2.3.2 Case study: Aramco

On 16 August 2012, Symantec and Kaspersky Lab [6], followed by several other vendors and researchers, described a novel, modular computer worm, which was dubbed Shamoon. The malware was part of a string of cyber espionage and sabotage attacks in the Middle East area (along with the previously described Stuxnet, see Section 2.3.1). It is not notable for its spreading mechanisms, which exploit shared drives and folders, but rather for its quite unique payload.

Once a system is infected, Shamoon gathers files from specific locations on the system, sends the collected information back to the attacker, and replaces the files and the master boot record of the system with an image cropped from a picture of an American flag in flames.

The self-styled Cutting Sword of Justice group claimed responsibility for using Shamoon against 30,000 Saudi Aramco workstations, causing the company to spend a week restoring their services. Surprisingly, the attack did not hit any of the production control computers and networks, and was limited to the office and administration systems.

2.4 Remediation and protection approaches

The complexity, heterogeneity, adaptability, and mobility of critical infrastructure impose novel challenges on the design of risk mitigation systems and security mechanisms. Indeed, structures evolve to improve the quality of the provided services as well as to manage possible threats caused by new methods of attack.

A fundamental task in protecting a system is the execution of vulnerability assessments. This process can help to identify, quantify and rank the vulnerabilities of a system and to implement the security controls required to mitigate such vulnerabilities. While this operation is well-suited to traditional information systems, it can prove unsatisfactory and limited in scope for CIs. In fact, while the downtime caused by vulnerability assessment may be acceptable for traditional systems, it becomes unacceptable for CIs because it risks disrupting controlled processes and damaging expensive equipment [168]. Furthermore, when vulnerabilities are identified and resolved, patching CI components is problematic because of both the availability requirements and the large-scale nature of the systems [134]. These issues highlight the pressing need to design and develop CI systems with particular attention to security properties. Researchers have been developing testbeds, composed of both physical and virtual devices, that can help to identify common vulnerabilities and to verify the effectiveness of different protection approaches, without affecting the operation of real CIs [168, 102].

A possible solution to avoid unauthorized access is network segregation. In the CI scenario, this technique consists of separating the control systems networks from the corporate networks, which are usually connected to the Internet. In this way unauthorized access from employees and remote intruders can be prevented. While it can be effective for enhancing system security, complete physical segregation is not a viable and future-proof solution for modern CI systems. The large-scale and distributed nature of these systems makes it necessary to remotely access them for management, monitoring and control purposes, even from mobile devices [134]. Nonetheless, logical network segregation mechanisms have to be implemented in order to protect CIs from unauthorized access. Control networks must be isolated from corporate networks by using filtering security controls such as firewalls. Internal monitoring and administration traffic can be further separated from normal LAN traffic by using VLANs. This method ensures virtual isolation of users that access critical data from the rest of the traffic [102]. Finally, only authorized and protected remote access must be allowed. This can be achieved by implementing Virtual Private Networks (VPNs) using, for instance, IPsec tunnels [19]. Obviously, network segregation alone does not provide complete protection of CIs. For example, physical access to the control systems networks, which might be achieved through social engineering attacks, overcomes any network segregation protection and can seriously threaten the whole system. For this reason other security mechanisms have to be implemented to further protect CIs.

A great improvement can result from a security-focused redesign of the communication protocols. Designing secure protocols is a delicate, time-consuming and costly task, but it must be seriously taken into account because unprotected protocols represent a major threat to CIs. However, designing new protocols from scratch may not be a satisfying solution in the short term, because the adoption of these protocols could lead to unacceptable downtime and incompatibility with legacy systems. For this reason, researchers have been focusing their efforts on designing security solutions that respect existing protocol specifications and standards. In particular, Chandia et al. [70] propose the adoption of unused function fields in standard SCADA protocols (Modbus and DNP3) to provide confidentiality and integrity. This approach enhances CI security without losing compatibility with legacy systems. Another solution is represented by transparent tunneling techniques. By using these techniques, existing protocols can be wrapped in secure communication tunnels that provide fundamental security properties such as authentication, integrity and confidentiality. Tunnels can be implemented as an independent software layer in existing field devices or within special-purpose embedded components acting as gateways.
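The transparent tunneling idea described above, as an added example (not code from the original text or from the cited works): a gateway wraps an unmodified Modbus/TCP frame in an envelope carrying a sequence number and an HMAC-SHA256 tag, which gives authentication, integrity and replay rejection while the legacy frame stays byte-for-byte intact. The envelope layout, the `TunnelEndpoint` class, the all-zero demo key and one-envelope-per-datagram framing are assumptions made for illustration; confidentiality (encryption) and key distribution are left out.

```python
import hashlib
import hmac
import struct

SEQ = struct.Struct(">I")                   # assumed envelope header: sequence number
TAG_LEN = hashlib.sha256().digest_size      # 32-byte HMAC-SHA256 tag


class TunnelEndpoint:
    """One direction of an authenticated tunnel carrying unmodified Modbus/TCP frames."""
    def __init__(self, key: bytes):
        self.key = key   # pre-shared key (assumption); use a separate key per direction
        self.send_seq = self.recv_seq = 0   # recv_seq: highest sequence accepted

    def wrap(self, adu: bytes) -> bytes:
        self.send_seq += 1
        body = SEQ.pack(self.send_seq) + adu
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def unwrap(self, packet: bytes) -> bytes:
        if len(packet) < SEQ.size + TAG_LEN:
            raise ValueError("truncated packet")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("authentication failed")
        (seq,) = SEQ.unpack_from(body)
        if seq <= self.recv_seq:             # checked only after the tag verifies
            raise ValueError("replayed packet")
        self.recv_seq = seq
        return body[SEQ.size:]               # the original frame, byte for byte


# Constructed sample: Modbus/TCP Write Single Coil (unit 1, coil 0x0013, value ON).
SAMPLE_ADU = bytes.fromhex("0001 0000 0006 01 05 0013 ff00")


def demo():
    """Deliver a tampered, a genuine and a replayed packet; return each outcome."""
    sender, receiver = TunnelEndpoint(bytes(32)), TunnelEndpoint(bytes(32))  # demo key
    packet = sender.wrap(SAMPLE_ADU)
    tampered = packet[:-TAG_LEN - 2] + b"\x00\x00" + packet[-TAG_LEN:]  # coil ON -> OFF
    outcomes = []
    for candidate in (tampered, packet, packet):   # the third delivery is a replay
        try:
            outcomes.append(receiver.unwrap(candidate))
        except ValueError as err:
            outcomes.append(str(err))
    return outcomes
```

Calling `demo()` returns the rejection reason for the tampered packet, the recovered frame for the genuine one, and the rejection reason for the replay, in that order.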

To further protect CI systems, traffic monitoring and anomaly detection mechanisms should be implemented. As in traditional information systems, these techniques can help to identify the data transported on the network, to monitor the transactions between the different components and to prevent or detect attack attempts. These techniques can also enhance CIs from a