chiesa_ isecom

1

ITN 2009 – Torino, 15 Ottobre 2009

Attacchi ad infrastrutture critiche: Attacchi ad infrastrutture critiche: storie di vita vissuta storie di vita vissuta

Raoul Chiesa

Founder, Honorary President, @ Mediaservice.netDirector of Communication, Board of Directors Member, ISECOM

Senior Advisor, Strategic Alliances & Cybercrime Issues at the United [email protected]

Document KeywordsDocument KeywordsInfrastrutture Critiche Nazionali; SCADA; Automazione Industriale; Incidenti di Sicurezza; Attacchi Informatici; Hacking; Sicurezza Nazionale; Penetration Test.

2


AgendaWho is who

- Il relatore- ISECOM- UNICRI

I crimini Hi-Tech nel XXI secolo & l’hacking

Le Infrastrutture Critiche Nazionali- Attacchi- Problematiche riscontrate- Incidenti- TETRA- Soluzioni

Contatti, Q&A

3


Il relatoreRaoul Chiesa– Director of Communications at ISECOM

– Institute for Security and Open Methodologies– Originally called the Ideahamster Organization (Est. 2000)– Open Source Community Registered OSI

– Project Manager for H.P.P., OSSTMM Key Contributor• OPST, OPSA, ISECOM Authorized International Trainer

– Professor of IT Security at various Universities & Masters (Italy)– Advisor on Cybercrime for the United Nations at UNICRI– Board of Directors Member at ISECOM, CLUSIT, Telecom Security Task

Force, and ISO ISMS IUG & OWASPItalian Chapters

4


ISECOM: who is who• Institute for Security and Open Methodologies (Est.

2002) • Una Non-Profit Organization (registrata)• Sedi a Barcelona (Spagna) e New York (U.S.A.)• Open Source Community Registered OSI: utilizza un

processo di Open and Peer Review assicurando Qualità e sviluppando una Chain of Trust, diventando così una community internazionalmente riconosciuta.

• Una Certification Authority “grown in the trust” e supportata da istituzioni accademiche (La Salle University network).

5


UNICRI: who is who

• United Nations Interregional Crime & Justice Research Institute

• Fondato nel 1968 per assistere le organizzazioni governative, intergovernative e non-governative nella creazione e miglioramento di policy nel campo della crime prevention e criminal justice.

• WHQ a Torino (UN Staff College, ITC/ILO); uffici a Roma, Ginevra, New York, Luanda (Angola), Maputo (Mozambico).

6


Information Security

• L’evoluzione dei crimini dovrebbe essere analizzata da punti di vista innovativi

• Diversamente, non saremmo in grado di comprendere i nuovi nemici e, soprattutto, le loro motivazioni

• Informazione è la keyword per le minacce di oggi

• You got the information, you got the power…

7


21st Century

Le minacce odierne si stanno trasformando, ed evolvendo:

• Hacking “for fun”• (Low-level) Hacking for money/phishing• (High-level) Hacking/Industrial espionage• On-line Child pornography (business)• Botnets• Critical Information Infrastructures, CNI & SCADA• Cyberterrorism• Copyright & Intellectual property violations• E-Commerce frauds, scams• On line gambling• Privacy issues (social networks)

8


Low-level hackers: “script-kiddies” hunting for known security flaws(kind of “NEW”) Phishing, Remote low-level Social Engineering AttacksInsiders (user/supervisor/admin)Disgruntled Employees

High-level, sophisticated hackers, Organized Crime: middle and high level attacksHobbiest hackersUnethical “security guys”Unstructured attackers (SCAMs, medium & high-level hi-tech frauds,VISHING …)Structured attackers (“the italian job”, targeted attacks, industrial espionage)

Espionage, TerrorismForeign EspionageHacktivist (unfunded groups)Terrorist groups (funded)State sponsored attacks

Hacking: macro tipologie di attackers

9


Critical National Infrastructures: high-level view

Le (principali) Infrastrutture Critiche Nazionali odierne possono essere riassunte in:

TelecommunicationsElectrical power systemsGas and oil storage and transportationBanking and financeTransportationWater supply systemsEmergency services (medical, police, fire and rescue)Continuity of government

