Emerging threats and cyberattacks against critical infrastructures
Chapter 2 of “Threat model and attack analysis” (WP1), TENACE 2nd meeting
Federico Maggi (1), Stefano Zanero (1)
(1) POLIMI (leader)
(2) UNITN
(3) UNIPI
(4) POLITO
(5) CNR
June 12, 2013
DISCLAIMER
These slides must be considered a DRAFT. Therefore, they are far from being complete, exhaustive, or free from mistakes.
Emerging threats and cyberattacks
Outline
Introduction
Threats
  Actors
  Motivation and goals
Vulnerabilities
  Network and infrastructure layer
  SCADA/ICS and Embedded Devices
  Applications
  Business layer
Attacks
  Case study: Stuxnet
  Case study: Aramco
Remediation and protection approaches
Introduction
IT systems and CIs have converged
- controlling CIs remotely (e.g., over the Internet) is feasible and convenient
- it consolidates the operation of CIs
- as a result, CIs and IT systems have converged
Security consequences
- new security concerns and threats arise
- two previously isolated worlds, the Internet and the CI systems, are now interconnected
- the Internet is itself a critical asset of modern CIs
- their controlling systems are often distributed (over remote, Internet-connected locations)
Threats
Old threats: high impact
- well-known threats such as malware, botnets, or denial of service attacks
- have become threats for CIs as well
- core difference: CIs can take actions that ultimately impact the physical environment
Impact on the physical world
- safety risks
- possibility of production loss
- equipment damage
- information theft
- loss of human life
Actors
Are actors really active? Or is it just probing?
- the actors behind the events reported weekly in the news as “cyberattacks” are probing without causing deliberate damage
- CI security is complex
- in order of importance:
1. Nation states
2. Nonstate organized threat groups
3. Hacktivists
4. Business-oriented attackers
5. Casual attackers
Nation states
- new actor
- CIs are a relevant target in modern cyberwarfare
- attacks against CIs can be politically or economically motivated
- extension: state-sponsored attackers
Nonstate organized threat groups
- cyberterrorists
- e.g., Aramco
Hacktivists
- a lot of attention recently
- little or no technical hacking skills
- rely on cyber weapons (e.g., script kiddies, attack services, botnets, malware or exploitation kits)
- cause damage to a system (e.g., denial of service, defacement)
- as a sign of protest
Business-oriented attackers
- traditional category of attackers
- abusive activities against competitor-controlled CIs
- gain business advantage
Casual attackers
- script kiddies
- gain much more importance in the context of CIs
- little or no technical skills
- against Internet-facing CIs (e.g., found via SHODAN, http://www.shodanhq.com) they can cause serious damage
Motivation and goals
Political, strategical, warfare
- scarcity of reliable information
- most of the attacks have warfare or strategical motivations
- Stuxnet, Aramco, Duqu
- goal: exfiltrating intelligence or secret information
- no certain statement about the final use of such information
- political nature
- nation states and hacktivists
Economical
- business-oriented attackers and nation states
- also before the CIs era
- higher economical impact
Vulnerabilities
Different classes of vulnerabilities
- increased connectivity + open design + use of COTS components cause logical + design vulnerabilities
- components not built with security in mind
- the application layer also exposes vulnerabilities
- lack of security features
Network and infrastructure layer
Infrastructure layer is particularly critical
- CIs are controlled by distributed systems over a network
- thus, the infrastructure layer is particularly critical
Conflicting requirements
- control systems used to be electronically isolated
- industrial plants focused on physical security
- demands for increased connectivity
- the factory floor and the corporate network are now linked through complex inter-networks such as the Internet
Was security through obscurity better?
- before: proprietary solutions, a weak form of security through obscurity
- now: SCADA communication protocols move towards open international standards
- commercial off-the-shelf hardware and software components
- encapsulation of beyond-SCADA application protocols over TCP: new vulnerabilities
- “the hackers don’t know our systems”: false now
- open standards: easy for attackers to gain in-depth knowledge
- benefit: proprietary protocols did not guarantee real security anyway
Scalable monitoring mechanisms
- wireless sensor networks (WSNs) are a natural solution
- distributed: increases the survivability of the network in critical situations
- large-scale WSNs are less likely to be entirely affected by failures or attacks
- security in WSNs is a long-term problem
- security breach => safety issue with possible consequences
- WSNs may become an attractive target for an adversary (unattended
SCADA/ICS and Embedded Devices
Proprietary protocols encapsulation
- originally: SCADA systems employed ad-hoc protocols
- functional requirements were more important than security requirements
- now: migration of SCADA systems to the TCP/IP network stack
- previously unprotected SCADA protocols are exposed on the TCP/IP carrier
- attacks on a corporate network could then tunnel into a SCADA system
- SHODAN search engine, http://www.shodanhq.com
- SCADA/ICS lack security features
- absence of proper authentication and authorization schemes
Software bugs in SCADA devices
- an input validation bug can lead to exposure of the whole infrastructure
- e.g., fuzzing can successfully crash SCADA equipment
- requires extensive software testing
- embedded devices may expose specific vulnerabilities that could be exploited to compromise the whole system
- they are not managed as regular computers
- embedded-device security is generally overlooked
- e.g., unprotected firmware upgrade utility in SCADA field devices
Applications
Careful trust modeling needed
- distributed nature
- exchange of messages among pieces of code deployed on different components
- need for trust management to handle the trust relations
- interdependences can be exploited in coordinated, strategic attacks
Business layer
The weak link is always exploitable
- operationally speaking, CIs are “ordinary businesses”
- Stuxnet spread through an employee’s USB key
- employees are a well-known point of failure
- social engineering and (spear) phishing have a significant impact on CIs
Social engineering
- trick the user into giving away information or performing some actions
- e.g., e-mail, phone call, bogus technical support
- focus shifts from the system to the human operators
- not technical, yet backed by technical platforms to develop and deploy social engineering
- e.g., Citadel is a popular “social platform” for building custom attacks
Targeted attacks
- targeted against a particular person or organization
- victim used as a “proxy” for the attack
- pre-existing knowledge of the victim or infrastructure
- e.g., the attacker “spoofs” the communication as coming from trusted identities
- tricks email recipients into performing the compromising action
- more technical
- e.g., 0-day exploits are a sign of a targeted attack
- difficult to detect, mitigate, assess, and remediate
Sequence of dependent failures
- interdependences among CI components
- ripple effect in the power grid
- potentially catastrophic
- difficult to predict
- privatization of some CIs
- profit-driven management
Attacks
Attacks as violation of security properties
- example security properties that can be violated:
- authorization
- access control
- availability
Case study: Stuxnet
W32.Stuxnet 2009–2010
- targeted attack that
- many obscure points
- designed specifically to propagate into and compromise Siemens-branded ICSs
- 0-day vulnerabilities, a Windows rootkit, a PLC rootkit
- goal: modify the functioning of PLCs to alter the operation of the equipment
- serious damage
Symantec (2013)
- earlier Stuxnet versions contained malicious code unleashed by the U.S. and Israel several years ago
- Stuxnet was active about two years before the main incident
- Stuxnet basically failed, or was not intended to succeed
Case study: Aramco
Symantec and Kaspersky (2012)
- novel worm dubbed “Shamoon”
- cyber espionage and sabotage attacks in the Middle East area
- unique payload/action
- steals and deletes files + replaces them with a picture of an American flag in flames
- the “Cutting Sword of Justice” group claimed responsibility
- against 30,000 Saudi Aramco workstations
- did not hit any of the production control computers and networks
Remediation and protection approaches
Traditional approaches unsuitable for CIs
- complexity, heterogeneity, adaptability
- novel challenges in the design of risk mitigation systems
- vulnerability assessment is well suited to traditional IT systems
- unsatisfactory and limited in scope for CIs
- the required downtime is unacceptable for CIs
- patching CI components is problematic (availability, large scale)
- testbeds with physical and virtual devices (are these realistic?)
- can help to identify common vulnerabilities
Network segregation (control vs. corporate network)
- complete physical segregation is not feasible (large-scale and distributed)
- does not protect from physical access to control networks (e.g., via social engineering)
- utopia: security-focused redesign of the communication protocols
- incompatibility with legacy systems
- adoption of unused function fields in standard SCADA protocols
- for confidentiality and integrity
- transparent tunneling
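As an added example (not part of the original slides), the following Python script illustrates the point made in the SCADA/ICS slides and again in the network-segregation slide: a SCADA protocol carried over TCP, here Modbus/TCP taken as the representative open standard, has no authentication field at all, so a monitor at the boundary between corporate and control network can only judge a write request by where it comes from. The control-network range, the allowlist policy and the sample frames are constructed assumptions for this example.

```python
import struct
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Modbus/TCP function codes that change process state (writes). Assumption:
# Modbus/TCP is used as the representative open SCADA-over-TCP protocol.
WRITE_FUNCTIONS = {0x05: "write single coil", 0x06: "write single register",
                   0x0F: "write multiple coils", 0x10: "write multiple registers"}
# Hypothetical control-network range; only hosts in it may issue writes.
CONTROL_NET = ip_network("10.10.0.0/24")

class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU that follows it. There is no
    authentication field: any host reaching TCP/502 can send a valid frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU bytes
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def audit(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert for a write request coming from outside the control
    network (the corporate-network-to-SCADA tunnel case), else None."""
    req = parse_modbus_tcp(frame)
    if req.function in WRITE_FUNCTIONS and ip_address(src_ip) not in CONTROL_NET:
        return (f"ALERT {src_ip} -> unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function]} (fc 0x{req.function:02x}) "
                f"from outside {CONTROL_NET}")
    return None

# Constructed sample frames (not captured traffic).
# Read holding registers 0..9 from unit 1: fc 0x03, start 0, count 10.
READ_FRAME = struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x03, 0, 10)
# Write single register 0x0010 := 0xFF00 on unit 1: fc 0x06.
WRITE_FRAME = struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x06, 0x0010, 0xFF00)

if __name__ == "__main__":
    for src, frame in [("10.10.0.5", WRITE_FRAME), ("192.168.1.77", WRITE_FRAME),
                       ("192.168.1.77", READ_FRAME)]:
        print(src, audit(src, frame))
```

Only the second case raises an alert: the same write frame is accepted from a control-network host and flagged from a corporate-network host, which is exactly the gap that segregation and monitoring have to close when the protocol itself cannot.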