Moving from cyber-security towards cyber-resilience in aviation. Patrick MANA, EATM-CERT Manager, EUROCONTROL (Supporting European Aviation).


  • Supporting European Aviation

    Moving from cyber-security towards cyber-resilience in aviation

    Patrick MANA, EATM-CERT Manager

  • No, not this kind of ATM

    In this presentation ATM stands for Air Traffic Management, EUROCONTROL's business.

  • EUROCONTROL: Supporting European Aviation

  • EUROCONTROL HISTORY

    Timeline: 1960s, 1980s, 1990s, 2000s, 2010s

    41 Member States & the European Union

    2 ‘Comprehensive Agreement’ States: Morocco & Israel

    “The designations employed and the presentation of the material on maps in this presentation do not imply the expression of any opinion whatsoever on the part of EUROCONTROL concerning the legal status of any country, territory, city or area or of its authorities, or concerning the delimitation of its frontiers or boundaries.”

  • Building the Single European Sky!

    Provide air traffic services in the upper airspace of Benelux & north-west Germany

    Manage the pan-European network

    R&D -> Deployment

    Collect route charges

  • Complexity of Securing the Aviation Ecosystem

  • Evolution of ATM – towards digitalization

  • State-sponsored / Geo-political

  • Cyber-crime … it’s an industry

  • Cyber-crime e.g. ransomware

    Bristol, but also Atlanta, Cleveland, Albany, …

  • Hacktivism more and more, e.g. environmentalists

  • Regional sectorial (ATM) CERT: combine cyber and domain expertise

    (Diagram.) EATM-CERT sits at the centre of the ATM community and exchanges information in both directions:

    - ATM stakeholders and their SOCs, ATM manufacturers and the EUROCONTROL SOCs send logs, alerts and incidents to EATM-CERT and receive alerts, recommendations, intelligence and services back.

    - Significant incidents and intelligence are exchanged with national CERTs, thematic CERTs, CERT-EU, ENISA, EUROPOL, NATO/EDA, EASA ECCSA, EACCC, the EA-ISAC and A-ISAC, commercial cyber intelligence providers, and ATM CI providers / ATM CERTs in the US and other regions.

  • EATM-CERT and European National CERTs

    (Diagram.) Each national CERT (State A, B, C, D, E … X) covers every sector of its own country: energy, ATM, healthcare, finance, … A pan-European sectorial CERT cuts across the states for a single sector; for ATM that sectorial CERT is EATM-CERT.

  • EATM-CERT: catalogue of services

    Security Assessment

    Alerts & Warnings

    Incident Response

    Cyber Threat Intelligence

  • EATM-CERT services

    1. Penetration tests (EUROCONTROL services & products + aviation stakeholders)
    2. Bank transfer scams via e-mail
    3. Credential leak detection
    4. Sensitive document leak detection
    5. Cyber Threat Intelligence (CTI) and feeds for aviation
    6. Quarterly cyber threat landscape report for senior management
    7. Support to incident response / artefact analysis
    8. TLP:WHITE CTI tools – raising awareness (cyber events map, Twitter, …)
    9. Vulnerability scanning of aviation stakeholders
    10. Vulnerability watch
    11. Training exercises (table-top & technical)

  • IMPLEMENTING/OPERATING A SOC

  • EUROCONTROL material for stakeholders

    SOC Call For Tenders material

    ATM Security Operations Center

  • PENTEST ON AVIATION SYSTEMS

  • Security Assessment Results (penetration tests)

  • Risk levels definition

    Risk Level = Impact x Likelihood (rows: impact; columns: likelihood). “Trivial” here is the same band as “Insignificant” on the impact-explanation slide; the “Information” level used in the results is outside the matrix.

    Impact    | Very unlikely | Unlikely | Moderate | Likely   | Very likely
    Trivial   | Low           | Low      | Low      | Medium   | Medium
    Minor     | Low           | Low      | Medium   | Medium   | High
    Moderate  | Low           | Medium   | High     | High     | High
    Major     | Medium        | High     | High     | Critical | Critical
    Serious   | High          | High     | Critical | Critical | Critical

  • Likelihood Explanation

    Very unlikely: the vulnerability is very unlikely to be exploited because many authentication and authorization mechanisms are in the way, i.e. attackers have to pass many defence-in-depth mechanisms. Local access with single- or multi-factor authentication is an example of this kind of defence in depth. The threat actors may be insiders, or advanced attackers and threat groups who bypass physical security protections and get onto the network by stealing credentials.

    Unlikely: the vulnerability is unlikely to be exploited because only a few authentication and authorization mechanisms exist, i.e. attackers have to pass a few protection mechanisms. Local access without single- or multi-factor authentication is an example. The threat actors may be insiders and/or attackers and threat groups who bypass physical security protections and directly access the network, or easily bypass network access protections.

    Moderate: the vulnerability is moderately likely to be exploited: many authentication and authorization mechanisms exist, but the vulnerability can be exploited from the Internet and not only from inside. Attackers have to pass many defence-in-depth mechanisms such as multi-factor authentication, Internet access with strong authentication (certificates and/or multi-factor authentication) and IP access restrictions. The threat actors may be targeted advanced attackers and threat groups.

    Likely: the vulnerability is likely to be exploited: only a few authentication and authorization mechanisms exist and the vulnerability can be exploited from the Internet and not only from inside. Attackers have to pass only a few defence-in-depth mechanisms, e.g. weak authentication, Internet access with username/password authentication, or IP access restrictions. The threat actors may be novice attackers and untargeted threat groups in addition to advanced attackers and targeted groups.

    Very likely: the vulnerability is very likely to be exploited because it can be easily exploited from the Internet and not only from inside. Attackers can attack the systems directly without bypassing any defence-in-depth mechanism. The threat actors may be script kiddies in addition to novice and advanced attackers and threat groups.

  • Impact Explanation

    Insignificant (“Trivial” in the matrix)
    Operations: insignificant impact; operational/safety services can be provided as usual.
    Finance: impact can be managed within the business unit/branch/section budget.
    Service Delivery: negligible effect on the ability to provide a business service.
    Reputation: isolated complaints from individual stakeholders.

    Minor
    Operations: some operational/safety services are degraded.
    Finance: response requires delegated approval.
    Service Delivery: the ability to provide a business service is impaired.
    Reputation: complaints from a key stakeholder about the organization's/company's services and activities.

    Moderate
    Operations: some operational/safety services can no longer be provided.
    Finance: response requires upper management approval.
    Service Delivery: the ability to provide a business service is severely compromised.
    Reputation: the organization's/company's services and activities are called into question by a key stakeholder.

    Major
    Operations: a majority of operational/safety services cannot be provided for a significant time.
    Finance: response requires board approval.
    Service Delivery: short-term inability to provide a critical business service.
    Reputation: the majority of stakeholders doubt the capability to provide functions/services.

    Serious
    Operations: all operational/safety services cannot be provided for a sustained time-frame.
    Finance: response requires government support.
    Service Delivery: sustained inability to provide a service.
    Reputation: cannot be repaired with stakeholders; the organization/company may not continue in its current form.

  • Risk Level Example

    Critical: vulnerabilities in this category cause a serious impact on the operational ATM environment from the Internet.
    Ex. Shutting down air traffic control systems from a web portal.

    High: vulnerabilities in this category can cause a partial impact on the operational ATM environment.
    Ex. Degrading ATC systems by inserting fake flight plan information through a web portal that requires strong authentication.

    Medium: vulnerabilities in this category can cause a serious impact on ATM supporting systems from the Internet, or a partial impact on ATM systems from the local ATM environment.
    Ex. Shutting down the monitoring systems of the ATC environment from a web portal.

    Low: vulnerabilities in this category have a limited impact on ATM supporting systems or non-ATM related systems.
    Ex. Vulnerabilities in the corporate e-mail infrastructure exploitable from the local network.

    Information: gaining limited information about the configuration is classified as informational (level 1). A vulnerability in this category gives the attacker some basic information about the system.
    Ex. Software version leaked by web server headers.

  • CYBER THREAT INTELLIGENCE & INNOVATIVE CYBER-SECURITY SERVICES

  • Quarterly cyber threat landscape report / TLP:WHITE CTI tools – raising awareness

  • Credentials (leak detection)

    (Charts.) Number of monitored domains per quarter, 2018 Q3 to 2019 Q4 (values shown on the chart: 20, 73, 89, 96, 87), for 58 constituents.

    Number of leaked credentials found per quarter:
    2018 Q3: 37,302
    2018 Q4: 68,087
    2019 Q1: 113,147
    2019 Q2: 132,176
    2019 Q3: 132,558
    2019 Q4: 152,455

    The sample entries shown on the slide include masked passwords and the trivial password “123456”.
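To show what the credential-leak detection behind this chart has to get right, here is an added Python example (not EATM-CERT's tooling) that matches records from a leaked dump against monitored constituent domains, counts hits per quarter the way the chart does, and flags accounts whose leaked password is as weak as the “123456” visible on the slide. The constituent domains, the dump records and their dates are constructed for this example.

```python
"""Credential-leak monitoring: match leaked "email:password" records against
the domains of monitored constituents, count hits per quarter and flag
accounts whose leaked password is trivially weak.

Added example, not EATM-CERT's tooling. The constituent domains, the dump
records and the dates below are constructed.
"""
from collections import Counter
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed: domains of two fictional constituents under monitoring.
MONITORED_DOMAINS = {"example-ansp.eu", "example-airline.com"}

# A handful of passwords that appear in every leak; a real deployment would
# check against a full breached-password list.
WEAK_PASSWORDS = {"123456", "12345678", "password", "qwerty", "111111"}

# Constructed dump: (date the dump was observed, "email:password" record).
LEAKED_RECORDS = [
    (date(2018, 9, 3), "ops.user@example-ansp.eu:123456"),
    (date(2018, 11, 20), "J.Doe@mail.example-ansp.eu:Summer2018!"),
    (date(2019, 2, 14), "crew@example-airline.com:password"),
    (date(2019, 2, 15), "someone@notexample-ansp.eu:hunter2"),       # suffix trap: must not match
    (date(2019, 5, 1), "admin@example-ansp.eu.attacker.net:x:y"),    # prefix trap: must not match
    (date(2019, 8, 9), "it@example-airline.com:Tr0ub4dor&3"),
]


def monitored_domain_for(email: str) -> Optional[str]:
    """Return the monitored domain owning this address, or None.

    Matches the exact domain or any subdomain of it (mail.example-ansp.eu)
    but neither 'notexample-ansp.eu' nor 'example-ansp.eu.attacker.net';
    a naive substring test would report both of those as hits."""
    host = email.rpartition("@")[2].lower().rstrip(".")
    for dom in MONITORED_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def quarter(d: date) -> str:
    return f"{d.year} Q{(d.month - 1) // 3 + 1}"


def analyse(records: Iterable[Tuple[date, str]]) -> Dict[str, object]:
    """Per-quarter hit counts, per-domain (hits, weak-password hits) and the
    accounts that need a forced password reset."""
    per_quarter: Counter = Counter()
    per_domain: Dict[str, List[int]] = {}
    reset_required: List[str] = []
    for seen, record in records:
        # Split at the first ':' only: an address contains no ':' before the
        # domain, but a password may contain one.
        email, _, password = record.partition(":")
        dom = monitored_domain_for(email)
        if dom is None:
            continue
        per_quarter[quarter(seen)] += 1
        counts = per_domain.setdefault(dom, [0, 0])
        counts[0] += 1
        if password.lower() in WEAK_PASSWORDS:
            counts[1] += 1
            reset_required.append(email.lower())
    return {
        "per_quarter": dict(sorted(per_quarter.items())),
        "per_domain": {d: tuple(c) for d, c in per_domain.items()},
        "reset_required": reset_required,
    }


if __name__ == "__main__":
    result = analyse(LEAKED_RECORDS)
    for q, n in result["per_quarter"].items():
        print(f"{q}: {n} leaked credential(s)")
    print("force password reset:", result["reset_required"])
```

The two trap records are the point: domain matching must be done on label boundaries, otherwise a monitor reports leaks that belong to somebody else and, worse, silently trusts a hostile suffix.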

  • Sharing cyber-information: MISP

    (Chart.) Growth of the EATM-CERT MISP sharing community by quarter, 2018 Q2 to 2019 Q4; member categories include national CERTs (e.g. Israel), manufacturers and international organizations. Members named on the slide: Lufthansa, ECCSA, Airport Schiphol, THALES, AIRBUS, Turkish Airlines, IATA.

  • MISP – Integration with SIEM

  • Document leaks

  • Fraudulent websites impersonating airlines (December 19)

    https://c.golddiggergames.be/9661/61283 – Ryanair
    http://www.com-cana.com/?Anniversary-dUMwH – Qantas Airlines
    http://www.singạporeair.com/free-tickets/ – Singapore Airlines (the “ạ” is U+1EA1, Latin small a with dot below, a homoglyph of “a”; percent-encoded the host reads sing%E1%BA%A1poreair.com)
    http://www.easyonefly.com – easyJet
    http://www.aa.com-flightus.com – American Airlines (the registrable domain is com-flightus.com; “aa.com” is only a subdomain label)

  • Email Fraud

  • Email Fraud Attack surface

    Look-alike domains of eurocontrol.int observed; 20 domain names suspended upon EATM-CERT request, another 3 suspensions requested:

    eurocontrolint.net, eurcontrol.int, eurocontrol.int.net, euro-control-int.com, euro-control.eu, eurocontrolintl.int, eurocontrolintl.com, eurocontrolt.net, eurocontrolintl.net, eurocontroll.int, eurocontrol-intl.net, euro-control-int.org, eurcontrolint.net, eurocontrolin.int, eurocontrolint.eu.com, eurocontrotint.net, eurocontrolinc.com, euro-control-int.net, euro-controlint.net, eurocontroladmin.net, eu-control.info, eurocontrols.org, eurocontrolx.net, eurocontroladmincentre.net, eurocontrolcrco4.com, eurocontrolintl.in, euro-control.net, eurocontolint.net, eurocontrolunits.net, euro-control.org, eurocontroint.net, eurocontrol.com, eurocontrolint.in, eurocontroint.in, eurocontrols.net, eurocontrolints.net, eurocontroladmin.in, eurocontrolaudits.net, eurocontrolaudit.net, mail-eurocontrol.com, int-eurocontrol.com, eurocontrolunit.net

  • Domain closure status

    Domain name            Status     Attempts count
    eurcontrolint.net      Suspended  50
    eurocontroladmin.net   Suspended  29
    euro-control-int.org   Suspended  13
    euro-control.net       Suspended  8
    eurocontolint.net      Suspended  5
    euro-control.org       Suspended  3
    euro-controlinc.com    Suspended  2
    eurocontrotint.net     Suspended  2
    eurocontroint.net      Suspended  1
    eurocontrolints.net    Suspended  1

  • 2 - Fraudulent e-mails
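The domains above, together with the singạporeair homoglyph from the fraudulent-website slide, are what a look-alike-domain monitor has to catch before the fraudulent e-mails go out. The following Python is an added example (not EATM-CERT's tooling) that scores candidate domains against a protected brand using accent stripping, digit-confusable folding, hyphen removal and a windowed edit distance. The edit-distance threshold, the small confusables table and the label-by-label scan are assumptions made here (a production tool would add the Unicode confusables table and the Public Suffix List); the candidate list is a subset of the slide's.

```python
"""Look-alike domain detection for a protected brand: typos, inserted hyphens,
appended words and homoglyphs, the kinds of domain listed on the slides.

Added example, not EATM-CERT's tooling. Threshold, confusables table and the
per-label scan are assumptions; the candidate domains come from the slides.
"""
import unicodedata
from typing import Dict, Iterable, Optional, Set

BRAND = "eurocontrol"
LEGITIMATE = {"eurocontrol.int"}

# Digits commonly used as letter stand-ins (assumption: a real tool uses the
# full Unicode confusables.txt).
DIGIT_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Subset of the attack-surface list on the slide.
SLIDE_DOMAINS = [
    "eurocontrolint.net", "eurcontrol.int", "eurocontrol.int.net", "euro-control-int.com",
    "eurocontroll.int", "eurcontrolint.net", "eurocontrotint.net", "eu-control.info",
    "eurocontrol.com", "mail-eurocontrol.com", "eurocontolint.net",
    "eurocontroladmincentre.net", "eurocontrolcrco4.com",
]


def skeleton(label: str) -> str:
    """ASCII skeleton of one label: lower-case, accents stripped (so the slide's
    'sing\u1ea1poreair' becomes 'singaporeair'), digit look-alikes folded,
    hyphens removed."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(DIGIT_CONFUSABLES).replace("-", "")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_contains(text: str, brand: str, max_dist: int) -> bool:
    """True if some window of `text` is within `max_dist` edits of `brand`;
    catches a typo buried inside a longer label ('eurcontrolint')."""
    n = len(brand)
    for width in (n - 1, n, n + 1):
        for i in range(max(1, len(text) - width + 1)):
            if levenshtein(text[i:i + width], brand) <= max_dist:
                return True
    return False


def lookalike_reason(domain: str, brand: str = BRAND,
                     legitimate: Set[str] = LEGITIMATE) -> Optional[str]:
    """Why `domain` looks like `brand`, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in legitimate:
        return None
    max_dist = max(1, len(brand) // 5)   # assumption: 2 edits for an 11-letter brand
    for label in domain.split(".")[:-1]:  # every label except the TLD
        sk = skeleton(label)
        if sk == brand:
            # eurocontrol.com, eurocontrol.int.net  /  euro-control.eu, sing\u1ea1poreair.com
            return "brand label outside the legitimate domain" if label == brand else "homoglyph/hyphenation"
        if brand in sk:
            return "brand embedded"        # eurocontrolint, mail-eurocontrol, eurocontroladmin
        if fuzzy_contains(sk, brand, max_dist):
            return "typo"                  # eurcontrol, eurocontol, eu-control
    return None


def triage(domains: Iterable[str], brand: str = BRAND) -> Dict[str, str]:
    """Map every suspicious domain to its reason; clean domains are left out."""
    found: Dict[str, str] = {}
    for d in domains:
        reason = lookalike_reason(d, brand)
        if reason is not None:
            found[d] = reason
    return found


if __name__ == "__main__":
    for d, why in triage(SLIDE_DOMAINS).items():
        print(f"{d:30} {why}")
```

Feed this with newly registered domains (certificate-transparency logs or zone-file diffs are the usual sources) rather than with the full zone; the edit-distance threshold scales with brand length, and for very short brands the fuzzy step should be disabled or it will flag everything.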

  • USE OF MITRE ATT&CK

    • Framework based on observed adversary behaviour
    • Common language
    • Answers InfoSec questions
    • Deals with strategy, tactics and operations
    • Improves detection coverage
    • Setting priorities
    • Emulating adversaries

    Reference: MITRE ATT&CK CTI Training Slides

  • All together … as we are as strong as the weakest link

  • Cybersecurity management framework

    Invest in Humans

    Adapt processes

    Apply a secure development lifecycle

    Build a Trust Framework

  • Cybersecurity and Resilience Symposium, Amman, Jordan, 15-17 October 2019

    Investing in Humans

    CEO & Senior Management Staff

  • Adapting processes

  • Applying a secure development lifecycle

    (Slide listing building systems: BMS, HVAC, power supply.)

  • Building a Trust Framework

    Cyber Strategy & Action Plan

    Secure exchange of information

    Regulatory framework (ESCP): Regulations, AMC (Acceptable Means of Compliance), Guidance, Standards

  • Sharing cyber information

    Industry

    TLP:WHITE & GREEN

    Researchers – vulnerability disclosure

    Media management

    Services of common interest

  • Use proven standards: ISO 27K, NIST 800 series

  • TRAINING, EXERCISES

  • Crisis management exercise: Room42 (three slides)

  • IANS Trainings

    • EUROCONTROL has training facilities in Luxembourg (IANS)

    • We are planning to expand the cyber-security trainings with more technical ones

  • EUROCONTROL Capture The Flag

  • Being cyber secure is an illusion … let’s become cyber resilient all together, as we are as strong as the weakest link.

    Cyber resilience will not make you 100% cyber-proof, but it will keep your business running!

    AND YOU CAN’T DO IT ALONE … so let’s support the establishment of a cyber-resilience framework.

  • THANK YOU

    [email protected]
