Once the attacker has gained access to the compromised system, he can install silent, hard-to-detect software that monitors, audits, or simply waits for the attacker’s commands before performing potentially disastrous actions. These threats are called Advanced Persistent Threats (APTs). APTs are particularly harmful because, even if they are discovered, it is very hard to determine when the threat was first injected and what its actual impact is at the organizational level.

Cascading failures in interconnected systems. A cascading failure is a sequence of dependent failures that successively weaken a system. Due to their structure and the interdependencies among their components, CIs (i.e. power systems) are particularly subject to this type of failure. A common sight during a cascading failure is a walking failure, where sections go down, causing the next section to fail, after which the first section comes back up. This ripple can make several passes through the same sections or connecting nodes before stability is restored. The threat of cascading failures across critical infrastructure has been identified as a key challenge for governments. Cascading failure is seen as potentially catastrophic, extremely difficult to predict and increasingly likely to happen. Privatization of some CIs and the consequent profit-driven management can only increase the risk of such failures.

2.3 Attacks

Starting from the vulnerabilities described in the previous sections, a list of possible violations is obtained. In particular, this document focuses on security properties related to maintaining confidentiality, integrity and availability. Examples of such properties are:

• Authorization properties stating which actions are allowed.

• Access-control properties that regulate the access to some resources. The decision can be taken according to the role of the user that requires the access, or to the usage of the required resource. Access control policies can also list the set of proscribed executions by stating the unacceptable operations.

• Bounded availability properties may be characterized as safety ones. An example is “one principal cannot be denied the use of a resource for more than D steps as a result of the use of that resource by other principals”. Here, the defining set of partial executions contains intervals that exceed D steps and during which a principal is denied use of a resource.

• Chinese Wall policies regulate the access to resources that are classified

that if a user has access to information of one set, that user cannot have access to the information belonging to the other set. The Chinese Wall policy combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations and is, therefore, perhaps as significant to the financial world as Bell-LaPadula’s policies [50] are to the military.
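The Chinese Wall rule in the last item can be enforced with a per-user access history. The following is an added example, not part of the original report: it implements only the basic read rule in the style of Brewer and Nash, and the class name, conflict classes, dataset names and users are all constructed for illustration.

```python
from collections import defaultdict

class ChineseWall:
    """History-based check: one dataset per conflict-of-interest class per user."""

    def __init__(self, conflict_classes):
        # conflict_classes maps a class name to the competing datasets it contains.
        self.class_of = {}
        for cls, datasets in conflict_classes.items():
            for dataset in datasets:
                self.class_of[dataset] = cls
        # user -> {conflict class: dataset the user has already accessed}
        self.history = defaultdict(dict)

    def request(self, user, dataset):
        cls = self.class_of.get(dataset)
        if cls is None:
            return False  # unclassified resource: fail closed
        chosen = self.history[user].get(cls)
        if chosen is not None and chosen != dataset:
            return False  # user is already behind the wall of a competitor
        self.history[user][cls] = dataset
        return True

# Constructed sample: two conflict classes with two competitors each.
SAMPLE_CLASSES = {
    "banks": {"BankA", "BankB"},
    "utilities": {"GridCo", "PowerCo"},
}
SAMPLE_REQUESTS = [
    ("alice", "BankA"),    # first access in "banks": allowed
    ("alice", "GridCo"),   # different conflict class: allowed
    ("alice", "BankB"),    # competitor of BankA: denied
    ("alice", "BankA"),    # same dataset again: allowed
    ("bob", "BankB"),      # bob has no history: allowed
    ("bob", "BankA"),      # competitor of BankB: denied
    ("alice", "Unknown"),  # not classified: denied
]

def replay(conflict_classes, requests):
    """Return the allow/deny decision for each (user, dataset) request in order."""
    wall = ChineseWall(conflict_classes)
    return [wall.request(user, dataset) for user, dataset in requests]

if __name__ == "__main__":
    for req, ok in zip(SAMPLE_REQUESTS, replay(SAMPLE_CLASSES, SAMPLE_REQUESTS)):
        print(req, "ALLOW" if ok else "DENY")
```

Unlike a static access-control list, the decision for the same user and resource depends on what that user has accessed before, which is why the access history has to be stored and protected as part of the policy state.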

Referring to Bell-LaPadula’s policies, the set of information flow properties is introduced. Published works contain many definitions of this kind of property. The basic idea is that the flow of information from high-level users to low-level users can be forbidden in such a way that the activity of high-level users is transparent with respect to low-level users. In terms of critical infrastructure, in which several components cooperate with one another, the information flow policy could consist of a regulation of the flow of information among different components in such a way that sensitive information is not disclosed or leaked by a possible attacker.
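One simple way to check such a policy over a set of cooperating components is to label each component with a level and look for any path, direct or through intermediaries, that carries data from a higher level to a lower one. This is an added example, not part of the original report; it is a reachability approximation rather than a formal non-interference proof, and the level names, component names and channels are constructed.

```python
from collections import deque

# Assumed ordering of sensitivity levels (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "sensitive": 2}

def leaking_flows(component_level, channels):
    """Return sorted (source, sink) pairs where data from a higher-level
    component can reach a lower-level one, directly or transitively.
    Every component named in channels must appear in component_level."""
    graph = {}
    for src, dst in channels:
        graph.setdefault(src, set()).add(dst)
    leaks = set()
    for start in component_level:
        seen, queue = {start}, deque([start])
        while queue:  # breadth-first search over outgoing channels
            node = queue.popleft()
            for nxt in graph.get(node, ()):
                if nxt in seen:
                    continue
                seen.add(nxt)
                queue.append(nxt)
                if LEVELS[component_level[nxt]] < LEVELS[component_level[start]]:
                    leaks.add((start, nxt))
    return sorted(leaks)

# Constructed sample: a small plant network with one-way data channels.
SAMPLE_LEVELS = {
    "plc_controller": "sensitive",
    "hmi": "sensitive",
    "historian": "internal",
    "corporate_portal": "public",
    "vendor_feed": "public",
}
SAMPLE_CHANNELS = [
    ("vendor_feed", "historian"),       # low to high: permitted
    ("plc_controller", "hmi"),          # same level: permitted
    ("hmi", "historian"),               # sensitive to internal: leak
    ("historian", "corporate_portal"),  # internal to public: leak
]

if __name__ == "__main__":
    for src, sink in leaking_flows(SAMPLE_LEVELS, SAMPLE_CHANNELS):
        print(f"{src} ({SAMPLE_LEVELS[src]}) can reach {sink} ({SAMPLE_LEVELS[sink]})")
```

The transitive search matters here: `plc_controller` has no direct channel to `corporate_portal`, yet its data can still arrive there through `hmi` and `historian`.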

2.3.1 Case study: Stuxnet

W32.Stuxnet [88], also simply known as Stuxnet, is a piece of malware used in 2009–2010 to implement a targeted attack. This attack gained a lot of attention in both the media and the research community. After three years there are still many obscure points, but from what is known, Stuxnet was crafted specifically to propagate into and compromise a Siemens-branded ICS network. Thanks to a 0-day vulnerability, a Windows rootkit, a PLC rootkit, and many other advanced evasion and replication techniques, Stuxnet managed to infect many ICS-managed facilities. The main explanation for the reaction of the media, industry, governments and researchers is that Iran’s nuclear plants were the most infected target.

The goal of Stuxnet was to modify the functioning of PLCs (thanks to the first PLC rootkit ever found) in order to alter the operation of the equipment, possibly sabotaging the entire facility and thus causing serious damage in the physical world (e.g., explosions, radiation).

A recent report by Symantec [123] states that earlier versions of this sophisticated cyber weapon contained other known versions of the malicious code, which were reportedly unleashed by the US and Israel several years ago in an attempt to sabotage Iran’s nuclear program. This indicates that Stuxnet was active about two years before the main incident. It also implies that neither of the two campaigns of Stuxnet (in 2007 and 2009–2010) had a serious impact on Iran’s nuclear facilities, the avowed main target of the attack. Even though Stuxnet basically failed, an important fact remains true: Stuxnet was created (by nation-state offices, as some experts argue) with careful planning and substantial resources.