Security of Cyber-Physical SystemsStefano Zanero, PhDAssistant Professor, Politecnico di Milano
Stefano ZaneroBuongiorno!Im an assistant professorat Politecnico di Milano,My laboratory deals withNovel, EmergingComputing SystemTechnologies, andencompasses the systemsecurity research effortsBlack Hat review boardmemberAIPSI/ISSA Internationalmember & ISSAInternational Director
Stefano Zanero08/12/123Scope of this talkThis talk deals with security of cyber-physicalsystemsIn particular, with the vulnerabilities at theseparation layer of such systems
Stefano Zanero08/12/124Cyber-physical systemsEvolution of thetraditional embeddedsystems for controlE.g. SCADA systems,avionics, vehicularcontrol andinfotainment, “smartgrid”Do you know whats the“naked” CPS on theleft?
Stefano ZaneroVulnerabilitiesIn information security, a vulnerability is a weaknesswhich allows to reduce a systems informationassuranceMore generally, a vulnerability is a weakness in asystem that makes it susceptible to being damaged,or more generally makes it unfit to withstand someexternal conditionWe should not confuse the existence of avulnerability with the existence of a threat (e.g. anattacker), or with the existence of one or morespecific exploits for that vulnerability
Stefano ZaneroSecurity as managing risksAll (information) systems are vulnerableThis is not a self-justifying mantra, its a basic fact oflife: invulnerability, just like perfection, is but anillusionVulnerabilities, their exploitability and the existenceand prevalence of threats combine with the potentialof damage to create risksSecurity is the discipline of managing risk reducing itto a tolerable level, balancing the costsThe issue of securing critical systems is that it isvery difficult to gauge the product of very lowprobabilities times very high potential damage
Stefano ZaneroFact checkWant to check with you some factsFact 1: CPS are increasingly involved in criticalinfrastructures and safety-critical systemsFact 2: CPS are increasingly becoming controlloops closed without humans in the middleFact 3: CPS are evolving towards complexnetworks of complex systems, rather than single,embedded, simple systemsFact 4: threat level by actors likely to act againstthese systems is constantly on the rise
Stefano ZaneroFact 1: critical systems“… potential (cyber)attacks againstnetwork infrastructures may havewidespread and devastatingconsequences on our daily life: no moreelectricity or water at home, rail and planeaccidents, hospitals out of service”Viviane RedingVP of European Commission
Stefano ZaneroAlgorithmic trading fails~40% of share orders in Europe by algorithmic trading; 5yrs ago, 20%. In the U.S. 37%. (src: Tabb Group)Knight trading is just the latest failureSvend Egil Larsen (Norwegian trader) in 2007 reversedthe trading algorithm of Timber Hill, a unit of US-basedInteractive Brokers, found a flaw and exploited it for$50,000 (U.S.) in a few months. Not guilty, btw.Deutsche Bank’s trading algorithms in Japan took out a$182-billion stock position by mistake in 2010“Flash crash” in 2010, Dow Jones Industrial Averageswung hundreds of points in 20 minutes – exacerbatedby trading algorithms kicking in
Stefano ZaneroInterconnection (too much of it)
Stefano Zanero08/12/1220Fact 4: rising threatsAll the data comesfrom the InternetSecurity Threat Report2011
Stefano ZaneroFind the differences...Chinas Chengdu J-20 fighter (circa oct.2010) vs. NorthropYF-23 (1994)Remember thatNorthrop was one ofthe first targets of theAPT (AdvancedPersistent Threat)campaign in 2009Suggestive, isnt it?
Stefano ZaneroThe slippery slope of cyberwarStuxnet: designed tosabotage Irans nuclearfacilitiesDuqu: discovered a fewmonths later, possiblycreated earlier, sameplatform as Stuxnet;uses zero-day;designed to collect dataon the Iranian nuclearprogram (which endedup in the ends of UN)
Stefano ZaneroAnd then came the flameFlamer: enormous malwarespecimen discovered in2012 by ITU; intelligencegathering; encryption zeroday (!); component link toStuxnet (!!)Gauss: similar to the othersin many way, includesbanking trojan and anencrypted payload whichwasnt cracked yetNo comment to theabove image (detailingdiffusion of Flame) isprobably needed.
Stefano ZaneroWhat next?Shamoon: a very differentbeast, targeting critical filesfrom a specific company(Saudi Aramco)Still, a targeted attack withusage of signed drivercomponent like FlamerOverwrote critical files on30.000 machines (¾) on thecorporate network with aburning American flagClaimed by unknown“Cutting Sword of Justice”group on PastebinWhats next?
Stefano ZaneroFacts checked!Fact 1: CPS are increasingly involved in criticalinfrastructures and safety-critical systemsFact 2: CPS are increasingly becoming control loopsclosed without humans in the middleFact 3: CPS are evolving towards complex networksof complex systemsFact 4: threat level by (state/nonstate)-actors likelyto act against these systems is constantly on the riseAll of this leads, at the same time, to increasingattack surfaces, vulnerability exposure, threatprevalence, potential damageWhat about defense then?
Stefano ZaneroForever day bugsZero-day: an unknownvulnerability exploited by anattackerForever day: an old,beaten-to-deathvulnerability still aroundMost CPS are changeaverse, and thus prone toforever day bugsRuggedCom is in goodcompany with ABB,Schneider Electric, andSiemensRuggedCom forever day:Known username,fixed password easy to crack,impossible to disable
Stefano ZaneroWhere we are going: hardware attacksRakshasa is a fully functional bootkitresident in RAM and invoked by aseemingly sane BIOS/firmware
Stefano ZaneroThe perfect stormVulnerabilities arising atthe boundary wheredigital and physicalconnectThe trading algorithmsare a first exampleSmart gridvulnerabilities areanother excellentexample of possiblepositive feedback loopsbetween the two realms
Stefano ZaneroConclusionsWe are brewing a perfect digital storm with unfathomableconsequencesWe are using complex networks of digital systems tocontrol critical infrastructures and safety-critical systems,without humans in the loopThreat level by (state/nonstate)-actors likely to actagainst these systems is constantly on the rise, and weare actively contributing to legitimize thisWe have issues with zero-days as well as forever-days,and we have significant upcoming threats (malicioushardware and interstitial layer threats)We need significant engineering and research effortsto get this done and avert the storm
Stefano ZaneroQuestions?Thank you for yourattention!You can reach me email@example.comOr just tweet @raistoloOur research on these topics hasbeen partially funded by theEuropean Commission under FP7project SysSec, and by ItalysPRIN project TENACE