ict and international security
play

ICT and international security Gian Piero Siroli, Physics and - PowerPoint PPT Presentation

Feb 23, 2024 •163 likes •530 views

ICT and international security Gian Piero Siroli, Physics and Astronomy Dept. Univ. of Bologna & CERN Caffe della Scienza, Livorno, May 2014 What a cyber-weapon can look like: Stuxnet A worm designed to sabotage a specific

  1. ICT and international security Gian Piero Siroli, Physics and Astronomy Dept. Univ. of Bologna & CERN Caffe ’ della Scienza, Livorno, May 2014

  2. What a cyber-weapon can look like: Stuxnet  A “worm” designed to sabotage a specific industrial process. It penetrates a particular subsystem of a SCADA industrial control systems of a single producer (Siemens). Once injected, it spreads silently in the Windows/SCADA infrastructure looking for specific Programmable Logic Controllers (PLC) and reprogram them to alter the functionality, showing at the same time normal running conditions to the monitoring system  Reported in June 2010. First example of a precision military-grade cyber-weapon, deployed to seek and damage a real world physical target, operating the machinery outside its safe/usual performance envelope. Heavy insider knowledge, combination of cyber-war and intelligence  Disruption of Iran's nuclear program by damaging centrifuges at uranium enrichment facility in Natanz  Worm analyzed in public conferences, papers from various authors, probably the best studied piece of malware in history. Executable code available on the network Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  3. What is Stuxnet?  How: Stuxnet intercepts communications with the PLC, determines whether the system is the intended target, modifies the existing PLC code to change the operational parameters. It hides the PLC infection from the operator using rootkit functionality. All these activities take place in two different environments: the Windows environment where the control software (WinCC/STEP7) is running AND at the PLC level, where the malicious code in assembly language (MC7) is injected and executed. Stuxnet determines the target asap and looks for specific configuration before activating Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  4. What is a worm  Self-replicating segment of code able to autonomously spread travelling across networks without any human intervention. Usually containing a “payload” (malware) activating on target systems. A computer virus needs human activity (email, distribution of infected files) and an application to attach to Code Red worm propagation during 24h following release (2001) Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  5. Industrial Control Systems and SCADA ICSs assist in the management of equipment  found in critical infrastructure facilities (electric power generation & distribution, water and wastewater treatment, oil and gas refineries, chemical and food production, transportation). Acting on real daily life equipment SCADA (Supervisory Control and Data  Acquisition) systems: highly distributed systems used to control geographically dispersed assets, often scattered over thousands of square kilometers, where centralized data acquisition and control are critical to system operation PLC (Programmable Logic Controllers):  computer-based low level devices that control real world processes and equipment, used throughout SCADA and DCS. Automation of field "sensors” "actuators“ and (motor starters, pumps, solenoids, pilot lights/displays/devices, speed drives, valves, motion control). Hard real time system Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  6. Many intrusion vectors and open doors Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  7. Critical infrastructures strongly dependent on ICT, intrinsically unsafe and vulnerable  Security flaws inherent in Internet Protocol suite (TCP/IP, most widely used communication standard on the Internet). Security not was not a primary design consideration. Many attacks are “legal” actions according to protocols  Faulty implementation of protocols and improper configuration  Bugs in s/w code, flaws in architecture & design  Security often not (properly) implemented  Vulnerabilities of ICT underlying layer projected onto critical infrastructures Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  8. First Infection: Enterprise Computer Infected USB drive infiltrated into the plant and inserted into computer  (employees laptop infected off-site, infected project files from contractor). Malicious act or through social engineering. “Air - gap” overcome Stuxnet successfully installs even though computer is fully patched  and up to date with anti-virus signatures Rootkit installed to hide files and activities  Attempts connection to Command-and-Control server for updates  Infects any new USB Flash drive inserted into computer  Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli (animation from E.Byres, Tofino Security)

  9. Propagation on Enterprise Network Rapidly spreads to Print Servers and File Servers within hours of initial  infection Establishes P2P network and access to C&C server (but the worm is  autonomous, no remote control, “Launch and Forget”) Infects any new USB Flash drive inserted into any computer  Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli (animation from E.Byres, Tofino Security)

  10. Penetrating Perimeter Network System Admin (Historian) becomes infected through network printer  and file shares System Admin connects via VPN to Perimeter Network and infects the  CAS Server and its WinCC SQL Server database Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli (animation from E.Byres, Tofino Security)

  11. Propagation on Perimeter Network Infects Web Navigation Server’s WinCC SQL Server  Infects STEP7 Project files  Infects other Windows hosts on the subnet like WSUS, AVS etc  Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli (animation from E.Byres, Tofino Security)

  12. Propagation to Control Networks Leverages network connections between Perimeter and Process  Control Network Exploits database connections between CAS Server (Perimeter) and  OS Server (PCN) Infects other hosts on PCN via Shares, WinCC or STEP7 methods  … until it gets at the  interface of the PLC level, and propagates further crossing it … Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli (animation from E.Byres, Tofino Security)

  13. Final steps - I  Stuxnet “fingerprints” the connected PLCs  If the right PLC is found (only two Siemens CPUs are infected), it replaces the S7 communication libraries (DLLs) used for exchanging data with PLCs adding hidden functionality. Stuxnet is the vector to deliver the attack code (15000 LOC) to the PLCs  Stuxnet is now controlling the communication between SCADA & PLC (“Man in the Middle”) . It intercepts the input values from sensors and give fake (prerecorded) data to legitimate programs Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  14. Final steps - II  Stuxnet downloads and replaces code and data to alter PLC behavior This code varies the rotational speed of the centrifuges over months, wearing them out by slowly cracking centrifuge rotors and inhibiting uranium enrichment …in the meantime… everything looks normal at the SCADA supervisor level Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  15. Technical summary - I Stuxnet is a threat targeting specific industrial control systems likely in Iran, very probably an uranium enrichment infrastructure (it searches for facilities that have a minimum of 33 frequency converters installed). The ultimate goal of Stuxnet is to sabotage that facility by reprogramming PLCs to operate as the attackers intend them to, out of their specified boundaries Stuxnet contains many features such as:  Self-replicates through removable drives exploiting a vulnerability allowing auto-execution  Spreads in a LAN through a vulnerability in the Windows Print Spooler. Also spreads through SMB  Copies and executes itself on remote computers running a WinCC database server and through network shares  Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

  16. Technical summary - II  Updates itself through a P2P mechanism within a LAN, just injecting a new version of the worm  Compromises the O/S by exploiting a total of four(!) zero-day exploits (unpatched MS vulnerabilities worth >$100k, two for self-replication and two for escalation of privilege) and it takes advantage of seven different propagation processes  Establishes a P2P connection to a C&C server that allows the hacker to download and execute code, including updated versions  Contains a Windows rootkit that hides its binaries. Hides modified code on PLCs, first PLC rootkit ever seen  Attempts to bypass security products. Signed with two trusted (stolen) digital certificates (for drivers) to avoid being detected  Many different versions starting 6/2009  Sophisticated techniques to limit/avoid reverse engineering of the code (encryption, anti-anti debug)  One of the most complex and carefully engineered worms ever seen. Science-fiction code Caffe ’ della Scienza, Livorno, May, 2014 Gian Piero Siroli

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
International Brand 46 years of experience in the Security Industry More than 3,000 security

International Brand 46 years of experience in the Security Industry More than 3,000 security

International Brand 46 years of experience in the Security Industry More than 3,000 security products office@rottner-security.co.za www.rottner-security.co.za 2 International Brand South Africa Romania United Kingdom Hungary The

631 views • 28 slides
9 th ARF ISM on Maritime Security International Maritime Organization Security and Safety

9 th ARF ISM on Maritime Security International Maritime Organization Security and Safety

9 th ARF ISM on Maritime Security International Maritime Organization Security and Safety Dave Edwards U.S. Coast Guard Chairman, International Civil Aviation Organization/International Maritime Organization Joint Working Group on SAR 1

299 views • 5 slides
International social security standards and challenges to social security Lessons for a

International social security standards and challenges to social security Lessons for a

15 th PPF MEMBERS CONFERENCE Arusha 19-21 October 2005 International social security standards and challenges to social security Lessons for a Tanzanian reform debate Krzysztof Hagemejer Policy coordinator Social Security Department,

499 views • 47 slides
Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

CSS441 Internet Security Web Security TLS/SSL Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

832 views • 32 slides
Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International

Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International

CSS322 Transport Security Web Security TLS/SSL Transport Level Security HTTPS SSH CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013

687 views • 32 slides
Patrol Services International PATROL SERVICES INTERNATIONAL We are a private security business

Patrol Services International PATROL SERVICES INTERNATIONAL We are a private security business

FGS Presents: Patrol Services International PATROL SERVICES INTERNATIONAL We are a private security business committed to closing the gap between law enforcement and security by providing targeted patrols in your community. OUR HISTORY

419 views • 18 slides
Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Internet Security Internet Security Secure Email Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 its335y15s2l10,

450 views • 25 slides
Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 February 2014 its335y13s2l09,

446 views • 31 slides
Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 its335y15s2l08,

680 views • 35 slides
Underground Security International Regulations on Atmospheric Monitoring Mining Production

Underground Security International Regulations on Atmospheric Monitoring Mining Production

Underground Security International Regulations on Atmospheric Monitoring Mining Production Security Seminar Presented by Dave McCullough May 9, 2013 Canadian Embassy, Buenos Aires Regulation Standards Type of Mine International Regulations

825 views • 50 slides
The ILO Social Security Inquiry | SSI Florence Bonnet Social Security Department International

The ILO Social Security Inquiry | SSI Florence Bonnet Social Security Department International

Steve Brandon 16e Confrence internationale des actuaires et statisticiens de la scurit sociale Ottawa, Canada. le 16-18 septembre 2009 The ILO Social Security Inquiry | SSI Florence Bonnet Social Security Department International

704 views • 31 slides
ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* *

ICSS2015: International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness* * Preliminary programme, subject to revision/update status 16 December 2014 4 February 2015 Day 1: Cyber Security Readiness Registration KU

306 views • 4 slides
WELCOME TO UMBs Global Medical and Security Assistance Program Who is International SOS?

WELCOME TO UMBs Global Medical and Security Assistance Program Who is International SOS?

WELCOME TO UMBs Global Medical and Security Assistance Program Who is International SOS? International SOS is the worlds leading medical and security services company 79,000+ accredited 27 Assistance Centers Worldwide providers

486 views • 13 slides
Office of Nuclear Security Department of Nuclear Safety and Security 1 OUTLINE Introduction

Office of Nuclear Security Department of Nuclear Safety and Security 1 OUTLINE Introduction

International Atomic Energy Agency International Physical Protection Advisory Service (IPPAS) 2012 EUROSAFE Forum 6 November 2012, Brussels, Belgium Office of Nuclear Security Department of Nuclear Safety and Security 1 OUTLINE

436 views • 42 slides
YOUR SPEAKER 2016 CHIEF SECURITY OFFICER PRAETORIAN CONSULTING INTERNATIONAL (CYBER

YOUR SPEAKER 2016 CHIEF SECURITY OFFICER PRAETORIAN CONSULTING INTERNATIONAL (CYBER

YOUR SPEAKER 2016 CHIEF SECURITY OFFICER PRAETORIAN CONSULTING INTERNATIONAL (CYBER SECURITY AUTOMATION) 2014 HEAD OF INFORMATION SECURITY WORLDLINE (ATOS GROUP) (LEVEL ONE SERVICE PROVIDER) 2014 CISO LEVEL SECURITY, RISK

266 views • 24 slides
Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack:

Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack:

Cyber@UC Meeting 61 Running a Linux box securely If Youre New! Join our Slack: ucyber.slack.com SIGN IN! (Slackbot will post the link in #general) Feel free to get involved with one of our committees: Content Finance Public

297 views • 11 slides
(jeez y) Where is the Internet? Answers from : (G. Whilikers) Out there. (Mike) the way I

(jeez y) Where is the Internet? Answers from : (G. Whilikers) Out there. (Mike) the way I

(jeez y) Where is the Internet? Answers from : (G. Whilikers) Out there. (Mike) the way I see it, the "internet" has to be somewhere. a router collects the internet to my house sure. but somewhere on earth there HAS to be some

610 views • 32 slides
Efficient Distributed Workload (Re-)Embedding Monika Stefan Stefan Henzinger Neumann Schmid

Efficient Distributed Workload (Re-)Embedding Monika Stefan Stefan Henzinger Neumann Schmid

Efficient Distributed Workload (Re-)Embedding Monika Stefan Stefan Henzinger Neumann Schmid Many Years Ago Single server Systems were fixed and workload-agnostic Simple communication patterns (if at all), endpoints fixed

686 views • 67 slides
Probabilistic Graphical Models David Sontag New York University Lecture 5, Feb. 28, 2013 David

Probabilistic Graphical Models David Sontag New York University Lecture 5, Feb. 28, 2013 David

Probabilistic Graphical Models David Sontag New York University Lecture 5, Feb. 28, 2013 David Sontag (NYU) Graphical Models Lecture 5, Feb. 28, 2013 1 / 22 Todays lecture 1 Using VE for conditional queries 2 Running-time of variable

342 views • 22 slides
Threats, Threat Agents, and Vulnerabilities COMM037 Computer Security Dr Hans Georg Schaathun

Threats, Threat Agents, and Vulnerabilities COMM037 Computer Security Dr Hans Georg Schaathun

Threats, Threat Agents, and Vulnerabilities COMM037 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2010 Week 5 Dr Hans Georg Schaathun Threats, Threat Agents, and Vulnerabilities Autumn 2010 Week 5 1 / 46

1.56k views • 108 slides
SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012

SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012

SharePoint Security Advanced SharePoint Security Tips and Tools 22 Feb 2012 OWASP L.A. 2012 Los Angeles, CA Presen sented ed b by: Francis Brown Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W Br Brief ef Int

606 views • 58 slides
Which Websites are Censored, Anyway? Zachary Weinberg zackw@cmu.edu Carnegie Mellon University

Which Websites are Censored, Anyway? Zachary Weinberg zackw@cmu.edu Carnegie Mellon University

Which Websites are Censored, Anyway? Zachary Weinberg zackw@cmu.edu Carnegie Mellon University 17 July 2014 Sources Herdict , 20092014: 65,000 URLs reported as inaccessible (not necessarily censored) by users worldwide Citizen Lab ,

359 views • 7 slides
Networked Malware Session 37 INST 346 Technologies, Infrastructure and Architecture SQL

Networked Malware Session 37 INST 346 Technologies, Infrastructure and Architecture SQL

Networked Malware Session 37 INST 346 Technologies, Infrastructure and Architecture SQL Injection Attack SELECT * FROM users WHERE name = ' ' OR '1'='1'; statement = "SELECT * FROM users WHERE name = ' " + userName + " ';"

674 views • 17 slides

More recommend