Cyber war

Post on 21-Aug-2018


• Cyber attack on Estonia (27 April – 19 May 2007): a DDoS attack blocked several governmental and financial web sites

• Before Russia's military initiative in Ossetia, Georgia's cyberspace was subjected to a DDoS attack

• In summer 2009, two submarine cables were cut in the Mediterranean Sea

COM(2009) 149

China vs USA

In March 2010 a young Chinese researcher was pointed out to the US Congress as a dangerous enemy because he had written a scientific paper on the vulnerability of the US electric grid to cyber attack

News on China vs USA

Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

February 18, 2013

The Mandiant report stressed that a large part of the cyber attacks on US infrastructure had been promoted/performed by Unit 61398 of the Chinese Army

Let us now look at US strategies on CIIP (Critical Information Infrastructure Protection)

US – 1996 - PCCIP

In 1996 the President's Commission on Critical Infrastructure Protection (PCCIP) released the "Marsh Report". This report used the term "Critical Infrastructure" (CI) for the first time.

An infrastructure is "a network of independent, mostly privately-owned, man-made systems that function collaboratively and synergistically to produce and distribute a continuous flow of essential goods and services".

A CI is "an infrastructure so vital that its incapacity or destruction would have a debilitating impact on our defense and national security".

US – 1998 – PDD63

The work of the PCCIP resulted in Presidential Decision Directive 63, which identified 8 critical sectors.

"Any interruption or manipulation of these critical functions must be brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States"

[Bill Clinton, PDD-63, 1998]

US – 2003 - Strategy

For the first time, a nation-wide strategy that considers the protection of Critical Infrastructures as a whole.

It consists of two complementary documents, on physical and logical security (focus on anti-terrorism).

It identifies 11 critical sectors and 5 key assets.

It stresses the vulnerability induced by cyberspace and specifically the fragility of SCADA systems to cyber attack.

HSPD-7 (Homeland Security Presidential Directive #7)

US 2004–2006 (change of focus)

Signed by the heads of all US departments and agencies.

It considers the protection of the 11 critical sectors and of key resources (CI/KR).

"Build a safer … America by enhancing protection of the CI/KR to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy"

"Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses …. Attacks using components of CI/KR as weapons could have even more devastating physical and psychological consequences"

[Diagram: US Strategy 2005–2006 – policy inputs (Federal and private roles, GAO recommendations, drivers/needs) feed Vision/Goals, Roles & Responsibilities, Sector Needs and Coordination Strategies, which lead to Sector Roadmaps and Sector-Specific Plans]

Control Systems Security Program

www.us-cert.gov/control_systems

Risk Reduction Products (CSSP Products)

• Control Systems Cyber Security Self Assessment Tool (http://csrp.inl.gov/Self-Assessment_Tool.html)

• Cyber Security Procurement Language for Control Systems (http://www.us-cert.gov/control_systems/pdf/SCADA_Procurement_DHS_Final_to_Issue_08-19-08.pdf)

• Catalog of Control System Security: Recommendations for Standards Developers (http://www.us-cert.gov/control_systems/pdf/Catalog_of_Control_Systems_Security_Recommendations.pdf)

• Securing Your SCADA and Industrial Control Systems Pocket Guide (http://bookstore.gpo.gov)

• US-CERT control systems related Vulnerability notices (http://www.us-cert.gov/control_systems/csdocument.html#vuls)

• Control systems recommended practices (http://csrp.inl.gov/)

• Control systems security awareness and mitigation training classes (http://www.us-cert.gov/control_systems/cstraining.html)


Key Program Areas

• Assess and mitigate energy control systems vulnerabilities

• Develop advanced secure control systems technologies

• Support development of standards and best practices

• Conduct outreach and awareness

DOE multi-laboratory program designed to support industry and government efforts to enhance control systems cyber security across the energy infrastructure

INL – NIST – SNL – PNL – ANL

National SCADA Test Bed – Office of Electricity Delivery and Energy Reliability (DOE-OE)

The National SCADA Test Bed is a national capability to help secure SCADA communications and controls within the energy sector. It combines the expertise and resources of several national laboratories into a multi-lab partnership that helps to identify and correct critical security flaws in control systems and equipment. The NSTB offers the integrated expertise and resources of multiple national laboratories, including Idaho National Laboratory, Sandia National Laboratories, Argonne National Laboratory, Pacific Northwest National Laboratory, and Oak Ridge National Laboratory.

US National SCADA Test Bed Program (NSTB)

http://www.inl.gov/scada/

StuxNet

The turning point!

Attacks on control systems.

From potential risk to actual threat

StuxNet

• "Stuxnet is a very big project, very well planned and very well funded." [Liam O'Murchu, Supervisor NAM Security Response, Symantec]

• Complex design and uncommon skill set required

• Specific Siemens automation control technology expertise

• Cost estimate: 3 million $ [Frank Rieger, CTO, GSMK]

• It uses 4 different "0-day" exploits

• It carries a double digital signature, stolen from JMicron and Realtek

0-day market (2)

StuxNet

Source: Trend Micro 2010

It has a very sophisticated architecture and has been developed using several languages

It uses several mechanisms to propagate but …..

StuxNet

Country          Infected PCs
Iran             62,867
Indonesia        13,336
India             6,552
United States     2,913
Australia         2,436
Britain           1,038
Malaysia          1,013
Pakistan            993
Germany               5 [but no consequences]
Italy                 ?

Stuxnet is a complex-design threat, targeting specific industrial control systems vulnerabilities.

Stuxnet, by exploiting the vulnerability CVE-2010-2772 (Siemens SIMATIC WinCC Default Password Security Bypass), gains access to the WinCC SQL Server back-end database. This lets the attacker view the project database and the information held in the WinCC project server, modify configuration settings, and access or delete files to erase every trace of the attack.

WORM_STUXNET looks for the file S7OTBXDX.DLL, used by Siemens WinCC systems, in the Windows system folder; it renames the original file to S7OTBXSX.DLL and replaces it with its own file with modified functionality. These functions are used to access, read, write and delete code blocks on the PLC. On an infected system, when these functions are called, Stuxnet executes additional code before invoking the real functionality located in S7OTBXSX.DLL; in this way the data sent to or from the PLC is modified.

Specifically, if the PLC responds to a specific call with a specific string, Stuxnet adds code to the code executed on the PLC.
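As an added example (not code from the slides, nor from any Stuxnet analysis the deck cites), a defender-side check for the library replacement just described: it looks for the renamed original S7OTBXSX.DLL and compares the SHA-256 of S7OTBXDX.DLL with a hash recorded from a clean install. The directory, the file contents and the known-good hash are constructed here; a real deployment would keep the hash from its own clean installation, since no such hash appears on the slides.

```python
import hashlib
import tempfile
from pathlib import Path

ORIGINAL_DLL = "S7OTBXDX.DLL"  # library the slides say Stuxnet replaces
RENAMED_DLL = "S7OTBXSX.DLL"   # name the slides say the original is renamed to


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large libraries are fine."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_s7_dll(system_dir, known_good_sha256):
    """Return a list of findings (empty = nothing suspicious) for the Step 7 communication
    library in system_dir. known_good_sha256 is the hash of the vendor-supplied library,
    assumed to have been recorded from a clean install (no real hash appears on the slides)."""
    system_dir = Path(system_dir)
    findings = []
    original = system_dir / ORIGINAL_DLL
    renamed = system_dir / RENAMED_DLL
    if renamed.exists():
        findings.append(f"{RENAMED_DLL} present: the original library appears to have been renamed")
    if not original.exists():
        findings.append(f"{ORIGINAL_DLL} missing")
    elif sha256_of(original) != known_good_sha256:
        findings.append(f"{ORIGINAL_DLL} hash mismatch: does not match the recorded clean hash")
    return findings


def demo():
    """Constructed demonstration: a clean directory, then the replacement pattern from the slides."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / ORIGINAL_DLL).write_bytes(b"vendor library bytes (constructed)")
        good = sha256_of(d / ORIGINAL_DLL)          # would be recorded at install time
        clean = check_s7_dll(d, good)
        (d / ORIGINAL_DLL).rename(d / RENAMED_DLL)  # original renamed ...
        (d / ORIGINAL_DLL).write_bytes(b"wrapper library bytes (constructed)")  # ... wrapper takes its name
        infected = check_s7_dll(d, good)
    return clean, infected


if __name__ == "__main__":
    print(demo())
```

The check covers only the pattern on this slide (rename plus a wrapper under the original name); a wrapper that deleted the original instead of renaming it would still fail the hash comparison, which is the stronger of the two signals and the one worth scheduling on every engineering workstation.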

StuxNet

The target of Stuxnet may have been the centrifuges of the Natanz nuclear facility. In 2009 the number of active centrifuges at Natanz decreased, but it is not clear whether this was due to Stuxnet, nor whether this was the result Stuxnet was expected to produce; in any case, the attack delayed Iran's nuclear programme.

Possible target???

Video on Stuxnet

How ready are SCADA systems for Stuxnet-like threats?

IRONGATE (2014-2015)

IRONGATE invokes ICS attack concepts first seen in Stuxnet: it operates against Siemens' PLC environment to perform a man-in-the-middle attack against process input/output (I/O), but it operates only inside the PLCSIM simulation environment.

The malware replaces a Dynamic Link Library (DLL) with a malicious DLL, which then acts as a broker between a PLC and the legitimate monitoring software. This malicious DLL records five seconds of 'normal' traffic from the PLC to the user interface and replays it, while sending different data back to the PLC.

It seems to be a test case, proof of concept, or research activity for ICS attack techniques

27/03/2018 www.coseritylab.it 24

IRONGATE

Even if IRONGATE does not compare to Stuxnet in terms of complexity, ability to propagate, or geopolitical implications, it demonstrates new features.

• Sandbox evasion. Some droppers for the IRONGATE malware would not run if VMware or Cuckoo Sandbox environments were employed. The malware uses these techniques to avoid detection and resist analysis, and developing these anti-sandbox techniques indicates that the author wanted the code to resist casual analysis attempts.

• Active masking. IRONGATE actively records and plays back process data to hide manipulations, whereas Stuxnet did not attempt to hide its process manipulation but suspended the normal operation of the S7-315 update function (the HMI shows static data).


Dragonfly/HAVEX

• The Dragonfly campaign was an espionage effort that targeted numerous industrial control system locations (estimates put it at over 2,000 sites), with a large emphasis on electric power and petrochemical asset owners. The Dragonfly campaign leveraged the HAVEX malware.

• The HAVEX malware leveraged legitimate functionality in the OPC protocol to map out the industrial equipment and devices on an ICS network.

• The Dragonfly campaign was focused entirely on espionage.


BLACKENERGY 2 malware

• The malware contained exploits for specific types of HMI applications, including Siemens SIMATIC, GE CIMPLICITY, and Advantech WebAccess.

• The aim was to start learning the industrial process and to obtain the graphical representation of the ICS through the HMI.


Ukrainian black-out 2015

On December 23, 2015, 100,000 people in and around the Ukrainian city of Ivano-Frankivsk were left without power for six hours. Power companies experienced unscheduled power outages. In addition, there have also been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors.

BLACKENERGY 3 malware

• They learned the operations and used the legitimate functionality of the distribution management systems to disconnect substations from the grid

• It uses the KillDisk malware to wipe serial-to-Ethernet devices

One malware performed the attack, and a second malware delayed restoration


• ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs).

• ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system. The malware is highly modular and not all functionality is deployed to all victims.

The greatest risk

«My greatest concern is not the information they can steal from me today …. but the information they stole from me in past years»

[The Security Manager of a major Italian infrastructure]

Industroyer (ESET) or CRASHOVERRIDE (Dragos)


«external interference coming from the computer network»

Ukrenergo

17 December 2016: a 1-hour blackout that affected Ukrainian territory

• It does not exploit vulnerabilities or 0-days

• It leveraged the OPC protocol to help it map the environment and select its targets similar to HAVEX.

• It targeted the libraries and configuration files of HMIs to understand the environment further and leveraged HMIs as BLACKENERGY 2 did

• It is a platform to conduct attacks against grid operations systems in various environments and not confined to work only on specific vendor platforms (even if it contains specific elements to attack and destroy ABB components)

December 2017 – Attack on a Safety Instrumented System


TRITON

• It is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers

• During the incident, some SIS controllers entered a failed-safe state, which automatically shut down the industrial process.

• TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented, suggesting that the adversary independently reverse engineered this protocol

• FireEye supposes that the attacker inadvertently shut down operations while developing the ability to cause physical damage, for the following reasons


SIS (Safety Instrumented System)

Functional Safety: the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs.

A safety instrumented system (SIS) consists of an engineered set of hardware and software controls that bring a process to a fail-safe state, or maintain its safe operation, when unacceptable or dangerous conditions occur.

It implements Safety Instrumented Functions (SIFs). Each SIF achieves a Safety Integrity Level (SIL).


IEC 61511

Why an attack on a SIS?

Attack Option 1: Use the SIS to shut down the process
• The attacker can reprogram the SIS logic to cause it to trip and shut down a process that is, in actuality, in a safe state. In other words, trigger a false positive.

Attack Option 2: Reprogram the SIS to allow an unsafe state
• The attacker can reprogram the SIS logic to allow unsafe conditions to persist. Increased risk that a hazardous situation will cause physical consequences (e.g. impact to equipment, product, environment and human safety).

Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard
• The attacker can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately, with potential impact to human safety, the environment, or damage to equipment, the extent of which depends on the physical constraints of the process and the plant design.
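The three attack options above, as an added example that is not taken from the slides: a minimal model of SIS logic (one high-trip setpoint per Safety Instrumented Function) and a check that compares the logic loaded on the controller with the approved baseline on the same process readings, classifying any divergence as a spurious trip (option 1) or a suppressed trip (options 2 and 3, which look identical from the SIS side). Tag names, setpoints and readings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sif:
    """One Safety Instrumented Function: demand a trip when the process variable
    reaches or exceeds its high-trip setpoint (engineering units, constructed)."""
    tag: str
    high_trip: float


def evaluate(sifs, readings):
    """Tags of the SIFs that demand a trip for the given process readings."""
    return {s.tag for s in sifs if readings.get(s.tag, 0.0) >= s.high_trip}


def compare_logic(approved, loaded, readings):
    """Compare the approved SIS logic with the logic actually loaded on the controller,
    evaluated on the same readings.
    spurious_trip:    loaded logic trips where approved logic does not (attack option 1)
    suppressed_trip:  approved logic trips but loaded logic does not (options 2 and 3)
    setpoint_changes: tag -> (approved, loaded) for every setpoint that differs"""
    want, got = evaluate(approved, readings), evaluate(loaded, readings)
    approved_sp = {s.tag: s.high_trip for s in approved}
    changes = {s.tag: (approved_sp.get(s.tag), s.high_trip)
               for s in loaded if approved_sp.get(s.tag) != s.high_trip}
    return {"spurious_trip": sorted(got - want),
            "suppressed_trip": sorted(want - got),
            "setpoint_changes": changes}


# Constructed baseline: two SIFs with their approved high-trip setpoints.
APPROVED = [Sif("PT-101", 10.0), Sif("TT-202", 180.0)]


def demo():
    """Readings in which PT-101 is genuinely above its approved trip point and TT-202 is
    normal, checked against logic altered in the two directions the slides describe."""
    readings = {"PT-101": 11.5, "TT-202": 120.0}
    lowered = [Sif("PT-101", 10.0), Sif("TT-202", 100.0)]  # option 1: setpoint lowered, false trip
    raised = [Sif("PT-101", 15.0), Sif("TT-202", 180.0)]   # option 2: setpoint raised, unsafe state tolerated
    return compare_logic(APPROVED, lowered, readings), compare_logic(APPROVED, raised, readings)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Evaluating both copies on the same readings is what separates a harmless engineering change from a dangerous one: a changed setpoint that never alters the trip decision for the process states actually observed is a configuration-drift finding, while a suppressed trip under readings the approved logic would act on is a safety finding. In practice the approved logic is the copy under change control and the loaded logic is the one read back from the controller.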


DEFENSE STRATEGY


ANSI/ISA-99 Standards

A zone is defined as a grouping of logical or physical assets that share common security requirements based on factors such as criticality and consequence


Defense in Depth


"If you entrench yourself behind strong fortifications, you compel the enemy to seek a solution elsewhere." [Carl von Clausewitz]

Basing a security design on hiding behind a single monolithic solution is called the Bastion Model and results in the possibility of a single point of failure.

Defense in depth is the coordinated use of multiple security countermeasures to protect an asset.

Defense in Depth


Fluid border


Intrusion Detection and Prevention Systems


An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Some IDSs have the ability to respond to detected intrusions; these are typically referred to as intrusion prevention systems (IPS).

Anomaly-based Intrusion Detection System

The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.
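An added example, not from the slides, of the two detection styles contrasted above, run over constructed connection-log lines (source, destination, Modbus function code): the signature detector fires only on a pattern somebody has written a rule for, while the anomaly detector learns the (src, dst, fc) triples seen in a baseline window and flags anything unseen, including a new host for which no signature exists. The addresses, the log format and the single signature are assumptions.

```python
import re

# Constructed connection-log lines (not from the slides): who talked to whom, with which
# Modbus function code. BASELINE_LOG is a window of known-good traffic; LIVE_LOG is later traffic.
BASELINE_LOG = """\
src=10.1.0.10 dst=10.1.0.50 fc=3
src=10.1.0.10 dst=10.1.0.50 fc=16
src=10.1.0.11 dst=10.1.0.50 fc=3
src=10.1.0.10 dst=10.1.0.51 fc=3
"""
LIVE_LOG = """\
src=10.1.0.10 dst=10.1.0.50 fc=3
src=10.1.0.99 dst=10.1.0.50 fc=3
src=10.1.0.10 dst=10.1.0.50 fc=8
src=10.1.0.11 dst=10.1.0.50 fc=3
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) fc=(\d+)")


def parse(log):
    """Yield (src, dst, function_code) for every well-formed line; ignore the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


# Signature-based detection: a fixed table of patterns with a human-written explanation.
# The single rule here is an assumption for the example (fc 8 is the Modbus Diagnostics function).
SIGNATURES = {
    8: "Modbus diagnostics request (fc 8) to a field device",
}


def signature_alerts(log):
    """Every line matching a known signature, with the rule's explanation."""
    return [(src, dst, SIGNATURES[fc]) for src, dst, fc in parse(log) if fc in SIGNATURES]


# Anomaly-based detection: learn what normal looks like, then report deviations from it.
def learn_baseline(log):
    """The set of (src, dst, fc) triples observed during the baseline window."""
    return set(parse(log))


def anomaly_alerts(log, baseline):
    """Every triple in log that never appeared in the baseline (no explanation attached)."""
    return [t for t in parse(log) if t not in baseline]


if __name__ == "__main__":
    print("signature:", signature_alerts(LIVE_LOG))
    print("anomaly:  ", anomaly_alerts(LIVE_LOG, learn_baseline(BASELINE_LOG)))
```

On the constructed live log the signature detector reports only the diagnostics request, while the anomaly detector reports both that request and the poll from the never-seen host 10.1.0.99, for which no rule exists. The price is visible in the output too: the anomaly alert carries no explanation, so an analyst has to work out whether the new host is an attacker or a newly commissioned HMI.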


Anomaly Detection System


Fault detection and isolation system

Stealth Attack

An intelligent attacker can find attacks that do not trigger alarms (in the fault detection or bad-data detector)

Such an attack is very ambiguous: it is syntactically and semantically correct

Self-Detection system


Social Engineering

Human Factor

“Two things are infinite: the universe and human stupidity, but about the universe I still have doubts.” Albert Einstein


Scenario overview

[Diagram: three interconnected infrastructures, each with its own SCADA system, PLC, reservoir and sensors – SCADA 1 / Infrastructure 1: FACIES water management system; SCADA 2 / Infrastructure 2: Dam; SCADA 3 / Infrastructure 3: Cooling Towers – monitored by the IDS ES, the RP/FDS and an Alerting System]

Reservoir 2 provides water to residential area 2.

Reservoir 3 provides water to the industrial area and to the cooling towers.

Any attack on Infrastructure 2 threatens the water flow from Infrastructure 2, in terms of denial of water to the residential and industrial areas. Thus the 3 CIs are connected.


FACIES Architecture

[Diagram: sensors, pumps and valves – PLC – SCADA (iFix) HMI – switch – IDS expert system – fault detection – risk predictor]

The FACIES Testbed – Local Network


[Diagram: the physical system, subject to cyber-attacks and physical attacks]

The Modbus Protocol

• De facto protocol for industrial applications

• Open, public, application-layer messaging protocol

• Master/slave communication structure

Modbus TCP/IP ADU

Modbus packet carried inside a TCP packet, in turn inside an IP packet

MBAP Header: Transaction ID, Protocol ID, Length, Unit ID

PDU: Function Code, Data

• Attacker modifies data field of Modbus packet

• Ettercap + etterfilter tools through ARP Poisoning

• Tampered sensor measurement on Operator interface
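The frame layout and the tampering case above, as an added example that is not code from the slides or from the FACIES project: a parser for the Modbus/TCP ADU that checks the MBAP Length and byte-count fields against the actual frame, and a plausibility check on the tank level reported to the operator interface, which flags a reading that jumps further between two polls than the physical process could move. The register scaling (hundredths of a percent in register 0), the unit id and the polling sequence are constructed assumptions.

```python
import struct


def build_read_registers_response(transaction_id, unit_id, registers):
    """Build a Modbus/TCP ADU carrying a function-code 3 (Read Holding Registers) response.
    MBAP header = Transaction ID, Protocol ID (0 = Modbus), Length (bytes that follow the
    Length field, i.e. Unit ID + PDU), Unit ID; the PDU = function code, byte count, data."""
    pdu = struct.pack(">BB", 3, 2 * len(registers)) + struct.pack(f">{len(registers)}H", *registers)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(frame):
    """Parse an ADU, raising ValueError when the header fields disagree with the frame.
    An in-transit edit of the data field that forgets to fix Length or byte count ends here."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    fc, data = frame[7], frame[8:]
    registers = []
    if fc == 3:  # read holding registers response: byte count, then 16-bit registers
        byte_count = data[0]
        if byte_count != len(data) - 1 or byte_count % 2:
            raise ValueError("byte count inconsistent with payload")
        registers = list(struct.unpack(f">{byte_count // 2}H", data[1:]))
    return {"tid": tid, "unit": unit, "fc": fc, "registers": registers}


def is_well_formed(frame):
    """True when parse_adu accepts the frame."""
    try:
        parse_adu(frame)
        return True
    except ValueError:
        return False


def plausibility_alerts(frames, max_step_percent, scale=100.0):
    """Flag reported tank levels that move by more than max_step_percent between two
    consecutive polls. Assumption (constructed): register 0 holds the level in hundredths
    of a percent. Returns (transaction id, previous level, reported level) per alert."""
    alerts, prev = [], None
    for frame in frames:
        adu = parse_adu(frame)
        if adu["fc"] != 3 or not adu["registers"]:
            continue
        level = adu["registers"][0] / scale
        if prev is not None and abs(level - prev) > max_step_percent:
            alerts.append((adu["tid"], prev, level))
        prev = level
    return alerts


def demo():
    """Constructed poll sequence: three plausible readings, then a frame whose data field
    was rewritten in transit so the operator interface shows 90.00 % instead of about 55 %."""
    levels = [5500, 5520, 5540, 9000]
    frames = [build_read_registers_response(tid, 1, [lvl]) for tid, lvl in enumerate(levels, start=1)]
    return plausibility_alerts(frames, max_step_percent=2.0)


if __name__ == "__main__":
    print(demo())  # [(4, 55.4, 90.0)]
```

The structural checks reject a frame whose header no longer matches its payload, which catches careless in-transit edits; the plausibility check catches a value that the tank could not physically have reached since the last poll. A smoothly faked series passes both, which is the stealth-attack case discussed earlier in the deck and the reason the FACIES testbed pairs the IDS with a fault-detection system rather than relying on a single check.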

Experimental Results

Water level during cyber-attack – Actual vs. Operator interface (data modification)

Simulated Scenarios – Multiple Fault

• Tank 3 – 100% leak fault

• Pump 2 fault

• Valve 17 fault

Further reading (2)

J. Lopez, R. Setola, S. Wolthusen, Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defence, Springer, 2012, www.Springer.com

Further reading (3)

F. Flammini, G. Franceschetti, R. Setola, Effective Surveillance for Homeland Security: Balancing Technology and Social Issues, CRC Press, 2013


Master in Homeland Security – dates

• Enrolment deadline: 26 November 2010

• Candidate selection: 3 December 2010

• Start of lessons: 16 December 2009

• End of the Master: December 2011

Lessons will be held all day on Thursdays and Fridays, normally on a weekly basis, and once a month on Saturday mornings

Aula Magna of the RUI, viale Africa 27 (Metro B area – Laurentina)


Master in Homeland Security – Scientific Council

Scientific Director
• Prof. Roberto Setola (Università Campus Bio-Medico di Roma & AIIC)
• Prof. Marcella Trombetta (Università Campus Bio-Medico, Deputy Director)

Scientific Committee
• Ing. Luigi D'Angelo (Protezione Civile)
• Dr. Dario De Marchi (Head of the Press Office, Ministry of Economic Development)
• Dr. Francesco di Maio (Head of Security, ENAV)
• Ing. Alfonso Farina (Selex Sistemi Integrati)
• Dr. Franco Fiumara (Head of Corporate Protection, FS)
• Prof. Giorgio Franceschetti (Università Napoli Federico II)
• Prof. Luigi Glielmo (Università Sannio)
• Dr. Giuseppe Lasco (Director of Corporate Security, Terna)
• Dr. Francesco Lambiase (BCManager)
• Prof. Stefano Panzieri (Università Roma Tre)
• Ing. Concetta Pragliola (Ansaldo STS)
• Dr. Giorgio Riondino (Chief of Staff to the Minister for the Implementation of the Government Programme)
• Dr. Damiano Toselli (Head of Security, Telecom Italia)
• Dr. Umberto Saccone (Head of Security, ENI)
• Prof. Giuseppe Sciutto (President, NITEL)
• Dr. Giuseppe Vozza (Head of Security, ENEL Group)
• Dr. Domenico Vulpiani (Director General of the Polizia di Stato, Adviser for Information Security and Critical Infrastructure Protection to the Ministry of the Interior)

Academic year 2010/11

Systems, methods and tools for security and crisis management

10th edition

February 2018

Master in Homeland Security

Why a Master in Homeland Security

Prof. Roberto Setola

Università Campus Bio-Medico di Roma

[email protected]

Study Day

Citizens' security in metropolitan areas

Rome, 25 October 2010

Conference Room, PRABB, Università Campus Bio-Medico, Rome


III ed. Master in Homeland Security – partners

Organizing bodies

Partner organizations

With the contribution of the Arma dei Carabinieri

Academic year 2010-11