Transcript of: BUSINESS CONTINUITY · BCM-DR-CM areas · Business continuity management (BCM), ...
Lecture contents and introduction
BCM-DR-CM (UKP-OK-UKS) areas
Business risk barometer
How cyber risk affects business
What happens when infrastructure fails?
Major cyber attacks... Stuxnet (Iran)
Mirai
Industroyer & NotPetya (Ukraine)
What can help (in case of...)
IPDRR framework
Critical sectors
Regulation
The situation in Croatia... Key bodies by sector
Possible scenarios (discussion and comments)
Trends and conclusions
About me
The goals of the presentation are... Raising awareness of cyber risks,
Considering the possible consequences of cyber attacks (on infrastructure),
including (in)direct damage to business and to quality of life.
BCM-DR-CM areas
Business continuity management (BCM), crisis management (CM) and disaster recovery (DR) are interrelated, mutually supporting
processes whose goal is to ensure that an entity/company/state can continue operating (delivering its essential services to clients within the agreed
MTO-RTO-RPO-SDO parameters: maximum tolerable outage, recovery time objective, recovery point objective and service delivery objective) after an incident*,
while minimising casualties and damage and at the same time protecting the interests of its citizens,
key economic entities and stakeholders, its reputation, brand and value-creating activities.
BCM focuses on resilience and on enabling the recovery of business operations,
CM focuses on decision-making and communication (during a crisis), and
DR focuses on technology and utilities (preparing the preconditions for resuming operations).
Related processes are risk management, incident management, physical and information security...
*An INCIDENT can escalate into a
PROBLEM, a CRISIS or a DISASTER
How cyber risk affects business
Whether they are the consequence of a cyber attack or (more often) of outages or failures of ICT systems, cyber incidents are the main cause of business interruption in modern networked companies, whose primary assets are often data, services (platforms), or their communities of users/customers or suppliers.
TYPES OF ECONOMIC LOSS CAUSED BY CYBER INCIDENTS
revenue, reputation, complaints, recovery, fines
Major cyber attacks - Stuxnet
DATE
Stuxnet was discovered in 2010 (its earliest known variants date from 2009) and shook the entire energy industry. It remains one of the most complex and sophisticated pieces of malware ever analysed.
ENVIRONMENT
The attack was built to sabotage the centrifuges of the uranium enrichment plant at Natanz, Iran. The worm entered the operational network via an infected, unchecked USB key. It is the first targeted attack known to have required this amount of upstream preparation.
METHOD
First, the attackers reconnoitred several Iranian nuclear facilities and carried out extensive research and development work.
Second, to reach its target Stuxnet exploited no fewer than four zero-day vulnerabilities (all since fixed by Microsoft) in different versions of Windows, as well as the well-known MS08-067 vulnerability (remote code execution via an RPC request), which had already been patched in 2008.
Stuxnet was able to attack Siemens WinCC / PCS 7 SCADA systems (automation control and supervision software, in this case regulating the rotation speed of the centrifuges). It executed code with administrator rights and installed two concealment components (rootkits): one for Windows and one for the PLC code itself.
Roughly once a month Stuxnet recorded 21 seconds of the control system's sensor values. Then, while the attack ran, it replayed those 21 seconds in a loop, so that everything looked normal to the control-room operators while Stuxnet did its malicious work. The worm took control of the machines: it manipulated valves to raise the pressure of the injected gas and, through the frequency converters that regulate centrifuge speed, drove the centrifuges outside their safe operating range.
Unusually for malware, the attack required knowledge of industrial processes, Windows vulnerabilities and programming languages (C and C++).
MOTIVATION
Several investigations have reported that Stuxnet was commissioned by the US and supported by Israel, reportedly with inside help, as a state-sponsored operation.
CONSEQUENCES
Stuxnet was the first attack known to have disrupted the functioning of an infrastructure and physically damaged industrial facilities. Several hundred centrifuges are estimated to have been destroyed or disabled, and the plant fell behind in its nuclear programme. The worm also infected some 45,000 computer systems, including 30,000 in Iran (among them PCs belonging to employees of the Bushehr nuclear power plant). The other 15,000 were computers and plants in Germany, France, India and Indonesia, all using Siemens technologies.
RECOMMENDATION
No axis of defence can be neglected on such critical industrial systems. Set up a cyber-attack detection system that monitors network exchanges all the way down to the process: compare the values exchanged between the PLCs and the supervision layer, so that both process drift and a compromised supervision tool can be detected. In addition, segment the networks, encrypt and integrity-protect exchanges on the industrial process, and patch all industrial IS equipment and software. Apply cybersecurity good practices and requirements by design, in particular when choosing software and equipment, so that as few vulnerabilities as possible remain.
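The comparison recommended above can be automated. The following Python sketch is an added example, not code from the original slides or from any vendor product: it takes two time-aligned views of one process variable, the value shown by the supervision layer (HMI) and the value seen by a passive tap on the PLC side, flags samples where the two diverge, and separately flags a supervision stream that has turned into an exact repeating loop (real analog readings carry noise, so exact periodic repetition is itself suspicious, which is what a replayed 21-second recording looks like). The sample streams, the 1064 Hz nominal rotor speed, the noise band and the tolerance are all constructed for illustration.

```python
"""Detection sketch for a supervision (HMI/SCADA) stream.

Added example for this page, not code from the original slides or from any
vendor. Two independent views of one process variable are assumed:
  - `supervision`: the value shown to operators by the HMI
  - `field`: the value actually observed on the PLC side by a passive tap
Both streams are sampled once per second and time-aligned. All numbers below
(nominal rotor speed, noise, tolerance) are constructed for illustration.
"""
import random
from typing import List, Optional, Sequence, Tuple


def find_replay_period(samples: Sequence[float], min_period: int = 2,
                       min_cycles: int = 3) -> Optional[int]:
    """Return the shortest period p (in samples) such that the tail of `samples`
    is at least `min_cycles` exact repetitions of one p-sample window, else None.

    Real analog readings carry noise, so an exactly repeating loop is itself the
    anomaly: Stuxnet replayed a 21-second recording to the control room.
    """
    n = len(samples)
    for p in range(min_period, n // min_cycles + 1):
        span = p * min_cycles
        window = samples[n - p:]          # the most recent p samples
        tail = samples[n - span:]         # the stretch that should repeat them
        if all(tail[i] == window[i % p] for i in range(span)):
            return p
    return None


def drift_alerts(supervision: Sequence[float], field: Sequence[float],
                 tolerance: float) -> List[Tuple[int, float, float]]:
    """Return (index, shown_value, field_value) for every sample where what the
    operator sees differs from what is on the wire by more than `tolerance`."""
    if len(supervision) != len(field):
        raise ValueError("streams must be time-aligned and of equal length")
    return [(i, s, f) for i, (s, f) in enumerate(zip(supervision, field))
            if abs(s - f) > tolerance]


def build_sample_streams(seed: int = 7) -> Tuple[List[float], List[float]]:
    """Constructed data: 21 s of honest operation, then 63 s in which the field
    speed ramps away from nominal while the HMI replays a 21-s recording."""
    rng = random.Random(seed)
    nominal = 1064.0                      # illustrative rotor speed, Hz

    def noise() -> float:
        return rng.uniform(-0.5, 0.5)

    honest = [round(nominal + noise(), 3) for _ in range(21)]
    recording = [round(nominal + noise(), 3) for _ in range(21)]  # captured earlier
    ramp = [round(nominal + 20.0 * k + noise(), 3) for k in range(1, 64)]
    field = honest + ramp
    supervision = honest + recording * 3  # HMI shows the recording in a loop
    return supervision, field


if __name__ == "__main__":
    sup, fld = build_sample_streams()
    print("replay period on HMI stream:", find_replay_period(sup))
    print("replay period on field stream:", find_replay_period(fld))
    alerts = drift_alerts(sup, fld, tolerance=2.0)
    print(f"{len(alerts)} drift alerts, first at t={alerts[0][0]}s: "
          f"HMI shows {alerts[0][1]}, field is {alerts[0][2]}")
```

The drift check only works if the field view comes from a source the supervision host cannot influence (a network tap or a second, independently managed historian); if both values are read through the same compromised PC, the two streams agree and only the replay check remains. Exact-equality matching is deliberate here: against quantised or very stable signals it would need a tolerance and a minimum variance threshold instead.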
Major cyber attacks - Mirai
The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, sensors, wearables and other objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over the Internet without requiring human-to-human or human-to-computer interaction.
...the work of Minecraft entrepreneurs; the campaign peaked in September 2016 and comprised 15,194 DDoS attacks;
targets included ISPs, Amazon, PayPal... defended with more advanced anti-DDoS services and mirrored DNS infrastructure
Major cyber attacks - Industroyer
DATE
Industroyer targeted Ukraine in December 2016 and is considered the biggest threat to industrial control systems since Stuxnet. It was the first malware designed specifically to attack power grids.
ENVIRONMENT
A year earlier, in December 2015, a blackout had already been caused in the west of the country (BlackEnergy and KillDisk malware); the 2016 attack was smaller in scale but still serious. Just before midnight the Pivnichna high-voltage substation north of Kiev (Ukraine's capital) went down completely after a computer attack. To restore electricity, technicians had to switch to manual mode and intervene at the substation itself.
METHOD
Industroyer (aka CrashOverride) used two backdoors, a denial-of-service tool aimed at Siemens SIPROTEC protection relays, a data wiper and four payload modules implementing the industrial protocols IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA, which let it talk directly to the grid equipment (it abused the protocols as designed rather than exploiting flaws in them). Its main component, a backdoor, allowed the attackers to control power grid systems through highly modular software capable of attacking any European power network that uses these protocols.
Using these protocols, the malware was able to get onto the network operators' PCs, scan the network, identify the targeted devices and take remote control of them. The attackers were able to open the substation's circuit breakers and cause a blackout. The attack through the communication protocols was the primary objective; the additional wiper module was there to erase traces and hamper recovery.
MOTIVATION
The attackers had excellent knowledge of the targeted power grid, suggesting that they were either extremely organised or state-backed. The goal was above all to sabotage and disrupt the electrical networks.
CONSEQUENCES
The malware paralysed the substation and disrupted power network operation for almost an hour (it was the earlier December 2015 attack that affected about 230,000 Ukrainians for up to six hours). Industroyer is a threat that has to be taken very seriously: it was designed to suit any type of plant and, thanks to its modularity and its ability to monitor network operations easily, could be reused in Europe, Asia and the Middle East.
RECOMMENDATION
Many aspects of this complex attack must be considered, including network segmentation, encryption of industrial-process exchanges and cyber training for employees. Crisis management is also essential, especially the transfer of activity, the isolation of part of the network and the restoration of saved data. The risk analysis has to evaluate the obvious vulnerabilities of the IS and drive work on its security. Finally, a cyber-attack detection system capable of analysing the protocols specific to the energy sector should ensure efficient detection on these critical systems.
Major cyber attacks - NotPetya
DATE
NotPetya targeted Ukraine in June 2017. It is often described as the most damaging cyberattack in history.
ENVIRONMENT
After the cyberattacks on Ukraine's power grid in 2015 and 2016, the attack of June 2017 swamped Ukrainian banks, government agencies, airports, media and utility/electricity companies. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia.
METHOD
The attackers combined code tested in the power grid attacks with the Petya malware; the initial infection arrived through a poisoned software update of the M.E.Doc accounting package, which is widely used in Ukraine. The 2017 NotPetya uses EternalBlue, an exploit that takes advantage of a vulnerability in Windows' Server Message Block (SMB) protocol. EternalBlue is generally believed to have been developed by the NSA. The malware harvests passwords and uses other techniques to spread to other computers on the same network, and uses those passwords together with PsExec (and WMIC) to run code on other local computers. Additionally, although it still purports to be ransomware, the encryption routine was modified so that the malware could not technically revert its changes. This characteristic, along with other unusual signs (the low unlock fee of US$300 and a single, fixed Bitcoin wallet to collect ransom payments), prompted speculation that the attack was not intended to be a profit-generating venture but to damage devices quickly and ride on the media attention.
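The spreading technique just described leaves traces a defender can look for in host logs. The following Python sketch is an added example, not code from the original slides or from any product: it runs two rules over constructed log lines, (A) a service installation whose name or binary is PSEXESVC, which PsExec creates on every remote host it runs code on, and (B) one account performing network logons to many distinct hosts within a minute, the footprint of harvested credentials being replayed by a worm. The key=value log format and the field names are simplified assumptions; the event IDs themselves (4624 successful logon with logon type 3 = network, 7045 service installed) are the real Windows ones.

```python
"""Detection sketch for the lateral-movement pattern described above: harvested
credentials reused for network logons across many hosts, then remote service
installation (PsExec-style) on the targets.

Added example for this page, not code from the original slides or from any
product. The log lines are constructed in a simplified key=value format, not a
real Windows event export; the field names are assumptions. The event IDs are
real: 4624 is a successful logon (logon_type 3 = network) and 7045 is
"a service was installed in the system", which PsExec triggers because it
installs its PSEXESVC service on the remote host.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one service account fans out to five hosts in three
# seconds, PsExec lands on one of them; an interactive logon and a benign
# service install are included so the rules can be seen ignoring them.
CONSTRUCTED_LOGS = r"""
2017-06-27T10:30:01 host=ws-01 event=4624 logon_type=3 account=CORP\svc_backup src=10.0.0.5
2017-06-27T10:30:02 host=ws-02 event=4624 logon_type=3 account=CORP\svc_backup src=10.0.0.5
2017-06-27T10:30:02 host=ws-03 event=4624 logon_type=3 account=CORP\svc_backup src=10.0.0.5
2017-06-27T10:30:03 host=fs-01 event=4624 logon_type=3 account=CORP\svc_backup src=10.0.0.5
2017-06-27T10:30:03 host=dc-01 event=4624 logon_type=3 account=CORP\svc_backup src=10.0.0.5
2017-06-27T10:30:04 host=ws-02 event=7045 service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe account=LocalSystem
2017-06-27T11:45:00 host=ws-04 event=4624 logon_type=2 account=CORP\alice src=-
2017-06-27T11:46:10 host=ws-04 event=7045 service=Spooler image=C:\Windows\System32\spoolsv.exe account=LocalSystem
"""

Record = Dict[str, str]


def parse_logs(text: str) -> List[Record]:
    """Parse the constructed key=value lines; the first token is the timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        rec: Record = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def psexec_service_installs(records: List[Record]) -> List[Record]:
    """Rule A: service installations (7045) whose name or binary is PSEXESVC."""
    hits = []
    for r in records:
        if r.get("event") != "7045":
            continue
        name, image = r.get("service", "").upper(), r.get("image", "").upper()
        if name == "PSEXESVC" or "PSEXESVC" in image:
            hits.append(r)
    return hits


def credential_fanout(records: List[Record], min_hosts: int = 4,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Rule B: accounts whose network logons (4624, type 3) reach at least
    `min_hosts` distinct hosts within `window`. One account touching many
    machines in seconds is the signature of automated credential reuse."""
    by_account = defaultdict(list)
    for r in records:
        if r.get("event") == "4624" and r.get("logon_type") == "3":
            by_account[r["account"]].append((datetime.fromisoformat(r["ts"]), r["host"]))
    alerts: Dict[str, List[str]] = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):       # slide the window forward
            hosts = {host for t, host in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    recs = parse_logs(CONSTRUCTED_LOGS)
    for hit in psexec_service_installs(recs):
        print(f"[A] PsExec service installed on {hit['host']} at {hit['ts']}")
    for account, hosts in credential_fanout(recs).items():
        print(f"[B] {account} logged on to {len(hosts)} hosts within 60 s: {', '.join(hosts)}")
```

Rule A misses a PsExec run with a renamed service (the -r option), and neither rule sees the SMB exploit path at all; they complement SMB patch status and network-level monitoring rather than replace them. Rule B's threshold has to be tuned per environment, since legitimate backup or scanning accounts also fan out, and those should be allow-listed by source host rather than by account name.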
MOTIVATION
It was as close to cyberwar as it gets; the US and UK governments have since attributed the attack to the Russian military.
CONSEQUENCES
The NotPetya attack is estimated to have cost $10 billion to clean up. It was the most damaging attack in history, of a scale and cost that far exceeded the damage caused by any fired missile. Beside the impact on Ukraine's critical infrastructure (power grid, airports...), it spread worldwide and crippled multinationals such as Maersk, FedEx, DHL, Mondelez and Merck...
RECOMMENDATION
Prepare a cyber-defence strategy, and start with staff cyber training. Crisis management should cover the relocation of activity, isolation of part of the network and restoration of data and operations. The risk analysis has to assess the vulnerabilities of the IS supporting critical infrastructure. Redundant NOCs can improve resilience. Cyber-attack detection systems should be kept up to date.
What can help (in case of...)
Implemented security measures (preventive, reactive... especially for ICT)
Implemented redundancy
(copies of data and additional links, diverse routes and media, multiple service providers...)
Ready disaster-recovery and business-continuity solutions (DR/BCM)
(DR servers, backups of applications/links/data, alternate sites from which to continue working)
BC/DR plans & operational procedures and instructions for recovery/resumption of work
(which clearly define WHO does WHAT, WHEN, WITH WHOM/WHAT and WHY...)
Predefined communication, escalation and coordination (workflow)
Training (at least for key people/teams) and tests
A risk register (kept up to date, with tracking of the measures prescribed by the action plan)
IPDRR framework (the five core functions of the NIST Cybersecurity Framework)
IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
Regulation
EU
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive)
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148
…
Croatia
Zakon o informacijskoj sigurnosti (Information Security Act)
Uredba o mjerama informacijske sigurnosti (Regulation on Information Security Measures)
Zakon o kritičnim infrastrukturama (Critical Infrastructures Act, 2013)
Nacionalna strategija kibernetičke sigurnosti (National Cyber Security Strategy) and the Action Plan for its implementation
Zakon o kibernetičkoj sigurnosti operatera ključnih usluga i davatelja digitalnih usluga (Act on the Cybersecurity of Operators of Essential Services and Digital Service Providers, ZKS; passed by the Sabor on 6 July 2018)
Uredba o kibernetičkoj sigurnosti operatera ključnih usluga i davatelja digitalnih usluga (Regulation on the Cybersecurity of Operators of Essential Services and Digital Service Providers; adopted by the Government on 26 July 2018)
Framework of good practices for aligning operators of essential services with the ZKS measures and conducting conformity assessments
Guidelines for submitting incident notifications (in accordance with the ZKS)
…
Other possible scenarios
Telecommunications/links (impact on other sectors),
Traffic control (airports, city traffic lights),
Border control (Croatia is about to join Schengen)
Trends and conclusions (to close)
Cyber attacks have evolved from hacktivism, espionage, hacking... today we have a global battlefield
►future wars may take place in cyberspace, or will at least be hybrid (cyber + conventional)
We can expect attacks on smart homes
Cyber attacks represent an advanced threat to critical infrastructure
►attacks that disrupt critical infrastructure will have a huge impact on business and
quality of life