
Cyber Security Evaluation of Critical Infrastructures Systems

by Alecsandru PĂTRAȘCU (1), Emil SIMION (2)
(1), (2) Advanced Technologies Institute, Bucharest, Romania
Email: (1) alecsandru.patrascu@gmail.com, (2) ati@dcti.ro, esimion@fmi.unibuc.ro

Abstract. Over the last 25 years we have seen a massive change in how we manage and think about information. The Internet is a rather new technology for us, but it has undoubtedly become a force that is working its way into all our lives. However, it is important to realize the security issues involved. In the 1980s information was mostly stored and used in analogue form, on paper, in binders, on shelves and in safes. Today almost all information is digital. It is created and stored on individual computers and transmitted over computer networks. From the security point of view, this means that the information sent, often secret or private, can now be intercepted from anywhere on the planet. This has strong consequences, because we no longer have to be physically where the data is.
Cyber security has emerged in recent years as an issue of vital importance for everyone, as governments, businesses and individuals are under constant attack from other governments, cyber criminals and hackers. These attacks steal large amounts of money, in the form of personal and business data, and compromise sensitive government operations. Industrial software and equipment represent a new attack vector for modern industry, one that involves both the risk of unintentional employee errors and targeted attacks.
Attack types such as social engineering, port scanning, packet sniffing, password cracking, denial of service attacks, machine bugs, server bugs and exploits are no longer aimed only at desktop and server environments, as they are becoming a real threat for all non-IT industries. This makes the work harder even for security specialists and researchers, as these directions are new and have not yet been properly evaluated. Since almost every critical infrastructure, such as transportation systems, automotive factories, telecommunications, water supply and electricity generation, has a computer network for decision-making and control in the background, it is vulnerable to a series of threats. This chapter focuses on these threats, with emphasis on their newer forms, more precisely the issues around industrial control systems such as SCADA, which are configured to control and monitor specific industrial processes, with a case study on Stuxnet. State of the art vulnerabilities like car viruses are also covered. For an in-depth understanding of the concepts involved in cyber security we have included some attack scenarios explained in detail.


Keywords. cyber security, cryptography, steganography, critical infrastructure, industrial
control systems, car viruses, information warfare, smart grid, malware, SCADA, transportation
network, intelligent transport systems












1. Introduction
Nowadays, Internet technologies optimize the time needed to take human and organizational decisions. For example, we use the Internet for electronic communications, electronic commerce, transactions and banking, and for accessing different databases in order to process information. All these actions, which take place in the virtual space, must be protected from electronic fraud. Thus, we need to implement, in the virtual space, security measures similar to real-world security measures. But there is a difference: behind real-life thefts there are humans who interact with the goods, whereas in the virtual space thefts are carried out by viruses, worms and malware applications which interact with and monitor the assets of the system. If we consider that all these weapons (viruses, worms, malware applications etc.) are produced by humans, we can conclude that human intelligence plays a decisive role in the protection of system assets and that the critical decisions must be taken by humans. The problem is how to organize these decisions, which are large in number, so that they can be made, corrected and modified with limited human intervention [1] [2].
In this chapter we are going to discuss a new and controversial topic, closely related to problems that until now affected only traditional computers and networks: the cyber security of critical infrastructures and intelligent transport systems.
Traditionally, critical infrastructures represent the field of utilities and facilities that we use daily. These include, among many others: electricity grids, gas, transport and transportation systems. A more recent factor is the ever greater involvement of computer systems within all the classic sectors presented earlier. And since we rely more and more on computers for proper system function, we open a new window of opportunity for hackers and for all forms of cyber warfare.
Until recently these manifestations had only a single goal: to silently gather data and multiply across all vulnerable devices reachable from an infection point. This changed in 2010, when a computer worm called Stuxnet was discovered across different critical infrastructures around the globe. We can say for sure that everything that applies to a traditional computer network can be applied to modern intelligent transport systems, including the use of zero-day attacks, botnets and all other malware.
Along with other specific tools and techniques currently used in traditional computer networks, we are going to present how the same instruments can be used in this specific field. In this case, the use of scenarios is the main way in which people involved in incident response can be trained. Often these scenarios are presented to the general public in a masked form; a good example in this field is the international challenge called Cyber MITRE, organized by the Federal Bureau of Investigation and Fordham University. We will present seven basic scenarios that can be used in a real-life transportation network security breach:
1. Identification of encrypted data in a file;
2. Decryption of a piece of encrypted data;
3. Identification of steganography and revealing the hidden data;
4. Identification of a suspect communication between two computers and revealing the stolen data;
5. Identification of incorrect usage of cryptographic algorithms and finding the private key used for signing;
6. Identification of host-to-host wireless communication;
7. Interception of host-to-host communication.
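As an added illustration of scenario 1 (not part of the original chapter), the following Python script locates encrypted-looking regions in a file by sliding a Shannon-entropy window over it, then uses container magic numbers to separate compressed archives (which are also high-entropy) from truly opaque data. The sample file is constructed inline; the SHA-256 counter stream that stands in for ciphertext is an assumption of the example.

```python
import hashlib
import math
from collections import Counter

# Magic numbers of common compressed containers. Compressed data also has
# near-8-bit entropy, so a region starting with one of these is a container,
# not encrypted content, and deserves a different follow-up.
CONTAINER_MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(data: bytes, block_size: int = 1024,
                              threshold: float = 7.5):
    """Scan `data` in fixed blocks and merge consecutive blocks whose entropy
    is at or above `threshold` into (offset, length) regions.

    1024-byte blocks are used because a 256-byte block of uniformly random
    bytes only reaches about 7.2 bits (too few samples for 256 symbols),
    while a 1024-byte block reaches about 7.8 bits; English text stays
    around 4.5 bits, so 7.5 separates the two cleanly.
    """
    regions = []
    current = None  # [offset, length] of the region being extended
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        if shannon_entropy(block) >= threshold:
            if current is None:
                current = [off, 0]
            current[1] += len(block)
        elif current is not None:
            regions.append(tuple(current))
            current = None
    if current is not None:
        regions.append(tuple(current))
    return regions


def classify_region(data: bytes, offset: int) -> str:
    """Label a high-entropy region by the magic number at its start."""
    for magic, name in CONTAINER_MAGICS.items():
        if data[offset:offset + len(magic)] == magic:
            return f"compressed container ({name})"
    return "encrypted or unknown"


def build_sample_file() -> bytes:
    """Constructed sample: 2 KiB of text, 4 KiB of opaque data, 2 KiB of text.
    The opaque part is a SHA-256 counter stream standing in for ciphertext
    (an assumption of this example, not real encrypted content)."""
    sentence = b"The quick brown fox jumps over the lazy dog near the river bank. "
    text = (sentence * 64)[:2048]
    opaque = b"".join(hashlib.sha256(b"sample-seed" + i.to_bytes(4, "big")).digest()
                      for i in range(128))  # 128 * 32 = 4096 bytes
    return text + opaque + text


def scan(data: bytes):
    """Return [(offset, length, label)] for every suspicious region."""
    return [(off, ln, classify_region(data, off))
            for off, ln in find_high_entropy_regions(data)]


if __name__ == "__main__":
    for off, ln, label in scan(build_sample_file()):
        print(f"offset {off:>6}  length {ln:>6}  {label}")
```

On the constructed file the scan reports a single region at offset 2048 of length 4096 labelled "encrypted or unknown"; on real files, lower the threshold or the block size only after checking what compressed content in the same file scores.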

The chapter is organized as follows. Section 2 contains a brief introduction to critical infrastructures; we discuss what a critical infrastructure is from the industry point of view and what security problems surround these infrastructures, and we provide examples of problems and solutions in this field. In section 3 we discuss the concept of intelligent transport systems and in section 4 the concept of smart grids, a rather new topic which combines the classic approach of electric grids with the new approach of information and communication technology. Section 5 is dedicated entirely to the newer botnet and malware threats aimed at desktops and industrial computer networks. In section 6 we discuss cyber attacks on SCADA systems; we present what these systems are and how they work, and we provide real examples of attacks, such as the Stuxnet malware. In section 7 we present a new and controversial domain in the security of the automotive industry, the protection of transportation networks from malware; we present the main types of these new threats and how they affect our daily lives, and as a case study we discuss a subject that is gaining more and more attention from security specialists, the problem of car viruses. In section 8 we briefly cover some of the most used tools in cyber security investigations and present some practical scenarios used in cyber trainings. Section 9 is dedicated to presenting different views on critical infrastructures in different countries, such as the United Kingdom, Germany and the USA. Finally, section 10 contains conclusions and an outline of directions for future research.
2. Critical infrastructures
People and businesses today are connected using some kind of device, through the cellular network, Wi-Fi or a local area network. Nevertheless, organizations have not yet fully understood that endpoint security is vital. With this in mind, we can define a critical infrastructure as a network or system which is vital for the day-to-day operations of an organization, society or economy. Historically [3], critical infrastructures have been gathered under terms like utilities and facilities, and are commonly associated with:
- electricity, gas and oil products generation, transmission and distribution;
- telecommunications;
- water supply;
- agriculture;
- food production and distribution;
- public hospitals and ambulances;
- transportation systems (such as railways, airports, etc.);
- banking and other financial services;
- public security services.

The criteria used to determine whether an asset is a critical infrastructure or not have been changing over time. According to a report prepared for the US Congress in 2002 [4], the infrastructures originally considered critical were those whose prolonged unavailability could cause significant military and/or economic disruption. Today the term has expanded and covers even national monuments, where an attack can lead to loss of life and affect the attacked nation's morale, and the chemical industry, where an attack can alter the proper functioning of a factory and threaten the safety of surrounding communities.
It is easy to see that, in order to have the means to deal with threats affecting these systems, governments across the globe are working together on multi-purpose action [5]. Nevertheless, while Interpol is the international agency for criminal activity in general, there is no such agency yet for cyberspace, with responsibilities comparable to those of its counterpart. This can be seen in international statements, such as the one made by Subhendu Sahu, director of Symantec Asia: "the doctrine of national security has to change. There is a need to be aware and to have the right intelligence. Security is not enough, resilience is required." This means that entire economies must know about, understand and prioritize what is important for their computer networks, especially for those that are part of critical infrastructures.
In order to protect critical infrastructures from different cyber attacks, system administrators can use the many technologies and tools existing today. And since central computation nodes, or cloud computing technologies, have recently emerged and are used more and more, new technologies and tools must be developed if we want to migrate all or part of the computation done inside such infrastructures to them. Current technologies, such as secure access control, remote system management and system integrity checking, help administrators and security experts avoid unauthorized access to the information and data that is stored, processed and transported inside such infrastructures. We can say that all these technologies should be gathered under a single cyber security framework for Critical Infrastructure Protection, as presented in [6]. According to the authors of this document, such a framework must include:
1. determining the business requirements for security;
2. performing risk assessments;
3. establishing a security policy;
4. implementing a cyber security solution that includes people, processes, and technologies to mitigate identified security risks;
5. continuously monitoring and managing security.
Nevertheless, we must pay attention when implementing and using such frameworks, because they have great costs which must be justified to the owners. In this entire process we must not neglect two important factors.
The first is the fact that each technology used has certain limitations and, since these technologies are designed to work in tandem with others, they must be operated by professional personnel.
The second is the lack of international or standardized solutions for these problems. When working in such environments we often note that, in order to make security a first-class element, we must be able to develop and impose a long-term plan that contains such standards and all the other practical solutions for the problems involved. Here a lot of help must come from the government and its designated authorities, by deploying a national plan for critical infrastructure protection and by allowing the agencies in charge of national security to intervene and collaborate on all matters involving cyber security.
Lastly, as presented in [6], ultimately the responsibility for protecting critical infrastructures falls on the critical infrastructure owners. However, governments have several options at their disposal to manage and encourage the increased use of cyber security technologies, to research and develop new cyber security technologies, and generally to improve the cyber security posture of critical infrastructure sectors.
Of course, many technologies used in regular computer networks can also be used to protect the networks contained in critical infrastructures. Table 1 lists such technologies, grouped into separate domains, as presented by the United States General Accounting Office (USGAO) [6].


Table 1. Common cyber security technologies classification after USGAO.

| Category | Technology | What it does |
|---|---|---|
| Boundary protection | Firewalls | Controls access to and from a network or computer. |
| Boundary protection | Content management | Monitors Web and messaging applications for inappropriate content, including spam, banned file types, and proprietary information. |
| Authentication | Biometrics | Uses human characteristics, such as fingerprints, irises, and voices, to establish the identity of the user. |
| Authentication | Smart tokens | Establish identity of users through an integrated circuit chip in a portable device such as a smart card or time-synchronized token. |
| Authorization | User rights and privileges | Allow or prevent access to data and systems and actions of users based on the established policies of an organization. |
| System integrity | Antivirus software | Provides protection against malicious code, such as viruses, worms, and Trojan horses. |
| System integrity | Integrity checkers | Monitor alterations to files on a system that are considered critical to the organization. |
| Cryptography | Digital signatures and certificates | Uses public key cryptography to provide: assurance that both the sender and the recipient of a message or transaction will be uniquely identified; assurance that the data have not been accidentally or deliberately altered; verifiable proof of the integrity and origin of the data. |
| Cryptography | Virtual private networks | Allow organizations or individuals in two or more physical locations to establish network connections over a shared or public network, such as the Internet, with functionality that is similar to that of a private network, using cryptography. |
| Audit and monitoring | Intrusion detection systems | Detect inappropriate, incorrect, or anomalous activity on a network or computer system. |
| Audit and monitoring | Intrusion prevention systems | Build on intrusion detection systems to detect attacks on a network and take action to prevent them from being successful. |
| Audit and monitoring | Security event correlation tools | Monitor and document actions on network devices and analyze the actions to determine if an attack is ongoing or has occurred. Enable an organization to determine if ongoing system activities are operating according to its security policy. |
| Audit and monitoring | Computer forensics tools | Identify, preserve, extract, and document computer-based evidence. |
| Configuration management and assurance | Policy enforcement applications | Enable system administrators to engage in centralized monitoring and enforcement of an organization's security policies. |
| Configuration management and assurance | Network management | Allow for the control and monitoring of networks, including management of faults, configurations, performance, and security. |
| Configuration management and assurance | Continuity of operations tools | Provide a complete backup infrastructure to maintain availability in the event of an emergency or during planned maintenance. |
| Configuration management and assurance | Scanners | Analyze computers or networks for security vulnerabilities. |
| Configuration management and assurance | Patch management | Acquires, tests, and applies multiple patches to one or more computer systems. |

3. Intelligent transport systems

Intelligent transport systems, or ITS for short, are systems designed to provide solutions for modern transportation modes. We can see them as automatic traffic management systems that use modern technology such as sensors and computers to make safer, coordinated and smarter decisions affecting transport systems.
Why do we need ITS? The problem appeared together with the exponential increase in the number of cars and people on the globe: traffic congestion. To be more efficient, computing technology was used, both in the field and in dedicated laboratories, for simulations and models. Of course, along with traffic congestion come many more problems, such as pollution, fuel consumption and long travelling times.
Over time, the concept of ITS has become broader, covering more transportation fields than cars. For example railroads, water and air transport, and all other means of transportation for both critical and non-critical infrastructures benefit from these technologies.
Since ITS are very complex systems, they are designed to use multiple technologies for managing different modules. We can find basic management for cars, such as traffic lights, number plate recognition, speed cameras, etc., up to advanced guidance and monitoring systems, such as parking guidance, weather monitoring, etc.
In order for these systems to communicate with each other, ITS use different communication channels, such as wireless communication. Wireless communication is a good alternative to wired communication because it can cover much larger areas with much less impact on the environment. Within this type we can find technologies used for short-range or long-range communication.
For short-range communications we find the standard IEEE 802.11 wireless protocols. These come with all their advantages and disadvantages. As advantages we can mention that they are flexible: within radio coverage, the nodes can communicate without many restrictions and, furthermore, radio waves can pass through walls. Of course, deploying such technology does not require as much planning as a wired network. On the downside, a major problem is that many devices can interfere with this kind of communication.
For long-range communications we find standards such as IEEE 802.16 (WiMAX), GSM, 3G or satellite. The problem when using such technologies is the cost of the infrastructure that is going to be used and the response time of the sub-systems.
The development of ITS was substantially shaped by evolving technologies. If ten years ago a medium-priced car contained several tens of chips and microcontrollers for controlling all important car functions, such as braking, today's cars contain fewer, but more powerful processing units, with dedicated memory, sensors and operating system.
We can find applications of ITS all over the world, starting from the notification systems on highways, through dynamic traffic lights, and ending with those used for collision avoidance.
4. Smart Grids
In the context of critical infrastructure systems we consider a smart grid an evolution of the classic electrical grid. It is "smart" because it uses the latest developments in information technology and computer network communications in order to automate its internal work queues. This leads directly to improved efficiency, lower maintenance costs and lower effort for electricity distribution to end clients.
The term smart grid is considered new, since it has been used broadly only since 2005. It was first mentioned officially in an article written by Amin and Wollenberg [7] called "Toward a Smart Grid". Nevertheless, we can trace this concept back, in a primitive form, as far as the early 2000s. We can give many definitions to this term, from a functional and/or technological perspective, but all of them share the same central idea: the involvement of computation technologies to create a centrally managed electric grid.
Currently there are many technologies that we can use in the context of smart grids. Technically, we can see the entire picture split into two distinct layers. The first is composed of the technologies and physical computing resources that are used, and the second, relative to the classical electric grid, is composed of the business management units, which are responsible for the interaction with end clients.
The main threats surrounding these infrastructures are attacks on the first layer presented in the previous paragraph. As presented in [8] by the US Council on Foreign Relations, "concerns chiefly center around the communications technology at the heart of the smart grid. Designed to allow real-time contact between utilities and meters in customers' homes and businesses, there is a very real risk that these capabilities could be exploited for criminal or even terrorist actions. One of the key capabilities of this connectivity is the ability to remotely switch off power supplies, enabling utilities to quickly and easily cease or modify supplies to customers who default on payment. This is undoubtedly a massive boon for energy providers, but also raises some significant security issues."
But what are the security issues mentioned above? To answer this question we must first try to put ourselves in the place of a cyber attacker. The first thing he would try is to paralyze the entire activity of a chosen target. And since all its equipment runs on electric power, we find that attacking a smart grid can be very attractive. We can draw a parallel with classic war: this kind of attack can be compared with dropping an atomic bomb over a targeted region, where nothing will stand in its way.
Looking back into our history we can find clear examples, such as the Kosovo war in the late 90s, in which electric grids were key targets for fighting the enemy. This is the main reason why these infrastructures are critical and a great deal of attention and money is spent to secure them. It also leads to psychological warfare, because people panic once they see they do not have electricity to power their utilities, such as cooling or heating devices.
The concepts behind smart grids have always been on the front page for the standardization institutes. On the US infrastructure website we can find some interesting paragraphs regarding our topic. In their vision [9], "over the next 10 years there will be an opportunity for ill-intentioned foreign governments to have their own agents inserted in key facilities. This is generally outside the system of national vetting and clearances in most countries. Second, it is straightforward to install malware on people's PCs. Social engineering, spear phishing can be used easily."
Furthermore, in the same declaration we can see that there are other ways in which the smart grid revolution could bring unwelcome side effects. In the rush to implement security standards on a national scale a number of organizations are getting involved, including NIST, the Department of Homeland Security and even the Securities Exchange Committee. With new standards come new compliance rules, along with all their associated costs. The desire to circumvent that compliance burden is already having negative impacts. One example is the recent requirement that any piece of infrastructure deemed critical must have information security measures installed. The definition of critical includes power generating facilities described as "black start", meaning they can still be fired up should the grid be compromised. This description applies to hydroelectric plants, which only need to open the gates to get the turbines spinning, and to coal-fired plants, but only if they have an auxiliary diesel generator to fire up the furnaces in the event of an outage.
5. Cyber threats targeting critical infrastructures
Today's critical infrastructures and all their parts, including intelligent transport systems, suffer from the same weaknesses that can be found, for example, in a computer operating system. And since more and more infrastructures migrate to operating systems and other software programs that are the same as, or derived from, personal computer software, we consider this a great threat to all infrastructures and their components.
In the following subsections we will discuss the most important and most often encountered cyber threats. We will present the concept of zero-day attacks, which lays the ground for every great cyber attack, and continue with botnets and malware.
5.1. Zero day attacks
A zero-day attack or threat is an attack that aims to exploit previously unknown vulnerabilities in software applications. The term comes from the fact that the attack occurs on "day zero" of awareness of the vulnerability, when the developers of the affected application have had no days available for patching it.
These attacks come in large numbers. Malware, viruses and Trojans all represent attack vectors that target modern software and delivery networks. In this equation the web browsers and the operating systems on top of which they run represent the most widely targeted components, because they are widespread on all devices, from mobile phones to desktops. Mail delivery networks are also targeted, because they can carry an infected e-mail attachment to a potential victim. To cope with these threats, organizations like US-CERT [2] and the Zero Day Initiative [10] dedicate their work to providing users with cyber security.
Since the vulnerabilities have not yet been reported and fixed, there is no way to protect ourselves from them before they happen. Of course, methods and procedures for early detection exist, such as:
- the use of VLANs with IPsec to protect the content of an individual transmission;
- the use of Intrusion Detection Systems;
- the use of network access control to protect against rogue machines that connect to a certain network.
5.2. Botnets
A botnet is a number of Internet computers that, although their owners are unaware of it, have been compromised and set up to send and forward different types of transmissions, including spam or viruses, to other computers on the Internet. The term comes from the fact that any infected computer becomes a robot, or bot for short, that serves an attacker. Reports from well-known security companies like Symantec and Kaspersky Labs reach a common conclusion: botnets are currently the biggest threat to the Internet.
Computers used inside a botnet are those whose owners fail to provide effective firewalls or other safeguards from the Internet. Furthermore, an increasing number of home computers benefit from high speed Internet connections, which aids the efforts of the attackers. A bot is a program attached to one of the computer's ports that is left open, and through this port a remote program can connect to it.
One example is the use of a botnet to redirect HTTP traffic to another specific computer or website, in a Distributed Denial-of-Service (DDoS) attack. The remote website will go down because it cannot handle all the traffic.
Another example is the DNSChanger bot. This is a Domain Name System (DNS) hijacking Trojan that was distributed over the Internet as a download claiming to be a video codec needed to view video content on bait pornography sites. Once installed, it modifies the target's DNS configuration to point to bogus servers on the Internet operated by an Estonian company called Rove Digital and its hosting subsidiary Esthost. By now it is estimated to have infected over 4 million computers worldwide, many of them at government agencies and large companies like NASA, because the botnet can affect both PCs and Apple computers. The scheme this botnet implements uses its linked Trojans to divert Web traffic from its intended destination to that of advertisers who paid for traffic delivery, thinking it was provided through paid links. This traffic was directed to IP addresses falling into the following ranges:
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
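As an added defensive check (not part of the original chapter), the Python script below parses resolver settings from a resolv.conf or Windows ipconfig listing and flags any DNS server that falls inside the six DNSChanger ranges listed above, which is how a host whose DNS configuration was silently rewritten can be spotted. The two configuration listings are constructed samples, not captures from a real host.

```python
import ipaddress
import re

# The rogue resolver ranges quoted in section 5.2, converted to networks so
# that membership tests are exact at the range boundaries.
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
DNSCHANGER_NETWORKS = [
    net
    for first, last in DNSCHANGER_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def is_rogue_resolver(ip_text: str) -> bool:
    """True when the address lies inside one of the DNSChanger ranges."""
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ipaddress.AddressValueError:
        return False  # not a valid IPv4 address, so it cannot match a range
    return any(ip in net for net in DNSCHANGER_NETWORKS)


def extract_resolvers(config_text: str):
    """Pull DNS server addresses out of an /etc/resolv.conf listing
    ("nameserver 1.2.3.4") or a Windows `ipconfig /all` listing
    ("DNS Servers . . . : 1.2.3.4" followed by indented continuation lines
    that hold one further address each)."""
    resolvers = []
    in_dns_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            in_dns_block = False
            continue
        lower = line.lower()
        if lower.startswith("nameserver") or "dns servers" in lower:
            in_dns_block = True
            resolvers.extend(IPV4_RE.findall(line))
        elif in_dns_block and IPV4_RE.fullmatch(line):
            resolvers.append(line)  # continuation line of a Windows DNS list
        else:
            in_dns_block = False
    return resolvers


def audit_resolvers(config_text: str):
    """Return [(address, is_rogue)] for every resolver in the listing."""
    return [(ip, is_rogue_resolver(ip)) for ip in extract_resolvers(config_text)]


# Constructed sample listings (not captured from a real host).
SAMPLE_RESOLV_CONF = """\
# resolv.conf after a DNSChanger-style modification
nameserver 85.255.113.7
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.invalid
   DNS Servers . . . . . . . . . . . : 93.188.161.20
                                       1.1.1.1
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF),
                       ("ipconfig", SAMPLE_IPCONFIG)):
        for ip, rogue in audit_resolvers(text):
            print(f"{name}: {ip:<16} {'ROGUE (DNSChanger range)' if rogue else 'ok'}")
```

Both samples produce one flagged resolver each (85.255.113.7 and 93.188.161.20); on a real fleet the same check is worth running over DHCP-assigned resolvers and home router settings, since DNSChanger also altered those.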
5.3. Malware
Malware is software used or created by hackers to alter computer and system operations. The goal is to gather sensitive information or to gain access to private computer systems. Its form varies from a full software program to a script. It is a general term used to refer to all forms of hostile and intrusive software, such as computer viruses, Internet worms, Trojan horses, spyware, adware, and rootkits.
In the evolution of malware we can establish two big periods: before 2010 and after 2010. Malware before 2010 was mainly targeted at single computers or medium-sized computer networks. Since 2010 we find the so-called modern malware, which has migrated from personal computers to large systems, even critical industrial systems.
In the following paragraphs we will present one of the main threats in this field, responsible for industrial system malfunctions, called Flame.
Flame, also known as Flamer or sKyWiper [11], is computer malware that attacks computer and industrial systems running the Microsoft Windows operating system. It was used for regular and critical infrastructure penetration in several countries around the world [12].
This malware is capable of spreading to other systems over a local area network (LAN) or through USB sticks. It can record audio, screenshots, keyboard activity and network traffic. Furthermore, it can record instant messaging conversations and can turn infected mobile computers and auxiliary wireless modules into Bluetooth beacons which attempt to connect to and download information from other Bluetooth devices nearby. This data was then sent to one of several master servers on the Internet.
What is interesting about this malware is its built-in capability to "suicide". The creators of Flame implemented a kill command that automatically removed it from the infected computers. This command was caught by Symantec using computers set up to watch the malware's actions. More exactly, when it received that command, Flame located every file existing on the victim PC, deleted it and then overwrote its memory location with random data to prevent forensic examination.
According to cryptographic experts [13] [14], Flame was the first malware to use a rather obscure cryptographic technique called a prefix collision attack. This allowed it to fake the digital credentials that helped it to spread. The exact method for this kind of attack was demonstrated in 2008, but the creators of Flame implemented their own variant. This led Marc Stevens to state that the design of this new variant "required world-class cryptanalysis". All these findings support the claim that Flame must have been built by a nation state rather than cybercriminals, due to the large amount of time, effort and resources that were put into its creation.

6. Cyber attacks on SCADA systems

Supervisory Control and Data Acquisition (SCADA) is a generic term for large-scale industrial
control systems used to automate industrial processes in facilities such as power generation, water
supply, etc.; Siemens is one of several vendors of such systems. One of their main advantages is that the
technology can be used in more delicate fields, where precision is vital, such as nuclear facilities. Their
main purpose is to monitor and control all the operations inside such a facility, using a large network of
sensors and computers for central decision making.
Since SCADA systems control physical processes, they must be both dependable and large:
a single installation can manage on the order of a million input and output channels across its
subsystems.
As a brief description, we present the main components of a SCADA system. The main
parts are the signaling hardware for the input and output process lines, the network
between subsystems, the control devices, the user interface to the subsystems (Human-Machine
Interface, or HMI), communication equipment and modules, and, of course, the operating system and
all the software for the modules and subsystems. The measurement and control side of a SCADA
system has one Master Terminal Unit (MTU), which is the central management node and
typically runs Microsoft Windows. The MTU handles a series of Remote Terminal Units (RTUs),
which are responsible for local data gathering and control.
In its current form, the supervisory layer of a SCADA system is largely open-loop with respect to
the physical process: the fast closed-loop control runs locally on PLCs and RTUs, while the central
system sets parameters and observes the values the remote modules report back. The supervisory layer
therefore cannot independently verify the physical effect of a command; it has to trust what the remote
modules report. This is exactly the trust relationship that a PLC-level rootkit such as Stuxnet's abuses
when it hides manipulated code from the operators.
Because SCADA is a complex system used successfully even in critical
infrastructures, it represents an attractive target for attackers. In the following subchapter we talk
about Stuxnet, a computer worm that targeted Siemens industrial software and equipment running on
Microsoft Windows. The analysis below is a compilation of information gathered from different
international sources [15], [16] regarding Stuxnet.
6.1 Stuxnet
Stuxnet is a computer worm discovered in June 2010. It is the first publicly known worm to
target Siemens-based industrial control systems, referred to as SCADA systems [15]. Not only did
Stuxnet include malicious STL (Statement List) code, an assembly-like programming language
used to program Siemens PLCs, it also included the first known PLC (programmable logic
controller) rootkit, which hides the injected STL code. It also exploited a zero-day vulnerability to
spread via USB drives, used a Windows rootkit to hide its Windows binary components, and signed its
drivers with certificates stolen from two unrelated third-party companies (Realtek and JMicron).
Researchers at Symantec reverse-engineered Stuxnet's encrypted components, and they say it is the
first worm built not only to spy on industrial systems but also to reprogram them. Once installed on a
PC, Stuxnet uses a hard-coded default password of the Siemens software to seek out and gain access to
systems that run WinCC and PCS 7, the Siemens programs used to supervise and program the PLCs
that manage large-scale industrial systems on factory floors and in military installations and chemical
and power plants. The software operates in two stages following infection. First it uploads
configuration information about the Siemens system to a command-and-control server. Then the
attackers are able to pick a target and actually reprogram the way it works.
Stuxnet's PLC component comes with a rootkit designed to hide the code it injects into the PLC
from operators who inspect the controller with the Siemens software. Because of that, Symantec warns
that even if the worm's Windows components are removed, the PLCs might still contain hidden code.
Symantec advises companies that have been infected to thoroughly audit the code on their PLCs, or to
restore the system from a known-good backup, in order to be safe.
When Symantec researchers analyzed the worm they discovered that the malware used the
Profibus standard to communicate with the target hardware. They also noticed that it searched for a
specific value, 2C CB 00 01, before deciding to attack its target PLC. They thought this might be
some kind of ID the Step7 system assigned to a hardware part, so they set up a simulated Step7 PLC
environment and began plugging in parts. The reference value finally appeared when they attached
a Profibus network card. But there were two numbers Stuxnet sought that were still a mystery: 9500h
and 7050h. Neither showed up when they plugged hardware parts into their simulated system, nor
did Google searches on the numbers produce anything.
In order to progress further, the researchers put out a request on their blog asking for
anyone with experience in Profibus and critical infrastructures to contact them, and a Dutch
programmer named Rob Hulsebos wrote back. Most of his e-mail discussed information the
researchers already knew, but one line stood out: every Profibus component had to have a unique ID
(an Ident Number) that was one 16-bit word long.
Then they searched online for Profibus documentation and found a PDF with a list of specs
for devices used with Profibus network cards. At the bottom of the list were the two mystery numbers
Stuxnet sought. They were product IDs for two types of frequency converters. The first, 9500h,
referred to Vacon NX frequency converters, and the second, 7050h, referred to a frequency converter
that the list did not name (it was later identified as a model made by Fararo Paya of Iran).
Frequency converters modulate the speed of motors and rotors in things like the high-speed drills
used to cut metal parts in factories and the machines in paper mills that force pulp through a grate.
Increase the frequency of the drive, and the rotor spins faster. In the Profibus documentation the
researchers found online they discovered a list of commands to control frequencies; they matched
exactly the commands written in Stuxnet.
Based on information in the code, Stuxnet was targeting a facility that had 33 or more
frequency converter drives installed, all operating at between 807 Hz and 1,210 Hz. The malware
would sit quietly on the system doing reconnaissance for about two weeks, then launch its attack
swiftly and quietly, increasing the frequency of the converters to 1,410 Hz for 15 minutes before
restoring them to a normal frequency of 1,064 Hz. The frequency would remain at this level for 27
days, before Stuxnet would kick in again and drop the frequency to 2 Hz for 50 minutes.
The drives would then remain untouched for another 27 days, before Stuxnet attacked again
with the same sequence. The extreme range of frequencies suggested Stuxnet was trying to destroy
whatever was on the other end of the converters.
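The targeting check described above (the Profibus module marker 2C CB 00 01, the Ident Numbers 9500h and 7050h, and the threshold of 33 drives), reimplemented as an added example in Python. This is not Stuxnet's code: the record layout it parses is a constructed, simplified stand-in for the Siemens system data blocks the worm actually read, and the function names are ours.

```python
"""
Added example (not Stuxnet's code): a reimplementation of the targeting
check described above. It looks for the Profibus module marker 2C CB 00 01
and counts the frequency-converter Ident Numbers 9500h (Vacon NX) and 7050h
(later identified as Fararo Paya), and only reports a match when at least
33 drives are present.

The record layout used here is a constructed, simplified stand-in for the
Siemens system data blocks (SDBs) that Stuxnet actually read; it is NOT the
real SDB format.
"""
import struct
from collections import Counter

PROFIBUS_CP_MARKER = bytes.fromhex("2CCB0001")  # Profibus communication module present
VACON_NX_ID = 0x9500
FARARO_PAYA_ID = 0x7050
KNOWN_CONVERTERS = {VACON_NX_ID: "Vacon NX", FARARO_PAYA_ID: "Fararo Paya"}
MIN_DRIVES = 33  # Stuxnet required 33 or more converters

# Constructed record types for the simplified SDB format
REC_MODULE = 0x0001  # payload: 4-byte module marker
REC_SLAVE = 0x0002   # payload: 2-byte big-endian Profibus Ident Number


def parse_records(blob):
    """Split a constructed SDB into (type, payload) records.

    Layout: 2-byte type, 2-byte length, payload, all big-endian. Raises on
    truncated input rather than silently returning partial results.
    """
    records = []
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        rtype, rlen = struct.unpack_from(">HH", blob, off)
        payload = blob[off + 4:off + 4 + rlen]
        if len(payload) != rlen:
            raise ValueError("truncated record payload at offset %d" % off)
        records.append((rtype, payload))
        off += 4 + rlen
    return records


def fingerprint(sdb_blobs):
    """Return the facts Stuxnet's go/no-go decision depended on."""
    has_cp = False
    counts = Counter()
    for blob in sdb_blobs:
        for rtype, payload in parse_records(blob):
            if rtype == REC_MODULE and payload == PROFIBUS_CP_MARKER:
                has_cp = True
            elif rtype == REC_SLAVE and len(payload) == 2:
                (ident,) = struct.unpack(">H", payload)
                if ident in KNOWN_CONVERTERS:
                    counts[ident] += 1
    total = sum(counts.values())
    return {
        "profibus_cp": has_cp,
        "vacon_nx": counts[VACON_NX_ID],
        "fararo_paya": counts[FARARO_PAYA_ID],
        "total_drives": total,
        "would_attack": has_cp and total >= MIN_DRIVES,
    }


def build_sdb(module_marker=False, slave_idents=()):
    """Build a constructed SDB blob (test data, not a real Siemens block)."""
    out = b""
    if module_marker:
        out += struct.pack(">HH", REC_MODULE, 4) + PROFIBUS_CP_MARKER
    for ident in slave_idents:
        out += struct.pack(">HHH", REC_SLAVE, 2, ident)
    return out


# Constructed samples: a matching plant (CP module + 20 Vacon + 13 Fararo Paya
# + one unrelated device) and a plant with too few drives.
SAMPLE_TARGET = [
    build_sdb(module_marker=True),
    build_sdb(slave_idents=[VACON_NX_ID] * 20 + [FARARO_PAYA_ID] * 13 + [0x1234]),
]
SAMPLE_BENIGN = [
    build_sdb(module_marker=True),
    build_sdb(slave_idents=[VACON_NX_ID] * 5),
]

if __name__ == "__main__":
    print("target plant:", fingerprint(SAMPLE_TARGET))
    print("benign plant:", fingerprint(SAMPLE_BENIGN))
```

The point of the example is the decision logic, not the byte layout: both the module marker and the drive count must be satisfied, which is why a plant with plenty of Vacon drives but no Profibus communication module (third assertion in the test) is still left alone.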
Next, we present in detail the actual life cycle of Stuxnet on a Windows operating
system.
6.1.1 The main malware dropper
The dropper takes the form of the file ~WTR4132.TMP. This file is a dynamic link
library loaded into explorer.exe. It begins its execution by searching its own image for a section
named .stub, which contains the main Stuxnet DLL, i.e. all of the worm's functions,
mechanisms, files and rootkits.
The .stub section also includes the configuration data of Stuxnet, which drives the
spreading mechanism, the updating mechanism and many other things. After finding this section, the
dropper loads the DLL in a special way. First, it allocates a memory buffer for the DLL to be loaded. Then
it patches six ntdll.dll APIs:
ZwMapViewOfSection
ZwCreateSection
ZwOpenFile
ZwClose
ZwQueryAttributesFile
ZwQuerySection
The patches force these functions to treat the .stub section as if it were a file on disk: a
ZwOpenFile call for a specially named file returns a handle that refers to the section, and the other
functions serve reads from it. As a result, LoadLibraryA loads a DLL not from the hard disk (as usual)
but from a place in memory. The dropper calls LoadLibraryA with a DLL name of the form
KERNEL32.DLL.ASLR.XXXX to load the main DLL in the way described above and, at the end, it calls
a function exported by the main Stuxnet DLL.
6.1.2 The main Stuxnet DLL
When the main DLL begins execution, it decompresses and decrypts itself and then
checks its configuration data and the environment to decide whether to continue or exit at the
beginning. It checks that the configuration data is correct and recent and then checks for admin
rights. If it is not running at administrator level, it uses one of two zero-day vulnerabilities to escalate
its privileges and run at administrator level: CVE-2010-2743 (MS10-073), the Win32k.sys
Keyboard Layout Vulnerability, and CVE-xxxx-xxxx (MS-xx-xxx), a Windows Task Scheduler
vulnerability.
These two vulnerabilities allow the worm to escalate its privileges and run in a new process,
in the context of csrss.exe in the case of Win32k.sys, or as a new task in the Task Scheduler case. It
also makes some other checks, such as whether it is running on a 64-bit or 32-bit architecture. After
everything goes right and the environment is prepared to be infected, it injects itself into another
process in order to install itself from that process. The injection begins by searching for an antivirus
application installed on the machine. Depending on the antivirus application, Stuxnet chooses the
process to inject itself into. If there is no antivirus program it chooses lsass.exe.
It does not look for a running instance of that process to inject into; instead it creates a new
process of the chosen application in suspended form with the CreateProcess API call. The arguments,
as captured on the stack in a debugger:
ESP     > 0006F4F8 |ModuleFileName = C:\WINDOWS\system32\lsass.exe
ESP+4   > 00000000 |CommandLine = NULL
ESP+8   > 00000000 |pProcessSecurity = NULL
ESP+C   > 00000000 |pThreadSecurity = NULL
ESP+10  > 00000001 |InheritHandles = TRUE
ESP+14  > 0800000C |CreationFlags = CREATE_SUSPENDED|DETACHED_PROCESS|CREATE_NO_WINDOW
ESP+18  > 00000000 |pEnvironment = NULL
ESP+1C  > 00000000 |CurrentDir = NULL
ESP+20  > 0006F13C |pStartupInfo = 0006F13C
ESP+24  > 0006F730 \pProcessInfo = 0006F730
After creating this process, it injects itself in a special way: it unmaps the
program's image from the new process's memory (e.g. the lsass.exe module) and loads another PE file
from the Stuxnet DLL's resources in the place of the unmapped module. Before loading this
new PE file, it modifies it by adding a new section (at the beginning) named
.verif, which makes the PE file's size equal to the size of the unmapped module, and at
the location of the original module's entry point it writes a jmp instruction into this PE file.
In the last step, the worm copies the .stub section and the main DLL into the memory of the
infected process, writes a pointer to this memory buffer into the .bin section and, at the end, resumes
the main thread of the infected process. The PE file reloads the main Stuxnet DLL and calls
another internal function.
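To make the section names above concrete, here is an added example (not Stuxnet's code) of a minimal PE section-table reader in Python. It flags the names the analysis associates with the dropper and the hollowed host (.stub, .verif, .bin) and reports any section whose raw data does not fit inside the file, which is how a headers-only image dropped next to a hollowed process looks on disk. The sample images are constructed inline and the function names are ours.

```python
"""
Added example (not Stuxnet's code): a minimal PE section-table reader that
reports the section names the analysis above associates with the Stuxnet
dropper and its hollowed host process (.stub, .verif, .bin) and flags any
section whose raw data extends past the end of the file, which is what a
headers-only image injected into a hollowed process looks like on disk.
A tiny constructed PE image is built inline so the script runs offline.
"""
import struct

SUSPICIOUS_SECTIONS = {b".stub", b".verif", b".bin"}
SECTION_HEADER_SIZE = 40


def read_sections(data):
    """Return [(name, virtual_address, raw_size, raw_offset)] from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + SECTION_HEADER_SIZE * i
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        name, _vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0"), vaddr, rsize, roff))
    return sections


def findings(data):
    """Human-readable findings for one PE image (empty list if nothing stands out)."""
    out = []
    for name, _vaddr, rsize, roff in read_sections(data):
        label = name.decode("ascii", "replace")
        if name in SUSPICIOUS_SECTIONS:
            out.append("section %s present (Stuxnet dropper / hollowed-host marker)" % label)
        if roff + rsize > len(data):
            out.append("section %s raw data runs past end of file" % label)
    return out


def build_pe(section_names, raw_size=0x200):
    """Construct a minimal PE32 image with the given sections (test data only)."""
    nsect = len(section_names)
    opt_size = 0xE0  # size of a PE32 optional header
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers_len = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE * nsect
    table = b""
    body = b""
    for i, name in enumerate(section_names):
        roff = headers_len + i * raw_size
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), raw_size, 0x1000 * (i + 1), raw_size, roff)
        table += b"\0" * 8 + struct.pack("<HHI", 0, 0, 0x60000020)  # relocs/linenums unused
        body += b"\0" * raw_size
    return dos + b"PE\0\0" + coff + opt + table + body


if __name__ == "__main__":
    clean = build_pe([b".text", b".data", b".rsrc"])
    dropper_like = build_pe([b".text", b".stub"])
    hollowed = build_pe([b".text", b".verif", b".bin"])[:-0x300]  # headers claim more data than exists
    for label, image in [("clean", clean), ("dropper-like", dropper_like), ("hollowed", hollowed)]:
        print(label, findings(image) or ["nothing suspicious"])
```

Section names are trivial for an attacker to rename, so this is triage, not detection: the durable signal is the second check, a section table whose raw offsets do not match the bytes actually present, which a hollowed image cannot avoid.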
This function begins by checking the configuration data to make sure that everything is ready
to begin the installation. It also checks whether there is a value named NTVDM TRACE in the registry
key SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation and whether this value equals
19790509; if it does, Stuxnet does not install itself, so the value acts as a do-not-infect marker. The
number looks like a date, May 9, 1979, and it has been speculated that this date was chosen for its
historical meaning for the Jewish community.
After this, Stuxnet installs itself by writing 6 files into the Windows directory: 4 encrypted
files:
C:\WINDOWS\inf\oem7A.PNF
C:\WINDOWS\inf\oem6C.PNF
C:\WINDOWS\inf\mdmcpq3.PNF
C:\WINDOWS\inf\mdmeric3.PNF
and 2 device drivers:
C:\WINDOWS\system32\Drivers\mrxnet.sys
C:\WINDOWS\system32\Drivers\mrxcls.sys
After that, it registers the device drivers in the registry so that they run every time
the computer boots, and it forces them to be loaded early, before most Windows system
applications.
After the installation, it loads the mrxnet driver by calling ZwLoadDriver. It calls this
function after adjusting its privileges with AdjustTokenPrivileges to add SeLoadDriverPrivilege to
its token. At the end, it modifies Windows Defender settings to avoid being stopped or reported by it.
It sets some values in the registry key SOFTWARE\Microsoft\Windows Defender\Real-Time Protection:
EnableUnknownPrompts
EnableKnownGoodPrompts
ServicesAndDriversAgent
It sets them all to zero, which disables the real-time protection prompts that could reveal Stuxnet's
new services and drivers. Now the installation ends, and next we talk about the spreading mechanisms.
6.1.3 Spreading Mechanism
In order to infect USB flash drives, Stuxnet creates a new hidden window named
AFX64c313 and gets notified of any new USB flash drive inserted into the computer by waiting for
the WM_DEVICECHANGE Windows message. After being notified of a new USB flash drive, it writes
6 files onto the drive: 4 shortcut files:
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
and 2 executable files (DLL files):
~WTR4141.tmp
~WTR4132.tmp
These malformed shortcut files use a vulnerability in the Windows Shell, CVE-2010-2568
(MS10-046), the Windows Shell LNK Vulnerability. This is not a buffer-overflow vulnerability but a
flaw in the way Windows loads icons for LNK files: the shortcuts are special shortcuts to Control
Panel (CPL) items, such as datetime.cpl in the Windows directory, and in order to obtain the icon the
Shell loads the referenced module.
If we analyze the shortcut, we will see that all shortcuts contain the following sections:
1. Header
2. Shell Item Id List
3. File Location Info
4. Description
5. Relative Path
6. Working Directory
7. Command Line Arguments
8. Icon Filename
9. Additional Info
The Stuxnet shortcut has only the first 2 sections. The header is presented in Table 2:

Table 2. Stuxnet shortcut header (0x4C = 76 bytes)
Header size (magic)      4C 00 00 00
Link CLSID               01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46
Link flags               01 00 00 00 = 0x00000001: Shell Item ID List present
Target file attributes   00 00 00 00
Creation time            00 00 00 00 00 00 00 00
Last access time         00 00 00 00 00 00 00 00
Modified time            00 00 00 00 00 00 00 00
File length              00 00 00 00 (the target is not a file)
Icon number              00 00 00 00
Show window              01 00 00 00 = 1 (normal window)
Hot key                  00 00
Reserved                 00 00
Reserved                 00 00 00 00
Reserved                 00 00 00 00

The Shell Item ID List begins with an unsigned short that holds the size of the whole section.
This is followed by a sequence of items, each consisting of an unsigned short size followed by the
item data, until the end of the section is reached. The section is terminated by an item whose
size is zero.
In the malformed shortcut, this section begins with the item ID of the Control Panel folder,
followed by some other item IDs, until it reaches an item that contains the path and the file name of
the Stuxnet DLL (~WTR4141.TMP), for example
\\.\STORAGE#RemovableMedia#7&364cf31c&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp.
The creators of the malware used four shortcut files because each of them contains a
different form of the path to ~WTR4141.tmp, to ensure that Stuxnet is compatible with all versions of
Windows that have this vulnerability. The paths are presented in Table 3:

Table 3. Stuxnet shortcut paths
Windows 7:
\\.\STORAGE#Volume#_??_USBSTOR#Disk&Ven_____USB&Prod_FLASH_DRIVE&Rev_#12345000100000000173&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp
Windows Vista:
\\.\STORAGE#Volume#1&19f7e59c&0&_??_USBSTOR#Disk&Ven_____USB&Prod_FLASH_DRIVE&Rev_#12345000100000000173&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp
Windows XP, Windows Server 2003, Windows 2000:
\\.\STORAGE#RemovableMedia#8&1c5235dc&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp
These paths force explorer.exe to load Stuxnet and execute its code: Explorer calls an
API named Shell32.LoadCPLModule to load the icon for the shortcut, which in turn calls the
LoadLibraryA API, which runs the entry point of ~WTR4141.tmp.
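The header of Table 2 and the Shell Item ID List described above, parsed by an added Python example (not Stuxnet's code and not a Windows API). It reads the 76-byte header, walks the item list to the terminal item, and reports a shortcut whose Control Panel item points at a non-.cpl module on a removable STORAGE device path, which is the shape of the CVE-2010-2568 trigger. The sample shortcuts are constructed inline; the Control Panel CLSID is the real one, but the item payload layout is a simplification and the function names are ours.

```python
"""
Added example (not Stuxnet's code): a parser for the two parts of a .LNK file
that the malformed Stuxnet shortcuts contain, the 76-byte header of Table 2
and the Shell Item ID List, plus a check that reports a Control Panel
shortcut whose item list points at a non-.cpl module on a removable
STORAGE device path. Sample shortcuts are constructed inline; the Control
Panel CLSID used for the sample item list is the real one, but the item
layout is a simplification of what Windows writes.
"""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
STORAGE_PATH = re.compile(r"\\\\\.\\STORAGE#[^\x00]+")


def parse_lnk(data):
    """Parse the header and (if present) the item ID list of a .LNK file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("shortcut too short")
    (hdr_size,) = struct.unpack_from("<I", data, 0)
    if hdr_size != LNK_HEADER_SIZE:
        raise ValueError("bad header size 0x%X" % hdr_size)
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("bad link CLSID")
    flags, attrs = struct.unpack_from("<II", data, 20)
    file_size, icon_index, show_cmd = struct.unpack_from("<III", data, 52)
    items = []
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (list_size,) = struct.unpack_from("<H", data, off)
        off += 2
        end = off + list_size
        if end > len(data):
            raise ValueError("item ID list runs past end of file")
        while off + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, off)
            if item_size == 0:          # terminal ID
                break
            if item_size < 2 or off + item_size > end:
                raise ValueError("malformed item at offset %d" % off)
            items.append(data[off + 2:off + item_size])
            off += item_size
    return {"flags": flags, "attributes": attrs, "file_size": file_size,
            "icon_index": icon_index, "show_cmd": show_cmd, "items": items}


def check_lnk(data):
    """Return findings describing why this shortcut looks like a CVE-2010-2568 trigger."""
    lnk = parse_lnk(data)
    out = []
    in_control_panel = any(CONTROL_PANEL_CLSID.bytes_le in item for item in lnk["items"])
    for item in lnk["items"]:
        text = item.decode("utf-16-le", "ignore")
        for match in STORAGE_PATH.finditer(text):
            path = match.group(0)
            target = path.rsplit("\\", 1)[-1]
            if not target.lower().endswith(".cpl"):
                out.append("item points at non-.cpl module on removable media: %s" % path)
    if out and in_control_panel:
        out.append("Control Panel item list: the Shell would LoadLibrary the target to fetch its icon")
    if lnk["flags"] == HAS_LINK_TARGET_ID_LIST and lnk["file_size"] == 0 and out:
        out.append("shortcut carries only an item ID list and no file information")
    return out


def build_lnk(items):
    """Construct a .LNK with the header of Table 2 and the given item payloads (test data)."""
    hdr = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    hdr += struct.pack("<II", HAS_LINK_TARGET_ID_LIST, 0)   # flags, attributes
    hdr += b"\0" * 24                                         # three FILETIMEs
    hdr += struct.pack("<III", 0, 0, 1)                       # size, icon index, SW_SHOWNORMAL
    hdr += struct.pack("<HH", 0, 0) + b"\0" * 8               # hot key, reserved
    body = b"".join(struct.pack("<H", len(item) + 2) + item for item in items)
    body += b"\0\0"                                           # terminal ID
    return hdr + struct.pack("<H", len(body)) + body


def cpl_item(path):
    """Constructed Control Panel item carrying a UTF-16LE module path."""
    return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"


# Path taken from the Stuxnet shortcut for Windows XP / 2003 / 2000 (Table 3).
STUXNET_PATH = "\\\\.\\STORAGE#RemovableMedia#8&1c5235dc&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\~WTR4141.tmp"
CONTROL_PANEL_ITEM = b"\x1f" + CONTROL_PANEL_CLSID.bytes_le

SAMPLE_STUXNET = build_lnk([CONTROL_PANEL_ITEM, cpl_item(STUXNET_PATH)])
SAMPLE_BENIGN = build_lnk([CONTROL_PANEL_ITEM, cpl_item("C:\\WINDOWS\\system32\\datetime.cpl")])

if __name__ == "__main__":
    print("stuxnet-style:", check_lnk(SAMPLE_STUXNET))
    print("benign:", check_lnk(SAMPLE_BENIGN))
```

The parser refuses to walk past the declared list size or the end of the file, so a shortcut whose ID list is truncated raises instead of being silently accepted; that matters for a scanner that will see attacker-controlled files.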
6.1.4 Spreading using the local area network
Stuxnet spreads over the network using one of two vulnerabilities: CVE-2008-4250 (MS08-067),
the Windows Server Service NetPathCanonicalize() vulnerability, and CVE-2010-2729 (MS10-061), the
Windows Print Spooler Service vulnerability.
The first vulnerability is not a zero-day; it was already known and had been used before by
Conficker. Besides this exploit, Stuxnet also spreads through plain network shares: it looks for C$ and
Admin$ shares on remote systems, copies itself as a file named DEFRAGxxxxx.TMP into the first
writable directory found on the share and then tries to execute the command:
rundll32.exe DEFRAGxxxxx.TMP,DllGetClassObjectEx
The second vulnerability was a zero-day. It was first described by
Carsten Köhler in Hakin9 magazine 04-2009 in an article titled Print Your Shell.
It had not been used in the wild before Stuxnet; it allows a guest user account to connect
to a machine with a shared printer and write a file into its system directory. The Windows printing
APIs allow the caller to choose the output file that the spooled document is written to, and with the
API GetSpoolFileHandle one can obtain a handle to the newly created file on the target machine and
then copy a file there with the ReadFile and WriteFile APIs.
Stuxnet copies 2 files onto the target machine:
Windows\System32\winsta.exe
Windows\System32\wbem\mof\sysnullevnt.mof
The first file is the Stuxnet dropper and the second is a Managed Object Format (MOF) file, which,
under some conditions, is compiled automatically by the WMI service and then executes winsta.exe,
the Stuxnet dropper.
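The host-level indicators from the installation description (the four .PNF files, the mrxnet.sys and mrxcls.sys drivers and the zeroed Windows Defender Real-Time Protection values) and from the spreading description above (the rundll32 DEFRAGxxxxx.TMP,DllGetClassObjectEx command line and the spooler writing winsta.exe and sysnullevnt.mof into system32), turned into a small matcher as an added Python example. This is not Stuxnet's code and not a vendor rule set; the Sysmon-like log format and the sample lines are constructed for the example, and only the file names, registry values and command line come from the text.

```python
"""
Added example (not Stuxnet's code, nor a vendor rule set): a small matcher
that runs the host-level indicators from the installation and spreading
descriptions above over constructed, Sysmon-like log lines. The log format
(EventType | key=value | ...) and the sample lines are invented for this
example; the file names, registry values and command line come from the text.
"""
import re
from collections import Counter

# (rule name, event type, field, case-insensitive regex on that field)
RULES = [
    ("stuxnet-pnf-drop", "FileCreate", "TargetFilename",
     r"\\inf\\(oem7A|oem6C|mdmcpq3|mdmeric3)\.PNF$"),
    ("stuxnet-driver-drop", "FileCreate", "TargetFilename",
     r"\\Drivers\\(mrxnet|mrxcls)\.sys$"),
    ("defender-rtp-prompt-disabled", "RegistrySet", "TargetObject",
     r"\\Windows Defender\\Real-Time Protection\\(EnableUnknownPrompts|EnableKnownGoodPrompts|ServicesAndDriversAgent)$"),
    ("share-spread-rundll32", "ProcessCreate", "CommandLine",
     r"rundll32(\.exe)?\s+DEFRAG\w+\.TMP,DllGetClassObjectEx"),
    ("spooler-drops-into-system32", "FileCreate", "TargetFilename",
     r"\\system32\\(winsta\.exe|wbem\\mof\\sysnullevnt\.mof)$"),
]
COMPILED = [(name, etype, field, re.compile(rx, re.IGNORECASE)) for name, etype, field, rx in RULES]


def parse_line(line):
    """'EventType | k=v | k=v' -> (event_type, {k: v}); None for blank or garbage lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 2 or not parts[0]:
        return None
    fields = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return parts[0], fields


def match_line(line):
    """Return the names of all rules that fire on one log line."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    etype, fields = parsed
    hits = []
    for name, rule_type, field, rx in COMPILED:
        if etype != rule_type or field not in fields:
            continue
        if not rx.search(fields[field]):
            continue
        # The Defender rule only matters when the value is being zeroed.
        if name == "defender-rtp-prompt-disabled" and "0x00000000" not in fields.get("Details", ""):
            continue
        hits.append(name)
    return hits


def scan(log_text):
    """Return (Counter of rule hits, list of (line_no, rule, line)) for a whole log."""
    counts = Counter()
    detail = []
    for no, line in enumerate(log_text.splitlines(), 1):
        for name in match_line(line):
            counts[name] += 1
            detail.append((no, name, line))
    return counts, detail


# Constructed sample log: six lines that reflect the behaviour described in the
# text and two benign lines that must not fire.
SAMPLE_LOG = r"""FileCreate | Image=C:\WINDOWS\system32\lsass.exe | TargetFilename=C:\WINDOWS\inf\oem7A.PNF
FileCreate | Image=C:\WINDOWS\system32\lsass.exe | TargetFilename=C:\WINDOWS\system32\Drivers\mrxnet.sys
RegistrySet | Image=C:\WINDOWS\system32\lsass.exe | TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\EnableUnknownPrompts | Details=DWORD (0x00000000)
ProcessCreate | Image=C:\WINDOWS\system32\rundll32.exe | CommandLine=rundll32.exe DEFRAG19785.TMP,DllGetClassObjectEx
FileCreate | Image=C:\WINDOWS\system32\spoolsv.exe | TargetFilename=C:\WINDOWS\system32\winsta.exe
FileCreate | Image=C:\WINDOWS\system32\spoolsv.exe | TargetFilename=C:\WINDOWS\system32\wbem\mof\sysnullevnt.mof
ProcessCreate | Image=C:\WINDOWS\system32\rundll32.exe | CommandLine=rundll32.exe shell32.dll,Control_RunDLL timedate.cpl
RegistrySet | Image=C:\Program Files\Windows Defender\MSASCui.exe | TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\EnableUnknownPrompts | Details=DWORD (0x00000001)
"""

if __name__ == "__main__":
    counts, detail = scan(SAMPLE_LOG)
    for no, name, line in detail:
        print("line %d: %s" % (no, name))
    print(dict(counts))
```

The file-name rules are the weakest, since they match one sample's artifacts and nothing else; the spooler rule and the Defender rule describe behaviour (the print spooler creating executables under system32, real-time protection prompts being zeroed) and keep their value after the indicators change.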

7. Protection of transportation networks
Intelligent transport systems and intelligent cars are increasingly becoming a
reality around us. And since we rely more and more on technology to make our daily tasks easier,
we tend to forget about the security of these kinds of systems.
The protection of transportation networks, and the attacks that can be carried out against a car, is a
new and emerging field of research that more and more scientists are joining every day. This is
important because, as we have seen so far, securing critical infrastructures requires combining many of
the technologies that exist for regular computers or networks.
We can take a brief introduction to this topic from Zhang and Levinson's paper,
Investing for reliability and security in transportation networks [30]. They consider that
transportation networks support various vital human activities, and their performance affects the
efficiency of virtually all economic transactions. The design of an effective transportation network has
thus become an important task for planners. Traditionally, the desirability of a transportation network
is assessed by its efficiency under prevailing conditions, for example, the total travel cost of moving a
subject from an origin to a destination. More recently, several measures of transportation network
reliability have explicitly considered the probabilistic nature of network performance. The uncertainty
may be created by one or more of the following sources: demand fluctuation, random link failures
because of congestion or accidents, natural disasters, or targeted attacks. Decision makers need to
consider the potential trade-off between network efficiency and reliability when they forge policies
that could shape future transportation networks.
Checkoway et al. present in their paper entitled Comprehensive experimental
analyses of automotive attack surfaces [17] how a modern car is built, what electronics it has
and, most importantly, how someone can hack into it. According to them, a modern automobile is
controlled by tens of distinct computers physically interconnected with each other via internal (wired)
buses and thus exposed to one another. A non-trivial number of these components are also externally
accessible via a variety of I/O interfaces. Previous research showed that an adversary can seriously
impact the safety of a vehicle if he is capable of sending packets on the car's internal wired network,
and numerous other papers have discussed potential security risks with future wired and wireless
automobiles.
Current automotive systems can be considered a network of embedded systems, such as
Electronic Control Units (ECUs) and sensors, which are connected to each other via different bus
systems and thus exhibit considerable complexity. Moreover, in recent years automotive
systems have become more and more software-intensive, because more and more of a car's
functionality is implemented in software.
Of course we must not neglect the software modules existing in these embedded systems. In
this direction we must agree with Schulze et al. in their work IT security in automotive software
development [18], who say that in order to develop software in an efficient way and to overcome the
still increasing complexity, techniques and concepts from the field of software engineering
(SE) and requirements engineering (RE) have been proposed and applied to the development process.
Although the software should contribute, amongst other things, to the reliability of the system, one
aspect has been neglected so far in the development process: holistic concepts for IT security. Successful
attacks on an automotive IT system can have negative implications for the safety of its human users or
for the reliability of the system itself. However, today it is common that the mostly generated code is
retrofitted at the end of the development process in order to satisfy security concerns. This, in turn,
counteracts the effort of reducing complexity by using modern concepts of SE and RE. Furthermore,
this process is prone to simply ignore serious vulnerabilities and thus allows security leaks to
remain in the system.
This is the main reason why we must not concentrate only on hardware, and must pay
more attention to the particular software engineering problems that appear when developing for cars.
As Schulze continues, along with the mentioned fundamental changes within automotive systems,
IT security becomes an important issue. By definition, IT security means reliability in terms of
preserving the security aspects of information, namely integrity, availability, authenticity,
non-repudiability, confidentiality and privacy. Because of their networked character, automotive systems
exhibit vulnerabilities to malicious attacks, which, in turn, can violate one or more aspects of IT
security. The access for the execution of an attack on the system can take place in multiple forms, from
outside or inside the car. Regardless of how access is achieved by the user, the basic attack principle
is always the same: it aims at influencing a certain behavior or state of the automotive system. Since
this is done by manipulating the respective functionality (e.g., by introducing malicious code or
communication, or by manipulating data), it directly addresses the software responsible for this
functionality. Subsequently, it is reasonable to ensure the IT security of the respective software in
order to increase the security of the overall system.
7.1 Car viruses
In recent years there has been a lot of debate regarding the concept of car viruses. The reason is
that, as we can see in [19] and [20], in the past car viruses were rare because one of the only
ways to infect a vehicle was via a mechanic and the computer or software he used to diagnose
problems with the car.
A good definition of this concept can be extracted from [21]. That article introduces
the idea of car viruses and what they require. As the authors state, modern cars are full of
computers and seem more the realm of an IT expert than a regular car mechanic. And it certainly
is true that modern vehicles have plenty of computers, although they're not exactly like PCs. "Cars
have much simpler processors than a home computer and are designed to do simple, dedicated
tasks," says Cameron Camp, a researcher at ESET, a technology security company.
Indeed, most cars today have numerous embedded systems, which are small computers
controlling very specific aspects of the car's functioning, such as air bag deployment, cruise control,
anti-lock braking systems and power seating. While these embedded systems share the same
architecture as a PC (they utilize hardware, software, memory and a processor), they are more akin
to a smartphone in sophistication than a laptop. Automotive computers have been more or less
immune to hackers and viruses because, unlike PCs, there have been few ways for outside computers
or people to connect with vehicle computers.
In general, introducing a virus required physical control of the car. "In the past this would
have been difficult as the only way to access a car's computer was through the use of a
manufacturer's diagnostic or reprogramming equipment," says Robert Hills, senior education
program manager at the Universal Technical Institute USA, which specializes in technical education
and training for the automotive industry. In other words, it would require a mechanic introducing a
virus through the computer or software used to diagnose a problem with the car.
According to Aryeh Goretsky, another researcher at ESET, it is also expensive to develop
viruses for many cars because of the lack of hardware, software and protocol standardization,
which in turn makes it difficult for an attacker to target more than a few models of
automobile at a time.
But vulnerability to hacking and viruses grows as car computers become more connected to
the outside world. As more and more cars get interfaces to Internet sites such as Pandora
and even Facebook, cars gain two-way communication and are therefore by definition more
vulnerable. With more entertainment and communication devices, including MP3 and iPod adapters
and USB ports, come more channels through which viruses can potentially enter a car.
The advent of communication and entertainment devices is not yet a big problem. As long as
the multimedia interface is separated from the car's control computers, the worst that could happen is
a malfunction of the multimedia equipment. However, as soon as these two components are
connected, the door is wide open and it is only a matter of time before a smart hacker finds a way to
cross over, and then we will have a problem.
Not surprisingly, automakers are said to be working on ways to prevent hackers from
introducing viruses into cars and otherwise making mischief, although details of their efforts are not
readily available. Still, opinions are mixed about how much of a concern this really is for future
drivers.

7.2. Protecting the transportation network from other types of software attacks. Solutions
Schulze et al. also present in [18] the connection between automotive systems and software.
As already stated, automotive systems rely more and more on software to fulfill certain
functionalities. Furthermore, the complexity of such systems steadily increases, while reliability
has to be ensured. Altogether, this is a challenging task to be managed during the software
development process of such systems. Hence, different approaches to software development have found
their way into the systems engineering domain in order to overcome these challenges. For instance,
software product lines (SPL), a special concept of software engineering, are used to manage
commonalities and variability of automotive software. Another common practice is model-based
development (MBD) of software for automotive systems, where functionality is described by models
and the code is afterwards generated automatically from these models. Finally, requirements
engineering gains more and more importance within automotive systems, since a good requirements
analysis is indispensable for all other stages of the development process.
However, since all the mentioned techniques and concepts address the complexity of the system,
they often omit one issue which is important for reliability: IT security. Although IT
security could be integrated into these concepts, it is either considered sparingly or ignored
altogether. This, in turn, not only endangers the reliability of the system but also counteracts the effort
invested in decreasing the complexity.

Also, as we can see in [17], past work has illuminated specific classes of threats to automotive
systems, such as the technical security properties of their internal networks; we believe that it is
critical for future work to place specific threats and defenses in the context of the entire automotive
platform. Technical capabilities describe the assumptions concerning what the adversary knows
about its target vehicles as well as her ability to analyze these systems to develop malicious inputs for
various I/O channels. For example, we assume that the adversary has access to an instance of the
automobile model being targeted and has the technical skill to reverse engineer the appropriate
subsystems and protocols, or is able to purchase such information from a third party. Moreover, we
assume she is able to obtain the appropriate hardware or medium to transmit messages whose
encoding is appropriate for any given channel. When encountering cryptographic controls, we also
assume that the adversary is computationally bounded and cannot efficiently brute force large shared
secrets, such as large symmetric encryption keys. In general, we assume that the attacker only has
access to information that can be directly gleaned from examining the systems of a vehicle similar to
the one being targeted. By contrast, operational capabilities characterize the adversary's
requirements in delivering a malicious input to a particular access vector in the field. In considering
the full range of I/O capabilities present in a modern vehicle, we identify the qualitative differences in
the challenges required to access each channel. These in turn can be roughly classified into three
categories: indirect physical access, short-range wireless access, and long-range wireless access.
The following four subchapters also present some interesting parts of Checkoway et al.'s
research [17] regarding the vulnerabilities surrounding a car, along with the means of gaining
physical or wireless access to it.
7.2.1. Indirect physical access
Modern automobiles provide several physical interfaces that either directly or indirectly
access the car's internal networks. We consider the full physical attack surface here, under the
constraint that the adversary may not directly access these physical interfaces herself but must
instead work through some intermediary.
A. OBD-II. The most significant automotive interface is the OBD-II port, federally mandated
in the U.S., which typically provides direct access to the automobile's key CAN buses and can provide
sufficient access to compromise the full range of automotive systems. While our threat model forbids
the adversary from direct access herself, we note that the OBD-II port is commonly accessed by
service personnel during routine maintenance for both diagnostics and ECU programming.
Historically this access is achieved using dedicated handheld scan tools such as Ford's NGS,
Nissan's Consult II and Toyota's Diagnostic Tester, which are themselves programmed via Windows-
based personal computers. For modern vehicles, most manufacturers have adopted an approach that
is PC-centric. Under this model, a laptop computer interfaces with a PassThru device (typically
directly via USB or WiFi) that in turn is plugged into the car's OBD-II port. Software on the laptop
computer can then interrogate or program the car's ECUs via this device (typically using the
standard SAE J2534 API). Examples of such tools include Toyota's TIS, Ford's VCM, Nissan's
Consult 3 and Honda's HDS, among others.
In both situations Windows-based computers directly or indirectly control the data to be sent
to the automobile. Thus, if an adversary were able to compromise such systems at the dealership she
could amplify this access to attack any cars under service. Such laptop computers are typically
Internet-connected, so traditional means of personal computer compromise could be employed.
Further afield, electric vehicles may also communicate with external chargers via the charging cable.
An adversary able to compromise the external charging infrastructure may thus be able to leverage
that access to subsequently attack any connected automobile.
B. Entertainment: Disc, USB and iPod. The other important classes of physical interfaces are
focused on entertainment systems. Virtually all automobiles shipped today provide a CD player able
to interpret a wide variety of audio formats like raw Red Book audio, MP3, WMA, and so on.
Similarly, vehicle manufacturers also provide some kind of external digital multimedia port, typically either a USB port or an iPod/iPhone docking port, for allowing users to control their car's media system using their personal audio player or phone. Some manufacturers have widened this interface further; BMW and Mini recently announced their support for iPod Out, a scheme whereby Apple media devices will be able to control the display on the car's console.
Consequently, an adversary might deliver malicious input by encoding it onto a CD or as a song file and using social engineering to convince the user to play it. Alternatively, she might compromise the user's phone or iPod out of band and install software onto it that attacks the car's media system when connected.
Taking over a CD player alone is a limited threat; but, for a variety of reasons, automotive media systems are not standalone devices. Indeed, many such systems are now CAN bus interconnected, either to directly interface with other automotive systems, for example to support chimes, certain hands-free features, or to display messages on the console, or simply to support a common maintenance path for updating all ECU firmware. Thus, counterintuitively, a compromised CD player can offer an effective vector for attacking other automotive components.
7.2.2. Short-range wireless access
Indirect physical access has a range of drawbacks including its operational complexity,
challenges in precise targeting, and the inability to control the time of compromise. Here we weaken
the operational requirements on the attacker and consider the attack surface for automotive wireless
interfaces that operate over short ranges. These include Bluetooth, Remote Keyless Entry, RFIDs,
Tire Pressure Monitoring Systems, WiFi, and Dedicated Short-Range Communications. For this
portion of the attack surface we assume that the adversary is able to place a wireless transmitter in proximity to the car's receiver, between 5 and 300 meters depending on the channel.
A. Bluetooth. Bluetooth has become the de facto standard for supporting hands-free calling in
automobiles and is standard in mainstream vehicles sold by all major automobile manufacturers.
While the lowest level of the Bluetooth protocol is typically implemented in hardware, the
management and services component of the Bluetooth stack is often implemented in software. In
normal usage, the Class 2 devices used in automotive implementations have a range of 10 meters, but
others have demonstrated that this range can be extended through amplifiers and directional
antennas.
B. Remote Keyless Entry. Today, all but entry-level automobiles shipped in the U.S. use RF-
based remote keyless entry (RKE) systems to remotely open doors, activate alarms, flash lights and, in
some cases, start the ignition, all typically using digital signals encoded over 315 MHz in the U.S. and
433 MHz in Europe.
C. Emerging short-range channels. A number of manufacturers have started to discuss
providing 802.11 WiFi access in their automobiles, typically to provide hotspot Internet access via
bridging to a cellular 3G data link. In particular, Ford offers this capability in the 2012 Ford Focus.
Several 2011 models also provided WiFi receivers, but they were used primarily for assembly line
programming. Finally, while not currently deployed, an emerging wireless channel is defined in the Dedicated Short-Range Communications (DSRC) standard, which is being incorporated into proposed standards for Cooperative Collision Warning/Avoidance and Cooperative Cruise Control. Representative programs in the U.S. include the Department of Transportation's Cooperative Intersection Collision Avoidance Systems (CICAS-V) and the Vehicle Safety Communications Consortium's VSC-A project. In such systems, forward vehicles communicate digitally to trailing cars to inform them of sudden changes in acceleration to support improved collision avoidance and harm reduction.
7.2.3. Long-range wireless
Finally, automobiles increasingly include long distance (greater than 1 km) digital access
channels as well. These tend to fall into two categories: broadcast channels and addressable
channels.
A. Broadcast channels. Broadcast channels are channels that are not specifically directed
towards a given automobile but can be tuned into by receivers on demand. In addition to being part of
the external attack surface, long-range broadcast mediums can be appealing as control channels,
because they are difficult to attribute, can command multiple receivers at once, and do not require
attackers to obtain precise addressing for their victims.
The modern automobile includes a plethora of broadcast receivers for long-range signals: Global Positioning System (GPS), Satellite Radio like SiriusXM receivers common to late-model vehicles from Honda/Acura, GM, Toyota, Saab, Ford, Kia, BMW and Audi, Digital Radio including the U.S. HD Radio system, standard on 2011 Ford and Volvo models, and Europe's DAB offered in Ford, Audi, Mercedes, Volvo and Toyota among others, and the Radio Data System (RDS) and Traffic Message Channel (TMC) signals transmitted as digital subcarriers on existing FM bands.
The range of such signals depends on transmitter power, modulation, terrain, and
interference. As an example, a 5W RDS transmitter can be expected to deliver its 1.2 kbps signal
reliably over distances up to 10 km. In general, these channels are implemented in an automobiles
media system which, as mentioned previously, frequently provides access via internal automotive
networks to other key automotive ECUs.
B. Addressable channels. Perhaps the most important part of the long-range wireless attack surface is that exposed by the remote telematics systems, like Ford's Sync, GM's OnStar, Toyota's SafetyConnect, Lexus' Enform, BMW's BMW Assist, and Mercedes-Benz's Mbrace, that provide
continuous connectivity via cellular voice and data networks. These systems provide a broad range of
features supporting safety (crash reporting), diagnostics (early alert of mechanical issues), anti-theft
(remote track and disable), and convenience (hands-free data access such as driving directions or
weather).
These cellular channels offer many advantages for attackers. They can be accessed over
arbitrary distance (due to the wide coverage of cellular data infrastructure) in a largely anonymous
fashion, typically have relatively high bandwidth, are two-way channels (supporting interactive
control and data exfiltration), and are individually addressable.
7.2.4. Vulnerability analysis
The vulnerability analysis in [17] focuses on a moderately priced late-model sedan with the standard options and components. Between 100,000 and 200,000 units of this model were produced in the year of manufacture. The car includes fewer than 30 ECUs, comprising both critical drivetrain components and less critical components such as windshield wipers, door locks and entertainment functions. These ECUs are interconnected via multiple CAN buses, bridged where necessary. The car exposes a number of external vectors including the OBD-II port, media player, Bluetooth, wireless TPMS sensors, keyless entry, satellite radio, RDS, and a telematics unit. The last provides voice and data access via cellular networks, connects to all CAN buses, and has access to Bluetooth, GPS and independent hands-free audio functionality via an embedded microphone in the passenger cabin. We also obtained the manufacturer's standard PassThru device used by dealerships and service stations for ECU diagnosis and reprogramming, as well as the associated programming software.
Most vehicles implement multiple buses, each of which hosts a subset of the ECUs. However, for functionality reasons these buses must be interconnected to support the complex coupling between pairs of ECUs, and thus a small number of ECUs are physically connected to multiple buses and act as logical bridges. Consequently, by modifying the bridge ECUs, either via a vulnerability or simply by re-flashing them over the CAN bus as they are designed to be, an attacker can amplify an attack on one bus to gain access to components on another. The result is that compromising any ECU with access to some CAN bus on the vehicle is sufficient to compromise the entire vehicle.
Having the firmware in hand, an attacker can perform three basic types of analysis: raw code analysis, in situ observation, and interactive debugging with controlled inputs on the bench. In the first case, the microprocessor can be identified; the different components in a car use System on Chip (SoC) variants of the PowerPC, ARM, Super-H and other architectures. In situ observation with logging enabled leads the attacker to an understanding of the normal operation of the ECU. Finally, ECUs can be removed from the car and placed into a test harness on the bench, from which all inputs can be carefully controlled and all outputs monitored. In this environment, interactive debuggers can be used to examine memory and single-step through vulnerable code under repeatable conditions.

8. Tools and scenarios that help investigating intelligent transport systems incidents
Attacks on intelligent transport systems can be handled using tools and methods common to the field of classic computer networks and regular computing systems. As stated in the first section, it is common in this field to use scenarios. These scenarios represent the main way in which people involved in incident response can be trained. Often these scenarios are presented to non-specialists in a masked form. This means that an expert handling a modern transport system can use, for incident handling and response, the same tools as an expert in computer networks.
In this part we will present some of these tools, along with their capabilities. Also, in order to
be more relevant to the reader, we present these tools in action, applied to the Cyber MITRE
international challenge mentioned before.

8.1. Tools
In general, the tools used in incident response are designed as general applications, which can have multiple other uses. We are going to briefly talk about three main representative categories: stand-alone tools, statistical tools and security oriented distributions.
8.1.1. Stand-alone tools
Stand-alone tools are tools that can be used independently on top of an operating system. Representative of this category is CrypTool. This is a software package dedicated to cryptographic simulation, analysis and cracking, which has a graphical user interface.
CrypTool has been developed in cooperation with prestigious universities and thus has become excellent educational software and also a tool for learning cryptology. CrypTool covers both branches of cryptology: cryptography and cryptanalysis. Thus, the product implements facilities of each field, such as classic cryptography (Caesar and Vigenère ciphers, mono-alphabetic substitution, etc.), symmetric cryptography (IDEA, RC2, AES, etc.), asymmetric cryptography (RSA and elliptic curves, etc.), hash functions (MD2, MD5, SHA-1, etc.), ciphertext attacks, plaintext attacks, adaptive attacks and side channel attacks.
8.1.2. Statistical tools
In order to test the degree of randomness of the input or output of such transportation systems, we need a set of different tools, tests and theoretical models, that is, statistical tools. Using this kind of tools we can test for true randomness of functions that are part of the software implementation of these systems. Good examples in this direction are:

- A Statistical Test Suite for Random and Pseudorandom Number Generators for
Cryptographic Applications [22] is a publication of sixteen statistical tests. The
authors also provide an implementation of them.
- The Art of Computer Programming, Seminumerical algorithms, Volume 2, by
Donald Knuth [23] contains the theoretical description for some of these tools, that
are based on permutations, birthday spacing, serial correlations, etc.
- The Crypt-XS suite developed by the researchers from Queensland University of
Technology, Australia. This suite contains the implementation for some tools
described by Knuth, along with other custom ones for binary derivative, sequence and
linear complexity measurement, etc.
- The DIEHARD suite [24] developed by George Marsaglia adds to the tools
mentioned before, tests such as random spheres, overlapping sums, etc.

8.1.3. Security oriented distributions
Penetration testing [25] and security auditing are now part of every system administrator's "other duties as assigned". In this direction, BackTrack Linux (BTL) [26] comes to help. BTL is a custom distribution built on top of Debian Linux, designed for security testing for all skill levels from novice to expert. It is the largest collection of wireless hacking, server exploiting, web application assessing and social-engineering tools available in a single Linux distribution.
It is a fine example of a specialized Linux distribution because its only purpose is to test networks, devices and systems for security vulnerabilities. BTL contains every security and hacking tool used by security professionals and professional hackers. It contains mostly command line tools, but it does contain a few graphical tools, such as zenmap and wireshark.
BTL contains more than 300 security tools and utilities that are all open source, grouped in
major categories like: information gathering, vulnerability assessment, exploitation tools, privilege
escalation, maintaining access, reverse engineering, RFID tools, stress testing, forensics, reporting
tools, services.

8.2. Practical scenarios
Of course, to use such tools, the incident response experts must know how to use them, and especially which tool fits a given context best. To bridge this gap, different sets of tests have been created. Next we will present five of the most important and most used ones, which also have a great impact on today's intelligent transport systems: finding what kind of encryption is used over a system; identifying what data is leaked from or into our system's computer network; identifying and intercepting possibly live transmissions between an infected host in our network and its malicious command and control servers over the Internet; identifying and recognizing fake or mangled signature keys for public certificate access; and finally, in the case of large transport system deployments with many nodes and a lot of intermediary wireless communication, identifying the weakest points that can be used by an attacker to gain unauthorized access to the system.

8.2.1. Identification of encryption systems
In this scenario the investigator finds a suspect file on the system or computer. This file contains data encrypted with a classical encryption system. We need to recognize the encryption system, decrypt the data and find the password hidden in the encrypted file. The investigator will need this password in solving the second task.
To solve this scenario we will use CrypTool. If we take a look at the encrypted file we see that it contains only the 26 characters A to Z. If we compute statistics on these letters we see that the characters A-Z appear random. Thus, we can think that a classic encryption such as a substitution cipher (Playfair, Caesar, Vigenère, etc.) was used. Using a ciphertext-only attack on a Vigenère cipher we find the encryption password SQUARE. If we take a look at the end of the decrypted file we find the text THEPASSWORDFORTOMMOROWISSTRONGPASSWORDSAREGOOD. Thus, we conclude that the password we are looking for is: STRONGPASSWORDSAREGOOD.
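The identification step above (flat letter statistics, then a ciphertext-only attack on a Vigenère cipher) as an added Python example that is not part of the original paper: the sample plaintext is constructed for the demonstration, only its final sentence and the key SQUARE come from the scenario, and the attack recovers the key with the index of coincidence (key length) and a chi-squared fit to English letter frequencies (one Caesar shift per column).

```python
"""Identify and break a Vigenere cipher with a ciphertext-only attack.

Added example for the scenario above. The sample plaintext is constructed
for this demonstration; only its last line and the key SQUARE are from it.
"""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Relative frequencies (percent) of A..Z in English, used for the chi-squared fit.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

PLAINTEXT_SAMPLE = (  # constructed English text; the final line is the scenario's
    "THE INVESTIGATOR FOUND A SUSPECT FILE ON THE WORKSTATION OF THE TRANSPORT OPERATOR "
    "THE FILE CONTAINED ONLY CAPITAL LETTERS AND NO SPACES OR DIGITS WHICH IS A STRONG HINT "
    "THAT A CLASSICAL CIPHER WAS USED TO HIDE ITS CONTENT A QUICK COUNT OF THE LETTERS SHOWED "
    "THAT THEIR FREQUENCIES WERE FLATTER THAN THOSE OF NORMAL ENGLISH TEXT SO A SIMPLE "
    "SUBSTITUTION COULD BE RULED OUT AND A POLYALPHABETIC CIPHER BECAME THE LIKELY CANDIDATE "
    "THE INDEX OF COINCIDENCE OF EVERY SIXTH LETTER WAS CLOSE TO THAT OF ENGLISH WHICH "
    "REVEALED THE LENGTH OF THE KEY AFTER THAT EACH COLUMN WAS TREATED AS A SEPARATE CAESAR "
    "CIPHER AND THE SHIFT WITH THE BEST MATCH TO ENGLISH LETTER FREQUENCIES WAS CHOSEN THE "
    "RECOVERED KEY DECRYPTED THE WHOLE FILE AND THE ANALYST CHECKED THAT THE RESULT WAS "
    "READABLE ENGLISH BEFORE WRITING THE REPORT THE OPERATOR WAS ADVISED THAT CLASSICAL "
    "CIPHERS OFFER NO REAL PROTECTION AND THAT ANY SECRET STORED IN SUCH A FILE MUST BE "
    "CONSIDERED EXPOSED AND CHANGED AT ONCE THE LAST LINE OF THE DECRYPTED FILE READ "
    "THEPASSWORDFORTOMMOROWISSTRONGPASSWORDSAREGOOD"
)


def letters_only(text):
    """Keep only A-Z, like the suspect file that held nothing but letters."""
    return "".join(ch for ch in text.upper() if "A" <= ch <= "Z")


def vigenere(text, key, decrypt=False):
    """Shift every letter by the matching key letter (subtract when decrypting)."""
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def index_of_coincidence(text):
    """Chance that two letters drawn from text match (~0.066 English, ~0.038 flat)."""
    n = len(text)
    if n < 2:
        return 0.0
    counts = Counter(text)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def guess_key_length(cipher, max_len=10):
    """Period whose columns look most monoalphabetic (highest average IC).
    Multiples of the true period score about as well, so keep max_len modest."""
    best_len, best_ic = 1, 0.0
    for length in range(1, max_len + 1):
        cols = [cipher[i::length] for i in range(length)]
        avg = sum(index_of_coincidence(c) for c in cols) / length
        if avg > best_ic:
            best_len, best_ic = length, avg
    return best_len


def best_shift(column):
    """Caesar shift whose unshifted letters fit English best (minimum chi-squared)."""
    n = len(column)
    counts = Counter(column)
    best = None
    for shift in range(26):
        chi = 0.0
        for i, letter in enumerate(ALPHABET):
            expected = ENGLISH_FREQ[i] * n / 100.0
            observed = counts[ALPHABET[(i + shift) % 26]]  # cipher letter for plaintext i
            chi += (observed - expected) ** 2 / expected
        if best is None or chi < best[0]:
            best = (chi, shift)
    return best[1]


def break_vigenere(cipher):
    """Ciphertext-only attack: find the period, then one Caesar shift per column."""
    length = guess_key_length(cipher)
    key = "".join(ALPHABET[best_shift(cipher[i::length])] for i in range(length))
    return key, vigenere(cipher, key, decrypt=True)


def demo():
    """Encrypt the constructed text with SQUARE, then recover key, text and password."""
    plaintext = letters_only(PLAINTEXT_SAMPLE)
    key, recovered = break_vigenere(vigenere(plaintext, "SQUARE"))
    return key, recovered == plaintext, recovered[-22:]  # 22-letter password at the end


if __name__ == "__main__":
    key, ok, password = demo()
    print("key =", key, "| full plaintext recovered:", ok, "| password =", password)
```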

8.2.2. Identification of hidden data inside other files
Some images have been intercepted over the investigated system's network. One of these images has a size that is huge relative to its format. We need to find the data hidden in the image and decrypt it if necessary.
We start by analyzing the intercepted image. It is in gif format but has a huge size, approx. 13 MB. If we investigate this image with a hex editor like UltraEdit we can see at the end of the file a zip file header (PK). Thus, if we change the extension of the gif file to zip and open it with a supported archiver like WinZip, we find an encrypted archive. After cracking the password, we find three gif files. Opening each file, we can see that one of them has the content: hollenger.dll. Thus, the malicious file name that the attacker is trying to access is hollenger.dll.

8.2.3. Identifying a suspect communication between two computers and revealing the stolen data
By analyzing our system's network we find regular traffic between a node and another host over the Internet. The local administrator gives the investigator a traffic capture between the node and an outside unknown source. The task is to find what information is stolen.
Using the Wireshark application we open the capture file. This tool is used for network traffic analysis or any other general network troubleshooting. Using the Follow TCP Stream option we locate within the capture a file found on the source node and dump it into a file. Opening the dumped file with a hex editor like UltraEdit we see the zip file header (PK); thus we change the extension of the dumped file to zip and open it. This archive contains a file and, after a visual inspection with UltraEdit, we find that it contains the magic header GIF. Thus, if we change the extension of the file to gif and open it with an image viewer, we can see an image which has the content The Root Password is Pengu1nsR0ck.
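The two file-carving steps above (a zip archive appended to a GIF in 8.2.2, and a zip extracted from a capture whose entry is itself a GIF in 8.2.3) as one added Python example that is not part of the original paper. The evidence is constructed in memory, the archive is not password protected (the scenario's one was), and the text drawn in the third picture is replaced by the literal bytes hollenger.dll.

```python
"""Find files hidden behind or inside other files by their magic bytes.

Added example for the two scenarios above. The evidence is constructed in
memory: a minimal GIF with a zip archive appended, whose entries are again
GIF files; unlike the scenario's archive it is not password protected.
"""
import io
import zipfile

# Magic values the scenarios rely on: the PK local-file header of a zip and the GIF signature.
SIGNATURES = {b"PK\x03\x04": "zip", b"GIF87a": "gif", b"GIF89a": "gif"}


def find_signatures(data):
    """Return (offset, kind) for every known magic value anywhere in data, sorted by offset."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = data.find(magic)
        while start >= 0:
            hits.append((start, kind))
            start = data.find(magic, start + 1)
    return sorted(hits)


def carve_archive(data, start=1):
    """Open the first zip whose local header sits at or after start (skips the outer file)."""
    for offset, kind in find_signatures(data):
        if kind == "zip" and offset >= start:
            return offset, zipfile.ZipFile(io.BytesIO(data[offset:]))
    return None, None


def inspect_entries(archive):
    """Map each entry name to the file type its own leading bytes reveal."""
    kinds = {}
    for name in archive.namelist():
        head = archive.read(name)[:8]
        match = [kind for magic, kind in SIGNATURES.items() if head.startswith(magic)]
        kinds[name] = match[0] if match else "unknown"
    return kinds


def build_sample():
    """Constructed evidence: a 14-byte GIF stub followed by a zip of three GIF stubs."""
    gif_part = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"  # header, 1x1, trailer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("1.gif", b"GIF89a" + b"\x00" * 16 + b";")
        archive.writestr("2.gif", b"GIF89a" + b"\x00" * 16 + b";")
        # Stand-in for the text drawn in the third picture of the scenario.
        archive.writestr("3.gif", b"GIF89a" + b"hollenger.dll" + b";")
    return gif_part + buf.getvalue()


def analyse_sample():
    """Run the carving steps on the constructed evidence."""
    data = build_sample()
    offset, archive = carve_archive(data)
    entries = inspect_entries(archive)
    marker_found = b"hollenger.dll" in archive.read("3.gif")
    return offset, entries, marker_found


if __name__ == "__main__":
    print("signatures:", find_signatures(build_sample()))
    print("carved zip at offset %d, entries %s" % analyse_sample()[:2])
```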

8.2.4. Identifying and recovering mangled signature keys
In this scenario we are given two ECDSA (Elliptic Curve Digital Signature Algorithm)
signatures. After a close inspection we find out that something about them looks strange. Using the
known public key and its public parameters we must find a way to recover the private key used to
generate the signatures.
Before presenting how an investigator can resolve the scenario, we will present briefly the concept behind ECDSA. Basically, ECDSA is a variant of the DSA algorithm that uses elliptic curve cryptography in order to be more reliable. The public parameters are the prime number $p$, an elliptic curve $E(\mathbb{F}_p)$, and a point $G \in E(\mathbb{F}_p)$ with $\mathrm{ord}(G) = q$, $q$ a prime number. The public key $V \in E(\mathbb{F}_p)$ is derived from the signing key $1 \le d \le q-1$: $V = dG$. The signature of the hash $h$, computed using the ephemeral key $k \bmod q$, is the pair $(r, s) = (x_{kG} \bmod q,\ (h + dr)k^{-1} \bmod q)$, where $x_{eG}$ is the first component of the point $eG \in E(\mathbb{F}_p)$. To verify the signature $(r, s)$ of the hash $h$ we need to check whether $x_{v_1 G + v_2 V} \bmod q = r$, where $v_1 = h s^{-1} \bmod q$ and $v_2 = r s^{-1} \bmod q$. It is essential that different signatures $(r_1, s_1)$ and $(r_2, s_2)$ use different ephemeral keys $k_1 \ne k_2$. If these two keys are equal, then the signatures of the two hashes look like $(r, s_1)$ and $(r, s_2)$. Thus, we can derive $s_1 - s_2 = k^{-1}(h_1 - h_2) \bmod q$ and find the ephemeral key $k = (h_1 - h_2)(s_1 - s_2)^{-1} \bmod q$. Since $s_1 = k^{-1}(h_1 + dr) \bmod q$, we derive the private key $d = (s_1 k - h_1) r^{-1} \bmod q$.

The investigator receives three files. The first file contains the hashes, in hex encoding, of two messages $h_1$, $h_2$ and their ECDSA signatures $(r_1, s_1)$ and $(r_2, s_2)$ respectively:
h1 = DE37B3145DB7359A0ACC13F0A4AFBD67EB496903
r1 = ACB2C1F5898E7578A8A861BDF1CA39E7EF41EAC0B6AAA49468DD70E2
s1 = BE4FA99C9D261C5F387A3ACE025702F6FB7884DD07CE18CAD48654B8
h2 = 28469B02BF0D2CFC86FF43CB612EE8FC05A5DBAA
r2 = ACB2C1F5898E7578A8A861BDF1CA39E7EF41EAC0B6AAA49468DD70E2
s2 = D3540E2B13E51605F5FEB8C87EE8E176E59213F31EA8B8FFDAD077E2

The second file, parameters.der, contains, in DER encoding, the public parameters of the EC. This file can be interpreted using OpenSSL:
openssl ecparam -inform DER -in /cygdrive/e/parameters.der -outform PEM -out /cygdrive/e/parameters.pem
openssl ecparam -text -in /cygdrive/e/parameters.pem -noout
Field Type: prime-field
Prime:
00:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:fe:ff:ff:e5:6d
A: 0
B: 5 (0x5)
Generator (uncompressed):
04:a1:45:5b:33:4d:f0:99:df:30:fc:28:a1:69:a4:
67:e9:e4:70:75:a9:0f:7e:65:0e:b6:b7:a4:5c:7e:
08:9f:ed:7f:ba:34:42:82:ca:fb:d6:f7:e3:19:f7:
c0:b0:bd:59:e2:ca:4b:db:55:6d:61:a5
Order:
01:00:00:00:00:00:00:00:00:00:00:00:00:00:01:
dc:e8:d2:ec:61:84:ca:f0:a9:71:76:9f:b1:f7
Cofactor: 1 (0x1)

The third file, public.oct, contains the public key $V = (X_V, Y_V)$:
X_V = 85CEEE9C98EFDFDFCF64CB522A773F1435D568173677D1D28FC00643
Y_V = 58A105CC1AB1A53D77B278850776E144197F3FA4E27AA676408DFE22

At this point, because the two signatures share the same first component $r$, we have all the elements to finalize the investigation. The only thing we need to do is to compute the private key using the formula
$d = (s_1 k - h_1) r^{-1} \bmod q$, where $k = (h_1 - h_2)(s_1 - s_2)^{-1} \bmod q$.
We can perform these computations using, for example, MAPLE:
> h1:=convert(DE37B3145DB7359A0ACC13F0A4AFBD67EB496903,decimal,hex);
> h2:=convert(28469B02BF0D2CFC86FF43CB612EE8FC05A5DBAA,decimal,hex);
> r:=convert(ACB2C1F5898E7578A8A861BDF1CA39E7EF41EAC0B6AAA49468DD70E2,decimal,hex);
> s1:=convert(BE4FA99C9D261C5F387A3ACE025702F6FB7884DD07CE18CAD48654B8,decimal,hex);
> s2:=convert(D3540E2B13E51605F5FEB8C87EE8E176E59213F31EA8B8FFDAD077E2,decimal,hex);
> q:=convert(010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7,decimal,hex);
> d:=(-h2*s1+h1*s2)*(r*(s1-s2))^(-1) mod q;
> convert(d,hex,decimal);
After evaluating these commands we find the private key:
d = 8E88B0433C87D1269173487795C81553AD819A1123AE54854B3C0DA7
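The same recovery as an added Python example that is not part of the original paper: it recomputes $k$ and $d$ from the values above and then checks the result on the curve itself (the parameters in the openssl dump are those of secp224k1) by testing $x_{kG} \bmod q = r$ and $dG = V$. The point arithmetic is a minimal textbook affine implementation written for this illustration, not a production library.

```python
"""Recover an ECDSA private key from two signatures that reuse the nonce k.

Added example: the curve parameters are transcribed from the openssl ecparam
dump above (they are those of secp224k1); the affine point arithmetic is a
minimal textbook implementation for illustration, not a production library.
"""

# Curve y^2 = x^3 + A*x + B over F_P; G generates a group of prime order Q.
P = 2**224 - 2**32 - 6803          # equals the dump's prime ff..fe ff ff e5 6d
A, B = 0, 5
G = (0xA1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C,
     0x7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5)
Q = 0x010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7


def inv(x, m):
    """Modular inverse of x modulo the prime m."""
    return pow(x % m, -1, m)


def ec_add(p1, p2):
    """Affine point addition on the curve; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(n, pt):
    """Double-and-add scalar multiplication n*pt."""
    acc = None
    while n:
        if n & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        n >>= 1
    return acc


def sign(d, h, k):
    """Textbook ECDSA: (r, s) = (x_{kG} mod q, k^-1 (h + d r) mod q)."""
    r = ec_mul(k, G)[0] % Q
    s = inv(k, Q) * (h + d * r) % Q
    return r, s


def verify(V, h, r, s):
    """Check x_{v1 G + v2 V} mod q == r with v1 = h s^-1 and v2 = r s^-1."""
    w = inv(s, Q)
    pt = ec_add(ec_mul(h * w % Q, G), ec_mul(r * w % Q, V))
    return pt is not None and pt[0] % Q == r


def recover_private_key(h1, s1, h2, s2, r):
    """Shared nonce: k = (h1 - h2)(s1 - s2)^-1, then d = (s1 k - h1) r^-1 (mod q)."""
    k = (h1 - h2) * inv(s1 - s2, Q) % Q
    d = (s1 * k - h1) * inv(r, Q) % Q
    return d, k


# Values from the scenario above: two signatures with the same first component r.
H1 = 0xDE37B3145DB7359A0ACC13F0A4AFBD67EB496903
S1 = 0xBE4FA99C9D261C5F387A3ACE025702F6FB7884DD07CE18CAD48654B8
H2 = 0x28469B02BF0D2CFC86FF43CB612EE8FC05A5DBAA
S2 = 0xD3540E2B13E51605F5FEB8C87EE8E176E59213F31EA8B8FFDAD077E2
R = 0xACB2C1F5898E7578A8A861BDF1CA39E7EF41EAC0B6AAA49468DD70E2
V = (0x85CEEE9C98EFDFDFCF64CB522A773F1435D568173677D1D28FC00643,
     0x58A105CC1AB1A53D77B278850776E144197F3FA4E27AA676408DFE22)


def recover_scenario_key():
    """Recover d from the scenario data and confirm it reproduces r and V."""
    d, k = recover_private_key(H1, S1, H2, S2, R)
    consistent = ec_mul(k, G)[0] % Q == R and ec_mul(d, G) == V
    return d, consistent


if __name__ == "__main__":
    d, ok = recover_scenario_key()
    print("recovered private key d = %X" % d)
    print("consistent with the published r and V:", ok)
```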

8.2.5. Identification of insecure wireless connection points
In this scenario the investigators are trying to find which wireless access points in public use are unsafe, and they are trying to gain access to a private Wi-Fi network that is secured using the WPA (Wi-Fi Protected Access) protocol. WPA is a security protocol and security certification program developed by the Wi-Fi Alliance. It is known as the IEEE 802.11i standard. More exactly, the Temporal Key Integrity Protocol (TKIP) is used, which involves a dynamic 128-bit key for every packet transmitted. The newest version, WPA2, also includes the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), a new AES-based encryption mode with strong security.
In order to solve this scenario, the investigators will use a series of intercept nodes that have a single goal: to continuously scan all available wireless networks and try to crack their passwords. For this, all the intercept nodes will run two tools called Reaver and Airmon-ng.
Reaver implements a brute force attack against Wi-Fi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. The algorithm behind this tool is described in detail in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf. Currently there is no widespread solution for this, and it affects even big network vendors like Linksys and Cisco.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. On average Reaver will recover the target AP's plaintext WPA/WPA2 passphrase in 4-10 hours, depending on the AP. As mentioned before, this tool takes advantage of a vulnerability existing in WPS. WPS is a feature that exists on many modern routers, and its intention is to provide users with an easy setup process. The problem is that it is tied to a PIN that is hard-coded into the device.
The first step is to set our node into monitor mode using the command airmon-ng start wlan0. After this, we need to find the BSSID of the target node that we want to test. The BSSID is a unique series of letters and numbers that identifies a target router. We find it by using the command airodump-ng wlan0. In the list shown inside the terminal we copy the one for our network. We will assume the following made-up BSSID: 8D:AE:9D:65:1F:B2.
Now, with the BSSID and the monitor interface name in hand, we have everything we need to start Reaver. Inside a terminal we issue the command reaver -i mon0 -b 8D:AE:9D:65:1F:B2 -vv. After this, Reaver will try a series of PINs on the router in a brute force attack, one after another. After cracking is complete we will have the output of the total time needed to crack the password, the router PIN and its password.


9. Practical issues and experiences in different countries
As we have seen until now, the field of critical infrastructure protection, including the most important of them - water, gas, and electricity providers - and especially the area of intelligent transport systems, is very important for a country, mainly for those that have strong industries and a big population. As we can see in national reports such as those from the United Kingdom [27] or Germany [28], [29], these infrastructures represent important assets.
On one side we have the technological requirements and on the other side we have the public opinion in case of cybercrime, such as banking fraud, identity and content theft. A warning signal was triggered with the discovery of the Stuxnet malware, as it revealed the level of progress made by the cybercriminals. We can say for sure that every country in this world must pay attention to all its infrastructures and do something about cyber security.
For a better picture we briefly present the situation existing in three different countries around the world. They have been chosen because they are representative for their power and importance.

9.1 United Kingdom
In the United Kingdom we can find the National Security Strategy (NSS) and the Strategic Defence and Security Review (SDSR) documents that specify the need for critical infrastructure protection. These documents were released in 2010, and we can see how in recent years this problem has become more and more important. This is also supported by the fact that their annual budget for cyber security is around 650 million pounds.
In charge of applying these documents is the Center for Protection of Critical National Infrastructure (CPCNI) and, since their publishing, it has implemented many incident response services for sectors such as energy, economy, health, etc.

9.2 Germany
In Germany we can see a good example of a secure critical infrastructure deployment. They have all their important infrastructures connected through a full mesh network. This means that any failure is covered thoroughly. As examples we can give health, industries, water supplies, IT and food supplies.
This implementation was possible thanks to the mature legal environment existing in this country, which treats security as a vital element. For example, we can analyze their power distribution infrastructures; both public and private companies are obligated by law to have an internal failure and recovery system.
Of course, all these implementations are monitored constantly by different enforcers, such as the Energiewirtschaftsgesetz (the Act on the Supply of Electricity and Gas) and the Bundesnetzagentur (the Federal Network Agency) in the field of smart grids and power distribution. Telecom services also have their own procedures and laws regarding protection from network penetration, unknown call interception and any other form of unauthorized access.

9.3 USA
In the USA, a lot of effort has been put into securing critical infrastructures since the terrorist attacks of 11th September 2001. Since then, no unauthorized access to this kind of infrastructure has been spotted.
In charge of this field is the Department of Homeland Security (DHS). It has the means to coordinate the cyber activity of all these systems, and it can also use the help of the other governmental agencies in case something happens.
The entire plan can be found in the USA Critical Infrastructure Protection Plan, which assigns each agency a specific task. For them, these infrastructures represent a top priority.

10. Conclusions
As we can see from this chapter, the problem of critical infrastructures represents a current and menacing threat, which involves strong knowledge of computer communications techniques, secure programming techniques, algorithm and software implementation analysis, cryptography, steganography, probability and, finally, applied mathematics. The process of achieving a high level of assurance of cyber security must take into account all the above-specified domains.
Fast advances in cybercrime technology and techniques have resulted, since the beginning of 2012, in an unprecedented rise in data breaches. We think that, in planning to ensure that our critical infrastructures and intelligent transport systems are trustworthy and secure, we need to consider the fundamental changes that are occurring in cyberspace and try to adapt to them. In our opinion, looking forward into the future of the more than 3 billion Internet users existing today, we can see four big directions for resolving the cyber security issues: online users' security education, cryptography, online data obfuscation, and cloud services transparency and security.

11. References
1. Hough P.; Understanding Global Security, Routledge, 2009
2. http://www.us-cert.gov/ [accessed on February 28, 2012]
3. http://www.expresscomputeronline.com/index.php/sections/events/796-critical-infrastructure-protecting-the-heartbeat-of-the-nation [accessed on February 28, 2012]
4. Report for Congress (2003); Critical Infrastructures: What makes an Infrastructure Critical?, http://fpc.state.gov/documents/organization/13839.pdf
5. Kramer F. D.; Starr S. H.; Wentz L.; Cyberpower and National Security, Potomac Books Inc, 2009
6. United States General Accounting Office; Cybersecurity for Critical Infrastructure protection, http://www.gao.gov/new.items/d04321.pdf [accessed on February 28, 2012]
7. Massoud Amin S.; Wollenberg B. F.; Toward a Smart Grid, IEEE P&E Magazine, 2005
8. U.S. Infrastructure: Smart Grid, Renewing America, Council on Foreign Relations, 16.
9. http://www.americainfra.com/article/Smart-grid-security/ [accessed on February 28, 2012]
10. http://www.zerodayinitiative.com/ [accessed on February 28, 2012]
11. http://www.crysys.hu/skywiper/skywiper.pdf [accessed on February 28, 2012]
12. http://www.certcc.ir/index.php?name=news&file=article&sid=1894&newlang=eng [accessed on February 28, 2012]
13. https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers [accessed on February 28, 2012]
14. http://www.bbc.co.uk/news/technology-18365844 [accessed on February 28, 2012]
15. http://www.codeproject.com/Articles/246545/Stuxnet-Malware-Analysis-Paper [accessed on February 28, 2012]
16. Zhang L.; Levinson D.; Investing for Reliability and Security in Transportation Networks, 2008
17. Checkoway S.; McCoy D.; Kantor B.; Comprehensive experimental analyses of automotive attack surface, Autosec, 2011
18. Schulze S.; Pukall M.; Hoppe T.; IT security in automotive software development, University of Magdeburg
19. Clayton M.; Scientists hack into car computers - control brakes, engine, The Christian Science Monitor, http://www.csmonitor.com/USA/2010/0813/Scientists-hack-into-cars-computers-control-brakes-engine [accessed on February 28, 2012]
20. Goretsky A.; Researcher at ESET, a technology security company. Personal correspondence, 2011
21. http://auto.howstuffworks.com/car-computer-virus.htm [accessed on February 28, 2012]
22. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, NIST Special Publication 800-22, 2010
23. Knuth D.; The Art of Computer Programming, Vol. 2: Seminumerical Algorithms (3rd ed.), Addison-Wesley, Reading, Massachusetts, 1998
24. Marsaglia G.; DIEHARD Statistical Tests, http://stst.fsu.edu/geo/diehard.html [accessed on February 28, 2012]
25. Engebretson P.; The Basics of Hacking and Penetration Testing, Syngress, 2012
26. http://www.backtrack-linux.org/ [accessed on February 28, 2012]
27. http://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/r0911cyber.pdf [accessed on February 28, 2012]
28. http://www.bmi.bund.de/SharedDocs/Downloads/EN/Broschueren/cip_stategy.pdf?__blob=publicationFile [accessed on February 28, 2012]
29. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Kritis/paper_studie_en_pdf.pdf?__blob=publicationFile [accessed on February 28, 2012]
30. http://www.pcworld.idg.com.au/article/360645/siemens_stuxnet_worm_hit_industrial_systems/ [accessed on February 28, 2012]
31. Hills R.; Senior education program manager at Universal Technical Institute. Personal correspondence, 2011
32. Mills E.; Hacking a car (Q&A), CNET, http://news.cnet.com/8301-27080_3-20005047-245.html [accessed on February 28, 2012]
33. Mollien C.; Information and communication technology strategist at Bazic Blue. Personal correspondence, Sept. 14, 2011
34. Petraglia D.; Director of forensic and information security services at Chartstone Consulting. Personal correspondence, 2011
35. Shaer M.; Disgruntled hacker remotely disables 100 cars, The Christian Science Monitor, http://www.csmonitor.com/Innovation/Horizons/2010/0318/Disgruntled-hacker-remotely-disables-100-cars [accessed on February 28, 2012]
36. http://www.cfr.org/united-states/us-infrastructure-smart-grid-security/p26842 [accessed on February 28, 2012]
37. http://wwwiti.cs.uni-magdeburg.de/~sanschul/papers/GI-WS_regensburg2009.pdf [accessed on February 28, 2012]
38. http://www.autosec.org/pubs/cars-usenixsec2011.pdf [accessed on February 28, 2012]
39. http://nastfenews.org/index.php?option=com_content&view=article&id=107:making-automotive-software-safe&catid=27:features&Itemid=49 [accessed on February 28, 2012]
40. http://www.isticom.it/documenti/news/pub_003_eng.pdf [accessed on February 28, 2012]