The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700581. This document is the property of the ATENA consortium and shall not be distributed or reproduced without the formal approval of the ATENA governing bodies.

Advanced Tools to assEss and mitigate the criticality of ICT compoNents and their dependencies over Critical InfrAstructures

D8.11 Societal Impact Interim Report

General information

Dissemination level Public

State Draft

Work package WP8 Project dissemination and commercial strategy

Task Task 8.1

Delivery date 31/10/2017

Version 1.0

Type H2020-DS-2015-1-Project 700581

Project Advanced Tools to assEss and mitigate the criticality of ICT compoNents and their dependencies over Critical InfrAstructures

Title D8.11 Societal Impact Interim Report

Classification Public

Ref. D8.11 Societal Impact Interim Report.docx Page 2 of 21

Editors

Name Organisation

M. Aubigny ITRUST

Authors

Name Organisation

M. Aubigny, M. Tiits ITRUST

Reviewers

Name Organisation Date

Paolo Pucci FNM 30/10/2017

All the trademarks referred to in the document are the property of their respective owners. Should any trademark attribution be missing, mistaken or erroneous, please contact us as soon as possible for rectification.


Executive Summary

Cyber-attacks, including those against critical infrastructure, have become high-profile events that have attracted many headlines in recent years. This is not only a matter of headlines. According to a 2015 report of the Department of Homeland Security, the number of reported cyber incidents against critical infrastructure in the U.S. alone rose from 198 in 2012 to 295 in 2015. What is more, “cyber aggression is emerging as a major new vector that can be activated to achieve strategic superiority, destabilise states, and cause large-scale economic damage.”

Earlier studies have found that the economic impact of cybercrime on French, German and UK enterprises varies from 100 thousand euro to as much as 20 million euro per year per affected company, depending on the type of attack. By another estimate, the average cost of cyber incidents per company per year varied between 2.3 million and 15 million euro in 2015. As the range of these figures shows, these are very broad estimates indeed.

What is more, the cost of cyber-attacks varies very significantly from company to company, depending on the type and scale of the critical infrastructure involved and on the seriousness of the incident. Given the above, macroeconomic estimates of the potential economic costs of cyber-attacks remain speculative at best. Earlier, very broad estimates indicate, nonetheless, that we are facing a major issue. According to McAfee & CSIS, the economic impact of cybercrime amounted to 0.41% of EU GDP, i.e. around 55 billion euro, in 2013.

We conclude from the literature review that the socio-economic consequences of an attack, or of a natural event, are likely to be limited if the affected infrastructure is limited in scope and the affected systems are recovered quickly. Therefore, it is vital for an affected firm to be able to neutralise an attack, restore computer and industrial control systems, and resume operations quickly, so as to insulate itself from potential attacks.

What is more, the experience of recent years indicates that vendor software, including operating systems, applications and firmware, is increasingly vulnerable to potential attacks, as the number of identified issues continues to grow faster than such problems are solved. Accordingly, owners and maintainers of critical infrastructure (CI) should work on the assumption that there is at least one unpatched security vulnerability in vendor software in each and every CI.

This is where ATENA clearly has a major positive socio-economic impact, in protecting the CI and allowing for rapid recovery of services, even though there is not enough data available at this stage to offer a reliable estimate of the benefits that the adoption of ATENA will bring about in the coming years.


Table of contents

1 Introduction 5

1.1 Context 5

1.2 Objectives 5

1.3 Document Structure 5

1.4 Glossary 5

1.5 Acronyms and symbols 6

2 A history of the societal impact regarding the major incidents in essential services 7

2.1 Global overview of the major incidents 7

2.2 Assessment of societal and economic impact 10

3 ATENA improvement in terms of resilience 12

3.1 Typical cyber-attack vectors 12

3.2 ATENA Tools in Terms of Resilience Improvement of Essential Service 13

3.3 How would ATENA decrease the societal impact of the cyber threat panorama? 13

3.3.1 Increase the resilience to avoid or limit bad impact on society 14

3.3.2 A simplistic simulation of the societal benefit of ATENA deployment 16

4 References 20

List of figures

Figure 1: Geographic distribution of attacks on industrial computers, H1 2017 [14] 7

Figure 2: Targeted Essential Services and nature of attack vectors [6] 9

Figure 3: The distribution of major cyber-attacks by motivation 10

Figure 4: Annual cost of cyber crime according to the type of threats 11

Figure 5: Typical cyber-attack vectors [14] 12

Figure 6: Simulation of the Societal Benefit of ATENA 19

List of tables

Table 1: Table of simulation parameters 17

Table 2: Set-up and maintenance cost of the solution 18

Table 3: Simulation Computation Table 19


1 Introduction

1.1 Context

According to the project Description of Action [5], one of the objectives of the project is to provide innovative research to counteract “successful attacks against CIs which may produce not only relevant technical and economic damages, but endanger fundamental societal values of the European societies, such as privacy and personal freedom of autonomous action”, i.e. to provide a methodology and tools with a relevant and reliable added value in terms of societal benefit.

The present document constitutes a first (and declaredly preliminary) report of the societal impact monitoring for the ATENA project.

Critical infrastructure is susceptible to a variety of cyber and non-cyber incidents. Major natural events, such as floods or strong winds, which may or may not come as the result of storms or hurricanes, may have severe consequences. Likewise, technical failures in physical infrastructure, failures of industrial control systems and cyber-attacks may all severely impact the functionality of CIs.

1.2 Objectives

The objectives of the document are:

• To identify the societal impact of the lack of resilience in Essential Services and to identify the causes of major outages in specific sectors such as the Energy and Water sectors;

• To ensure that ATENA solutions’ requirements are able to mitigate these major causes.

The present document limits its scope to results that are measured in the project period M1-M18.

1.3 Document Structure

The chapters of the document deal respectively with:

• Chapter 2 reports an overview of the main causes of these incidents and cross-matches them with the ATENA requirements to assess the societal impact of the ATENA research project in terms of resilience improvement.

• Chapter 3 provides a preliminary rationale of the ATENA module functionality requirements considering the societal impact. A simulation of the societal benefit of the ATENA tools is also proposed from a purely financial point of view.

1.4 Glossary

A glossary of the main terms adopted in the project is available in deliverable D2.1 [1]. For the sake of maintenance, manageability and completeness, the reader is also invited to refer to the separate project-level glossary document (i.e., D2.0 ATENA glossary), a non-contractual document that we are hosting on the ATENA web site (https://www.atena-h2020.eu/) for public use.


1.5 Acronyms and symbols

Acronym or symbol Explanation

AMNG Asset Management Module

CI Critical Infrastructure

CM Composer

CSIS Center for Strategic and International Studies

DL Detection Layer

DDoS Distributed Denial of Service

DoS Denial of Service

GCHQ Government Communications Headquarters

GDP Gross Domestic Product (considered per capita)

GDPR General Data Protection Regulation

ENISA European Network and Information Security Agency

FBI Federal Bureau of Investigation

IACS Industrial and Automation Control Systems

IEC International Electrotechnical Commission

ISO International Organization for Standardization

MN Mitigation Module

OPC DA OLE for Process Control Data Access

PII Personally identifiable information

RANT Risk Analysis Tool

RP Risk Predictor

SCADA Supervisory Control and Data Acquisition

SMN Secure Mediation Gateway

SWIFT Society for Worldwide Interbank Financial Telecommunication


2 A history of the societal impact regarding the major incidents in essential services

2.1 Global overview of the major incidents

Cyber-attacks, including those against critical infrastructure, have become high-profile events that have attracted many headlines in recent years. This is not only a matter of headlines. According to a 2015 report of the Department of Homeland Security, the number of reported cyber incidents against critical infrastructure in the U.S. alone rose from 198 in 2012 to 295 in 2015. What is more, “cyber aggression is emerging as a major new vector that can be activated to achieve strategic superiority, destabilise states, and cause large-scale economic damage [6].”

Hackers, whatever their motivations, have become more capable, while much of the world’s core infrastructure continues to depend on legacy technology, such as outdated firmware and operating systems, that is more and more difficult to secure. This leaves the door open to fairly simple, yet potentially devastating attacks.

Across the globe, 38% of the computers that are part of industrial enterprise technology infrastructure faced attempted attacks in the first half of 2017. At the same time, attacks were detected on more than 60% of industrial computers in Vietnam, Algeria and Morocco (Figure 1).

Figure 1: Geographic distribution of attacks on industrial computers, H1 2017 [14]

Infection attempts on industrial computers are sporadic in most cases, and the attack tools are not specific to industrial automation systems. In fact, there appears to be very little difference between the malware detected on industrial computers and the malware found on corporate computers more generally. Overall, about 18 thousand different versions of malware were detected on industrial automation systems. The most dangerous type of malware – botnet agents that can be remotely controlled via command-and-control servers – or traces of their activity were detected on 5% of all industrial computers that were attacked in the second half of 2016.


Many attempted attacks on industrial computers get blocked, or the infected systems get secured without an immediate major impact on corporate operations. Some of the recent attacks have, however, been very significant. We describe these cases very briefly in the following.¹

1. A massive power outage, which left most areas of Western Ukraine in the dark in December 2015, was the result of a SCADA cyber-attack. This attack started with spear-phishing e-mails, which are relatively simple to arrange, and eventually led to the overwriting of firmware on SCADA equipment [6] [21]. Malware called BlackEnergy was used for this attack. Another attack, which targeted the Pivnichna substation near Kiev, hit the country exactly one year after the first attack, in an apparent attempt to sow insecurity and demonstrate the vulnerability of Ukraine’s infrastructure. ESET experts believe that the highly configurable CrashOverride/Industroyer malware, which can be used for attacking any industrial environment, was used for attacking the Ukrainian energy networks in 2016.²

2. An attack on a dam in Rye Brook, 25 miles north of New York City, is another remarkable case, where hackers succeeded in accessing the core command-and-control system through a cellular modem. The hacker would have been able to operate the sluice gate, which controls water levels and flow rates, but the gate had been disconnected for maintenance when the intrusion occurred. This attack, which took place in 2013, went unreported until 2016, when the U.S. Department of Justice charged 7 Iranian government-linked hackers [24].

3. Also, the FBI and the Department of Homeland Security recently reported an attack on a number of nuclear plants in the U.S. The “amber” alert to industry noted that spear-phishing e-mails had been used to target industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material. The fake job-application résumés sent to the targeted individuals were Microsoft Word documents laced with malicious code [18].

The above attacks in Ukraine and the U.S. are by far not the only attacks on energy or water infrastructure. GCHQ has warned that it had detected “advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors” in the U.K. Apparently, no disruption was caused, but GCHQ warned that “a number of Industrial Control System engineering and services organisations are likely to have been compromised” [7]. The World Energy Council has also flagged the issue and stated that “since the last report, UK energy security has seen a marked refocusing on to non-industry-related external threats such as those from terrorism and cyber-attacks, whether individual or state-sponsored” [27].

But the attacks are not limited to purely industrial sectors: service sectors are also a major target, as shown by the series of attacks against the SWIFT global banking system that were reported in 2015-2016.

1. First, an attempted billion-dollar theft from the Bangladesh central bank via its account at the New York Federal Reserve Bank was reported. It was only because of a typo the hackers had made that they stole 81 million dollars rather than the full 1 billion dollars they were after [23].

2. Thereafter, an attack that affected a commercial bank in Vietnam was reported. Both attacks involved malware written both to issue unauthorised SWIFT messages and to conceal that the messages had been sent. Attackers targeted SWIFT member banks, and SWIFT’s own core communication network was not compromised [24].

¹ We do not seek to offer a comprehensive list of cyber incidents here. A number of actors, such as the Center for Strategic & International Studies, have documented such lists at least since 2006.

² The CrashOverride/Industroyer malware works with four industrial protocols – IEC 60870-5-101 (aka IEC 101), IEC 60870-5-104 (aka IEC 104), IEC 61850 and OLE for Process Control Data Access (OPC DA) – that are widely used in the energy and water supply, transport and other types of critical infrastructures. [8]

Attacks through ransomware, which are more lucrative and easier to organise (some ransomware is sold as a service for a thousand euros by hackers who do not want to take responsibility for the attack themselves), have definitely become an attractive path for black hats. Therefore, ransomware, which requests an anonymous payment (mostly in bitcoin, the untraceable money of the 21st century) in order to decrypt the hard drives of the infected systems, has become the most ‘popular’ type of malware. The WannaCry malware rapidly infected more than 300,000 computers in a wide range of countries. In Britain, the National Health Service was the worst hit. Staff of the infected hospitals were forced to revert to pen and paper. People in affected areas were advised to seek medical care only in emergencies [25].

Figure 2, taken from a recent ENISA report, gives a quick overview of the most targeted sectors (ICT, Financial, Energy, Administration) and the most used attack vectors (Malware, DoS & DDoS, Phishing).

Figure 2: Targeted Essential Services and nature of attack vectors [6]

But to understand the nature of attacks and to succeed in deploying a real shielding strategy, we should not only consider the attacks themselves (impact, technical path) but also the motivation behind them. Gandhi et al. [11] mapped major cyber-attacks that have occurred since the mid-1990s across the world by their motivation, and found that such attacks are strongly correlated with political and cultural conflicts. In fact, in hybrid warfare, such as the cyber-attacks on Estonia in 2007 or the Russia-Georgia conflict in 2008, politically motivated attacks may precede or coincide with other violent action.

Figure 3. The distribution of major cyber-attacks by motivation

The use of cyber-attacks for political purposes has clearly been on the rise in recent years. Cyber-attacks are cheap and effective. They are easily scalable from an attack against an individual to an attack against an entire economy. They have a potentially very strong impact. Yet, they are difficult to predict or to trace back to the initiator of the attack [18].

2.2 Assessment of societal and economic impact

The potential societal and economic consequences of the attacks are manifold, and include psychological effects (mass panic, societal drive for policy changes, manipulation of public opinion³), information or privacy losses, financial losses, technological effects, physical system loss, and even risk to or loss of human life, among others.

The literature on the societal and economic impact of attacks against critical infrastructure is still in its infancy. One can calculate with some certainty the direct costs of an attack, such as the cost of repairing the infrastructure and the loss of income associated with the downtime of the infrastructure. Yet, the cost to the business involved and its customers is likely to vary very significantly, depending on the specific attack vector, the size of the business involved, etc.

For example, an attack on a local electricity or water distribution system that supplies a small village would always be limited in its scope and potential losses. However, a potential natural event, technical failure or cyber-attack that involves a nuclear power station may lead to severe socio-economic and environmental consequences, which may include the loss of human lives.⁴

³ The leadership of the new political party “En Marche” denounced several times coordinated attacks against their website during the presidential campaign: cf. Le Monde, “En marche ! dénonce un piratage « massif et coordonné » de la campagne de Macron”, http://www.lemonde.fr/election-presidentielle-2017/article/2017/05/06/l-equipe-d-en-marche-fait-etat-d-une-action-de-piratage-massive-et-coordonnee_5123310_4854003.html

Furthermore, interdependence between critical infrastructures may lead to situations where an operational failure in one critical infrastructure propagates relatively rapidly into other infrastructures. For example, a power fault may lead to a failure of the water and gas supplies, etc., increasing the societal and economic impact of the event.

Earlier studies have found that the economic impact of cybercrime on French, German and UK enterprises varies from 100 thousand euro to as much as 20 million euro per year per affected company, depending on the type of attack [6]. The Ponemon Institute has estimated that the average cost per company per year varied between 2.3 million and 15 million euro in 2015 [21].

Given the above, macroeconomic estimates of the potential economic costs of cyber-attacks remain speculative at best. The first estimates confirm, nonetheless, that we are facing a major issue. According to McAfee & CSIS, the economic impact of cybercrime amounted to 0.41% of EU GDP, i.e. around 55 billion euro, in 2013. Germany was the most affected Member State, where the losses reached 1.6% of GDP [19].

Europol has estimated that the cost of cybercrime is around 265 billion euro per year [11]. The trend is clearly on the rise. Juniper forecasts that the economic cost of data breaches alone will quadruple by 2019, to reach 2 trillion euro worldwide [15].

The following figure, from the same ENISA report, shows the annual financial impact of each type of attack and gives a quick overview of the security weaknesses that a short-term improvement strategy should address: access management and traffic monitoring against malicious insiders, resilience to massive (DoS/DDoS) attacks, securing web applications (through code review) and continuous awareness training of people (employees, users, etc.).

Figure 4: Annual cost of cyber crime according to the type of threats

We conclude from the literature review that the socio-economic consequences of an attack, or of a natural event, are likely to be limited if the affected infrastructure is limited in scope and the affected systems are recovered quickly. Therefore, it is vital for an affected firm to be able to neutralise an attack, restore computer and industrial control systems, and resume operations quickly, so as to insulate itself from potential attacks.

⁴ Think of the technical failure that led to the Chernobyl nuclear disaster in 1986.


3 ATENA improvement in terms of resilience

3.1 Typical cyber-attack vectors

The Internet remains the main cyber-attack vector for industrial computers. Social engineering, such as the use of phishing e-mails, remains the single most important attack vector, and an especially difficult one to address, as software and/or hardware updates do not protect against human error. Likewise, attempts to download malware from the Internet or to access known malicious web resources were detected on 20% of industrial computers in the first half of 2017.

1. While the Stuxnet story showed that a large and organised attacker with almost unlimited resources can carry out an attack on the most secure network by infecting industrial components before their deployment (with the known collateral effects), the easiest ways to penetrate isolated networks are: targeting removable media, such as USB drives, which are used to distribute malware; compromising local intranet resources or network hardware that are accessible from the industrial network; and infecting the computers of contractors of industrial companies, such as technicians and service personnel, that connect to industrial control systems (Figure 5).

Figure 5. Typical cyber-attack vectors [14]

2. Insecure networks and bad network access rules are equally important weaknesses of the CIs. Unpatched vulnerabilities in operating system or application software remain a critical and growing issue as well.


Overall, Kaspersky [14] considers the following types of vulnerabilities particularly critical:

• remote code execution;

• remote damage to hardware or software, or DDoS capability;

• cryptographic attacks on network communication resources or on data transferred via the networks;

• remote access to process configuration and control data for stealing, altering, duplicating, etc.;

• manipulation of access credentials, including those of local and remote users.

What is more, according to US ICS-CERT [14], the number of identified vulnerabilities grows faster than the number of problems eliminated. Often, vendors do not prioritise closing the severest vulnerabilities either, and prefer to fix vulnerabilities as part of the next general update rather than releasing quick fixes that address specific vulnerabilities. As a result, for various reasons, virtually every piece of vendor software has an unfixed vulnerability. Furthermore, it is increasingly speculated that commercially distributed computer security software itself may serve as an attack tool in some cases [13].

Knowledge of the typical attack vectors allows one to block the most likely cyber-attacks, but this is by far not sufficient to make sure that the whole industrial control system is actually secure. It may very well be that new, previously unknown malware will be introduced, or that a completely new attack vector will be devised for taking down a major strategic CI, causing, thereby, severe societal and economic consequences. Therefore, monitoring the network for any unexplained irregularities remains an important aspect of the defence of CIs.

3.2 ATENA Tools in Terms of Resilience Improvement of Essential Service

According to ISO 22316:2017 Security and resilience — Organisational resilience — Principles and attributes, organisational resilience can be defined as the “ability of an organisation to absorb and adapt in a changing environment”. In ISO 27031:2010 Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity, resilience is defined as the “ability of an organisation to resist being affected by disruptions”. These two definitions describe two faces of the same coin, based on the mechanical definition of resilience, i.e. “the ability of a material to absorb energy when it is deformed elastically”. In the case of an Essential Service, this ability could be described as both the capacity to slow down the increase of the risk and the capacity to quickly restore an acceptable level of risk once the risk level has increased. This definition could also be extended to the ability of the infrastructure to minimise the real impact (of a successful exploitation of a vulnerability by an attacker) and to restore the full capacity of the service.

This last definition is closely bound to the societal impact of the project. If ATENA is able to minimise the impact and to help restore the infrastructure and the service, the impact on society (at any level: financial, psychological, etc.) will be lower than without the ATENA system.

3.3 How ATENA would decrease the societal impact of the cyber-threat panorama

The present section is based on the requirements of the ATENA tools as described in the deliverable D3.6 [13]. The real societal impact should be reassessed after the validation process of the tools developed during the project, i.e. at M36.


3.3.1 Increase the resilience to avoid or limit bad impact on society

The description below links the functionalities of the ATENA systems (cf. D3.6) with their capacity to avoid (fully: F, partially/indirectly: P, or not: N) an impact on different societal parameters.

In the table below the societal impact is assessed from 5 points of view:

1. Psychological (PSY), regarding the psychological trauma in case of an incident or the manipulation of a service.

2. Privacy (PRI), regarding the loss of privacy.

3. Safety (SAF), regarding the danger from a physical point of view in case of an incident.

4. Economic (ECO), regarding the loss of GDP.

5. Financial (FIN), regarding the potential loss for the operator.

Societal Impact Parameter
Tool | PSY | PRI | SAF | ECO | FIN | Explanation (5)

ATN_VMS_FUN_01: The Vulnerability Management System shall provide a regular and automated assessment of the vulnerability state of all infrastructure assets.
  Tool: VMS | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: By regularly controlling and managing the vulnerability state of its components, the essential service operator is able to avoid exploits on its infrastructure which could lead to service malfunction.

ATN_VMS_FUN_03: The Vulnerability Management System shall include a vulnerability monitoring module linked to the Secure Mediation Gateway to analyse the criticality of new vulnerability information retrieved from CSIRT alert flows, neighbouring information and security incidents (coming from the detection layer).
  Tool: VMS | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: This functionality increases the awareness of the essential service operator regarding potential vulnerabilities or exploits already performed in similar environments. It should allow the operator to avoid such threats or to put security measures in place before a threat occurs.

ATN_VMS_FUN_07: The Vulnerability Management System shall provide information to other CIs and CSIRTs about discovered vulnerabilities in a standardised format.
  Tool: VMS | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: This functionality is very useful to increase the awareness of a country regarding cyber-threats. The capability to rate potential vulnerabilities and to share the information should increase the resilience of society as a whole.

ATN_VMS_FUN_13: The Vulnerability Management System shall manage the different probes.
  Tool: VMS | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: The capability to register new probes is essential to retrieve more information on vulnerabilities and, consequently, to enlarge the vulnerability database and improve the efficiency of the awareness.

ATN_AMNG_FUN_01: The Assets Management Module shall contain an internal repository to store the critical infrastructure’s assets information.
  Tool: AMNG | PSY: F | PRI: F | SAF: F | ECO: P | FIN: P
  Explanation: Information management for a CI is vital to avoid an unconscious minimisation of the risk, especially in terms of collateral impact on society (PSY or PRI).

ATN_AMNG_FUN_04: The Assets Management Module shall be able to provide updates of the monitored infrastructure. Each update will contain only the assets information that has actually been updated.
  Tool: AMNG | PSY: F | PRI: F | SAF: F | ECO: P | FIN: P
  Explanation: The asset management process is essential to monitor the assets efficiently, and especially to be able to monitor the security configuration in appropriate ways.

(5) How ATENA functionality limits or avoids negative societal impact.


ATN_AMNG_FUN_06: The Assets Management Module shall implement a system for the secure exchange and storage of the CI assets information.
  Tool: AMNG | PSY: N | PRI: F | SAF: P | ECO: P | FIN: P
  Explanation: In the current cyber-threat environment, information exchange is a real asset in the fight against multiform attack vectors. However, this almost mandatory information exchange shall be performed so as to avoid any flaw in the security and an unintended increase of the societal impact.

ATN_CM_FUN_01: The composer shall be able to measure the security level of each state of any system element.
  Tool: CM | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: This functionality shall ensure that the security policy and the configuration policy are applied and are in line both with the vulnerability state of the component and with the threat level. In that sense, the composer is a key element to increase both the security level of society and its security awareness.

ATN_CM_FUN_05: Among all the possible (system/element) states, the composer shall be able to indicate which one should be implemented by the operators to achieve a defined security level.
  Tool: CM | PSY: P | PRI: P | SAF: F | ECO: P | FIN: P
  Explanation: The security state of components is essential for CI stakeholders to be able to operate the infrastructure in a way that is secure for themselves and for their end users or subcontractors.

ATN_DL_FUN_01: The Cyber Detection Layer shall include different types of detection agents and be capable of handling different types of events (structured and unstructured data).
  Tool: DL | PSY: N | PRI: P | SAF: F | ECO: F | FIN: F
  Explanation: Increasing the range of detection will directly increase the security of the overall infrastructure and, consequently, of the society using it.

ATN_DL_FUN_03: The Cyber Detection Layer should not interfere with system availability.
  Tool: DL | PSY: P | PRI: N | SAF: P | ECO: F | FIN: F
  Explanation: As availability is the main parameter for a CI, all monitoring operations shall impact the availability, i.e. the service to society, as little as possible.

ATN_DL_FUN_08: The Cyber Detection Layer shall provide near/soft real-time monitoring of the system devices to be able to detect potential cyber threats/attacks.
  Tool: DL | PSY: P | PRI: P | SAF: F | ECO: P | FIN: P
  Explanation: Safety issues are generally linked to quick cascading effects, which require a real-time detection capability.

ATN_DL_FUN_10: The Cyber Detection Layer should not interfere with normal operations of ICS/SCADA systems.
  Tool: DL
  Explanation: Idem as ATN_DL_FUN_03.

ATN_DL_NFUN_01: The architecture of the Cyber Detection Layer shall follow a modular approach, allowing easy addition of new probes/data sources and new data processing technologies, to adapt to future evolution trends and to the specific requirements of each deployment scenario.
  Tool: DL | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: Idem ATN_VMS_FUN_13.

ATN_DL_NFUN_02: The Cyber Detection Layer should be a scalable solution.
  Tool: DL | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: This functionality is an important one from a societal point of view: as society is a moving environment, the detection layer should consider scalability as a main point in order to ensure security monitoring in a proper way and for all.

ATN_SMN_FUN_05: The Secure Mediation Gateway shall operate in a distributed context.
  Tool: SMN | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: This functionality is basically linked with the structure of the citizen area and with the mandatory requirement applicable to Essential Services (for everybody/everywhere).

ATN_SMN_FUN_10: The Secure Mediation Gateway shall supply audit logs to save the information concerning the source of the data received.
  Tool: SMN | PSY: P | PRI: F | SAF: P | ECO: P | FIN: P
  Explanation: As some information could contain PII (Personally Identifiable Information), the logging capability of the system during information exchange helps to avoid any data leakage.

ATN_SMN_NFUN_03: The Secure Mediation Network should be organised in autonomous and isolated modules that should be easily deployable by means of an independent mechanism, so as to ensure scaling up and limit the impacts on the system.
  Tool: SMN | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: Idem ATN_VMS_FUN_13.

ATN_RANT_FUN_09: The RANT shall include a dedicated process to compute the current risk level of the user’s infrastructure at different layer levels (component, sub-service or node).
  Tool: RANT | PSY: F | PRI: P | SAF: F | ECO: F | FIN: F
  Explanation: The assessment of the current risk at different layers is an essential functionality of ATENA to support those responsible in the management of the current situation and to avoid incidents which could impact society: being able to put the infrastructure in a secure state is required.

ATN_RP_FUN_07: The Risk Predictor shall exploit models of CIs under faults to understand the cascading effects of faults on interdependent CIs.
  Tool: RP | PSY: F | PRI: P | SAF: F | ECO: F | FIN: F
  Explanation: The current risk evaluation is not sufficient to ensure societal security: the operators should be able to predict and handle potential threats on their infrastructure.

ATN_RP_FUN_09: The Risk Predictor shall also employ, in near real-time, models which are able to predict the Quality of Service delivered by IACS systems under faults or cyber attacks.
  Tool: RP | PSY: F | PRI: N | SAF: F | ECO: F | FIN: F
  Explanation: Idem, with a QoS-oriented perspective. Cf. ATN_DL_FUN_03.

ATN_MM_FUN_05: The Mitigation Module shall provide several possible counteractions to the operators.
  Tool: MN | PSY: P | PRI: P | SAF: F | ECO: P | FIN: P
  Explanation: This functionality is important to take the societal complexity into account.

ATN_MM_FUN_13: The Mitigation Module shall take into account not only the risk associated with the decision, but also other criteria such as the cost of the decision.
  Tool: MN | PSY: F | PRI: F | SAF: F | ECO: F | FIN: F
  Explanation: This functionality is directly in line with societal concerns: the best mitigation solution should consider the overall range of impacts.

As the previous table shows, the functional requirements of the ATENA modules have been established to ensure the highest level of security, but also to minimise the societal impact, not only from a financial point of view but also by considering the personal sphere of citizens (minimisation of the psychological impact due to the failure of an essential service, and respect of privacy).

3.3.2 A simplistic simulation of the societal benefit of ATENA deployment

As the previous chapter shows, the societal impact of cyber-attacks is often evaluated as a financial loss ranging from several thousand euros to billions of euros: it encompasses the operational loss and the image loss of the operator, but also the economic loss of the country (expressed in % of GDP). It could also include the loss due to legal pursuit for privacy breaches (according to the GDPR, 5 % of the annual turnover or 20 Mio € in the worst case).

If the societal impact of cyber-crime in the area of essential services can be described as a cost for people or for the country, the easy way to assess the societal benefit of deploying the ATENA solution is undoubtedly the financial gain of the solution for the operator and, in general, for society. It could also be the easy way to convince potential end users to deploy the solution.

The tables and graphs in this section are a simplistic simulation of the ATENA benefit. They should be reviewed and improved to become a sustainable business roadmap; in the present document they are considered as a first insight in this direction. The present simulation is based on several assumptions, both to estimate the potential loss in case of cyber-attacks on the targeted infrastructure, the efficiency of the solution regarding the attacks, and also the cost to deploy and maintain the solution (not only the hardware and software implementation cost, but also the human resource costs).

1. The first table (cf. Table 1) describes the general parameters of the essential service according to its European establishment:

a. Where is the essential service deployed in Europe (in a large, medium, small or very small country, according to the GDP of the country)?

b. What is the economic weight of the essential service in terms of turnover (in Mio €)?

c. What is the probable efficiency of the tools regarding their capability to reduce the annual loss?

d. What is the average rate of one Man Year, in k€/year?

Table 1: Tables of simulation parameters

2. Table 2 is a rough approximation of the set-up costs and maintenance costs of the overall solution, considered as the set of tools developed by the ATENA partners. For 500 (equipped) nodes, it includes:

a. The cost of the software and hardware to be deployed (with a 5-year amortising duration) and maintained.

b. The cost of the internal/external resources needed for the set-up process and the maintenance.

Parameters
  Type of country                    Medium
  GDP (Billion €)                    350
  Annual Turnover (Mio €)            1000
  Value of Man Year Rate (k€)        80
  Efficiency rate of ATENA tools     10%

Type of Country            Large   Medium   Small   Very Small
Average GDP (Billion $)    2479    420      203     45


Table 2: Set-up and maintenance cost of the solution

3. Table 3 is the computation table of the benefit of the ATENA system for the targeted infrastructure. The computation is also based on different assumptions:

a. We have estimated that, to be efficient, the solution should equip 2500 nodes, with a deployment plan of 500 nodes/year. The set-up cost is considered the same each year, even if in a real environment the set-up cost would be higher in the first years.

b. Without the ATENA tools, the annual loss due to incidents (especially cyber-crime) has been assessed as follows:

i. The financial loss (for the operator) is estimated at 5% of the turnover.

ii. The loss due to privacy issues has been estimated according to the GDPR penalty rules (maximum 20 Mio €), but with a more limited rate (0.5% instead of the 5% of the GDPR).

iii. The loss for the economy of the country (collateral impact on society) has been estimated at 0.01% of the GDP.

c. The loss avoidance capability due to the implementation of the ATENA tools is estimated as follows:

i. For the financial impact: proportional to the rate of implementation and to the rate of efficiency (here 10%).

ii. For the privacy impact: no benefit as long as the rate of implementation is less than 50%, and thereafter proportional to the rate of implementation.

iii. For the economic impact: the same rules as for the financial impact.

According to these assumptions, it is possible to assess the total financial loss avoided by the solution and, with respect to the cost of the implementation (set-up and maintenance), the return on investment for the operator and also the increase of wealth for society (i.e. the inferred % of GDP increase allowed by the implementation of the tools).
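The model of steps 1 to 3 above, re-implemented as an added example (it is not the consortium's Excel simulator): the Table 1 values are the defaults, while the per-500-node cost figures and the decision to apply the efficiency rate only to the financial and economic lines are our own assumptions, labelled as such in the code.

```python
"""Re-implementation of the simplistic societal-benefit model of section 3.3.2.
Added example, not the consortium's Excel simulator. Table 1 values are the
defaults; per-500-node costs are CONSTRUCTED placeholders (replace with Table 2)."""
from dataclasses import dataclass
from math import ceil


@dataclass
class Params:
    gdp_bn_eur: float = 350.0          # Table 1: medium country, GDP in Billion EUR
    turnover_mio_eur: float = 1000.0   # Table 1: annual turnover of the operator
    man_year_keur: float = 80.0        # Table 1: rate of one man-year in kEUR
    efficiency: float = 0.10           # Table 1: efficiency rate of ATENA tools
    target_nodes: int = 2500           # step 3.a: nodes to equip
    nodes_per_year: int = 500          # step 3.a: deployment plan
    # Cost of one 500-node step: CONSTRUCTED placeholders, not the Table 2 figures
    hwsw_setup_keur: float = 825.0     # HW/SW set-up, amortised over amort_years
    amort_years: int = 5
    setup_man_years: float = 8.0       # internal + external HR for the set-up
    maint_hwsw_keur_year: float = 165.0
    maint_man_years_year: float = 2.0


def annual_loss_without_atena(p):
    """Step 3.b: yearly loss in Mio EUR without the tools (financial, privacy, economic)."""
    financial = 0.05 * p.turnover_mio_eur             # 3.b.i   5 % of turnover
    privacy = min(0.005 * p.turnover_mio_eur, 20.0)   # 3.b.ii  0.5 %, GDPR cap 20 Mio
    economic = 0.0001 * p.gdp_bn_eur * 1000.0         # 3.b.iii 0.01 % of GDP
    return financial, privacy, economic


def avoided_loss(p, rate):
    """Step 3.c: loss avoided (Mio EUR) at implementation rate `rate` (0..1)."""
    financial, privacy, economic = annual_loss_without_atena(p)
    fin = rate * p.efficiency * financial             # 3.c.i
    # 3.c.ii: nothing below 50 % coverage, then proportional to coverage only;
    # not applying the efficiency rate here is our literal reading of the text
    pri = rate * privacy if rate >= 0.5 else 0.0
    eco = rate * p.efficiency * economic              # 3.c.iii, same rule as 3.c.i
    return fin, pri, eco


def annual_cost(p, year, steps):
    """Cost (Mio EUR) in `year` with `steps` 500-node steps deployed so far.
    Assumption: a step is maintained from the year in which it is deployed."""
    new_step_hr = p.setup_man_years * p.man_year_keur if year <= steps else 0.0
    amortised = sum(p.hwsw_setup_keur / p.amort_years
                    for k in range(1, steps + 1) if year - k < p.amort_years)
    maint = steps * (p.maint_hwsw_keur_year + p.maint_man_years_year * p.man_year_keur)
    return (new_step_hr + amortised + maint) / 1000.0  # kEUR -> Mio EUR


def simulate(p=None, years=5):
    """Year-by-year operator ROI and inferred GDP gain (%) for society."""
    p = p or Params()
    total_steps = ceil(p.target_nodes / p.nodes_per_year)
    rows = []
    for year in range(1, years + 1):
        steps = min(year, total_steps)
        rate = min(1.0, steps * p.nodes_per_year / p.target_nodes)
        fin, pri, eco = avoided_loss(p, rate)
        cost = annual_cost(p, year, steps)
        rows.append({"year": year, "rate": rate, "avoided_operator": fin + pri,
                     "cost": cost, "roi": (fin + pri - cost) / cost,
                     "gdp_gain_pct": 100.0 * eco / (p.gdp_bn_eur * 1000.0)})
    return rows
```

With the placeholder costs the operator's ROI is negative in the first year and turns positive once the privacy line starts contributing at 50 % coverage; swapping in the Table 2 figures changes the break-even year but not the mechanics.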

Resources to implement and maintain tools / 500 nodes (including production cost)

Columns: Applicability | Implementation (set-up): HW/SW (k€), HW/SW amortizing duration (year), HW/SW (/year), HR Man Year (interne/externe) | Maintenance (/year): HW/SW in k€, HR Man Year (interne/externe)

RAO model (MULTITEL)               1   75   5   15   4   4   5   5   2   2
ENEA model (ENEA)                  1   75   5   15   4   4   5   5   2   2
CISIA Pro model (ROMA3)            1   75   5   15   4   4   5   5   2   2
ADAPTOR (LEONARDO)                 1   75   5   15   4   4   5   5   2   2
SMGW (LEONARDO)                    1   75   5   15   4   4   5   5   2   2
ASSET MGT SYST (LEONARDO)          1   75   5   15   4   4   5   5   2   2
VMS (including plug-in) (ITRUST)   1   75   5   15   4   4   5   5   2   2
RANT (ITRUST)                      1   75   5   15   4   4   5   5   2   2
COMPOSER (CRAT)                    1   75   5   15   4   4   5   5   2   2
DSS (ROMA3)                        1   75   5   15   4   4   5   5   2   2
MITIGATION (ROMA3)                 1   75   5   15   4   4   5   5   2   2
ATENA resources for 500 Nodes          825        165   44  44   165  165  22  22


Table 3: Simulation Computation Table

The two following figures depict an illustration of the simulation (the Excel document used for the simulation is enclosed in the present document (cf. icon)):

Simulator: Microsoft Excel Worksheet (embedded object)

Figure 6: Simulation of the Societal Benefit of ATENA


4 References

[1] D2.1 State of Art, 30.11.2016

[2] D3.1 ATENA System Requirements and Specifications, 30.11.2016.

[3] D3.6: ATENA System Requirements and Specifications. 31.10.2017.

[4] D5.1 Reference Architecture of Decision Support System, 30.11.2016.

[5] ATENA Consortium, “Advanced Tools to assEss and mitigate the criticality of ICT compoNents and their dependencies over Critical InfrAstructures (ATENA) – Grant Agreement no. 700581,” Horiz. 2020 Call H2020-DS-2015-1 Top. DS-03-2015 Type action IA, 2016.

[6] Beijing Knownsec Information Technology Co. Ltd., Malicious Code Analysis on Ukraine's Power Grid Incident V4, Knownsec Security Team.

[7] Business Insider, Russia hacked UK energy companies on election day, http://uk.businessinsider.com/russia-hacked-uk-energy-companies-election-day-2017-7

[8] ESET, CrashOverride/Industroyer: Biggest malware threat to critical infrastructure since Stuxnet, 12 June 2017.

[9] European Political Strategy Centre, Building an Effective European Cyber Shield, EPSC Strategic Notes 24, May 2017

[10] European Union Agency for Network and Information Security (ENISA), ‘The cost of incidents affecting CIIs’, August 2016.

[11] Europol, European Cybercrime Centre, https://www.europol.europa.eu/crime-areas-and-trends/crime-areas/cybercrime

[12] Gandhi, Robin et al, Dimensions of Cyber-Attacks: Social, Political, Economic, and Cultural, IEEE Technology and Society Magazine, Spring, 2011.

[13] The Guardian, NSA contractor leaked US hacking tools by mistake, Kaspersky says, 26 October 2017, https://www.theguardian.com/technology/2017/oct/26/kaspersky-russia-nsa-contractor-leaked-us-hacking-tools-by-mistake-pirating-microsoft-office

[14] ICS-CERT Monitor, November/December 2016, https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Nov-Dec2016_S508C.pdf

[15] Juniper Research, Press Release: ‘Cybercrime will cost businesses over $2 trillion by 2019’, 12 May 2015.

[16] Kaspersky, Threat Landscape for Industrial Automation systems in H2 2016.

[17] Kaspersky, Threat Landscape for Industrial Automation systems in H1 2017, https://ics-cert.kaspersky.com/reports/2017/09/28/threat-landscape-for-industrial-automation-systems-in-h1-2017/

[18] Lipton, E., Sanger, D. E., Shane, S., ‘The Perfect Weapon: How Russian Cyberpower Invaded the U.S.’, The New York Times, 13 December 2016.

[19] McAfee & Center for Strategic and International Studies, ‘Net Losses: Estimating the Global Cost of Cybercrime’, 2014, p 9.

[20] New York Times, Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say, 6 July 2017, https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html.

[21] Ponemon Institute, Global Report on the Cost of Cyber Crime, 2015

[22] Reuters, Ukraine's power outage was a cyber attack: Ukrenergo, 18 January 2017.

[23] Reuters, SWIFT confirms new cyber thefts, hacking tactics, 12 December 2016.

[24] SWIFT, Customer communication: Customer security issues, 13 May 2016


[25] Telegraph, NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history, 20 May 2017.

[26] Thompson, Mark; Iranian Cyber Attack on New York Dam Shows Future of War, Time, 24 March 2016, http://time.com/4270728/iran-cyber-attack-dam-fbi/.

[27] World Energy Council, World Energy Issues Monitor 2016, https://www.worldenergy.org/wp-content/uploads/2016/03/2016-World-Energy-Issues-Monitor-Full-report.pdf