www.ria.ee FOR OFFICIAL USE ONLY Estonian Overview of practical CIIP activities in EE Aare Reintam ISKE area manager CIIP unit
Nov 18, 2014
Outline of my talk
• What is the aim of protecting CII?
• Community building
• Activities - security assessments and port scanning
• Legislation, regulations, ICS/SCADA guidelines
When talking about CII protection
• We mean vital services that depend on IT systems
    • Electricity supply (production, transmission, distribution)
    • Data communications
    • Water supply and sewerage
    • Air navigation service
    • …
• 43 vital services in total
CII incidents and impact on economy
• Some examples of this year's CII incidents in Europe

| Sector | Time | Impact | Reason |
|---|---|---|---|
| Energy | Sept 2013 | For 2,5 hours the whole county's electricity distribution was interrupted | Software error |
| Railway transport | March 2013 | 3-hour interruption of train service between two main cities in Europe | Optical cable breakage. The lead train dispatcher was unable to carry out work and had to stop the traffic |
| Air transport | August 2013 | 3-hour interruption in X city air travel service. No planes could land. | Flight control software error |
Community building
• CIIP lead (expert / mid-management level)
    • SCADA workgroup
    • CII protection council
    • Annual CIIP conference
• CERT-EE lead (expert level)
    • Government system administrators
    • ISP & hosting abuse handlers
• CERT + CIIP joint events
    • 0ct0b3rf3st
• EISA management lead:
    • Quarterly reports to high government officials
    • Seminars for management
How to keep communities running?
• Regular meetings on interesting topics
• Share information
• State-sponsored training, seminars, conferences, etc.
    • 5-day advanced SCADA security
    • Netflow, IDS, logging
    • Managing small office networks (SOHO)
    • …
• Social events
Security assessment projects
• Find out the “real” security level of a vital service provider
• Based on attack scenarios
• Verifying them with penetration testing
• State-sponsored
• We are using 3rd-party consultants
Sample security assessment task list
• Information gathering from public sources
• Corporate LAN security assessment (Windows domain, servers, workstations, Wi-Fi etc.)
• Network perimeter testing (from corporate <-> SCADA <-> control network)
• Assessment of SCADA servers, operator workstations, etc.
• Remote access to networks (VPN)
• Physical security
Finding CII equipment from the Internet
• Locating possibly vulnerable devices before the “bad guys”
• Notifying the owner and explaining the risk
• Using shodanhq.com and other tools
Legislation & guidelines
• We are giving input to the Ministry of Justice to amend the appropriate legislation.
• Security measure regulation is established:
    • Security responsibilities have to be in place when providing vital services
    • Implement a security standard (ISO 27001, our own local standard “ISKE” or an industry-specific one)
• ICS/SCADA security guidelines
    • 25 security controls
To sum up
• Incidents happen on a daily basis
• Legislation alone is not enough
• Responsibility has to be balanced between the state and service providers
• People are important