Enforcing Privacy for Critical Infrastructures

EUROPEAN COMMISSION

By Nils Ulltveit-Moe, University of Agder, Norway

Sophia Antipolis, France, 17. January 2013



Project Objective: PRECYSE Methodology

[Diagram: PRECYSE methodology. Labels: ISO2700x security management standard; other standards and best practices (NIST, ISA99 etc.); legal, ethical, privacy and policy issues (WP8); overarching requirements; methodology; metrics; security; Verinice ISMS tool; Magerit risk assessment; checklists; benchmarking; relationships; architecture; vulnerability assessment; assets; controls; gap analysis; privacy metrics; privacy enforcement; trust, resilience, privacy; PRECYSE tools; test system; real production system; reports; check results; architecture improvements; protect against attack; prevent attacks.]

Recent Threats on Critical Information Infrastructures

Objective

• Information leakage control is needed to:
  • Protect sensitive information, avoid eavesdropping;
  • Detect and restrict unintended flows of sensitive data;
  • Support sharing of:
    − best practices,
    − attack information;
  • Support outsourced Managed Security Services;
• Privacy metrics also aid in detecting some attacks.

Information Sharing?

• Beneficial to share attack and vulnerability information:
  • Increases security;
  • Outsourcing gives networking effect:
    − Examples: IDS services, anti-spam, anti-virus, operating system patches etc.
  • Peer-to-peer collaboration between CERTs.
• But... How much information are you willing to share with these semi-trusted parties?

Inhibitors for Information Sharing

• Information sharing is beneficial, especially sharing information about cyber attacks.
• However, there are some inhibitors against this (ENISA 2010):
  • Often a culture against sharing (suspiciousness);
  • Lack of awareness on how to protect sensitive information;
  • Lack of technical solutions and standards to efficiently enforce protection of sensitive information.

Sources of Information Leakages

• Accidental leakage of sensitive information:
  • Through data queries, error messages or sent data (e.g. IDS alarms);
  • Insiders mistakenly sending sensitive information;
  • Email on mobile devices.
• Deliberate information leakages:
  • Industrial espionage or attacks by insiders;
  • External attacks supporting cyber-espionage.

PRECYSE Framework and Methodology

• Intentions: develop an open methodology and framework.
• Open Source reference implementation.
• Structured approach for increasing the cyber-security of critical infrastructures and mobile systems.
• Focus on detecting gaps in privacy, security, resilience and trust.
• Support risk analysis.
• Support risk mitigation/control selection.

Improvement Process

• Objective: reduce the leakage (or exposure) of private or confidential information:
  • Need-to-know principle.
• Based on a gap analysis:
  • Measure information leakages;
  • Requires privacy metrics, indicators and checklists.
• Supports the well-known Plan Do Check Act (PDCA) model of improvement.

Improvement Process: Plan Do Check Act

• Plan information protection scheme:
  • anonymisation policy, encryption, access control, measurements etc.
• Enforce (Do) a privacy policy.
• Check that the policy works as intended:
  • Trigger actions if privacy leakages exceed threshold;
  • Verify that protection scheme is operative;
  • Verify information opacity (transparent/mixed/encrypted).
• Act - perform corrective actions:
  • Improve IDS rules and events to be less privacy invasive;
  • Improve privacy controls/privacy enforcement;
  • Improve measurements, indicators, checks or processes.

Privacy Metrics and Indicators

• Used for enforcement:
  • Planning anonymisation;
  • Verifying anonymisation (over time);
  • Trigger reevaluation of policy;
  • Indicate fault conditions (faulty configurations, unexpected traffic etc.);
  • Detect attacks:
    − Abuse, theft of sensitive information, concealing attacks etc.
• Risk analysis and management:
  • Quantify the risk of leaking private or confidential information from critical infrastructures;

Privacy metric: Information Entropy

• Shannon Entropy (Claude Shannon, 1948)

$$H_1(X) = \sum_{x \in \text{Symbols}} P[X = x] \log \frac{1}{P[X = x]}$$

• Useful to detect anomalies in information being transmitted.
  • Unintended information leakages
  • Anomalous information or services
  • Particularly useful for DoS attacks
    − Measures information dispersion
  • Attacks on encrypted protocols (SSH, SSL etc)
  • Other attacks

SID 1:1437 Windows Multimedia Download

[Figure with the annotations "Start of gzip compressed stream", "Inside gzip stream" and "Anonymised data".]
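An added example, not part of the original presentation: the Shannon entropy metric applied per window to a payload, used to check information opacity (transparent/mixed/encrypted) and to locate where a compressed stream begins. The window size, the two thresholds, the function names and the sample HTTP response are assumptions made for this illustration.

```python
import gzip
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """H(X) = sum over byte values x of P[X=x] * log2(1 / P[X=x]), in bits per byte."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def classify(h: float, low: float = 6.0, high: float = 6.8) -> str:
    """Opacity class of one window. Thresholds are assumptions tuned for
    256-byte windows (random bytes measure about 7.2 there, not 8.0)."""
    if h < low:
        return "transparent"
    return "encrypted" if h >= high else "mixed"

def profile(payload: bytes, window: int = 256):
    """(offset, entropy, class) for each full, non-overlapping window."""
    out = []
    for off in range(0, len(payload) - window + 1, window):
        h = shannon_entropy(payload[off:off + window])
        out.append((off, round(h, 2), classify(h)))
    return out

def first_opaque_offset(payload: bytes, window: int = 256):
    """Offset of the first window that looks compressed or encrypted, else None."""
    return next((off for off, _, cls in profile(payload, window) if cls == "encrypted"), None)

# Constructed sample: a cleartext HTTP header followed by a gzip-compressed body.
HEADER = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Thu, 17 Jan 2013 09:00:00 GMT\r\n"
          b"Server: example-media-server\r\n"
          b"Content-Type: video/x-ms-wmv\r\n"
          b"Content-Encoding: gzip\r\n"
          b"Cache-Control: no-cache, no-store, must-revalidate\r\n"
          b"Set-Cookie: session=constructed-sample-value; Path=/; HttpOnly\r\n"
          b"Connection: keep-alive\r\n\r\n")
BODY = "".join(hashlib.sha256(str(i).encode()).hexdigest() for i in range(200)).encode()
PAYLOAD = HEADER + gzip.compress(BODY)

if __name__ == "__main__":
    for off, h, cls in profile(PAYLOAD):
        print(f"{off:6d}  {h:4.2f}  {cls}")
    print("opaque data starts near offset", first_opaque_offset(PAYLOAD))
```

A window that straddles the header and the compressed body can land in either the "mixed" or the "encrypted" class, so the reported offset is accurate to one window.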

Privacy enforcement control

[Diagram labels: IDS (three instances); Proxy/anonymiser; Higher order IDS (correlation); Alarm db; Trusted higher order IDS/SIEM; deanonymiser; SOC Frontend.]

• Anonymise individual elements and attributes of IDS alarms
• XACML-based authorisation, decision cache
• Multi-level security and deanonymisation
• Compatible with the IDMEF IDS alarm format.
• Can be used with existing SIEM solutions.
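An added example, not the PRECYSE implementation: element-level anonymisation of an IDMEF alarm with keyed pseudonyms, plus level-gated deanonymisation on the trusted side. The policy dictionary is a hypothetical stand-in for the XACML decision, and the alarm, key handling, vault and function names are assumptions for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}          # IDMEF namespace (RFC 4765)
ET.register_namespace("idmef", NS["idmef"])

# Constructed, trimmed IDMEF-style alarm; not taken from the presentation.
ALERT = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
 <idmef:Alert messageid="constructed-1">
  <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
   <idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node></idmef:Source>
  <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
   <idmef:address>198.51.100.7</idmef:address></idmef:Address></idmef:Node></idmef:Target>
  <idmef:Classification text="Windows Multimedia Download"/>
  <idmef:AdditionalData type="string" meaning="payload">
   <idmef:string>GET /clip.wmv?user=alice</idmef:string></idmef:AdditionalData>
 </idmef:Alert>
</idmef:IDMEF-Message>"""

# Hypothetical policy standing in for the XACML decision: element path ->
# clearance level required to see the original value.
POLICY = {
    ".//idmef:Source/idmef:Node/idmef:Address/idmef:address": 1,
    ".//idmef:AdditionalData[@meaning='payload']/idmef:string": 2,
}

def anonymise(xml_text: str, key: bytes, vault: dict) -> str:
    """Replace policy-selected element values with keyed pseudonyms; the vault,
    held by the trusted side, keeps (level, original) for later reversal."""
    root = ET.fromstring(xml_text)
    for path, level in POLICY.items():
        for el in root.findall(path, NS):
            tag = hmac.new(key, el.text.encode(), hashlib.sha256).hexdigest()[:16]
            vault["anon:" + tag] = (level, el.text)
            el.text = "anon:" + tag
    return ET.tostring(root, encoding="unicode")

def deanonymise(xml_text: str, vault: dict, clearance: int) -> str:
    """Restore only the values whose required level the clearance covers."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        level, original = vault.get(el.text or "", (None, None))
        if level is not None and clearance >= level:
            el.text = original
    return ET.tostring(root, encoding="unicode")
```

Because the pseudonym is a keyed hash of the value, the same source address maps to the same token in every alarm, so a higher-order IDS can still correlate alarms without seeing the address.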

Thank you!

This presentation has been partially supported by the project «PRECYSE – Protection, prevention and reaction to cyber-attacks to critical infrastructures», funded by the European Commission under the FP7 programme with contract number FP7-SEC-2012-1-285181 http://www.precyse.eu