New Technology = Better CI Protection

It’s on CNN
Watching a recent CNN video of a staged Cyber attack showing a large turbine generator self destructing, may have caused some to dismiss the story as yet another attempt to sensationalize and shock an increasingly desensitized TV audience. As the report unfolds, however, one learns that the video was created by the Department of Homeland Security (DHS) in a training experiment, code named Aurora. It’s time to pay closer attention.

Apparently, such an attack is not ­difficult to execute. The cyber holes that made this possible have now been plugged, we are told, but not “eliminated.”

There is more – industry analysts hypothesize that simultaneous cyber attacks on key electric facilities could knock out power to a large geographic area for months.

It gets worse – it would only take $5 million or so to mount such an attack. And such an attack could cause a third of the U.S to lose power for up to three months and be equivalent to 40-50 large hurricanes hitting the United States simultaneously. This in turn would result in the loss of $700 billion in economic activity. Do the quick math and evaluate a $70 billion equivalent for Canada. A disastrous hit indeed on the budgets of all levels of government!

In the U.S., everybody, from the DHS through the CIA to the White House, agrees that something needs to be done, quickly, to avoid such a national ­disaster – yet, apparently, very little has been done for the past five years.

Apart from wondering why we are identifying our vulnerabilities and giving ideas to people who do not need any ­further encouragement... two major questions leap to mind: How did we get into this situation and, more importantly, how do we get out of it?

Examples of Critical Infrastructures
To answer the first part of the question we need to agree on what is “Critical Infrastructure.” Wikipedia defines it is “a term used by governments to describe material assets that are essential for the functioning of a society and economy.” That sounds about right but what does it mean to the average person? Comparing a typical list of government-defined Critical Infra­structure with the levels in psychologist Abraham Maslow’s hierarchy of human needs (see the chart below), we can see how Critical Infra­structure maps to his framework.

CI supports our Basic Human Needs
The Critical Infrastructure (CI) that produces and delivers our food, water and energy is “critical” to meeting the foundational physiological needs of the individual.

The other parts of the Critical Infra­structure, emergency services, telecommunications, transportation, finance and banking, industrial processes and our postal and parcel systems, provide basic individual safety and our collective capabilities for creating wealth in a predictable and orderly world. These include security from crime, financial security and access to health care. It would be a different world indeed without these – even for a short time.

Clearly, interfering with our CI poses extremely serious consequences for all of our most basic human needs.

Physical Infrastructure Components are Globally Available
To comprehend why our Critical Infra­structure is vulnerable to cyber attacks, we need to understand how it has evolved, how it is managed, and it is operated.

Historically, Critical Infrastructure networks evolved and were developed and managed by civilian, special purpose, public organizations dedicated to the operations of that particular service. This included water, gas and electric utilities, national railways and, more recently, telecommunications companies. Unlike military infrastructure whose development and dissemination are strictly controlled, most civilian Critical Infrastructure components and technologies are manufactured and readily available around the world. The components used to manage our public and private critical infrastructure are essentially commercially available. In many instances, our CI has been designed, built and deployed through international engineering firms that also develop similar infrastructures worldwide, modeled mainly on North American and European designs. The documentation of the products that make up our Critical Infrastructure is often accessible in online catalogues and whitepapers. As a consequence, significant segments of such infrastructure are relatively easy to access and therefore vulnerable to malicious intent.

Despite its civilian role, Critical Infra­structure has always been a target during times of war. Bombing and sabotage have been used to damage the enemy’s CI and thereby reduce an opponent’s capacity to fight. In the past, this could only be done physically at the target location. This proved costly and difficult to disguise. Now, because of the very technologies that have made our society successful, our Critical Infrastructure is vulnerable – remotely and anonymously – to our foes.

Critical Infrastructure Protection is an Overlay
The segmentation of our CI into independent operational silos has served us well for economic efficiency and industrial development. Typically, such networks have been designed to be operationally ­efficient – protection and security from malicious intent was seldom an area for concern, and certainly not a priority. Therefore, they lack redundancy. Indeed, they exhibit the properties of scale-free ­networks in which a few major hubs are connected to many spokes. If the hubs fail, disastrous consequences cascade through­out the entire network.

While our Critical Infrastructure may be owned and operated as independent silos, they are also intertwined with, and highly reliant upon their shared energy and communications grids. A failure of a component in one silo can not only cause a catastrophic collapse of that particular silo network, but also has the potential to cause a cascading failure in another silo.

