Existing situation and proposed solutions to improve Cybersecurity in Ukraine


Slide 1

TAIEX Workshop on Advancing Cyber Security Capacity in Critical Infrastructure

Existing situation and proposed solutions to improve cybersecurity

24.01.17

Alexey Yankovski, ISACA Kyiv Chapter

Slide 2

Agenda

• Briefly about ISACA
• Cybersecurity – analysis of existing situation in Ukraine
• Proposed solution
  - Standards
  - Governance model
  - Education
  - PPP
  - International cooperation
• Proposed next steps

Slide 3

Briefly about ISACA

• International non-profit professional association
• Develops best practices, knowledge, education and professional certifications in the area of IT Governance, Information Security Management, Cybersecurity and IT Audit
• Kyiv chapter exists since 2008
• Run by volunteers
• Helps to drive the reforms in Ukraine
• Translates and publicizes international best practices
• Developed a version of a Draft Law of Ukraine on Cybersecurity Fundamentals – based on international standards
• When the wave of attacks happened in Ukraine – established and delivered to a number of state organizations a Cybersecurity training focused on Preparation, Containment and Eradication of a cyberattack

Exists since 1969
More than 200 chapters worldwide
More than 115,000 members in 180 countries

Slide 4

Cybersecurity – analysis of existing situation in Ukraine

• Reforms are under way
• Cyber strategy adopted last year
• Government Cyber Center has been created
• Technical solutions are being implemented
• Massive successful attacks on critical infrastructure and state bodies
• Limited skills in organizations to combat cyberattacks
• After attacks, organizations are typically left on their own for eradication, with limited or no guidelines
• No information sharing. State advisories are not published following the attacks
• Limited understanding of cybersecurity processes by state authorities and responsible agencies
• Technical solutions such as Monitoring system/SIEM/IPS implementations are viewed as a panacea, with limited attention dedicated to the preparation, containment and eradication phases

Slide 5

Cybersecurity – analysis of existing situation in Ukraine

Root causes – 1) Ineffective framework

• The Information Protection framework “KSZI” (based on ND TZI 2.5-004-99, an analogue of ISO-15408) is intended for evaluation of the security properties of an IT product rather than of an organization
• Not risk-based (uses threats and protection profiles)
• Lack of organizational measures and governance
• Static rather than dynamic – once the system and its controls are documented and attested, changes are not permitted => cannot be used for cybersecurity, where dynamic changes are needed during containment/eradication
• Not suitable for medium to large-scale architectures
• Ineffective compliance process – requires use of state-accredited auditors – historically a very corrupt process
• Significant resistance in Ukraine against international standards, in favor of “KSZI” – lobby by businesses delivering compliance. Employees trained under the old framework are reluctant to change too

Slide 6

Cybersecurity – analysis of existing situation in Ukraine

Root causes – 2) Ineffective governance model

• Lack of a law on cybersecurity – multiple versions exist. Strong lobby in favour of the ineffective “KSZI”
• Private business is concerned that “KSZI” and government-accredited auditors will be misused to put illegal pressure on business
• Responsibility of Ministers, Supervisory Boards/Management for cybersecurity of their critical infrastructure in respective industries and organizations is not defined
• No effective mechanisms for coordination at the operational level of cyber response among different state agencies. No centralized command for attack response
• No one is responsible for preparing and educating organizations, or for helping them with eradication after attacks
• No industry-based regulators and standards for cyber (except for the banking sector)
• No reliance on independent risk-based audit to verify security

Slide 7

Cybersecurity – analysis of existing situation in Ukraine

Root causes – 3) Ineffective educational system

• Educational system still focused on preparing students knowledgeable of “KSZI” rather than international standards
• International professional certifications are not recognized in Ukraine
• Lack of instructors with advanced and modern practical experience and international certifications
• In “Licensing requirements” for government IT security employees (mandated by DSTSZI):
  - there are no requirements for “cybersecurity” education, only for “technical information protection” and “cryptography”;
  - there are no requirements as to the level of quality of the cybersecurity training courses.
• There are no cybersecurity specializations in higher education (forensic investigator, network defender, auditor, recovery specialist, risk manager, etc.)

Slide 8

Cybersecurity – analysis of existing situation in Ukraine

Root causes – 4) Ineffective PPP

• No formal PPP programme
• Lack of dialog between businesses and state
• Limited information sharing
• Lack of guidance and support by the state
• State does not sufficiently involve volunteers and experts, and does not rely on third-party assurance for cybersecurity
• Business not sufficiently self-organized – no industry self-regulation, industry CERTs, ISACs

Slide 9

Cybersecurity – proposed solution

1) Implement international frameworks instead of KSZI

• ISO-27000 series and NIST Critical Infrastructure Protection Framework
• NIST Guide to Industrial Control Systems security
• Industry-based best practices – e.g. NERC CIP for Energy
• Original standards should be used rather than their translation/adoption, to ensure that Ukraine does not fall behind during the translation and adoption process

Slide 10

Use of NIST framework shall be mandatory for cyber incident preparation and response*

