Philippe-Emmanuel Maulion, Corporate Information Security Officer of SITA (Société Internationale de Télécommunications Aéronautiques), shared perspectives from the air transport sector, with numerous practical examples.
The threat landscape addressed by SITA includes airports, aircraft, air traffic management and all steps in between – the whole cycle of air transport covering both passenger and freight security. Motivated, sophisticated and targeted cyber-attacks are evident across the expanse of global air transport. Many attacks are not necessarily aimed at the air industry per se, but are part of global attacks aimed at specific countries or regions. Cyber security is therefore a key business issue, and cyber security related expenditure is forecast to grow 8.3% CAGR through 2020 in the air transport sector.
Cyber threat intelligence gathering reveals that adversaries are not systems, but people who are smart and who pursue goals. They are professionals and are well funded either by crime or by political aims.
Applying cyber threat intelligence tends to follow a military-style approach, is highly structured, and is based on years of experience. Intelligence reports support operational decision making and shared understanding between security actors.
Typical attacks show seven stages: reconnoitre; weaponize; deliver; exploit; control; execute; maintain. Defending each stage requires different intelligence and approaches to disrupt the flow of the attack. Proactive detection and mitigation will address the early stages, while incident response processes deal with the later stages if they are reached.
A range of actions to address each stage was presented. For example, self-reconnaissance can reveal your own weaknesses and allow you to identify what your adversaries can use or do against you; fingerprints on your systems will also show what is happening.
In general, cybersecurity intelligence must address:
- What campaigns are targeting my industry or similar companies to mine?
- Who are the adversaries I should be (most) concerned about?
- What is the nature of the attacker e.g. criminal, hacktivism, industrial espionage?
- What tactics, techniques and procedures (TTPs) are these attackers using?
- What are the TTPs most seen?
- What vulnerabilities are being exploited? Weaknesses most observed?
- How should I best adapt my defences to counter these attackers?
- How have other victims reacted?
These issues can be addressed in isolation, but at significant cost. Cooperation and sharing of information can reduce cost within a single industry, such as Rail, where the issues to be addressed are largely common. Cooperation also speeds response and recovery.
The overarching goals should address:
- Identify weaknesses most observed.
- Identify vulnerabilities that are being exploited.
- Support informed decision making; clarify the risk landscape.
- Decrease the time to detect an attack.
- Prevent attacks.
- Augment incident response capability; facilitate investigation of attacks.
- Improve information security management practices.
All of these can be better addressed through cooperation within the European Rail Area.
Dr Maulion emphasised, in summing up: The cybersecurity threat is real, co-ordinated and happening now – across all industries, including rail; Cybersecurity intelligence can help individual organisations address and respond to threats; Industry-wide shared intelligence is most helpful to protect a specific industry.
“CyberSecurity4Rail” Railway Industry Conference - Brussels 4th October 2017
- Welcome and overview: “Co-operation is essential in the quest to manage technology and people for security”
- Cyber security – don’t be a victim: “Information is power and control of information has unexpected consequences”
- The regulators’ view on cyber security: “Multi-modal transport requires data exchange and interconnection”
- Security in the SERA – policy considerations: “The need for common understanding, guidelines and best practices”
- The Network and Information Security Directive (NIS Directive): “A host of European actions in cyber security”
- The railway sector perspective on cyber security: “Integrated approach to security and safety without duplication”
- How airlines protect against cyber-attack: “Adversaries are not systems, but people who are smart and who pursue goals”
- Secure networks for collaborative services: “Networks are the risk – meshed networks provide a segmented and secure response”
- First panel discussion: “Product liability, staff training & awareness, information sharing in both safety and security…”
- Cyber security and resilience of transport infrastructure: “Current European initiatives in cyber security supporting Rail”
- Perspectives from a European railway operator: “Trains as data centres – protecting train IT as a cyber-crime target”
- Lessons learned from EU projects SECRET and CYRAIL: “Rail as critical infrastructure requires strong projects to protect it”
- Perspectives of a railway infrastructure manager: “Extensive premises, public accessibility – DB managing security risks”
- The telecommunications view: “Risk management depends on agility”
- The IT provider view: “Understand vulnerability and develop avoidance and mitigation strategies”
- Second panel discussion: “The need for co-ordinated action”
- Closing keynote address: “Achieving an EURail-ISAC, without replication or over-regulation….”
- The Way Forward: “Establishing a European Railway ISAC based on a common understanding”
- Annexe - Conference Evaluation Summary – Consensus