Critical infrastructure protection, Stuxnet, exploding computers, blackouts, collapsing banking systems, and cyber war!! None of us have escaped the headlines warning of impending cyber doom, but this is just sensationalism, right? How bad is the situation really? If we have a serious security problem, how do we get ourselves out of this mess? In particular, what can I do to improve my situation and protect those I care about? Each week, this easy-to-understand Cyber Security Awareness Series will quote cyber security insiders to progressively answer these important questions.

In last week’s article, we learnt that according to the US National Security Agency (NSA): “There is no such thing as ‘secure’ anymore.” Worse, critical aspects of today’s mainstream civilian cyber security ecosystem foundations are fundamentally flawed at the conceptual design, architecture and implementation levels. (See Synaptic Labs’ free 2012 Annual Cyber Security Reports online for the full blow-by-blow disclosure.) Weak cyber security is one of the most serious economic and (inter)national security challenges we face today. In fact, many world-leading experts argue that today’s cyber security risks place the stability of entire nations at risk.

The US government position is: “It’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation. It’s also clear that we’re not as prepared as we should be, as a government, or as a country.” The UK government position, articulated in a rare public statement by Ian Lobban, Director General of the UK Government Communications Headquarters (GCHQ), is: “The UK’s critical infrastructure faces a ‘real and credible’ threat of cyber attack. It goes to the heart of our economic well-being and national interest.” To quote Brian Snow, former Technical Director of the US NSA’s Information Assurance Directorate: “No (person or) organisation is immune and it is no longer credible to say: Not my problem!”

Unfortunately, cyber attacks can disrupt and destroy our critical infrastructure. For example, cyber attacks can cause extensive physical damage, leading to significant economic losses, social losses, and even loss of life. If you are not familiar with cyber-physical systems (computer systems that regulate the operation of industrial equipment), then you might just look at your iPhone or desktop and think such statements are dubious at best! For the benefit of those readers imagining a million exploding iPhones wiping out the upper-middle-class population of a country, we will quote Dr James Andrew Lewis, Director and Senior Fellow, US Center for Strategic & International Studies (CSIS): “The electrical grid… A popular target in the military… If you go back 30 years like in Warsaw Pact planning, one of the first things they are going to strike is the electrical grid. Very vulnerable. So blackouts, and more importantly, physical destruction, which we know they can do. [sic] In 2007, there was a test at the Idaho National Labs by Michael Assante, in which he asked: ‘If I was a hacker, and I hacked into the control system, kinda like Stuxnet, of one of these big huge room-sized generators, what could I do to it?’ The answer is: ‘you can make it jump up and down, emit smoke, and shake itself to pieces.’ So we know the ability to do physical destruction is there.”

To quote Prof. Isaac Ben-Israel, Cyber Security adviser to Israel’s Prime Minister and Director of the Defence Research & Development Directorate in the Israel Ministry of Defence: “If you want to hit a country severely you hit its power and water supplies. Cyber technology can do this without shooting a single bullet.” O. Sami Saydjari, formerly a Director’s Fellow at the US NSA, testified that a cyber attack could take down the power grid, taking ~6 months to restore. Consequently, the Internet and telephone system would stop, banks would close, looting would occur, and food production would cease. The US would go from “being a super power to a third-world nation practically overnight”.

There are also other industrial control systems, like those controlling chemical plants, refineries, nuclear power generators, and so on. The Stuxnet virus, which is believed to have caused physical damage in the Iran nuclear facilities, has since been found in hundreds of plants around the world. Today, the urgency to protect critical infrastructures in countries around the world remains extremely high. According to the Cisco 2Q11 Global Threat Report: “Among the top 10 fields affected by cyber-crime, companies in the pharmaceutical and chemical industries were at the highest risk of malware attacks.” To quote the 2nd Annual Critical Infrastructure Protection Report (March 2011): “Nearly two-thirds of critical infrastructure companies report regularly finding malware designed to sabotage their systems.”

Recent security failures, like the data breach of Global Payments Inc., demonstrate how vulnerable the banking and financial sector is to cyber threats. Like most other industries, their information systems suffer from conceptual design and implementation security flaws. Search for “Chip and PIN is Broken” and “Practices and Difficulties of key management on the credit card market” for starters. Yet all these problems are just the tip of the iceberg. To quote US Vice Admiral J. Mike McConnell (Rtd), former Director of the US NSA and adviser to US President Obama: “The world cannot function without an effective banking system, and it is possible to contaminate the database upon which banking operates. There is no gold standard, no dollar bills, so if you can just contaminate the data in one large bank, you could cause global banking to collapse.” (Dec 2010)

These examples illustrate how critical good cyber security is to the economic and social well-being of our community. Most of the tactics used to attack critical infrastructure are also used against the rest of us! In fact, it is common practice to attack “soft targets”, such as computers used by non-technical office staff, and then use them to launch further attacks. It follows that each of us has the response-ability to be proactive right now to protect our collective interests.

In our last article we talked about the importance of installing anti-virus tools and getting into the daily routine of software patching to reduce your exposure to known cyber attacks. In this article we talk about “Cyber Trust” and the importance of “Digital Provenance” to reduce our exposure to both known and unknown cyber attacks.

In the physical world, provenance matters. We only trust food and beverages supplied by reputable vendors and handed to us by trustworthy people. We may trust an unknown bartender to make us a mixed drink, but we typically will not trust a person we just met at a nightclub to bring that drink to us. Why? In the former case we assume that the nightclub is monitoring its employees’ behaviour, so the chance of the bartender tampering with our beverage is low. In the latter case, we have no assurance that our drink has not been tampered with, for example laced with a drug or poison, before we receive it.

Just like things in the physical world, software can be tampered with. In this case, instead of a drug or poison, malware is injected into software to add malicious features. Unfortunately, this tampering is nearly impossible for the untrained user to detect before it is too late. Furthermore, anti-virus tools are not perfect: malware can, and does, get through.

For this reason, only trust software created by reputable (commercial and open-source) vendors and supplied to you through trustworthy channels. It is essential to get into the routine of asking yourself: What assurance do I have that this software will behave in my best interest? Who manufactured it? Could it have been tampered with before I got it? Unfortunately, in today’s online climate, if you don’t know a program’s provenance, chances are very high that it has been tampered with. Installing compromised software exposes your computer and sensitive data to unknown malicious third parties. Your hacked computer can also be used to attack other systems without your knowledge or consent.

If you are concerned your computer may already have been compromised, talk immediately to a computer technician about getting all your personal data safely backed up, your system cleaned, all your favourite software sourced from reputable authorised distributors, and your computer system back in top shape! If your software is causing you security headaches, then write to the vendor telling them “You must do better.” Be cyber smart, be cyber safe, and remember Brian Snow’s advice that “it is no longer credible to say: Not my problem!” Take what action you can and be sure to read the next article in this series and join us in taking the next steps to secure (y)our world!
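As an added illustration that is not part of the original column, the following Python script shows what checking a program’s digital provenance looks like in practice: it reads a vendor-published checksum manifest in the real sha256sum(1) format, compares each downloaded file against it in constant time, and reports files that were tampered with, never published, or not received. The vendor, the file names and the file contents are constructed for the example.

```python
import hashlib
import hmac

def build_manifest(files: dict) -> str:
    """What a vendor publishes: one 'digest  filename' line per release file (sha256sum format)."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in files.items())

def parse_manifest(text: str) -> dict:
    """Parse sha256sum(1) output: '<hex>  <name>' (text mode) or '<hex> *<name>' (binary mode)."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest[1:] if rest[:1] in (" ", "*") else rest  # drop second space or '*' marker
        if len(digest) != 64 or set(digest.lower()) - set("0123456789abcdef") or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected

def verify_downloads(manifest_text: str, downloads: dict) -> dict:
    """Map each file name to 'ok', 'tampered', 'unlisted' (not in manifest) or 'missing'."""
    expected = parse_manifest(manifest_text)
    status = {}
    for name, data in downloads.items():
        if name not in expected:
            status[name] = "unlisted"          # vendor never published this file
        elif hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected[name]):
            status[name] = "ok"                # constant-time digest comparison
        else:
            status[name] = "tampered"          # contents differ from what the vendor built
    for name in expected.keys() - downloads.keys():
        status[name] = "missing"               # listed by the vendor but not received
    return status

# Constructed release as built by a fictional vendor. The manifest must reach the user over a
# trusted channel (vendor HTTPS site, signed release), never bundled with the download itself.
GENUINE = {"installer.bin": b"\x7fELF genuine installer bytes", "README.txt": b"Run installer.bin\n"}
VENDOR_MANIFEST = build_manifest(GENUINE)

def demo() -> dict:
    # Constructed downloads: one faithful copy, one altered by a single byte, one extra file.
    downloaded = {
        "installer.bin": b"\x7fELF genuine installer byteS",   # last byte changed in transit
        "README.txt": GENUINE["README.txt"],
        "helper.exe": b"MZ unrelated binary nobody published",
    }
    return verify_downloads(VENDOR_MANIFEST, downloaded)

if __name__ == "__main__": print(demo())
```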
by Ron Kelson, Pierluigi Paganini
You can find full citations to all materials referenced in this article, and related cyber security materials including Brian Snow’s presentation, at tinyurl.com/SynapticLabsAnnualReports2012. Co-author Pierluigi Paganini, Director and CISO of Bit4ID, Italy, has 20+ years of security experience and many years of in-depth investigative cyber security journalism on important cyber events. Find his blog at securityaffairs.co.

ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part-funded by the Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu has links to free cyber awareness resources for all age groups. To promote Maltese ICT to the world, we encourage all ICT professionals to register on the ICT GM Skills Register and keep aware of developments, both in cyber security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at firstname.lastname@example.org.