
Emerging threats and cyberattacks against critical infrastructures

Chapter 2 of “Threat model and attack analysis” (WP1)
TENACE 2nd meeting

Federico Maggi (1), Stefano Zanero (1)

(1) POLIMI (leader)
(2) UNITN
(3) UNIPI
(4) POLITO
(5) CNR

June 12, 2013

DISCLAIMER

These slides must be considered as a DRAFT. Therefore, they are far from being complete, exhaustive, or free from mistakes.

Emerging threats and cyberattacks

Outline

1. Introduction
2. Threats
   - Actors
   - Motivation and goals
3. Vulnerabilities
   - Network and infrastructure layer
   - SCADA/ICS and Embedded Devices
   - Applications
   - Business layer
4. Attacks
   - Case study: Stuxnet
   - Case study: Aramco
5. Remediation and protection approaches



Introduction

IT systems and CIs have converged

- controlling CIs remotely (e.g., over the Internet) is feasible and convenient
- consolidate the operation of CIs
- As a result, CIs and IT systems have converged.


Security consequences

- security concerns and threats
- two previously isolated worlds, the Internet and the CI systems, are now interconnected
- the Internet is itself a critical asset of modern CIs
- their controlling systems are often distributed (over remote, Internet-connected locations).


Threats

Old threats: high impact

- Well-known threats such as malware, botnets, or denial of service attacks
- became threats for CIs as well
- core difference: CIs can take actions that ultimately impact the physical environment


Impact on the physical world

- safety risks
- possibility of production loss
- equipment damage
- information theft
- loss of human life


Actors

Are actors really active? Or, is it just probing?

- the actors behind what is weekly reported in the news as “cyberattacks” are probing without causing deliberate damage
- CI security is complex
- In order of importance:
  1. Nation states
  2. Nonstate organized threat groups
  3. Hacktivists
  4. Business-oriented attackers
  5. Casual attackers


Nation states

- new actor
- CIs are a relevant target in modern cyberwarfare
- attacks against CIs can be politically or economically motivated
- extension: state-sponsored attackers


Nonstate organized threat groups

- cyberterrorists
- e.g., Aramco


Hacktivists

- a lot of attention recently
- little or no technical hacking skills
- rely on cyber weapons (e.g., script kiddies, attack services, botnets, malware or exploitation kits)
- cause damage to a system (e.g., denial of service, defacement)
- sign of protest


Business-oriented attackers

- traditional category of attackers
- abusive activities against competitor-controlled CIs
- gain business advantage


Casual attackers

- script kiddies
- gain much more importance in the context of CIs
- little or no technical skills
- against Internet-facing CIs (e.g., those listed by SHODAN, http://www.shodanhq.com) they can cause serious damage


Motivation and goals

Political, strategical, warfare

- scarcity of reliable information
- most of the attacks have warfare or strategical motivations
- Stuxnet, Aramco, Duqu
- goal: exfiltrating intelligence or secret information.
- no certain statement about the final use of such information
- political nature
- nation states and hacktivists


Economic

- Business-oriented and nation states
- also before the CI era
- higher economic impact


Vulnerabilities

Different classes of vulnerabilities

- increased connectivity + open design + use of COTS components cause logical + design vulnerabilities
- components not built with security in mind
- application layer also exposes vulnerabilities
- lack of security features


Network and infrastructure layer

Infrastructure layer is particularly critical

- CIs are controlled by distributed systems over a network
- thus, the infrastructure layer is particularly critical


Conflicting requirements

- control systems were electronically isolated
- industrial plants focused on physical security
- demands for increased connectivity
- factory floor and corporate network connected through complex inter-networks such as the Internet


Was security through obscurity better?

- before: proprietary solutions, weak form of security through obscurity
- now: SCADA communication protocols moving towards open international standards
- commercial off-the-shelf hardware and software components
- encapsulation of beyond-SCADA application protocols over TCP: new vulnerabilities
- “the hackers don’t know our systems”: false now
- open standards: easy for attackers to gain in-depth knowledge
- benefit: proprietary protocols did not guarantee real security


Scalable monitoring mechanisms

- wireless sensor networks (WSNs) are a natural solution
- distributed: increases the survivability of the network in critical situations
- large-scale WSNs are less likely to be entirely affected by failures or attacks.
- Security in WSNs is a long-term problem
- security breach ⇒ safety issue with possible consequences
- WSNs may become an attractive target for an adversary (unattended


SCADA/ICS and Embedded Devices

Proprietary protocols encapsulation

- Originally: SCADA systems employed ad-hoc protocols
- functional requirements more important than security requirements
- now: migration of SCADA systems to the TCP/IP network stack
- previously unprotected SCADA protocols are exposed on the TCP/IP carrier
- attacks on a corporate network could then tunnel into a SCADA system
- SHODAN search engine, http://www.shodanhq.com
- SCADA/ICS lack security features
- absence of proper authentication and authorization schemes


Software bugs in SCADA devices

- an input validation bug can lead to whole-infrastructure exposure
- e.g., fuzzing can successfully crash SCADA equipment
- requires extensive software testing
- embedded devices may expose specific vulnerabilities that could be exploited to compromise the whole system
- are not managed as regular computers
- embedded-devices security is generally overlooked
- e.g., unprotected firmware upgrade utility in SCADA field devices
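The two slides above (unauthenticated SCADA protocols exposed over TCP/IP, and input validation bugs that fuzzing turns into crashes) in working form, as an added example that is not from the slides or the TENACE project: Modbus/TCP is assumed here as the open SCADA-over-TCP protocol, the parser refuses frames whose length field disagrees with the buffer instead of trusting it, and an allow-list of master addresses (the only authentication available, since the protocol has none) flags write requests from any other host.

```python
import struct

# Modbus/TCP is assumed here as one of the open, unauthenticated SCADA protocols carried
# over TCP/IP that the slides describe; the slides themselves do not name a protocol.
MBAP_LEN = 7                  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_LENGTH_FIELD = 254        # 260-byte maximum ADU minus the 6 header bytes before the unit id
WRITE_CODES = {5, 6, 15, 16}  # write coil(s)/register(s): requests that change plant state

def parse_modbus_tcp(frame: bytes):
    """Return (transaction_id, unit_id, function, payload) or raise ValueError on a bad frame.
    Indexing the buffer by the attacker-controlled length field without these checks is
    exactly the kind of input-validation bug that a fuzzer turns into a device crash."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # 'length' counts unit id + PDU, so a well-formed frame is exactly 6 + length bytes long
    if length < 2 or length > MAX_LENGTH_FIELD or len(frame) != 6 + length:
        raise ValueError(f"length field {length} inconsistent with a {len(frame)}-byte frame")
    return tid, unit, frame[MBAP_LEN], frame[MBAP_LEN + 1:]

def audit(frames, src_ip, allowed_masters):
    """Classify each frame sent by src_ip as 'malformed', 'unauthorized-write' or 'ok'.
    The protocol carries no credentials, so an allow-list of master addresses is the
    only thing standing between a write request on the wire and the field device."""
    verdicts = []
    for frame in frames:
        try:
            _tid, _unit, function, _payload = parse_modbus_tcp(frame)
        except ValueError:
            verdicts.append("malformed")
            continue
        if function in WRITE_CODES and src_ip not in allowed_masters:
            verdicts.append("unauthorized-write")
        else:
            verdicts.append("ok")
    return verdicts

# Constructed sample frames, not captured from any real plant:
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),  # read 10 holding registers from unit 1
    bytes.fromhex("000200000006010600001234"),  # write 0x1234 to holding register 0
    bytes.fromhex("00030000ffff01030000000a"),  # length field 0xffff on a 12-byte frame
    bytes.fromhex("0004000000"),                # truncated mid-header
]
```

Run `audit(SAMPLE_FRAMES, "10.0.0.99", {"10.0.0.10"})` to see the write from an unknown host and the two malformed frames flagged while the read passes.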


Applications

Careful trust modeling needed

- distributed nature
- exchange of messages among pieces of code deployed on different components
- need for trust management for managing the trust relations
- interdependencies can be exploited in coordinated, strategic attacks


Business layer

The weak link is always exploitable

- operationally speaking, CIs are “ordinary businesses”
- Stuxnet spread through an employee’s USB key
- employees are a well-known point of failure
- social engineering and (spear) phishing have significant impact on CIs


Social engineering

- trick the user into giving away information or performing some actions
- e.g., e-mail, phone call, bogus technical support
- focus: from the system to the human operators
- not technical, yet backed by technical platforms to develop and deploy social engineering
- e.g., Citadel is a popular “social platform” for building custom attacks


Targeted attacks

- targeted against a particular person or organization
- victim as a “proxy” for the attack
- pre-existing knowledge of the victim or infrastructure
- e.g., the attacker “spoofs” the communication as coming from trusted identities
- trick email recipients into performing the compromising action
- more technical
- e.g., 0-day exploits are a sign of a targeted attack
- difficult to detect, mitigate, assess, and remediate


Sequence of dependent failures

- interdependencies among CI components
- ripple effect in the power grid
- potentially catastrophic
- difficult to predict
- privatization of some CIs
- profit-driven management


Attacks

Attacks as violation of security properties

- example security properties that can be violated:
  - authorization
  - access control
  - availability


Case study: Stuxnet

W32.Stuxnet 2009–2010

- targeted attack that
- many obscure points
- built specifically to propagate into and compromise Siemens-branded ICSs
- 0-day vulnerability, a Windows rootkit, a PLC rootkit
- goal: modify the functioning of PLCs to alter the operation of the equipment
- serious damage


Symantec (2013)

- earlier Stuxnet versions contained malicious code unleashed by the U.S. and Israel several years ago
- Stuxnet active about two years before the main incident
- Stuxnet basically failed, or was not intended to succeed


Case study: Aramco

Symantec and Kaspersky (2012)

- novel worm dubbed “Shamoon”
- cyber espionage and sabotage attacks in the Middle East area
- unique payload/action
- steals and deletes files + replaces them with a picture of a burning American flag
- the “Cutting Sword of Justice” group claimed responsibility
- against 30,000 Saudi Aramco workstations
- did not hit any of the production control computers and networks


Remediation and protection approaches

Traditional approaches unsuitable for CIs

- complexity, heterogeneity, adaptability
- novel challenges on the design of risk mitigation systems
- vulnerability assessment is well suited to traditional IT systems
- unsatisfactory and limited in scope for CIs
- the required downtime is unacceptable for CIs
- patching CI components is problematic (availability, large-scale)
- testbeds with physical and virtual devices (are these realistic?)
- can help to identify common vulnerabilities


Network segregation (control vs. corporate network)

- complete physical segregation is not feasible (large-scale and distributed)
- does not protect from physical access to control networks (e.g., social engineering)
- utopia: security-focused redesign of the communication protocols
- incompatibility with legacy systems
- adoption of unused function fields in standard SCADA protocols
- for confidentiality and integrity
- transparent tunneling


Perfect context for IDSs?

- traffic monitoring and anomaly detection
- difficult: traditional IT networks have user-generated traffic
- easy: typical CI networks have uniform and low-volume traffic
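The point of the last slide, as an added example that is not from the slides or the TENACE project: because a control network's traffic is a small, regular set of polls, an anomaly detector can learn the whole baseline from a short window and flag anything outside it. The flow records, hosts and Modbus function codes below are constructed for the example; the profile learned is the set of (source, destination, function) tuples and the typical gap between requests for each.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (seconds, source, destination, Modbus function code); they come
# neither from the slides nor from a real network. One master polls two outstations every
# 5 s, the "uniform and low-volume" traffic pattern the slide describes.
BASELINE = [(t, "10.0.0.10", "10.0.0.20", 3) for t in range(0, 600, 5)]
BASELINE += [(t, "10.0.0.10", "10.0.0.21", 4) for t in range(0, 600, 5)]

def learn_profile(records):
    """Learn the (src, dst, function) tuples seen in baseline traffic and their typical gap."""
    times = defaultdict(list)
    for t, src, dst, fc in sorted(records):
        times[(src, dst, fc)].append(t)
    profile = {}
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        profile[key] = median(gaps) if gaps else None
    return profile

def detect(records, profile, burst_factor=4):
    """Return (timestamp, reason, key) alerts for tuples absent from the baseline and for
    requests arriving much faster than the learned poll interval (scan, replay or flood)."""
    alerts = []
    last_seen = {}
    for t, src, dst, fc in sorted(records):
        key = (src, dst, fc)
        if key not in profile:
            alerts.append((t, "unseen-tuple", key))
            continue
        gap = profile[key]
        if key in last_seen and gap and t - last_seen[key] < gap / burst_factor:
            alerts.append((t, "burst", key))
        last_seen[key] = t
    return alerts

# Constructed observation window: normal polls, a new host issuing a write (function 6),
# then the master's own poll repeated far faster than its 5 s cadence.
OBSERVED = [
    (600, "10.0.0.10", "10.0.0.20", 3), (600, "10.0.0.10", "10.0.0.21", 4),
    (602, "10.0.0.99", "10.0.0.20", 6),
    (605, "10.0.0.10", "10.0.0.20", 3), (605, "10.0.0.10", "10.0.0.21", 4),
    (605.2, "10.0.0.10", "10.0.0.20", 3), (605.4, "10.0.0.10", "10.0.0.20", 3),
]

def run():
    return detect(OBSERVED, learn_profile(BASELINE))
```

`run()` yields one unseen-tuple alert for the write from 10.0.0.99 and two burst alerts for the repeated polls; the same detector over the baseline itself returns nothing, which is the property the slide relies on.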