Copyright © 2015 ardantic - All rights reserved
Continuity and Resilience (CORE)
ISO 22301 BCM Consulting Firm
Presentations by our partners and
extended team of industry experts
Our Contact Details:
INDIA
Continuity and Resilience
Level 15, Eros Corporate Tower
Nehru Place, New Delhi-110019
Tel: +91 11 41055534/ +91 11 41613033
Fax: ++91 11 41055535
Email: neha@continuityandresilience.com
UAE
Continuity and Resilience
P. O. Box 127557
Abu Dhabi, United Arab Emirates
Mobile: +971 50 8460530
Tel: +971 2 8152831
Fax: +971 2 8152888
Email: info@continuityandresilience.com
BCM for national critical resources
BCM Summit Middle East 2015
Henri Haenni – MBCI / ISO 22301 LI / ISO 27001 LI / ISO 20000 LA / BCS Green IT
Agenda
• Introduction
• What are national critical infrastructures ?
• Which are the threats ?
• Who are the potential attackers ?
• Which are their targets ?
• Are our national critical infrastructures vulnerable ?
• How can we get prepared ?
Introduction
Stuxnet (2009)
DuQu (2010)
Flame(r) (2012)
SkyWiper
Extremely advanced
Zero-day vulnerabilities
Unprecedented capabilities
Targeted
Wide spread
Stealth
Anonymous
« … unparalleled number of functionalities… »
Sources : Kaspersky, Lexsi, Symantec
Detected in
Saudi Arabia
Egypt
Iran
Israel
Lebanon
Sudan
Syria
Russia
Austria
Hong Kong
UAE
Several thousands of « victims »
Individuals
Enterprises
Public admin
…
Geography of the targets
Complexity
« No doubts that it was sponsored by a state »
« … a group of specialists, financed and managed… »
« New phase in cyberwar »
Evgueni Kaspersky
Source : Kaspersky
« … Cyber weapons directed to any countries… »
« The most developed countries are the most vulnerable »
Source : Kaspersky
Retaliation
« Global critical infrastructure organizations need to take this threat seriously »
M. Weatherford, Former Deputy Under Secretary for Cyber Security at the US Dept of Homeland Security
« Shamoon » malware, similar to « Flame »
>30’000 affected endpoints
Countless hours of recovery
Huge downtime financial consequences
2014 : Ababil, Saffron Rose, Cleaver, …
Source : Cylance OpCleaver, Kaspersky
Source : Cylance OpCleaver
What are national critical infrastructures ?
“These war games are about the real effects of a cyberwar ...
about causing chaos in our streets at home due to sudden
crashes in our critical infrastructure through manipulation
of our banking, transportation, utilities, communications,
and other critical infrastructure industries.
These are all real scenarios.”
Tom Patterson CSO at MagTek & US Air For Senior Advisor, 2010
Anything that contributes to the safety, wellness, wealth, integrity, health and stability of a collectivity of people and the infrastructures and organizations that support it.
« Critical infrastructure is the backbone of our nation's economy, security and
health. We know it as the power we use in our homes, the water we drink, the
transportation that moves us, and the communication systems we rely on to stay
in touch with friends and family. »
« Critical infrastructure are the assets, systems, and networks, whether physical
or virtual, so vital to the United States that their incapacitation or destruction
would have a debilitating effect on security, national economic security,
national public health or safety, or any combination thereof. »
« an asset, system or part thereof located in member states
which is essential for the maintenance of vital societal
functions, health, safety, security, economic or social
well-being of people, and the disruption or destruction of
which would have a significant impact in a member state as a
result of the failure to maintain those functions »
« We safeguard critical infrastructure to
assure social and economic stability
within Abu Dhabi and beyond using
integrated security strategies and the
sharing of best practices through public-private partnerships. »
They are like the « chakras » or vital points of the nations
Energies
Agriculture
Emergencies
Energies transport & processing
Chemicals
Healthcare
Manufacturing
Water supply
Transports
Gov’t services
Financials
Telecoms
IT
Defence
Domino effect
Critical infrastructures: ICT & network; Financials; Gov’t facilities & services; Healthcare; Manufactures; Agriculture & food network; Emergencies; Transport network; Natural resources; Chemicals
Water/Dams; Oil/Rigs; Ore/Mines; Machines; Metal; Electr.; Pharma; Fertilizers; Basics; Fire; Medics; Law enforc.; Railw; Airports; Roads; Ports; Defence; Energies & grid; Nuclear; Refineries; Pipelines; Smart grid; Civil prot.