The protection of our CI has also traditionally been delegated to each silo. Today’s stringent security requirements are being overlaid on existing operations – they are being retrofitted. Unfortunately, we have discovered that the sum of measures taken by each silo do not ensure an effective protection of the whole.

Our combined integrated and interdependent Critical Infrastructure system has been, largely, left unattended. This is the fundamental cause of our vulnerability.

CI network Characteristics
Critical Infrastructure networks require control systems to manage them. Supervisory Control and Data Acquisition Systems (SCADA) provide the data necessary to manage the control of transportation traffic networks, electric power grids, water delivery networks and sewage networks to control pumps, valves and switches. Telecommunications are used to link these network components, usually to a Network Operations Centre (NOC). Initially the communications networks were internal. This has led to the misperception that SCADA systems are obscure and irrelevant to our general well-being.

With the rapid evolution of the internet, there has been an increasing tendency to connect and manage the control systems through internet-based technologies. In ­particular, owners and operators of Critical Infrastructure have been using Virtual Private Networks (VPN) to secure communications tunneled through the public Internet. The proliferation of the Internet and Wi-Fi technologies has inadvertently created many opportunities for intrusions. Even though these networks are virtually separated from the outside world through firewalls, access gateways, and other devices, hackers can use their knowledge of lax security practices in order to gain access to user names and passwords to impersonate an authorized user. Once inside the NOC, hackers have access to the control systems and can compromise operations.

How CI Networks Can be Compromised
There are a few generic ways that Critical Infrastructure can be compromised. These are shown in the following table. Not all of the compromises need be due to action of someone intent on causing harm; some occur as a result of acts of nature or unintended component malfunctions. There are all too frequent examples of catastrophic electric grid failures caused by the collapse of a single transmission line. The fact that some of these failures have occurred is an indication of the inherent susceptibility of some of our Critical Infrastructure to failure. We will get to that next.

Despite growing awareness of these susceptibilities, there is continuing evidence of documented penetrations of such networks. Fortunately, most of these result from staged penetration tests, as the DHS Aurora hack has shown.

The sheer complexity and dynamic nature of the communications networks controlling our Critical Infrastructure, combined with the difficulty of maintaining appropriate security practices, has created a permanent state of vulnerability. Is there a simple and cost effective way to break this cycle of vulnerability?

New Technologies to Secure CI Networks
As you might expect, there is no silver bullet to eliminate all of our CI security vulnerabilities. There are, however, emerging technologies that will significantly raise the bar for preventing Cyber intrusions. These innovations focus on new capabilities to “fingerprint” or “DNA” individual computers and use this information, in combination with standard security practices, to control access to the network.

In the past, unless a computer was located in a secure facility it was difficult to authenticate its identity. A hacker who had gained access to the right security profile could use any computer to anonymously access the network. In the future this may get a little harder.

For instance, Uniloc USA Inc., an innovative company specializing in electronic device recognition initially used for software copy control and information security, developed Physical Device Fingerprinting, a patented method of uniquely identifying a user device, such as a PC, game console, smart phone or cell phone. This technology identifies the inherent physical imperfections of a device, and then incorporates that “fingerprint” into the licenses and access credentials of the user.

A new product designed to restrict SCADA network access to designated PCs at the Network Operations Center (NOC), also limits access to designated computers used by field engineering staff logging into the NOC Virtual Private Network (VPN). With this technology deployed, a hacker must be on an authorized PC to impersonate an authorized user. The technology also provides intrusion detection, location and notification at the NOC.

In addition to making the work of the hacker a little more difficult, there are technological developments that also make it a little less anonymous. A few years ago (2005) promising work by Tadayoshi Kohno, a PhD student at the University of California, described research based on unique clock skews of processors to fingerprint a physical device remotely without the fingerprinted device’s known cooperation. The technique did not require any modification to the fingerprinted device. It worked with devices thousands of miles away, from different locations and via different access technologies. This research provided a basis for new forensics applications: investigators could use his techniques “to argue whether a given laptop was connected to the Internet from a given access location at a particular time”.

Some new developments exploiting this research could make a would-be intruder’s foray into our CI a lot less ­anonymous. For now, in the interest of ­leveling the playing field, some of those details should remain a mystery.

___
Giulio Maffini, based in Ottawa, is President of a + i2 Inc. and a member of the National Security Group.
© FrontLine Security 2008