Managing Security of the Grid in the Cloud




Managing Security of the Grid in the Cloud
Raoul Chiesa, Senior Advisor on Cybercrime, ECU (Emerging Crimes Unit), UNICRI (United Nations Interregional Crime and Justice Research Institute)

Disclaimer
The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with actual known laws. Registered brands and logos belong to their legitimate owners. The opinions represented here are our personal ones and do not necessarily reflect the views of the United Nations or UNICRI.

Agenda
- #whois
- What's it all about
- A look inside SCADA & ICS
- The SOVEMA case study
- The Cloud and SCADA: shared issues
- The BAD news
- Be SECURE!
- To zoom in
- Contacts, Q&A

#whois

Raoul "Nobody" Chiesa
- Old-school hacker from 1986 to 1995
- Founder, @ Mediaservice.net (est. 1997)
- Supporting UNICRI since 2004; Cybercrime Advisor since 2005
- ENISA PSG, Advisor
- Italian MoD OSN/CASD CyberWorld WG: Group Leader
- OSSTMM Key Contributor; HPP Project Manager; ISECOM International Trainer
- Member of CLUSIT, AIP/OPSI, TSTF.net (Telecom Security Task Force), APWG, ICANN, CyberDefcon, HostExploit, WINS, etc.
- I work worldwide (so I don't get bored ;)
- My areas of interest: pentesting, SCADA/DCS/PLC, National Critical Infrastructures, Security R&D + exploiting weird stuff, Security People, X.25, PSTN/ISDN, Hackers Profiling, Cybercrime, Information Warfare & CyberWar, security methodologies, vertical hard-core trainings.

UNICRI
UNICRI was created in 1968 to assist intergovernmental, governmental and non-governmental organizations in formulating and implementing improved policies in the field of crime prevention and criminal justice. WHQ is in Turin, Italy, inside the United Nations International Training Campus (ITC/ILO). In a rapidly changing world, UNICRI's major goals today are advancing security, serving justice and building peace.
Our key areas of focus:
- Applied Research
- Capacity Building
- Technical Co-operation
- Emerging Crimes Unit (ECU): deals with cyber crimes, counterfeiting, environmental crimes, trafficking in stolen works of art
Examples shown on the slide: fake Bvlgari & Rolex, but also Viagra & Cialis (aka SPAM); water systems with sensors; "Guess how they update each other?" (email, chat & IM, Skype).

Cybercrime turnover?
In 2011 the cybercrime financial turnover apparently scored higher than the turnovers of drug dealing, human trafficking and weapons trafficking (various sources: UN, USDOJ, INTERPOL, 2010/2011).
Financial turnover, estimation: 6-12 BLN USD/year (Source: Group IB Report 2011).

IEEE Hacking Matrix http://spectrum.ieee.org/static/hacker-matrix

NCIs and Nation State attacks
"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."
Former Duma speaker Nikolai Kuryanovich, 2007

What's it all about

What's it all about
We've got 3 different worlds here (just to make things easier ;)
- Logical Security
- Cloud
- SCADA/Industrial Automation

What's it all about /2
Logical Security
- Since today's society is (nearly) totally dependent on IT, security has become a mandatory and strategic issue
- Still, we're not able to rule it yet -> new challenges every day, new trends (technologies)
- Public vulns (both Full and Responsible disclosure ones)
- 0-Days -> Black Market -> Underground Economy
- Cybercrime, Information Warfare, CyberWar (?)
- GOVs & MILs entering the game
- Overall, already on its own it's a very complex world
Cloud
- A really fresh, brand new technology. The InfoSec community & industry is missing its background, history and field use -> InfoSec experts need time to learn from mistakes
- Incidents are already happening
- It calls for answers: best practices and security standards (CSA will help out here)
SCADA/Industrial Automation
- Old technology
- Different views, needs and priorities when compared to InfoSec (i.e.: CIA vs AIC)
- Security aspects were not a priority
- A security bugs tsunami (i.e. 100 SCADA bugs in 100 days)
- Increasing attention from Bug Hunters (Security Researchers) and Hackers (crackers?)
- Much more will come
- Strategic asset -> interest from the Information Warfare perspective

A look inside

What's this Cloud?
The very official, serious term: Cloud Computing
Wikipedia: "Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet)."
Henry J. Sienkiewicz, DISA (Defense Information Systems Agency): "A style of computing where massively scalable (and elastic) IT-related capabilities are provided as a service to external customers using Internet technologies."

