Raoul Chiesa: Hacking Industrial Plants

Hacking industrial plants: recent news and incidents, known and unknown.
Raoul Chiesa, OPST, OPSA
Board of Directors: CLUSIT, ISECOM, TSTF.net, OWASP Italy
M2M Building Automation & Industrial Security
7 April 2009


INTRODUCTION


The speakers: Raoul Chiesa aka Nobody

Director of Communications at ISECOM
OSSTMM Key Contributor, Project Manager of HPP
• Open Source Security Testing Methodology Manual
• Released in January 2001
• More than 3 million downloads
Technical Director at @ Mediaservice.net Srl
Lecturer in IT Security at various universities and IS master's programmes
Speaker at national and international security events
Member of the steering committees of CLUSIT, ISECOM, Telecom Security Task Force (TSTF.net), OWASP Italian Chapter
Consultant to the United Nations on cybercrime at UNICRI.


Security issues in critical environments

I have worked in these environments over the last two years, in Italy and abroad. I have mainly dealt with:
• Organisational security (standards, policies, …)
• Security Assessments (Penetration Test, Security Audit)
• Hardening (that great unknown)

What emerged is shocking, to say the least. And NIST, US Cyber Defense, US Homeland Security and the European Commission say so too…


Why talk about these topics?

During 2008, together with Alessio Pennasilico, I carried out “evangelism” activities in Italy and abroad.
The settings varied widely: from hacker conferences (IT Underground, HITB, CONfidence, CCC, etc.) to universities and “classic” events (BBF, IWCE, etc.).
In every case, the audience showed enormous interest.
…to be honest, our talk was a mix of “healthy scaremongering” and a “basic overview” of these worlds…
We wanted to make people think, without going into too much detail. In the meantime, we trained ourselves. In the field.


National critical infrastructures

NCIs are closely tied to the SCADA and Industrial Automation worlds.
In the next three slides I have tried to summarise, following the standards and approaches that exist today (first among them the US Homeland Security Department), the main national critical infrastructures, organised by sector.
The bad news is that, for each of these sectors, attacks and intrusions have already taken place, successfully…


National critical infrastructures / 1

SECTOR | Sample Target sub-sectors
Energy and Utilities | Electrical power (generation, transmission, nuclear); Natural Gas; Oil production and transmission systems
Communications and Information Technology | Telecommunications (phone, fax, cable, wireless & WiMax, satellite); Broadcasting systems; Software; Hardware; Networks (Internet)
Finance | Banking; Securities; Investment
Health Care | Hospitals; Health-care facilities; Blood-supply facilities; Pharmaceuticals


National critical infrastructures / 2

SECTOR | Sample Target sub-sectors
Food | Food safety; Agriculture and Food Industry; Food distribution
Water | Drinking Water; Wastewater management
Transportation | Air; Rail; Marine; Surface
Safety | Chemical, biological, radiological, and nuclear safety; Hazardous materials; Search and rescue; Emergency services (police, fire, ambulance and others); Dams


National critical infrastructures / 3

SECTOR | Sample Target sub-sectors
Government | Government facilities; Government services (i.e., meteorological services); Government Information Networks; Government Assets; Key national symbols (cultural institutions, national sites, monuments)
Manufacturing | Chemical Industry; Defence industrial base


Real examples…

A couple of “real examples”, to get a first-hand feel for what we are talking about.
• “Managing pumps” (USA, MN)
• The Gulf (Mexico)


The technical issues


Ergonomics / 1

Donald A. Norman, La caffettiera del masochista
James Reason, L’errore umano


Ergonomics / 2

Avoid getting confused…


Ergonomics / 3

We were used to…

http://www.metroland.org.uk/signal/amer01.jpg


Ergonomics / 4

Now we work differently.

http://www.ihcsystems.com/section_n/images/efficientdredgingnewsapril2005_Page_09_Image_0002.jpg


Blockbuster

“The power plant's management system was not responding. The operator was watching a DVD on the management computer.”

CSO of an electricity distribution utility


Attack techniques

The attack techniques used against these environments do not differ much from the classic ones of the IT world:
• Old school hacking (password guessing, …)
• Port scanning
• Eavesdropping, reconstruction of traffic flows
• Exploiting
• DoS
• Web applications hacking


Example of an intrusion, source: INL (Idaho National Lab, DHS US)


Past incidents

Contrary to what one might normally think, there have been a number of incidents in this world, from as far back as the 1980s up to decidedly recent cases.


Whatcom Falls Park

“About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1.5 hours after the rupture, the gasoline ignited and burned approximately 1.5 miles along the creek. Two 10-year-old boys and an 18-year-old young man died as a result of the accident. Eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million.”


Technical details

“The Olympic Pipeline SCADA system consisted of Teledyne Brown Engineering SCADA Vector software, version 3.6.1., running on two Digital Equipment Corporation (DEC) VAX Model 4000-300 computers with VMS operating system Version 7.1. In addition to the two main SCADA computers (OLY01 and 02), a similarly configured DEC Alpha 300 computer running Alpha/VMS was used as a host for the separate Modisette Associates, Inc., pipeline leak detection system software package.”


SCADA can save lives

“5. If the supervisory control and data acquisition (SCADA) system computers had remained responsive to the commands of the Olympic controllers, the controller operating the accident pipeline probably would have been able to initiate actions that would have prevented the pressure increase that ruptured the pipeline.”

http://www.cob.org/press/pipeline/whatcomcreek.htm


Worms

“In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours.”

