chile-2015 (2)

Cybersecurity and Critical Infrastructure
Massimiliano Falcinelli, IT security systems, International Atomic Energy Agency

Upload: massimiliano-falcinelli

Post on 11-Apr-2017

Page 1: chile-2015 (2)

Cybersecurity and Critical Infrastructure

Massimiliano Falcinelli, IT security systems

International Atomic Energy Agency

Page 2: chile-2015 (2)
Page 3: chile-2015 (2)

Critical Infrastructure Sectors

A definition from the US Department of Homeland Security:

There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Page 4: chile-2015 (2)

Cybersecurity and Critical Infrastructure

Chemical Sector

Communications Sector

Dams Sector

Emergency Services Sector

Financial Services Sector

Government Facilities Sector

Information Technology Sector

Transportation Systems Sector

Commercial Facilities Sector

Critical Manufacturing Sector

Defense Industrial Base Sector

Energy Sector

Food and Agriculture Sector

Healthcare and Public Health Sector

Nuclear Reactors, Materials, and Waste Sector

Water and Wastewater Systems Sector

Page 5: chile-2015 (2)

Looking back…

First appearance of a section dedicated to the critical infrastructure sectors

Page 6: chile-2015 (2)

What is missing? In my opinion:


The security engineer

Page 7: chile-2015 (2)

A security engineer: do we really need a Sec. Eng?

Page 8: chile-2015 (2)

Awareness of infosec is always growing. How come?

Page 9: chile-2015 (2)

Cybersecurity investment: a cultural change

Factors:

- high-profile security incidents
- cybersecurity and privacy

A cultural change

Companies are allocating more of their overall budget to protect themselves from the increased number of threats.

?????

Page 10: chile-2015 (2)

Cybersecurity investment: a cultural change

A cultural change

TODAY

Page 11: chile-2015 (2)

Cybersecurity investment: a cultural change

Looking back…

Page 12: chile-2015 (2)

What changed !!!

The world has changed !!!

Robotic surgery! Do you see any risk?

So many IMEIs. Do you see any risk?

Page 13: chile-2015 (2)

What changed !!!

The world has changed !!!

Industrial Control Systems (ICS) are physical-equipment-oriented technologies and systems.

Within the control systems industry, Industrial Control Systems (ICS) are often referred to as Operational Technology (OT).

An emerging classification developed by the National Science Foundation and NIST classifies hybrid IT and OT as Cyber-Physical Systems (CPS).

Page 14: chile-2015 (2)

What changed !!!

xxx.xxx.net//admin/admin.shtml

Page 15: chile-2015 (2)

The world has changed !!! Not only for us !!!

Info Sharing

Page 16: chile-2015 (2)

The world has changed !!! Not only for us !!!

Professional Tools

Page 17: chile-2015 (2)

Social Network and Communication

The world has changed !!! Not only for us !!!

Page 18: chile-2015 (2)

Info Access

The world has changed !!! Not only for us !!!

Page 19: chile-2015 (2)

The SunnyWebBox example

Page 20: chile-2015 (2)

The SunnyWebBox example

This is not a critical infrastructure!! Yes .. it is ..

1 MWh ≈ 250 $; 2.7 × 250 $ ≈ 700 $/day !!

100 found in 1 hour. I can log in, change the password, start to intercept Modbus messages, etc., etc.

Page 21: chile-2015 (2)

Info Access: So easy today .. and not only for us ..

Page 22: chile-2015 (2)

Info Access: So easy today .. and not only for us ..

Page 23: chile-2015 (2)

Info Access: So easy today .. and not only for us ..

Page 24: chile-2015 (2)

The Modbus protocol, from a SANS forum

"Modbus Protocol is a messaging structure developed by Modicon in 1979. It is used to establish master-slave/client-server communication between intelligent devices.

Modbus was originally developed as a proprietary communication/command protocol for SCADA/Process Control systems. It has been migrated to TCP/IP since 1999.

One of the first main issues with Modbus is that it is not designed to be run on open networks; it was intended to be used on dedicated lines, such as a serial connection, or a closed network. Ideally this is achieved through an airgap between the PCS network and the corporate IT network.

The Modbus protocol itself contains no security whatsoever. If you can communicate directly with a Modbus server or client you can issue commands. This can be quite important depending on the function that the slave devices are performing. The only real choices are, as mentioned previously, to completely airgap Modbus from any other network, or severely limit access to authorized masters."

Page 25: chile-2015 (2)

Is the Modbus protocol today really secure?

Not really… there are still many legacy systems with no security, and many new ones with no security settings… plus the encryption domain is still unknown (man in the middle).

The Protocol Data Unit (PDU) of the MODBUS protocol is simple and independent from the underlying layers. It is composed of a Function code that determines the action to be taken with the following Data segment.

SCADA (Supervisory Control and Data Acquisition) – (ICS Industrial Control Systems)
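The Modbus/TCP framing described above (an MBAP header, then a PDU of function code plus data) together with the SANS advice to limit access to authorized masters, as an added example that is not part of the original presentation: it parses constructed frames and flags state-changing function codes sent by any host outside an assumed allow-list. The IP addresses, the sample frames and the allow-list policy are constructed for this example.

```python
import struct
from dataclasses import dataclass

# Standard public Modbus function codes that change device state; alerting on
# them when sent from a non-allow-listed host is this example's own policy.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusTcpFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> ModbusTcpFrame:
    """Split a Modbus/TCP frame into MBAP header and PDU.
    MBAP = transaction id (2) + protocol id (2, always 0) + length (2) + unit id (1);
    PDU = function code (1) + data. There is no authentication field anywhere."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusTcpFrame(tid, uid, payload[7], payload[8:])

def audit(frames, authorized_masters):
    """Return (src_ip, unit_id, operation) for writes not sent by an authorized master."""
    alerts = []
    for src_ip, payload in frames:
        frame = parse_modbus_tcp(payload)
        op = WRITE_FUNCTIONS.get(frame.function_code)
        if op and src_ip not in authorized_masters:
            alerts.append((src_ip, frame.unit_id, op))
    return alerts

# Constructed sample traffic (source IP, raw Modbus/TCP bytes); not a real capture.
SAMPLE_FRAMES = [
    ("10.0.0.10", bytes.fromhex("0001 0000 0006 01 03 0000 0002")),   # FC 3: read 2 registers
    ("10.0.0.10", bytes.fromhex("0002 0000 0006 01 06 000a 1234")),   # FC 6: write register 10
    ("192.0.2.77", bytes.fromhex("0003 0000 0006 01 05 0000 ff00")),  # FC 5: write coil 0 ON
]
AUTHORIZED_MASTERS = {"10.0.0.10"}  # assumed: the only host allowed to issue writes

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES, AUTHORIZED_MASTERS):
        print("unauthorized Modbus write: src=%s unit=%d op=%s" % alert)
```

Run against real traffic, the same check belongs at a network tap or in the firewall policy in front of the PLC, since the protocol itself offers no way to tell a legitimate master from an intruder.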

Page 26: chile-2015 (2)

OK.. But are ICS/SCADA systems today in general secure?

An example: the Modbus protocol. In an imagined scenario, if an attacker successfully inserts a transceiver device between two nodes, they can monitor, disrupt and modify the communication or compromise it entirely.

In 2010 a malware called Stuxnet systematically destroyed a fifth of Iran’s nuclear centrifuges by causing them to spin out of control.

In 2013 two American cyber security experts took over the control of an oil rig. It could have caused a serious environmental disaster.

In 2013 the SCADA Strangelove team reported their findings about the vulnerabilities of several industrial protocols including MODBUS. They exploited “zero day” bugs and took over entire networks within a matter of hours.

In 2013 two ICS experts compromised multiple industrial facilities through a radio-frequency channel. They gained access to temperature sensors and were able to falsify the real data.

And Today?

Page 27: chile-2015 (2)

Where are we today?

Cyber attacks against supervisory control and data acquisition (SCADA) systems doubled in 2014, according to Dell’s annual threat report.

The majority of these attacks targeted Finland, the United Kingdom, and the United States, Dell said, noting that the reason is likely the fact that SCADA systems are more common in these regions and more likely to be connected to the Internet. In 2014, Dell said that it saw 202,322 SCADA attacks in Finland, 69,656 in the UK, and 51,258 in the US.

Page 28: chile-2015 (2)

Where are we today?

“Since companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported,” said Patrick Sweeney, executive director, Dell Security. “This lack of information sharing combined with an aging industrial machinery infrastructure presents huge security challenges that will continue to grow in the coming months and years.”

“Because companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported,” Dell said in its report. “As a result, other industrial companies within the space might not even know a SCADA threat exists until they are targeted themselves.”

Page 29: chile-2015 (2)

Where are we today?

A recent report published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that while ICS vendors have been targeted by various types of malicious actors, over half of the attacks reported to the agency in 2014 involved advanced persistent threats (APTs).

ICS-CERT has issued alerts for multiple campaigns over the last year, including one which focused on the use of the Havex RAT in attacks aimed at ICS, and the second related to BlackEnergy Attacks exploiting vulnerabilities in products from GE, Advantech/Broadwin, and Siemens.

Page 30: chile-2015 (2)

Where are we today?

SCADA systems

Acquisition: includes sensors, meters and field devices, such as photo sensors, pressure sensors, temperature sensors and flow sensors.

In 2014, only about 1% of the total ICS/SCADA vulnerabilities were present in data acquisition; for example CVE-2014-2378 (a road traffic sensor accepted modifications without sufficient checks).

Conversion: Remote terminal unit (RTU), intelligent electronic devices (IEDs) and programmable logic controllers (PLC)

In 2014 about 14% of vulnerabilities were present in the conversion component; for example a PLC in CVE-2014-0769 (port 4000/TCP debug service and port 4001/TCP log service could allow modification of memory and logging).

Communication: ModBus, DNP3, ControlNet, ProfiBus, ICCP, OCP and others.

21% of vulnerabilities were present in communication. CVE-2014-5410, CVE-2014-0761, CVE-2014-2342 and CVE-2013-6143 are some examples that affected DNP3 components.

Source:

Presentation and Control (HMI): This consists of devices used to monitor and control data received from various communication channels. It includes Human Machine Interface (HMI), which the operator uses to monitor and react to alerts and alarms.

63% were found in this component. Most ICS/SCADA vendors have shifted or are shifting to web-based HMIs. As a result, many directory traversal, buffer overflow, XSS, SQL injection, CSRF and other web-related vulnerabilities affected this component. Some examples are CVE-2014-5436, CVE-2014-5417, CVE-2014-2358, CVE-2014-2376, CVE-2014-2353 and CVE-2014-0751.

Page 31: chile-2015 (2)

Where are we today?

Source:

As vendors migrate HMIs to web-based systems, more vulnerabilities have now appeared in web HMI components. Data communication and conversion are still affected by vulnerabilities, but attackers tend to gravitate towards the easiest path to exploitation, and a web-based HMI is an easy target.

HMI: human–machine interface

Page 32: chile-2015 (2)

15 mins of my systems crawling for this presentation

Page 33: chile-2015 (2)

So many internet-connected systems.. No interest?

“At present”, the lawyer explains to Formiche.net, “terrorist groups use technology or the Internet exclusively for specific purposes, which however have nothing to do with gathering information, that is, with the possibility of carrying out attacks or, more generally, of generating terror through these tools”.

Will it change?

Page 34: chile-2015 (2)

Be informed, be proactive ….

And always ask your security engineers to double-check, if you have one.

Page 35: chile-2015 (2)

Be informed, be proactive and don’t forget the basics

Follow basic security practices:

- Access control and access roles
- Patching
- Removing debug services
- Check if your system is inadvertently exposed to the Internet
- Couple all of the above with auditing and vulnerability assessments

and you are on your way to a much better (and more secure) ICS/SCADA infrastructure.

http://www.toolswatch.org/wp-content/uploads/2015/11/ICSSCADA-Top-10-Most-Dangerous-Software-Weaknesses.pdf

Page 37: chile-2015 (2)

Be informed, be proactive and don’t forget the basics

Tools and Guidelines: