Industrial Cyber Security Incidents Affecting Infrastructure (updated August 2009)

Edited by Enzo M. Tieghi (member of AIIC – Associazione Italiana Esperti in Infrastrutture Critiche, the Italian Association of Critical Infrastructure Experts – www.infrastrutturecritiche.it)

The history of computer security incidents affecting the networks and systems used in industrial plants and infrastructure is fairly recent: the first incidents date back to the first half of the 1990s, and the number of events is limited for several reasons, certainly not for lack of risk arising from vulnerabilities and cyber threats. Purely "cyber" incidents are difficult to identify without logging and analysis tools, which are present and in use on many IT networks but are rarely used on plant-floor networks and systems. Many incidents, especially those involving interruptions of operation and/or DoS (Denial of Service), are therefore often attributed to "generic malfunctions" and are hard to reproduce: only after careful evaluation is it possible to trace them back to problems and adverse events involving hardware and/or software. As with many computer security incidents, there is rarely direct evidence or testimony from the companies and users involved, for reasons of confidentiality and for the obvious reason of not letting customers, competitors or other bodies learn of information or problems internal to the company which, beyond the damage already caused, could ultimately harm its reputation. The incidents reported below are a series of known and, above all, documented incidents collected over time: it is certainly not a complete and exhaustive list. It is a fairly varied list of events and, above all, an indicative one, since each individual incident can easily be generalised to other contexts.
The fact that the source is cited and that references and documentation are available is important, because in this field one often comes across so-called "hoaxes" (according to Wikipedia: an attempt to deceive an audience by deliberately presenting something false or fabricated as real), stories often passed along over the network but far from reality. Most of the incidents cited come from the USA, where they are made public much more routinely than in other countries, including those of Europe and our own. The project for a database of cyber security incidents was started a few years ago at BCIT, the British Columbia Institute of Technology in Vancouver, Canada, under the acronym ISID (Industrial Security Incident Database), maintained by the team of professor and researcher Eric Byres. In 2008 the project passed to another organization, named RISI, The Repository of Industrial Security Incidents, and is published and available at www.securityincidents.org. Some of the incidents reported here come from RISI; others were collected over time, with references to the network sources cited.

Date: 15/05/1994
Location: Arizona, USA
Title: Salt River Project, Arizona
Abstract: A hacker did break into the computers of an Arizona water facility, the Salt River Project in the Phoenix area.
References: http://news.zdnet.co.uk/internet/0,1000000097,2121358,00.htm

Date: 17/08/1998
Location: N/A, USA
Title: Computer Flaw Makes Water Undrinkable
Abstract: A computer glitch shut down the chlorination system and caused the chlorine content of the city water to drop below the safety threshold, affecting 40,000 residents.
References: © 2009 The Repository of Industrial Security Incidents #87, www.securityincidents.org

Date: 11/01/1999
Location: San Diego, CA, USA
Title: Navy Radar Shuts Down SCADA Systems
Abstract: The San Diego County Water Authority (SDCWA) and the San Diego Gas and Electric (SDGE) Companies were unable to remotely actuate critical valve openings and closings as a result.
References: Jeff Dagle, "Recent Control System Cyber Incidents", Kema Conference, Denver, April 2003 (credited to John Latess of Naval Surface Warfare Center, Dahlgren)

Date: 10/06/1999
Location: Bellingham, WA, USA
Title: Bellingham, Washington Gasoline Pipeline Failure
Abstract: The pipeline failure was exacerbated by control systems not being able to perform control and monitoring functions.
References: www.ntsb.gov/publictn/2002/PAR0202.pdf
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Bellingham_Case_Study_report%2020Sep071.pdf

Date: 13/06/2001
Location: California, USA
Title: Hack raises fears of unsafe energy networks
Abstract: An intruder cracked the security of two Web servers at the California Independent System Operator (ISO).
References: http://news.cnet.com/2100-1001-268400.html

Date: 30/01/2002
Location: N/A, USA and Canada
Title: Terrorist Interest in Water Supply and SCADA Systems
Abstract: The U.S. National Infrastructure Protection Center has issued an Information Bulletin relating terrorist interest in water supply and Supervisory Control And Data Acquisition (SCADA) systems.
References: http://www.publicsafety.gc.ca/prg/em/ccirc/2002/in02-002-eng.aspx

Date: 25/01/2003
Location: Oak Harbor, OH, USA
Title: Davis-Besse nuclear power plant in Oak Harbor, Ohio
Abstract: The Microsoft SQL Server worm known as Slammer infected a private computer network, disabling a safety monitoring system for nearly five hours.
References: http://www.securityfocus.com/news/6767

Date: 14/08/2003
Location: East Coast, USA
Title: SCADA defect contributes to August 2003 US East Coast blackout
Abstract: A previously unknown software flaw in a widely deployed energy management system contributed to the devastating scope of the August 14th northeastern U.S. blackout.
References: http://www.securityfocus.com/news/8016

Date: 21/08/2003
Location: Jacksonville, Florida, USA
Title: CSX Train Signaling System
Abstract: The Sobig computer virus was blamed for shutting down train signaling systems throughout the east coast of the U.S.
References: http://www.cbsnews.com/stories/2003/08/21/tech/main569418.shtml
http://www.informationweek.com/story/showArticle.jhtml?articleID=13100807

Date: 09/09/2003
Location: BCIT, Vancouver, BC, CA
Title: Baseline Audit Causes Water Control System Crash
Abstract: The water control system was performing poorly and database errors were suspected; patches and antivirus were not current. The system crashed while being checked.
References: © 2009 The Repository of Industrial Security Incidents #81, www.securityincidents.org

Date: 04/10/2003
Location: UK, Europe
Title: Proposed Hack of UK Water Systems
Abstract: Detailed breakdown of the RF systems used by water management authorities in the UK and how these systems can be abused, interfered with and generally messed up.
References: http://www.theregister.co.uk/2003/10/20/we_have_your_water_supply/

Date: 19/11/2003
Location: N/A, USA
Title: Foxboro DCS I/A UNIX host contracts worm
Abstract: A control systems integrator contracted a variant of the sadmind/IIS worm on a DCS.
References: http://www.freelists.org/post/foxboro/foxboro-Our-AW51-Solaris-Got-a-VirusWorm

Date: 15/10/2004
Location: Victoria, BC, CA
Title: Trojan Backdoor on Water SCADA System
Abstract: During a security audit of the SCADA system, a trojan backdoor was located on a human machine interface (HMI) computer.
References: Critical Infrastructure Security – Privacy and Security: Synergies in an e-Society, Victoria, BC, February 11, 2005

Date: 12/02/2005
Location: BCIT, Vancouver, BC, CA
Title: Routine Audit of SCADA Laptop Identifies Virus
Abstract: A routine audit of dial-in laptops was conducted. Staff were reluctant to bring in laptops regularly to allow patches and upgrades.
Three virus types were found.
References: © 2009 The Repository of Industrial Security Incidents #80, www.securityincidents.org

Date: 07/03/2005
Location: Sandia National Laboratories, USA
Title: Penetration Testing Incident
Abstract: A penetration test locked up the SCADA system and the gas utility was not able to send gas through its pipelines for four hours.
References: http://www.sandia.gov/scada/documents/sand_2005_2846p.pdf

Date: 27/07/2005
Location: Big Lake, Alberta, CA
Title: Spill Dumps a Million Litres of Sewage Into Riparian Area
Abstract: Sewage being pumped had escaped from a hole in the sewage line running along the south shore of the lake. The station is not manned but does have a SCADA (Supervisory Control and Data Acquisition) system that enables remote monitoring.
References: http://www.bless.ab.ca/Documents/2005SewageSpill.html

Date: 05/09/2005
Location: N/A, USA
Title: Attempted Cover-Up of Sewage Spillage
Abstract: A pump station inlet control valve, after being routinely serviced, failed normal operation and closed partially after service personnel left the site. The valve opening was subsequently blocked by a large piece of wood and cloth-like material.
References: © 2009 The Repository of Industrial Security Incidents #116, www.securityincidents.org

Date: 14/12/2005
Location: Lesterville, Missouri, USA
Title: Taum Sauk Water Storage Dam Failure
Abstract: The reservoir's berm was overtopped when the routine nightly pump-back operation failed to cease when the reservoir was filled.
References: http://en.wikipedia.org/wiki/Taum_Sauk_Dam_Failure
http://washingtontechnology.com/articles/2008/04/09/water-water-everywhere-under-attack.aspx

Date: 30/10/2006
Location: Harrisburg, PA, USA
Title: Pennsylvania Water Company Hack
Abstract: A foreign hacker penetrated security at a water filtering plant near Harrisburg, Pa., planting malicious software capable of affecting the plant's water treatment operations.
References: http://blogs.abcnews.com/theblotter/2006/10/hackers_penetra.html
http://www.infoworld.com/d/security-central/hackers-break-water-system-network-679?page=0,0

Date: 03/04/2007
Location: N/A, USA
Title: Phishing Attack Exposed an Energy Company to Hackers
Abstract: Using a Microsoft zero-day vulnerability and a bit of social engineering, hackers compromised a workstation and threatened critical SCADA systems.
References: http://www.eweek.com/c/a/Security/How-a-Phishing-Attack-Exposed-an-Energy-Company-to-Hackers-183328/

Date: 15/08/2007
Location: Willows, CA, USA
Title: California Tehama Colusa Canal Authority computer Hack
Abstract: A former, fired employee intentionally accessed and damaged the computer used to divert water from the Sacramento River.
References: http://pcworld.about.com/od/hackers/California-Canal-Management-Sy.htm

Date: 11/01/2008
Location: Lodz, Poland, Europe
Title: Polish boy derails tram after hacking train network
Abstract: A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents.
References: http://www.theregister.co.uk/2008/01/11/tram_hack/

Date: 18/01/2008
Location: N/A, USA
Title: CIA Confirms Cyber Attack Caused Multi-City Power Outage
Abstract: Cyberattacks have been used to disrupt power equipment in several regions outside the U.S.
References: http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=5
http://news.cnet.com/CIA-Cyberattack-caused-multiple-city-blackout/2100-7349_3-6227090.html

Date: 07/03/2008
Location: Baxley, Georgia, USA
Title: Cyber Incident Blamed for Nuclear Power Plant Shutdown
Abstract: A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer.
References: http://www.washingtonpost.com/wp-dyn/content/article/2008/06/05/AR2008060501958.html

Date: 05/05/2008
Location: N/A, USA
Title: Wonderware SuiteLink Denial of Service vulnerability
Abstract: A vulnerability was found that could allow an unauthenticated remote attacker with the ability to connect to the TCP port to shut down the service abnormally by sending a malformed packet.
References: http://blog.clusit.it/sicuramente/2008/05/ora-anche-vulne.html
http://www.coresecurity.com/content/wonderware

Date: 30/05/2008
Location: Trail, British Columbia, CA
Title: Teck Cominco lead refinery spills chemicals into Columbia River
Abstract: A leak in a lead refinery pipe triggered an alarm late Wednesday afternoon and led to the shutdown of the electrolytic refining plant at the smelter complex on the banks of the Columbia. Some acid, which contained lead, ended up in the river.
References: http://www.publicsafety.gc.ca/dir/dir08-105-eng.aspx
http://www2.news.gov.bc.ca/news_releases_2005-2009/2008ENV0063-000833.htm
http://blog.oregonlive.com/breakingnews/2008/05/29/

Date: 02/06/2008
Location: New Brunswick, CA
Title: Boil water order for Saint John, New Brunswick
Abstract: The water for people living east of the Reversing Falls Bridge is not receiving proper chlorine treatment at the Latimer Lake Water Treatment Facility; the municipal water supply may not be completely disinfected.
References: http://www.publicsafety.gc.ca/dir/dir08-107-eng.aspx
http://www.canadaeast.com/news/article/780754
http://www.cbc.ca/canada/new-brunswick/story/2008/06/02/nb-boil-order.html