Critical infrastructure: Air Traffic Control
• Involves: Passengers, airports, air navigation authorities, regulators, aeronautics industry
• Security requirements: Security, extreme performance, reliability, massive interoperability
• Vulnerabilities: Unencrypted data links, capabilities to tamper with radar rendering, remote control of aircraft
Critical infrastructure: Financial systems
• Involves: Individuals, enterprises, banks, insurances, funds, regulators, market infrastructure
• Security requirements: Availability, confidentiality, integrity, authentication, access control, non repudiation
• Vulnerabilities: Use of mobile apps, human factor, susceptibility to phishing, unpreparedness
Critical infrastructure: Power grid
• Involves: Consumers, power plants, substations, distribution grid, regulating authorities
• Security requirements: Reliability, interoperability, performance, resilience
• Vulnerabilities: SCADA obsolescence, hyper interconnectivity, market deregulation, smart metering
Sources : H. Teso. Aircraft hacking (2013), Critical Infrastructure protection
Mass injuries or casualties
Large scale environmental damages
Important loss of services
Loss of confidence, civil unrest
Interdependencies
Physical
Information systems
Geographical
Logical
Source : Critical Infrastructure protection 2014
Which are the threats ?
Can take « real, large scale » actions !!!
Who are the potential attackers?
Who: Smart hacker | Competitor | Hacktivist | Organized crime | Terrorist groups | Countries, nations
Resources: Almost none | Money, time, limited skills | Limited but organized and skilled | Very large : money, time, skills | Infinite
Motivations: Ego, self esteem | To sabotage competitors image | Campaign based, ideological | Money, power, blackmail | Ideological, political, nothing to lose | Geostrategy, economical, political, espionage
Capabilities: Very limited | Limited | Extensive | Very important | Unlimited
Damages: Most of the time, none | Focused, material only | Serious, purpose-bound | Regional | High profile incidents, spectacular | Nation level, massive
Source : Critical Infrastructure protection 2014
Which are their targets ?
• Combination of cyber & physical attacks to destroy or invalidate critical supplies
• Disruption of international communications backbones preventing any financial transactions
• Cyber attacks on the control systems of a major power/smart grid leading to large areas blackout
  ◦ DDoS, routing attacks, malwares, protocol attacks, insider
  ◦ Control can be taken and left dormant for further coordinated attacks
• Coordinated cyber attacks on the rail grid, air control and traffic control systems to generate massive congestions
What are the vulnerabilities ?
Vulnerability chain
Infrastructure, SCADA, network
Applications
Users
Brute force
Human errors
Source : Critical Infrastructure protection 2014
SCADA
• Use of standard communication protocols
• Increased use of commercially available HW or SW components
• Absence of any authentication/authorization protocols
• Increased number of internet-facing SCADA appliances
Network
• Interconnectivity
• Critical infrastructures are going mainstream
• More and more connected to corporate networks
• Use of poorly protected wireless protocols
Application
• Distributed architectures on different platforms
• Vulnerability to compromised sensors
Human factor
• The most vulnerable components of all
Massive interconnectivity
Reliability
Availability
Efficiency
Resilience
Vulnerability
Obsolescence
How can we get prepared ?
Robust critical infrastructure
Impacts analysis
Vulnerability & risks assessment
Prevention security measures
Contingency measures
Resilience to disasters
Community / social resilience
Awareness
Crisis management structure
At national, regional or local level
National level, Regional level, Local / Private level
Organization
• National crisis management agency
• Regional coordination entities
• Local or cities authorities
• Private CI owners/operators
Preparedness
• Defines security standards
• Provide BC/DR methods / templates / training
• Monitors preparedness state via regional and local reporting
• Monitors CI usage
• Participates in exercises and awareness campaigns
• Acquire and develop expertise on regional specifics in relation with CI
• Report to national level
• Participates in local exercises and awareness campaigns
• Implement security standards
• Monitors local preparedness
• Report to regional
Incident
• CI owner leads recovery and restoration of CI service
• Assess local level or CI impact and damages, report
• Activates restoration plans for CI
• Activates crisis mgmt and response procedures
• Assesses impacts, damages at national level
• Identifies options for recovery
• Provides SMEs to assist CI owners/operators
• Activates recovery and restoration plans at regional level
• Assesses impacts, damages at regional level, report
• Coordinates local level recovery actions
• Liaise with CI owners/operators
At critical infrastructure level
Context analysis and modeling
• Identify scenarios
• Define impact scales
• Identify and model CI components
• Identify stakeholders
• Identify possible threats
• Identify possible attackers
Security requirements
• Determine security requirements
• Perform gap / maturity analysis
Risk analysis
• Assess impacts of attacks
• Assess risks
• Assess likelihood of attacks
Design & implement security measures (prevention)
• Design + impl security architecture
• Design + impl critical infras. modifications
• Design + plan security tests
• Design + plan compliance assessment
• Design + impl monitoring programme
• Identify existing vulnerabilities
Design & implement crisis management & recovery planning
• Setup crisis mgmt org & procedures
• Setup local continuity solutions
• Develop fast recovery local solutions
• Setup exercising programme
• Review for changes
Key success factors
• Government led infrastructure and organizational resilience directives (national infrastructures department)
• Government assisted (cyber) security standards definition, threats and vulnerabilities identification and impact assessment (sector based)
• Government supported communities awareness campaigns
• Government representatives supervised exercises on major CIs
• Sustainable public/private partnerships with CI owners or operators (regulatory)
• Government and CI level surveillance structure (national intelligence agency)
Questions ?
Thank you for your Attention
‫اهتمامكم‬ ‫على‬ ‫لكم‬ ‫شكرا‬
