Posts tagged ‘cybersecurity’

November 18, 2011

Commander Adama’s Simple Rules for ICS Protection

A normal morning: I log into Twitter and start to browse through my stream. I quickly come across an article posted by CNN’s Security Clearance blog. In it, the author reveals that the Federal government is investigating whether an Illinois water treatment plant’s burned-out pump was caused by a cyberattack. “What the what?” says I, as I read further:

Joe Weiss, a noted cyber security expert, disclosed the possible cyber attack on his blog Thursday. Weiss said he had obtained a state government report, dated Nov. 10 and titled “Public Water District Cyber Intrusion,” which gave details of the alleged cyber attack culminating in the “burn out of a water pump.”

Such an attack would be noteworthy because, while cyber attacks on businesses are commonplace, attacks that penetrate industrial control systems and intentionally destroy equipment are virtually unknown in the U.S.

Well. This could be interesting. The protection of industrial control systems (ICS) has been a worry of cybersecurity analysts. What makes this story even more fascinating? Weiss claims that the “attack” came from somewhere within the territory of the Russian Federation.

My initial assumption that the attack was funneled in through some external source seems to have been proven wrong in these Washington Post and CNET articles on the topic. It turns out the ICS in question was managed using software developed by a company that provides supervisory control and data acquisition (SCADA). This company, unnamed in the articles due to the nature of the report the articles were based on, was itself hacked several months earlier, with dozens of users’ account details and passwords absconded with. The water plant’s system in question had been powered up and down remotely at random, the overall effect of which led to the burning out of a water pump.

So, first of all, whoa. Second, while an important event in the history of American cybersecurity, I don’t think that this is quite on the level of bad that I’m sure many will assign to it. Comparisons to the Stuxnet virus that struck Iran, targeting the programmable logic controllers in its uranium-spinning centrifuges, are inevitable, to be sure. But the level of sophistication displayed here is nowhere near that of Stuxnet. That attack was clearly designed for a specific purpose, with a specific goal. The Illinois case is much more likely the result of a hacker who had obtained this information playing around with their new capabilities, leading to the burnout in question. If this were a state-based attack, I highly doubt that a single water station in Springfield would be their target.

Further, the two-step process displayed in this attack makes it all the more important, in my book, that proper cybersecurity measures are taken in the private sector. The intruder obtaining the passwords to the control systems certainly made the actual penetration of the system easier. Even with that advantage, though, the hacker should not have been able to gain the remote access that was required to utilize that data. Which brings me to the title of this piece.

In the mini-series that launched the revamped Battlestar: Galactica, the Cylons manage to take out the entirety of the Colonial Fleet, save the titular Battlestar, by deploying a virus across the networked Colonial system. What saved the Galactica, you ask? Commander Adama’s near fanatical resistance to having any networks on his ship’s computers. Period. He knew that computers were necessary, but he’d be damned if they were allowed to talk to each other. It even went so far that in a situation where the Galactica was forced to network its computers together or face destruction, the Commander had to think long and hard on the subject before allowing it. To his credit, the Cylons immediately launched a cyberattack once the networking was completed, so there you go.

Edward James Olmos can teach us a lot through his steely glare. The vast majority of ICS networks are actually very secure, so long as they aren’t connected to the Internet. I understand that remote access is sometimes necessary for the monitoring and management of vital processes when nobody is available in person. But monitoring and actually being able to control and update those systems should be on different networks, the latter of which goes nowhere near the public interwebs. Even those plants that are segregated face danger not from clever ways to sneak in through the vastness of the intertubes, but through the mistakes of the humans who are charged with maintaining and operating these systems. An earlier Washington Times article concerned with hackers being able to open jail cells remotely was panned, but still holds some truths in its pages:

“But in our experience, there were often connections” to other networks or devices, which were in turn connected to the Internet, making them potentially accessible to hackers, [Teague Newman, Department of Homeland Security] said.

In some of the facilities the team visited for their research, guards had used the same computer that controls the prison’s security systems to check their personal email, exposing it directly to potential hackers, Mr. Teague said.

In many prisons, technical support staff would add connections to enable them to update the system’s software remotely after the ICS systems were installed by security specialists.
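The segregation rule argued above (monitoring may be reachable remotely, control must not be, and a control host must not double as somebody’s e-mail machine) can be audited against an asset inventory. The script below is an added example, not code from the original post or from any of the plants or prisons it discusses; the zones, hosts and the “remote-update link” are constructed to mirror the failure modes quoted from the prison study.

```python
# Added example, not from the original post: audit an asset inventory against
# the rule that control networks must have no path to the Internet and that
# control hosts must not be dual-homed or used for other purposes.
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    internet: bool = False                  # directly reachable from the Internet
    links: set = field(default_factory=set) # zones bridged to this one (undirected)

@dataclass
class Asset:
    name: str
    zones: set                              # zones the host has an interface in
    roles: set                              # any of: "control", "monitor", "office"

def exposed_zones(zones):
    """Return every zone reachable from the Internet, following bridge links
    transitively (the 'connections to other networks' problem quoted above)."""
    exposed = {z.name for z in zones if z.internet}
    adj = {z.name: set(z.links) for z in zones}
    for z in zones:                         # links are undirected: add the reverse edge
        for other in z.links:
            adj.setdefault(other, set()).add(z.name)
    frontier = list(exposed)
    while frontier:
        for nxt in adj.get(frontier.pop(), ()):
            if nxt not in exposed:
                exposed.add(nxt)
                frontier.append(nxt)
    return exposed

def audit(zones, assets):
    """Flag each control asset that breaks the rule; monitoring-only assets pass."""
    exposed = exposed_zones(zones)
    findings = []
    for a in assets:
        if "control" not in a.roles:
            continue
        hit = a.zones & exposed
        if hit:
            findings.append((a.name, "control reachable from Internet via " + ",".join(sorted(hit))))
        if len(a.zones) > 1:
            findings.append((a.name, "dual-homed control host bridges zones"))
        other = a.roles - {"control"}
        if other:
            findings.append((a.name, "control host also used for " + ",".join(sorted(other))))
    return findings

# Constructed inventory: support staff added a remote-update link from the
# control network to the corporate LAN, and one HMI is also used for e-mail.
ZONES = [Zone("corp", internet=True), Zone("scada-mon", links={"corp"}),
         Zone("scada-ctrl", links={"corp"}), Zone("scada-ctrl-isolated")]
ASSETS = [Asset("hmi-1", {"scada-ctrl"}, {"control", "office"}),
          Asset("historian", {"scada-mon"}, {"monitor"}),
          Asset("plc-gw", {"scada-ctrl-isolated"}, {"control"})]
```

Running `audit(ZONES, ASSETS)` reports two findings against `hmi-1` and none against the historian (monitoring is allowed to be remote) or the isolated PLC gateway.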

Also of concern: the use of flash drives and portable hard drives. We all have looked from our flash drive to a computer and thought “Eh, whatever” before plugging it in. Doing so with a system that controls vital elements of key infrastructure, though? That’s insanely risky, even if you are the sort who runs ZoneAlarm on your personal PC. It’s highly likely that Stuxnet itself was first introduced into the Iranian nuclear plants not through breaking through a firewall in a case of extreme hackery, but through getting passed along until some schmuck stuck his thumb drive somewhere it didn’t belong. If we’re actually serious about proving false Richard Clarke’s declaration that cyberwar is the biggest threat our country faces, we really should start acting like it. For our inspiration, I think we should look no further than the Old Man himself.

Put the Flash Drive DOWN

The face of pure badassery

In that vein, Congress is looking for bipartisan solutions in troubled times, and I think I have one for them. This could be a simple insert into any of the pending cybersecurity legislation on the Hill, or a quick bill to pass. Congress: we should mandate that all workers who interact with ICS be required to wear wristbands that read “WWCAD?”, or “What Would Commander Adama Do?” The picture at left should also be hung in all Federally regulated sites that use ICS to manage their daily affairs. You can thank me later, Congress. You can thank me later.

November 8, 2011

Memo to Richard Clarke: China does not have a “US Internet On/Off” switch

Gulliver, of the Inkspots blog, tweeted earlier today an article published in the Boston Globe. In said article, Richard Clarke, also known as the Man Who Knew Too Much in the pre-September 11 days, predictor of the bin Laden attacks and ignored by the Administration, has a few recommendations about the readiness of our nation’s digital defenses. I was excited, until I saw the headline: “Cyber weaknesses should deter US from waging war.”

…What.

Clarke said if he was advising the president he would warn against attacking other countries because so many of them — including China, North Korea, Iran and Russia — could retaliate by launching devastating cyberattacks that could destroy power grids, banking networks or transportation systems.

The U.S. military, he said, is entirely dependent on computer systems and could end up in a future conflict in which troops trot out onto a battlefield “and nothing works.”

Clarke said a good national security adviser would tell the president that the U.S. might be able to blow up a nuclear plant somewhere, or a terrorist training center somewhere, but a number of countries could strike back with a cyberattack and “the entire US economic system could be crashed in retaliation … because we can’t defend it today.”

“I really don’t know to what extent the weapon systems that have been developed over the last 10 years have been penetrated, to what extent the chips are compromised, to what extent the code is compromised,” Clarke said. “I can’t assure you that as you go to war with a cybersecurity-conscious, cybersecurity-capable enemy that any of our stuff is going to work.”

Oh my stars and garters. First of all, usual disclaimers that these are my personal opinions, not those of anyone I may be employed by. Now. Do I really need to explain to Mr. Clarke why his statement makes no sense? The use of computers has made our armed forces more mobile, agile, and accurate. It has not made them deadlier in my opinion. In fact, taking away the ability of our systems to, say, precisely pinpoint a target would probably be the dumbest thing an enemy could do. It’s not like we’ve lost the ability to just carpetbomb areas into submission, it’s just something that we honestly prefer not to do these days.

Also, it sounds like Mr. Clarke is vastly inflating the capabilities of the states he lists. Yes, China and Russia were called out recently for hacking into our systems to gain access to sensitive data for economic gain. But if you honestly think that there aren’t white hats on our side doing the same thing, then your dream world sounds like a lovely place to visit. Espionage is something that exists and always will exist so long as there are secrets that need to be protected. Why do you think we even have a Central Intelligence Agency?

But seriously. If the United States or one of our allies were to strike against an Iranian nuclear plant, which I am, by the by, not in favor of, I am extremely skeptical that Iran’s first thought would be “shut down the Interwebs in the U.S.” As Dan Trombly points out, Iran’s proxy capabilities are much more impressive than anything it has in the digital domain, and further, the entirety of the cyber-capability we’ve seen from them has been in regards to domestic communication, not widespread hacking into infrastructure. China using its legion of “Netizen hackers” to counterbalance the offensive edge that we so clearly have on them would make sense and is the most credible of the states Clarke lists, but the PRC is light-years away from having that ability, no matter how lacking our defenses are.

Cyber-capabilities are impressive. Nobody is denying that fact. The hype around them, though, is stunning. I love science fiction as much as the next person, and the future is in fact awesome, as I find myself thinking every day. But the wild mass guessing that goes into attempting to predict the full abilities that can and will be brought to bear in a conflict is more than a little ridiculous. The way that many writers and analysts put it, there’s a switch somewhere in various states that can be flipped in the event of war, whereupon the various Trojan horses and malware on American systems suddenly shut. down. everything. I can assure you that any use of cyberconflict in the coming years will look nothing like that. Disrupting communications, sending out false information and corrupting data, various levels of enhanced espionage: that’s what’s facing us, not preventing bombs from deploying or somehow crashing the US economy.

Further, and this is a huge pet peeve of mine, there is the acting as if any instance of a cyber or digital attack would be completely beyond the conventional norms of warfare and that the US has absolutely no past models to draw on. Bull. Saying that we shouldn’t attack a country because they might retaliate against our digital infrastructure is akin to saying that we shouldn’t attack them because any of our assets may in turn be targeted. Which would make no sense, because that is how war is conducted: you strike, you attempt to block the oncoming counterstrike. If your defenses are lagging at one point? Then you build them up, but that doesn’t mean that your weak point completely negates your offensive capabilities. There are plenty of reasons not to launch a military strike, but concern over our computer networks is not one of them. Mr. Clarke needs to take it down a notch; advocating for more robust defense is fine, but hyperbole just weakens your arguments.

October 18, 2011

Bazooka v. Fly: Why I’m glad the US didn’t launch a cyberattack on Libya

In a story that came out yesterday that made my inner nerd very gleeful, but my outer IR type extremely wary, the New York Times broke the news that the US was considering using cyberwarfare against Libya at the outset of NATO’s intervention campaign. To get a sense for just what that would entail:

Just before the American-led strikes against Libya in March, the Obama administration intensely debated whether to open the mission with a new kind of warfare: a cyberoffensive to disrupt and even disable the Qaddafi government’s air-defense system, which threatened allied warplanes.

While the exact techniques under consideration remain classified, the goal would have been to break through the firewalls of the Libyan government’s computer networks to sever military communications links and prevent the early-warning radars from gathering information and relaying it to missile batteries aiming at NATO warplanes.

I dare you to try to reread that and not have your mind go to a dark room filled with faces inaccurately lit in green and blue, pounding away at their keyboards, attempting to exploit the weaknesses of the Qaddafi regime’s command and control systems. I’ll wait. I can already see the Hollywood pitch for the revised version of history where our brave cyberwarriors actually were the ones to take down the dreaded dictator. Daft Punk would provide the soundtrack. While the thought of using this advanced technological capability in an actual military operation is intriguing and would make for a wicked movie, there are a number of reasons why going through with such an action would have been a Very Bad Idea.

First and foremost, giving the United States’ cyber-capabilities a test spin against the Libyan Armed Forces would have been a breathtaking waste of a U.S. trump card for future conflicts. While the Libyan air defenses had the potential to be a thorn in the side of the NATO warplanes, there was precisely zero need to use capabilities that are officially still under wraps against the Jamahiriya. Our bombers easily sought out and destroyed ground-to-air missile sites within the first few weeks of NATO sorties, demonstrating in bright flashing explosions just how much of an overkill a cyberattack would have been. If and when digital attacks become fully necessary for the achievement of a critical mission, the United States will deploy such methods, and in doing so will command not only the tactical advantage that launching such an attack would bring, but also the psychological factor inherent in utilizing new technologies in unexpected ways. The raid that took out Osama bin Laden was notable not just for the actual death of the terrorist mastermind, but for the unveiling of the previously secret stealth helicopter that the United States now possesses, which in turn led to a race by other capable nations to begin researching similar technology. It was a mission packed with significance, where the operational capability provided by the technology matched the goal at hand.

Which brings us to the second reason not to launch such a strike, one that US officials also rightfully concluded: having the United States launch the first public salvo in the war for the digital domain would set an irreversible precedent. Much like the United States’ officially non-existent drone campaign against Pakistan, the fact that states are currently utilizing various hacking methods against one another is an unspoken but quietly acknowledged axiom in this day and age. So far, state-to-state digital attacks have been conducted through proxies or focused on enhancing espionage capabilities; no attack has yet been made on the level that would allow it to be dubbed ‘warfare’, which in my opinion includes attacks against the command controls of critical infrastructure or operating military systems. Were the US to be the first to commit such an attack, it would open a whole new can of worms in terms of conflict: other states with similar capacities to inflict cyberstrikes, not of the same magnitude as the US but still possessing the potential to wreak havoc, would readily seize the opportunity to openly incorporate similar cyber-initiatives into their own tactical planning. To wit: we would see a massive surge of data skirmishes between us and China, among others, and veritable digital onslaughts by more capable states against lesser neighbors or challengers across the globe. Think the darkest days of realist theory played out over ethernet cables.

Finally, the legal implications of the US military being the wielder of cyber-force against Libya are stunning. President Obama had enough trouble making the case that Operation Unified Protector did not fall under the War Powers Act of 1973 and didn’t require Congressional approval, a point that even the top lawyers at Defense and Justice had a difficult time acquiescing to. On a sidebar, I think that the United Nations Participation Act gave all the coverage needed after the passage of UNSC Resolution 1973, but I digress. Back on point, the use of cyber-capabilities would have muddied the water even further; while the War Powers Act doesn’t define “hostilities”, it also was drafted before anyone assumed that cyberoffensives would ever be possible. Since an attack using computers wouldn’t be physical in nature, it’s unclear whether launching a cyberattack would start the clock on Congressional notification, or require any notification at all, and to start that debate now, surrounding Libya, would be inopportune at best.

In any case, the Administration made the right call on this one. There will come a day where the United States faces an enemy that requires bringing out the big (digital) guns, but taking down Libya was certainly not it. Now if you’ll excuse me, I have to go re-watch The Matrix.