Author: Jay Lyman
The departure of Amit Yoran from the Department of Homeland Security’s (DHS) cyber security department earlier this month was viewed by some, including Vanguard Professionals’ founder and CTO Ronn Bailey, as the continuation of a troubling pattern of frustrated figureheads who have been unable to get the resources and reach necessary to batten America’s cyber hatches.
“I think it’s a dire report of what’s going on,” said Bailey, who earlier this year undertook an effort to organize security professionals and government officials.
Bailey likened the resignation of Yoran — who is a capable security expert but reportedly confided frustration to associates — to those of former terrorism and cyber security head Richard Clarke and Howard Schmidt, a former Microsoft security officer and eBay official who last week returned to DHS to chair CERT.
“It’s been going on a long time, and that’s a very bad report card,” Bailey said.
However, bureaucratic stagnation and lack of focus at the federal level is not Bailey’s biggest concern. Instead, the longtime government and cyber-security expert said attacks on the critical information infrastructure — meaning mostly mainframe computers — is being overlooked as a threat. Bailey claims that the removal of references to mainframes in the national cyber-security policy documents remains a mystery, and he indicated there is a lack of attention to the issue.
Proprietary protection lost
Justin Lowe, a principal consultant with PA Consulting Group — which just released a report on industrial cyber-security with the British Columbia Institute of Technology (BCIT) — said the dramatic increase in Internet-related vulnerabilities combined with a more vulnerable infrastructure amount to two troubling trends.
Lowe said a departure from proprietary operating systems to Windows, which while still proprietary is more accessible and universal than the real-time operating systems that were historically unique to different process control and automation systems, is introducing significant vulnerability to those systems. “There’s been a shift from real obscure technologies to Windows, and also a shift from Unix to Windows,” Lowe said, also referring to the movement of desktop and server software. “Some of the almost unintended protection is gone.”
While he said there are very few control systems based on Linux, the open source operating system would be ideal for reliable process control and automation because of its resistance to the worm attacks that have increasingly endangered Windows.
Lowe said the continued vulnerability in Windows — particularly to viruses and worms — has also made the Internet at large more susceptible to attack. At the same time, critical systems are increasingly connecting to that Internet via corporate networks, according to Lowe.
While he advises governments and industry that attacks and incidents are happening more frequently, are more destructive, and are impacting businesses’ bottom lines, Lowe said the U.S. and Canada are actually leading the way in the effort to secure cyberspace and control systems.
“DHS is doing quite a lot,” Lowe said. “A lot of budget and spending and a lot on getting up the learning curve. The U.K. and Europe seem to be behind the U.S. and Canada. There seems to be very little interest elsewhere.”
Many security experts have called for a more powerful cyber security czar — a move which is reportedly under consideration — and more funding for the defense of networks and critical infrastructure, but Lowe said other nationsÂ are struggling to achieve the level of spending currently occurring in the U.S.
Old protocols and the wrong priority
Paul Henry, senior vice president of information and network security provider CyberGuard, said the biggest cyber weakness in today’s infrastructure is the reliance on old and weak protocols and the prevalence of Windows human-machine interfaces (HMIs) — computers where data is communicated from worker to computer or vice versa. The security expert also said that encryption is not the answer to secured communications and transactions. “My concern is that most organizations — both federal and private — are looking to rely on cryptography to secure things, and I think it’s a mistake. That doesn’t secure the end points or the data,” he said, cautioning that simple buffer overruns could disrupt industrial protocols that are exposed through corporate networks and the Internet.
Henry said there are not many process control systems that are actually running on Windows, but nearly 90 percent of the HMIs that allow engineers to control and automate the large, complex systems are Windows-based. “And that is frightening based on the inherent insecurity of Windows,” Henry said.
Henry, who reported seeing Internet browsing on control system machines, also highlighted a lack of priority on network and control system security by companies and organizations that have put other issues, particularly avoiding downtime, before defense. Henry said the weaknesses could be used by attackers to amplify an attack by crippling emergency communications, cutting off water supplies, or flooding areas by compromising dam controls.
“They are taking steps, but the steps are slow,” Henry said of both companies and the government. “Much more needs to be done and it needs to be done much faster. We’ve seen it for reliability, but we haven’t seen the same level of effort for security.”
Henry said the only way to truly solicit the kind of effort needed from both government and industry appears to be legislation that is rolled out “quickly and accross the board for power, petro-chemical, waste management,” and other infrastructure industries.
Keeping quiet or hardening the floor?
The study from PA Consulting indicated that although computer insecurities come with significant costs and other environmental, reputational, and financial risks, few organizations come forward when systems are attacked. The study indicates the number of unreported industrial cyber-attacks are between 100 and 500 annually. Of the corporations that did report an incident and estimated the impact, half in the study experienced financial losses of more than $1 million.
Experts, such as study co-author and manager of critical infrastructure security research at BCIT Eric Byres, said organizations that are not taking advantage of information sharing resources such as the Instrumentation, Systems,and Automation (ISA) Society and other security industry forums are the ones struggling.
“When I go back and look at the events in our database [of incidents], people were doing the best they knew how, and it wasn’t good enough,” Byres said.
In addition to staying informed on security techniques and advances as well as the latest vulnerabilities, Byres said management must take up the cause of critical security. “Upper management really needs to drive this from the top down and drive it through the organization,” Byres said.
A third thing that is necessary in the face of insecure control systems and advanced attack methods, according to Byres, is a “zero configuration” alternative to firewalls, which have proven ineffective against attacks that now occur via telephone dialup modem, contractor lines, laptops corporate LANs, and other avenues.
“We can no longer have a security system that is crunchy on the outside and soft on the inside,” Byres said, referring to plant floors or control centers that are not hardened to attack the way networks are.
“There’s a lot to hardening equipment,” Byres said. “It means maintaining patch levels, looking at the equipment and asking, ‘Do we need Microsoft Exchange’ or ‘Do I really need Microsoft Outlook and Media Player?’ There’s a lot that can be done to harden the floor.”