Date: 11/06/2008
Location: San Francisco, CA, USA
Title: Security hole exposes utilities to Internet attack, Citect SCADA ODBC service vulnerability
Abstract: Attackers could gain control of water treatment plants, natural gas pipelines and other critical utilities because of a vulnerability in the software that runs some of those facilities.
References: http://www.usatoday.com/tech/products/2008-06-11-4111787945_x.htm
http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability

Date: 12/09/2008
Location: CERN, Geneva
Title: Hackers attack Large Hadron Collider
Abstract: Hackers have mounted an attack on the Large Hadron Collider, raising concerns about the security of the biggest experiment in the world as it passes an important new milestone.
References: http://blog.clusit.it/sicuramente/2008/09/hacking-al-lhc.html
http://www.telegraph.co.uk/scienceandtechnology/science/sciencetopics/largehadroncollider/3351691/Hackers-attack-Large-Hadron-Collider.html

Date: 27/01/2009
Location: Texas, USA
Title: Hacking programmable road signs
Abstract: Digital road signs (remotely controlled) stand at the side of the road to give drivers important information such as road closures or traffic delays, but what if the sign instead displayed messages such as "Zombies ahead" or "this sign has been hacked"?
References: http://blog.clusit.it/sicuramente/2009/01/pannelli-a-messaggio-variabile-da-hacker.html
http://www.neowin.net/news/main/09/01/27/hacking-programmable-road-signs

Date: 18/02/2009
Location: Foxboro, MA, USA
Title: CERT Reported Vulnerabilities in iFIX Security
Abstract: Some security issues have been reported in the GE Fanuc SCADA software iFIX, which can be exploited by malicious users to disclose sensitive information and bypass certain security restrictions, and by malicious people to disclose sensitive information.
References: http://support.gefanuc.com/support/index?page=kbchannel&id=S:KB13253&actp=search
http://loftyperch.com/index/page/405/use_lang/EN/cnt_id/41.html
http://www.f-secure.com/vulnerabilities/SA200900818

Date: 07/04/2009
Location: NY, USA
Title: Usa, cyberterroristi all'attacco "E' stata minata la rete elettrica" (USA, cyberterrorists on the attack: "The power grid has been mined")
Abstract: The American power grid "mined" with sophisticated software; aqueducts, water treatment plants and other infrastructure at risk; Russian and Chinese "cyber-spies" active in the States.
References: http://blog.clusit.it/sicuramente/2009/04/e-stata-minata-la-rete-elettrica.html
http://www.repubblica.it/2009/04/sezioni/esteri/cyberpirati-usa/cyberpirati-usa/cyberpirati-usa.html

Date: 22/06/2009
Location: Washington, DC, USA
Title: Washington Metro Crash
Abstract: Failure of the signal system and operator error are cited as likely causes of yesterday's fatal Red Line crash.
References: http://www.washingtonpost.com/wp-dyn/content/article/2009/06/22/AR2009062203261.html

Date: 30/06/2009
Location: Dallas, TX, USA
Title: Arlington Security Guard Arrested on Federal Charges for Hacking into Hospital's Computer System
Abstract: Computer intrusions into several computers in the Carrell Clinic hospital building, including the Heating, Ventilation and Air Conditioning (HVAC) system and computers containing confidential patient information.
References: http://dallas.fbi.gov/dojpressrel/pressrel09/dl063009.htm
http://blog.clusit.it/sicuramente/2009/07/preso-di-mira-dallhacker-anche-il-sistema-di-controllo-hvac-dellospedale.html

Date: 24/08/2009
Location: Azerbaijan
Title: Russian hackers vandalized BTC pipeline data servers
Abstract: Russian hackers have long been attacking the Baku-Tbilisi-Ceyhan (BTC) pipeline data server; acting through the Russian Special Service, they vandalized the servers of the energy pipeline carrying gas from Azerbaijan to Europe while bypassing Russia.
References: http://news.am/en/news/2963.html
http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckController=Blog&plckScript=blogScript&plckElementId=blogDest&plckBlogPage=BlogViewPost&plckPostId=Blog%3a27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3a9e21ed93-400c-4f43-a976-c377cd661ae2