Cyber Threats to SCADA Systems - Roma Tre University

Post on 16-Oct-2021


Cyber Threats to SCADA Systems

Prof. Roberto Setola Università CAMPUS BioMedico di Roma

Critical Infrastructure Protection

A Real Time Alerting System: Tools & Models

Roma, 28 February 2011

02/03/2011 Roberto Setola – r.setola@unicampus.it

The author – Roberto Setola

• Associate Professor at CAMPUS Biomedico of Rome (Control Systems)
• Expert on CIP (working on the topic since 2002)
  – Italian Government WG on CIIP (2003/04)
  – G8 CIIP group and G8 High Tech Crime (2003/05)
• Coordinator of the EU CIPs project SecuFood
• Editor of the magazine Safety&Security (2008-10)
• Editor of the magazine Information Security (from 2011)
• Co-Editor of 6 books on CIIP, HS and Matlab
• Co-Guest editor of 3 special issues on CIP
• Associate editor of IJSSE
• Founder, Secretary of AIIC (from 2006)
• Member IFIP 11.10, EuroSCSIE, MNE7

Cyber Threat to SCADA Systems: is it real?

There is evidence of effective cyber-attacks on SCADA systems


Overall Incident Trends

[Figure: bar chart of incidents per year, from 1982-1993 through 2004, annotated "Something Changes Here"]

BCIT Industrial Security Incident Database (ISID) tracks network cyber incidents that directly impact industrial and SCADA operations. Both malicious and accidental incidents are tracked.


Something Happens in 2001…

[Figure: bar chart of Internal, Accidental and External incidents for 1982 - 1993, 1994 - 2001 and 2002 - 2004, with an exponential trend line for External]

1982-2001:
• Accidental 58%
• Internal 15%
• External 27%

2002-2004:
• External 67%
• Accidental 25%
• Internal 2%
• Audit 4%
• Other 2%


Threats to IT and CII

Same source but different consequences …

[Figure labels: Corporate infrastructure (administrative and management); ICS infrastructure (SCADA: protection, control, operation)]


Cyber Threats

Based on the attackers' motivation, they can be catalogued as:

• Cyber crime
• Cyber espionage
• Cyber terrorism
• Cyber war

Cyber-crime


2003 - Slammer

Source: a bug in a commonly used software product (Microsoft SQL Server)

Consequences (some…)
• Finance: in the USA 13.000 ATMs out of service; in Italy 11.000 post offices off-line
• Emergency: 911 in Seattle stopped
• Transportation: many flights delayed or canceled in Houston
• Electricity: SCADA of two US utilities stopped

DDoS


2000 – Maroochy Shire

Source: an ex-employee used a wireless Internet connection to penetrate the SCADA system of a sewage treatment plant

Consequences
• 47 “abnormal” accidents in January-April 2000
• 1.200.000 liters of raw sewage dispersed in the environment
• Potable water compromised in the area

Cyber-espionage

… nothing new


Cyber Terrorism

Terrorists largely use the net for:
• Communication
• Proselytism
• Fund raising
• Training
• Etc.

… but to date, there is no evidence that they are planning any type of cyber attack

Cyber war


Cyber (experiments) war?

• Cyber attack on Estonia (27 April – 19 May 2007): a DDoS attack blocked several governmental and financial web sites

• Before Russia's military initiative in Ossetia, Georgia's cyberspace was subjected to a DDoS attack


China - USA

In March 2010 a young Chinese researcher was pointed out to the US Congress as a dangerous enemy, because he wrote a scientific paper on the vulnerability of the US electric grid to cyber attack

Let us have a look at US strategies on CIP


US Strategy

[Diagram labels: Policy Inputs; Federal and Private Roles; Sector Roadmaps; Vision/Goals; Roles & Responsibilities; Sector Needs; Coordination Strategies; GAO Recommendations; Sector-Specific Plans; Drivers/Needs]


Control Systems Security Program

www.us-cert.gov/control_systems


Risk Reduction Products: Cyber Security Procurement Language for Control Systems

Building Security into Control Systems

Provides sample or recommended language for control systems security requirements
– New SCADA / control systems
– Legacy systems
– Maintenance contracts


National SCADA Test Bed – Office of Electricity Delivery and Energy Reliability (DOE-OE)

DOE multi-laboratory program designed to:
Support industry and government efforts to enhance control systems cyber security across the energy infrastructure

Key Program Areas
• Assess and mitigate energy control systems vulnerabilities
• Develop advanced secure control systems technologies
• Support development of standards and best practices
• Conduct outreach and awareness

[Figure labels: INL, NIST, SNL, PNL, ANL]


ESTEC Feasibility Study

Design a network of test centres to analyse security issues of SCADA systems in the energy sector

[Diagram labels: Testing Activity; Key Stakeholders: Asset Owners, Researchers, Regulation Bodies, Vendors]

Two Sectors
• Electricity (Power plants, Transmission lines, Distribution lines)
• Oil and Gas (Extraction, Refining, Treatment, Storage, Pipelines, Dispatching centres)

StuxNet

The change!

The «first» cyber-attack on a SCADA system

Until 2010… great attention, but no evidence


StuxNet

• “Stuxnet is a very big project, very well planned and very well funded”.
• Liam O’ Murchu, Supervisor NAM Security Response, Symantec
• Complex design and uncommon skillset required
• Specific Siemens automation control technology expertise
• Estimated cost: 3 million $
• Frank Rieger, CTO, GSMK
• It uses 4 different “0-day” attacks
• It has a double digital signature, stolen from JMicron and Realtek


StuxNet

Source: Trend Micro 2010

It has a very sophisticated architecture and has been developed using several languages

It uses several mechanisms to propagate but …..


StuxNet

Country          Infected PCs
Iran             62,867
Indonesia        13,336
India            6,552
United States    2,913
Australia        2,436
Britain          1,038
Malaysia         1,013
Pakistan         993
Germany          5 [but no consequences]
Italy            ?

Stuxnet is a complex-design threat, targeting specific industrial control systems vulnerabilities.


One Obvious Fact

The cyber threat to SCADA systems (and to critical infrastructure) is real


How ready are SCADA systems for Stuxnet-like threats?


Associazione Italiana esperti Infrastrutture Critiche

AIIC = Italian Association of Critical Infrastructures’ experts

A non-profit association to promote safety & security culture inside critical infrastructures

www.InfrastruttureCritiche.it


Master in Homeland Security

Systems, methods and tools for the security and the crisis management

IV edition
December 2011


SafeComp 2011

The 30th International Conference on Computer Safety, Reliability and Security

18-21 September 2011
Naples (Italy)

Key Theme
Safety and security of computer-based systems and infrastructures: from risk assessment to threat mitigation
