Cyber Threats to SCADA Systems
Prof. Roberto Setola Università CAMPUS BioMedico di Roma
Critical Infrastructure Protection
A Real Time Alerting System: Tools & Models
Roma, 28 February 2011
02/03/2011 2Roberto Setola – [email protected] 2
• Associate Professor at CAMPUS Biomedico of Rome (Control Systems)
• Expert of CIP (on the topic since 2002)
  – Italian Government WG on CIIP (2003/04)
  – G8 CIIP group and G8 High Tech Crime (2003/05)
• Coordinator of the EU CIPs project SecuFood
• Editor of the magazine Safety&Security (2008-10)
• Editor of the magazine Information Security (from 2011)
• Co-Editor of 6 books on CIIP, HS and Matlab
• Co-Guest editor of 3 special issues on CIP
• Associate editor of IJSSE
• Founder, Secretary of AIIC (from 2006)
• Member IFIP 11.10, EuroSCSIE, MNE7
The author – Roberto Setola
Cyber Threat to SCADA Systems: is it real?
There is evidence of effective cyber-attacks on SCADA systems
Overall Incident Trends
[Figure: bar chart of incidents per year, 1982-1993 and then 1994 to 2004, annotated "Something Changes Here"]
BCIT Industrial Security Incident Database (ISID) tracks network cyber incidents that directly impact industrial and SCADA operations. Both malicious and accidental incidents are tracked.
Something Happens in 2001…
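[Figure: bar chart of incidents by type (Internal, Accidental, External, with an exponential trend line for External) over the periods 1982-1993, 1994-2001 and 2002-2004]

Incident types, 1982-2001:
• Accidental 58%
• Internal 15%
• External 27%

Incident types, 2002-2004:
• External 67%
• Accidental 25%
• Internal 2%
• Audit 4%
• Other 2%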
Threats to IT and CII
same source but different consequences …
• Corporate infrastructure (administrative and management)
• ICS infrastructure (SCADA: protection, control, operation)
Cyber Threats
Based on the motivation of the attackers, we can classify them as:
• Cyber crime
• Cyber espionage
• Cyber terrorism
• Cyber war
Cyber ‐ crime
2003 - Slammer
Source: a bug in a commonly used software product (Microsoft SQL Server)
Consequences (some…)
• Finance: in the USA 13,000 ATMs out of service; in Italy 11,000 post offices off-line
• Emergency: 911 in Seattle stopped
• Transportation: many flights delayed or canceled in Houston
• Electricity: SCADA of two US utilities stopped
DDoS
2000 - Maroochy Shire
Source: an ex-employee used a wireless Internet connection to penetrate the SCADA of a sewage treatment plant
Consequences
• 47 "abnormal" accidents in January-April 2000
• 1,200,000 liters of raw sewage dispersed in the environment
• Potable water compromised in the area
Cyber ‐ espionage
… nothing new
Cyber Terrorism
Terrorists make extensive use of the net to:
• Communicate
• Proselytize
• Raise funds
• Train
• Etc.
… but until today, there is no evidence that they are planning any type of cyber attack
Cyber war
Cyber (experiments) war?
• Cyber attack on Estonia (27 April – 19 May 2007): a DDoS attack blocked several governmental and financial web sites
• Before Russia's military initiative in Ossetia, Georgia's cyberspace was subjected to a DDoS attack
China - USA
In March 2010 a young Chinese researcher was pointed out to the US Congress as a dangerous enemy, because he wrote a scientific paper on the vulnerability of the US electric grid to cyber attack
Let's have a look at the US strategies for CIP
US Strategy
[Diagram labels]
• Policy Inputs
• Federal and Private Roles
• Sector Roadmaps
• Vision/Goals
• Roles & Responsibilities
• Sector Needs
• Coordination Strategies
• GAO Recommendations
• Sector-Specific Plans
• Drivers/Needs
Control Systems Security Program
www.us‐cert.gov/control_systems
Risk Reduction Products
Cyber Security Procurement Language for Control Systems
Building Security into Control Systems
Provides sample or recommended language for control systems security requirements
– New SCADA / control systems
– Legacy systems
– Maintenance contracts
Key Program Areas
• Assess and mitigate energy control systems vulnerabilities
• Develop advanced secure control systems technologies
• Support development of standards and best practices
• Conduct outreach and awareness
DOE multi-laboratory program designed to: support industry and government efforts to enhance control systems cyber security across the energy infrastructure
INL, NIST, SNL, PNL, ANL
National SCADA Test Bed – Office of Electricity Delivery and Energy Reliability (DOE-OE)
ESTEC Feasibility Study
TESTING ACTIVITY
KEY STAKEHOLDERS
• ASSET OWNERS
• RESEARCHERS
• REGULATION BODIES
• VENDORS
Design a network of test centers to analyse the security issues of SCADA systems in the energy framework
Two Sectors
• Electricity (Power plants, Transmission lines, Distribution lines)
• Oil and Gas (Extraction, Refining, Treatment, Storage, Pipelines, Dispatching centres)
StuxNet
The change!
The «first» cyber-attack on a SCADA system
Until 2010… great attention, but no evidence
StuxNet
• "Stuxnet is a very big project, very well planned and very well funded".
  Liam O'Murchu, Supervisor NAM Security Response, Symantec
• Complex design and uncommon skill set required
• Specific Siemens automation control technology expertise
• 3 million $ cost estimate
  Frank Rieger, CTO, GSMK
• It uses 4 different "0-day" attacks
• It has a double digital signature, stolen from JMicron and Realtek
StuxNet
Source: Trend Micro 2010
It has a very sophisticated architecture and has been developed using several languages
It uses several mechanisms to propagate but …
StuxNet
Country          Infected PCs
Iran             62,867
Indonesia        13,336
India            6,552
United States    2,913
Australia        2,436
Britain          1,038
Malaysia         1,013
Pakistan         993
Germany          5 [but no consequences]
Italy            ?

Stuxnet is a complex-design threat, targeting specific industrial control systems vulnerabilities.
One Obvious Fact
The cyber threat to SCADA systems (and to critical infrastructure) is real
How ready are SCADA systems for Stuxnet-like threats?
Associazione Italiana esperti Infrastrutture Critiche
A non-profit association to promote safety & security culture inside critical infrastructures
www.InfrastruttureCritiche.it
AIIC = Italian Association of Critical Infrastructures' experts
Systems, methods and tools for the security and the crisis management
IV edition, December 2011
Master in Homeland Security
SafeComp 2011
18-21 September 2011, Naples (Italy)
Key Theme: Safety and security of computer-based systems and infrastructures: from risk assessment to threat mitigation
The 30th International Conference on
Computer Safety, Reliability and Security