This week, the XVII STIC CCN-CERT Conference | V ESPDEF-CERT Cyberdefense Conference were held in Madrid, organized respectively by the National Cryptologic Center (CCN) of the National Intelligence Center and by the Joint Cyberspace Command.
Within the framework of the Spanish presidency of the Council of the European Union, this year’s Cybersecurity Conference set new records in participation, number of speakers, and support from companies and organizations in the sector. Together with RootedCon, they are two of the main cybersecurity congresses in the country. It is worth remembering that the last edition had more than 11,200 attendees, of whom more than 4,000 attended in person.
With more than 220 nationally and internationally renowned speakers, the event addressed key topics such as threats and trends in cybersecurity, future challenges, military operations in cyberspace, advancements in the National Security Scheme (ENS), the National Network of Cybersecurity Operations Centers (RNS), quantum technologies, post-quantum, industrial security, and Artificial Intelligence. Additionally, these conferences received historic support from 109 public and private organizations, including the Department of Homeland Security, the Cybernetic Coordination Office of the Ministry of the Interior, INCIBE, Civil Guard, National Police, and the Organization of American States.
There are always high-profile guests. This time the event featured inaugural speeches from the Minister of Defense, Margarita Robles; the Secretary of State Director of the CNI and CCN, Esperanza Casteleiro; and the Secretary of State for Digitalization and Artificial Intelligence, Carme Artigas.
It is an event with so many interesting parallel talks that it generates a certain FOMO: rooms or modules on threats and trends, industrial security, ENS and regulatory compliance, military operations in cyberspace, security products and technologies, rooted labs, and entrepreneurship and innovation in cybersecurity.
We now briefly report on the content of the talks we witnessed in the Govertis room (corresponding to the Industrial Control Module).
Methodology to Define the ‘Essential Inventory’ for Industrial Systems
Led by Nora Susana Alzúa (director of the Industrial Cybersecurity Center in Argentina), and Pablo Daniel Cattaneo (founder and consultant at PhalanX Cybersecurity).
They both indicate that a paper on this inventory initiative is being prepared at the CCI and will be available on its website in mid-2024.
Nora starts by raising questions about how to properly inventory our industrial assets and how to value them, in line with the precepts of ISA/IEC 62443, ISO 27002, and NIST CSF. Pablo highlights how an OT inventory differs from an IT one, and how the pyramid of information security dimensions is inverted in OT (continuity and safety come first).
They discuss the need to carry out mixed inventories (manual for isolated devices, and using automatic probes like InproTech Guardian, for connected nodes).
The steps for a good inventory are: define the scope properly, design a prototype of the information schema, classify assets by risk, identify their owners, load the data, review it, and update the design where needed, iterating in a process of continuous improvement. And of course, once the inventory is built: day-to-day maintenance according to defined procedures.
Finally, they briefly describe the content of the proposed inventory card, focusing on the risk and security levels based on ISA99/IEC 62443, and how the inventory can be applied to vulnerability management or to asset (patrimonial) valuation.
The Ampere Against Charge: Attacking an Electric Charger in a Smart City
In this case, Marina Galiano Botella, a biomedical engineer from the CSIRT of the Valencian Community, describes how quickly cities have come to depend heavily on technology, in particular IoT, for their essential services, without adequately addressing cybersecurity.
She describes the consequences of a large-scale cyberattack in a smart city, based on the studies they have carried out on different models. It is easy to imagine what would happen in the case of malicious manipulation of traffic control cameras or the traffic lights themselves.
She then focuses on the practical case of manipulating an electric car charger, its possible impact, and the lessons learned (including segmentation, use of secure protocols, asset inventory, and continuous monitoring).
TEO Makes a Diagnosis in an Industrial Plant. IEC62443-3-3 with Bad Examples from the Latest News
This talk is given by Miguel Rego and Borja Lanseros from Titanium Industrial Security. In it, with a touch of humor, an operator named Teo unravels various aspects of the ISA99/IEC 62443 standard.
They describe its systematic, holistic, and proportional scope, its motivation, and the breakdown of the standard into families of components, systems, procedures, and the general layer.
They then focus on system security requirements and security levels (IEC 62443-3-3), and on whom it applies to (owners, integrators, and manufacturers), as they respectively operate, deploy, and develop industrial systems. They enumerate the four security levels (SL), from least to most demanding, which can be achieved (current), capability, or target levels.
They then describe the foundational requirements, that is, the basic security controls that must be applied (such as segmentation, encryption, session management, access controls, backups and recovery… and logs and monitoring), and how these security measures adapt to the zones of the industrial network.
Next, they list a series of deficiencies that they most frequently find in industrial environments, ordered by criticality. They recall that problems often stem from a lack of coordination between IT and OT teams.
To close, they outline the fundamentals of design: the Purdue model with two tiers of firewalls, partitioning into zones and conduits, separation of levels through jump hosts and DMZs, remote access via VPN with 2FA, and auxiliary controls (such as vulnerability analysis, backups, etc.).
They warn at the end that projects to secure an industrial plant usually take several years, especially if high security levels are the goal.
Response to Incidents in Industrial Environments: Particularities, Considerations, and Differences
In this case, the speaker of the talk is Edorta Echave, ICS security architect at SECURE&IT (LKS NEXT) and coordinator of the CCI in the Basque Country, as well as a teacher.
He begins his presentation with an interesting video on different industrial environments and critical infrastructures, which gives a good idea of the heterogeneity of these environments and of the professional profiles that defend them.
Later, through another video, he presents the peculiarities and relevant considerations, that is, the good practices for incident response in industrial environments that maximize the uptime of production processes and avoid stoppages or degraded mode. He also covers some definitions associated with business continuity, such as MTD (Maximum Tolerable Downtime) and RTO (Recovery Time Objective), and the verification that must be carried out before resuming activity at full performance.
Edorta also points out, by showing how easy it can be to manipulate a PLC to cause a liquid tank to overflow, that it is not only about keeping production processes running; it is also about their protection on both planes (safety and security).
He also wisely points out during the Q&A that sometimes it is better to stop than to manufacture poorly.
Breaking Barriers, Securing the Future: Mitigating Risks in Access to Critical Systems in OT Environments
Led by Fernando García Vegas, pre-sales engineer at One Identity, with extensive experience in the OT world.
He starts with the ransomware attack on the Chernobyl radiation monitoring system a few years ago, an event that made international headlines. The attack vector was email, and its unwitting executor, a “happy clicker.”
He then reiterates the importance of OT cybersecurity and how far behind we are: a traditional perimeter-based approach rather than an identity-based one, a significant lag compared to IT environments, immature environments and technologies, and unmanaged administration, among other issues.
He recounts how the classic IT problems of authentication (identifying the actor, MFA, password managers, etc.) have unfortunately also migrated to OT environments.
He then proposes a PAM (Privileged Access Management) solution to protect industrial assets, in which every action on a device is audited and monitored and may only be performed after being validated through an authorization process. Passwords, moreover, reside only in the PAM system's password vault.
He reminds us in closing that fiefdoms (the Spanish "reinos de taifas") or silos are not a good idea. OT security must be managed in a unified manner across all plants and areas of the organization. Otherwise, the oft-quoted "the chain is only as strong as its weakest link" will apply.
How do industrial SOCs manage the risks of technological cybersecurity?
We have a roundtable moderated by José Valiente of the CCI, with Aarón Flecha, specialist in industrial security incident management at S21sec; Antonio Villalón, security director of S2 Group; and Javier Sevillano, director of the SOC at Innotec Security. An interactive session is proposed in which the audience answers questions online.
The first question is about which dimension of security takes precedence in industrial environments, and a certain debate is generated between integrity (defended by Villalón due to possible repercussions for society), and availability (which is supported by the majority of the other speakers and attendees).
Next, each of the panelists explains who is responsible for risk management in their industrial SOC services, which technical security measures they consider most important and implement in those services, and finally which certifications they hold and with what scope.
They note, in a somewhat sorrowful tone, that regulatory pressure is increasingly high, which generates a certain administrative overload in order to maintain the certifications required to provide certain services to some clients, such as those in critical sectors or public administrations.
They then describe the critical procedures for operating the industrial SOC when managing industrial cyber incidents, and the consequences these could potentially have (seeking to segregate functions to minimize the degree of exposure).
Finally, to close the morning session, they are asked how, given the sensitive nature of the information they handle, they guarantee the confidentiality of the data managed by their staff. They conclude that there are actions and controls at the level of people, processes, and technology, but, as we know, zero risk does not exist.