Fabrizio Baiardi

Fabrizio Baiardi

Fabrizio Baiardi is a Full Professor at Università di Pisa where he has chaired one of the first degree on security of ICT infrastructures. His main research interests are formal approaches to risk assessment and resilience of critical ICT infrastructures. Fabrizio Baiardi has been involved in the risk assessment and management of several systems and of industrial control systems with SCADA components. He has authored several papers on ICT security and currently teaches university courses on security related topics.

Three years ago a cyber attack was not an attack of war

Together with Stuxnet, NotPetya is one of the attacks that changed (or should have changed) people perspective on cybersecurity. Stuxnet was a target attack, and the target was fully described in the attack code. Furthermore, it was one of the first attacks with a physical impact as it destroyed some centrifuges in an uranium enriched plant. NotPetya, instead, was a massive attack, designed as any ransomware to have an impact on each system it could reach. Hence, while Stuxnet a large diffusion but a low impact, NotPetya had huge impacts because it was designed to encrypt critical areas on a disk to prevent systems from booting. This resulted in a complete stop of several companies. Furthermore, no way to pay a ransomware was specified and recovering any encrypted information was impossible. Several companies have been completely blocked for weeks and someone could restore the information only because some where not connected when the attack occurred. The White House estimated at 10 billion US dollars the global cost of damages due to NotPetya. In the days of the attack everyone was speaking about the power of the attackers, the fact that only a state could conceive and implement such an attack. As an example, some insurance companies refused to pay the damage by classifying the attack as an “act of war” from another, unknown, state. Luckily some years late a more equilibrate point of view is arising that attributes most of the success of the attacks to weaknesses of the target systems. As an example, patches where available for the vulnerabilities NotPetya exploited, but they were not applied due to the huge number of patches to deploy and the lack of an effective scheduling strategy. Another weakness is the missing adoption of defence in depth in favor of a flat architecture where every node can interact with any other node. The adoption of a security-by-design strategy. The main security lesson here is that system robustness should be assessed and improved before the attacks and that waiting three years to discover the weaknesses that have simplified the attacker works is not.



More to explorer

Leave a Comment

Your email address will not be published. Required fields are marked *

it_IT en_US