Cloud /2
- IaaS: Infrastructure-As-a-Service. Processing, networking, storage, virtualization.
- PaaS: Platform-As-a-Service. Application development; platforms to develop, test and study SaaS applications. Intended for software developer communities.
- SaaS: Software-As-a-Service. Pay-per-use your application through the Web.
- XaaS: Whatever-As-a-Service. Data-As-a-Service (on-line storage, or DaaS). Cracking-As-a-Service? DDoS-aaS?

History played back

Cloud's fans and opponents (PROs/CONs)
Cloud sucks because...
- It doesn't have security
- I want to manage my stuff on my own
- I don't go for cloud 'cause I don't have any stuff on cloud and I never will
- I don't cloud 'cause I already have my cloud: it's my datacenter, close to my town
- If it's gonna rain, I'll lose my data
- On cloud they would steal my data and the USA would read my emails
Cloud is cool because...
- IDC/Gartner/whoever said it's the future
- It's SO trendy
- I save money
- The son of a friend of mine runs a Facebook page with +1000 friends and told me that cloud is a must-have
- Because everything is on the Internet

SCADA & ICS

The Cloud and SCADA: shared issues

Known issues /1
- Recording: Logging? Which type of logs? And what about the data-retention and privacy laws? Where's my data, in which country?
- Access: Who can access my data? What if I CAN'T access my own data??
- Backups and safeties: What is backed up? When? For how long (data retention, again)?
- Compliance: Which kind of security audits are allowed to be run? What about penetration tests? Who will legally authorise the pentesters?

Known issues /2
- Lawful Interception: TLC service providers must be compliant with LIS laws. Laws are pretty similar, both in EU and extra-EU countries.
- Legal: Where is the datacenter located? Local laws (i.e. privacy). Cloud provider vs data management (privacy, once again). Transferring this data abroad?
- DLP (Data Loss Prevention): How can I monitor what is happening to my boxes/applications/services? What about digital forensics?!?
- Insurance aspects (break-ins)??
- Hidden costs: Is there anything billed in a hidden way? CPU? Data traffic? Disk space & backup quotas?

The bad news

First, fresh problems
September 8th, 2001: Google Docs stopped working. 30 minutes black-out. The data people were working on got lost. And people weren't able to work, btw!!
While this news is from 2001, in the last 10 years a lot of similar incidents have happened.

Unknown issues: DDoS attacks
Running on cloud can be extremely helpful when mitigating DDoS attacks. These attacks would not be as easy to mitigate within your standard infrastructure.
On the other hand, from an attacker's point of view, the cloud infrastructure itself would represent a very powerful shotgun.

Unknown issues /2: Password cracking
Attackers have already abused cloud ISPs' resources in order to run password cracking software:
https://www.infosecisland.com/blogview/11018-cracking-WPA-Protected-WiFi-in-Six-Minutes.html
"Roth was able to crack 400000 passwords per second"
http://www.darkreading.com/authentication/167901072/security/client-security/229301362/researcher-overcomes-legal-setback-over-cloud-cracking-suite.html
"Apparent mis-translation by a German newspaper of English-speaking reports on researcher's Amazon EC2-based password-cracking tool led to raid, frozen bank account"
11 Jan 2011: "Researcher cracks Wi-Fi passwords with Amazon cloud... computers available for 28 cents per minute, the cost of the crack came to just $1.68."
http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/

Be SECURE!

Be SECURE!
A good start from the folks at NIST & ENISA:
- NIST Releases Secure Cloud Computing Guidelines (September 15, 2011). Read the article on Infosec Island! (http://www.infosecisland.com)
- NIST Cloud Computing Standards Roadmap (NIST SP 500-291): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909024
  The full document: http://collaborate.nist.gov/twiki-cloud-computing/pub/cloudcomputing/standardsroadmap/nist_sp_500-291_jul5a.pdf
- ENISA, Cloud Computing - Benefits, risks and recommendations for information security, November 2009: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
- ENISA, Cloud Computing - SME Survey, November 2009: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-sme-survey
- ENISA, Cloud Computing Information Assurance Framework, November 2009: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework

To zoom in

A gift for you all here!
Get your own, FREE copy of F3 (Freedom from Fear, the United Nations magazine) issue #7, totally focused on cybercrimes!
DOWNLOAD: www.freedomfromfearmagazine.org
Or, email me and I will send you the full PDF (10MB).

Know your Enemy
Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking. ISBN: 978-1-4200-8693-5

Questions? Contacts, Q&A
Raoul Chiesa, E-mail: chiesa@unicri.it
Thanks folks!
http://www.unicri.it
UNICRI Cybercrime Home Page: http://www.unicri.it/emerging_crimes/cybercrime/
UNICRI Cybercrime Initiatives: http://www.unicri.it/emerging_crimes/cybercrime/initiatives/