growing importance, because the electric power system (SEE) in developed countries is now interconnected with various communication networks. The adoption of information technology brought gains in economy and efficiency that could not otherwise be achieved, but it also opened the possibility of external access to the heart of the SEE: the SCADA system.
It is impossible to build a system that is 100% secure. Novel threats such as Stuxnet, created by teams with state-level resources, in most cases succeed in compromising the target they were designed for. Attacks of this kind are a class apart, against which there is no effective defence, although their consequences can be mitigated by adopting and implementing cyber-security measures. The great majority of attacks on the SEE can, however, be neutralised using the approach described in this dissertation, including the unsophisticated attacks that hit SEEs in the Western world every day and mid-level intrusions by hackers and other entities.
Implementing these measures is not trivial, however, and has to be adapted to the particularities of the system in question. In many situations it will not be possible to update software or replace equipment. The economic cost of adopting some of the measures may prevent their implementation, leaving open an attack vector that may one day be exploited. It falls to the system operator to analyse the risks and determine whether or not strengthening cyber security is justified.
Future work could take several directions, for example risk modelling and the development of prevention strategies based on economic criteria.
Another option is to use tools similar to Shodan to map the number of SCADA devices in Portugal that are reachable from the internet. Properly prepared queries can detect a large number of control-system devices, something this work addressed only superficially, and determine the approximate geographic position of the devices. These results can serve as a tool in support of system security, making it possible to visualise concentrations of equipment that should preferably be closed off from illegitimate access by a firewall.