
Entries in critical infrastructure (3)

3:56PM

The Internet of Things: Resistance Is Futile, But Resilience Is Fruitful


CONTINUING LAST FRIDAY'S THEME OF WHO'S-SPYING-ON-YOU, A DISTURBING ARTICLE FROM CBS NEWS HIGHLIGHTS HOW YOUR SMART PHONE CAN BE USED AGAINST YOU IN A VARIETY OF CRIMINAL/NEFARIOUS WAYS. What this reminds us is that, per the security expert cited in the story, we're all basically carrying around a mini personal computer in our pockets all day long, and that it can be as disastrously hacked as any desktop or laptop. Indeed, it can be far worse because of the camera, video, and audio-recording capacities that we tend to view as standard hardware kludged together in one unit, when they're all – to varying degrees – accessible to hackers via the software.

Some highlights from the piece:

Popular apps on your smartphone can be convenient and fun, but some also carry malicious software known as malware, which gives hackers easy access to your personal information.

A security firm found that between 75 and 80 percent of the top free apps on Android phones or iPhones were breached. The number jumps as high as 97 percent among the top paid apps on those devices.

Two caveats can be offered.

  1. There is the argument that mobile devices are more secure than personal computers and servers, because they're less open (a countering argument being that PCs and servers are targeted far more because that's where the good stuff is – i.e., the data).
  2. Many experts will also draw a distinction between Android phones and iPhones in terms of architecture and hence security.

With my limited technical knowledge, I'll buy both.  But here's the thing: with the blossoming Internet of Things, the number of devices grows fantastically, and the security features built into all those devices tend to be less comprehensive and robust, primarily because these devices are designed for consumers rather than enterprises, meaning ease of use and access are paramount. Thus, as we rapidly build out the Internet of Things, we create a sort of wild-west frontier that surrounds all the critical infrastructure upon which these devices depend, allowing for a radical expansion of attack vectors for criminal and malicious actors.

That's certainly not an argument against pursuing the Internet of Things, but it does say that we need to build it out with more care and vision regarding the resilience of the critical infrastructure being increasingly exposed. In effect, our critical infrastructures are going to be subjected to an evolutionary leap of sorts, so we either adapt them in turn (keeping pace), or we suffer new and worse vulnerabilities.

Back to the story and quoted "cybersecurity expert Gary Miliefsky, whose company SnoopWall tracks malware."

Miliefsky said when you download an app, you also give permission for it to access other parts of your phone, like an alarm clock app that can also track phone calls.

"You think an alarm clock needs all those permissions? Access to the Internet over wifi, your call information, calls you've made, call history, your device ID? This to me is not a safe alarm clock," Miliefsky said.

And there's the weather and flashlight apps that he says exploit legitimate banking apps to capture information, as he showed us in a demonstration of what could happen when someone takes a photo of a check to send to their bank.

"The flashlight app spies on the camera and noticed the check and grabbed a copy of it. Shipped it off to a server somewhere far away," Miliefsky said.

Last year the group FireEye discovered 11 malware apps being used on iPhones that gathered users' sensitive information and sent it to a remote server, including text messages, Skype calls, contacts and photos. Apple fought back by removing the apps and putting stricter security measures in place.

"They get at your GPS, your contacts list...to build a profile on you," Miliefsky said.

Some apps are simply collecting information for advertising purposes. In 2014, the Federal Trade Commission settled a lawsuit with a company over its popular Brightest Flashlight app, alleging it transmitted consumers' personal information to third parties without telling them.

But Miliefsky said he's found another flashlight app that can do much more troubling things.

"This one turns on your microphone in the background, listens in on you, and sends an encrypted tunnel to a server we discovered in Beijing," Miliefsky described.

That certainly gets your attention, yes?
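The alarm-clock example above is, in practice, a least-privilege check: compare what an app declares it needs against what its stated purpose could plausibly require, and treat sensitive access plus a network path as the combination that lets data leave the phone. The script below is an added illustration, not code from the CBS story or from SnoopWall. The manifest it parses is a constructed sample built to mirror the over-privileged alarm clock described in the quote (it is not a real app), and the per-category "expected permissions" lists are an assumed policy, not anything Android itself defines; the permission names and the "dangerous" classification are real Android ones.

```python
"""Audit an Android app's declared permissions against what its stated purpose needs.

Added example. The manifest is constructed to mirror the over-privileged alarm
clock described in the story; it is not a real app. EXPECTED is an assumed policy.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed sample manifest (not a real app): an "alarm clock" that also wants
# network access, call history, the device identity (READ_PHONE_STATE) and the camera.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alarmclock">
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

# Subset of permissions Android classifies as "dangerous" (runtime, user-visible).
DANGEROUS = {
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS", "android.permission.READ_EXTERNAL_STORAGE",
}

# Assumed policy: what an app of each kind legitimately needs. A torch can be driven
# through CameraManager.setTorchMode without any runtime permission, so a flashlight
# app that asks for CAMERA, RECORD_AUDIO or INTERNET has no obvious excuse.
EXPECTED = {
    "alarm_clock": {
        "android.permission.WAKE_LOCK", "android.permission.VIBRATE",
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.SCHEDULE_EXACT_ALARM",
    },
    "flashlight": set(),
}

NETWORK = "android.permission.INTERNET"


def declared_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit(manifest_xml, category):
    """Flag permissions beyond the category's expected set.

    Verdict: OK if nothing sensitive is in excess; REVIEW if a dangerous permission
    is in excess but the app has no network access; SUSPECT if it has both, since
    that is exactly the "read it, then ship it off to a server" pattern in the story.
    """
    declared = set(declared_permissions(manifest_xml))
    excess = declared - EXPECTED[category]
    excess_dangerous = excess & DANGEROUS
    has_network = NETWORK in declared
    if excess_dangerous and has_network:
        verdict = "SUSPECT"
    elif excess_dangerous:
        verdict = "REVIEW"
    else:
        verdict = "OK"
    return {
        "declared": sorted(declared),
        "excess": sorted(excess),
        "excess_dangerous": sorted(excess_dangerous),
        "network": has_network,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "alarm_clock")
    print("verdict:", report["verdict"])
    for perm in report["excess_dangerous"]:
        print("  unexplained dangerous permission:", perm)
```

On a real handset the declared list comes from `aapt dump permissions app.apk` or `adb shell dumpsys package <pkg>` rather than an inline string; the comparison logic is the same. The check is deliberately conservative: it does not say the app is malicious, only that a sensitive permission has no explanation in the app's stated purpose and that a network path exists for whatever it reads.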

Whether or not we buy into the darker, more geo-political aspects, it's clear that we're all being subjected to a game-changing degree of personal transparency, and that, in political terms, the question of who's watching the watchers is just starting to be explored.

Now, a lot of people will respond to these developments by attempting to reduce their exposure, just like a lot of enterprises have attempted over the years. But that approach typically comes with too big a price in terms of lost efficiency, convenience, and sheer opportunity. Building more firewalls as the Internet of Things comes into being is not the answer.

In short, while resistance is futile when it comes to the Internet of Things (and the Borg, of course), resilience becomes the new prime directive for individuals, families, enterprises, communities, governments, and nations.


2:55PM

A Squirrelly Argument Regarding Critical Infrastructure And Our Resilience In The Face Of Attacks

THE NATIONAL SECURITY COMMUNITY TENDS TO ATTRACT DOOMSDAY TYPES, WHILE THE UTILITIES SECTOR TENDS TO ATTRACT PRETERNATURALLY CALM ENGINEER TYPES - GO FIGURE! That's just the nature of their respective businesses, so no big surprise that, when national security officials highlight the hacking threat to critical infrastructures (most frequently, electrical grids), plenty of practitioners in the utilities arena counter that "alarmism" with more prosaic examples of power outages - namely, those caused by rodents and birds. This is a classic argument between those who focus their professional attention on low-probability/high-impact events (e.g., foreign military hackers attacking our critical infrastructure as a prelude to war-initiation) and those who must deal with high-probability/low-impact events - like a squirrel chewing through a wire and triggering a local blackout.

So, good on WAPO's The Switch column for running this story asking, "Are Squirrels a Bigger Threat to the Power Grid Than Hackers?" Yes, the use of the modifier "bigger" here is stunningly indiscreet (newspaper headlines tend to do that to pique your interest), but the author does provide a real-world threat "floor" to the notional threat "ceiling" routinely cited on WAPO's front page. On the latter score, I recall the near-constant drumbeat of fear-instigating stories (all presumably "leaked" by the Obama Administration), in the weeks leading up to the 2009 launching of US Cyber Command, about how seemingly everyone in the world was waging cyber-warfare against America, when, of course, we know full well that the U.S. Government itself is the preeminently offensive player in this arena - as it should be.

So, no, squirrels are not a "bigger threat." That's an idiotic notion (or - more politely - an imprecise notion). Significant cyber-warfare-capable nation-states and non-state actors are the bigger threat.  Squirrels are just the more common threat.

Another way to look at the difference: I am constantly subject to the common cold, but I still consider cancer to be the bigger threat to my health. Does that mean I ignore the cancer threat (lower probability but far higher impact) to focus more on the common cold? Hardly. Like everyone, I attempt to balance risk between the two.

I also most certainly do not discount the cancer threat merely because I find it stunningly hard to prevent my contracting the common cold on a regular basis, which is the implied argument here (Focus on real problems and don't believe the hype!). Wait long enough on today's national-security "hype" and eventually somebody nefarious will give that scenario a run for its money. And when they do?  The high-probability/low-impact skeptics will be nowhere to be found, while the public - and Congress - demands answers (and scapegoats) for this huge failure of national intelligence!

2:37PM

Ukraine's Electrical Grid Gets Knocked Down, But It Gets Up Again … In a Sign of Threats to Come

RUSSIA IS OFTEN CREDITED WITH EXPLORING THE SUB-THRESHOLDS OF TRADITIONAL STATE-ON-STATE WARFARE, OR WHAT ONE DEFENSE ACADEMIC HAS DUBBED "GREY-ZONE CONFLICTS."  In some ways, Moscow's experiments in interstate aggression represent a continuing acknowledgment of the overarching strategic reality of mutually assured destruction created by the still-formidable nuclear arsenals of the world's major military powers - i.e., Russia knows not to go there.  But great powers still want to act like great powers, so they meddle, they intervene, they topple governments, they support proxies in civil wars, they build artificial islands and militarize them, they insert computer viruses into other states' networks . . . and sometimes they merely send a signal like I can turn off your lights whenever I want.


Vladimir Putin's regime has an established reputation for this sort of international cyber-bullying, launching somewhat impressive online attacks against Estonia in 2007, Georgia in 2008 (as part of its land grab there), and more recently against Ukraine in 2014.  Western security reviews of such incidents typically find little-to-no evidence of official government involvement, and this is the central characteristic of the maskirovka approach (an old Soviet-era military term for deception and concealment - i.e., masking).  So yeah, the whole point of such shenanigans is to hide your tracks even as you are rather overtly signaling both capability and intent.

As we used to say about the Soviets during the Cold War, they will try every door and every window until they find one that's unlocked.

Thus, the world is meant to take notice of what recently happened in Ukraine, per WAPO:

Hackers caused a power outage in Ukraine during holiday season, researchers say, signalling a potentially troubling new escalation in digital attacks.

"This is the first incident we know of where an attack caused a blackout," said John Hultquist, head of iSIGHT Partners' cyberespionage intelligence practice. "It's always been the scenario we've been worried about for years because it has ramifications across broad sectors."

Indeed, the hackers-taking-down-electrical-grids is the sine qua non of the "cyber Pearl Harbor" or cybergeddon attack scenario that worries owners and operators of critical infrastructures around the world - but particularly in the US, where 88% of them are private-sector firms.

More details ...

Half of the homes in Ukraine's Ivano-Frankivsk region were left without power for several hours on December 23rd, according to a local report that attributed the blackout to a virus that disconnected electrical substations from the grid. Researchers at iSight on Monday said their analysis of malware found on the systems of at least three regional electrical operators confirmed that a "destructive" cyberattack led to the power outage.

Impression made ...

Why it matters for critical infrastructure writ large:

Electrical outages can lead to ripple effects that leave communities struggling with things like transportation and communication, according to security experts who have long warned about the potential for cyberattacks on the power grid.

Here the attack almost veers into clandestine mode, meaning the actor in question doesn't worry all that much about its identity being revealed:

In this case, the attackers used a kind of malware that wiped files off computer systems, shutting them down and resulting in the blackout, Hultquist said. At least one of the power systems was also infected with a type of malware known as BlackEnergy. A similar combination was used against some Ukrainian media organizations during local elections last year, he said.

So just imagine who was messing with Ukrainian media during local elections last year, and then realize that that same actor didn't bother changing up his cyber pitch this time around because . . . hey, that's not the point here.

Here we get to the true signaling:

While [cybersecurity company] ESET's analysis showed the destructive element was "theoretically capable of shutting down critical systems," it said BlackEnergy malware's ability to take control of a system would give attackers enough access to take down the computers. In that case, the destructive element may have been a way to make it harder to get the systems up and running again, according to ESET. (bolding mine)

That is what should grab the attention of any nation's critical infrastructure operators - not just the takedown capability but the suggested keepdown capacity.

Yes, the fingerpointing is eastward . . .

Hultquist believes the attacks that caused the blackout were the work of a group iSight dubs "Sandworm" that the company previously observed using BlackEnergy. In a 2014 report, iSight said the group was targeting NATO, energy sector firms and U.S. academic institutions as well as government organizations in Ukraine, Poland and Western Europe.

"Operators who have previously targeted American and European sensitive systems look to have actually carried out a successful attack that turned the lights out," Hultquist said.

He described the group as "Russian," but declined to connect it to a specific government or group . . .

Such is the nature of maskirovka, remembering, of course, that Putin began his career in the KGB.

Now the part that most clearly matters to us here at Resilient Corporation:

The picture can often become clearer as more information trickles out, but the public and even some of those investigating may not be operating with all the facts, according to Cross.

"When a plane crashes, the FAA publishes all of the details about the incident. That makes sense because we pilots want to know what to do to avoid the next crash," he said. "In our industry, when something like this happens, some information comes out and some doesn't."

Great analogy, suggesting that the lack of industry transparency here can cost us in the long run.  One doesn't counter maskirovka with "proprietary" concealment but with information-sharing.

Not everyone necessarily has an interest in fully disclosing the attacks because it might embarrass them or give new information to attackers, Cross said. But he argues that the more people know the details about the attack, the better the security industry can prepare for the next one.

"People should operate with an abundance of caution and assume the threat is real while demanding technical detail and evidence," he said.

Bingo!

As for Ukraine, the final bit of news was heartening:

Assuming that the hackers did take out the power in Ukraine, there was a silver lining, according to Cross: The grid seems to have rebounded quickly.

"The world didn't end here - they did get power back up," Cross said.

This time, yes.  But this scenario will grow less exotic over time, and that's why our resilience skill-set must keep pace.