Critical Infrastructures in the
Age of Cyber Insecurity
Andrea Zapparoli Manzoni
General Manager / Security Brokers

Application Security Forum - 2013
Western Switzerland
15-16 October 2013 - Y-Parc / Yverdon-les-Bains
http://www.appsec-forum.ch

Agenda
“Critical Infrastructures in the Age of Cyber Insecurity”
Who am I
Cyber Insecurity is the new norm
Why are we here
Impacts of Cyber Insecurity on Critical Infrastructures
Latest Incidents
Remediations ?
Conclusions

Who am I
Founder, General Manager, Security Brokers
Founder, CEO, iDIALOGHI
«Cyberworld» WG Member at OSN/Ce.Mi.S.S.
APASS Board Member / Information Warfare lead res.
Assintel Board Member / ICT Security WG leader
Clusit Board Member / lecturer (SCADA, Social Media Sec, Anti-fraud, DLP…)
Co-author of the Clusit Report (2012 and 2013)

Cyber Insecurity is the new norm
“It’s a Jungle Out There”
Private organizations spent USD 20B on “advanced” ICT security systems in 2012, out of a USD 60B total ICT security budget. Notwithstanding these efforts, cyber insecurity is becoming the norm.
From our analyses, which are in line with those made by other observers (private and institutional), the number of attacks against companies and government bodies in 2012 grew by 154% on average compared to 2011 (which had been the worst year on record until then). In 2013 this growth is clearly accelerating.
Why?

[Chart: International Serious Cyber Attacks per half-year, 1H 2011 to 1H 2013; y-axis 0 to 800]
© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update

Why are we here
#1. ICT Products are not as secure as you may think (= insecure by design)

[Two images compared with “!=”; the author's 1971 Fiat is the one on the right]

The Fiat on the right was my first car, back in 1987 (it was built in 1971). I was very proud
of it and, after all, it worked well. But it had NO built-in security whatsoever. No brakes,
no seat belts, no ABS, ESP, airbag, headrests, no passive security – nothing.
Today’s ICT is somewhat like my 1971 Fiat, in terms of built-in security. Really.
As a consequence, in 2012 this inherent cyber insecurity had an estimated global (direct and indirect)
cost of USD 388 billion (roughly Denmark’s GDP).

Why are we here
# 2. Cybercrime is the “best” investment on the planet


And attack techniques developed by cybercrime are quickly adopted by other actors…

Why are we here
#3. There is a huge, growing market for 0-days, and it is becoming “mainstream”

We receive offers of this kind almost daily… on LinkedIn!

Why are we here
Cybercrime is extremely profitable. But there are also hacktivists, spies, mercenaries…
[Chart: Attackers Distribution % - 1H 2011 to 1H 2013; series 2011, 2012, 1H 2013; categories Cybercrime, Hacktivism, Espionage, Cyber Warfare, Unknown; y-axis 0% to 60%]
© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update

CIs, being valuable targets, are under attack from many different actors, for
different reasons (blackmail, espionage, sabotage, information warfare…)

So, in a nutshell
2012: +150% serious cyber attacks worldwide vs 2011
Huge growth in the number of attackers and in offensive capabilities
Everyone is now a target (Citizens, Corporations, Institutions, Gov/Mil)
All platforms are now a target (PCs, Mobile, Social, Cloud, SCADA…)
Traditional defenses are not working anymore
Return on Investment (ROI) for attackers is extremely high
Risks for attackers are still extremely low
Growing risk of systemic “Black Swans” (HILP: high-impact, low-probability events)
Lack of effective legislation and tools for LEAs (law enforcement agencies)
How do we handle all these issues and mitigate these threats?
How do we (re)shape our CIs to prevent these attacks?

Known, noisy attacks on CIs are growing…
[Chart: Victims distribution (from a sample of 2,200 known attacks over the last 36 months)]
© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update

But stealthier, slower, nastier attacks are spreading faster…

Impacts of Cyber Insecurity on CI
In the last 5 years, Information and Cyber Warfare have become a reality. Many
actors are developing these capabilities, and many of them are not Nation States.

Impacts of Cyber Insecurity on CI

Sorry. You should have attended the Conference to see this slide.

Impacts of Cyber Insecurity on CI
Cyber warfare encompasses a very broad spectrum of digital attack techniques, originally
developed by cyber criminals but now within the reach of a growing number of actors, used
for different purposes, with variable intensity, and against any kind of target (critical
infrastructures, government systems, military systems, companies of all sizes, banking,
media, private citizens, ...):
Nation States
IC / LEAs
Organized Cybercrime
Hacktivists
Industrial Spies
Terrorists
Corporations
Mercenaries

all against all

Impacts of Cyber Insecurity on CI

Latest Attacks
The number of known SCADA vulnerabilities has increased 25-fold since 2010.
50% of these vulnerabilities allow code execution.
Public exploits exist for 35% of them.
41% are rated critical. More than 40% of systems reachable from the Internet
can be compromised by unskilled attackers. (Metasploit, anyone?)
54% of Internet-reachable systems in Europe and 39% in North America are vulnerable.
……Search for yourself on Shodan

Latest Attacks
Attack techniques distribution (from a sample of 2,200 known attacks in the last 36 months)

Techniques by type¹                  2011   2012   Change 2012 vs 2011   2H 2012   1H 2013   Change 1H 2013 vs 2H 2012
SQL Injection                         197    435          +120.81%          212       162            -23.58%
Unknown                                73    294          +302.74%          120       106            -11.67%
DDoS                                   27    165          +511.11%           67        97            +44.78%
Known Vulnerabilities / Misconfig.    107    142           +32.71%           56        78            +39.29%
Malware                                34     61           +79.41%           30         8            -73.33%
Account Cracking                       10     41          +310.00%           17        46           +170.59%
Phishing / Social Engineering          10     21          +110.00%            5         2            -60.00%
Multiple Techniques / APT²              6     13          +116.67%            6        61           +916.67%
0-day³                                  5      8           +60.00%            3         2            -33.33%
Phone Hacking                           0      3                 -            0         0                  -

© Clusit - Rapporto 2013 sulla Sicurezza ICT in Italia – June 2013 Update

Again in 2013 the majority of attacks were carried out with well-known techniques:
exploiting bugs and/or missing patches, misconfigurations, organizational flaws, lack of
user awareness, etc. All of these vulnerabilities could and should be mitigated with
relative ease, yet in the first half of 2013 they still accounted for 69% of the total.
Within this (grim) scenario, DDoS attacks increased by 44% and APTs by over 900%.

Latest Attacks

How an APT works in a CI / SCADA-DCS environment (example)

Latest Attacks

But good old web based attacks can do the trick, too….
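SQL injection tops the technique table above, and a web front end bolted onto a control network is where it usually lands. The following is an added example, not code from the original talk: a minimal login check for a hypothetical web HMI backed by SQLite, written once with string concatenation and once with a parameterised query, then driven with two classic injection payloads. The table, usernames, passwords and payloads are constructed for the example.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed in-memory user table for a hypothetical web HMI. The
# usernames and passwords are invented for this example; a real
# application must store salted password hashes, not plaintext.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("operator", "op-pass-2013", "operator"),
         ("admin", "correct horse battery", "admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, str]]:
    # Deliberately vulnerable: the statement is assembled by string
    # formatting, so quotes in the input change the SQL itself.
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_hardened(conn: sqlite3.Connection, username: str,
                   password: str) -> Optional[Tuple[str, str]]:
    # Parameterised query: the driver binds the values as data, so the
    # same payloads are compared literally and never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run both payloads against both implementations and return the rows."""
    conn = build_db()
    comment_payload = "admin'--"        # closes the string, comments out the password check
    tautology_payload = "x' OR '1'='1"  # makes the WHERE clause true for every row
    return {
        "vuln_comment":   login_vulnerable(conn, comment_payload, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology_payload),
        "hard_comment":   login_hardened(conn, comment_payload, "wrong"),
        "hard_tautology": login_hardened(conn, "nobody", tautology_payload),
        "hard_legit":     login_hardened(conn, "operator", "op-pass-2013"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15s} -> {row}")
```

The vulnerable version logs the attacker in as admin with the comment payload and as the first user in the table with the tautology; the hardened version returns no row for either and still accepts the real operator credentials. Parameterisation is the fix, not input filtering, and the same shape applies to any SQL behind a SCADA/DCS web interface.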


Remediations ?
#1. Update your risk perception. It’s not 2003 anymore…

Remediations ?
#2. Assume compromise. 94% of the 7,200 known web-based interfaces connected to CIs in
the US were attacked in 2012. Several of them were breached.

Remediations ?
#3. “Defense in depth” must become your new mantra. Firewalls are cool, but… ☺

Then repeat to yourself several times a day: “Air gapping doesn’t work anymore”….

Remediations ?
#4. Monitor everything. Evaluate risks in real time. Manage your vulnerabilities 24/7/365.

Adopt a Secure Development Life Cycle. Develop and test your BC/DR (business continuity / disaster recovery) processes.
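One concrete piece of “monitor everything” for a Modbus/TCP control network, as an added example rather than anything from the original talk: parse the MBAP header of each request seen on a span port, and alert on write function codes coming from hosts outside an allow-list, on diagnostic requests an HMI has no reason to send, and on malformed frames. The host addresses, the allow-list and the sample frames are constructed for this example; the header layout and function codes are those of the public Modbus/TCP specification.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Modbus function codes that change process state (Modbus Application
# Protocol specification). Anything here counts as a "write".
WRITE_FUNCTIONS: Dict[int, str] = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x15: "Write File Record",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
# Codes that an operator HMI has no business sending during normal polling.
SUSPICIOUS_FUNCTIONS: Dict[int, str] = {
    0x08: "Diagnostics",
    0x2B: "Encapsulated Interface Transport (device identification)",
}
# Hypothetical allow-list of hosts permitted to write to PLCs. The address
# is constructed for this example: the engineering workstation.
WRITE_ALLOWED = {"10.10.1.5"}


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes     # TCP payload of one Modbus/TCP request


@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    reason: str


def parse_mbap(payload: bytes) -> Optional[dict]:
    """Parse the 7-byte MBAP header plus function code; None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; the length field counts unit id
    # plus PDU, so it must equal the bytes remaining after the first 6.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def inspect_frames(frames: List[Frame]) -> List[Alert]:
    """Apply the three detection rules to a list of captured requests."""
    alerts: List[Alert] = []
    for f in frames:
        hdr = parse_mbap(f.payload)
        if hdr is None:
            alerts.append(Alert("high", f.src, f.dst,
                                "malformed MBAP header (fuzzing or exploit attempt)"))
            continue
        fc = hdr["function"]
        if fc in WRITE_FUNCTIONS and f.src not in WRITE_ALLOWED:
            alerts.append(Alert("high", f.src, f.dst,
                                f"{WRITE_FUNCTIONS[fc]} (0x{fc:02X}) from host not allowed to write"))
        elif fc in SUSPICIOUS_FUNCTIONS:
            alerts.append(Alert("medium", f.src, f.dst,
                                f"{SUSPICIOUS_FUNCTIONS[fc]} (0x{fc:02X}) request"))
    return alerts


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a well-formed Modbus/TCP request (used to build the sample)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: one PLC at 10.10.2.1, an HMI at 10.10.1.20,
# the engineering workstation at 10.10.1.5, and a stray host on the business LAN.
SAMPLE: List[Frame] = [
    # HMI polls holding registers 0..9 (0x03 Read Holding Registers): benign
    Frame("10.10.1.20", "10.10.2.1", build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))),
    # engineering workstation sets register 100 := 1: allowed
    Frame("10.10.1.5", "10.10.2.1", build_frame(2, 1, 0x06, struct.pack(">HH", 100, 1))),
    # unknown business-LAN host clears the same register: high alert
    Frame("10.10.50.77", "10.10.2.1", build_frame(3, 1, 0x06, struct.pack(">HH", 100, 0))),
    # HMI sends Diagnostics sub-function 0x0004 (Force Listen Only Mode): medium
    Frame("10.10.1.20", "10.10.2.1", build_frame(4, 1, 0x08, struct.pack(">HH", 0x0004, 0))),
    # length field claims 64 bytes but only 2 follow the unit id: malformed
    Frame("10.10.50.77", "10.10.2.1", bytes.fromhex("0005 0000 0040 01 10")),
]


if __name__ == "__main__":
    for a in inspect_frames(SAMPLE):
        print(f"[{a.severity}] {a.src} -> {a.dst}: {a.reason}")
```

In production the frames come from a pcap or a span port rather than the embedded list, and the allow-list is generated from the asset inventory. The point is that a single write to a register from an unexpected source, logged with source address, unit id and function code, is exactly the evidence that lets an operator tell a cyber attack from an ordinary equipment failure.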

Conclusions
• The “recent” convergence and standardization of previously closed, proprietary systems, and the growing adoption of off-the-shelf (OTS) hardware and software components, have opened Critical Infrastructures up to security threats traditionally found only in the IT sector. Especially when connected to the Internet, these systems are in great danger.
• We are witnessing the widespread use of stealthy, customized malicious software that specifically targets SCADA systems, and the rise of a huge 0-day market.
• Due to high availability and performance requirements, combined with legacy technologies, SCADA systems often lack the capability to support forensic analysis during or after an incident or system failure. Even when it is technically possible, many organizations lack the real-time monitoring and post-incident analysis tools needed to distinguish between a normal system failure and malicious activity.
• This is why CI administrators are often unable to determine whether their systems experienced a normal failure or a cyber attack. This uncertainty is being actively leveraged by attackers and (IMHO) is the BIGGEST issue in CI / industrial automation environments.
• Last but not least, specific skills are lacking in both quality and quantity. We need more experts asap (both on the end user / customer side and on the consulting firms side).

Questions?

Merci/Thank you!
Contact:
Andrea Zapparoli Manzoni
azm@security-brokers.com
http://www.security-brokers.com
Slides:
http://slideshare.net/ASF-WS/presentations
