Leonardo Leoni

Critical infrastructure protection: an open source intelligence approach

Definition and normative framework


To understand how to protect critical infrastructures (from now on CI) and prevent any kind of attack on them, we first have to define their importance and the crucial role they play in every citizen’s daily life.


The European Commission defines CI as an “asset or system which is essential for the maintenance of vital societal functions” and considers the threat to such infrastructure to be its “destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour”. Reducing the vulnerability of CI and increasing their resilience capacity are among the main objectives of the European Union.


The Department of Homeland Security (DHS) in the United States gives a similar definition to delineate and point out the importance of this sector, describing it as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The nation's critical infrastructure provides the essential services that underpin American society”.


Both the EU and the US have undertaken CI protection programs. Examples are the Cybersecurity and Infrastructure Security Agency Act signed by President Trump in 2018, which establishes the Cybersecurity and Infrastructure Security Agency (CISA) that “coordinates security and resilience efforts using trusted partnerships across the private and public sectors, and delivers technical assistance and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide”, and the Critical Infrastructure Protection Directive 2008/114/EC on European critical infrastructures, which establishes a procedure to identify and designate European Critical Infrastructures (ECI) and a common approach to assess the need to improve their protection [1].


The directive unfortunately has a sectoral scope, applicable only to the energy and transport sectors. In the cyber security field the European Commission, considering that networks, information systems and related services play a vital role in society, has issued Directive 2016/1148, which defines, for all the countries of the Union, the measures to guarantee a high common level of security of networks and information systems: this is the so-called NIS directive of 6 July 2016, which constitutes a concrete element within the European strategy to strengthen cyber security.


The directive aims to promote the improvement of the reliability and security of information systems, whose use constitutes, among other things, a driving force of the EU internal market. On May 16th the Italian Council of Ministers approved a Legislative Decree implementing the NIS directive; it was published in the Official Journal on June 9th and has been in force since June 26th. Although the NIS Directive allowed Member States to extend the scope of its provisions to areas other than those listed in the Directive, the Italian government chose not to make use of this possibility. The sectors that fall within the scope of application of the implementing decree are in fact only those expressly provided for by the Directive (energy, transport, banks, financial markets, health, supply and distribution of drinking water and digital infrastructures, as well as search engines, cloud services and e-commerce platforms). It would perhaps have been advisable to extend the scope of application of the decree to at least the entire public administration, given the massive amount of data (even sensitive data) that it deals with and the key role it plays in the economy and security of the country. In any case, public administrations that offer services in the sectors listed above (for example transport, health and drinking water distribution) will still be subject to the NIS legislation if identified as operators of essential services.


The implementing decree requires the adoption of a national cyber-security strategy by the President of the Council of Ministers. The strategy must include, in particular, the preparation, response and recovery of services following computer incidents, the definition of an IT risk assessment plan, and training and awareness programs on IT security. Most of these elements have already been dealt with, in broad terms, in the current national cyber-security strategy, outlined in the 2013 National Strategic Framework for cyber security and further developed by the 2017 National Cyber Security and IT Security Plan. It will, however, be necessary to update this strategy to ensure that all the elements referred to in Article 7 of the Directive are dealt with in a specific and detailed manner, in compliance with Community rules.


Open Source Intelligence


To understand the power and the possibilities that Open Source Intelligence (from now on OSINT) gives us, it is necessary first to define this discipline precisely. As always, we have to look at the main institutions that set the standards in the military field. While most of the public information about OSINT can be considered dated, a general and comprehensive definition from the 2001 NATO OSINT Handbook describes OSINT as “information that has been deliberately discovered, discriminated, distilled, and disseminated to a select audience, generally the commander and their immediate staff, in order to address a specific question. OSINT, in other words, applies the proven process of intelligence to the broad diversity of open sources of information, and creates intelligence.” [2]


For the Central Intelligence Agency, the sources that can be used are the Internet, traditional mass media (e.g. television, radio, newspapers, magazines), specialized journals, conference proceedings, think tank studies, photos and geospatial information (e.g. maps and commercial imagery products). In this paper we will focus our attention mostly on the Internet, taking a deeper look at two of the most famous tools in circulation; given the extent of the Internet and the number of tools and techniques in circulation, it is important to focus on the ones that could cause the greatest harm to CI. Although generally undervalued, open source intelligence can be considered a powerful tool: if the information is well examined, cross-referenced and analyzed, it can give specific answers that are vital for the protection of assets and infrastructures. With the constant growth of cyberspace and the continuous development of Internet-dependent infrastructures, many of them not well secured, it is obvious that a new form of intelligence has to be taken into consideration. Open source intelligence covers a broader spectrum of information and is able, with specific algorithms and tools, to link many sources into a single output.


Critical infrastructure protection with OSINT tools and techniques


Any tenacious attacker has a good chance of infiltrating a CI. Most of the time the hardest part of the attack is the amount of time needed to perform it, not the difficulty or the sophistication of the systems. With the fast development of information technology, an ever-increasing number of appliances are connected to the Internet, becoming a liability for the infrastructure’s security. Digital and physical security conditions have become progressively more complicated, raising the bar of the skills necessary to achieve malicious goals.

While all the main phases of a cyber-attack can be analyzed from a technical point of view, it is one of its very first steps that allows an attacker to perform a stealthier exploit.


The reconnaissance phase can be considered the one in which an attacker studies the target and tries to find all the vulnerabilities that, if exploited, would grant access to the target’s systems. The primary objective of the reconnaissance phase is therefore to map a “real-world” target (a company, corporation, government, or other organization) to a cyberworld target, where “cyberworld target” is defined as a set of reachable and relevant IP addresses [3]. Reaching a proper level of comprehension of the infrastructure means complying with one of the most famous sayings in the history of war, “Know your enemy”, from Sun Tzu's The Art of War.


So, how is it possible to exploit a CI only with the use of open source information and OSINT techniques? Because this discipline relies on open source information, most of the tools used to perform reconnaissance and attacks are free. Even though many commercial entities also offer really interesting monitoring solutions, the concept behind the use of open source intelligence is the availability of the information: the information is available to anyone, even if the software to gather it is sometimes not free.

As said before, there are many tools and techniques available on the market, both customizable ones and proprietary software; among those, one of the most comprehensive and customizable is Maltego.


Maltego is an analysis tool developed by Paterva for forensic use; its main purpose is the collection of publicly available information based on link analysis and data mining. It allows you to generate a detailed map of the relationships between domains, infrastructures, IPs, individuals, social networks and other affiliations with online services, such as telephone numbers and e-mails. One of the many strengths of this software is its graphical interface: data visualization is a powerful tool when hunting for threats and can come in handy when trying to spot patterns or relations that would not emerge using a command-line interface. Maltego integrates two categories of searches, known as Machines and Transforms. Machines refer to a sequence of code that enables targeted data extractions from the public network, commonly referred to as the Internet. Transforms are sequences of code that literally transform one type of entity into other types (Washington Almeida 2017). Among all the functions that Maltego includes, there is a special tool inside the software that could help analysts identify and prevent potential threats to CI: Shodan.


Shodan is the most generic and comprehensive search engine of its kind in circulation; it can be used to find misconfigured routers, unprotected webcams and industrial control systems that still use default passwords. It is basically the Google of the Internet of Things, a fertile ground for hackers and terrorists but, perhaps, also a useful tool for companies that want to make their work environment safe. The idea behind this search engine, defined as "the most dangerous search engine in the world", is to prove that many devices are vulnerable if not properly configured and are publicly accessible via the Internet; the search engine does not violate any security protocol or login, but limits itself to cataloging appliances such as webcams, routers, hard drives, printers or any sort of device reachable by a crawler, simply by obtaining "banners", the basic information that the producer of the device itself provides publicly.


The information available, even if purely for demonstration purposes, can be used by an attacker to enter cataloged systems and extract sensitive data using the default passwords of the indexed devices. Shodan also provides information on the services and the versions of the software installed on the devices it finds; it searches web server, FTP, SSH, Telnet, SNMP and SIP services.


Obviously, it is not easy for a regular user to use the search engine and steal sensitive information, but with the right amount of time and dedication it can be transformed from a simple Internet crawler into a powerful weapon. Using Shodan means that any research conducted to acquire information about a target is completely undetectable, and the usual lines of defense of a company or infrastructure are useless because no attack is performed against them, only reconnaissance against Shodan’s database, which many times is more powerful than the actual attack.

Talking about numbers, a Shodan.io search shows that in Italy alone there are 8,929,5858 appliances connected to the Internet [Fig. 1] and not correctly configured, and this number changes every day because the crawler (scanner) finds other appliances. Among those, searching with the keywords:

[Fig. 1: Shodan.io results for Italy]

· ICS Industrial Control System

· SCADA Supervisory Control and Data Acquisition

· PLC Programmable Logic Controller

· DCS Distributed Control System

· RTU Remote Terminal Unit


These keywords correspond to the main industrial systems that control our lives. There is a large percentage of misconfigured appliances, from industrial plants to supermarkets’ refrigerators, exposing vulnerabilities that could be exploited to cause actual physical damage.


The Shodan Transform is fully integrated in the Maltego software. This means that, starting from a single domain such as “criticalinfrastructure.com”, which could be the external website of the infrastructure, it is first possible to analyze its origin by looking up its IP address; many times the website is hosted on the same servers as the internal systems, giving the attacker the opportunity to map and define the target’s network. From the IP address an attacker could query Maltego for all the DNS records [4]; many times one of the weakest points of access is the email server, which is also shown in the DNS query from Maltego. Then, querying Shodan from Maltego, it is possible to obtain all the information about the IP, such as installed and misconfigured services on the servers, the versions of the appliances in use, and also the vulnerabilities which have not been patched and that could be used to exploit the systems.
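The domain → IP → DNS records → banners chain described above is exactly what a CI operator should run against their own footprint before an attacker does. The following is an added example, not code from the article, from Maltego or from Shodan: it replays that chain offline on constructed DNS records and banners for the article’s example domain (IPs are from the 203.0.113.0/24 documentation range), flags the ICS keywords listed above, the cleartext administrative services (FTP, Telnet) and disclosed software versions, and sorts the findings by severity. The banner dictionary shape is an assumption made for illustration, not the real Shodan API format.

```python
"""Self-assessment of a domain's exposed services, following the
domain -> IP -> DNS records -> banners pipeline from the article.

Added example, not code from the article, Maltego or Shodan. All records
and banners are constructed sample data; the banner dict is a simplified
shape assumed for illustration. Runs fully offline."""
import re
from collections import defaultdict

# Keywords from the article's Shodan search list, used to flag ICS-related banners.
ICS_KEYWORDS = ("ICS", "SCADA", "PLC", "DCS", "RTU")
# Cleartext administrative protocols named in the article.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}
PORT_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
                 161: "snmp", 443: "https", 502: "modbus", 5060: "sip"}
# Product/version strings a banner typically discloses (illustrative subset).
VERSION_RE = re.compile(
    r"\b(Apache|nginx|OpenSSH|Postfix|ProFTPD)[/_ ]?v?(\d+(?:\.\d+)*)", re.I)

# Constructed DNS records (name, type, value) for the article's example domain.
DNS_RECORDS = [
    ("criticalinfrastructure.com", "A", "203.0.113.10"),
    ("criticalinfrastructure.com", "MX", "mail.criticalinfrastructure.com"),
    ("mail.criticalinfrastructure.com", "A", "203.0.113.10"),
    ("scada.criticalinfrastructure.com", "A", "203.0.113.20"),
]

# Constructed banners, as a scanner such as Shodan would catalogue them.
BANNERS = [
    {"ip": "203.0.113.10", "port": 80, "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15\r\n"},
    {"ip": "203.0.113.10", "port": 25, "data": "220 mail.criticalinfrastructure.com ESMTP Postfix"},
    {"ip": "203.0.113.10", "port": 23, "data": "Welcome to PLC-Gateway telnet service\r\nlogin:"},
    {"ip": "203.0.113.20", "port": 502, "data": "Modbus/TCP SCADA RTU unit id 1"},
    {"ip": "203.0.113.20", "port": 22, "data": "SSH-2.0-OpenSSH_7.4"},
]


def hosts_for_domain(domain, records):
    """The 'cyberworld target' of [3]: every IP that an A record in the domain points to."""
    return {value for name, rtype, value in records
            if rtype == "A" and (name == domain or name.endswith("." + domain))}


def shared_hosts(records):
    """Hostnames resolving to the same IP, e.g. a public website co-hosted with the mail server."""
    by_ip = defaultdict(set)
    for name, rtype, value in records:
        if rtype == "A":
            by_ip[value].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def classify_banner(banner):
    """Turn one banner into a finding: service guess, disclosed version, ICS hits, severity."""
    text, port = banner["data"], banner["port"]
    match = VERSION_RE.search(text)
    version = f"{match.group(1)} {match.group(2)}" if match else None
    ics = [kw for kw in ICS_KEYWORDS if re.search(rf"\b{kw}\b", text)]
    reasons = []
    if ics:
        reasons.append("ICS keyword: " + ", ".join(ics))
    if port in CLEARTEXT_PORTS:
        reasons.append(f"cleartext admin service ({CLEARTEXT_PORTS[port]})")
    if version:
        reasons.append(f"software version disclosed ({version})")
    severity = "high" if ics or port in CLEARTEXT_PORTS else "medium" if version else "low"
    return {"ip": banner["ip"], "port": port, "service": PORT_SERVICES.get(port, "unknown"),
            "version": version, "ics_keywords": ics, "severity": severity, "reasons": reasons}


def exposure_report(domain, records, banners):
    """Findings for every banner on the domain's hosts, most severe first."""
    targets = hosts_for_domain(domain, records)
    findings = [classify_banner(b) for b in banners if b["ip"] in targets]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["ip"], f["port"]))


if __name__ == "__main__":
    for ip, names in shared_hosts(DNS_RECORDS).items():
        print(f"{ip} is shared by {', '.join(names)}")
    for f in exposure_report("criticalinfrastructure.com", DNS_RECORDS, BANNERS):
        print(f"[{f['severity']:6}] {f['ip']}:{f['port']} {f['service']:7} {'; '.join(f['reasons'])}")
```

In the constructed data the Telnet banner on the web/mail host and the SCADA banner on the second host come out on top, which is the point of the exercise: the same banner text a crawler catalogues is enough for a defender to triage what must be closed or segmented first, without touching any third-party service.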


The figure below [Fig. 2] illustrates a small portion of the transforms available in Maltego; since the graphical interface is the main strength of this software, it is easy to understand its power and ease of use. It is able to connect IPs, people, email addresses and social networks by crawling the Internet, giving back formidable outputs.



Surely search engines have improved the lives of many people; having so much information in just a few seconds is a point of reflection for anyone. Unfortunately, from an open source intelligence point of view, Google can be a powerful liability to systems, because malicious actors can find and exploit many misconfigurations, thus making private information available in the public domain.


The last technique we will talk about in this paper is the use of Google Dorks.


Dorks are defined as search strings, prepared in a specific and limited way for a definite purpose and composed of different keywords, which are entered into a search engine to obtain certain results. Dorks are mainly used to refine search results, in order to obtain more specific links, but in the case of malicious actors they are used to find vulnerabilities caused by system errors or by systems not properly configured by their administrators.

In the Google case, dorks follow a specific syntax, which is a legitimate one even though it can be used by any attacker. Among the most popular keywords are:

- site: is used to restrict the search to a specific domain. Used together with a domain, it returns approximately all the indexed pages of that domain.

- inurl: and allinurl: these two operators (analogous in their function) are used to restrict the search to all those pages that have one or more keywords in the URL.

- intitle: and allintitle: these two operators (analogous in their function) are used to restrict the search to all those pages that contain the word after the "intitle" dork in the title.

- intext: gives us all the pages that have one or more keywords in the body of the page.

- ext: and filetype: (equivalent in functionality) are very useful for identifying all those online resources that have a particular file extension. More precisely, the recognized extensions are: .pdf (Adobe Portable Document Format), .html or .htm (Hypertext Markup Language), .xlsx (Microsoft Excel), .pptx (Microsoft PowerPoint) and .docx (Microsoft Word).
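The operator syntax above is easy to get subtly wrong (quoted phrases, the greedy "all..." forms, plain text such as a URL that happens to contain a colon), and the natural defensive use of it is to check which of an organization’s own documents are indexed. The following is an added example, not code from the article or from Google: a small parser for dorks built from the operators listed above, the inverse renderer, and a builder that produces one self-audit query per file type the article names for an operator’s own domain. The domain "example.com" and the search phrases are constructed placeholders.

```python
"""Parser and builder for the Google dork syntax described in the article.

Added example, not from the original article. It handles only the operators
the article lists; "example.com" and the phrases used are constructed."""
import shlex

# Operators listed in the article. The "all..." forms consume the rest of the query.
OPERATORS = {"site", "inurl", "allinurl", "intitle", "allintitle", "intext", "ext", "filetype"}
GREEDY = {"allinurl", "allintitle"}
# File types the article names for ext:/filetype:.
DOCUMENT_TYPES = ("pdf", "html", "htm", "xlsx", "pptx", "docx")


def parse_dork(query):
    """Split a dork into (operator, value) pairs; plain search terms get operator None.

    Quoted values ("internal use only") stay one value thanks to shlex. A prefix
    that is not a known operator (e.g. "http:" in a URL) is kept as plain text.
    """
    tokens = shlex.split(query)
    parts = []
    for i, token in enumerate(tokens):
        op, sep, value = token.partition(":")
        if sep and op.lower() in OPERATORS:
            op = op.lower()
            if op in GREEDY:
                # allinurl:/allintitle: apply to every remaining term of the query.
                parts.append((op, " ".join([value] + tokens[i + 1:]).strip()))
                break
            parts.append((op, value))
        else:
            parts.append((None, token))
    return parts


def render_dork(parts):
    """Rebuild a query string from parsed parts, quoting values that contain spaces."""
    out = []
    for op, value in parts:
        needs_quotes = " " in value and op not in GREEDY
        text = f'"{value}"' if needs_quotes else value
        out.append(f"{op}:{text}" if op else text)
    return " ".join(out)


def audit_queries(domain, terms=()):
    """One query per document type: what a defender runs against their own domain
    to list indexed files, optionally narrowed with intext: terms."""
    queries = []
    for ext in DOCUMENT_TYPES:
        parts = [("site", domain), ("filetype", ext)] + [("intext", t) for t in terms]
        queries.append(render_dork(parts))
    return queries


if __name__ == "__main__":
    sample = 'site:example.com filetype:pdf intext:"internal use only" budget'
    print(parse_dork(sample))
    for q in audit_queries("example.com", ["confidential"]):
        print(q)
```

Running the audit queries against one’s own domain and comparing the hits with the list of documents that were meant to be public is the cheapest way to find the misconfigurations the paragraph above warns about before someone else does; the fix is then a matter of access control or de-indexing, not of the query itself.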


Those are only a small part of the dorks available on the Internet, and the combination of two or more of them creates specific and dangerous outputs able to help attackers or terrorists. The ability of cyber criminals to circumvent traditional protection techniques is radically changing the security world. The fact that open source intelligence combined with data mining can examine huge amounts of data, analyze statistics and, with the help of machine learning, generate new algorithms very quickly makes OSINT the solution for all those organizations that, thanks to the use of new technologies, are revolutionizing the future of security.


Thanks to new technologies, those who manage CI can curb the damage of a cyber-attack or even avoid it. But complex systems call for complex protection technologies, which can be managed only by organizations structured around constant technological development. The use of this discipline allows the analysis of potential security threats to very complex entities, not only in data protection but also in making information system security a variable of physical security.


1. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Official Journal of the European Union.

2. NATO Open Source Intelligence Handbook, November 2001.

3. Jeremy Faircloth, in Penetration Tester's Open Source Toolkit (Fourth Edition), 2017.

4. DNS stands for Domain Name System and is used to point an incoming domain towards the IP address of the server (https://www.cloudwards.net/what-are-dns-records/).