10


Critical National Infrastructures: zooming/1Sector Sample Target Sub-sectors

1.Energy and Utilities Electrical power (generation, transmission, nuclear)Natural gasOil production and transmission systems

2.Communications andInformation Technology Telecommunications (phone, fax, cable, satellites)

Broadcasting systemsSoftwareHardwareNetworks (Internet)

3. Finance BankingSecurities Investment

4.Health Care HospitalsHealth-care facilities

Blood-supply facilitiesLaboratoriesPharmaceuticals

5. Food Food safetyAgriculture and food industryFood distribution

11


Critical National Infrastructures: zooming/2Sector Sample Target Sub-sectors

6. Water Drinking waterWastewater management

7. Transportation AirRailMarineSurface

8. Safety Chemical, biological, radiological, and nuclear safetyHazardous materialsSearch and rescueEmergency services (police, fire, ambulance and others)Dams

9. Government Government facilities Government services (for example meteorological services)Government information networksGovernment assetsKey national symbols (cultural institutions and national sites and monuments)

10. Manufacturing Chemical industryDefence industrial base

12


China is attacking: UK

13


China is attacking: USA

14


China is attacking: Germany

The comments follow charges made by a top German intelligence official that computer hacking by China was occurring on an almost daily basis.

15


China is attacking: France

France has become the fourth country to speak out against hackers in China following an attack on French government systems.

Francis Delon, France's secretary general for national defence, claimed that the country's systems had been compromised and that the evidence pointed to China.

16


Key issues Conseguenza

Reti piatte (no segmentazione) Vita facile ai wormNo FW ..arriva di tuttoNo AV vulns note, bloccano la rete!No xIDS Incident handling ?!? Anomalie ? Attacchi ?

Trojan “ad-hoc” ? No Integrity Checker Modifiche ai file eseguibiliSicurezza fisica Accesso fisico non autorizzatoSecurity Through Obscurity Non funziona più (GSM Association docet)Differenze culturali Paradigma C-I-A VS A-I-C

I problemi riscontrati

17


SCADA&NCIs: incidents

18



19



20


SCADA: going commercial…

Videoclip time !

21


SCADA&NCIs: sabotage

22



23


SCADA: incidents

24



25



26


TETRA & 911

• Nel 2007 siamo stati chiamati per effettuare verifiche di sicurezza presso un Paese dell’area GCC (Middle-East)

• Oltre ad un assessment di sicurezza “standard”, ci èstato chiesto di “spegnere il 911”

• Dopo aver richiesto autorizzazioni estese, e dopo aver toccato con mano lo scetticismo (vendor, e Cliente), ci siamo messi all’opera

• Dopo 14 minuti il 911 era down: no police, no ambulance, no fire department.

27


Altri case-studies (sotto NDA)

• Negli ultimi 3 anni ci siamo anche occupati di verificare l’effettivo livello di sicurezza esistente presso:– Energy Plants (Test Plant)

– Pharmaceutical (live)

– Finance

– Telco

– Air transport

– Highways

– Chemical

– Industry

• ..In tutti questi casi, siamo riusciti a violare con successo l’infrastruttura e/o il target individuato.

28


Possibili soluzioni ? Cultura!

• Cybercrime Trainings on SCADA & NCIs @ the United Nations (Torino, Italy)

– http://www.unicri.it/wwd/cybertraining/index.php

– http://www.unicri.it/wwd/cybertraining/info_security.php– http://www.unicri.it/wwd/cybertraining/hacker_profiling.php– http://www.unicri.it/wwd/cybertraining/SCADA.php– http://www.unicri.it/wwd/cybertraining/digital_forensics.php

– http://www.unicri.it/wwd/cybertraining/ap-form_info.php

29


Contacts, Q&AContacts:

• If you are interested in ISECOM projects:Raoul Chiesa, Director of Communications at ISECOM [email protected]

• If you are interested in professional penetration testing for governments and LEAs:Raoul Chiesa, Chief Technical Officer & Tiger Team manager [email protected]

• If you are interested in UNICRI’s Cybercrime Trainings:Raoul Chiesa, Senior Advisor & Strategic Alliances [email protected]

GRAZIE DELL’ATTENZIONE!

DOMANDE ?

chiesa_ isecom

Business