05 | 07 | 2018 Enrico Dani, senior level executive with 20+ years international experience in the security industry “Cybersecurity: latest threats in industrial environments and their solutions”

“Cybersecurity risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace. The financial impact of cybersecurity breaches is rising, and some of the largest costs in 2017 related to ransomware attacks, which accounted for 64% of all malicious emails.

Notable examples included the WannaCry attack—which affected 300,000 computers across 150 countries—and NotPetya, which caused quarterly losses of US$300 million for a number of affected businesses.

Another growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning”

CYBERCRIME IS RANKED #3 GLOBAL RISK

Cybercrime today interferes heavily in our private life, in financial markets and at geopolitical level

Cybercrime in 2017 grew in total by 14% (240% since 2011)

CyberWarfare attacks grew by 24% and CyberEspionage attacks grew by 46%

CYBERCRIME IS RANKED #3 GLOBAL RISK

Cybercrime costs in 2017 were 500 Billion USD

Extortion, fraud, and money and data theft hit approximately 1 Billion people

The burden for private citizens was 180 Billion USD

CYBERCRIME IS A NICE BUSINESS

Network out of service:

• 1-8 hours (45%)

• 9-16 hours (11%)

• 17-24 hours (11%)

One third of affected companies have lost 20% of sales due to system downtime

50 days average time to resolve a malicious attack

23 days average time to resolve a ransomware attack

OUT OF SERVICE

Old «analog» age

EXTERNAL

• Internet

• Web

• Email

• Cloud

INTERNAL

• Hotspots

• Mobile devices

• USB/Media

TODAY THE ATTACK SURFACE IS MUCH LARGER…

Multiple platforms…

And SCADA (*):

• AS-i – Actuator-sensor interface, a low level 2-wire bus establishing power and communications to basic digital and analog devices

• BSAP – Bristol Standard Asynchronous Protocol, developed by Bristol Babcock Inc.

• CC-Link Industrial Networks – Supported by the CLPA

• CIP (Common Industrial Protocol) – can be treated as application layer common to DeviceNet, CompoNet, ControlNet and EtherNet/IP

• ControlNet – an implementation of CIP, originally by Allen-Bradley

• DC-BUS – communication over DC power lines, originally by Yamar Electronics Ltd

• DeviceNet – an implementation of CIP, originally by Allen-Bradley

• DF-1 - used by Allen-Bradley ControlLogix, CompactLogix, PLC-5, SLC-500, and MicroLogix class devices

• DirectNet – Koyo / Automation Direct proprietary, yet documented PLC interface

• EtherCAT

• Ethernet Global Data (EGD) – GE Fanuc PLCs (see also SRTP)

• EtherNet/IP – IP stands for "Industrial Protocol". An implementation of CIP, originally created by Rockwell Automation

• Ethernet Powerlink – an open protocol managed by the Ethernet POWERLINK Standardization Group (EPSG).

• FINS, Omron's protocol for communication over several networks, including Ethernet.

• FOUNDATION fieldbus – H1 & HSE

• HART Protocol

• HostLink Protocol, Omron's protocol for communication over serial links.

• Interbus, Phoenix Contact's protocol for communication over serial links, now part of PROFINET IO

• IO-Link, for sensors, actuators and such

• MECHATROLINK – open protocol originally developed by Yaskawa, supported by the MMA

• MelsecNet, and MelsecNet II, /B, and /H, supported by Mitsubishi Electric.

• Modbus PEMEX

• Modbus Plus

• Modbus RTU or ASCII or TCP

• OSGP – The Open Smart Grid Protocol, a widely used protocol for smart grid devices built on ISO/IEC 14908.1

• OpenADR – Open Automated Demand Response; protocol to manage electricity consuming/controlling devices

• Optomux – Serial (RS-422/485) network protocol originally developed by Opto 22 in 1982. The protocol was openly documented and over time used for industrial automation applications.

• PieP – An Open Fieldbus Protocol

• Profibus – by PROFIBUS International.

• PROFINET IO

• RAPIEnet – Real-time Automation Protocols for Industrial Ethernet

• Honeywell SDS – Smart Distributed System – Originally developed by Honeywell. Currently supported by Holjeron.

• SERCOS III, Ethernet-based version of SERCOS real-time interface standard

• SERCOS interface, Open Protocol for hard real-time control of motion and I/O

• GE SRTP – GE Fanuc PLCs

• Sinec H1 – Siemens

• SynqNet – Danaher

• TTEthernet – TTTech

• MPI – Multi Point Interface

It is impossible to stop all attacks, so it is a must to implement i) proper prevention and user education and awareness, ii) a multi-level security system and iii) an incident response and disaster recovery capability for when the attack succeeds

The detection must be based on behavior analysis and AI, rather than known patterns or signatures, and shall attempt to detect any type of misuse that falls out of normal system operation

Behavior analysis allows detection of new threats

Machine-Learning algorithms, to automatically identify anomalies

Device Profiling, to immediately detect changes in behavior

Forensics: analysis of root cause and activation of the incident response

Awareness, user training and security policies
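
The device profiling and behavior-based detection named on these two slides can be illustrated with a minimal sketch, added here as an example that is not part of the original presentation. It learns, per device, which hosts and Modbus function codes are normal and flags anything outside that profile; the record format, host names and the `rate_factor` threshold are assumptions.

```python
from collections import defaultdict

# Constructed records: (minute, source_host, device, modbus_function_code).
# Function codes: 3 = Read Holding Registers, 4 = Read Input Registers,
# 16 = Write Multiple Registers. Host and device names are hypothetical.
BASELINE = [(m, "hmi-1", "plc-a", fc) for m in range(60) for fc in (3, 4)]
BASELINE += [(m, "historian", "plc-a", 3) for m in range(0, 60, 5)]
LIVE = [
    (60, "hmi-1", "plc-a", 3),      # normal read
    (60, "hmi-1", "plc-a", 16),     # write, never seen during learning
    (61, "laptop-7", "plc-a", 3),   # host that never talked to this PLC
] + [(62, "hmi-1", "plc-a", 4)] * 40  # burst far above the learned rate


def build_profiles(records):
    """Learn per device: normal peers, function codes and peak requests/minute."""
    peers, codes = defaultdict(set), defaultdict(set)
    per_min = defaultdict(lambda: defaultdict(int))
    for minute, src, dev, fc in records:
        peers[dev].add(src)
        codes[dev].add(fc)
        per_min[dev][minute] += 1
    return {dev: {"peers": peers[dev], "codes": codes[dev],
                  "max_rate": max(per_min[dev].values())} for dev in peers}


def detect(profiles, records, rate_factor=3):
    """Return (minute, device, reason, detail) for traffic outside the profile."""
    alerts, counts = [], defaultdict(int)
    for minute, src, dev, fc in records:
        prof = profiles.get(dev)
        if prof is None:
            alerts.append((minute, dev, "unprofiled_device", src))
            continue
        if src not in prof["peers"]:
            alerts.append((minute, dev, "new_peer", src))
        if fc not in prof["codes"]:
            alerts.append((minute, dev, "new_function_code", fc))
        counts[dev, minute] += 1
        # Alert once, when the minute's count first exceeds the threshold.
        if counts[dev, minute] == rate_factor * prof["max_rate"] + 1:
            alerts.append((minute, dev, "rate_spike", counts[dev, minute]))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_profiles(BASELINE), LIVE):
        print(alert)
```

No signature is involved: the write request and the new host are flagged only because they were absent from the learned baseline, which is also why the learning window must be clean and long enough to cover normal operation.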

Hackers are constantly busy finding new vulnerabilities and developing new methods of attack

The TTD (time to detection) is an important metric to measure the progress of detection

In order to analyze the enormous amount of data in the shortest time possible it is essential to make use of advanced automated tools

Conclusions: the rapid evolution of cyber threats and the complexity of next generation digital networks require a multi-level approach to security: companies have to improve user awareness, implement security policies and disaster response plans, employ expert SOC cyber analysts and provide them with advanced detection tools

(*) References:

• WEF The Global Risks Report 2018

• Cisco 2017 Annual Report on Cybersecurity

• Clusit Report 2018 on ICT security in Italy

• 2017 Ponemon Cost of Cybercrime Study report

• www.ReportsMonitor.com

• www.Ncsc.gov.uk

• https://en.wikipedia.org/wiki/List_of_automation_protocols