asfws 2013 - critical infrastructures in the age of cyber insecurity par andrea zapparoli manzoni

Critical Infrastructures in the Age of Cyber Insecurity Application Security Forum - 2013 Western Switzerland 15-16 octobre 2013 - Y-Parc / Yverdon-les-Bains http://www.appsec-forum.ch Andrea Zapparoli Manzoni General Manager / Security Brokers

Upload: application-security-forum-western-switzerland

Post on 19-May-2015


DESCRIPTION

Threats, risks, actors, trends, attack techniques, defense issues and possible future scenarios for Critical Infrastructures in the age of cyber insecurity.

TRANSCRIPT

Page 1: ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andrea Zapparoli Manzoni

Critical Infrastructures in the Age of Cyber Insecurity

Application Security Forum - 2013 Western Switzerland

15-16 October 2013 - Y-Parc / Yverdon-les-Bains

http://www.appsec-forum.ch

Andrea Zapparoli Manzoni

General Manager / Security Brokers

Page 2

Agenda

“Critical Infrastructures in the Age of Cyber Insecurity”

• Who am I
• Cyber Insecurity is the new norm
• Why are we here
• Impacts of Cyber Insecurity on Critical Infrastructures
• Latest Incidents
• Remediations ?
• Conclusions

Page 3

Who am I

• Founder, General Manager, Security Brokers
• Founder, CEO, iDIALOGHI
• «Cyberworld» WG Member at OSN/Ce.Mi.S.S.
• APASS Board Member / Information Warfare lead res.
• Assintel Board Member / ICT Security WG leader
• Clusit Board Member / lecturer (SCADA, Social Media Sec, Anti-fraud, DLP…)
• Co-author of the Clusit Report (2012 and 2013)

Page 4

Cyber Insecurity is the new norm

“It’s a Jungle Out There”

Private Organizations spent USD 20B for “advanced” ICT Security systems in 2012, out of a USD 60B budget for ICT Security spending. Notwithstanding these efforts, Cyber Insecurity is becoming the norm.

Chart: International Serious Cyber Attacks per half-year, 1 H 2011 to 1 H 2013 (count, y-axis 0 to 800)

From our analyses, which are in line with those made by other observers (private and institutional), the rate of attacks against Companies and Government bodies in 2012 grew by 154% on average compared to 2011 (which was the worst year on record, until then). In 2013 the speed of this growth is clearly accelerating.

Why?

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update

Page 5

Why are we here

#1. ICT Products are not as secure as you may think (= insecure by design)

The Fiat on the right was my first car, back in 1987 (it was built in 1971). I was very proud of it and, after all, it worked well. But it had NO built-in security whatsoever. No brakes, no seat belts, no ABS, ESP, airbag, headrests, no passive security – nothing.

Today’s ICT is somewhat like my 1971 Fiat, in terms of built-in security. Really.

As a consequence, in 2012 this inherent cyber insecurity had a global (direct and indirect) estimated cost of USD 388 Billion (that is, Denmark’s GDP).

Page 6

Why are we here

# 2. Cybercrime is the “best” investment on the planet

And attack techniques developed by cybercrime are quickly adopted by other actors…

Page 7

Why are we here

# 3. There is a huge, growing market for 0-days, that is becoming “mainstream”

We receive this kind of offer almost daily… on LinkedIn!

Page 8

Why are we here

Cybercrime is extremely profitable. But there are also hacktivists, spies, mercenaries…

Chart: Attackers Distribution % - 1H 2011 - 1H 2013 (categories: Cybercrime, Hacktivism, Espionage, Cyber War., Unknown; series: 2011, 2012, 1H 2013; y-axis 0% to 60%)

CI, being a valuable target, are under attack from many different actors, for different reasons (blackmailing, espionage, sabotage, information warfare…)

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update

Page 9

So, in a nutshell

• 2012: + 150% serious cyberattacks in the world vs 2011
• Huge growth of evil doers and of offensive capabilities
• Everyone is now a target (Citizens, Corporations, Institutions, Gov/Mil)
• All platforms are now a target (PCs, Mobile, Social, Cloud, SCADA…)
• Traditional defenses are not working anymore
• Return on Investment (ROI) for attackers is extremely high
• Risks for attackers are still extremely low
• Growing risk of systemic “Black Swans” (HILP)
• Lack of effective legislation and tools for LEAs

How do we handle all these issues and mitigate these threats?

How do we (re)shape our CIs to prevent these attacks?

Page 10

Known, noisy attacks on CIs are growing…

Victims distribution (from a sample of 2,200 known attacks from the last 36 months)

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update

But stealthy, slow and far nastier attacks are spreading faster…

Page 11

Impacts of Cyber Insecurity on CI

In the last 5 years, Information and Cyber Warfare have become a reality. Many actors are developing these capabilities, and many of them are not Nation States.

Page 12

Impacts of Cyber Insecurity on CI

Sorry. You should have attended the Conference to see this slide.

Page 13

Impacts of Cyber Insecurity on CI

Cyber warfare includes a very broad spectrum of digital attack techniques originally developed by cyber criminals but within the reach of a growing number of actors, which are used for different purposes, with variable intensity and against any kind of target (critical infrastructures, government systems, military systems, companies of all sizes, banking, media, private citizens, ...)

All against all:

• Nation States
• IC / LEAs
• Organized Cybercrime
• Hacktivists
• Industrial Spies
• Terrorists
• Corporations
• Mercenaries

Page 14

Impacts of Cyber Insecurity on CI

Page 15

Latest Attacks

• The number of known SCADA vulnerabilities has increased by 25 times (since 2010).
• 50% of vulnerabilities allow code execution.
• There are exploits for 35% of vulnerabilities.
• 41% of vulnerabilities are critical. More than 40% of systems available from the Internet can be hacked by unprofessional attackers. (Metasploit, anyone?)
• 54% and 39% of systems available from the Internet in Europe and North America respectively are vulnerable.
• …Search yourself on Shodan

Page 16

Latest Attacks

Attack techniques distribution (from a sample of 2,200 known attacks in the last 36 months)

Technique by type                     2011   2012   2012 vs 2011   2H 2012   1H 2013   1H 2013 vs 2H 2012
SQL Injection¹                         197    435        120.81%       212       162              -23.58%
Unknown                                 73    294        302.74%       120       106              -11.67%
DDoS                                    27    165        511.11%        67        97               44.78%
Known Vulnerabilities / Misconfig.     107    142         32.71%        56        78               39.29%
Malware                                 34     61         79.41%        30         8              -73.33%
Account Cracking                        10     41        310.00%        17        46              170.59%
Phishing / Social Engineering           10     21        110.00%         5         2              -60.00%
Multiple Techniques / APT²               6     13        116.67%         6        61              916.67%
0-day³                                   5      8         60.00%         3         2              -33.33%
Phone Hacking                            0      3              -         0         0                    -

Again in 2013 the majority of attacks were made with well known techniques, exploiting bugs and/or the lack of patching, misconfigurations, organizational flaws, lack of awareness by users, etc. All these vulnerabilities could and should be mitigated with a certain ease, yet in the first half of 2013 they still accounted for 69% of the total. Within this (grim) scenario, DDoS attacks increased by +44% and APTs by +900%.

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update
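As an added example (not from the slides or the Clusit report), the following Python recomputes the period-over-period changes in the table above from its raw counts and derives the share of attacks that used well-known, easily mitigated techniques; which rows count as "well-known" is my assumption.

```python
# Added example, not from the slides: recompute the period-over-period changes
# and the "well-known techniques" share from the Clusit table quoted above.
# Counts are copied from that table; which rows count as "well-known" is an
# assumption (everything except Unknown, APT, 0-day and Phone Hacking).
from dataclasses import dataclass

@dataclass(frozen=True)
class TechniqueRow:
    name: str
    y2011: int
    y2012: int
    h2_2012: int
    h1_2013: int

TABLE = [
    TechniqueRow("SQL Injection", 197, 435, 212, 162),
    TechniqueRow("Unknown", 73, 294, 120, 106),
    TechniqueRow("DDoS", 27, 165, 67, 97),
    TechniqueRow("Known Vulnerabilities / Misconfig.", 107, 142, 56, 78),
    TechniqueRow("Malware", 34, 61, 30, 8),
    TechniqueRow("Account Cracking", 10, 41, 17, 46),
    TechniqueRow("Phishing / Social Engineering", 10, 21, 5, 2),
    TechniqueRow("Multiple Techniques / APT", 6, 13, 6, 61),
    TechniqueRow("0-day", 5, 8, 3, 2),
    TechniqueRow("Phone Hacking", 0, 3, 0, 0),
]
NOT_WELL_KNOWN = {"Unknown", "Multiple Techniques / APT", "0-day", "Phone Hacking"}

def pct_change(old: int, new: int):
    # Change of `new` vs `old` in percent, rounded to 2 decimals like the slide.
    # None when `old` is 0: that is why the slide prints '-' for Phone Hacking.
    if old == 0:
        return None
    return round((new - old) / old * 100, 2)

def changes(table, old_col: str, new_col: str) -> dict:
    # Per-technique change between two columns, e.g. ("h2_2012", "h1_2013").
    return {r.name: pct_change(getattr(r, old_col), getattr(r, new_col)) for r in table}

def well_known_share(table, col: str) -> float:
    # Share (in %) of the attacks in `col` that used well-known, easily mitigated techniques.
    total = sum(getattr(r, col) for r in table)
    known = sum(getattr(r, col) for r in table if r.name not in NOT_WELL_KNOWN)
    return round(known / total * 100, 1)

if __name__ == "__main__":
    for name, delta in changes(TABLE, "h2_2012", "h1_2013").items():
        print(f"{name:36s} {'-' if delta is None else delta}")
    print("well-known share, 1H 2013:", well_known_share(TABLE, "h1_2013"), "%")
```

With that grouping the 1H 2013 share comes out at 69.9% (75.0% in 2H 2012), so the raw counts reproduce the 69% quoted above to within rounding, and the zero-count rows are the reason the table shows "-" instead of a percentage.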

Page 17

Latest Attacks

How an APT works in a CI / SCADA-DCS environment (example)

Page 18

Latest Attacks

But good old web based attacks can do the trick, too….

Page 19

Latest Attacks

Page 20

Latest Attacks

Page 21

Latest Attacks

Page 22

Latest Attacks

Page 23

Latest Attacks

Page 24

Latest Attacks

Page 25

Remediations ?

#1. Update your risk perception. It’s not 2003 anymore…

Page 26

Remediations ?

#2. Assume compromise. 94% of the 7200 known web based interfaces connected to CIs in the US were attacked in 2012. Several of them were breached.

Page 27

Remediations ?

#3. “Defense in-depth” must become your new mantra. Firewalls are cool, but… ☺

Then repeat to yourself several times a day: “Air gapping doesn’t work anymore”….

Page 28

Remediations ?

#4. Monitor everything. Evaluate risks in real time. Manage your vulnerabilities 365/7/24. Adopt a Secure Development Life Cycle. Develop and test your BC/DR processes.

Page 29

Conclusions

• The “recent” convergence and standardization of previously closed, proprietary systems and the growing adoption of OTS hw and sw parts has opened Critical Infrastructures up to security threats traditionally only found in the IT sector. Especially when connected to the Internet, these systems are in great danger.

• We are witnessing the widespread usage of sneaky, customized malicious software that specifically targets SCADA systems, and the rise of a huge 0-day market.

• Due to high availability and performance requirements, combined with legacy technologies, SCADA systems often lack the capability to support forensic analysis during / after an incident or system failure. Even when technically possible, many organizations don't have the real time monitoring and the post-incident cyber analysis tools to distinguish between a normal system failure and malicious activity.

• This is why CI administrators are unable to determine if their systems experienced a normal failure or a cyber attack. This uncertainty is being actively leveraged by attackers and (IMHO) is the BIGGEST issue in CI / industrial automation environments.

• Last but not least, specific skills are lacking in terms of quality and quantity. We need more experts asap (both on the end user / customer side and on the consulting firms side).

Page 30

Questions?

Page 31

Merci/Thank you!

Contact:

Andrea Zapparoli Manzoni

[email protected]

http://www.security-brokers.com

Slides:

http://slideshare.net/ASF-WS/presentations