SCADA In Pictures

SCADA In Pictures

SCADA 3 SCADA 4 SCADA

So SCADA are Supervisory Control and Data Acquisition systems.

They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more.

These are part of our nation’s critical infrastructure.

In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to:

– Turn on and off lights

– Open/close perimeter gates

– Control water and gas pipelines

– And even open and close a bridge

This was very scary!

No one, unauthorized, should be able to do this in real life, in the physical world.

This is a major security vulnerability for our nation:

– SCADA systems should not be openly available online, and instead they should be able to be controlled only either locally or remotely through an encrypted virtual private network (VPN).

– SCADA systems should not be available without proper access controls–there must be credentials for user id and passwords, and even two-step authentication required.

No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure–otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror.

We owe our nation and families better, much better.

(Source Photos from lab: Andy Blumenthal)

Beware of Botnets

Interesting video demonstration of how botnets work and can literally take over your computer.

In essence, your computer becomes a zombie under the command and control of the botnet sender.

Computers get infected through a trojan or worm, and then the sender has you–they control your computer and information.

Generally, they do this to send spam, steal information, or send out other malware, all under anonymity.

Once infected, the sender has complete control over your computer and can exfiltrate, delete, or change your data, turn on the keyboard lights, add a tail to your mouse, and even format your hard drive.

The malware often can even disable your firewall.

The sender can turn on a keylogger and log your keystrokes, and capture your user ids and passwords to banking and financial institutions, and draw out your money.

The video demos an example of botnets with a variant of the Zeus trojan.

Worth a watch.

Makes me wonder whether our adversaries are infecting more and more computers, until they have almost everyone–eventually a virtual army.

Then at the time of their choosing, they can conduct one big massive attack, or incremental ones, logging into peoples accounts, stealing their identities and savings, sending out misinformation, destroying data and computers en masse.

We need to be aware of what’s possible, maybe even probable.

Is your computer infected and you don’t even know it yet?

Analyzing The Law

Analyzing The Law

So I am back in school AGAIN (I’m a life-long learner), augmenting my not so slow-paced job.

Let’s just say that at this point, I recognize that the more I know, the more I don’t know anything.

The class that I am taking now is Cyberlaw, and while I did take law in business school–many moons ago–that was more focused on contracts and business organizations.

This class looks interesting from the perspective of the legal and regulatory structure to deal with and fight cybercrime, -terrorism, and -war.

One interesting thing that I already learned was a technique for evaluating legal cases called IRAC, which stands for:

– Issues–the underlying legal matters that the case is addressing.

– Rules–what legal precedents can be applied.

– Analysis–whether those rules apply or not, in this case.

– Conclusion–rendering an opinion on the case.

This is a structured way to analyze any legal case.

Of course, before you do these, you have to look at the facts–so that is the very first section.

The problem with that is then you have F-IRAC and that can definitely be taken the wrong way. 😉

(Source Photo: Andy Blumenthal)

Getting To Swift Cyber Justice

Destroyed_computer

The first Department of Defense Strategy for Operating in Cyberspace is out (July 2011).

Of course, like the plans that came before (e.g. Cyberspace Policy Review), it emphasizes the imperative for cyberspace protection. Some highlights:
  • DoD is particularly concerned with three areas of potential adversarial activity: theft or exploitation of data; disruption or denial or service of access or service…, and the destructive action–including corruption, manipulation, or direct activity that threatens to destroy or degrade network or connected systems.”
  • Cyber threats to U.S. national security go well beyond military targets and affects all aspects of society.  Hackers and foreign governments are increasingly able to launch sophisticated intrusions into the networks and systems that control civilian infrastructure.”
  • Every year, an amount of intellectual property larger than that contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government departments and agencies.”
The strategies for cyberspace protection in the DoD plan include treating cyberspace as an operational domain; innovation; partnership; and so on. But we need to leverage our strengths even more. 
As the Wall Street Journal pointed out on 15 July 2011: “The plan as described fails to engage on the hard issues, such as offense and attribution.”  If we can’t even identify who’s attacking us, and fight back with precision, then we’re flailing.
Some may express the concern that we would have all-out war by attacking those who attack us. However, what is the alternative besides confronting our aggressors? 
The concept of operations is straightforward: Any computer device that is used to attack us, would immediately be blocked and countered with equivalent or greater force and taken out of play.
This would mean that we are able to get past cyber-bot armies to the root computers that are initiating and controlling them, and dealing with them decisively. This would hold regardless of the source of the attack–individual or nation-state.
The DoD plan acknowledges our own unpreparedness: Our reliance on cyberspace stands in stark contrast to the inadequacy of our cybersecurity.”
As in the Cold War, there must be no doubt with Cyber Warfare (as with nuclear) of our ability to inflict devastating second-strike or preemptive attacks with deadly precision. 
Until we have unambiguous hunter-killer capability to identify and locate perpetrators of cyber attacks against us and the ability to impose swift justice, we are at the mercy of our aggressors. 
We can only have peace in cyberspace when we have the strength to stand up and defend it.  
Now we must move with cyber speed to build this capability and stand ready to execute our defenses.
Admiral Mike Mullen was quoted this week (18 July 2011) in Federal Times as saying: “The single biggest existential threat that’s out there is cyber...It’s a space that has no boundaries. It has no rules.”
We must become even better–much better!
(Source Photo: here)

Crashing The Internet–Are We Prepared?

Almost week after week, I read and hear about the dangers of cyber attacks and whether “the big one” is coming.
The big one is what some experts have called a pending “digital Pearl Harbor.
Just last week, the Federal Times (13 June 2011) wrote that the “U.S. government computer networks are attacked about 1.8 billion times per month.
The Center for New American Security (CNAS) states that deterring and preventing cyber attacks will require “stronger and more proactive leadership.”
Charles Dodd, a cyber security consultant in D.C. warns that “You’ve bought a stick to a gunfight, and you’re arrogant about your capabilities.” 
So the question is–are we really paying attention to and being realistic about the probability and magnitude of the impact of the cyber threat out there?
Certainly, with so much critical infrastructure–from government, military, and private industry–dependent on the Internet, the effects of a concerted or prolonged cyber attack on our country would be devastating as documented most recently in The Lipman Report (October 2010) on “Threats to the Information Highway: Cyber Warfare, Cyber Terrorism, and Cyber Crime” as follows:   
–“There is a great concern regarding the types of destructive attacks that are already occurring, but an even greater concern for the unknown that is yet to happen but is almost certainly even now in development. Cyberspace touches nearly every part of our daily lives.
It is in this regard that I read with serious concern today in ID Magazine (August 2011) that the University of Minnesota has “demonstrated in a simulation how an attack with a large botnet (a network of remotely-controlled PCs) could shut down the Internet.
And it took only 20 minutes to trigger the chain reaction in which “manipulated routers overloaded all other Internet routers worldwide…mak[ing] it impossible for Internet address to be found.”
Granted it would take around 250,000 computers to carry out such an attack, but with the billions of people online with computer devices of all sorts…that does not seem like an inordinate amount to press forward with for a coordinated attack. 
So the Internet in theory can be crashed!  
Just think for a moment about how that would impact you and what you do every day…would anything be the same?  Could we even function normally anymore? 
As we move more and more of our applications, data, and infrastructure online to the cloud, we need to consider what additional risks does this bring to the individual, the organization, and the nation and how we can respond and recover should something happen to the Internet.
In the Federal government there are many agencies, commands, task forces, and groups working to secure the Internet, and at the same time, there are separate efforts to modernize and reform IT and reduce unnecessary expenditures, so what we need to do is better integrate the drive to the cloud with the urgency of securing our data, so that these efforts are strong and unified. 
This is one of the things that I was trying to achieve when I created the CIO Support Services Framework in synthesizing the functions of IT Security with the other strategic CIO functions for Enterprise Architecture, IT Investment Management, Project Management, Customer Relationship Management, and Performance Management.  
If the Internet can indeed be crashed, we had all better be prepared and make the right IT investment decisions now, so that we won’t be sorry later. 
(All opinions are my own)
(Source Photo: Heritage and History.com)

>What’s Lurking In The Update?

>

In defense, it is a well-known principle that you determine your critical infrastructure, and then harden those defenses—to protect it.

This is also called risk-based management, because you determine your high impact assets and the probability that they will be “hit” and deem those the high risks ones that need to be most protected.

In buttressing the defenses of our critical infrastructure, we make sure to only let in trusted agents. That’s what firewalls, anti-virus, spyware, and intrusion prevention systems are all about.

In so-called “social engineering” scams, we have become familiar with phony e-mails that contain links to devastating computer viruses. And we are on the lookout for whether these e-mails are coming from trusted agents or people we don’t know and are just trying to scam us.

What happens though when like the Trojan Horse in Greek times, the malware comes in from one of the very trusted agents that you know and rely on, for example, like from a software vendor sending you updates for your regular operating system or antivirus software?

ComputerWorld, 10 May 2010, reports that a “faulty update, released on April 21, [by McAfee] had corporate IT administrators scrambling when the new signatures [from a faulty antivirus update] quarantined a critical Windows systems file, causing some computers running Windows XP Service Pack 3 to crash and reboot repeatedly.”

While this particular flawed security file wasn’t the result of an action by a cyber-criminal, terrorist or hostile nation state, but rather a “failure of their quality control process,” it begs the question what if it was malicious rather than accidental?

The ultimate Trojan Horse for our corporate and personal computer systems are the regular updates we get from the vendors to “patch” or upgrade or systems. The doors of our systems are flung open to these updates. And the strategic placement of a virus into these updates that have open rein to our core systems could cause unbelievable havoc.

Statistics show that the greatest vulnerability to systems is by the “insider threat”—a disgruntled employee, a disturbed worker, or perhaps someone unscrupulous that has somehow circumvented or deceived their way past the security clearance process (or not) on employees and contractors and now has access from the inside.

Any well-placed “insider” in any of our major software providers could potentially place that Trojan Horse in the very updates that we embrace to keep our organizations secure.

Amrit Williams, the CTO of BIGFIX Inc. stated with regards to the faulty McAfee update last month, “You’re not talking about some obscure file from a random third party; you’re talking about a critical Windows file. The fact that it wasn’t found is extremely troubling.”

I too find this scenario unnerving and believe that our trusted software vendors must increase their quality assurance and security controls to ensure that we are not laid bare like the ancient city of Troy.

Additionally, we assume that the profit motive of our software vendors themselves will keep them as organizations “honest” and collaborative, but what if the “payoff” from crippling our systems is somehow greater than our annual license fees to them (e.g., terrorism)?

For those familiar with the science fiction television series BattleStar Galactica, what if there is a “Baltar” out there ready and willing to bring down our defenses to some lurking computer virus—whether for some distorted ideological reason, a fanatical drive to revenge, or a belief in some magnanimous payoff.

“Trust but verify” seems the operative principle for us all when it comes to the safety and security of our people, country and way of life—and this applies even to our software vendors who send us the updates we rely on.

Ideally, we need to get to the point where we have the time and resources to test the updates that we get prior to deploying them throughout our organizations.

>Overcoming the Obstacles to Cyber Security

>

There continues to be a significant shortfall in our cyber security capabilities, and this is something that needs our determined efforts to rectify.

Often I hear a refrain from IT specialists that we can’t wait with security until the end of a project, but rather we need to “bake it into it” from the beginning. And while this is good advice, it is not enough to address the second-class status that we hold for IT security versus other IT disciplines such as applications development or IT infrastructure provision. Cyber Security must be elevated to safeguard our national security interests.

Here are some recent statements from some our most respected leaders in our defense establishment demonstrating the dire strait of our IT security posture:

· “We’re the most vulnerable, we’re the most connected, we have the most to lose, so if we went to war today in a cyber war, we would lose.”- Retired Vice Admiral Mike Mullen (Federal Computer Week 24 February 2010)

· The United States is “under cyber-attack virtually all the time, every day” – Defense Secretary Robert Gates: (CBS, 21 April 2009)

· “The globally-interconnected digital information and communications infrastructure known as “cyberspace” underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security. This technology has transformed the global economy and connected people in ways never imagined. Yet, cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.” (White House CyberSpace Policy Review, 2009)

Further, the number of attacks is increasing; for example, SC Magazine 20 November 2009 reported that the number of cyber attacks against the Department of Defense was increasing year-over-year 2009 to 2008 by some 60%!

And the penetration of our critical systems spans our industrial, civilian, and defense establishment and even crosses international boundaries. Most recently reported, these included the following:

· F-35 Joint Strike Fighter $300B program at Lockheed Martin,

· The Space Shuttle designs at NASA

· The joint U.S. South Korean defense strategy

· The Predator feeds from Iraq and Afghanistan and more.

Thankfully, these events have not translated down en-masse and with great pain to the individuals in the public domain. However this is a double-edged sword, because on one had, as citizens we are not yet really “feeling the pain” from these cyber attacks. On the other hand, the issue is not taking center stage to prevent further and future damage.

This past week, I had the honor to hear Mr. James Gossler, a security expert from Sandia National Labs speak about the significant cyber security threats that we face at MeriTalk Innovation Nation 2010 on the Edge Computing panel that I was moderating.

For example, Mr. Gossler spoke about how our adversaries were circumventing our efforts to secure our critical cyber security infrastructure by being adept and agile at:

· Playing strength to weakness

· Developing surprising partners (in crime/terror)

· Changing the rules (“of the game”)

· Attacking against our defenses that are “naïve or challenged”

In short, Mr. Gossler stated that “the current state-of-the-art in information assurance [today] is significantly outmatched” by our adversaries.

And with all the capabilities that we have riding on and depending on the Internet now a days from financial services to health and transportation to defense, we do not want to be outgunned by cyber criminals, terrorists, or hostile nation states threatening and acting in ways to send us back to the proverbial “stone-age.”

Unfortunately, as a nation we are not moving quickly enough to address these concerns as retired Navy vice admiral Mike McConnell was quoted in Federal Computer Week: “We’re not going to do what we need to do; we’re going to have a catastrophic event [and] the government’s role is going to change dramatically and then we’re going to go to a new infrastructure.”

Why wait for a cyber Pearl Harbor to act? We stand forewarned by our experts, so let us act now as a nation to defend cyber space as a free and safe domain for us to live and thrive in.

There are a number of critical obstacles that we need to overcome:

1) Culture of CYA—we wait for disaster, because no one wants to come out first—it’s too difficult to justify.

2) Security is seen as an impediment, rather than a facilitator—security is often viewed by some as annoying and expensive with a undefined payback, and that it “gets in our way” of delivering for our customers, rather than as a necessity for our system to work

3) We’ve become immune from being in a state of perpetual bombardment—similar to after 9-11, we tire as human beings to living in a state of fear and maintaining a constant state of vigilance.

Moreover, to increase our cyber security capabilities, we need to elevate the role of cyber security by increasing our commitment to it, funding for it, staffing of it, training in it, tools to support it, and establishing aggressive, but achievable goals to advance our capabilities and conducting ongoing performance measurement on our initiatives to drive results.