Phases: 1 Preparation; 2 Detection and analysis; 3 Containment; 4 Eradication; 5 Recovery

* Based on NIST Computer Security Incident Handling Guide

• Identify emergency organization and develop emergency response plan
• Identify critical assets
• Perform risk analysis and implement countermeasures
• Set up communication with authorities
• Implement incident monitoring process
• Select and implement event monitoring tools and intrusion detection systems
• Train responsible individuals to perform incident investigation, including reverse-engineering of hostile code and identification of command and control centers
• Set up information sharing with industry players
• Mobilize emergency response team
• Develop plan for containment of intruders and cleansing of the environment
• Search for samples of malware
• Improve protection of the most critical services and payment systems
• Perform emergency measures to improve security of Active Directory, external perimeter and internal network
• This may include completely disconnecting the organization from the Internet, limiting customer services, removing systems from the domain
• Implement additional operational non-IT-dependent controls (limits, reconciliations, additional approvals, statistical deviation monitoring, etc.)
• Return to normal operation
• Remove unnecessary additional operational controls
• Identify infected systems across the whole network based on malware sample analysis and reinstall them
• Clean up or install a new Active Directory domain, migrate to the new domain
• Clean up access rights, change passwords and reissue crypto keys
• Fine-tune the intrusion detection systems and monitoring tools
• Run intrusion diagnostics software on a regular basis
• Select and install additional security tools that need to be implemented

Slide 11

Cybersecurity – proposed solution

2) Implement effective governance model and compliance process

• Centralized command (rather than coordination) of the responsible state agencies for cyber response and eradication
• Analysis of malware samples and publishing of advisories and YARA rules to identify the intruders (information sharing)
• Education and training programme for preparation, identification, containment and eradication for critical infrastructure, for state and privately-owned CI – must be done immediately!
• Responsibilities of the Ministers, SBs and Management shall be defined
• CI owners shall be tasked to perform risk assessment, develop remediation plans and report to the responsible ministries
• Independent risk-based audits under international standards shall be mandated for the state-owned CI
• State accreditation of the audit firms shall be replaced with requirements to have staff certified under international standards for cybersecurity
• Law on cybersecurity fundamentals (based on international standards and independent audit) shall be passed by the Parliament. Law on Information Protection shall be changed

Slide 12

Example – Possible cybersecurity governance model for the energy sector

Participants in the diagram: Critical Infrastructure; Self-regulating organization for energy; Ministry of Energy; Independent auditors; State Cyber Center, Government CERT; ICS ISAC; Govt. ISAC of Ukraine; Industry ISAC; Foreign ISACs

Numbered flows in the diagram:

1 – State Cyber Center / Government CERT: consultations, advisories, support during containment and response, approval of industry standards and priority risks; consultations, advisories, malware samples, support during containment and eradication
2 – Ministry of Energy: development/approval of industry standards for cybersecurity
3 – Priority risks; priority risks, industry-specific standards and requirements
4 – Independent auditors: risk-based cybersecurity assessment
5 – Results of the risk assessment and remediation plan
6 – Reporting to the regulator
7 – Sharing of information about attacks and malware samples (ISACs)

Slide 13

Cybersecurity – proposed solution

3) Education

• Build educational programmes around internationally-accepted frameworks
• Formally recognize international professional certifications for cyber and information security and mandate them for responsible personnel (e.g. top managers responsible for cyber, security staff, etc.)
• Recognize international professional certifications for university instructors as part of the qualification process (in addition to publications and patents)

4) PPP

• Implement information sharing, install an information sharing platform
• Establish national dialogue by means of creation of a Cybersecurity Council including responsible state staff and industry representatives
• Government shall rely on independent audit firms and certified professionals to provide assurance for the critical infrastructure
• Industry self-regulation for cybersecurity – industrial regulators, CERTs, ISACs
• Government shall use the contributions of volunteers and consultants to deliver on its commitments – in particular to deliver training and incident response
• Ensure independent review by industry experts of the state decisions, budgets and solutions in the area of Cybersecurity and information protection

Slide 14

Cybersecurity – proposed solution

International cooperation

1) Since Ukraine is used as a playground by international hackers to test the tools and techniques to be used against the rest of the world, other countries should be interested in giving a hand to Ukraine to improve its cybersecurity, help with containment and eradication of the existing incidents, as well as provide the expertise and tools necessary to set up CERTs, ISACs, improve forensic capabilities, etc.

2) Information sharing of the malware samples should be established with Ukraine, in order for the rest of the world to be prepared for the attacks that international hacker groups tested on Ukrainian infrastructures

Slide 15

Cybersecurity – next steps

• State-wide Cybersecurity transformation programme should be established and centrally driven by an international team of experts
• Crisis management office shall be established for cybersecurity, until an effective governance model is implemented

Immediate steps should be:

• Analysis of malware samples and publishing of advisories and YARA rules to identify intrusions in other government-owned and private organizations throughout Ukraine
• Education and training programme for preparation, identification, containment and eradication for critical infrastructure, for state and privately-owned CI