Managing Security of the Grid in the Cloud - SANS Briefing

Raoul Chiesa, Senior Advisor on Cybercrime
ECU – Emerging Crimes Unit, UNICRI
United Nations Interregional Crime and Justice Research Institute (UNICRI)

Upload: vuthuan

Post on 12-Mar-2018




Disclaimer

The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with actual known laws.

Registered brands and logos belong to their legitimate owners.

The opinions represented here are our personal ones and do not necessarily reflect the views of the United Nations or UNICRI.


Agenda

• # whois
• What’s all about
• A look inside
• SCADA & ICS
• The SOVEMA case study
• The Cloud and SCADA: shared issues
• The BAD news
• Be SECURE!
• To zoom in…
• Contacts, Q&A


#whois


Raoul “Nobody” Chiesa

• Old-school Hacker from 1986 to 1995

• Founder, @ Mediaservice.net (Est. 1997)

• Supporting UNICRI since 2004; Cybercrime Advisor since 2005

• ENISA PSG, Advisor

• Italian MoD OSN/CASD “CyberWorld” WG: Group Leader

• OSSTMM Key Contributor; HPP Project Manager; ISECOM International Trainer

• Member of CLUSIT, AIP/OPSI, TSTF.net (Telecom Security Task Force), APWG, ICANN, CyberDefcon, HostExploit, WINS, etc;

• I work worldwide (so I don’t get bored ;)

• My areas of interest: Pentesting, SCADA/DCS/PLC, National Critical Infrastructures, Security R&D+Exploiting weird stuff, Security People, X.25, PSTN/ISDN, Hackers Profiling, Cybercrime, Information Warfare & “CyberWar”, Security methodologies, vertical “hard-core” Trainings.


UNICRI

• UNICRI was created in 1968 to assist intergovernmental, governmental and non-governmental organizations in formulating and implementing improved policies in the field of crime prevention and criminal justice. WHQ is in Turin, Italy, inside the United Nations International Training Campus (ITC/ILO).

• In a rapidly changing world, UNICRI’s major goals today are advancing security, serving justice and building peace.

• Our key areas of focus:
  - Applied Research
  - Capacity Building
  - Technical Co-operation

• Emerging Crimes Unit (ECU): deals with cyber crimes, counterfeiting, environmental crimes, trafficking in stolen works of art…

Fake Bvlgari & Rolex, but also Viagra & Cialis (aka SPAM)

Water systems with “sensors”…

Guess how they update each other?

Email, chat & IM, Skype…


Cybercrime turnover?

“2011 Cybercrime financial turnover apparently scored up more than Drugs dealing, Human Trafficking and Weapons Trafficking turnovers”

Various sources (UN, USDOJ, INTERPOL - 2010/2011)

Financial Turnover, estimation: 6-12 BLN USD$/year

Source: Group IB Report 2011


IEEE “Hacking Matrix”

http://spectrum.ieee.org/static/hacker-matrix


NCIs and Nation State attacks…

"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."

Former Duma speaker Nikolai Kuryanovich, 2007


What’s all about


What’s all about

• We’ve got 3 different worlds here (just to make things “easier” ;)

• Logical Security

• Cloud

• SCADA/Industrial Automation


What’s all about /2

• Logical Security
  - Since today’s society is (nearly) totally dependent on IT, security has become a mandatory and strategic issue
  - Thus, we’re not able to rule it yet -> New challenges every day, new “trends” (technologies)
  - Public vulns (both Full or Responsible disclosure ones)
  - 0-Days -> Black Market -> Underground Economy
  - Cybercrime, Information Warfare, CyberWar (?)
  - GOVs & MILs entering in the game
  - Overall, already on its own it’s a very complex world…

• Cloud
  - A really “fresh”, brand new technology.
  - The InfoSec community & Industry is missing:
  - Its backgrounds, history and field use -> InfoSec experts need time to learn from mistakes
  - Incidents are already happening
  - It calls for answers: best practices and security standards (CSA will help out here)

• SCADA/Industrial Automation
  - Old technology
  - Different views, needs and priorities when compared to InfoSec (i.e.: CIA vs AIC)
  - Security aspects were not a priority
  - A security bugs’ tsunami (i.e. 100 SCADA bugs in 100 days)
  - Increasing attention from Bug Hunters (Security Researchers) and Hackers (crackers?)
  - Much more will come
  - Strategical asset -> Interest from the Information Warfare perspective


A look inside


What’s this Cloud?

The very official, “serious” term: Cloud Computing

• Wikipedia: Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).

• Henry J. Sienkiewicz – DISA (Defense Information Systems Agency)

A style of computing where massively scalable (and elastic) IT-related capabilities are provided “as a service” to external customers using Internet technologies.


“Cloud” /2

IaaS: Infrastructure As-a-Service
• Processing, networking, storage, virtualization

PaaS: Platform-As-a-Service
• Applications development, platforms to develop and test and study SaaS applications. Intended for sw developers communities.

SaaS: Software-As-a-Service
• Pay-per-Use your application through the Web

XaaS: Whatever-As-a-Service:
• Data-As-a-Service (on-line storage or DaaS)
• Cracking-As-a-Service?
• DDoS-aaS?


History played back


Cloud’s fans and opponents (PROs/CONs)

Cloud sucks because...
• It doesn’t have security
• I want to manage my stuff on my own
• I don’t go for cloud ‘cause I don’t have any stuff on cloud and I never will
• I don’t cloud ‘cause I already have my cloud: it’s my datacenter, close to my town
• If it’s gonna rain, I’ll lose my data
• On cloud they would steal my data and the USA would read my emails

Cloud is cool because...
• IDC/Gartner/whoever said it’s the future
• It’s SO trendy
• I save money
• The son of a friend of mine runs a Facebook page with +1000 friends and told me that cloud is a “must-have”
• Because “everything is on the Internet”


SCADA & ICS


The Cloud and SCADA: shared issues


Known issues /1

Recording
• Logging?
• Which type of logs?
• And what about the data-retention and privacy laws?
• Where’s my data, in which country?

Access
• Who can access my data?
• What if I CAN’T access my own data??

Backups and safeties
• What is backed up?
• When?
• How long (data retention, again)

Compliance
• Which kind of Security Audits are allowed to be run?
• What about Penetration Tests? Who will legally authorise the pentesters?


Known issues /2

Lawful Interception
• TLC Service providers must be compliant with LIS laws
• Laws are pretty similar, both in EU and extra-EU countries

Legal
• Where is the datacenter located?
• Local laws (i.e. Privacy)
• Cloud Provider VS data management (privacy, once again)
• Transferring this data abroad….?

DLP (Data Loss Prevention)
• How can I monitor what is happening to my boxes/applications/services?
• …what about Digital Forensics ?!? Insurance’s aspect (break-ins)??

Hidden costs
• Is there anything billed in a “hidden” way?
• CPU?
• Data Traffic?
• Disk space & Backups quotas?


The bad news


First, “fresh” problems

September 8th, 2001

Google Docs stopped working….

30 minutes “black-out”

The data people were working on got lost

And people weren’t able to work, btw!!

While this news is from 2001, in the last 10 years a lot of similar incidents have happened


Unknown issues

DDoS attacks
• Running on cloud can be extremely helpful when mitigating DDoS attacks
• These attacks would not be “as much easy” to mitigate within your standard infrastructure
• On the other hand, from an attacker’s point of view, the cloud infrastructure itself would represent a very powerful “shotgun”


Unknown issues /2

Password cracking
• Attackers already have abused Cloud’s ISPs resources in order to run password cracking software:
https://www.infosecisland.com/blogview/11018-Cracking-WPA-Protected-WiFi-in-Six-Minutes.html

• “Roth was able to crack 400000 passwords per second”
http://www.darkreading.com/authentication/167901072/security/client-security/229301362/researcher-overcomes-legal-setback-over-cloud-cracking-suite.html

• “Apparent mis-translation by a German newspaper of English-speaking reports on researcher's Amazon EC2-based password-cracking tool led to raid, frozen bank account”

• 11 Jan 2011 – Researcher cracks Wi-Fi passwords with Amazon cloud ... computers available for 28 cents per minute, the cost of the crack came to just $1.68.
http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/


Be SECURE!


Be SECURE!

A good start from the folks at NIST & ENISA
• NIST Releases Secure Cloud Computing Guidelines (September 15, 2011)
• Read the article on Infosec Island! (http://www.infosecisland.com)
• NIST Cloud Computing Standards Roadmap (NIST SP-500-291):
http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909024
• The full document:
http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/StandardsRoadmap/NIST_SP_500-291_Jul5A.pdf
• ENISA, Cloud Computing - Benefits, risks and recommendations for information security, November 2009
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
• ENISA, Cloud Computing - SME Survey, November 2009
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-sme-survey
• ENISA, Cloud Computing Information Assurance Framework, November 2009
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assuranceframework


To zoom in…


A gift for you all here! ☺

Get your own, FREE copy of “F3” (Freedom from Fear, the United Nations magazine) issue #7, totally focused on Cybercrimes!

DOWNLOAD:

www.FreedomFromFearMagazine.org

Or, email me and I will send you the full PDF (10MB)


Know your Enemy

Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking

ISBN: 978-1-4200-8693-5-90000


Questions?

Contacts, Q&A

Raoul Chiesa

Thanks folks!

E-mail: [email protected]


http://www.unicri.it

UNICRI Cybercrime Home Page:
http://www.unicri.it/emerging_crimes/cybercrime/

UNICRI Cybercrime Initiatives:
http://www.unicri.it/emerging_crimes/cybercrime/initiatives/