Hacking industrial plants: recent chronicles and incidents, known and unknown
1. Hacking industrial plants: recent chronicles and incidents, known and unknown
Raoul Chiesa, OPST, OPSA
Board of Directors: CLUSIT, ISECOM, TSTF.net, OWASP Italy
M2M Building Automation & Industrial Security
7 April 2009
3. The speakers – Raoul Chiesa aka Nobody
Director of Communications at ISECOM
OSSTMM Key Contributor, Project Manager of HPP
• Open Source Security Testing Methodology Manual
• Released in January 2001
• More than 3 million downloads
Technical Director at @ Mediaservice.net Srl
Lecturer in IT Security at various universities and IS master's programmes
Speaker at national and international security events
Member of the Boards of Directors of CLUSIT, ISECOM, Telecom Security Task Force (TSTF.net), OWASP Italian Chapter
Consultant to the United Nations on cybercrime at UNICRI.
4. Security problems in critical environments
I have worked in these environments over the last two years, in Italy and abroad.
I have mainly dealt with:
Organizational security (standards, policies, …)
Security testing (penetration tests, security audits)
Hardening (that great unknown)
What emerged is nothing short of shocking.
And NIST, US Cyber Defense, US Homeland Security and the European Commission say so too…
5. Why talk about these topics?
During 2008, together with Alessio Pennasilico, I carried out “evangelism” activities in Italy and abroad.
The contexts were the most diverse: from hacker conferences (IT Underground, HITB, CONfidence, CCC, etc.) to universities and “classic” events (BBF, IWCE, etc.).
In every case, the interest shown by the audience was enormous.
…to be honest, our talk was a mix of “healthy scaremongering” and a “basic overview” of these worlds…
We wanted to make people think, without going into too much detail. In the meantime, we trained ourselves in the field.
6. National critical infrastructures
NCIs have strong ties to the worlds of SCADA and industrial automation.
In the next three slides I have tried to summarize – following the standards and logic that exist today, first among them those of the US Department of Homeland Security – the main national critical infrastructures, organized by sector.
The ugly part is that, for each of these sectors, attacks and intrusions have already occurred successfully…
7. National critical infrastructures / 1
SECTOR – Sample target sub-sectors
Energy and Utilities: Electrical power (generation, transmission, nuclear); Natural gas; Oil production and transmission systems
Communications and Information Technology: Telecommunications (phone, fax, cable, wireless & WiMax, satellite); Broadcasting systems; Software; Hardware; Networks (Internet)
Finance: Banking; Securities; Investment
Health Care: Hospitals; Health-care facilities; Blood-supply facilities; Pharmaceuticals
8. National critical infrastructures / 2
SECTOR – Sample target sub-sectors
Food: Food safety; Agriculture and food industry; Food distribution
Water: Drinking water; Wastewater management
Transportation: Air; Rail; Marine; Surface
Safety: Chemical, biological, radiological, and nuclear safety; Hazardous materials; Search and rescue; Emergency services (police, fire, ambulance and others); Dams
9. National critical infrastructures / 3
SECTOR – Sample target sub-sectors
Government: Government facilities; Government services (i.e., meteorological services); Government information networks; Government assets; Key national symbols (cultural institutions, national sites, monuments)
Manufacturing: Chemical industry; Defence industrial base
10. Real examples…
A couple of “real examples”, to get a hands-on feel for what we are talking about.
“Managing pumps” (USA, MN)
The Gulf (Mexico)
17. Ergonomics / 4
Now we work differently.
http://www.ihcsystems.com/section_n/images/efficientdredgingnewsapril2005_Page_09_Image_0002.jpg
18. Blockbuster
“The power plant's management system wasn't responding. The operator was watching a DVD on the management computer”
CSO of an electricity distribution utility
19. Attack techniques
The attack techniques used against these environments do not differ much from the classic ones of the IT world:
Old school hacking (password guessing, …)
Port scanning
Eavesdropping, traffic flow reconstruction
Exploiting
DoS
Web application hacking
21. Past incidents
Contrary to what one might normally think, several incidents have occurred in this world, from as far back as the '80s up to decidedly recent cases.
22. Whatcom Falls Park
“About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1.5 hours after the rupture, the gasoline ignited and burned approximately 1.5 miles along the creek. Two 10-year-old boys and an 18-year-old young man died as a result of the accident. Eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million.”
24. Technical details
“The Olympic Pipeline SCADA system consisted of Teledyne Brown Engineering SCADA Vector software, version 3.6.1, running on two Digital Equipment Corporation (DEC) VAX Model 4000-300 computers with VMS operating system Version 7.1. In addition to the two main SCADA computers (OLY01 and 02), a similarly configured DEC Alpha 300 computer running Alpha/VMS was used as a host for the separate Modisette Associates, Inc., pipeline leak detection system software package.”
25. SCADA can save lives
“5. If the supervisory control and data acquisition (SCADA) system computers had remained responsive to the commands of the Olympic controllers, the controller operating the accident pipeline probably would have been able to initiate actions that would have prevented the pressure increase that ruptured the pipeline.”
http://www.cob.org/press/pipeline/whatcomcreek.htm
26. Worms
“In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours.”
NIST, Guide to SCADA
27. nmap
“While a ping sweep was being performed on an active SCADA network that controlled 9-foot robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated.”
NIST, Guide to SCADA
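The ping-sweep anecdote above is why active scanning of a control network is normally kept out of bounds and watched for. As an added defensive example that is not part of the original slides, the script below flags any host that ICMP-probes many distinct addresses on a control-network segment within a short window; the log format, the addresses, the window and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the slides): a firewall/flow export in the
# form "<date> <time> <proto> <src> -> <dst>". The 10.10.8.0/24 range stands in
# for a control-network segment; host 10.10.5.23 sweeps it with ICMP echo.
SAMPLE_LOG = """\
2009-04-07 10:00:01 ICMP 10.10.5.23 -> 10.10.8.1
2009-04-07 10:00:01 ICMP 10.10.5.23 -> 10.10.8.2
2009-04-07 10:00:02 ICMP 10.10.5.23 -> 10.10.8.3
2009-04-07 10:00:02 ICMP 10.10.5.23 -> 10.10.8.4
2009-04-07 10:00:03 ICMP 10.10.5.23 -> 10.10.8.5
2009-04-07 10:00:03 ICMP 10.10.5.23 -> 10.10.8.6
2009-04-07 10:00:10 TCP 10.10.8.40 -> 10.10.8.1
2009-04-07 10:05:00 ICMP 10.10.8.40 -> 10.10.8.2
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) -> (\S+)$")

def parse_line(line):
    """Parse one log line into (timestamp, proto, src, dst); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_sweeps(log_text, ot_prefix="10.10.8.", window_s=10, threshold=5):
    """Return {source: distinct_targets} for every source that sends ICMP to at
    least `threshold` distinct addresses under `ot_prefix` within `window_s`
    seconds. The segment prefix and thresholds are assumptions for this example."""
    probes = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src, dst = rec
        if proto == "ICMP" and dst.startswith(ot_prefix):
            probes[src].append((ts, dst))
    alerts = {}
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct destinations probed in the window opening at event i.
            targets = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts
```

On the constructed log, only 10.10.5.23 is reported (six control-network hosts probed within two seconds); the single ICMP packet from 10.10.8.40 stays below the threshold.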
28. Disgruntled employee
Vitek Boden, in 2000, was arrested, convicted and jailed because he released millions of liters of untreated sewage using his wireless laptop. It happened in Maroochy Shire, Queensland, maybe as revenge against his last former employer.
http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
29. Sabotage
Thomas C. Reed, Ronald Reagan's Secretary, described in his book “At the Abyss” how the U.S. arranged for the Soviets to receive intentionally flawed SCADA software to manage their natural gas pipelines. "The pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds." A 3 kiloton explosion was the result, in 1982 in Siberia.
http://www.themoscowtimes.ru/stories/2004/03/18/014.html
30. Gazprom
“Russian authorities revealed this week that Gazprom, a state-run gas utility, came under the control of malicious hackers last year. […] The report said hackers used a Trojan horse program, which stashes lines of harmful computer code in a benign-looking program.”
http://findarticles.com/p/articles/mi_qa3739/is_200403/ai_n9360106
31. Recent incidents (2008/2009)
Texas: warning, zombies ahead
Transportation officials in Texas are scrambling to prevent hackers from changing messages on digital road signs after one sign in Austin was altered to read, "Zombies Ahead."
Chris Lippincott, director of media relations for the Texas Department of Transportation, confirmed that a portable traffic sign at Lamar Boulevard and West 15th Street, near the University of Texas at Austin, was hacked into during the early hours of Jan. 19.
"It was clever, kind of cute, but not what it was intended for," said Lippincott, who saw the sign during his morning commute. "Those signs are deployed for a reason — to improve traffic conditions, let folks know there's a road closure."
32. Recent incidents (2008/2009)
Final Super Bowl Moments Interrupted By Porn
Yesterday's television broadcast of the Super Bowl in Tucson, Arizona, was interrupted for some viewers by about 10 seconds of pornographic material.
According to a statement from KVOA TV in Tucson, the only viewers who saw the material were those who receive the channel through Comcast cable. Officials at Comcast said they had “no idea” at the time it happened how the porn may have gotten into its feed.
Apparently, the SD signal was hacked and a ten-second porn clip was inserted into the feed. The station received hordes of complaints from families who were watching the game and saw the clip, which showed a woman unzipping a man's pants, followed by a graphic act between the two.
UPDATED (2 February 2009): Comcast offers $10 credit to Tucson customers who saw Super Bowl porn
33. Previews… 1
ASCE – American Society of Civil Engineers and their Report Card:
2009 Report Card for America's Infrastructure
Category | 2009 | 2005 | Changed? Better or worse?
Aviation | D | D+ | Yes; worse
Bridges | C | C |
Dams | D | D |
Drinking Water | D- | D- |
Energy | D+ | D | Yes; better
Hazardous Waste | D | D |
Inland Waterways | D- | D- |
Levees | D- | NA | Yes; worse
Public Parks & Recreation | C- | C- |
Rail | C- | C- |
Roads | D- | D | Yes; worse
School | D | D |
Security | NA | I | Removed
Solid Waste | C+ | C+ |
Transit | D | D+ | Yes; worse
Wastewater | D- | D- |
Overall GPA grade | D | D |
Cost | $2.2T | $1.6T |
Grading scale: A = Exceptional, B = Good, C = Mediocre, D = Poor, F = Failing
34. Previews… 2
World's power grids infested with (more) SCADA bugs
Areva Inc. - a Paris-based company that serves nuclear, wind, and fossil-fuel power companies - is warning customers to upgrade a key piece of energy management software following the discovery of security bugs that leave it vulnerable to hijacking.
The vulnerabilities affect multiple versions of Areva's e-terrahabitat package, which allows operators in power plants to monitor gas and electric levels, adjust transmission and distribution devices, and automate other core functions. Areva markets itself as one of the top three global players in the transmission and distribution of energy.
http://www.theregister.co.uk/2009/02/05/areva_scada_security_bugs/
http://www.kb.cert.org/vuls/id/337569
36. Conclusions
The history, perspectives and background of IT and ICT security are completely different in the world of industrial automation and critical infrastructures.
The standards exist: they must be followed, with full awareness and common sense.
What is missing is a methodology for carrying out security assessments, in order to prevent what could already happen today.
The commitment and support of everyone is needed, from vendors to end users, passing of course through the logical-security world.
37. Webography
http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf
https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
http://cansecwest.com/slides06/csw06-byres.pdf
http://www.mayhem.hk/docs/scada_univr.pdf
http://darkwing.uoregon.edu/~joe/scada/
http://www.physorg.com/news94025004.html
http://ethernet.industrial-networking.com/articles/articledisplay.asp?id=206
http://www.apogeonline.com/libri/88-503-1042-0/ebook/libro
http://www.sans.org/reading_room/whitepapers/warfare/1644.php
http://www.digitalbond.com/SCADA_Blog/SCADA_blog.htm
38. Webography
http://www.securityfocus.com/news/11402
http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf
http://www.visionautomation.it/modules/AMS/article.php?storyid=32
http://www.cob.org/press/pipeline/whatcomcreek.htm
http://www.securityfocus.com/news/6767
http://www.iscom.istsupcti.it/index.php?option=com_content&task=view&id=16&Itemid=1
http://books.google.it/books?id=xL3Ye3ZORbgC
39. Contacts
For further information, to join CLUSIT and take part in its activities:
http://www.clusit.it
Raoul Chiesa
rchiesa@clusit.it
Thank you for your attention!