
• Commercial low cost HW/SW
• TCP/IP Protocol
• Interconnected Systems
• Heterogeneous Services (E-mail, Info-web, VoIP, CCTV, …)
• Structured and unstructured Information
Operating Environment, Today:
• Distributed ICT infrastructure spread over long distances, and unattended systems
• Connections between safety critical and non-safety critical layers
• External systems connected to signaling infrastructure
• Human factor (operators, maintainers and… passengers)
5. Cyber Space calling, Cyber Security knocking
Cyber Security: protection of Cyber Space. But what is Cyber Space?
Yesterday: many different environments, side-by-side. Today: one single, big environment.
Consequences: Dynamic Threat Landscape in a unique Cyber Domain
Actors and motivations, from Strategic & Tactical Cyber War down to curiosity:
• Military
• Terrorism
• Politics
• Espionage, Intellectual Property
• Organized Crime ($)
• Vandalism & Hacktivism
• Ego, Curiosity
Examples cited: Stuxnet, Operation Aurora, Botnets, Zeus, Flame, Mandiant APT1 Report, AET attacks, Phishing email, DDoS attacks, Wikileaks, Anonymous
7. ICT Security Activities and Governance: Best Practices
Incident Management: Event Identification, Countermeasures (chart axis: Effort)
8. ICT Security Activities and Governance: real life
Reactive countermeasures:
• Reaction (“WTF is going on???”)
• Detection (… and guess what? … and Monitoring…)
Proactive countermeasures:
• Monitoring… (not excluding Forensics)
• Prevention
9. Cyber Security: taking advantage of IT
Building on top of Information Technology infrastructures means that you get both its weaknesses, true, but its strengths as well…
… putting it the other way round: if a system is not secure by design – and they are not – it will leave plenty of traces for you to follow!
Leaving trace-routes behind
10. Strategy: enhance monitoring and correlate
Sources to correlate: Content Filtering, Virtual Patching, AAA, Firewalling, IDS/IPS
So many eyes… giving a very broad view (say, at 365°… to stay safe)… OK…
But where to look? And for what? And who?
12. Content Filtering: the do’s and the don’ts
The operating system is static, meaning that you can’t change it too often (good…), but that you won’t be able to patch it (at all) either, which is NO GOOD!
Solution: adding Virtual Patching
Dirty Traffic → Virtual Patcher → Clean Traffic
Threats Treatment:
• Analysis: find critical vulnerabilities directly exposed to possible attacks
• Remediation: identify (& block) the specific packets that would reach the above vulnerabilities
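The analysis/remediation loop above maps onto a small packet classifier. The following is an added example, not code from the deck or from Ansaldo STS: it assumes a hypothetical line-oriented management protocol on TCP/9100 and uses placeholder vulnerability ids, since the deck names none; each rule stands for one exposed vulnerability found during analysis, and the blocked packets are turned into log lines so the virtual patcher feeds the same monitoring as the firewall.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class VirtualPatchRule:
    vuln_id: str          # placeholder id of the exposed vulnerability (not a real CVE)
    dst_port: int         # service port on the host that cannot be patched
    pattern: re.Pattern   # traffic shape that would reach that vulnerability


# Constructed rules for a hypothetical management protocol on TCP/9100.
# In practice each rule comes from the "Analysis" step: one rule per exposed vulnerability.
RULES = [
    # VULN-PLACEHOLDER-1: the device mishandles SET_NAME values longer than 64 bytes
    VirtualPatchRule("VULN-PLACEHOLDER-1", 9100, re.compile(rb"^SET_NAME [^\r\n]{65,}")),
    # VULN-PLACEHOLDER-2: a maintenance command that must never cross the network boundary
    VirtualPatchRule("VULN-PLACEHOLDER-2", 9100, re.compile(rb"^DEBUG_SHELL\b")),
]


def classify(packet, rules=RULES):
    """Return ('drop', vuln_id) for a packet matching a virtual patch, else ('pass', None)."""
    for rule in rules:
        if packet.dst_port == rule.dst_port and rule.pattern.search(packet.payload):
            return "drop", rule.vuln_id
    return "pass", None


def filter_stream(packets, rules=RULES):
    """Split dirty traffic into clean traffic and blocked packets tagged with the rule they hit."""
    clean, blocked = [], []
    for pkt in packets:
        verdict, vuln_id = classify(pkt, rules)
        if verdict == "drop":
            blocked.append((pkt, vuln_id))
        else:
            clean.append(pkt)
    return clean, blocked


def audit_lines(blocked):
    """Firewall-style log lines for the blocked packets, ready to be fed to log correlation."""
    return [f"vpatch drop src={p.src} dst={p.dst} dport={p.dst_port} vuln={v}" for p, v in blocked]


# Constructed sample traffic toward the unpatchable host 10.0.2.5.
SAMPLE_PACKETS = [
    Packet("10.0.1.20", "10.0.2.5", 9100, b"GET_STATUS\r\n"),
    Packet("10.0.1.20", "10.0.2.5", 9100, b"SET_NAME " + b"A" * 200 + b"\r\n"),
    Packet("10.0.1.21", "10.0.2.5", 9100, b"SET_NAME workstation-3\r\n"),
    Packet("10.0.1.21", "10.0.2.5", 9100, b"DEBUG_SHELL\r\n"),
    Packet("10.0.1.22", "10.0.2.5", 8080, b"SET_NAME " + b"A" * 200 + b"\r\n"),  # other service: no rule applies
]

if __name__ == "__main__":
    clean, blocked = filter_stream(SAMPLE_PACKETS)
    print(f"{len(clean)} clean, {len(blocked)} blocked")
    for line in audit_lines(blocked):
        print(line)
```

Note the last sample packet: the same oversized value on a port no rule covers passes through, which is the point of the analysis step, since a virtual patch protects exactly the exposures that were identified and nothing else.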
13. Near Realtime Asset Control
• not a performance- or availability-driven tool, though it may help
• based on a static asset database loaded offline at project time
Repeat as needed:
• perform differential discovery onsite for database tuning
• acknowledge variations that should be allowed
• what is left, deal with: either a missing sheep, or a mismatched one, or… go, bark, there’s a wolf!
Diagram: asset-control GUI on a monitoring subnet, reached over the WAN; clean traffic on both sides
Know your flock, and beware of wolves! Barkin’, at the very least
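The differential-discovery loop on this slide, as an added example that is not part of the deck or of any Ansaldo STS tool: a static baseline (constructed IP/MAC/role entries) is compared against one discovery pass, operator-acknowledged variations are subtracted, and whatever is left is sorted into the three buckets the slide names (missing sheep, mismatched sheep, wolf). The snapshot values and roles are constructed; how discovery is actually performed on site (ARP tables, switch port maps, active scans) is outside this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    role: str


# Static asset database loaded offline at project time (constructed values).
BASELINE = {
    "10.0.2.5": Asset("10.0.2.5", "00:11:22:33:44:01", "interlocking-gateway"),
    "10.0.2.6": Asset("10.0.2.6", "00:11:22:33:44:02", "tms-server"),
    "10.0.2.10": Asset("10.0.2.10", "00:11:22:33:44:03", "maintenance-laptop"),
    "10.0.2.11": Asset("10.0.2.11", "00:11:22:33:44:04", "hmi-1"),
}

# Variations acknowledged during onsite tuning: ip -> attributes allowed to differ (constructed).
ALLOWED_VARIATIONS = {"10.0.2.10": {"mac"}}


def discovery_snapshot():
    """Constructed result of one onsite discovery pass: ip -> mac currently seen on the wire."""
    return {
        "10.0.2.5": "00:11:22:33:44:01",   # as expected
        "10.0.2.6": "00:11:22:33:44:99",   # mac differs from baseline: mismatched sheep
        "10.0.2.10": "00:11:22:33:44:77",  # mac differs, but this host is allowed to vary
        "10.0.2.42": "de:ad:be:ef:00:01",  # not in the baseline at all: wolf
        # 10.0.2.11 (hmi-1) is not seen: missing sheep
    }


def differential_discovery(baseline, seen, allowed):
    """Compare one discovery pass against the baseline and sort every host into a bucket."""
    report = {"ok": [], "missing": [], "mismatched": [], "unknown": []}
    for ip, asset in baseline.items():
        if ip not in seen:
            report["missing"].append(ip)
        elif seen[ip] != asset.mac and "mac" not in allowed.get(ip, set()):
            report["mismatched"].append(ip)
        else:
            report["ok"].append(ip)
    for ip in seen:
        if ip not in baseline:
            report["unknown"].append(ip)
    return report


def acknowledge(allowed, ip, attribute):
    """Tuning step: record a variation the operator verified as legitimate; returns a new map."""
    updated = {k: set(v) for k, v in allowed.items()}
    updated.setdefault(ip, set()).add(attribute)
    return updated


def alerts(report, baseline):
    """Log lines for the correlation engine; an unknown host is the one that makes the dog bark."""
    lines = []
    for ip in report["missing"]:
        lines.append(f"assetctl missing-host ip={ip} role={baseline[ip].role}")
    for ip in report["mismatched"]:
        lines.append(f"assetctl mismatched-host ip={ip} role={baseline[ip].role}")
    for ip in report["unknown"]:
        lines.append(f"assetctl unknown-host ip={ip} severity=bark")
    return lines


if __name__ == "__main__":
    report = differential_discovery(BASELINE, discovery_snapshot(), ALLOWED_VARIATIONS)
    for line in alerts(report, BASELINE):
        print(line)
```

The "repeat as needed" of the slide is the `acknowledge` step: once the operator confirms that the TMS server legitimately got a new NIC, the next run no longer reports it, and only genuinely new findings remain.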
14. The Russian peasant of SIEMs at work: fast and light
• Message Correlation
• Minimize False Positives
• Realtime response (no archiving)
• Novelty detection for scheme-in-the-chaos
Log Correlation pipeline: Sensor_1, Sensor_2, …, Sensor_n → Log Files → Correlation Engine → Events Console
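A lightweight correlation engine with the four properties listed on this slide, also serving slide 10 (the many "eyes" to correlate), as an added example that is not the deck's or Ansaldo STS's code. It assumes a constructed line format `<iso-timestamp> <sensor> <message>`; correlation raises an alert only when several independent sensors report the same source inside a sliding window (fewer false positives than alerting on any single sensor), nothing outside the window is kept (no archiving), and novelty detection flags a message scheme never seen during a constructed commissioning set. Sensor names and log lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")   # "<iso-timestamp> <sensor> <message>"
SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse(line):
    """Normalise one sensor line into an event dict; src is None when the sensor reports none."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, sensor, msg = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
    src = SRC_RE.search(msg)
    return {"ts": ts, "sensor": sensor, "msg": msg, "src": src.group(1) if src else None}


def signature(event):
    """The 'scheme' of a message: sensor plus message text with all numbers masked out."""
    return event["sensor"] + " " + re.sub(r"\d+", "#", event["msg"])


class Correlator:
    """Keeps only a sliding window of recent events in memory: nothing is archived."""

    def __init__(self, known_signatures, window=WINDOW, min_sensors=2):
        self.known = set(known_signatures)   # schemes seen during commissioning
        self.window = window
        self.min_sensors = min_sensors
        self.recent = deque()                # (ts, src, sensor), oldest first
        self.last_alert = {}                 # src -> ts of last correlated alert (suppresses repeats)

    def _expire(self, now):
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()

    def feed(self, line):
        """Consume one line; return the alerts it triggers as (kind, subject, ts) tuples."""
        ev = parse(line)
        now, out = ev["ts"], []
        sig = signature(ev)
        if sig not in self.known:            # novelty: a scheme never seen before
            out.append(("novelty", sig, now))
            self.known.add(sig)              # report each new scheme once, not on every line
        if ev["src"]:
            self._expire(now)
            self.recent.append((now, ev["src"], ev["sensor"]))
            sensors = {s for _, src, s in self.recent if src == ev["src"]}
            last = self.last_alert.get(ev["src"])
            # correlated alert only when several independent sensors agree on the same source
            if len(sensors) >= self.min_sensors and (last is None or now - last > self.window):
                out.append(("correlated", ev["src"], now))
                self.last_alert[ev["src"]] = now
        return out


def run(lines, known_signatures):
    corr = Correlator(known_signatures)
    alerts = []
    for line in lines:
        alerts.extend(corr.feed(line))
    return alerts


# Constructed lines from commissioning, used to learn the normal schemes.
TRAINING_LINES = [
    "2013-10-28T09:00:00 fw drop src=10.0.1.7 dst=10.0.2.5 dport=23",
    "2013-10-28T09:00:05 ids alert sid=2002 src=10.0.1.7 dst=10.0.2.6",
]
KNOWN_SIGNATURES = {signature(parse(l)) for l in TRAINING_LINES}

# Constructed live lines from several sensors (firewall, IDS, virtual patcher, asset control).
SAMPLE_LINES = [
    "2013-10-29T10:00:01 fw drop src=10.0.1.50 dst=10.0.2.5 dport=9100",
    "2013-10-29T10:00:03 ids alert sid=1001 src=10.0.1.50 dst=10.0.2.5",
    "2013-10-29T10:00:05 vpatch drop src=10.0.1.50 vuln=VULN-PLACEHOLDER-1",
    "2013-10-29T10:00:20 fw drop src=10.0.1.51 dst=10.0.2.6 dport=445",
    "2013-10-29T10:05:00 assetctl unknown-host ip=10.0.2.42",
    "2013-10-29T10:30:00 ids alert sid=1001 src=10.0.1.51 dst=10.0.2.6",
]

if __name__ == "__main__":
    for kind, subject, ts in run(SAMPLE_LINES, KNOWN_SIGNATURES):
        print(ts.isoformat(), kind, subject)
```

On the sample input the engine raises three alerts: one correlated alert for 10.0.1.50 (firewall and IDS agree within two seconds; the later virtual-patch line for the same source adds evidence but is not re-alerted), and two novelty alerts for the virtual-patch and asset-control schemes that were absent from commissioning. The single firewall drop for 10.0.1.51 and the IDS line for the same source half an hour later never meet inside the window, so they stay quiet, which is the false-positive trade-off the slide asks for.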
15. The 11th hour (a.m.?)
Do we simply wait for vulnerabilities to become actual threats, or can we advance from here and provide for new services?
Cyber Security = Defense line