Right Now It Is a Mess
Who covers cyber-safety?
–ENISA (yes, but not yet)
–EPCIP (yes, but indirectly, so far)
–EASA (maybe…?)
–EUROCONTROL (maybe…?)
–SESAR (partially/poorly?)
Issues of cross-modal security.
Copyright C.W. Johnson, 2012

Aim is to Provoke Discussion...
Common software across European transport:
–networks, Linux, VOIP, SBAS...
Duqu, Stuxnet, Flame…
–We have been very lucky so far.
Partial Solutions:
–1. Extension and enforcement of Article 13a;
–2. ‘Telecoms inclusion’ for contingency planning;
–3. Urgent need for digital forensics in policing.

What are the Threats?
‘Mass market’ viruses.
You cannot disconnect the Internet.
–Virtual channels from USB sticks.
Contractors violate security policies.
Many policies only exist on paper.
Huge problem with complacency.

GAO Review of FAA CyberSecurity
“FAA is similarly ineffective in managing systems security for its operational systems and is in violation of its own policy”.
“performed the necessary analysis to determine system threats, vulnerabilities, and safeguards for only 3 of 90 operational ATC computer systems, or less than 4%”.
Intrusion detection in 11 of 300 ATM facilities.

DoT Review of FAA CyberSecurity
DoT: "unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations."
"Attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks"

Air Navigation Service Provider
ANSP label on 13 switches from eBay:
–Flash memory for configuration data;
–Not erased prior to sale.
Supervisor login for local area network;
–Upstream switch addresses/configs;
–VTP trunk info and password;
–SNMP community strings…
Damage more to public relations?

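A pre-disposal check of the kind the eBay finding calls for, added here as an example (not from the original slides): it scans a switch configuration dump for the categories of material the slide lists as recovered (SNMP community strings, VTP password, local logins, enable secret, upstream and management addresses) and refuses to clear the device while any remain. The configuration is a constructed sample in Cisco-IOS-like syntax with fictitious values; the pattern list is illustrative, not a complete inventory of what a real device can hold.

```python
import re

# Constructed running configuration in Cisco-IOS-like syntax. Every value is
# fictitious; the lines mirror the categories the slide says were recovered.
SAMPLE_CONFIG = """\
hostname ansp-tower-sw3
enable secret 5 $1$EXAMPLE$notarealhash
username supervisor privilege 15 password 7 EXAMPLE7
vtp domain ansp-lan
vtp password tr4nkS3cret
snmp-server community public RO
snmp-server community ansp-rw RW
ip default-gateway 10.20.0.1
ip route 0.0.0.0 0.0.0.0 10.20.0.1
logging host 10.20.0.50
interface Vlan1
 ip address 10.20.0.13 255.255.255.0
"""

# (finding label, pattern). Patterns are anchored at the start of the line so
# that free-text descriptions mentioning these words do not cause noise.
SENSITIVE_PATTERNS = [
    ("snmp community",   re.compile(r"^snmp-server community\s+\S+")),
    ("vtp password",     re.compile(r"^vtp password\s+\S+")),
    ("local login",      re.compile(r"^username\s+\S+")),
    ("enable secret",    re.compile(r"^enable (?:secret|password)\b")),
    ("upstream address", re.compile(r"^ip (?:default-gateway|route)\b")),
    ("management host",  re.compile(r"^logging host\s+\S+")),
]


def find_residual_secrets(config: str) -> list[tuple[str, int, str]]:
    """Return (label, line number, line) for each line that would leak
    credentials or topology if the flash were sold unerased."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for label, pattern in SENSITIVE_PATTERNS:
            if pattern.match(line):
                findings.append((label, lineno, line.strip()))
                break
    return findings


def safe_to_release(config: str) -> bool:
    """Disposal gate: a device clears only when nothing sensitive remains."""
    return not find_residual_secrets(config)
```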
What are the Threats?
NIST’s Industrial Control System Security:
–Angry worker attacks US SCADA sewage system.
–46 radio orders to release 800k litres raw sewage.
Arrested, found PC sewage application:
–Connected to Motorola M120 two-way radio;
–Serial numbers show ordered by the company;
–Had PDS Compact 500 computer control device;
–Address mimicked spoof pumping station;
–Could test out the impact of his commands.
Sub-contractor – disguised his attacks…

Estonia, April-May 2007
June 1940, Soviets annex Estonia.
After independence:
–Ethnic Russians lose Estonian citizenship;
–Dispute over moves to Bronze Soldier of Tallinn;
–Riots kill one and injure more than 150 people.
Two-phase attack:
–Emotional ‘crowdsourcing’ (download scripts);
–Focused attacks using criminal infrastructures.

Estonia and Paranoia?
Chatham House report: “The severity of the attacks on one of NATO’s most electronically connected members put the alliance on guard. If a highly wired small state could be brought to its knees then what type of havoc could be wrought upon larger states with more heterogeneous systems and critical infrastructure open to attack?”

Georgia, August 2008
Armed conflict between Georgia & Russia:
–1922 North Ossetia in Russia, South in Georgia;
–1990 S. Ossetia gains de facto independence.
Cyber-attacks prior to armed conflict:
–ICMP floods/HTTP ‘GET’ requests in July.
But Georgian infrastructure vulnerable:
–Half of 13 interconnections through Russia;
–Only 5 ISPs, 75% use Caucasus Network Tbilisi;
–Prior to war, began building link via Bulgaria…

“Go But You Will Never Work Here Again…”

China, GhostNet and Shadow, March 2009
Active defence and the attribution problem…
–No definitive proof of Chinese state involvement.
Use of social media and Gmail:
–Use of TOR anonymity server…
Infection of Dalai Lama’s office:
–Tailor email so recipient opens attachment;
–Trojan horse onto victim’s machine;
–Information forwarded to control servers.
–Use genuine document on compromised machine?

Edsger W. Dijkstra (1930-2002)
Testing can prove the presence of errors, but not their absence.

The Real Impact
"The problem here is that you have an autonomous semi-state monopoly which doesn't care about its customers or the disruption to passengers."
"Send the buggers to Shannon, if it was a commercial company they would have done so."
"They're not on top of the job. We're talking about 25 arrivals and departures per hour. The air traffic controllers should be capable of handling this volume of flights."
Michael O'Leary, CEO Ryanair
http://www.herald.ie/news/oleary-more-disruption-if-iaa-doesnt-clean-up-act-1431408.html

W32.STUXNET, March 2010
W32.Stuxnet multi-component malware:
–Attacks Programmable Logic Controllers (PLCs).
Stuxnet has up to 4 zero-day exploits:
–ATM very vulnerable to this…
–Unusual range of languages (C/C++): team?
–Used 2 legit Taiwanese digital signatures…
Command & control servers identified:
–Located in Malaysia and Denmark;
–155 countries, 40,000 IP addresses.

Recap: W32.STUXNET
Triggers a state machine to hide ‘sabotage’:
1. Wait 13 days;
2. Set maximum frequency to 1410 Hz;
3. Wait 27 days;
4. Set maximum frequency to 2 Hz;
5. Set maximum frequency to 1064 Hz;
6. Go to 1.

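To make the recap concrete, an added example (not from the original slides) replays the six-step state machine above as a timeline of setpoint writes and runs a simple out-of-band check over it; the nominal band (ASSUMED_MIN_HZ to ASSUMED_MAX_HZ) is an assumed value for illustration, and the 13-day and 27-day waits are simulated, not slept.

```python
from dataclasses import dataclass

# The sabotage sequence exactly as listed on the slide: waits are in days,
# setpoints are in Hz, and step 6 loops back to step 1.
SABOTAGE_SEQUENCE = [
    ("wait", 13),
    ("set_max_hz", 1410),
    ("wait", 27),
    ("set_max_hz", 2),
    ("set_max_hz", 1064),
]

# Assumed nominal operating band for the monitored drives (illustrative values,
# not from the slide): anything written outside it is worth an alert.
ASSUMED_MIN_HZ = 800
ASSUMED_MAX_HZ = 1200


@dataclass(frozen=True)
class SetpointEvent:
    day: int      # simulated day on which the write happened
    max_hz: int   # maximum-frequency value written to the controller


def replay(cycles: int) -> list[SetpointEvent]:
    """Run the state machine for `cycles` full loops and return the timeline
    of maximum-frequency writes it would produce."""
    day, events = 0, []
    for _ in range(cycles):
        for action, value in SABOTAGE_SEQUENCE:
            if action == "wait":
                day += value
            else:
                events.append(SetpointEvent(day, value))
    return events


def out_of_band(events, lo=ASSUMED_MIN_HZ, hi=ASSUMED_MAX_HZ):
    """Detection rule: every setpoint write outside the nominal band.
    Note the final 1064 Hz write sits inside the band and would not trip it."""
    return [e for e in events if not lo <= e.max_hz <= hi]


def cycle_length_days() -> int:
    """Days between repetitions of the sequence (sum of the wait states)."""
    return sum(v for a, v in SABOTAGE_SEQUENCE if a == "wait")
```

The point for a monitor is the timeline, not any single value: two brief excursions forty days apart, each followed by a return to an in-band setpoint, which is why sampling the current value alone misses the pattern.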
W32.Duqu
Written by the same ‘team’ as STUXNET?
–Remote Access Trojan (RAT).
Duqu will inject malware into:
–Internet Explorer; Firefox;
–Trend Micro PC-cillin AntiVirus Real-time Monitor.
Checks for anti-viral products:
–avp.exe, Mcshield.exe, avguard.exe, bdagent.exe, UmxCfg.exe, fsdfwd.exe, rtvscan.exe, ccSvcHst.exe, ekrn.exe, tmproxy.exe, RavMonD.exe.

Must Learn About Recovery Actions…

Solution 2: Key Issues
Cannot predict future modes of attack;
–Can use previous incidents following 13a.
Simulating an optimum level of challenge:
–Too many vulnerabilities, disillusionment?
When is it safe to resume operations?
Involvement of different stakeholders:
–CERTs; Regulators; Govt; Press; Public…

Solution 3: Digital Forensics for Safety
US Department of Justice (2008):
–“Immediately secure all electronic devices, including personal devices.
–Ensure that no unauthorized person has access to any electronic devices at the crime scene.
–Refuse offers of help or technical assistance from any unauthorized persons.
–Remove all persons from the crime scene or the immediate area from which evidence is to be collected.
–Ensure that condition of any electronic device is not altered.
–STOP! Leave a computer or electronic device off if it is already turned off”.

Solution 3: Digital Forensics for Safety
UK Association of Chief Police Officers:
–No action taken by law enforcement agencies should change data on a computer or storage which may be relied on in court;
–If a person has to access original data on a computer or storage media, they must be competent to do so and give evidence explaining their actions;
–An audit trail or record of all processes applied to computer-electronic evidence should be preserved. Independent 3rd party should examine those processes and achieve same result;
–Person in charge of investigation (the case officer) has overall responsibility for ensuring the law and these principles are followed.

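The ACPO principles above, and the DoJ instruction on the previous slide that the condition of a device must not be altered, come down to one mechanism: hash the acquisition, never write to it, and record every process applied so that someone else can repeat it. The following is an added example of that mechanism (not from the original slides or from ACPO): the evidence bytes, the named processes and the examiner and case-officer labels are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed acquisition: a log fragment from a fictitious ATM host.
ORIGINAL_EVIDENCE = (
    b"2012-03-01 02:14 LOGIN supervisor from 10.20.0.77\n"
    b"2012-03-01 02:15 CONFIG write startup-config\n"
    b"2012-03-01 02:16 LOGIN ops from 10.20.0.12\n"
)
# Named, deterministic processes, so a third party can apply exactly the same ones.
PROCESSES: dict[str, Callable[[bytes], bytes]] = {
    "filter_logins": lambda d: b"".join(ln + b"\n" for ln in d.splitlines() if b"LOGIN" in ln),
    "normalise_case": lambda d: d.lower(),
}

@dataclass
class AuditTrail:
    case_officer: str          # overall responsibility (ACPO principle 4)
    acquisition_sha256: str    # fingerprint of the untouched original (principle 1)
    entries: list[dict] = field(default_factory=list)

    def apply(self, step: str, examiner: str, data: bytes) -> bytes:
        """Apply a named process; record who ran it and the input/output hashes."""
        out = PROCESSES[step](data)
        self.entries.append({"step": step, "examiner": examiner,
                             "input_sha256": sha256_hex(data),
                             "output_sha256": sha256_hex(out)})
        return out

def run_examination(evidence: bytes, case_officer: str) -> tuple[AuditTrail, bytes]:
    """Examine through recorded steps; the acquisition itself is only ever hashed."""
    trail = AuditTrail(case_officer, sha256_hex(evidence))
    working = trail.apply("filter_logins", "examiner-A", evidence)
    working = trail.apply("normalise_case", "examiner-A", working)
    return trail, working

def reproduce(trail: AuditTrail, evidence: bytes, processes=PROCESSES) -> bool:
    """Independent re-examination: rerun every recorded step and confirm each hash."""
    if sha256_hex(evidence) != trail.acquisition_sha256:
        return False  # the original no longer matches what was acquired
    data = evidence
    for e in trail.entries:
        data = processes[e["step"]](data)
        if sha256_hex(data) != e["output_sha256"]:
            return False
    return True
```

A mismatch from `reproduce` does not say which party is wrong, only that the recorded chain cannot be repeated, which is exactly the question a court will ask.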
Summary of Second Talk...
Common software across European transport:
–networks, Linux, VOIP, SBAS...
Duqu, Stuxnet, Flame…
–We have been very lucky so far.
Partial Solutions:
–1. Extension and enforcement of Article 13a;
–2. ‘Telecoms inclusion’ for contingency planning;
–3. Urgent need for digital forensics in policing.