BUSINESS CONTINUITY and CRITICAL INFRASTRUCTURE
Tonći Kaleb, OTP banka Hrvatska d.d.



Lecture contents

Introduction
BCM-DR-CM (UKP-OK-UKS) areas
Business risk barometer
How cyber risk affects business
What happens when infrastructure fails?
Major cyber attacks: Stuxnet (Iran), Mirai, Industroyer & NotPetya (Ukraine)
What can help (in case of...)
The IPDRR framework
Critical sectors
Regulation
The situation in Croatia: key bodies by sector
Possible scenarios (discussion and comments)
Trends and conclusions
About me

The goals of this presentation are:
raising awareness of cyber risks, and
considering the possible consequences of cyber attacks (on infrastructure), including (in)direct damage to business and to quality of life.

BCM-DR-CM areas

Business continuity management (BCM), crisis management (CM) and disaster recovery (DR) are interrelated and mutually supporting processes whose goal is to ensure that an entity/company/state can continue to operate (providing essential services to clients while respecting the defined MTO-RTO-RPO-SDO parameters) after an incident*, minimising casualties and damage while protecting the interests of its residents, key economic entities and stakeholders, its reputation and brand, and the activities that create added value.

BCM focuses on resilience and on enabling the recovery of business operations,
CM focuses on decision-making and communication (during a crisis), and
DR focuses on technology and utilities (preparing the preconditions for resuming work).

Related processes are risk management and incident management, physical and information security...

*An INCIDENT can become/escalate into a PROBLEM, a CRISIS or a DISASTER.

Business risk barometer (Allianz 2019)

Business risk barometer, continued

How cyber risk affects business

Whether they are the result of a cyber attack or (more often) of outages or failures of ICT systems, cyber incidents are the main cause of business interruption for modern networked companies, whose primary assets are often data, services (platforms), or their groups of users/customers or suppliers.

TYPES OF ECONOMIC LOSS CAUSED BY CYBER INCIDENTS: revenue, reputation, complaints, recovery, fines

When infrastructure fails...

Major cyber attacks: Stuxnet

DATE
Reported for the first time in 2009, Stuxnet shook the entire energy industry by hitting in 2010. Stuxnet remains the most complex and sophisticated malware.

ENVIRONMENT
The attack was launched to sabotage centrifuges of the uranium enrichment plant in Natanz, Iran. Via an infected and unchecked USB key, the virus entered the operational network. This is the first targeted attack that required upstream preparation.

METHOD
First, the attackers spied on several Iranian nuclear facilities and carried out extensive research and development work. Second, to approach its target, Stuxnet exploited no fewer than four 0-day vulnerabilities (all since patched by Microsoft) targeting different versions of Windows, as well as the well-known MS08-067 vulnerability (remote code execution via an RPC request), which had been patched several years earlier.

Stuxnet was able to attack complex Siemens WinCC / PCS 7 SCADA software systems (software for automation control and management, in this case of the centrifuges' rotation speed). This allowed it to execute arbitrary code with administrator rights and install two concealment tools (rootkits).

Once a month, Stuxnet recorded the control system's sensor values over a 21-second period. Then, during the attack's execution, Stuxnet replayed these 21 seconds in a loop. Thus, for the control room operators everything looked normal, while during this time Stuxnet carried out its malicious work. The virus took control of the machines (controlling valves to increase the pressure of the injected gas and compromise the centrifuges, and the computers regulating the centrifuges' speed via third-party systems).

Unusual for a virus: the attack required knowledge of industrial processes, Windows vulnerabilities and programming languages (C and C++).

MOTIVATION
Several investigations have revealed that the creation of Stuxnet was mandated by the US, supported by Israel, with the help of an internal accomplice, for state spying.

CONSEQUENCES
Stuxnet was the first attack that hindered the functioning of an infrastructure and damaged industrial facilities. It is estimated that several hundred centrifuges were destroyed or disabled by this process. The plant fell behind in its nuclear programme. The worm also affected 45,000 computer systems, including 30,000 in Iran, PCs owned by employees of the Bushehr nuclear power plant. The other 15,000 systems are computers and power plants in Germany, France, India and Indonesia, all using Siemens technologies.

RECOMMENDATION
No axis of defence can be neglected on such critical industrial systems. It is suggested to set up a cyber-attack detection system that monitors network exchanges all the way down to the process. It is necessary to compare the values exchanged between the PLCs and the supervision layer, and thus to detect drift of the process and compromise of the supervision tool. In addition, it is advised to segment the networks, to encrypt the exchanges on the industrial process, and to patch all industrial IS equipment and software. It is recommended to implement cybersecurity good practices and requirements by design, in particular in the choice of software and equipment, so that only a few vulnerabilities remain.
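The "compare the PLC values with the supervision layer" check from the recommendation above, as an added example (not from the presentation or from any vendor tool): given the readings captured on the PLC side and the readings the supervision layer displays, it flags an exactly repeating window in the supervision stream (the signature of a replayed recording) and any divergence between the two streams. The 1 Hz sampling, the 21-sample window and both sample series are constructed assumptions.

```python
"""Replay and drift detector for supervision (HMI) vs field (PLC) readings.
Added example, not from the presentation; all sample data below is constructed."""
from typing import List, Optional


def replay_period(series: List[float], min_period: int = 2) -> Optional[int]:
    """Smallest p such that series[i] == series[i - p] for every i >= p, or None.

    A recording replayed in a loop (Stuxnet replayed 21 s of sensor data) gives an
    exact period; genuine process data with sensor noise practically never does.
    At least two full repetitions are required, so p <= len(series) // 2."""
    n = len(series)
    for p in range(min_period, n // 2 + 1):
        if all(series[i] == series[i - p] for i in range(p, n)):
            return p
    return None


def drift_alerts(plc: List[float], hmi: List[float], tolerance: float) -> List[int]:
    """Sample indices where the PLC-side value and the value reported by the
    supervision layer differ by more than `tolerance` (process drift that the
    operators are not being shown, or a compromised supervision tool)."""
    return [i for i, (a, b) in enumerate(zip(plc, hmi)) if abs(a - b) > tolerance]


# Constructed sample: 1 Hz readings, 63 samples (three 21 s windows).
# HMI_STREAM replays one recorded 21 s window; PLC_STREAM drifts away from
# sample 30 onward (e.g. rising speed) while the HMI keeps showing the loop.
_window = [1000.0 + 0.1 * ((i * i) % 23) for i in range(21)]
HMI_STREAM = _window * 3
PLC_STREAM = [v + (2.0 * i if i >= 30 else 0.0) for i, v in enumerate(HMI_STREAM)]


def analyse(plc: List[float], hmi: List[float], tolerance: float = 5.0) -> dict:
    """Combine both checks into one verdict for a pair of captured streams."""
    alerts = drift_alerts(plc, hmi, tolerance)
    return {
        "replay_period_s": replay_period(hmi),      # 21 for the constructed sample
        "first_drift_at": alerts[0] if alerts else None,
        "drift_samples": len(alerts),
    }


if __name__ == "__main__":
    print(analyse(PLC_STREAM, HMI_STREAM))
```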

Major cyber attacks: Mirai

The Internet of Things (IoT) is a system of interconnected computing devices, mechanical and digital machines, sensors, wearables and other objects, animals or people that use unique identifiers (UIDs) and can transfer data over the Internet without requiring additional human-to-human or human-to-computer interaction.

...the work of Minecraft entrepreneurs; peaked in September 2016, with 15,194 DDoS attacks in the campaign; victims included ISPs, Amazon, PayPal... protection came from more advanced anti-DDoS services and mirrored DNS servers.

Major cyber attacks: Industroyer

DATE
Industroyer targeted Ukraine in December 2016 as the biggest threat to industrial control systems since Stuxnet. It was the first virus designed specifically to attack power grids.

ENVIRONMENT
A less severe, but still significant, blackout had already been caused in the west of the country in December 2015 (BlackEnergy and KillDisk malware). Just before midnight, the Pivnichna high-voltage substation north of Kiev (Ukraine's capital) was completely knocked out after a computer attack. To restore electricity, the technicians had to return to manual mode and intervene at the affected substation.

METHOD
Industroyer (aka CrashOverride) used two backdoors, a module to launch DDoS attacks, a wiper and four protocol flaws (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) allowing communication with the electricity network. Its main component, a backdoor, allowed the hackers to control power grid systems via highly complex software capable of attacking any network of European power plants and relays.

By using these protocols simultaneously, the malware was able to get onto the network administrators' PCs, scan the network, identify the targeted devices and take remote control. The hackers were able to open the transformers' breakers and cause a blackout. The goal was to distract from their primary objective, the infrastructure communication protocols. The hackers also added a module to remove their traces (a data wiper).

MOTIVATION
The hackers had excellent knowledge of the attacked power grid, suggesting that they were either extremely organized or backed by a state. The goal was above all to sabotage and disrupt the electrical networks.

CONSEQUENCES
The virus paralyzed the relay station and disrupted power network operation for almost an hour. About 230,000 Ukrainians were affected for up to 6 hours. Industroyer is a threat that has to be taken very seriously. It was designed to suit any type of plant. Due to its modularity and its ability to easily monitor network operations, it could be exported to Europe, Asia and the Middle East.

RECOMMENDATION
Regarding this complex attack, many aspects must be considered, including network segmentation, encryption of industrial process traffic and employee cyber training. Crisis management is also essential, especially activity transfer, isolation of part of the network and restoration of saved data. The risk analysis has to evaluate the obvious vulnerabilities of the IS and work on its security. Finally, a cyber-attack detection system capable of analyzing the protocols specific to the energy sector should ensure efficient detection on these critical systems.
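The protocol-aware detection the recommendation calls for, as an added example (not from the presentation or from any product): a passive monitor that decodes IEC 60870-5-104 APDUs, one of the protocols Industroyer spoke, and raises an alert when a control-direction command (single/double command, regulating step, station interrogation) is sent by a host that is not an allow-listed SCADA master. The master address, the source addresses and the frame bytes are constructed.

```python
"""Passive IEC 60870-5-104 monitor: alert on control commands from unknown hosts.
Added example, not from the presentation; addresses and frame bytes are constructed."""
import struct
from typing import Dict, Optional, Set

# Control-direction ASDU type identifiers (IEC 60870-5-101/104)
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    100: "C_IC_NA_1 station interrogation",
}


def parse_apdu(data: bytes) -> Optional[Dict]:
    """Decode one APDU; return None for S/U frames or malformed input.

    Layout: 0x68, length (APDU bytes after these two), 4 control octets, then
    the ASDU: type id, VSQ, cause of transmission (2 bytes), common address
    (2 bytes), and per object a 3-byte little-endian IOA plus its element."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01:                      # bit 0 set: S or U format, no ASDU
        return None
    if len(data) < 16:                      # APCI(6) + ASDU header(6) + IOA(3) + element
        return None
    type_id, vsq = data[6], data[7]
    cot = data[8] & 0x3F                    # low 6 bits; bit 6 = P/N, bit 7 = test
    common_addr = struct.unpack_from("<H", data, 10)[0]
    ioa = data[12] | (data[13] << 8) | (data[14] << 16)
    return {"type_id": type_id, "objects": vsq & 0x7F, "cot": cot,
            "common_addr": common_addr, "ioa": ioa, "element": data[15]}


def check_command(src_ip: str, data: bytes, allowed_masters: Set[str]) -> Optional[str]:
    """Alert text when a control command originates from a non-allow-listed host."""
    asdu = parse_apdu(data)
    if asdu is None or asdu["type_id"] not in COMMAND_TYPES:
        return None                         # monitoring direction or unknown type
    if src_ip in allowed_masters:
        return None
    return (f"ALERT {src_ip}: {COMMAND_TYPES[asdu['type_id']]} to station "
            f"{asdu['common_addr']} IOA {asdu['ioa']} (COT {asdu['cot']})")


# Constructed I-format frame: C_DC_NA_1 (46), 1 object, COT 6 (activation),
# originator 0, common address 1, IOA 0x001001, DCO 0x02 (double command ON).
SAMPLE_DC_CMD = bytes([0x68, 0x0E, 0x02, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x06, 0x00,
                       0x01, 0x00, 0x01, 0x10, 0x00, 0x02])
ALLOWED_MASTERS = {"10.0.0.5"}              # constructed SCADA master address
```

Feed it the TCP payloads seen on port 2404 together with the sender's address; anything returned is an alert for the SOC.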

Major cyber attacks: NotPetya

DATE
NotPetya targeted Ukraine in June 2017. It was the most damaging cyberattack in history.

ENVIRONMENT
After the cyberattacks on Ukraine's power grid in 2015 and 2016, the attack in June 2017 swamped Ukrainian banks, government agencies, airports, media and utility/electricity companies. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia.

METHOD
The hackers combined code tested in the power grid attacks with the Petya malware. The NotPetya used in the 2017 attack uses EternalBlue, an exploit that takes advantage of a vulnerability in Windows' Server Message Block (SMB) protocol. EternalBlue is generally believed to have been developed by the NSA. The malware harvests passwords and uses other techniques to spread to other computers on the same network, and uses those passwords in conjunction with PsExec to run code on other local computers. Additionally, although it still purports to be ransomware, the encryption routine was modified so that the malware could not technically revert its changes. This characteristic, along with other unusual signs (including the low unlock fee of US$300 and the use of a single, fixed Bitcoin wallet to collect ransom payments), prompted speculation that this attack was not intended to be a profit-generating venture, but to damage devices quickly and ride on the media attention.

MOTIVATION
It was as close to cyberwar as possible.

CONSEQUENCES
The NotPetya attack is estimated to have cost $10 billion to clean up. This was the most damaging attack in history, of a scale and cost that far exceeded the damage caused by any fired missile. Besides the impact on Ukraine's critical infrastructure (power grid, airports...), it spread worldwide and crippled multinationals like Maersk, FedEx, DHL, Mondelez, Merck...

RECOMMENDATION
Prepare a cyber-defence strategy, and start with staff cyber training. Crisis management should cover activity re-allocation, isolation of part of the network, and restoration of data and operations. Risk analysis has to assess the vulnerabilities of the IS supporting critical infrastructure. Redundant NOCs can improve resilience. Cyber-attack detection systems should be kept up to date.

What can help (in case of...)

Implemented security measures (preventive, reactive... especially for ICT)
Implemented redundancy (data copies and additional links, different routes and media, multiple service providers...)
Ready solutions for disaster recovery and business continuity (DR/BCM) (DR servers, backups of applications/links/data, alternate sites for resuming work)
BC/DR plans & operational procedures and instructions for recovery/resumption of work (which clearly define WHO does WHAT, WHEN, WITH WHOM/WHAT and WHY...)
Pre-defined communication, escalation and coordination (workflow)
Training (at least for key people/teams) and tests
Risk register (up to date, with tracking of the implementation of the measures prescribed by the action plan)

The IPDRR framework

IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER

Critical sectors in the EU and EFTA

Regulation

EU
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (EU NIS)
Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148

Croatia
Information Security Act (Zakon o informacijskoj sigurnosti)
Regulation on Information Security Measures (Uredba o mjerama informacijske sigurnosti)
Critical Infrastructures Act (Zakon o kritičnim infrastrukturama, 2013)
National Cyber Security Strategy and the Action Plan for its implementation (Nacionalna strategija kibernetičke sigurnosti i Akcijski plan)
Act on the Cyber Security of Operators of Essential Services and Digital Service Providers (ZKS; passed by the Sabor on 6 July 2018)
Regulation on the Cyber Security of Operators of Essential Services and Digital Service Providers (adopted by the Government on 26 July 2018)
Framework of good practices for aligning operators of essential services with the ZKS measures and for conducting conformity assessment
Guidelines for submitting incident notifications (in accordance with the ZKS)

Key bodies by sector

Our possible scenario: energy

Our other possible scenarios
Telecommunications/links (impact on other sectors),
Traffic control (airports, city traffic lights),
Border control (we will soon be in Schengen)

Possible scenario: military (!?)

Trends and conclusions (to close)

Cyber attacks have evolved from hacktivism, espionage and hacking... today we have a global battlefield
► future wars may take place in cyberspace, or at least they will be hybrid (cyber + conventional)
We can expect attacks on smart homes
Cyber attacks represent an advanced threat to critical infrastructure
► attacks that cause disruptions of critical infrastructure will have an enormous impact on business and on quality of life

About me

Risk specialist and BCM coordinator at OTP banka Hrvatska d.d.
Former IS developer, IT auditor...
I hold professional certifications: ISACA CISA, CRISC... PECB ISO 22301 LI...
I live in Split, and I like films, football and cafés by the sea...