It’s a Security Competition

Wednesday, April 14, 2010 @ 07:04 PM gHale


By Bob Felton

Even as American manufacturers eye offshore competitors and wonder what the looming overhaul of the financial system means for capital investments in industrial productivity, computer security experts warn cyber attacks cost the United States $6 million per day – and that it’s going to get worse.

“We’re in the Wild West right now,” says Eric Byres, an industrial security consultant from Byres Security, adding that an unprotected computer connected to the Internet is typically compromised in just 5 minutes. The nerdy kids joyriding around cyberspace have quit the field, Byres says, displaced by nation-states seeking a competitive edge and organized computer criminals who operate much the same way as the community luminaries at Rotary, with formal RFPs, price lists and, when it’s useful, joint ventures. They need to operate efficiently; it’s a competitive business. The cost of e-mail addresses is down to a mere 1 cent per 1,000 addresses, 85% deliverable; a botnet with 1,000 nodes might go for as little as $100; credit card information, excepting CVV2, can be had for $1 (all prices in US dollars).

At prices like those, criminals must troll relentlessly for unprotected data.

Worse, though movie fantasies imagine great cities abruptly gone dark and rockets launched from silos, the humdrum reality is that a compromise may go unnoticed: a small bit of code may be parked inconspicuously amongst thousands of cryptically named files, waiting for activation years in the future; the system may have been surreptitiously enlisted in a global criminal conspiracy to deliver child pornography or launder money; confidential data may have been stolen and sold; embarrassing or confidential data may be on its way to a hostile Web site.

Under attack

The possibilities are as wide-ranging as global business itself. According to a study commissioned by McAfee, the anti-virus software giant, titled In the Crossfire: Critical Infrastructure in the Age of Cyber War:

  • Critical infrastructure owners and operators report their networks and control systems are under repeated cyber attack, often from high-level adversaries like foreign nation-states. Assaults run the gamut from massive distributed denial of service (DDoS) attacks designed to shut down systems all the way to stealthy efforts to enter networks undetected.
  • Although attribution is always a challenge in cyber attacks, most owners and operators believe foreign governments are already engaged in attacks on critical infrastructure in their country. Other cyber attackers range from vandals to organized crime enterprises. Financially motivated attacks like extortion and theft-of-service are widespread.

The good news: The experts contacted by ISSSource are not expecting exotic new attacks. They are expecting the familiar attacks, albeit raised to new levels of sophistication and subtlety, and most of those are repelled by good, alert business practices.

“Attacks,” says Invensys’ Ernie Rakaczky, portfolio program manager for Control Systems – Cyber Security, “are more sophisticated, but better practices would have prevented them.” Cybersecurity, he continues, should be “embedded into the culture, like safety.” The place to begin is with an audit of a system’s ports to the outside world; there often are more than even the IT group thinks. Byres recalls a plant audit where he was told there was only one connection, but in fact there were 17.
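The audit Rakaczky and Byres describe starts with an inventory of which connections actually leave the plant network. The script below is an added illustration, not code from the article or from either consultant: it parses connection listings in the style of `netstat -tn`, separates sessions to the plant's own address ranges from those to outside addresses, and reports the external peers and the local ports they reach. The sample listing and the assumption that the plant uses the RFC 1918 ranges are constructed for this example; a real audit substitutes the ranges actually assigned to the control network.

```python
import ipaddress
from collections import defaultdict

# Assumption for this example: the plant's own address space is the RFC 1918
# ranges. Replace with the ranges really assigned to the control network.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in the style of `netstat -tn` output
# (Proto Recv-Q Send-Q Local-Address Foreign-Address State).
# Every address and port here is made up for the example.
SAMPLE_CONNECTIONS = """\
tcp 0 0 10.1.5.20:502   10.1.5.7:49211      ESTABLISHED
tcp 0 0 10.1.5.20:502   10.1.5.9:49380      ESTABLISHED
tcp 0 0 10.1.5.20:44010 203.0.113.45:443    ESTABLISHED
tcp 0 0 10.1.5.20:44011 203.0.113.45:443    ESTABLISHED
tcp 0 0 10.1.5.20:3389  198.51.100.17:52001 ESTABLISHED
tcp 0 0 10.1.5.20:5900  192.0.2.88:60120    ESTABLISHED
tcp 0 0 10.1.5.20:22    10.1.5.30:55000     ESTABLISHED
"""


def parse_connections(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "udp"):
            continue  # header lines, blank lines, unix sockets
        local, remote, state = parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), state


def is_external(ip):
    """True when the address lies outside the plant's own ranges."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def external_peers(text):
    """Map each external remote address to the sorted local ports it reaches.

    Only ESTABLISHED sessions count; LISTEN and TIME_WAIT entries are noise
    for this purpose.
    """
    peers = defaultdict(set)
    for lip, lport, rip, rport, state in parse_connections(text):
        if state == "ESTABLISHED" and is_external(rip):
            peers[rip].add(lport)
    return {ip: sorted(ports) for ip, ports in peers.items()}


def audit_summary(text):
    """Return (internal_sessions, external_sessions) for established sessions."""
    internal = external = 0
    for _, _, rip, _, state in parse_connections(text):
        if state != "ESTABLISHED":
            continue
        if is_external(rip):
            external += 1
        else:
            internal += 1
    return internal, external


if __name__ == "__main__":
    inside, outside = audit_summary(SAMPLE_CONNECTIONS)
    print("established sessions: %d internal, %d external" % (inside, outside))
    for ip, ports in sorted(external_peers(SAMPLE_CONNECTIONS).items()):
        print("  external peer %-15s -> local ports %s" % (ip, ports))
```

Run against real output from several hosts, the list of distinct external peers is the starting point for the "how many connections do we really have" question; inbound sessions to remote-access ports (3389, 5900 in the sample) deserve the first look, since they are the ones an IT inventory most often omits.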

One often neglected opening? The company’s Web site: if it offers a search function, it may be possible to reach the underlying database and change user permissions by entering an SQL command in place of a search term, the attack known as SQL injection.
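The search-box weakness described above comes from building the query out of the user's text. The following is an added example, not code from the article: a deliberately vulnerable search function that concatenates the term into the SQL, beside the corrected form that passes the term as a bound parameter so the database engine never interprets it as SQL. The product table and the probe string are constructed for the demonstration; the table is held in an in-memory SQLite database so the snippet runs offline.

```python
import sqlite3


def make_db():
    """Constructed sample catalogue: two public rows and one that the public
    search must never return."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [
            ("Valve actuator", 1),
            ("Pressure transmitter", 1),
            ("Internal price list", 0),
        ],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Builds the statement by string concatenation.

    The search term becomes part of the SQL text, so a term containing a
    quote character can close the string literal and rewrite the WHERE clause.
    Shown only to contrast with search_safe below.
    """
    sql = (
        "SELECT name FROM products WHERE public = 1 AND name LIKE '%"
        + term
        + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised statement: the SQL text is fixed and the term travels
    as a bound value, so quotes or comment markers in it are just data."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    # Ordinary search: both versions behave the same.
    print(search_vulnerable(db, "transmitter"), search_safe(db, "transmitter"))
    # Probe string with a quote and a comment marker (constructed test input):
    # the concatenated version's WHERE clause is rewritten and the non-public
    # row leaks; the parameterised version looks for the string literally.
    probe = "%' OR 1=1 --"
    print(search_vulnerable(db, probe))
    print(search_safe(db, probe))
```

The fix is the parameter placeholder, not escaping: an escaping routine has to anticipate every quoting rule of the database, while a bound parameter is handed to the engine outside the statement text. The same applies to the user-permission table the article mentions; a search handler that cannot inject SQL cannot reach it, whatever the search term contains.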

Superfluous connections, says Rakaczky, must be eliminated. Those that remain must be defended and, what is more, access to individual nodes on the system sharply circumscribed. An instrument, he notes, rarely has the capacity to recognize an illicit command, so protection must limit those empowered to issue a command. This means, inevitably, fine-tuning the permissions available to individuals throughout the organization, on every node across the system, ranging from instruments to databases to files to applications. Byres seconds those recommendations, adding containment should be part of the system design, so the effects of a surreptitious entry in one part of the system are unable to cascade to others, likening the concept to isolating leaks on a ship using bulkheads.
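Rakaczky's point that an instrument cannot judge a command itself, so the control has to sit with who may issue it, and Byres's bulkhead analogy can be combined in one enforcement point. The model below is an added example, not code from the article or from Invensys or Byres Security: a small command gateway that denies by default, allows only explicitly listed (person, node, action) triples, and permits a command to cross from one zone to another only through a listed conduit, so a compromise in one zone cannot reach nodes in the next. The plant layout, the people and the permission entries are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    zone: str


# Constructed plant model (assumption for this example, not from the article).
NODES = {
    n.name: n
    for n in [
        Node("HMI-A", "process-A"),
        Node("PLC-101", "process-A"),
        Node("PLC-202", "process-B"),
        Node("HIST-1", "historian"),
        Node("ENG-WS", "engineering"),
    ]
}

# Explicit allow-list of (principal, target node, action).
# Anything not listed is denied: there is no wildcard entry.
PERMISSIONS = {
    ("op_smith", "PLC-101", "read"),
    ("op_smith", "PLC-101", "setpoint"),
    ("eng_lee", "PLC-101", "setpoint"),
    ("eng_lee", "PLC-101", "download"),
    ("eng_lee", "PLC-202", "download"),
    ("contractor_x", "HIST-1", "read"),
}

# Bulkheads: a command may cross zones only along a listed (from, to) conduit.
# Note there is no conduit between process-A and process-B, and nothing
# leads back out of the historian zone.
CONDUITS = {
    ("engineering", "process-A"),
    ("engineering", "process-B"),
    ("process-A", "historian"),
    ("process-B", "historian"),
}


class CommandGateway:
    """Reference monitor in front of the instruments: every command is
    checked here, and every decision is recorded."""

    def __init__(self):
        self.audit_log = []

    def authorize(self, principal, source_node, target_node, action):
        """Return (allowed, reason). Zone check first, then the per-node
        permission check; both must pass."""
        src, dst = NODES[source_node], NODES[target_node]
        if src.zone != dst.zone and (src.zone, dst.zone) not in CONDUITS:
            allowed, reason = False, "no conduit %s -> %s" % (src.zone, dst.zone)
        elif (principal, target_node, action) not in PERMISSIONS:
            allowed, reason = False, "%s not permitted %s on %s" % (
                principal, action, target_node)
        else:
            allowed, reason = True, "permitted"
        self.audit_log.append((principal, source_node, target_node, action,
                               allowed, reason))
        return allowed, reason

    def denials(self):
        """Denied attempts: the entries worth reviewing, since they show
        who tried to reach what beyond their role."""
        return [entry for entry in self.audit_log if not entry[4]]


if __name__ == "__main__":
    gw = CommandGateway()
    requests = [
        ("op_smith", "HMI-A", "PLC-101", "setpoint"),        # allowed
        ("op_smith", "HMI-A", "PLC-202", "setpoint"),        # blocked by bulkhead
        ("eng_lee", "ENG-WS", "PLC-202", "setpoint"),        # conduit ok, no permission
        ("contractor_x", "HIST-1", "PLC-101", "read"),       # historian cannot reach back
    ]
    for req in requests:
        print(req, "->", gw.authorize(*req))
```

The order of the checks matters: the zone rule is evaluated before the permission table, so a valid credential used from the wrong zone is still refused. That is what turns a single compromised operator station into a local problem rather than a plant-wide one.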

Investigators in rolodex

Andrew MacPherson, Director of the Technical Analysis Group at the University of New Hampshire’s Justiceworks, suggests plant computer security requires an extra step: getting to know the local CERT, Computer Emergency Readiness Team. It’s the best way to find out whether an overt attack against a system is specific to a particular installation or part of a general, more widespread regional disruption.

Noting that attacks range from hardly noticeable criminal activity (quietly hijacking a bit of processor capability and storage space, for instance) to corporate espionage, to economic disruption, MacPherson draws attention to the difficulty of gaming attack scenarios in a world where easy, widespread connections are becoming the norm; companies don’t like to talk about security breaches, and “we have little experience with long, concerted attacks.” It’s possible, too, that cheap, barely noticeable penetrations could be much more damaging than expensive, protracted efforts to disable a system: “Suppose,” he speculates, “the formula for Coke was stolen and published on the Web?”

The bottom line?

ISSSource’s contacts are unanimous in saying the greatest threats are not exotic pieces of code brewing in underground computer laboratories, but local practices and personnel: a culture that fails to embed computer security as a staple of “how it’s done here,” the disgruntled employee with needless permissions, the contractor with flexible, ad hoc loyalties.

Jim Pinto, a long-time and leading observer of the automation industry, noting that wireless traffic is relatively easy to disrupt, wonders if the widespread switch to wireless is a good thing. No matter. The security battle, he judges, will go on forever: “It’s an interesting game.”

Bob Felton is an engineer and freelance writer in North Carolina. You can contact him at BobFelton@gmail.com.
