Critical Infrastructure Security In A Hostile World

At MEI Security we frequently cover the Ukrainian power grid attack in our work with clients. This successful attack clearly demonstrates vulnerabilities in critical infrastructure. Whether it is electrical power, water treatment and delivery or communications including telephones and internet service, reliable functionality of infrastructure is critical to the smooth function of our society. This infrastructure is managed through Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems. The Ukrainian power grid attack took advantage of well-known weaknesses in humans and in ICS & SCADA hardware to succeed. Once in, the attackers planned to disrupt the system and simultaneously increase the difficulty of recovery.

The attack began with a spear-phishing email campaign aimed at administrators. The malicious attachments exploited a well-known feature of Microsoft Word to deliver malware and gain an initial foothold in the target network. From this foothold the attackers pivoted to other systems, spending months exploring the network environment and harvesting credentials undetected. Among these credentials were those used by staff to connect remotely by VPN to the SCADA networks. Once inside the SCADA networks, the attackers were able to overwrite control system firmware, making recovery much more difficult when the trap was finally sprung. The attack even included a denial-of-service phase that flooded telephone lines with bogus calls, impeding swift, cohesive incident response. Based on the scope and sophistication of the attack, many security professionals suspect the attackers were at least aided by (if not fully supported and directed by) a hostile nation state.

There are lessons to be learned from this and other attacks. As our environments become more and more digital, and as our infrastructure controls become more networked, they are simultaneously exposed to additional risk. While private industry is often quick to adjust its budgeting, Federal, State and Municipal organizations often exhibit a more measured approach to change. A recent story in SC Magazine highlighting the failure of the US Department of the Interior to comply with respected industry standards illustrates the point. Beyond this one example, it is clear that we have a long way to go to achieve a more robust and resilient cyber security posture – especially for our critical infrastructure.

Apple vs FBI – Infosec Failure for San Bernardino

While much of the argument about the iPhone data centers on whether Apple should comply with an order to break their own protections, companies which own phones should note that the real failure is that of San Bernardino County's information security policies and procedures. They permitted their property (the iPhone) to be used in such a way that they no longer had control of it. In effect, they provided their employee with a safe, a cyber space safe, and they did so without maintaining their own key to the safe. Now that they want access to their own property (the iPhone), they find that their information security policies and procedures have failed. In cases where an organization provides a safe (especially a safe inside a phone) it should consider carefully what will happen if the employee does not provide access to the safe, whether that's because the employee has won the lottery, been terminated, or passed away.

Thinking about such events may not always be easy or comfortable, but considering such risks is critical to a complete, mature information security stance. In this case, having a plan in place would have made it possible to provide assistance to law enforcement in a potentially serious matter, and that would have been better for San Bernardino County, the families of those affected, and indeed all good people who want to prevent such cowardly attacks in the future. Have a tested plan in place. Hope you never need it, but have it in place ahead of time. It makes all the difference.

Apple vs FBI – Not About Just One Phone

There seems to be some question about Apple refusing access to a single phone. First of all, let's be clear. The failure is that of San Bernardino County. They own a device, the phone, which might contain information useful for a federal investigation. They can't get into their own phone. Consider that the phone is like a safe. San Bernardino County bought a safe, and they let their employee take it home. The employee changed the password. Now the employee is dead, and they want access to the safe. Now, if I had lost the combination to a safe, I'd hire a safe cracker. I would not blame the safe company for building a good safe. Furthermore, if the FBI wanted access to the property of San Bernardino County then they'd be ordering San Bernardino County to unlock the phone. Then the owner of the property, San Bernardino County, could hire a hardware hacker to break into the phone.

But instead of going after a single phone, the federal government has ordered a manufacturer to subvert the security of their product. Again, if they wanted access to a single phone they'd hire an expert to break in. If this were to happen in China, I'd expect the government to command its citizens to do what it says. Here in the U.S. I don't understand how the government can order someone in this way.

The terrorists hate us because we treat people as individuals. We have gender, racial and other equality written into our laws. They consider women to be property. We educate all children, boys and girls. They kill girls who try to go to school. We encourage freedom of speech. They kill those who speak out against the government. We have freedom. They do not. They want us to become a place where people fear the government. We need to be better than that.

There are other reasons that the government should not break the encryption of iPhones, but that’s a topic for another post.