The Lay of the Land

We know bad things can happen but we are not doing enough about it
By Sean Martin, a CISSP and the founder of imsmartin consulting, Network World, May 04, 2012 04:23 PM ET

Cybercriminals have already figured out how to hack into enterprise infrastructure, and the critical infrastructure that controls our nation's supply of water, gas, oil and electricity just might be next. With so many connections and shared vulnerabilities between the two infrastructures, the inevitability of this is unsettling. If the critical infrastructure is successfully penetrated, electrical grids could be shut down, water supplies could be turned off, telecommunications channels could be severed, and transportation systems could come to a halt. Take the electrical grid offline and massive numbers of power-reliant entities could grind to a halt, everything from banks to hospitals.

Each day brings media attention to yet another breach, but it seems we are unable to make headway on the security front. It's certainly not from a lack of resources; we have plenty of technology, standards, and regulations to draw upon.

It seems to boil down to the fact that we continue to do stupid things. We still write insecure code. We still don't patch our systems. We still don't control user rights properly. We still use the same usernames and passwords across multiple accounts throughout both our personal and business worlds. And, you guessed it -- these passwords we use aren't even managed well. It's no wonder corporations continue to get hacked.

But what we should be most concerned about is that our two infrastructures -- the private/commercial/enterprise infrastructure and the critical/industrial/utility infrastructure -- are interconnected in many ways, and security weaknesses within either therefore put both at risk.

Approximately 85% of the nation's critical infrastructure is owned by the private sector, according to the U.S. Government Accountability Office.
And, with pressure to increase profits and reduce expenses, many utilities have combined their control system networks with their commercial business networks, according to Arjen Zwaag of Cisco, speaking at a Pipeline Technology Conference. By operating over a shared network, not only do the two environments now share the same vulnerabilities, but a hacker also now has a clear, direct and trusted path to get from one environment to the other.

Adding to this, these same business networks are also connected to other private and commercial networks designed to provide end-to-end business functions, including services such as telecommunications, research and development, IT help desk and support, and many more. For hackers, this means even more shortcuts to the critical infrastructure. Many sophisticated and targeted attacks known as advanced persistent threats (APTs) don't go directly for the pot of gold; instead they tend to find more easily accessible initial points of entry within less secure systems, and then, once they're in, strategically and unobtrusively work their way through chains of connected systems and networks to reach their end targets.

APTs are unavoidable by nature, and a compromise within the private/commercial infrastructure that extends to a compromise within the critical infrastructure could lead to unfathomable amounts of damage. With the public utilities facing well-organized and sophisticated attacks on a daily basis, one must wonder if hackers are already taking this approach of attacking commercial enterprises first as a means to make their way into the critical infrastructure. It is inevitable that these cyber adversaries will someday attack the oil industry, the transportation sector, and the electric grid via the commercial enterprise.

"You don't know who is fingerprinting the critical infrastructure," said Francis Cianfrocca, CEO of Bayshore Networks, during an interview at the 2012 RSA Security Conference in San Francisco. Hackers "have found their way in -- you know they are in there -- you just don't know how they got in, where they are residing, and what they are doing there."

====Attack scenarios====

To better understand the national security implications, we have to look at how industrial control systems can be manipulated. When they first came into wide use, they were connected together via serial lines with no connection to the Internet, so physical security substituted for logical security in most cases. However, in the mid-'90s, control gear began to ship with Internet connectivity built in, exposing these devices to all the risks associated with being connected to the Internet and other networked systems.

We can look to the supervisory control and data acquisition (SCADA) system vulnerabilities highlighted at last year's Black Hat conference in Las Vegas to illustrate the possible consequences of an attack on the critical infrastructure. A hacker could feasibly leverage one of the SCADA system's numerous inherent vulnerabilities, such as a well-known hard-coded password on a power grid control system, in order to gain access to the system. [Also see: "Researchers expose flaws in popular industrial control systems"]

Then the attacker could, for example, capture "stop" commands from one self-controlled programmable logic controller (PLC) and play them back to another remote-controlled PLC via HTTP and telnet with the goal of shutting it down. Such a replay works because the command channel authenticates neither the sender nor the freshness of the message; any host that can reach the PLC's port can issue the same commands. The attacker could then further sabotage the environment by using the PLC to issue other malicious commands. Such commands could cause pipeline valves to open or close or centrifuge motor speeds to increase or decrease, any of which could damage individual components of the supply chain or even force the entire connected environment to collapse, or physically explode.
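As an added example that is not part of the article, the following Python sketch models why the capture-and-replay attack described above succeeds, and what a PLC would have to check to refuse it. The PLCs, the frame format, the device names and the keys are constructed for illustration and do not model any real industrial protocol.

```python
"""Added example (not from the article): a toy PLC command channel with and without
replay protection. The PLCs, frame format and keys below are constructed for
illustration and do not model any real industrial protocol."""
import hashlib
import hmac


class PlainPLC:
    """Toy PLC that acts on any command it receives: no sender authentication,
    no freshness check, so a captured frame works against any PLC of this type."""

    def __init__(self, name):
        self.name = name
        self.running = True

    def handle(self, frame: bytes) -> str:
        cmd = frame.decode()
        if cmd == "STOP":
            self.running = False
        elif cmd == "START":
            self.running = True
        return "OK"


class AuthPLC:
    """Toy PLC that accepts a command only if it carries this device's name, a
    strictly increasing sequence number and an HMAC under this device's key."""

    def __init__(self, name, key: bytes):
        self.name = name
        self.key = key
        self.last_seq = 0          # would need to survive a reboot in a real device
        self.running = True

    @staticmethod
    def build_frame(key: bytes, device: str, seq: int, cmd: str) -> bytes:
        body = f"{device}|{seq}|{cmd}".encode()
        tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        return body + b"|" + tag

    def handle(self, frame: bytes) -> str:
        body, _, tag = frame.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "REJECT:bad-mac"       # wrong key: frame was built for another device
        device, seq, cmd = body.decode().split("|")
        if device != self.name:
            return "REJECT:wrong-device"
        if int(seq) <= self.last_seq:
            return "REJECT:replay"        # this (or a later) sequence number already processed
        self.last_seq = int(seq)
        if cmd == "STOP":
            self.running = False
        elif cmd == "START":
            self.running = True
        return "OK"


def replay_against_plain():
    """Operator stops PLC-A; an on-path attacker replays the captured frame to PLC-B."""
    plc_a, plc_b = PlainPLC("PLC-A"), PlainPLC("PLC-B")
    captured = b"STOP"                    # exactly what crossed the shared network
    plc_a.handle(captured)                # legitimate operator action
    plc_b.handle(captured)                # replay: PLC-B cannot tell the difference
    return plc_a.running, plc_b.running   # (False, False)


def replay_against_auth():
    """Same capture-and-replay against PLCs that check key, device name and sequence."""
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"   # per-device keys (constructed)
    plc_a, plc_b = AuthPLC("PLC-A", key_a), AuthPLC("PLC-B", key_b)
    frame = AuthPLC.build_frame(key_a, "PLC-A", 1, "STOP")
    r1 = plc_a.handle(frame)   # OK: fresh, correctly keyed, addressed to PLC-A
    r2 = plc_b.handle(frame)   # rejected: MAC does not verify under PLC-B's key
    r3 = plc_a.handle(frame)   # rejected: sequence number 1 already consumed
    return r1, r2, r3, plc_a.running, plc_b.running


if __name__ == "__main__":
    print(replay_against_plain())   # (False, False)
    print(replay_against_auth())    # ('OK', 'REJECT:bad-mac', 'REJECT:replay', False, True)
```

The hardened variant only raises the bar: the attacker still needs to be kept off the control network, the per-device keys have to be provisioned and protected, and the sequence counter has to persist across power cycles, otherwise an old frame becomes fresh again after a reboot.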
Another plausible scenario is one in which a great deal of localized damage affects many people's lives. For example, by taking a power plant offline the attacker could leave scores of people in the dark, cause the water system pumps to go offline, force hospitals to function without critical equipment, and disable ATMs, fuel stations, and traffic signaling systems.

Consider the 2003 case in which a power grid failure affected roughly 55 million people in the U.S. and Canada, and showed how fragility within any of the nation's three electric regions -- East, West and Texas -- can lead to extended trouble. Because the balance between supply and demand of electricity is extremely close, any significant stress to the system could take it offline (by design), and the damage could be experienced on a wide regional scale.

All that is required to wreak some havoc is for a hacker to cause a generating station to go offline. The transmission grid is quite fragile with respect to localized disruptions; the grids are designed to shut themselves down automatically if they suspect a failure is pending. Therefore, an attacker would not need to do much to trigger such an event; a simple instruction telling the generating station that it is about to fail is all it would take. If the attacker is able to do this to a few stations, widespread impact could be experienced.

Even though there are flow regulators and switches located within the oil and gas supply chain which make it vulnerable to similar attacks, there are a lot more points within this sector that would need to be attacked to cause much damage; thus the environment is somewhat limited to localized failure. That said, the oil and gas industry is no stranger to attack. ABC News recently reported that the "Iranian oil ministry's computer network came under attack from hackers and a computer virus, prompting the Islamic Republic to disconnect the country's main oil export terminal from the Internet."

Somewhere between the oil and gas sector and the electrical grid lies the water sector. While the damage would be limited to a specific locality such as a large city or multi-city district, it could become a serious public health issue, or at least a public nuisance, if a water treatment plant or pumping station were taken offline.

"The oil and gas sectors are thinking more organically than the others," Cianfrocca says. "The rest are pretty much wide open to compromise as they aren't being forced to implement nor prove they have the right security in place, plus they simply don't have the budget to invest in all of the security layers required."

====Key weaknesses====

With all of this in mind, let's look at some of the security weaknesses that continue to enable hackers to break into the enterprise infrastructure, which may ultimately lead them to the critical infrastructure:
 * Application code vulnerabilities: With an average of 10% of code containing vulnerabilities, this is by far one of the more prevalent weaknesses that can be leveraged. The vulnerable systems don't have to be public-facing for an attacker to take them over; access to an "internal" system could be gained using SQL injection, cross-site scripting, or even a remote file inclusion. A hacker who arrives within a trusted partner network could, from that system, scan and probe any connected critical infrastructure systems and networks for other known application vulnerabilities.
 * Weak and recycled account passwords: In 2011, according to Tim Brown, CTO of CSID, the team at CSID collected more than 10 million records containing compromised identity information exposed by data breaches, which is now in the wild and available for sale or trade on the black market. More than eight million of these records contain email addresses with passwords, and many of these compromised accounts are directly related to corporate accounts. Gartner analyst John Pescatore says that "a lot of Anonymous' recent success has been in attacks where they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal applications or in email systems. What I think we are seeing is really what I like to call 'the curse of the reusable password.'" Using an account list extracted from a compromised enterprise, coupled with a black-market purchase of account, email, and login information, a hacker could match the two data sets and attempt logins to critical infrastructure systems that are now discoverable via the compromised trusted network.
 * Improperly managed account rights: Admin-level account privileges are often granted to commercial organizations' employees and partners to allow them to do their jobs without having to involve the IT help desk. Viewfinity CEO Leonid Shtilman warns that "most organizations are victims of 'privilege creep,' the situation where privileges are locked down initially by IT and are then increased little by little over time." When this is coupled with weak and/or recycled account passwords, hackers could gain access to sensitive or critical systems, applications and data within the critical infrastructure via an account that shouldn't have been accessible in the first place, or via an account that possesses too many user rights. This enables the hackers to do as they wish with these now-compromised resources with little probability of being detected.
 * Bring your own device (BYOD) trends: As more and more mobile technologies emerge, an increasing number of people within the commercial enterprise are bringing their own devices into the workplace. The security of these personal devices is often unregulated, which jeopardizes the security of an organization's entire network, plus that of any other networks connected to it.
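The password-reuse weakness above describes an attacker pairing a breach dump with an enterprise account list and trying the logins against systems reachable through the trusted network. The detection side of that, as an added example that is not from the article, is shown below over a constructed authentication log: one source walking through many accounts in a short window, with any success on an account known from a breach dump raising the severity. The log format, hostnames, addresses, account names, breached-account list and thresholds are all assumptions for this illustration.

```python
"""Added example (not from the article): detecting credential-stuffing patterns in
authentication logs. The log format, hosts, addresses, account names and thresholds
are all constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)"
)

# Constructed sample: one source walks through five accounts on a historian gateway
# and succeeds on one; two other sources show normal single-user behaviour.
SAMPLE_LOG = """
2012-05-04T10:00:01 host=ops-historian src=10.20.30.40 user=alice result=FAIL
2012-05-04T10:00:03 host=ops-historian src=10.20.30.40 user=bob result=FAIL
2012-05-04T10:00:05 host=ops-historian src=10.20.30.40 user=carol result=FAIL
2012-05-04T10:00:07 host=ops-historian src=10.20.30.40 user=dave result=OK
2012-05-04T10:00:09 host=ops-historian src=10.20.30.40 user=erin result=FAIL
2012-05-04T10:01:00 host=ops-historian src=10.1.1.5 user=frank result=OK
2012-05-04T10:02:00 host=ops-historian src=10.1.1.6 user=grace result=FAIL
2012-05-04T10:02:20 host=ops-historian src=10.1.1.6 user=grace result=OK
"""

# Constructed: enterprise accounts whose e-mail/password pairs were seen in a breach dump.
BREACHED_ACCOUNTS = {"alice", "dave"}


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag a source that tries at least `min_accounts` distinct accounts within
    `window`; a success on an account known from a breach dump raises the severity."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in win}
            if len(users) < min_accounts:
                continue
            hits = sorted({e["user"] for e in win if e["result"] == "OK"})
            alerts.append({
                "src": src,
                "host": first["host"],
                "distinct_accounts": len(users),
                "failures": sum(e["result"] == "FAIL" for e in win),
                "successes": hits,
                "severity": "high" if any(u in BREACHED_ACCOUNTS for u in hits) else "medium",
            })
            break   # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

The normal sources are not flagged: a single user mistyping a password once produces one account in the window, far below the threshold. What makes the flagged source actionable is the success on an account already present in the breach corpus, which is exactly the reused-password case the article warns about; that success should be treated as a compromised account, not just a noisy IP.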

====Fighting back====

To properly combat cross-infrastructure attacks, the following things need to occur:
 * Interconnected network security and assessment: Communications and network channels between the enterprise and the critical infrastructures need to be routinely assessed to ensure the proper security mechanisms are in place and functioning properly. "The community is realizing that monitoring may not go far enough and that continuous risk assessment -- actually proving what is exploitable before your hackers do -- is a longstanding practice found in many government cybersecurity programs that can and should be extended to the critical infrastructure and the commercial enterprises that support them," says Seema Sheth-Voss, director of solutions marketing at CORE Security.
 * Employ integrated security management: Security management solutions need to become more than just antivirus protection and log-management mechanisms. Security systems also need to address the applications themselves, leveraging application-layer firewalls. The security systems must employ constant monitoring of vulnerabilities and patches, understand and respond to anomalies in system, application, and user behaviors within and across the connected networks, and engage in big data security analytics across multiple sectors to develop industry-wide threat intelligence. "Security leaders really need to take a step back and reconsider the option of security consolidation where threat information from multiple vectors can provide deeper end-to-end threat intelligence," Sheth-Voss adds. [Also see: "Fast-forwarding firewall faceoff"]
 * Develop regulations with accountability: Regulations and best practices need to be defined, created, mandated, applied and enforced such that they cross over both the enterprise and the critical infrastructure entities. The Department of Homeland Security, the Department of Defense (DOD) and the Department of Energy (DOE) need to be at the forefront of fostering best practices and standards. The appropriate government entities should consider making funds for such purposes available to institutions farther down the chain beyond the capital goods vendors, such as the local/state entities that put the industrial control systems in place. In the end, the value of security must be described and demonstrated. "The North American Electric Reliability Corporation (NERC) CIP5 set of cybersecurity standards, as one example, is being defined to focus on security as opposed to just compliance, but it will be a few years before we can see it in action," Cianfrocca says.
 * Manage identities as humans: Security must focus on human behavior. Human-centric security is about recognizing that a digital identity is actually a human being; humans have patterns and behaviors that can be modeled, and risk can be adjusted based on a number of factors. "Humans tend to make more mistakes on Mondays and when they work more than 12 hours," says Brown. "Humans are more vulnerable to coercion when they have recently been divorced or have money issues; this can't be ignored." Of course, the human factor is present in the critical infrastructure, and many safeguards are in place to manage the physical aspects of humans. These same human-oriented safeguards need to be extended to the enterprise infrastructure as well.
 * Establish cross-sector communications: Critical infrastructure entities, government institutions and the private sectors that enable them need to share threat intelligence, working together as a common force to track down these would-be attackers. U.S. Secretary of Homeland Security Janet Napolitano recently told the Senate Homeland Security and Governmental Affairs Committee that "we need the information-sharing, and it needs to be real-time. It makes common sense." Organizations and government agencies need to get over their hang-ups on sharing information, no longer treating existing and emerging threats as information that requires clearance levels above top secret. It needs to be done in a way that doesn't tip off the bad guys, so perhaps some legislative work coupled with a neutral third-party entity could help to build and share this cross-entity threat intelligence.
 * Identify new technologies: One example of critical infrastructure protection is to utilize technologies that reduce (if not eliminate) vulnerabilities altogether. One such example is the use of BAE's STOP OS -- built especially for the DOD -- which does not require patches, thereby eliminating the need for staff and security experts to patch the infrastructure systems. Another option for secure virtual operating systems is Joyent's GuardTime-enabled SmartMachine, which prevents independently verified operating system modules and third-party applications from executing if they have been compromised in any way.

We must also remember that at the core of the critical infrastructure lies the platform: systems developed by industrial goods vendors such as GE, Emerson and Siemens. These companies need to be incented and/or required to build in and provide better security technologies as part of their devices, systems and services, so that they are not only more robust but also not subject to the risks faced by enterprise infrastructure.

One thing is for sure: policy, regulations, penalties and fines are not enough; this is the nation's critical infrastructure we are talking about. It's time we stop ignoring the risk that our profit-driven private sector enterprises pose to the critical infrastructure.
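The first item under "Fighting back" calls for routinely assessing the channels between the enterprise and the control networks. One concrete, repeatable form of that assessment, as an added example that is not from the article, is an audit of the rules that bridge the two zones: every allow rule from a business zone into the control zone is checked for an unrestricted source, an unrestricted destination, an unrestricted port, or an industrial protocol exposed directly, and every deny rule is checked for being shadowed by an earlier, broader allow. The zones, addresses, rule set and the list of permitted jump hosts are constructed for the illustration; the port numbers are the standard ones for those protocols.

```python
"""Added example (not from the article): a rule-set audit for the links between a
business network and a control network. The zones, addresses, rules and the set
of permitted jump hosts are constructed; port numbers are the standard ones."""

BUSINESS_ZONES = {"corporate", "partner"}
CONTROL_ZONES = {"control"}
JUMP_HOSTS = {"10.50.0.10"}   # assumed: the only hosts allowed to initiate into the control zone
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

FIELDS = ("src_zone", "src", "dst_zone", "dst", "port")

# Constructed policy, evaluated first match wins.
POLICY = [
    {"id": 1, "src_zone": "corporate", "src": "any", "dst_zone": "control",
     "dst": "any", "port": "any", "action": "allow"},            # the "combined network"
    {"id": 2, "src_zone": "corporate", "src": "10.50.0.10", "dst_zone": "control",
     "dst": "10.60.0.5", "port": 22, "action": "allow"},          # jump host to one engineering station
    {"id": 3, "src_zone": "partner", "src": "any", "dst_zone": "control",
     "dst": "10.60.0.20", "port": 502, "action": "allow"},        # vendor reaches a PLC directly
    {"id": 4, "src_zone": "control", "src": "10.60.0.5", "dst_zone": "corporate",
     "dst": "10.10.0.7", "port": 443, "action": "allow"},         # historian push outbound
    {"id": 5, "src_zone": "corporate", "src": "any", "dst_zone": "control",
     "dst": "any", "port": "any", "action": "deny"},             # intended default deny
]


def covers(a, b):
    """True if rule a matches every packet rule b matches (each field 'any' or equal)."""
    return all(a[f] == "any" or a[f] == b[f] for f in FIELDS)


def audit(policy):
    """Return (rule id, [reasons]) for every business-to-control allow that is too
    broad and for every deny that an earlier allow makes unreachable."""
    findings = []
    for i, r in enumerate(policy):
        if (r["action"] == "allow" and r["src_zone"] in BUSINESS_ZONES
                and r["dst_zone"] in CONTROL_ZONES):
            reasons = []
            if r["src"] not in JUMP_HOSTS:
                reasons.append("source is not a designated jump host")
            if r["dst"] == "any":
                reasons.append("destination is every control-zone host")
            if r["port"] == "any":
                reasons.append("all ports allowed")
            elif r["port"] in ICS_PORTS:
                reasons.append(f"{ICS_PORTS[r['port']]} reachable directly from the business zone")
            if reasons:
                findings.append((r["id"], reasons))
        elif r["action"] == "deny":
            shadow = next((e for e in policy[:i] if e["action"] == "allow" and covers(e, r)), None)
            if shadow:
                findings.append((r["id"], [f"never reached: shadowed by allow rule {shadow['id']}"]))
    return findings


if __name__ == "__main__":
    for rule_id, reasons in audit(POLICY):
        print(rule_id, reasons)
```

Rule 1 is the "combined network" the article describes and is flagged on all three counts; rule 3 is the partner shortcut, with a control protocol reachable straight from a third party; and the default deny in rule 5 is reported as dead because rule 1 already matches everything it would block. Rule 2, a single jump host to a single engineering station on one port, is the shape the bridge should have, and rule 4 is outbound from the control zone and so outside this check. In practice the audit would be run against the exported policy after every change, with the findings proved out by an actual connection test from the business zone.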