About us: Finmeccanicasts.hitachirail.com/sites/ansaldosts/files/downloads/ansaldosts-cpex… ·...


Page 1: Cyber Security in Railways Systems, Ansaldo STS experience – Part 2: Cyber Security Strategy and Design

CP EXPO Workshop - «Risks and Security Management in Logistics and Transports»
Genova, 29 October 2013

Relator: Ermete Meda, InfoSec Manager
Joint work with: Daniele Debertol, PhD.

About us: Finmeccanica

Finmeccanica is Italy’s leading manufacturer in the high technology sector.
Finmeccanica is the largest shareholder in Ansaldo STS with a 40% stake.

Page 2: Signaling Systems: Safety-to-Security relationships

“Vital Systems”
• RBC (Radio Block Center)
• Interlocking
Environment: proprietary infrastructure that ensures railway safety is not subject to computer attack

“Non-Vital Systems”
• Centralized Traffic Control Systems (e.g. TMS), Automation Systems
Environment: commercial ICT infrastructure undergoing cyber security risks (operational continuity, financial losses, reputational damage)

Page 3: … and between vital and non-vital layers

[Figure: the vital layer (trains T1 and T2, balises, two Interlockings and the RBC, linked over ERTMS Euroradio) sits below the non-vital layer (Train Management System (TMS) and External Systems); the vital layer is marked “Needs Protection…”]

RBC: Radio-Block Center

Page 4: Evolution and Characteristics of Railway Signaling Systems

Technology Platforms

In the Past:
• Proprietary HW/SW
• Isolated Systems
• Dedicated Applications
• Structured Information

Today:
• Commercial low cost HW/SW
• TCP/IP Protocol
• Interconnected Systems
• Heterogeneous Services (E-mail, Info-web, VoIP, CCTV, …)
• Structured and unstructured Information

Operating Environment Today
• Distributed ICT infrastructure spread over long distances, and unattended systems
• Connections between safety critical and non-safety critical layers
• External systems connected to signaling infrastructure
• Human factor (operators, maintainers and… passengers)

Page 5: Cyber Space calling, Cyber Security knocking

Cyber Security: protection of Cyber Space. But what is Cyber Space?

Yesterday: many different environments, side-by-side. Today: one single, big environment.

Consequences: dynamic threat landscape in a unique Cyber Domain.

Actor / motivation / examples (as grouped on the slide):
• Military: Strategic & Tactical Cyber War (Stuxnet, Operation Aurora, Botnets)
• Terrorism: Politics
• Espionage: Intellectual Property (Zeus, Flame, Mandiant APT1 Report, AET attacks, Botnets, Phishing e-mail)
• Organized Crime: $
• Vandalism & Hacktivism: Ego, Curiosity (DDoS attacks, Wikileaks, Anonymous)

Page 6: 3 Phase Approach: Mature Cyber Security Process

1. Discovery & Assessment
• Identify key risks
• Identify key assets
• Identify gaps

2. HW/SW Review & Redesign
• Countermeasure rationalization
• Security Infrastructure Assessment
• Fill technology gaps

3. Intelligence & Analytics
• Monitoring & Management Improvement
• Big Data Security Analytics
• Real-time Intelligence feeds

Page 7: ICT Security Activities and Governance: Best Practices

[Figure: chart of Effort against the activities Event Identification, Countermeasures and Incident Management]

Page 8: ICT Security Activities and Governance: real life

[Figure: Prevention, Detection and Reaction; proactive countermeasures on one side, reactive countermeasures (not excluding Forensics) on the other; the monitoring step is captioned “Monitoring… and guess what?” and the reaction step “WTF is going on???”]

Page 9: Cyber Security: taking advantage of IT

Leaving trace-routes behind

Building on top of Information Technology infrastructures means that you get both its weaknesses, true, but its strengths as well…

… putting it the other way round: if a system is not secure by design – and they are not –, it will leave plenty of traces for you to follow!

Page 10: Strategy: enhance monitoring and correlate

So many eyes… giving a very broad view (say, at 365 degrees… to stay safe)… OK…
But where to look for? And for what? And who?

• Firewalling
• Content Filtering
• Virtual Patching
• IDS/IPS
• AAA

Page 11: Perimeter Defence - Firewall shortcoming

[Figure: a Management Console pushes Policy Installation to the Firewall Modules of Signalling Plant_1, Signalling Plant_2 … Signalling Plant_N across the WAN; External Systems reach the plants through the same WAN; the firewall modules send back Logs, and the only picture of the Traffic is the “expected results from logs”]

Solution: adding IPS/IDS and Log Correlation

Page 12: Content Filtering: the do’s and the dont’s

[Figure: Dirty Traffic enters the Virtual Patcher, Clean Traffic leaves it]

Threats Treatment
• Analysis: find critical vulnerabilities directly exposed to possible attacks
• Remediation: identify (& block) specific packets for the above vulnerabilities

The operating system is static, meaning that you can’t change it too often (good…), but that you won’t be able to patch it (at all) either, which is NO GOOD!

Solution: adding Virtual Patching
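The two-step treatment above (analysis finds the exposed vulnerability, remediation blocks the packets that reach it) is what a virtual patcher does in front of a host whose operating system cannot be patched. The following is an added example written for this page, not Ansaldo STS code: an inline filter whose rules are hypothetical stand-ins for the analysis results (the ports, the payload signature and the length limit are invented), with every dropped packet logged so that the correlation stage can see who keeps hitting the shield.

```python
"""Virtual patching: drop the packets that reach a known-vulnerable code path
in a host that cannot be patched, and let everything else through.

Added example for this page, not Ansaldo STS code. The rules below are
hypothetical stand-ins for the output of the analysis step; the ports,
patterns and length limits are invented."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass
class VirtualPatch:
    """One remediation rule: the service it shields and the packet shape that
    triggers the vulnerability. With no shape given, the whole port is blocked
    (the coarse option when the trigger cannot be pinned down)."""
    name: str
    proto: str
    dport: int
    signature: Optional[re.Pattern] = None   # payload bytes that hit the bug
    max_payload: Optional[int] = None         # longer payloads hit the bug

    def matches(self, pkt: Packet) -> bool:
        if (pkt.proto, pkt.dport) != (self.proto, self.dport):
            return False
        if self.signature is None and self.max_payload is None:
            return True                       # blanket block of the port
        if self.max_payload is not None and len(pkt.payload) > self.max_payload:
            return True
        return bool(self.signature and self.signature.search(pkt.payload))


class VirtualPatcher:
    """Inline filter: dirty traffic in, clean traffic out, drops logged."""

    def __init__(self, rules: List[VirtualPatch]):
        self.rules = list(rules)
        self.drop_log: List[Tuple[str, str, str, int]] = []   # rule, src, dst, dport

    def filter(self, packets: List[Packet]) -> List[Packet]:
        clean = []
        for pkt in packets:
            hit = next((r for r in self.rules if r.matches(pkt)), None)
            if hit is None:
                clean.append(pkt)
            else:
                self.drop_log.append((hit.name, pkt.src, pkt.dst, pkt.dport))
        return clean


# Hypothetical rules standing in for the analysis results.
RULES = [
    # an unpatchable legacy telnet service that mishandles long lines
    VirtualPatch("VP-001-telnet-oversize", "tcp", 23, max_payload=256),
    # an embedded web console that passes a query parameter to a shell
    VirtualPatch("VP-002-web-cmdinj", "tcp", 80,
                 signature=re.compile(rb"[;&|`]\s*(cat|sh|bash|nc|wget)\b")),
    # a management port that must not be reachable from this segment at all
    VirtualPatch("VP-003-mgmt-port", "tcp", 9100),
]

# Constructed sample traffic: six packets, three of which hit a rule.
SAMPLE = [
    Packet("10.1.2.12", "10.1.2.10", "tcp", 23, b"show status\r\n"),
    Packet("10.9.9.9", "10.1.2.10", "tcp", 23, b"A" * 300),
    Packet("10.1.2.12", "10.1.2.10", "tcp", 80, b"GET /status?id=1 HTTP/1.0\r\n"),
    Packet("10.9.9.9", "10.1.2.10", "tcp", 80, b"GET /status?id=1;cat /etc/passwd HTTP/1.0\r\n"),
    Packet("10.9.9.9", "10.1.2.10", "tcp", 9100, b"\x00"),
    Packet("10.1.2.11", "10.1.2.10", "udp", 161, b"\x30\x26\x02\x01\x00"),
]


def run(packets=SAMPLE, rules=RULES):
    """Return (clean packets, drop log) for one pass through the patcher."""
    vp = VirtualPatcher(rules)
    clean = vp.filter(packets)
    return clean, vp.drop_log


if __name__ == "__main__":
    clean, drops = run()
    for d in drops:
        print("DROP", *d)
    print(f"{len(clean)} of {len(SAMPLE)} packets passed")
```

Two things a practitioner checks before trusting such a shield: the signature rule catches only the shape it was written for (a client that URL-encodes the `;` gets past VP-002), so the rule has to sit as close to the vulnerable code path as the analysis allows; and the blanket rule VP-003 is the fallback when the trigger cannot be pinned down, at the cost of losing that service for everyone behind the patcher.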

Page 13: Near Realtime Asset Control

Know your flock, and beware of wolves! Barkin’, at the very least

[Figure: a monitoring subnet attached to the WAN feeds clean traffic to the asset control GUI]

• perform differential discovery onsite for database tuning
• acknowledge variations that should be allowed
• what is left, deal with: either a missing sheep, or a mismatched one, or… go, bark, there’s a wolf!
• repeat as needed

Notes:
• not a performance- or availability-driven tool, though it may help
• based on static asset database loaded offline at project time
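The loop on the slide (discover, acknowledge, classify what is left, repeat) in code, as an added example that is not part of the original presentation or its tooling: a static asset database loaded at project time, one discovery pass, and the three verdicts of missing sheep, mismatched sheep and wolf. Addresses, MACs, roles and port sets are constructed.

```python
"""Near-realtime asset control by differential discovery: compare what the
monitoring subnet sees against the static asset database loaded at project
time, and classify every difference.

Added example for this page, not Ansaldo STS tooling. Addresses, MACs,
roles and port sets are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    role: str                 # discovery cannot see the role; it uses "?"
    ports: FrozenSet[int]     # TCP ports expected (or seen) listening


@dataclass
class Report:
    missing: List[str]                                  # in DB, not seen
    mismatched: List[Tuple[str, str, object, object]]   # ip, field, expected, observed
    wolves: List[str]                                   # seen, not in DB

    def is_clean(self) -> bool:
        return not (self.missing or self.mismatched or self.wolves)


def tune(db: Dict[str, Asset], acknowledged: Iterable[Asset]) -> Dict[str, Asset]:
    """Fold operator-acknowledged variations (a new host, a changed port set)
    into the database so the next run no longer barks at them."""
    tuned = dict(db)
    for a in acknowledged:
        tuned[a.ip] = a
    return tuned


def diff_discovery(db: Dict[str, Asset], observed: Iterable[Asset]) -> Report:
    seen = {a.ip: a for a in observed}
    report = Report([], [], [])
    for ip, expected in sorted(db.items()):
        actual = seen.get(ip)
        if actual is None:
            report.missing.append(ip)            # a missing sheep
            continue
        # a changed MAC behind a known IP is the classic replaced or spoofed box
        if actual.mac.lower() != expected.mac.lower():
            report.mismatched.append((ip, "mac", expected.mac, actual.mac))
        if actual.ports != expected.ports:
            report.mismatched.append((ip, "ports", sorted(expected.ports), sorted(actual.ports)))
    report.wolves = sorted(ip for ip in seen if ip not in db)   # bark
    return report


# Static asset DB loaded offline at project time (constructed).
PROJECT_DB = {
    "10.1.2.10": Asset("10.1.2.10", "00:11:22:33:44:10", "signalling-server", frozenset({22, 502})),
    "10.1.2.11": Asset("10.1.2.11", "00:11:22:33:44:11", "diagnostic-logger", frozenset({22, 514})),
    "10.1.2.12": Asset("10.1.2.12", "00:11:22:33:44:12", "operator-hmi", frozenset({3389})),
}

# What one discovery pass on the monitoring subnet returned (constructed).
SCAN = [
    Asset("10.1.2.10", "00:11:22:33:44:10", "?", frozenset({22, 502})),
    Asset("10.1.2.12", "00:11:22:33:44:12", "?", frozenset({3389, 445})),
    Asset("10.1.2.13", "00:11:22:33:44:13", "?", frozenset({22})),
    Asset("10.1.2.50", "0a:0b:0c:0d:0e:50", "?", frozenset({22, 80})),
]

# Variation the site engineer has already acknowledged: a new engineering
# workstation that belongs in the DB.
ACKNOWLEDGED = [Asset("10.1.2.13", "00:11:22:33:44:13", "engineering-ws", frozenset({22}))]


def run(db=PROJECT_DB, scan=SCAN, acks=ACKNOWLEDGED) -> Report:
    """One iteration of the loop: tune the DB, then diff the latest scan."""
    return diff_discovery(tune(db, acks), scan)


if __name__ == "__main__":
    r = run()
    print("missing sheep:", r.missing)
    print("mismatched   :", r.mismatched)
    print("wolves       :", r.wolves)
```

The slide’s remark that this is not a performance or availability tool matters in practice: on a signalling network, discovery should be passive (listening on the monitoring subnet) or strictly rate-limited, because embedded stacks on vital equipment can fail under aggressive active scanning. A changed MAC behind a known IP deserves the wolf treatment even though the IP is in the database, which is why it is reported as a mismatch rather than silently accepted.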

Page 14: Log Correlation

The Russian peasant of SIEMs at work: fast and light

[Figure: Sensor_1, Sensor_2 … Sensor_n write Log Files; Events from the log files feed the Correlation Engine, whose output goes to the Console]

• Message Correlation
• Minimize False Positives
• Realtime response (no archiving)
• Novelty detection for scheme-in-the-chaos
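The correlation engine sketched above, and the firewall shortcoming of Page 11 (logs from many plants but no picture of what is going on), as an added example that is not the presentation’s engine: a per-source sliding window, three rules (a scan across several blocked ports, an IDS alert from a source the firewall or virtual patcher already blocked, and a flow the policy allowed but the project never planned), duplicate suppression to keep false positives down, and no archiving. The log format, sensor names, thresholds and the baseline of known flows are constructed.

```python
"""Light-weight log correlation across sensors: a sliding window per source,
three rules, duplicates suppressed, nothing archived.

Added example for this page, not the Ansaldo STS correlation engine. Log
format, sensor names, thresholds and the baseline of known flows are
constructed. Events are assumed to arrive in time order."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

LINE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<kind>ALLOW|DENY|DROP|ALERT) (?P<kv>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str
    kind: str      # ALLOW/DENY from firewalls, DROP from the virtual patcher, ALERT from IDS
    src: str
    dst: str
    dport: int
    sig: str


def parse(line: str) -> Optional[Event]:
    m = LINE.match(line)
    if not m:
        return None                      # unknown format: skip, never crash the engine
    kv = {k: v.strip('"') for k, v in KV.findall(m["kv"])}
    try:
        return Event(datetime.fromisoformat(m["ts"]), m["sensor"], m["kind"],
                     kv["src"], kv["dst"], int(kv["dport"]), kv.get("sig", ""))
    except (KeyError, ValueError):
        return None


class Correlator:
    def __init__(self, window_s: int = 60, scan_ports: int = 3,
                 known_flows: Set[Tuple[str, str, int]] = frozenset()):
        self.window = timedelta(seconds=window_s)
        self.scan_ports = scan_ports
        self.known_flows = set(known_flows)
        self.recent: Dict[str, Deque[Event]] = defaultdict(deque)
        self.raised: Set[Tuple[str, str]] = set()
        self.console: List[Tuple[str, str, str]] = []

    def _raise(self, src: str, incident: str, detail: str) -> None:
        # one console line per (source, incident): the same scan seen by
        # three sensors is still one incident, not three alarms
        if (src, incident) not in self.raised:
            self.raised.add((src, incident))
            self.console.append((src, incident, detail))

    def feed(self, ev: Event) -> None:
        q = self.recent[ev.src]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window:
            q.popleft()                  # no archiving: evidence older than the window is gone
        if ev.kind == "DENY":
            # several blocked ports from one source inside the window is a scan;
            # a single stray deny is noise and raises nothing
            ports = {e.dport for e in q if e.kind == "DENY"}
            if len(ports) >= self.scan_ports:
                self._raise(ev.src, "port-scan", f"{len(ports)} blocked ports within {self.window.seconds}s")
        elif ev.kind == "ALERT":
            # IDS hit from a source the perimeter already blocked or the virtual
            # patcher already dropped: the cross-sensor pattern a firewall alone misses
            if any(e.kind in ("DENY", "DROP") for e in q):
                self._raise(ev.src, "persistent-attacker", f"{ev.sig} after perimeter blocks/drops")
        elif ev.kind == "ALLOW":
            # novelty: policy let it through, but the project never planned it
            flow = (ev.src, ev.dst, ev.dport)
            if flow not in self.known_flows:
                self.known_flows.add(flow)   # report once, then learn it
                self._raise(ev.src, "novel-flow", f"first {ev.src}->{ev.dst}:{ev.dport}")


# Constructed sample lines from three sensors, in arrival order.
SAMPLE_LOG = """\
2013-10-29T10:00:01 fw1 ALLOW src=10.1.2.12 dst=10.1.2.10 dport=22
2013-10-29T10:00:05 fw1 DENY src=10.9.9.9 dst=10.1.2.10 dport=23
2013-10-29T10:00:07 fw1 DENY src=10.9.9.9 dst=10.1.2.10 dport=80
2013-10-29T10:00:09 fw1 DENY src=10.9.9.9 dst=10.1.2.10 dport=443
2013-10-29T10:00:11 fw1 DENY src=10.9.9.9 dst=10.1.2.10 dport=8080
2013-10-29T10:00:15 vpatch1 DROP src=10.9.9.9 dst=10.1.2.10 dport=23 rule=VP-001
2013-10-29T10:00:20 ids1 ALERT src=10.9.9.9 dst=10.1.2.10 dport=22 sig="SSH brute force"
2013-10-29T10:00:30 fw1 ALLOW src=10.1.2.12 dst=10.1.2.11 dport=514
2013-10-29T10:03:00 fw1 DENY src=10.8.8.8 dst=10.1.2.10 dport=23
garbage line the parser must survive
"""

# Flows planned at project time (constructed baseline).
KNOWN_FLOWS = {("10.1.2.12", "10.1.2.10", 22)}


def run(log: str = SAMPLE_LOG, known=KNOWN_FLOWS) -> List[Tuple[str, str, str]]:
    """Feed every parsable line through the engine; return the console lines."""
    c = Correlator(known_flows=known)
    for line in log.splitlines():
        ev = parse(line)
        if ev:
            c.feed(ev)
    return c.console


if __name__ == "__main__":
    for src, incident, detail in run():
        print(f"{incident:<20} {src:<12} {detail}")
```

Why this is “fast and light”: state is bounded by window length times event rate per source, and each event is examined once. The price is that anything slower than the window, such as a scan spread over hours, is invisible to the scan rule; that is the job of the archived, big-data analytics of phase 3 on Page 6, not of the realtime engine.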

Page 15: The 11th hour (a.m.?)

Cyber Security = Defense line

Do we simply wait for vulnerabilities to become actual threats, or can we advance from here, and provide for new services?