Introduction to Cyber-Warfare - Proiect SEMPER FIDELIS

More documents

Recommendations

Info

CYBER ATTACKS DIRECTED AGAINST POWER GRIDS211Wei et al. divide the major functions of the power grid into three different levels: corporate,control center, and substation. Business management and operations management functionsare performed at the corporate level. Monitoring, forecasting, and other real-time operationsare performed at the control center level. At the substation level, primarily real-time monitoringassociated with normal operations is performed. IT systems are used in various capacitiesat these three levels. At the corporate level, IT systems are relied on in planningthe amount of electricity that must be generated the next day as well as performing assetmanagement—predicting when certain substations may experience maintenance—whichwould lead to a decision to reroute power from that substation. At the control level, automationsystems such as energy management systems (EMS), human-machine interfaces (HMIs),and a Front End Processor (FEP) are primarily used for the purposes of regulating andmonitoring the power transmitted to the substations. Finally, at the substation level, IT isprimarily used for monitoring the power distributed to consumers. Devices such as remoteterminal units (RTUs) and programmable logic controllers (PLCs) can be found at this level.Cyber attacks against power grids can be broadly categorized into three categories: componentwise, protocol wise, and topology wise. Component-wise attacks focus on a specific partof the power-grid IT infrastructure. An example for a component-wise attack described in thischapter is the Aurora Test—where a breaker switch was opened and closed in a manner to puta power generator out of synchronization with the rest of the power grid—causing damage.We describe this attack later in the chapter. Other examples of component-wise attacks include(but are not limited to) the following and their combinations:• Attacks designed to mislead the data presented to an operator (i.e., a violation ofnonrepudiation)• Attacks designed to damage power-grid equipment (i.e., the Aurora Test which we shalldescribe later in this chapter)• Attacks designed to shut-down a piece of power-grid equipmentIn protocol-wise attacks, the perpetrator targets the protocol used to transmit informationabout the power grid. As stated earlier, power-grid control centers and substations oftenuse protocols not typical to normal IT equipment such as Inter Control Center Protocol (ICCP)and DNP (Distributed Network Protocol). However, these protocols are somewhat commonamong electrical power automation equipment. For example, Wei et al. point out that the DNPspecification can be obtained for a nominal fee. The main type of attack accomplishedprotocol-wise is a Man-In-the-Middle attack where the attacker is able to manipulate communicationsbetween two parties. Some potential results of this type of attack could include• Financial loss to power generation companies due to excessive power output• Safety issues (i.e., energizing a line when electrical personnel are attempting to repair it)• Equipment damage resulting from power overloadsOne example of a very rudimentary protocol-wise attack was discussed in the previouschapter—the attack on Maroochy Water Services. In this incident, the attacker was able to leveragea vulnerability common to virtually every unsecured wireless communication schemeto take control of the sewage pumping stations.The third type of attack deals with the topology of the power-grid network. This type ofattack could have multiple goals. For instance, a denial-of-service (DoS) attack against a
212 12. CYBER ATTACKS AGAINST POWER GRID INFRASTRUCTUREsystem at a substation level would then lead to an incorrect decision at the control level, etc.Another example of a topology attack would be to create a cascading power failure—which weshall discuss in detail later in this chapter.The last part of the paper of Wei et al. that we will summarize is the typical methodologyfor a cyber attack against a power grid. They view it as a three-step process: access, discovery,and control. They also note that a sophisticated attacker will add a fourth step—concealingof the action (i.e., deleting entries on log files, etc.) in order to make it difficult for the systemadministrator to determine the intruder’s presence on the system (this is similar to theactions of the hackers in Operation X of Chapter 6). We discuss each of the three componentsin turn.AccessThe hacker must first gain access to a SCADA system used to monitor or control an elementof the power grid. Wei et al. describe three common methods for obtaining unauthorized accessto such a system: corporate network to SCADA communication, virtual private network(VPN) links, and remote site communication to the SCADA system. We briefly discuss each inturn here. Users at the corporate level regularly require information from the various SCADAsystems. Often the SCADA systems interface with a SQL (or sometimes a customized) database—which,in turn, corporate users query for business purposes. This juncture—wheredata is passed from the SCADA system to the database server—may provide a hacker theopportunity to attack. Virtual Private Network (VPN) connections to SCADA systemsare another common method for obtaining unauthorized access. Normally used for vendorsupport or users requiring access to SCADA systems from an office, these connections can behacked if a client system running VPN software is compromised. A third method of obtainingaccess is through remote site communication. This is due to implicit trust relationships amongcertain power-grid components that may be physically separated. If the communication linkbetween two such systems is compromised, access may be obtained. Examples of such remotesites include backup facilities, quality systems, and substations.DiscoveryOnce the hacker has obtained access to the system, he or she needs to understand how itfunctions in order to properly conduct the attack intended. Unless the hacker has access to anadditional source of intelligence (as suspected in the case of the Stuxnet worm, described in alater chapter), he or she must scour the power-grid automation systems for information todecipher the inner workings of the targeted SCADA system. As Wei et al. point out: “the complexityof SCADA systems is one of the best defenses against attack” which results in the attackerinvesting a good deal of time to decipher. The attacker’s methods for doing so may alsoinclude passive monitoring of traffic to and from a SCADA system to identify the communicationsprotocol in use (and, in turn, possibly the vendor) as well as active scanning—whichmay be of high risk to the attacker as scanning activities may be noticed by a securityadministrator.
Page 2 and 3:
INTRODUCTION TOCYBER-WARFARE
Page 4 and 5:
INTRODUCTIONTO CYBER-WARFAREA Multi
Page 6 and 7:
ContentsPreface ixForeword xiIntrod
Page 8 and 9:
CONTENTSviiHow Real-World Dependenc
Page 10 and 11:
PrefaceSince Stuxnet emerged in 201
Page 12 and 13:
ForewordThe concept of cyber warfar
Page 14 and 15:
IntroductionIt is 2006. An American
Page 16 and 17:
INTRODUCTIONxvinfamous hacking grou
Page 18 and 19:
BiographyPaulo Shakarian, Ph.D. is
Page 20 and 21:
C H A P T E R1Cyber Warfare: Here a
Page 22 and 23:
IS CYBER WAR A CREDIBLE THREAT?3sec
Page 24 and 25:
ATTRIBUTION, DECEPTION, AND INTELLI
Page 26 and 27:
INFORMATION ASSURANCE74. Time: Temp
Page 28 and 29:
P A R T ICYBER ATTACKInformation ha
Page 30 and 31:
C H A P T E R2Political Cyber Attac
Page 32 and 33:
RUDIMENTARY BUT EFFECTIVE: DENIAL O
Page 34 and 35:
THE DIFFICULTY OF ASSIGNING BLAME:
Page 36 and 37:
ESTONIA IS HIT BY CYBER ATTACKS17FI
Page 38:
ESTONIA IS HIT BY CYBER ATTACKS19Th
Page 41 and 42:
22 2. POLITICAL CYBER ATTACK COMES
Page 43 and 44:
24 3. HOW CYBER ATTACKS AUGMENTED R
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
34 4. CYBER AND INFORMATION OPERATI
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
44 5. CYBER ATTACK AGAINST INTERNAL
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
68 6. CYBER ATTACKS BY NONSTATE HAC
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
100 6. CYBER ATTACKS BY NONSTATE HA
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Intentionally left as blank
Page 133 and 134:
114 7. WHY CYBER ESPIONAGE IS A KEY
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180: 160 8. DUQU, FLAME, GAUSS, THE NEXT
Page 191 and 192: 172 9. LOSING TRUST IN YOUR FRIENDS
Page 203 and 204: Intentionally left as blank
Page 205 and 206: 186 10. INFORMATION THEFT ON THE TA
Page 219 and 220: 200 11. CYBER WARFARE AGAINST INDUS
Page 229: 210 12. CYBER ATTACKS AGAINST POWER
Page 233 and 234: 214 12. CYBER ATTACKS AGAINST POWER
Page 243 and 244: 224 13. ATTACKING IRANIAN NUCLEAR F
Page 261 and 262: 242 CONCLUSION AND THE FUTURE OF CY
Page 265 and 266: 246 APPENDIX I. CHAPTER 6: LULZSEC
Page 277 and 278: 258 APPENDIX II. CHAPTER 6: ANONYMO
Page 279 and 280: 260 APPENDIX II. CHAPTER 6: ANONYMO
Page 281 and 282:
262 APPENDIX II. CHAPTER 6: ANONYMO
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317 and 318:
Page 319 and 320:
Page 321 and 322:
Page 323 and 324:
Page 325 and 326:
Page 327 and 328:
308 GLOSSARYDDoS distributed denial
Page 329 and 330:
310 GLOSSARYNIST National Institute
Page 331 and 332:
Page 333 and 334:
314 INDEXCyber exploitation (Contin
Page 335 and 336:
316 INDEXNATO (Continued)high-level
Page 337:
318 INDEXTechnical intelligence (TE
show all

Introduction to Cyber-Warfare - Proiect SEMPER FIDELIS

Create successful ePaper yourself

Delete template?

Save as template?