How to Mitigate the Consequences What are the Countermeasures? CYRAIL Final Conference Paris, 18.09.2018 How to Mitigate the Consequences What are the Countermeasures? Taha Abdelmoutaleb Cherfia fortiss

Common Mitigation Strategies Introduction of common mitigation strategies that are appropriate to address the threats targeting railways in order to prevent or minimize their impact on the different critical assets.

Common Mitigation Strategies System Administration Bastion Hosts Logging and Monitoring Multi-Factor Authentication Administrator Audit Logging 3 4 2 5 1 SA AS NS DP DS Device Security Access Controls Antivirus / Anti-Malware Firewalls Hardware Encryption Application Security Application Firewalls Database Firewalls Application Whitelisting Email Security Data Leakage Protection Data Protection Data Encryption Secure Socket Layer Transport Layer Security Digital Signature Password Policy Network Security Network Segmentation Network Access Control Internet Protocol Security Network Intrusion Detection/Prevention Virtual Private Network

System Administration Objective: System Administration is the foundation for any infrastructure security measures, and it needs to be a top priority. It provides measures to prevent intruders from getting control over the system. Solutions: Bastion Hosts Logging and Monitoring Host Hardening Multi-Factor Authentication Administrator Audit Logging

Application Security Objective: Application Security provides measures to protect and secure an application from different attacks that exploit its vulnerabilities at different stages of an application lifecycle from design to deployment. Solutions: Application Firewalls Database Firewalls Application Whitelisting Email Security Data Leakage Protection (DLP)

Network Security Objective: Network Security is is the combination of physical and software preventative measures and activities that protect the underlying network infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure. Solutions: Network Segmentation Network Access Control Internet Protocol Security Network Intrusion Detection/Prevention Virtual Private Network (VPN)

Device Security Objective: Device Security (DS) involves protecting endpoint devices such as personal computers, mobile devices and servers from cyber-attacks. It provides mechanisms to restrict access rights to these endpoints to authorized users. Solutions: Access Controls Antivirus / Anti-Malware Firewalls Hardware Encryption

Data Protection Objective: Data Protection is the process of safeguarding the use of data systems and networks to prevent the unauthorized use of data, and the unintentional or deliberate distortion of data. Solutions: Data Encryption Secure Socket Layer (SSL) Transport Layer Security (TLS) Digital Signature Password Policy

Human Factor People play a fundamental role in an effective cybersecurity strategy because they are often the weakest link in the cybersecurity chain. Solution: Railway actors should provide Cybersecurity Awareness Training to their employees including executives, systems administrators, developers, and incident reporters to ensure they are aware of their responsibilities with regard to cybersecurity concerns. Cybersecurity training should include training on policies and potential cybersecurity threats to the railway actor and its business. Verizon, “2018 Data Breach Investigations Report” (2018). Available at: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf

Advanced Mitigation Strategies Security by Design and Multiple Independent Layers of Security are some of the trending concepts in cybersecurity that may help to provide a strong mitigation strategy.

Traditional Security Security cannot be an afterthought! Before: Security is considered after the definition of the system, meaning that security mechanisms are fitted into its pre-existing design. Conflicts with the system requirements + New vulnerabilities

Security by Design Security Security should play an integral role throughout all phases of the system life cycle. Analysis Design Security Planning Implementation Maintenance

Security by Design: Principles Description Least Privilege An entity should be given only those privileges that it needs in order to complete its task. Fail Safely Unless an entity is given an explicit access to an object, it should be denied access to that object. Economy of Mechanism Security mechanisms should be as simple as possible. Complete Mediation Each and every access to an object must be checked to ensure that it is allowed Open Design Security should not depend on secrecy of its design or implementation. Separation of Privilege A system should not grant permission based on a single condition. Least Common Mechanism Mechanism used to access resources should not be shared Psychological Acceptability Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present. Defense in Depth Use of multiple security mechanisms such that if one mechanism fails, another will be already in place to prevent a full breach.

MILS: Multiple Independent Layers of Security MILS is a high-assurance security architecture based on the concepts of separation and controlled information flow. MILS is founded on the understanding that security is not a one-size- fits all proposition. MILS supports the coexistence of both trustworthy and untrusted components. Each component is isolated and each may communicate with the others based on the policy enforcements functions. MILS architecture allows the execution of multiple components at different safety/security levels or classifications (mixed-criticality).

MILS: Properties In order to be effective, all system security must be NEAT Property Description Non-bypassable Policy enforcement functions cannot be circumvented Evaluatable Policy enforcement functions are small enough and simple enough that proof correctness is practical and affordable Always-invoked Policy enforcement functions are invoked each and every time Tamperproof Policy enforcement functions and the data that configures them cannot be modified without authorization