NIST, Guide to SCADA


nmap

“While a ping sweep was being performed on an active SCADA network that controlled 9-foot robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated.”

NIST, Guide to SCADA


Disgruntled employee

Vitek Boden, in 2000, was arrested, convicted and jailed because he released millions of liters of untreated sewage using his wireless laptop. It happened in Maroochy Shire, Queensland, possibly as revenge against his former employer.

http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/


Sabotage

Thomas C. Reed, Ronald Reagan’s Secretary, described in his book “At the abyss” how the U.S. arranged for the Soviets to receive intentionally flawed SCADA software to manage their natural gas pipelines. "The pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds." A 3 kiloton explosion was the result, in 1982 in Siberia.

http://www.themoscowtimes.ru/stories/2004/03/18/014.html


Gazprom

“Russian authorities revealed this week that Gazprom, a state-run gas utility, came under the control of malicious hackers last year. […] The report said hackers used a Trojan horse program, which stashes lines of harmful computer code in a benign-looking program.”

http://findarticles.com/p/articles/mi_qa3739/is_200403/ai_n9360106


Recent incidents (2008/2009)

Texas: warning, zombies ahead

Transportation officials in Texas are scrambling to prevent hackers from changing messages on digital road signs after one sign in Austin was altered to read, "Zombies Ahead."
Chris Lippincott, director of media relations for the Texas Department of Transportation, confirmed that a portable traffic sign at Lamar Boulevard and West 15th Street, near the University of Texas at Austin, was hacked into during the early hours of Jan. 19.
"It was clever, kind of cute, but not what it was intended for," said Lippincott, who saw the sign during his morning commute. "Those signs are deployed for a reason — to improve traffic conditions, let folks know there's a road closure."


Recent incidents (2008/2009)

Final Super Bowl Moments Interrupted By Porn

Yesterday’s television broadcast of the Super Bowl in Tucson, Arizona, was interrupted for some viewers by about 10 seconds of pornographic material. According to a statement from KVOA TV in Tucson, the only viewers who saw the material were those who receive the channel through Comcast cable. Officials at Comcast said they had “no idea” at the time it happened how the porn may have gotten into its feed.

UPDATED (2 February 2009): Comcast offers $10 credit to Tucson customers who saw Super Bowl porn

Apparently, the SD signal was hacked and a ten-second porn clip was inserted into the feed. The station received hordes of complaints from families who were watching the game and saw the clip, which showed a woman unzipping a man's pants, followed by a graphic act between the two.


Previews… 1

ASCE, the American Society of Civil Engineers, and their Report Card: 2009 Report Card for America's Infrastructure

Category | 2009 | 2005 | Changed? Better or worse?
Aviation | D | D+ | Yes; worse
Bridges | C | C |
Dams | D | D |
Drinking Water | D- | D- |
Energy | D+ | D | Yes; better
Hazardous Waste | D | D |
Inland Waterways | D- | D- |
Levees | D- | NA | Yes; worse
Public Parks & Recreation | C- | C- |
Rail | C- | C- |
Roads | D- | D | Yes; worse
School | D | D |
Security | NA | I | Removed
Solid Waste | C+ | C+ |
Transit | D | D+ | Yes; worse
Wastewater | D- | D- |
Overall GPA grade | D | D |
Cost | $2.2T | $1.6T |

A = Exceptional, B = Good, C = Mediocre, D = Poor, F = Failing


Previews… 2

World's power grids infested with (more) SCADA bugs

Areva Inc. - a Paris-based company that serves nuclear, wind, and fossil-fuel power companies - is warning customers to upgrade a key piece of energy management software following the discovery of security bugs that leave it vulnerable to hijacking.
The vulnerabilities affect multiple versions of Areva's e-terrahabitat package, which allows operators in power plants to monitor gas and electric levels, adjust transmission and distribution devices, and automate other core functions. Areva markets itself as one of the top three global players in the transmission and distribution of energy.

http://www.theregister.co.uk/2009/02/05/areva_scada_security_bugs/
http://www.kb.cert.org/vuls/id/337569


Conclusions

The history, perspectives and background of IT and ICT security are completely different in the world of industrial automation and critical infrastructures.
The standards exist: they must be followed. With full understanding and common sense.
A methodology for carrying out Security Assessments is missing, in order to prevent what could already happen today.
The commitment and support of everyone is needed, from vendors to end users, passing of course through the logical security world.


Web-o-graphy

http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf
https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
http://cansecwest.com/slides06/csw06-byres.pdf
http://www.mayhem.hk/docs/scada_univr.pdf
http://darkwing.uoregon.edu/~joe/scada/
http://www.physorg.com/news94025004.html
http://ethernet.industrial-networking.com/articles/articledisplay.asp?id=206
http://www.apogeonline.com/libri/88-503-1042-0/ebook/libro
http://www.sans.org/reading_room/whitepapers/warfare/1644.php
http://www.digitalbond.com/SCADA_Blog/SCADA_blog.htm


http://www.securityfocus.com/news/11402
http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf
http://www.visionautomation.it/modules/AMS/article.php?storyid=32
http://www.cob.org/press/pipeline/whatcomcreek.htm
http://www.securityfocus.com/news/6767
http://www.iscom.istsupcti.it/index.php?option=com_content&task=view&id=16&Itemid=1
http://books.google.it/books?id=xL3Ye3ZORbgC


Contacts

For further information, to join CLUSIT and take part in its activities:

http://www.clusit.it

Raoul [email protected]

Thank you for your attention!
