3. Critical Infrastructure Sectors
A definition from the Department of Homeland Security (USA):
There are 16 critical infrastructure sectors whose assets, systems, and networks,
whether physical or virtual, are considered so vital to the United States that their
incapacitation or destruction would have a debilitating effect on security, national
economic security, national public health or safety, or any combination thereof.
4. Cybersecurity and Critical Infrastructure
- Chemical Sector
- Communications Sector
- Dams Sector
- Emergency Services Sector
- Financial Services Sector
- Government Facilities Sector
- Information Technology Sector
- Transportation Systems Sector
- Commercial Facilities Sector
- Critical Manufacturing Sector
- Defense Industrial Base Sector
- Energy Sector
- Food and Agriculture Sector
- Healthcare and Public Health Sector
- Nuclear Reactors, Materials and Waste Sector
- Water and Wastewater Systems Sector
6. What is missing.. In my opinion
The same 16 sectors as above, and one thing missing from the picture:
The security engineer
9. Cybersecurity investment: a cultural change
Factors:
- high-profile security incidents
- cybersecurity and privacy
A cultural change: companies are allocating more of their overall budget to protect themselves from the increased number of threats.
?????
12. What changed!!!
The world has changed!!!
Robotic surgery! Do you see any risk?
So many IMEIs. Do you see any risk?
13. What changed!!!
The world has changed!!!
Industrial Control Systems (ICS) are physical-equipment-oriented technologies and systems. Within the control systems industry, Industrial Control Systems (ICS) are often referred to as Operational Technology (OT).
An emerging classification developed by the National Science Foundation and NIST is to classify the hybrid of IT and OT as Cyber-Physical Systems (CPS).
20. The SunnyWebBox example
This is not a critical infrastructure!! Yes.. It is..
1 MWh circa 250 $; 2.7 * 250 $ = circa 700 $/day!!
100 found in 1 hour: I can log in, change the password, start to intercept Modbus messages.. etc.. etc..
24. The Modbus protocol, from SANS forum
"Modbus Protocol is a messaging structure developed by Modicon in 1979. It is used to establish master-slave/client-server communication between intelligent devices. Modbus was originally developed as a proprietary communication/command protocol for SCADA/Process Control systems. It has been migrated to TCP/IP since 1999.
One of the first main issues with Modbus is that it is not designed to be run on open networks; it was intended to be used on dedicated lines, such as a serial connection, or a closed network. Ideally this is achieved through an airgap between the PCS network and the corporate IT network.
The Modbus protocol itself contains no security whatsoever. If you can communicate directly with a Modbus server or client you can issue commands. This can be quite important depending on the function that the slave devices are performing. The only real choices are, as mentioned previously, to completely airgap Modbus from any other network, or severely limit access to authorized masters."
25. Is the Modbus protocol today really secure?
Not really… there are still many legacy systems with no security, many new ones with no security settings, and the protocol still has no encryption (man in the middle).
The Protocol Data Unit (PDU) of the MODBUS protocol is simple and independent from the underlying layers. It is composed of a Function code that determines the action to be taken with the following Data segment.
SCADA (Supervisory Control and Data Acquisition) – (ICS: Industrial Control Systems)
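A worked example added here, not from the slide deck or from any Modbus vendor: a small Modbus/TCP decoder that shows the frame layout the slide describes (MBAP header, then a PDU of function code plus data segment), and a monitoring check that implements the SANS advice from the previous slide, "severely limit access to authorized masters", by flagging any request whose source is not on an allow-list. The IP addresses, register numbers and sample frames are constructed for the example; the function codes are the standard Modbus ones.

```python
import struct
from dataclasses import dataclass

# Public function codes from the Modbus application protocol specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int        # slave/server address only; it authenticates nothing
    function_code: int  # action to be taken on the data segment
    data: bytes         # the PDU data segment


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (always 0), length of unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode a Modbus/TCP frame. Note what is absent: no credential, no signature, no nonce."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(transaction_id, unit_id, frame[7], frame[8:])


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def audit(traffic, authorized_masters):
    """Flag requests that did not come from an authorized master.
    Writes from unknown hosts are critical; reads from unknown hosts are warnings."""
    alerts = []
    for src_ip, raw in traffic:
        frame = parse_modbus_tcp(raw)
        if src_ip in authorized_masters:
            continue
        fc = frame.function_code
        if fc in WRITE_CODES:
            alerts.append({"severity": "critical", "src": src_ip,
                           "function": WRITE_CODES[fc], "unit": frame.unit_id})
        else:
            alerts.append({"severity": "warning", "src": src_ip,
                           "function": READ_CODES.get(fc, f"function {fc}"),
                           "unit": frame.unit_id})
    return alerts


# Constructed sample traffic as (source IP, raw frame); hosts and registers are hypothetical.
AUTHORIZED_MASTERS = {"10.0.0.10"}
SAMPLE_TRAFFIC = [
    ("10.0.0.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),    # HMI reads 10 holding registers
    ("10.0.0.10", build_frame(2, 1, 6, struct.pack(">HH", 40, 500))),  # HMI writes setpoint register 40
    ("10.0.0.99", build_frame(3, 1, 6, struct.pack(">HH", 40, 0))),    # unknown host writes register 40
    ("10.0.0.99", build_frame(4, 1, 1, struct.pack(">HH", 0, 8))),     # unknown host reads 8 coils
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_TRAFFIC, AUTHORIZED_MASTERS):
        print(alert)
```

The decoder makes the slide's point concrete: every field in the frame is either a counter, a length or an address, so the only thing a device can check is "did the bytes arrive well-formed". Any access control has to live outside the protocol, which is what the allow-list in `audit` stands in for; on a real network the same rule would be expressed in a firewall or an ICS-aware IDS rather than in Python.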
26. OK.. But are ICS/SCADA systems today in general secure?
An example: the Modbus protocol.
In an imagined scenario, if an attacker successfully inserts a transceiver device between two nodes, it can monitor, disrupt and modify the communication or compromise it entirely.
In 2010 a malware called Stuxnet systematically destroyed a fifth of Iran's nuclear centrifuges by causing them to spin out of control.
In 2013 two American cyber security experts took over the control of an oil rig. It could have caused a serious environmental disaster.
In 2013 the SCADA Strangelove team reported their findings about the vulnerabilities of several industrial protocols including MODBUS. They exploited "zero day" bugs and took over entire networks within a matter of hours.
In 2013 two ICS experts compromised multiple industrial facilities through a radio frequency channel. They gained access to temperature sensors and were able to falsify the real data.
And today?
27. Where are we today?
Cyber attacks against supervisory control and data acquisition (SCADA) systems
doubled in 2014, according to Dell’s annual threat report.
The majority of these attacks targeted Finland, the United Kingdom, and the United States, Dell said, noting that
the reason is likely the fact that SCADA systems are more common in these regions and more likely to be
connected to the Internet.
In 2014, Dell said that it saw 202,322 SCADA attacks in Finland, 69,656 in the UK, and 51,258 in the US.
28. Where are we today?
"Since companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported," said Patrick Sweeney, executive director, Dell Security. "This lack of information sharing combined with an aging industrial machinery infrastructure presents huge security challenges that will continue to grow in the coming months and years."
“Because companies are only required to report data breaches that involve personal or
payment information, SCADA attacks often go unreported,” Dell said in its report. “As a
result, other industrial companies within the space might not even know a SCADA
threat exists until they are targeted themselves.”
29. Where are we today?
A recent report published by the Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT) showed that while ICS vendors have been targeted by
various types of malicious actors, over half of the attacks reported to the agency
in 2014 involved advanced persistent threats (APTs).
ICS-CERT has issued alerts for multiple campaigns over the last year, including
one which focused on the use of the Havex RAT in attacks aimed at ICS, and the
second related to BlackEnergy Attacks exploiting vulnerabilities in products from
GE, Advantech/Broadwin, and Siemens.
30. Where are we today?
SCADA systems
Acquisition: includes sensors, meters and field devices, such as photo sensors, pressure sensors, temperature sensors and flow sensors.
In 2014, only about 1% of the total ICS/SCADA vulnerabilities were present in data acquisition. Example: CVE-2014-2378 (a road traffic sensor accepted modifications without sufficient checks).
Conversion: remote terminal units (RTU), intelligent electronic devices (IEDs) and programmable logic controllers (PLC).
In 2014 about 14% of vulnerabilities were present in the conversion component. PLC example: CVE-2014-0769 (port 4000/TCP debug service and port 4001/TCP log service could allow modification of memory and logging).
Communication: Modbus, DNP3, ControlNet, ProfiBus, ICCP, OPC and others.
21% of vulnerabilities were present in communication. CVE-2014-5410, CVE-2014-0761, CVE-2014-2342 and CVE-2013-6143 are some of the examples that affected DNP3 components.
Presentation and Control (HMI): this consists of devices used to monitor and control data received from various communication channels. It includes the Human Machine Interface (HMI), which the operator uses to monitor and react to alerts and alarms.
63% were found in this component. Most ICS/SCADA vendors have shifted or are shifting to web-based HMIs. As a result, a lot of directory traversal attacks, buffer overflows, XSS, SQL injection, CSRF and other web-related vulnerabilities affected this component. Some examples are CVE-2014-5436, CVE-2014-5417, CVE-2014-2358, CVE-2014-2376, CVE-2014-2353 and CVE-2014-0751.
31. Where are we today?
As vendors migrate HMIs to web-based systems, more vulnerabilities have now appeared in web HMI components. Data communication and conversion are still affected by vulnerabilities, but attackers tend to gravitate towards the easiest path to exploitation, and a web-based HMI is an easy target.
HMI: human–machine interface
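An added example for the two slides above, not taken from the deck or from any HMI product: the directory traversal class named there, shown as the vulnerable file-serving pattern next to its hardened form, plus a check that scans web-server access log lines for traversal attempts so an operator can tell whether a web HMI is already being probed. The report directory, hosts and log lines are constructed for the example.

```python
import os
import re


# Vulnerable pattern: the file name taken from the HTTP request is joined to the
# report directory and served as-is, so "../" walks out of that directory.
def unsafe_report_path(base_dir: str, requested: str) -> str:
    return os.path.join(base_dir, requested)


# Hardened form: normalise to an absolute path and refuse anything that does not
# stay under base_dir (absolute names, "..", and sibling-prefix tricks all fail).
def safe_report_path(base_dir: str, requested: str):
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Detection: traversal sequences as they typically appear in access logs,
# both plain and URL-encoded, forward and backward slash.
TRAVERSAL_RE = re.compile(
    r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e%2e%5c)", re.IGNORECASE)


def find_traversal_attempts(log_lines):
    """Return the log lines whose request path carries a traversal sequence."""
    return [line for line in log_lines if TRAVERSAL_RE.search(line)]


# Constructed sample access-log lines (hypothetical hosts, paths and file names).
SAMPLE_LOG = [
    '10.0.0.10 - - [12/Nov/2015:10:01:07 +0100] "GET /hmi/report?file=daily.csv HTTP/1.1" 200 5120',
    '10.0.0.99 - - [12/Nov/2015:10:01:09 +0100] "GET /hmi/report?file=../../conf/hmi.ini HTTP/1.1" 200 1830',
    '10.0.0.10 - - [12/Nov/2015:10:02:11 +0100] "GET /hmi/status HTTP/1.1" 200 240',
    '10.0.0.99 - - [12/Nov/2015:10:02:15 +0100] "GET /hmi/report?file=%2e%2e%2f%2e%2e%2fconf%2fhmi.ini HTTP/1.1" 200 920',
]

if __name__ == "__main__":
    print(safe_report_path("/srv/hmi/reports", "daily.csv"))
    print(safe_report_path("/srv/hmi/reports", "../../conf/hmi.ini"))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The containment check works on the normalised path rather than on a blacklist of "..", which is why it also rejects an absolute file name and a directory whose name merely starts with the base name. A 200 status on a line the scanner flags is the signal to act on: the HMI answered a request that should have been refused.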
32. 15 mins of my systems crawling for this presentation
33. So many internet-connected systems.. No interest?
"At present," the lawyer explains to Formiche.net, "terrorist groups use technology or the Internet exclusively for specific purposes, which however have nothing to do with gathering information, that is, with the possibility of carrying out attacks or, more generally, of spreading terror through these tools."
Will it change?
34. Be informed, be proactive….
And always ask your security engineers to double check, if you have one.
35. Be informed, be proactive and don't forget the basics
Follow basic security practices:
- Access control and access roles
- Patching
- Removing debug services
- Check if your system is inadvertently exposed to the Internet
- Couple all of the above with auditing and vulnerability assessments
- and you are on your way to a much better (and more secure) ICS/SCADA infrastructure.
http://www.toolswatch.org/wp-content/uploads/2015/11/ICSSCADA-Top-10-Most-Dangerous-Software-Weaknesses.pdf
36. Be informed, be proactive and don't forget the basics
Be aware of the threats:
Cyber Threats
Black Energy
Duqu
Flame
Havex
Operation Cleaver
Shamoon
Stuxnet
37. Be informed, be proactive and don't forget the basics
Tools and Guidelines: