
CDIS
Conceção e Desenvolvimento de Infraestruturas Seguras
(Design and Development of Secure Infrastructures)

Advanced Persistent Threats on ICS as a powerful cyber weapon

UNICV
Pós-Graduação em Segurança Informática (Postgraduate Programme in Information Security)

CDIS UNICV © Paulo Simões - DEI/FCTUC


Outline
• Industrial Control Systems and SCADA systems
• Critical Infrastructure Security
• Advanced Persistent Threats – on the road to cyberwarfare

Credits: this slide set has been prepared together with Prof. Tiago Cruz, in the scope of several talks on this subject.


Introduction



ICS and SCADA

In the last few years, Industrial Control Systems (ICS), such as SCADA (Supervisory Control and Data Acquisition) systems, have evolved towards open architectures and standard technologies:

• Initially, ICS were isolated by nature (the air-gap principle), being limited to the process network. In those times security rested on obscurity and isolation (a bad practice, then and now).
• Protocols were proprietary and their documentation was undisclosed, creating a false sense of security.
• Only manufacturers and attackers knew of failures and vulnerabilities, and neither party had an interest in disclosing them (though for very different reasons).

This move, together with the adoption of ICT technologies and of open, documented protocols, exposed serious weaknesses in SCADA architectures: the protocols are now public and reachable, but most of them were designed without any authentication or integrity protection.


ICS and SCADA: SCADA???

Supervisory Control and Data Acquisition is a common process-control application that collects data from sensors on the shop floor or in remote locations and sends them to a central computer for management and control.

• SCADA is a technology that enables a user to collect data from one or more distant facilities and/or send limited control instructions to those facilities (Ronald L. Krutz, Securing SCADA Systems).
• There are several different (but similar in purpose and design) SCADA products and communication protocols.


Examples of SCADA…

[Figure: a minimal water-tank SCADA loop. An HMI (Human-Machine Interface) sits on the Master, which polls two slaves: Slave 1 handles pump control and flow reading (water pump, water flow sensor); Slave 2 handles the water level sensor and valve control (water tank, valve).]

Examples of SCADA…

[Figure: further SCADA examples (screenshots only).]


Manufacturers of SCADA equipment
• Modicon/Schneider Electric
• Siemens
• Motorola
• GE Fanuc (VersaMax PLC family)
• Allen-Bradley/Rockwell Automation (MicroLogix PLC family)
• …


A traditional 3-layered SCADA network
(way before the age of Industry 4.0)
[Figure: slide image only.]

Then things started becoming weird…
(where did my network go?!)
[Figure: slide image only.]

A modern SCADA network
(where's Wally?)
[Figure: slide image only.]

We went from this… …and this… …to this.
[Figures: three slide images only.]
ICS vs. ICT
(two converging breeds?)

As they evolve, SCADA architectures are becoming increasingly similar to ICT systems:

• Widely available, low-cost Internet Protocol (IP) devices are replacing proprietary solutions, which increases the likelihood of cyber-security vulnerabilities and incidents.
• ICS are adopting ICT solutions to provide corporate connectivity and remote access, and they are being designed and implemented with industry-standard computers, standard operating systems (OS) and standard network protocols.

While this integration introduced new capabilities "borrowed" from the ICT world, it also left the ICS with significantly less isolation from the outside world: the vulnerabilities, tools and attackers of the ICT world now reach the process network, while the ICS side keeps its long patch cycles and its protocols designed without authentication.


Critical Infrastructure (in)Security



Is it that bad? What is out there?

Verified
– Electrical generators
– Electrical meters
– Cameras
– Thermometers
– Ovens

Theorized
– Everything mechanical
– Water, waste, power, chemical, manufacturing, traffic control…

No more boundaries between the cyber and physical worlds:
https://www.youtube.com/watch?v=fJyWngDco3g
(Toto, I have a feeling we're not in Kansas anymore)


Is it that bad? What is out there?
Mapping a brave new world...
[Figures: a series of slides showing Internet-wide scans for exposed industrial devices (screenshots only).]

Modbus/TCP listens on TCP port 502 by default, so a query for port 502 is a quick way to enumerate Modbus devices reachable from the Internet. The protocol carries no authentication, session or integrity protection: any host that can open a connection to port 502 can read and write coils and registers on the unit.
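The port-502 note above is the one technical fact behind these scans, so here it is made concrete. The following Python block is an added example, not code from the original slides: it encodes and decodes Modbus/TCP frames as laid out in the public Modbus Application Protocol specification (7-byte MBAP header followed by the PDU), and then runs a small write-command detector, of the kind a process-network sensor or ICS firewall implements, over constructed sample records. The host addresses, register/coil addresses and the allow-list of hosts permitted to write are assumptions made for the example.

```python
"""Modbus/TCP framing and a minimal write-command detector (added example).

Modbus/TCP (default port 502) carries a 7-byte MBAP header followed by the
Modbus PDU. There is no authentication, session or integrity field anywhere
in the frame, so any host that can reach port 502 can read and write process
values. The sample records and the allow-list below are constructed.
"""
import struct

MODBUS_TCP_PORT = 502

# Public function codes from the Modbus Application Protocol specification.
FC_READ_COILS = 0x01
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10

WRITE_FUNCTIONS = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                   FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS}


def build_request(transaction_id, unit_id, function_code, *fields):
    """Encode a request: MBAP header (transaction id, protocol id 0, length,
    unit id) followed by the PDU. `fields` are 16-bit big-endian values
    (address, quantity or value)."""
    pdu = struct.pack(">B" + "H" * len(fields), function_code, *fields)
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Decode the MBAP header and PDU; raise ValueError on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def describe(parsed):
    """Human-readable summary of the most common request PDUs."""
    f, d = parsed["function"], parsed["data"]
    if f in (FC_READ_COILS, FC_READ_HOLDING_REGISTERS) and len(d) == 4:
        addr, qty = struct.unpack(">HH", d)
        return f"read fc={f:#04x} addr={addr} qty={qty}"
    if f in (FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER) and len(d) == 4:
        addr, val = struct.unpack(">HH", d)
        return f"write fc={f:#04x} addr={addr} value={val:#06x}"
    if f & 0x80:  # exception response: function code with the high bit set
        return f"exception fc={f & 0x7F:#04x} code={d[0] if d else None}"
    return f"fc={f:#04x} len={len(d)}"


def is_write(parsed):
    return parsed["function"] in WRITE_FUNCTIONS


def detect_unauthorised_writes(records, allowed_writers):
    """records: iterable of (src_ip, dst_port, frame_bytes) tuples, as a
    passive sensor on the process network might collect them. Any write
    function code from a host outside `allowed_writers`, and any frame that
    does not parse, produces an alert. Returns the list of (src, message)."""
    alerts = []
    for src, dport, frame in records:
        if dport != MODBUS_TCP_PORT:
            continue
        try:
            parsed = parse_frame(frame)
        except ValueError as e:
            alerts.append((src, f"malformed Modbus frame: {e}"))
            continue
        if is_write(parsed) and src not in allowed_writers:
            alerts.append((src, "unexpected write: " + describe(parsed)))
    return alerts


# Constructed traffic (assumed addresses): the HMI polls two holding
# registers, then an unknown host forces coil 1 ON (e.g. a pump output) and
# writes a new setpoint, and finally a frame arrives whose length field lies.
HMI = "10.0.1.10"
ROGUE = "10.0.1.77"
SAMPLE_RECORDS = [
    (HMI, 502, build_request(1, 1, FC_READ_HOLDING_REGISTERS, 0x0000, 2)),
    (ROGUE, 502, build_request(2, 1, FC_WRITE_SINGLE_COIL, 0x0001, 0xFF00)),
    (ROGUE, 502, build_request(3, 1, FC_WRITE_SINGLE_REGISTER, 0x0010, 0x03E8)),
    (HMI, 502, b"\x00\x04\x00\x00\x00\x09\x01\x03"),
]

if __name__ == "__main__":
    for src, msg in detect_unauthorised_writes(SAMPLE_RECORDS, {HMI}):
        print(src, msg)
```

Run stand-alone, the script prints three alerts: the coil write and the register write from the rogue host, and the malformed frame. The detector allow-lists by source address because the protocol itself offers nothing better to key on; in a real deployment it sits on a span port or inside an ICS firewall, and the allow-list is the set of masters that are supposed to write, typically a handful of HMI or MTU hosts.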


We all see where this is going…
(and it ain't nice!)
[Figure: slide image only.]


Attack Scenarios
[Figure: attack scenarios diagram (image only). Legend:]
MTU: master terminal unit
RTU: remote terminal unit
FEP: front-end processor
IED: intelligent electronic device

Advanced Persistent Threats
(from cybersecurity to cyberwarfare)


Is doomsday one click away?
(almost!)

• The Estonia cyber attacks that began on 27 April 2007 swamped the websites of Estonian organizations such as banks, the parliament, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about relocating war graves and the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker.
https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia
https://www.researchgate.net/publication/264418820_The_Estonian_Cyberattacks
• The South Florida blackout of 2008 left almost 4 million customers without electricity. Some experts blame this event on a cyber-attack, although the official investigation attributed it to a field engineer who had disabled protection relays while troubleshooting a substation switch.
http://blogs.edf.org/energyexchange/2013/08/20/u-s-electric-grid-under-cyber-attack/
• In 2010, Stuxnet, a worm designed to attack Siemens Step7/WinCC software and S7 PLCs, temporarily set back Iran's nuclear programme. It is estimated to have ruined almost one-fifth of Iran's enrichment centrifuges by driving them outside their safe speed range, while replaying previously recorded process values to the operators so that the system appeared normal during the attack.
https://en.wikipedia.org/wiki/Stuxnet
https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
Vulnerabilities as Cyberweapons

For Stuxnet to be effective and penetrate the highly guarded installations where Iran was developing its nuclear programme, the attackers had a dilemma to solve: how to sneak the malicious code into a place with no direct Internet connection? The (apparently successful) solution was to first infect "high-profile" companies that worked for the plant, so that the code could cross the air gap on removable media and contractor laptops.
The APT lifecycle
(APT: Advanced Persistent Threat)
[Figure: APT lifecycle diagram. Image source and a nice introduction: SecureWorks, https://www.secureworks.com/blog/advanced-persistent-threats-apt-a]

A few examples:
• Duqu
https://en.wikipedia.org/wiki/Duqu
http://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf
• Careto
https://en.wikipedia.org/wiki/Careto_(malware)
• Stuxnet
• …
2007
[Figure: slide image only.]

2013
[Figure: slide image only.]


December 2015 – Ukraine blackout
A (most likely) state-sponsored attack on the Ukrainian power grid, carefully planned and patiently executed:
• prior compromise of the utilities' corporate networks using spear-phishing emails
• taking the SCADA systems under control through remote access, using credentials of outsourced contractors
• remotely switching high- and medium-voltage substations off
• disabling or destroying infrastructure components (UPS, serial-to-Ethernet converters, modems, RTUs)
• destruction of files stored on servers and workstations (KillDisk)
• telephony DoS against the call centre, so that operators lose situational awareness
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

And, in 2016, it got more sophisticated and more automated: the attack on a Kyiv transmission substation used Industroyer (CrashOverride), malware that speaks the grid protocols directly (IEC 60870-5-101/104, IEC 61850 and OPC DA), so breakers could be opened without an operator session at the HMI.
https://www.wired.com/story/crash-override-malware/


2019
[Figure: slide image only.]

2021
[Figure: slide image only.]


Cyberwarfare
Some are still doing it wrong...
[Figure: slide image only.]

Some are doing it right
C5I (command, control, communications, computers, combat systems (or cyber) and intelligence) units are being set up everywhere.
Tactically speaking, C5I capabilities are an operational force multiplier.
[Figure: slide image only.]


Not just military warfare
(CIP – Critical Infrastructure Protection)

• Critical infrastructure protection (CIP) addresses preparedness for, and response to, serious incidents affecting national or regional critical infrastructures.
• Driven by public authorities, but also involving private stakeholders.
• In the USA:
  • Presidential directives set up and updated the national Critical Infrastructure Protection programme (PDD-63 in 1998, revised by HSPD-7 in 2003 and PPD-21 in 2013).
  • NIST Cybersecurity Framework (2014)
  https://www.nist.gov/cyberframework
• In Europe:
  • European Programme for Critical Infrastructure Protection (EPCIP, 2006) and the Directive on European critical infrastructures (2008/114/EC)
  http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52006DC0786&from=EN
  http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008L0114&from=EN
  • Critical Infrastructure Warning Information Network (CIWIN)


Thank you for your attention