cyber war - isticom.it
TRANSCRIPT
• Cyber attack on Estonia (27 April – 19 May 2007) – a DDoS attack blocked several governmental and finance web sites
• Before the Russian military initiative in Ossetia, Georgia's cyberspace was subject to a DDoS attack
• In summer 2009, two submarine cables were cut in the Mediterranean Sea
COM(2009) 149
China vs USA
In March 2010 a young Chinese researcher was pointed out to the US Congress as a dangerous enemy because he wrote a scientific paper on the vulnerability of the US electric grid to cyber attack
News on China vs USA
Chinese Army Unit Is Seen as Tied to Hacking Against U.S.
February 18, 2013
The Mandiant report stressed that a large part of the cyber attacks on US infrastructure were promoted or performed by Unit 61398 of the Chinese Army
US – 1996 - PCCIP
In 1996 the President’s Commission on Critical Infrastructure Protection (PCCIP) released the “Marsh Report”. This report for the first time used the term “Critical Infrastructure” (CI)
An infrastructure is "a network of independent, mostly private-owned, man-made systems that function collaboratively and synergically produce and distribute a continuous flow of essential goods and services".
A CI is "an infrastructure so vital that its incapacity or destruction would have a debilitating impact on our defense and national security".
US – 1998 – PDD63
The work of PCCIP resulted in the Presidential Decision Directive 63 that identified 8 critical sectors.
"Any interruption or manipulation of these critical functions must be brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States" [Bill Clinton, PDD-63, 1998]
US – 2003 - Strategy
For the first time a nation-wide strategy that considers the protection of Critical Infrastructures as a whole.
It consists of two complementary documents on physical and logical security (focus on anti-terrorism).
It identifies 11 critical sectors and 5 key assets.
It stresses the vulnerability induced by cyberspace and specifically the fragility of SCADA to cyber attack.
HSPD-7 (Homeland Security Presidential Directive #7)
US 2004-2006 (change of focus)
Signed by the heads of all US departments and agencies
It considers the protection of the 11 critical sectors and of key resources (CI/KR)
Build a safer … America by enhancing protection of the CI/KR to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy
Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses …. Attacks using components of CI/KR as weapons could have even more devastating physical and psychological consequences
US Strategy 2005-2006
[Diagram with the labels: Policy Inputs (Federal and Private Roles, Vision/Goals, Roles & Responsibilities, GAO Recommendations); Sector Roadmaps (Sector Needs, Coordination Strategies, Sector-Specific Plans); Drivers/Needs; Risk Reduction Products]
Risk Reduction Products – CSSP Products
• Control Systems Cyber Security Self Assessment Tool (http://csrp.inl.gov/Self-Assessment_Tool.html)
• Cyber Security Procurement Language for Control Systems (http://www.us-cert.gov/control_systems/pdf/SCADA_Procurement_DHS_Final_to_Issue_08-19-08.pdf)
• Catalog of Control System Security: Recommendations for Standards Developers (http://www.us-cert.gov/control_systems/pdf/Catalog_of_Control_Systems_Security_Recommendations.pdf)
• Securing Your SCADA and Industrial Control Systems Pocket Guide (http://bookstore.gpo.gov)
• US-CERT control systems related Vulnerability notices (http://www.us-cert.gov/control_systems/csdocument.html#vuls)
• Control systems recommended practices (http://csrp.inl.gov/)
• Control systems security awareness and mitigation training classes (http://www.us-cert.gov/control_systems/cstraining.html)
http://www.US-CERT.gov/control_systems
DOE multi-laboratory program designed to: support industry and government efforts to enhance control systems cyber security across the energy infrastructure
Key Program Areas
• Assess and mitigate energy control systems vulnerabilities
• Develop advanced secure control systems technologies
• Support development of standards and best practices
• Conduct outreach and awareness
INL
NIST
SNL
PNL
ANL
National SCADA Test Bed – Office of
Electricity Delivery and Energy Reliability
(DOE-OE)
The National SCADA Test Bed is a national capability to help secure SCADA communications and controls within the energy sector. It combines the expertise and resources of several national laboratories into a multi-lab partnership that helps to identify and correct critical security flaws in control systems and equipment. The NSTB offers the integrated expertise and resources of multiple national laboratories, including Idaho National Laboratory, Sandia National Laboratories, Argonne National Laboratory, Pacific Northwest National Laboratory, and Oak Ridge National Laboratory.
US National SCADA Test Bed Program (NSTB)
http://www.inl.gov/scada/
StuxNet
• "Stuxnet is a very big project, very well planned and very well funded." [Liam O'Murchu, Supervisor NAM Security Response, Symantec]
• Complex design and an uncommon skillset required
• Specific Siemens automation control technology expertise
• Cost estimate of 3 million $ [Frank Rieger, CTO, GSMK]
• It uses 4 different "0-day" attacks
• It carries a double digital signature, with certificates stolen from JMicron and Realtek
StuxNet
Source: Trend Micro 2010
It has a very sophisticated architecture and has been developed using several languages
It uses several mechanisms to propagate but …..
StuxNet
Country        Infected PCs
Iran           62,867
Indonesia      13,336
India           6,552
United States   2,913
Australia       2,436
Britain         1,038
Malaysia        1,013
Pakistan          993
Germany             5 [but no consequences]
Italy               ?
Stuxnet is a complex-design threat, targeting specific industrial control systems vulnerabilities.
Stuxnet, exploiting the vulnerability CVE-2010-2772 (Siemens SIMATIC WinCC Default Password Security Bypass), gains access to the WinCC SQL Server back-end database. This lets the attacker view the project database and the information held on the WinCC project server, modify configuration settings, and access or delete files to erase every trace of the attack.
WORM_STUXNET looks for the file S7OTBXDX.DLL, used by Siemens WinCC systems, in the Windows system folder; it renames the original file to S7OTBXSX.DLL and replaces it with its own file with modified functionality. These functions are used to access, read, write and delete code blocks on the PLC. On an infected system, when these functions are called, Stuxnet runs additional code before invoking the real functionality located in S7OTBXSX.DLL; in this way the data sent to or from the PLC is modified.
Specifically, if the PLC responds to a specific call with a specific string, it adds code to the code executed on the PLC.
StuxNet
The target of StuxNet may have been the centrifuges of the Natanz nuclear refinery. In 2009 the number of active centrifuges at Natanz decreased, but it is not clear whether this was due to StuxNet, nor whether this was StuxNet's expected result; in any case the attack delayed Iran's nuclear programme.
Possible target???
IRONGATE (2014-2015)
IRONGATE invokes ICS attack concepts first seen in Stuxnet: it operates against Siemens' PLC environment to perform a man-in-the-middle attack against process input/output (IO), but it works only inside the PLCSIM simulation environment.
The malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software. This malicious DLL records five seconds of 'normal' traffic from a PLC to the user interface and replays it, while sending different data back to the PLC.
It seems to be a test case, proof of concept, or research activity for ICS attack techniques.
27/03/2018 www.coseritylab.it 24
IRONGATE
Even if IRONGATE does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, it demonstrates new features.
• Sandbox evasion. Some droppers for the IRONGATE malware would not run if VMware or Cuckoo Sandbox environments were employed. The malware uses these techniques to avoid detection and resist analysis, and developing these anti-sandbox techniques indicates that the author wanted the code to resist casual analysis attempts.
• Active masking. IRONGATE actively records and plays back process data to hide manipulations, whereas Stuxnet did not attempt to hide its process manipulation but suspended normal operation of the update function on the S7-315 (the HMI shows static data).
Dragonfly/HAVEX
• The Dragonfly campaign was an espionage effort that targeted numerous industrial control system locations (estimates put it at over 2,000 sites), with a large emphasis on electric power and petrochemical asset owners. The Dragonfly campaign leveraged the HAVEX malware.
• The HAVEX malware leveraged legitimate functionality in the OPC protocol to map out the industrial equipment and devices on an ICS network.
• The Dragonfly campaign was focused entirely on espionage.
BLACKENERGY 2 malware
• The malware contained exploits for specific types of HMI applications, including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess.
• Its aim was to start learning the industrial process and gain the graphical representation of that ICS through the HMI.
Ukrainian black-out 2015
On December 23, 2015 100,000 people in and around the Ukrainian city of Ivano-Frankivsk were left without power for six hours. Power companies experienced unscheduled power outages. In addition, there have also been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors.
BLACKENERGY 3 malware
• They learned the operations and used the legitimate functionality of distribution management systems to disconnect substations from the grid
• It uses the KillDisk malware to wipe serial-to-Ethernet devices
One malware performed the attack, and a second malware delayed restoration
• ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).
• ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system. The malware is highly modular and not all functionality is deployed to all victims.
The greatest risk
«My biggest worry is not the information they can steal from me today …. but what they stole from me in past years»
[The Security Manager of a major Italian infrastructure]
Industroyer (ESET) or CRASHOVERRIDE (Dragos)
«external interference coming from the computer network» [Ukrenergo]
17 December 2016: a one-hour blackout that affected Ukrainian territory
• It does not exploit vulnerabilities or 0-days
• It leveraged the OPC protocol to help it map the environment and select its targets similar to HAVEX.
• It targeted the libraries and configuration files of HMIs to understand the environment further, and leveraged HMIs as BLACKENERGY 2 did
• It is a platform to conduct attacks against grid operations systems in various environments and not confined to work only on specific vendor platforms (even if it contains specific elements to attack and destroy ABB components)
TRITON
• It is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers
• During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process.
• TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented, suggesting the adversary independently reverse engineered this protocol
• FireEye supposes that the attacker inadvertently shut down operations while developing the ability to cause physical damage, for the following reasons
SIS (Safety Instrumented System)
Functional Safety: it is part of the overall safety that depends on a system or equipment operating correctly in response to its inputs
A safety instrumented system (SIS) consists of an engineered set of hardware and software controls that bring a process to a failsafe state, or maintain its safe operation, when unacceptable or dangerous conditions occur.
It implements Safety Instrumented Functions (SIFs). Each SIF achieves a Safety Integrity Level (SIL)
IEC 61511
Why an attack on a SIS
Attack Option 1: Use the SIS to shut down the process
• The attacker can reprogram the SIS logic to cause it to trip and shut down a process that is, in actuality, in a safe state. In other words, trigger a false positive.
Attack Option 2: Reprogram the SIS to allow an unsafe state
• The attacker can reprogram the SIS logic to allow unsafe conditions to persist. Increased risk that a hazardous situation will cause physical consequences (e.g. impact to equipment, product, environment and human safety).
Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard
• The attacker can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately, with potential impact to human safety, the environment, or damage to equipment, the extent of which depends on the physical constraints of the process and the plant design
ANSI/ISA-99 Standards
A zone is defined as a grouping of logical or physical assets that share common security requirements based on factors such as criticality and consequence
Defense in Depth
"If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere." [Carl von Clausewitz]
Basing a security design on hiding behind a single monolithic solution is called the Bastion Model and results in the possibility of a single point of failure.
Defense in depth is the coordinated use of multiple security countermeasures to protect an asset.
Intrusion Detection and Prevention Systems
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Some IDS have the ability to respond to detected intrusions, and they are typically referred to as intrusion prevention systems (IPS).
Anomaly-based Intrusion Detection System
The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created
Stealth Attack
An intelligent attacker can find attacks that do not trigger alarms (in fault detection or a Bad-Data Detector)
This attack is very ambiguous (it is syntactically and semantically correct)
…. Tomorrow IIOT
Human Factor
"Two things are infinite: the universe and human stupidity, but about the universe I still have doubts." Albert Einstein
Scenario overview
[Diagram: three interconnected infrastructures. Infrastructure 1: FACIES water management system (SCADA 1: FACIES, with a PLC, three groups of reservoir sensors, IDS ES, RP/FDS and an alerting system). Infrastructure 2: Dam (SCADA 2: Dam). Infrastructure 3: Cooling Towers (SCADA 3: Cooling Towers).]
Reservoir 2 provides water to residential area 2.
Reservoir 3 provides water to the industrial area and to the cooling towers.
Any attack on Infrastructure 2 threatens the water flow from Infrastructure 2, in terms of denial of water to the residential and industrial areas. Thus the three CIs are connected.
FACIES Architecture
[Diagram with the labels: Sensors, Pumps, Valves, PLC, SCADA (iFix), HMI, Switch, IDS Expert System, Fault Detection, Risk Predictor]
The Modbus Protocol
• De facto protocol for industrial applications
• Open, public, application layer messaging protocol
• Master/slave communication structure
[Diagram: Modbus TCP/IP ADU = MBAP Header (Transaction ID, Protocol ID, Length, Unit ID) + PDU (Function Code, Data); the Modbus packet is carried in the TCP packet, which is carried in the IP packet]
• Attacker modifies data field of Modbus packet
• Ettercap + etterfilter tools through ARP Poisoning
• Tampered sensor measurement on Operator interface
Experimental Results
[Plot: water level during cyber-attack – actual vs. operator interface, with the data modification marked]
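The data-field tampering described above and the anomaly-based detection discussed earlier, as an added example that is not from the original slides or the FACIES project: a Python parser for the Modbus TCP/IP ADU (MBAP header + PDU) and a rate-of-change plausibility rule applied to the water level reported to the operator interface. The register layout (level in cm in the first holding register), the sample frames and the 10 cm per sample limit are constructed assumptions.

```python
import struct

# MBAP header of a Modbus TCP/IP ADU: Transaction ID, Protocol ID, Length, Unit ID
MBAP = struct.Struct(">HHHB")
READ_HOLDING_REGISTERS = 0x03

def parse_modbus_tcp(frame):
    """Split a Modbus TCP/IP ADU into MBAP header fields and PDU (function code + data)."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = MBAP.unpack_from(frame, 0)
    if pid != 0:
        raise ValueError("Protocol ID must be 0 for Modbus")
    # Length counts the Unit ID plus the PDU, i.e. everything after the first 6 bytes
    if length != len(frame) - 6:
        raise ValueError("MBAP Length does not match frame size")
    pdu = frame[MBAP.size:]
    return {"transaction_id": tid, "unit_id": uid,
            "function_code": pdu[0], "data": pdu[1:]}

def registers_from_response(frame):
    """Return the 16-bit register values carried in a Read Holding Registers response."""
    adu = parse_modbus_tcp(frame)
    if adu["function_code"] != READ_HOLDING_REGISTERS:
        raise ValueError("not a Read Holding Registers response")
    data = adu["data"]
    byte_count = data[0]
    if byte_count != len(data) - 1 or byte_count % 2:
        raise ValueError("byte count disagrees with data length")
    return list(struct.unpack(">%dH" % (byte_count // 2), data[1:]))

def build_response(tid, unit, registers):
    """Build a Read Holding Registers response; used here only to construct sample traffic."""
    data = struct.pack(">%dH" % len(registers), *registers)
    pdu = bytes([READ_HOLDING_REGISTERS, len(data)]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def implausible_jumps(levels, max_delta):
    """Anomaly rule: flag readings that change faster than the process physically can.
    Returns (index, previous, current) for each violation."""
    return [(i, levels[i - 1], levels[i])
            for i in range(1, len(levels))
            if abs(levels[i] - levels[i - 1]) > max_delta]

def scan_frames(frames, max_delta):
    """Read the level register (assumed: first register, in cm) from each response frame
    and apply the plausibility rule to the sequence seen by the operator interface."""
    levels = [registers_from_response(f)[0] for f in frames]
    return implausible_jumps(levels, max_delta)

# Constructed sample: three genuine readings, then frames whose data field was altered
# in transit so that the operator interface shows a far lower level than the real one
SAMPLE_LEVELS_CM = [350, 352, 353, 120, 121]
SAMPLE_FRAMES = [build_response(i + 1, 1, [lvl]) for i, lvl in enumerate(SAMPLE_LEVELS_CM)]
```

The rule flags only the transition to the falsified value (`scan_frames(SAMPLE_FRAMES, 10)` gives `[(3, 353, 120)]`); a value held constant afterwards needs a second check, such as consistency with pump state or a redundant sensor.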
If you want to go deeper….
www.sicurezzaegiustizia.com/setola-roberto/
Further reading
CASD (Centro Alti Studi della Difesa)
The global strategy for the protection of critical infrastructures and resources against terrorist attacks
www.casd.difesa.it
http://www.difesa.it/SMD/CASD/Istituti_militari/CeMISS/Pubblicazioni/News206/2012-02/Pagine/Lastrategiaglobal.aspx
Further reading (2)
J. Lopez, R. Setola, S. Wolthusen
Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defense
2012
www.Springer.com
Further reading (3)
F. Flammini, G. Franceschetti, R. Setola
Effective Surveillance for Homeland Security: Balancing Technology and Social Issues
CRC Press 2013
R. Setola, V. Rosato, E. Kyriakides, E. Rome
Managing the Complexity of Critical Infrastructures
Springer 2016
https://link.springer.com/content/pdf/10.1007/978-3-319-51043-9.pdf
09/11/2010 Roberto Setola – [email protected]
Master in Homeland Security - dates
• Application deadline: 26 November 2010
• Candidate selection: 3 December 2010
• Start of lessons: 16 December 2009
• End of Master: December 2011
Lessons will take place all day on Thursdays and Fridays, normally on a weekly basis, plus one Saturday morning per month
Aula Magna of the RUI, viale Africa 27 (Metro B area – Laurentina)
Master in Homeland Security – Scientific Board
Scientific Director
• Prof. Roberto Setola (Univ. Campus Bio-Medico di Roma & AIIC)
• Prof.ssa Marcella Trombetta (Univ. Campus Bio-Medico, Deputy Director)
Scientific Committee
• Ing. Luigi D'Angelo (Protezione Civile)
• Dott. Dario De Marchi (Head of the Press Office, Ministero dello Sviluppo Economico)
• Dott. Francesco di Maio (Head of Security, ENAV)
• Ing. Alfonso Farina (Selex Sistemi Integrati)
• Dott. Franco Fiumara (Head of Corporate Protection, FS)
• Prof. Giorgio Franceschetti (Università Napoli Federico II)
• Prof. Luigi Glielmo (Università Sannio)
• Dott. Giuseppe Lasco (Director of Corporate Security, Terna)
• Dott. Francesco Lambiase (BCManager)
• Prof. Stefano Panzieri (Università Roma Tre)
• Ing. Concetta Pragliola (Ansaldo STS)
• Dott. Giorgio Riondino (Chief of Staff to the Minister for the Implementation of the Government Programme)
• Dott. Damiano Toselli (Head of Security, Telecom Italia)
• Dott. Umberto Saccone (Head of Security, ENI)
• Prof. Giuseppe Sciutto (President, NITEL)
• Dott. Giuseppe Vozza (Head of Security, Gruppo ENEL)
• Dott. Domenico Vulpiani (Director General of the Polizia di Stato, Adviser for Information Security and Critical Infrastructure Protection to the Ministero dell'Interno)
Academic year 2010/11
Systems, methods and tools for security and crisis management
10th edition
February 2018
Master in Homeland Security
Why a Master in Homeland Security
Prof. Roberto Setola
Università Campus Bio-Medico di Roma
Study Day
Citizen security in metropolitan areas
Rome, 25 October 2010
Conference Room, PRABB, Università Campus Bio-Medico, Rome
III ed. Master in Homeland Security - partners
Organising bodies
Partner organisations
With the contribution of the Arma dei Carabinieri
Academic year 2010-11