Sep 09, 2014

Who’s Smarter, Hackers or Defenders?

I am sometimes befuddled at just how much press (negative and otherwise) hackers receive. Truth be told, perhaps my befuddlement contains just a twinge of jealousy (okay, maybe more than a twinge). Although hackers may not have attained the status of rock stars yet, I can imagine throngs of hacker groupies hanging around just outside the back door waiting to pounce on the clueless geeks as they emerge from an all-night hacking session.

Sure, I’ve done some white-hat hacking. I have had training through a university, SANS, and multiple visits to the Idaho National Laboratory. I’ve used many of the tools that are commonly available. What I have gathered in all this time is that hacking is easy. Let me explain. It’s easy in the sense that typically the hacker is not creating vulnerabilities (such can only be done by system designers and software developers), but taking advantage of vulnerabilities discovered. The adoration heaped on hackers strikes me as akin to admiring a clever thief because they found the back door unlocked. Granted, the thief may have scoured hundreds of neighborhoods with an advanced algorithm searching for this one unlocked door, but that is hardly a remarkable let alone admirable feat.

Sep 08, 2014

Beyond AIC: Tom Clancy’s take on cyber-physical attacks

Too often, discussions of cyber-physical attack scenarios and how to prevent them focus on the idea that a cyber attacker could disrupt or freeze process control, thereby causing downtime. This thinking is in line with the common misconception that cyber-physical security is just another form of information security, the major difference being that the basic protective priorities of confidentiality, integrity, availability (CIA) only need to be reordered to availability, integrity, confidentiality (AIC), and, bingo, we can secure process control using otherwise identical concepts, products, and procedures from infosec.

The misconception comes from framing the problem within the conceptual space of information security and ignoring the physical side of process control – which shouldn’t come as a surprise when infosec people are invited to lead the discussion. However, cybernetics is not the same as IT, and the availability of digital components (in infosec terms) is not necessarily the highest priority of cyber-physical defense.

Interestingly, fiction writer Tom Clancy had this insight intuitively when writing his thriller “Threat Vector” in which a Chinese state-owned hacker organization (the “Red Hacker Alliance”) cyber-attacks US critical infrastructure. In the following quote, the villain named “Tong” is a Chinese super-hacker that may have been modeled with characters like Ugly Gorilla in mind:

“During a public dispute between China’s state-owned petroleum organization and an American oil company over a pipeline contract in Brazil, Tong came before the leadership of the MSS [Ministry of State Security] and asked them, quite simply, if they would like his Red Hacker Alliance to destroy the oil company. He was asked by the ministers if he intended to destroy the American oil company’s dominance in the marketplace.

‘That is not what I mean. I mean, physically ruin them.’ – ‘Shut their computers down?’ (…) ‘Of course not. We need their computers. We have obtained command-level control of their pipelines and oil-drilling capacity. We have kinetic capabilities at their locations. We can cause actual real-world destruction.’”

(Tom Clancy, Threat Vector)

Malicious process control requires fully-functional control systems, making the digital disruption of SCADA and PLCs look like a foolish beginner’s mistake. A cyber-physical attack is not an attack against a control system, but an attack against the physical equipment or process that it controls. It is therefore a dangerous oversimplification to identify cyber-physical defense with ICS security or, even worse, SCADA security.

What we really have to be concerned about is digital process control security, which cannot be assured without understanding the physical process and equipment and their specific analog vulnerabilities, and which may even involve analog components such as last-line-of-defense analog safeguards for high-value targets. That’s the major reason why we include process and equipment engineering principles in Critical Penetration Analysis.

Sep 07, 2014

IT vs. ICS: An Attacker’s Perspective

There are extensive treatments of the similarities and differences between information technology (IT) systems and industrial control systems (ICS), but these differences are more than just academic concerns. Many IT hacks reported in the media seem to be opportunistic, in the sense that the hackerverse exerts constant pressure on IT systems, searching for targets of opportunity or weak links in the defense. In contrast, deploying effective cyber weapons intended to sabotage critical infrastructure is not simply a matter of finding the latest vulnerability in an OPC server or a hard-coded password in a PLC.

For the purpose of discussion, a cyber weapon is a software artifact designed to cause physical harm to objects, people, or the environment. Turning machines into weapons is not a new idea, and the notion has been stated openly by entities such as the Chinese PLA: “The new concept of weapons will cause ordinary people and military men alike to be greatly astonished at the fact that commonplace things that are close to them can also become weapons with which to engage in war.”

Sep 06, 2014

Five Steps to Critical Penetration Analysis

Penetration tests (pentests) have gained recognition as a legitimate approach to identifying and then, in theory, mitigating discovered weaknesses. The pentest industry even has a magazine (PenTest Magazine), and there are some tools out there that you, as an industrial control systems (ICS) cyber security professional, ought to have in your tool set, like the PWN Phone or the Metasploit modules from Digital Bond. With the various tools of the trade you will undoubtedly discover at least one vulnerability in your network, and with that information in hand, you may then get the resources to fix that problem.

Sep 03, 2014

RIPE brochure available for download

Our new RIPE brochure, highlighting the characteristics and benefits of the RIPE Cyber Security and Robustness Program, is available for download (PDF):

English language version

German language version

Aug 11, 2014

Attacking critical infrastructure with chainsaws and rifles

As reported by the German Frankfurter Allgemeine Zeitung, unidentified attackers broke into a cable duct of Germany’s telecommunications provider Kabel Deutschland (a Vodafone subsidiary) and cut fiber optic cables, causing an Internet, TV and telephony blackout for parts of Berlin. The attack is noteworthy because, according to the reporting, the attackers acted professionally and knew exactly where and how to strike in order to cause significant damage, bypassing physical access control and alarms. We don’t know if they actually used chainsaws to cut the cables, but they obviously didn’t need zero-day exploits.

Aug 07, 2014

Nationalize Cyber Security for Critical Infrastructure: Seven Points to Ponder

We have touched on the subject of regulation before in the blog post Nothing to Fear but Fear (i.e., Regulation) Itself. It is a complicated issue with multiple stakeholders (unfortunately, some of those stakeholders never get a seat at the table). We should have a reasoned debate over nationalizing cyber security for critical infrastructure and that debate ought to include more voices than just corporations (I know, corporations are supposed to be people too. I will believe that when a corporation goes to jail for breaking the law). Although the perspective herein is U.S.-centric, the issue is clearly not confined to any geographic location.

Aug 06, 2014

Quote of the day — On system understanding (or the lack thereof)

“No one realized that the pumps that delivered fuel to the emergency generators were electric.”

Angel Feliciano
Representative of Verizon, explaining why Verizon’s backup power failed during the August 13, 2003 blackout causing disruption to the 911 service

Aug 05, 2014

The Trouble with Threat Thinking

The world seems to be fixated on the cyber threat. There are exceedingly elaborate methods for capturing, characterizing, and sharing the signatures of emerging threats in real time. Public and private efforts to stay one step ahead of the threat (or at least not too far behind) include machine-to-machine exchanges of threat information. We have STIX and TAXII, we have threat analytics, threat collaboration, and even threat managed services. Our ability to identify threat actors has advanced to the point where the federal government has issued arrest warrants for citizens of other countries. Going after the threat actors does seem like a good use of all this threat information. However, the question remains as to just how much this helps the defenders of critical infrastructure.

Aug 01, 2014

Quote of the day — on the non-technical reasons for cyber insecurity

“The underlying reason that cybersecurity is so poorly done is not that there is a crying need for more research and development, or that it is impossible to secure these systems. It is that we fail as a society to apply the lessons of the past. Indeed we fail to even review the past and seek to understand how it applies to the present and future.”

Fred Cohen
