Raoul Chiesa: Hacking Industrial Plants (Hacking A Impianti Industriali)

Hacking Industrial Plants: recent chronicles, known and unknown incidents
    Presentation Transcript

    • Hacking industrial plants: recent chronicles and incidents, known and unknown. Raoul Chiesa, OPST, OPSA. Board of Directors: CLUSIT, ISECOM, TSTF.net, OWASP Italy. M2M Building Automation & Industrial Security, 7 April 2009
    • The speakers: Raoul Chiesa, aka Nobody. Director of Communications at ISECOM, OSSTMM Key Contributor, Project Manager of HPP. OSSTMM: Open Source Security Testing Methodology Manual, released in January 2001, more than 3 million downloads. Technical Director at @ Mediaservice.net Srl. Lecturer in IT Security at various universities and Information Security master's programmes. Speaker at national and international security events. Member of the steering committees of CLUSIT, ISECOM, Telecom Security Task Force (TSTF.net) and the OWASP Italian Chapter. Consultant to the United Nations on cybercrime at UNICRI. 3
    • Security issues in critical environments. I have worked in these environments over the last two years, in Italy and abroad, dealing mainly with: organizational security (standards, policies, …); security assessments (penetration tests, security audits); hardening (that great unknown). What emerged is, to say the least, shocking. And NIST, US Cyber Defense, US Homeland Security and the European Commission say so too… 4
    • Why talk about these topics? During 2008, together with Alessio Pennasilico, I carried out "evangelism" activities in Italy and abroad. The contexts were very diverse: from hacker conferences (IT Underground, HITB, CONfidence, CCC, etc.) to universities and "classic" events (BBF, IWCE, etc.). In every case the audience showed enormous interest. …to be honest, our talk was a mix of "healthy scaremongering" and a "basic overview" of these worlds… We wanted to make people think, but without going too deep into detail. In the meantime, we trained ourselves. In the field. 5
    • National critical infrastructures. NCIs have strong ties with the SCADA and Industrial Automation worlds. In the next three slides I have tried to summarize, according to the standards and frameworks existing today (first among them those of the US Homeland Security Department), the main national critical infrastructures, organized by sector. The ugly part is that, for each of these sectors, attacks and intrusions have already taken place, successfully… 6
    • National critical infrastructures / 1
      SECTOR                                       Sample target sub-sectors
      Energy and Utilities                         Electrical power (generation, transmission, nuclear); Natural gas; Oil production and transmission systems
      Communications and Information Technology    Telecommunications (phone, fax, cable, wireless & WiMax, satellite); Broadcasting systems; Software; Hardware; Networks (Internet)
      Finance                                      Banking; Securities; Investment
      Health Care                                  Hospitals; Health-care facilities; Blood-supply facilities; Pharmaceuticals
      7
    • National critical infrastructures / 2
      SECTOR                                       Sample target sub-sectors
      Food                                         Food safety; Agriculture and food industry; Food distribution
      Water                                        Drinking water; Wastewater management
      Transportation                               Air; Rail; Marine; Surface
      Safety                                       Chemical, biological, radiological and nuclear safety; Hazardous materials; Search and rescue; Emergency services (police, fire, ambulance and others); Dams
      8
    • National critical infrastructures / 3
      SECTOR                                       Sample target sub-sectors
      Government                                   Government facilities; Government services (i.e., meteorological services); Government information networks; Government assets; Key national symbols (cultural institutions, national sites, monuments)
      Manufacturing                                Chemical industry; Defence industrial base
      9
    • Real examples… A couple of "real examples", to get hands-on with what we are talking about. "Managing pumps" (USA, MN). The Gulf (Mexico). 10
    • (image-only slide) 11
    • (image-only slide) 12
    • Technical issues 13
    • Ergonomics / 1. Donald A. Norman, La caffettiera del masochista; James Reason, L'errore umano. 14
    • Ergonomics / 2. Avoiding confusion… 15
    • Ergonomics / 3. We used to be accustomed to… http://www.metroland.org.uk/signal/amer01.jpg 16
    • Ergonomics / 4. Now we work differently. http://www.ihcsystems.com/section_n/images/efficientdredgingnewsapril2005_Page_09_Image_0002.jpg 17
    • Blockbuster. "The power plant's management system was not responding. The operator was watching a DVD on the management computer." CSO of an electricity distribution utility. 18
    • Attack techniques. The attack techniques used against these environments do not differ much from the classic ones of the IT world: old-school hacking (password guessing, …); port scanning; eavesdropping and reconstruction of traffic flows; exploiting; DoS; web application hacking. 19
    • Intrusion example. Source: INL (Idaho National Lab), DHS US. 20
    • Past incidents. Contrary to what one might normally think, there have been several incidents in this world, from as far back as the 1980s up to decidedly recent cases. 21
    • Whatcom Falls Park. "About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1.5 hours after the rupture, the gasoline ignited and burned approximately 1.5 miles along the creek. Two 10-year-old boys and an 18-year-old young man died as a result of the accident. Eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million." 22
    • (image-only slide) 23
    • Technical details. "The Olympic Pipeline SCADA system consisted of Teledyne Brown Engineering SCADA Vector software, version 3.6.1., running on two Digital Equipment Corporation (DEC) VAX Model 4000-300 computers with VMS operating system Version 7.1. In addition to the two main SCADA computers (OLY01 and 02), a similarly configured DEC Alpha 300 computer running Alpha/VMS was used as a host for the separate Modisette Associates, Inc., pipeline leak detection system software package." 24
    • SCADA can save lives. "5. If the supervisory control and data acquisition (SCADA) system computers had remained responsive to the commands of the Olympic controllers, the controller operating the accident pipeline probably would have been able to initiate actions that would have prevented the pressure increase that ruptured the pipeline." http://www.cob.org/press/pipeline/whatcomcreek.htm 25
    • Worms. "In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours." NIST, Guide to SCADA. 26
    • nmap. "While a ping sweep was being performed on an active SCADA network that controlled 9-foot robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated." NIST, Guide to SCADA. 27
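    The two slides above make one practical point: the reconnaissance techniques of slide 19 (port scanning, ping sweeps) are not harmless on a live control network, as the robotic-arm case on slide 27 shows. The defender's answer is to build the asset inventory without sending anything to the PLCs, and to notice when some host on the segment starts sweeping. The block below is an added example, not code from the slides or from NIST: it parses constructed flow records (the kind a span port, NetFlow collector or firewall log would give you), derives an inventory of industrial protocol servers and clients passively from the destination ports, and flags any source that contacts many distinct peers in a short window, which is what a ping or port sweep looks like from the wire. The port-to-protocol table, the hosts, the timestamps and the thresholds are all assumptions chosen for the example.

```python
"""Passive ICS asset inventory and sweep detection over flow records.

Added example (not from the original slides). Nothing here touches the
network: every conclusion is drawn from traffic that was already observed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumption: a small map of well-known industrial protocol ports. A real
# deployment would carry the site's own list.
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed sample flow records: "timestamp src dst dport proto".
# An HMI (.20) polls two PLCs on Modbus, an engineering station (.30) talks
# EtherNet/IP to .60, and a laptop (.99) pings eight hosts in four seconds.
SAMPLE_FLOWS = """\
2009-04-07T10:00:00 10.10.1.20 10.10.1.50 502 tcp
2009-04-07T10:00:00 10.10.1.20 10.10.1.51 502 tcp
2009-04-07T10:00:05 10.10.1.20 10.10.1.50 502 tcp
2009-04-07T10:00:05 10.10.1.20 10.10.1.51 502 tcp
2009-04-07T10:00:07 10.10.1.30 10.10.1.60 44818 tcp
2009-04-07T10:00:10 10.10.1.20 10.10.1.50 502 tcp
2009-04-07T10:00:10 10.10.1.20 10.10.1.51 502 tcp
2009-04-07T10:00:12 10.10.1.99 10.10.1.50 0 icmp
2009-04-07T10:00:12 10.10.1.99 10.10.1.51 0 icmp
2009-04-07T10:00:13 10.10.1.99 10.10.1.52 0 icmp
2009-04-07T10:00:13 10.10.1.99 10.10.1.53 0 icmp
2009-04-07T10:00:14 10.10.1.99 10.10.1.54 0 icmp
2009-04-07T10:00:14 10.10.1.99 10.10.1.55 0 icmp
2009-04-07T10:00:15 10.10.1.99 10.10.1.56 0 icmp
2009-04-07T10:00:15 10.10.1.99 10.10.1.57 0 icmp
2009-04-07T10:00:15 10.10.1.20 10.10.1.50 502 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def passive_inventory(flows) -> dict:
    """Map each host to the industrial protocol roles it was seen in.

    A destination on a known ICS port is recorded as a server, the source as
    a client. Hosts seen only on other ports (or ICMP) do not appear.
    """
    inventory = defaultdict(set)
    for f in flows:
        name = ICS_PORTS.get(f.dport)
        if name is None:
            continue
        inventory[f.dst].add(f"{name} server")
        inventory[f.src].add(f"{name} client")
    return {host: sorted(roles) for host, roles in inventory.items()}


def detect_sweeps(flows, peer_threshold: int = 6, window_seconds: int = 60) -> dict:
    """Return {src: peers} for sources that reached >= peer_threshold distinct
    destination hosts inside any window_seconds interval (sweep-like behaviour)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best = 0
        for i, start in enumerate(fl):
            peers = set()
            for f in fl[i:]:
                if (f.ts - start.ts).total_seconds() > window_seconds:
                    break
                peers.add(f.dst)
            best = max(best, len(peers))
        if best >= peer_threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, roles in sorted(passive_inventory(flows).items()):
        print(f"{host:12} {', '.join(roles)}")
    for src, peers in detect_sweeps(flows).items():
        print(f"ALERT: {src} contacted {peers} distinct hosts within 60 s")
```

    On the constructed records the inventory lists .50 and .51 as Modbus/TCP servers, .20 as a Modbus/TCP client, and .60 / .30 as an EtherNet/IP server and client, while the laptop .99 never appears in the inventory but is the only host raised as a sweep (8 peers in 4 seconds). The HMI polling its two PLCs stays well under the threshold, which is the property a practitioner wants: a legitimate poller has a small, stable peer set, a scanner does not.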
    • Disgruntled employee. Vitek Boden, in 2000, was arrested, convicted and jailed because he released millions of liters of untreated sewage using his wireless laptop. It happened in Maroochy Shire, Queensland, maybe as revenge against his former employer. http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/ 28
    • Sabotage. Thomas C. Reed, Ronald Reagan's Secretary, described in his book "At the Abyss" how the U.S. arranged for the Soviets to receive intentionally flawed SCADA software to manage their natural gas pipelines. "The pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds." A 3 kiloton explosion was the result, in 1982 in Siberia. http://www.themoscowtimes.ru/stories/2004/03/18/014.html 29
    • Gazprom. "Russian authorities revealed this week that Gazprom, a state-run gas utility, came under the control of malicious hackers last year. […] The report said hackers used a Trojan horse program, which stashes lines of harmful computer code in a benign-looking program." http://findarticles.com/p/articles/mi_qa3739/is_200403/ai_n9360106 30
    • Recent incidents (2008/2009). Texas: warning, zombies ahead. "Transportation officials in Texas are scrambling to prevent hackers from changing messages on digital road signs after one sign in Austin was altered to read, "Zombies Ahead." Chris Lippincott, director of media relations for the Texas Department of Transportation, confirmed that a portable traffic sign at Lamar Boulevard and West 15th Street, near the University of Texas at Austin, was hacked into during the early hours of Jan. 19. "It was clever, kind of cute, but not what it was intended for," said Lippincott, who saw the sign during his morning commute. "Those signs are deployed for a reason — to improve traffic conditions, let folks know there's a road closure."" 31
    • Recent incidents (2008/2009). Final Super Bowl Moments Interrupted By Porn. "Yesterday's television broadcast of the Super Bowl in Tucson, Arizona, was interrupted for some viewers by about 10 seconds of pornographic material. According to a statement from KVOA TV in Tucson, the only viewers who saw the material were those who receive the channel through Comcast cable. Officials at Comcast said they had "no idea" at the time it happened how the porn may have gotten into its feed. Apparently, the SD signal was hacked and a ten-second porn clip was inserted into the feed. The station received hordes of complaints from families who were watching the game and saw the clip, which showed a woman unzipping a man's pants, followed by a graphic act between the two." UPDATED (2 February 2009): Comcast offers a $10 credit to Tucson customers who saw the Super Bowl porn. 32
    • Previews… 1. ASCE (American Society of Civil Engineers) and their Report Card: 2009 Report Card for America's Infrastructure
      Category                    2009   2005   Changed? Better or worse?
      Aviation                    D      D+     Yes; worse
      Bridges                     C      C
      Dams                        D      D
      Drinking Water              D-     D-
      Energy                      D+     D      Yes; better
      Hazardous Waste             D      D
      Inland Waterways            D-     D-
      Levees                      D-     NA     Yes; worse
      Public Parks & Recreation   C-     C-
      Rail                        C-     C-
      Roads                       D-     D      Yes; worse
      School                      D      D
      Security                    NA     I      Removed
      Solid Waste                 C+     C+
      Transit                     D      D+     Yes; worse
      Wastewater                  D-     D-
      Overall GPA grade           D      D
      Cost                        $2.2T  $1.6T
      Grades: A = Exceptional, B = Good, C = Mediocre, D = Poor, F = Failing
      33
    • Previews… 2. World's power grids infested with (more) SCADA bugs. "Areva Inc. - a Paris-based company that serves nuclear, wind, and fossil-fuel power companies - is warning customers to upgrade a key piece of energy management software following the discovery of security bugs that leaves it vulnerable to hijacking. The vulnerabilities affect multiple versions of Areva's e-terrahabitat package, which allows operators in power plants to monitor gas and electric levels, adjust transmission and distribution devices, and automate other core functions. Areva markets itself as one of the top three global players in the transmission and distribution of energy." http://www.theregister.co.uk/2009/02/05/areva_scada_security_bugs/ http://www.kb.cert.org/vuls/id/337569 34
    • Conclusions 35
    • Conclusions. The history, perspectives and background of IT and ICT security are completely different in the world of industrial automation and critical infrastructures. The standards exist: they must be followed, with awareness and common sense. What is missing is a methodology for carrying out security assessments, in order to prevent what could already happen today. The commitment and support of everyone is needed, from vendors to end users, obviously passing through the world of logical security. 36
    • Webography
      http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf
      https://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
      http://cansecwest.com/slides06/csw06-byres.pdf
      http://www.mayhem.hk/docs/scada_univr.pdf
      http://darkwing.uoregon.edu/~joe/scada/
      http://www.physorg.com/news94025004.html
      http://ethernet.industrial-networking.com/articles/articledisplay.asp?id=206
      http://www.apogeonline.com/libri/88-503-1042-0/ebook/libro
      http://www.sans.org/reading_room/whitepapers/warfare/1644.php
      http://www.digitalbond.com/SCADA_Blog/SCADA_blog.htm
      37
    • Webography
      http://www.securityfocus.com/news/11402
      http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf
      http://www.visionautomation.it/modules/AMS/article.php?storyid=32
      http://www.cob.org/press/pipeline/whatcomcreek.htm
      http://www.securityfocus.com/news/6767
      http://www.iscom.istsupcti.it/index.php?option=com_content&task=view&id=16&Itemid=1
      http://books.google.it/books?id=xL3Ye3ZORbgC
      38
    • Contacts. For further information, to join CLUSIT and take part in its activities: http://www.clusit.it. Raoul Chiesa, rchiesa@clusit.it. Thank you for your attention! 39