Protecting Against Stupid
Advances in mobile technology and computing power now enable many work activities to be done remotely and even on the move. This means people now try to make use of their previously wasted travel time. However, these same people seem blissfully unaware of the potential for visual hacking (prying eyes reading your data) and prying ears listening to your conversations. At the same time, the commercial value of data has been rising exponentially. We now see a whole raft of people and organizations looking to extract data from individuals and their employers. These range from individuals hacking for profit and/or fun, through hacking organizations, to government-sponsored hacking. So today we have a perfect storm: data is becoming more and more valuable, sensitive data is becoming more vulnerable due to people's behaviors, and sophisticated hacking organizations are being set up to extract sensitive data for profit or other reasons.
On recent travels in planes, trains and automobiles I have heard and seen many, many confidential pieces of information. These range from who is about to be fired from an organization, to confidential information on a company's (poor) performance, to a company's new competitive positioning; the list goes on and on.
Following a recent presentation that covered security, I have seen people happily pick up “freebie” USB flash drives and plug them directly into their PCs. The presentation had even spent some time talking about Stuxnet and how the virus was introduced via an infected USB flash drive!
But help is at hand.
We all know of advances in cyber protection in the IT domain: SIEMs (security information and event management systems), threat databases, two-factor authentication, hardened encryption and passwords, facial recognition, fingerprint ID, etc. have all been introduced to help secure the IT network.
What is less well known is that there is also help in securing the operational technology (OT) that provides the command-and-control information used to manage critical infrastructures for utilities, power, transportation and even government and defense.
These networks generally consist of a combination of unmanaged and managed sites (think substations), remotely located, with long, exposed connection networks (e.g. trackside, roadside, pipelines, powerlines, etc.) and centralized control locations. Intelligent electronic devices (IEDs) like sensors and actuators provide network operators with information about the network's behavior and with mechanisms to remotely control this behavior, in most cases using a communications architecture called SCADA. Unfortunately, the SCADA architecture and the traditional IEDs were designed in the days before data security was as important as it is today, and so most of these devices have little or no security built in. In addition, as networks modernize there is a need for more and more remote command-and-control information, and hence an exponential increase in the number of IEDs. These traditional architectures, the need to modernize and the impact of infiltrating these networks mean that these strategic and utility networks are particularly attractive targets for hackers.
And then along comes stupid, reading the planned maintenance schedule for a remote site on a train on his way home. Pretty innocent, you might think; however, when I read this information over their shoulder, I now have all the information I need to send someone into the network under the disguise of an official maintenance activity. I could use this information to introduce a fiber tap on the line and/or introduce malicious sensors and actuators into the site. I have now compromised the network, and like Stuxnet I can sit there dormant, collecting information, ready to make an attack in the time frame I decide, and because the network was compromised during a maintenance activity, no one even knows the network has been compromised.
Depending on what I want to achieve, I can now attack the network in many ways.
- Bring the network down to cause wide scale disruption
- Look at the data or eavesdrop on communications, to sell the data to third parties
- Change the data to show a different view of what’s happening from what is happening in reality, and use this to destroy parts of the network
So how can new technology help in securing the OT network?
With advances in communications technology, a comprehensive set of multilayer security mechanisms now exists to help network operators protect their OT network and the data transported on it.
Modern encryption techniques now make it possible to encrypt the data at each of the transport layers (layers 1, 2 and 3), and it is even possible to encrypt the management (DCN) information. This means that if a fiber tap is applied, the data is of little use without the encryption keys. In addition, physical measurements and analytics now provide mechanisms to identify potential fiber taps if they are applied.
Point-of-access security tools like IDS, IPS and firewalls provide security for the data from remote sites. If these IDS/IPS and firewalls are deployed as virtual network functions (VNFs) hosted on NFV hardware at the edge of the network, they can be rapidly and comprehensively upgraded as new security threats are identified.
In my opinion, anomaly detection is the most exciting tool for the OT network. With anomaly detection, network operators have the tools to determine if rogue elements have compromised their network. A map of “expected” communications is built up for all the IEDs in the network, and an anomaly is raised if communications from the IEDs deviate from that expected behavior. This means network operators can identify, in real time, if their network is behaving in an unexpected way. This then gives them the opportunity to identify and mitigate the impact of any rogue agents before they can cause damage to the network.
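The following is an added example, not code from the original post or from any product it describes, showing the idea of a map of expected IED communications in the simplest form: a learning-period flow list is turned into a per-device map of (peer, protocol, port), and each newly observed flow is compared against it. The device names, protocols and flows are constructed sample data; a real deployment would learn the map from captured traffic over a longer period and add timing and message-content dimensions.

```python
from collections import defaultdict

# Constructed learning-period flows: (source IED, destination, protocol, port)
# captured while the OT network is known to be in a good state.
BASELINE_FLOWS = [
    ("rtu-sub01", "scada-master", "modbus", 502),
    ("scada-master", "rtu-sub01", "modbus", 502),
    ("ied-relay07", "scada-master", "iec104", 2404),
    ("scada-master", "ied-relay07", "iec104", 2404),
    ("scada-master", "hist-01", "tcp", 1433),
]

# Constructed flows observed later; the comments mark what a defender would expect.
OBSERVED_FLOWS = [
    ("rtu-sub01", "scada-master", "modbus", 502),     # normal polling
    ("ied-relay07", "scada-master", "iec104", 2404),  # normal reporting
    ("rtu-sub01", "scada-master", "modbus", 503),     # known peer, unexpected port
    ("ied-relay07", "hist-01", "tcp", 1433),          # relay talking to a new peer
    ("sensor-x99", "scada-master", "modbus", 502),    # device never seen in learning
    ("sensor-x99", "10.0.0.9", "ssh", 22),            # same unknown device, new peer
]


def build_expected_map(flows):
    """Map each known source device to the set of (peer, protocol, port) it used."""
    expected = defaultdict(set)
    for src, dst, proto, port in flows:
        expected[src].add((dst, proto, port))
    return dict(expected)


def detect_anomalies(expected, observed):
    """Return (flow, reason) for every observed flow that deviates from the map.

    A flow is anomalous when its source device was never seen during learning
    (a rogue IED), when a known device talks to a peer it never used before, or
    when it talks to a known peer over a protocol/port it never used before.
    """
    anomalies = []
    for flow in observed:
        src, dst, proto, port = flow
        if src not in expected:
            anomalies.append((flow, "rogue source device"))
        elif (dst, proto, port) not in expected[src]:
            known_peers = {peer for peer, _, _ in expected[src]}
            reason = "new protocol/port" if dst in known_peers else "new peer"
            anomalies.append((flow, reason))
    return anomalies


def run_example():
    """Build the map from the baseline and evaluate the observed flows."""
    return detect_anomalies(build_expected_map(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for flow, reason in run_example():
        print(f"ANOMALY {reason}: {flow}")
```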
Whilst technology cannot stop bad individual behaviors from making the network more vulnerable to attack, it does provide many tools to help mitigate the impact of such an attack.