Supporting European Aviation
Moving from cyber-security towards cyber-resilience in aviation
Patrick MANA, EATM-CERT Manager
No, not this kind of ATM
ATM: Air Traffic Management
EUROCONTROL HISTORY (timeline: 1960s, 1980s, 1990s, 2000s, 2010s)
41 Member States & the European Union
2 ‘Comprehensive Agreement’ States: Morocco & Israel
“The designations employed and the presentation of the material on maps in this presentation do not imply the expression of any opinion whatsoever on the part of EUROCONTROL concerning the legal status of any country, territory, city or area or of its authorities, or concerning the delimitation of its frontiers or boundaries.”
Building the Single European Sky!
Provide air traffic services in upper airspace of Benelux & North West of Germany
Manage the pan-European network
R&D -> Deployment
Collect route charges
Complexity of Securing the Aviation Ecosystem
Evolution of ATM – towards digitalization
State-sponsored / Geo-political
Cyber-crime … it’s an industry
Cyber-crime e.g. ransomware
Bristol but also Atlanta, Cleveland, Albany, …
Hacktivism more and more e.g. environmentalists
Regional sectorial (ATM) CERT: combine cyber and domain expertise
[Figure: EATM-CERT in the ATM cyber ecosystem. Entities shown: ATM stakeholders (each with its own SOC), ATM manufacturers, EATM-CERT, EUROCONTROL SOCs, cyber intelligence providers, ATM CI providers / ATM CERTs in the US and other regions, thematic CERTs, national CERTs, CERT-EU, EUROPOL, ENISA, NATO/EDA, EASA ECCSA, EACCC, EA-ISAC and A-ISAC. Flows labelled in the figure: alerts/incidents, significant incidents, logs, recommendations, intelligence/services.]
EATM-CERT and European National CERTs
[Figure: each State (A, B, C, D, E, …, X) has a national CERT covering all sectors (Energy, ATM, Healthcare, Finance, …); pan-European sectorial CERTs cut across the States, one per sector, and for ATM that sectorial CERT is EATM-CERT.]
EATM-CERT: catalogue of services
Security Assessment
Alerts & Warnings
Incident Response
Cyber Threat Intelligence
EATM-CERT services
1. Penetration test (EUROCONTROL services & products + Aviation stakeholders)
2. Bank transfer scams via email
3. Credentials leaks detection
4. Sensitive document leaks detection
5. Cyber Threat Intelligence (CTI) and feeds for aviation
6. Quarterly cyber threat landscape report for senior management
7. Support to incident response / Artefacts analysis
8. TLP:WHITE CTI tools – raising awareness
• Cyber events map, Twitter
9. Vulnerability scanning of Aviation Stakeholders
10. Vulnerability watch
11. Training exercises (table-top & technical)
IMPLEMENTING/OPERATING A SOC
EUROCONTROL material for stakeholders
SOC Call For Tenders material
ATM Security Operations Center
PENTEST ON AVIATION SYSTEMS
Security Assessment Results (penetration tests)
Risk levels definition
Risk Level (Impact \ Likelihood)
Impact    | Very unlikely | Unlikely | Moderate | Likely   | Very likely
Trivial   | Low           | Low      | Low      | Medium   | Medium
Minor     | Low           | Low      | Medium   | Medium   | High
Moderate  | Low           | Medium   | High     | High     | High
Major     | Medium        | High     | High     | Critical | Critical
Serious   | High          | High     | Critical | Critical | Critical
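The matrix above, encoded as a lookup so that pentest findings can be rated and ordered consistently. This is an added illustration, not EATM-CERT's own tooling; the findings in SAMPLE_FINDINGS are constructed, and treating "Insignificant" (the label used on the impact slide) as an alias of "Trivial" (the label used in the matrix) is an assumption.

```python
from collections import defaultdict

IMPACTS = ["Trivial", "Minor", "Moderate", "Major", "Serious"]
LIKELIHOODS = ["Very unlikely", "Unlikely", "Moderate", "Likely", "Very likely"]

# One row per impact, one column per likelihood, in the order of the slide.
RISK_MATRIX = {
    "Trivial":  ["Low",    "Low",    "Low",      "Medium",   "Medium"],
    "Minor":    ["Low",    "Low",    "Medium",   "Medium",   "High"],
    "Moderate": ["Low",    "Medium", "High",     "High",     "High"],
    "Major":    ["Medium", "High",   "High",     "Critical", "Critical"],
    "Serious":  ["High",   "High",   "Critical", "Critical", "Critical"],
}
# Assumption: the impact slide's "Insignificant" is the matrix's "Trivial".
IMPACT_ALIASES = {"insignificant": "Trivial"}
SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]


def _normalise(value, choices, aliases=None):
    """Map free-form input ("very  Unlikely") onto the slide's exact labels."""
    key = " ".join(value.split()).lower()
    key = (aliases or {}).get(key, key)
    for choice in choices:
        if choice.lower() == key.lower():
            return choice
    raise ValueError(f"unknown level {value!r}; expected one of {choices}")


def risk_level(impact, likelihood):
    """Risk level for one finding, read straight from the matrix."""
    row = _normalise(impact, IMPACTS, IMPACT_ALIASES)
    col = LIKELIHOODS.index(_normalise(likelihood, LIKELIHOODS))
    return RISK_MATRIX[row][col]


def triage(findings):
    """Group (name, impact, likelihood) findings by risk level, most severe first."""
    buckets = defaultdict(list)
    for name, impact, likelihood in findings:
        buckets[risk_level(impact, likelihood)].append(name)
    return [(lvl, sorted(buckets[lvl])) for lvl in reversed(SEVERITY_ORDER) if buckets[lvl]]


# Constructed findings, not results from any real assessment.
SAMPLE_FINDINGS = [
    ("Unauthenticated admin action on Internet-facing portal", "Serious", "Very likely"),
    ("Flight-data tampering behind certificate authentication", "Major", "Moderate"),
    ("Software version disclosed by web server headers", "Trivial", "Very likely"),
    ("Weak password policy on isolated office LAN", "Minor", "Unlikely"),
]

if __name__ == "__main__":
    for level, names in triage(SAMPLE_FINDINGS):
        print(level, names)
```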
Likelihood Explanation
Very unlikely
The vulnerability in this likelihood is very unlikely to be exploited since many authentication and authorization mechanisms exist, i.e. attackers have to pass many defence-in-depth mechanisms. Local access with single or multi-factor authentication is an example of this kind of defence-in-depth mechanism. The threat actors may be insiders, advanced attackers and threat groups who bypass physical security protections and access the network by stealing some credentials.
Unlikely
The vulnerability in this likelihood is unlikely to be exploited since a few authentication and authorization mechanisms exist, i.e. attackers have to pass a few protection mechanisms. Local access without single or multi-factor authentication is an example of this kind of protection mechanism. The threat actors may be insiders and/or attackers and threat groups who bypass physical security protections and directly access the network or easily bypass network access protections.
Moderate
The vulnerability in this likelihood is moderately likely to be exploited: many authentication and authorization mechanisms exist, but the vulnerability may be exploited from the Internet and not only from the internal network. Attackers have to pass many defence-in-depth mechanisms such as multi-factor authentication, or Internet access with strong authentication (certificates and/or multi-factor authentication). IP access restrictions are also an example of this kind of defence-in-depth mechanism. The threat actors may be targeted advanced attackers and threat groups.
Likely
The vulnerability in this likelihood is likely to be exploited since a few authentication and authorization mechanisms exist, but the vulnerability may be exploited from the Internet and not only from the internal network. Attackers only have to pass a few defence-in-depth mechanisms; weak authentication, Internet access with user/password authentication or IP access restrictions are examples of this kind of protection. The threat actors may be novice attackers and untargeted threat groups, in addition to advanced attackers and targeted groups.
Very likely
The vulnerability in this likelihood is very likely to be exploited since it can be easily exploited from the Internet and not only from the internal network. Attackers can directly attack the systems without bypassing defence-in-depth mechanisms. The threat actors may be script kiddies, in addition to novice and advanced attackers and threat groups.
Impact Explanation
Insignificant
Operations: Insignificant impact when operational/safety services can be provided as usual.
Finance: Impact can be managed within business unit/branch/section budget.
Service Delivery: It causes negligible effects on the ability to provide a business service.
Reputation: The reputation can be affected by the isolated complaints of individual stakeholders.
Minor
Operations: Minor impact when some operational/safety services are degraded.
Finance: Impact requires delegated approval for response.
Service Delivery: It impairs the ability to provide a business service.
Reputation: The reputation can be affected by the complaints of a key stakeholder on organization/company services and activities.
Moderate
Operations: Moderate impact when some operational/safety services cannot be provided anymore.
Finance: Impact requires upper management approval for response.
Service Delivery: It severely compromises the ability to provide a business service.
Reputation: The reputation can be affected on organization/company services and activities by a key stakeholder.
Major
Operations: Major impact when a majority of operational/safety services cannot be provided anymore for a significant time.
Finance: Impact requires board approval for response.
Service Delivery: It causes the short-term inability to provide a critical business service.
Reputation: The reputation can be affected on the capability to provide functions/services by the majority of the stakeholders.
Serious
Operations: Serious impact when all operational/safety services cannot be provided anymore for a sustained time-frame.
Finance: Impact requires government support.
Service Delivery: It causes sustained inability to provide a service.
Reputation: The reputation cannot be repaired with stakeholders and the organization/company may not continue in its current form.
Risk Level Example
Critical
Vulnerabilities in this category cause a serious impact on the operational ATM environment from the Internet.
Ex. Shut down air traffic control systems from a web portal.
High
Vulnerabilities in this category can cause a partial impact on the operational ATM environment.
Ex. Degradation of ATC systems by inserting fake flight plan information from a web portal requiring strong authentication.
Medium
Vulnerabilities in this category can cause a serious impact to ATM supporting systems from the Internet or a partial impact on ATM systems from the local ATM environment.
Ex. Shut down monitoring systems of ATC environment from a web portal.
Low
Vulnerabilities in this category have limited impact to ATM supporting systems or non-ATM related systems.
Ex. Vulnerabilities to corporate email infrastructure from local network.
Information
Gaining limited information about configuration is classified as a level 1, informational-level vulnerability. The vulnerability in this category gives some basic information to the attacker about the system.
Ex. Information leaked by web server headers about software version.
CYBER THREAT INTELLIGENCE & INNOVATIVE CYBER-SECURITY SERVICES
Quarterly cyber threat landscape report
TLP:WHITE CTI tools – raising awareness
Credentials
[Chart: number of leaked credentials per quarter for monitored domains: 2018 Q3: 37302; 2018 Q4: 68087; 2019 Q1: 113147; 2019 Q2: 132176; 2019 Q3: 132558; 2019 Q4: 152455. Second chart: number of monitored domains per quarter, 2018 Q3 to 2019 Q4 (values shown: 20, 73, 89, 96, 87), for 58 constituents. Sample leaked entries show usernames with masked passwords and trivial passwords such as 123456.]
Sharing cyber-information
MISP
[Chart: growth of the MISP sharing community from 2018 Q2 to 2019 Q4. Member types: national CERTs (e.g. Israel), manufacturers, international organizations. Organizations named: Lufthansa, ECCSA, Airport Schiphol, Thales, Airbus, Turkish Airlines, IATA.]
MISP - Integration
SIEM
Document leaks
Fraudulent websites impersonating airlines
Ryanair: https://c.golddiggergames.be/9661/61283
Qantas Airlines: http://www.com-cana.com/?Anniversary-dUMwH
Singapore Airlines: http://www.singạporeair.com/free-tickets/
easyJet: http://www.easyonefly.com
American Airlines: http://www.aa.com-flightus.com
December 19
Email Fraud
20 domain names suspended upon EATM-CERT request, another 3 suspensions requested.
Email Fraud Attack surface
Domain name           | Domain closure: status | Attempts count
eurcontrolint.net     | Suspended              | 50
eurocontroladmin.net  | Suspended              | 29
euro-control-int.org  | Suspended              | 13
euro-control.net      | Suspended              | 8
eurocontolint.net     | Suspended              | 5
euro-control.org      | Suspended              | 3
euro-controlinc.com   | Suspended              | 2
eurocontrotint.net    | Suspended              | 2
eurocontroint.net     | Suspended              | 1
eurocontrolints.net   | Suspended              | 1
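A brand-monitoring check of the kind that produces a table like the one above: given newly observed domains, it flags those that imitate the legitimate eurocontrol.int by hyphenation, TLD swap, added affixes or single-character typos. Added example, not an EATM-CERT tool; the sample domains are the ones listed on this page plus constructed benign ones.

```python
BRAND = "eurocontrol"
LEGITIMATE = {"eurocontrol.int"}


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_distance(label):
    """Smallest edit distance between the brand and any window of the label,
    so that 'eurcontrolint' is still recognised as a typo of 'eurocontrol' + 'int'."""
    best = len(BRAND)
    for start in range(len(label)):
        for width in range(len(BRAND) - 2, len(BRAND) + 3):
            best = min(best, levenshtein(label[start:start + width], BRAND))
    return best


def classify(domain):
    domain = domain.lower().strip(".")
    if domain in LEGITIMATE:
        return "legitimate"
    # Hyphens are dropped so euro-control.net is compared as 'eurocontrol'.
    label = domain.split(".")[0].replace("-", "")
    dist = brand_distance(label)
    if dist == 0:
        return "brand under other TLD" if label == BRAND else "brand with affix"
    if dist <= 2:
        return "typo of brand"
    return "unrelated"


def scan(domains):
    """Verdict per domain; anything but 'legitimate'/'unrelated' is a takedown candidate."""
    return {d: classify(d) for d in domains}


# Sample input: lookalikes from the slide plus constructed benign names.
SAMPLE_DOMAINS = ["eurocontrol.int", "euro-control.net", "eurocontroladmin.net",
                  "eurcontrolint.net", "eu-control.info", "example.org"]

if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:24} {verdict}")
```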
2 - Fraudulent e-mails
USE OF MITRE ATT&CK
• Framework based on observed adversaries' behaviour
• Common language
• Answer to InfoSec questions
• Deals with
• Strategy
• Tactics
• Operations
• Improves detection coverage
• Setting priorities
• Emulating adversaries
Reference: MITRE ATT&CK CTI Training Slides
All together … as we are as strong as the weakest link
Cybersecurity management framework
Invest in Humans
Adapt processes
Apply a secure development lifecycle
Build a Trust Framework
Cybersecurity and resilience Symposium - Amman - Jordan, 15-17 October 2019
Investing in Humans
CEO & Senior Management Staff
Adapting processes
Applying a secure development lifecycle
BMS / HVAC
Power Supply
Building a Trust Framework
Cyber Strategy & Action Plan
Secure Exchange of info
Regulatory framework (ESCP): Regulations, AMC, Guidance, Standards
Sharing cyber information
Industry
TLP:WHITE & GREEN
Researchers – vulnerability disclosure
Media Management
Services of common interest
Use proven standards
ISO 27K, NIST 800
TRAINING, EXERCISES
Crisis management exercise: Room42
IANS Trainings
• EUROCONTROL has training facilities in Luxembourg (IANS)
• We are planning to expand cyber security trainings with more technical ones
EUROCONTROL Capture The Flag
Being cyber secure is an illusion … let’s become cyber resilient all together as we are as strong as the weakest link.
Cyber resilience will not make you 100% cyber-proof but will assure your business!
AND YOU CAN’T DO IT ALONE … so let’s support the establishment of a cyber-resilience framework.
THANK YOU
mailto:[email protected]