Tag Archives: critical infrastructure

Some thoughts on „A Cyberattack on the U.S. Power Grid“ by Robert K. Knake

15 April 2017

The Contingency Planning Memorandum No. 31 „A Cyberattack on the U.S. Power Grid“, published by Robert K. Knake at the Council on Foreign Relations (CFR) in April 2017, illustrates very clearly how vulnerable critical infrastructures like the U.S. power grid are. This memorandum is really worth reading.

Ultimately, to protect society effectively in the event of a breakdown of the power grid, we need something like a nationwide operated ISMS (information security management system) with hundreds of stakeholders from the private and public sector. This is a Herculean task in the U.S., and would need a miracle in Europe.

But the discussion of attack vectors is still shaped by the traditional ISA-95 paradigm, in which control systems are reachable only by way of the business network:

Regardless of which part of the power grid is targeted, attackers would need to conduct extensive research, gain initial access to utility business networks (likely through spearphishing), work to move through the business networks to gain access to control systems, and then identify targeted systems and develop the capability to disable them.

In the era of the IIoT, the network perimeter with all its highly sophisticated security controls no longer exists. For example, a lot of Industrial Control Systems are already connected directly to the internet today. With this, the effort required to attack critical infrastructures decreases, and so does the likelihood of detection.

From my point of view, it is crucial that risk management takes this paradigm shift into account.
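One way to make the paradigm shift visible in a risk register is to stop assuming that every control-level asset sits behind the enterprise perimeter and instead score direct Internet reachability explicitly. The following is an added example and not code from the memorandum or from this blog; the inventory format, the base likelihood values and the scoring weights are assumptions chosen for illustration, while the ISA-95 level numbers (0 to 2 process and control, 3 site operations, 4 enterprise) are the standard ones.

```python
"""Audit an asset inventory for ISA-95 zoning violations and rank assets by risk.

Added example, not part of the original post. The inventory fields, the base
likelihood table and the impact scale are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Asset:
    name: str
    isa95_level: int          # 0..4 as in the ISA-95 / IEC 62443 zoning model
    internet_reachable: bool  # True if the asset exposes a publicly routable service
    impact: int               # 1 (negligible) .. 5 (catastrophic), set by the asset owner


# Assumed base likelihood (1..5) for an asset that sits where the ISA-95 model
# expects it: an attacker enters at the enterprise level (4) and has to traverse
# each lower level, so the deeper the asset, the lower the base likelihood.
BASE_LIKELIHOOD = {4: 3, 3: 2, 2: 1, 1: 1, 0: 1}


def likelihood(asset: Asset) -> int:
    """Likelihood 1..5; direct Internet reachability removes the traversal steps
    the ISA-95 paradigm relies on, so it raises the likelihood."""
    base = BASE_LIKELIHOOD[asset.isa95_level]
    if asset.internet_reachable and asset.isa95_level <= 2:
        return 5  # control-level device reachable without any pivot through the business network
    if asset.internet_reachable:
        return min(5, base + 1)
    return base


def risk(asset: Asset) -> int:
    """Classic likelihood x impact score (1..25)."""
    return likelihood(asset) * asset.impact


def zoning_violations(assets: List[Asset]) -> List[str]:
    """Names of control-level assets (level <= 2) that are reachable from the Internet."""
    return [a.name for a in assets if a.isa95_level <= 2 and a.internet_reachable]


def ranked(assets: List[Asset]) -> List[Asset]:
    """Assets ordered from highest to lowest risk."""
    return sorted(assets, key=risk, reverse=True)


# Constructed sample inventory (hypothetical host names).
INVENTORY = [
    Asset("erp-app-01", 4, False, 3),
    Asset("historian-01", 3, False, 4),
    Asset("substation-rtu-07", 1, True, 5),   # RTU with a management port exposed to the Internet
    Asset("plc-boiler-02", 1, False, 5),
]

if __name__ == "__main__":
    for a in ranked(INVENTORY):
        print(f"{a.name:20} L{a.isa95_level} likelihood={likelihood(a)} "
              f"impact={a.impact} risk={risk(a)}")
    print("zoning violations:", zoning_violations(INVENTORY))
```

With the perimeter assumption alone, the two level-1 devices would score identically; the explicit reachability flag moves the exposed RTU to the top of the list, which is the adjustment the post argues risk management now has to make.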

Happy Easter!

The IoT brings down the Internet

29 October 2016

Last Friday, a large botnet powered by the Mirai malware caused a significant Internet outage in the United States. This headline in MOTHERBOARD sums it up: ‘Blame the Internet of Things for Destroying the Internet Today’.

IoT devices are inherently insecure.

  • IoT devices are, for instance, very often secured by default passwords, which do not necessarily have to be changed during setup. And for ease of setup, WLAN is powered on by default.
  • A software life-cycle concept, e.g. patching of critical vulnerabilities, is in general not provided. With this, the devices remain vulnerable to the exploitation of newly discovered critical software bugs throughout their operating life.

A single compromised IoT device has no significant impact on the internet. But if attackers exploit the vulnerabilities of millions of devices and join them into a botnet, it is very likely that this will have a major impact even on well-secured critical infrastructures.

We need to save the Internet from the IoT. Strict statutory guidelines are required to prevent the collapse of critical infrastructures. Some easy-to-implement technical rules are, for example:

  • WLAN is by default off.
  • WLAN can only be activated through an out-of-band connection.
  • WLAN is activated only after the default password has been changed.
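The three rules above can be expressed as a small provisioning state machine in the device firmware: the radio starts disabled, the only code path that enables it is reachable from an out-of-band channel, and that path refuses to run while the factory password is still in place. The following is an added example, not code from the post or from any device vendor; the channel names, the `Device` class, the factory default and the minimum password length are assumptions chosen for illustration.

```python
"""Provisioning controller that enforces the three IoT rules from the post.

Added example, not part of the original post. Channel names, the Device API,
the factory default password and the length policy are assumptions.
"""
from enum import Enum, auto


class Channel(Enum):
    WLAN = auto()    # in-band: the radio the rules are about
    USB = auto()     # out-of-band: physical connection to the device
    SERIAL = auto()  # out-of-band: console port


OUT_OF_BAND = {Channel.USB, Channel.SERIAL}


class ProvisioningError(Exception):
    """Raised when a request violates one of the provisioning rules."""


class Device:
    DEFAULT_PASSWORD = "admin"  # constructed factory default
    MIN_LENGTH = 12             # assumed minimum length for the replacement password

    def __init__(self) -> None:
        self.password = self.DEFAULT_PASSWORD
        self.password_changed = False
        self.wlan_enabled = False  # rule 1: WLAN is off by default

    def change_password(self, channel: Channel, new_password: str) -> None:
        # Credentials may only be set over a channel the user physically controls.
        if channel not in OUT_OF_BAND:
            raise ProvisioningError("password can only be changed over an out-of-band channel")
        if new_password == self.DEFAULT_PASSWORD or len(new_password) < self.MIN_LENGTH:
            raise ProvisioningError("password must differ from the default and be long enough")
        self.password = new_password
        self.password_changed = True

    def enable_wlan(self, channel: Channel) -> None:
        if channel not in OUT_OF_BAND:   # rule 2: activation only out of band
            raise ProvisioningError("WLAN can only be activated over an out-of-band channel")
        if not self.password_changed:    # rule 3: never with the default password
            raise ProvisioningError("change the default password before enabling WLAN")
        self.wlan_enabled = True


def provision(device: Device, channel: Channel, new_password: str) -> bool:
    """Walk the intended sequence; returns True when WLAN ends up enabled."""
    device.change_password(channel, new_password)
    device.enable_wlan(channel)
    return device.wlan_enabled


def rejects(action, *args) -> bool:
    """True if the action raises ProvisioningError (used to demonstrate refusals)."""
    try:
        action(*args)
    except ProvisioningError:
        return True
    return False


if __name__ == "__main__":
    d = Device()
    print("WLAN on fresh device:", d.wlan_enabled)
    print("enable before password change refused:", rejects(d.enable_wlan, Channel.USB))
    print("keeping the default refused:", rejects(d.change_password, Channel.USB, "admin"))
    print("provisioned over USB:", provision(d, Channel.USB, "correct-horse-battery"))
```

The point of keeping the rules inside the `Device` methods rather than in the setup wizard is that a malformed or skipped wizard cannot bypass them: every route to an enabled radio passes through the same two checks.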

A security label for IoT devices is required to support consumers. The European Commission already established the basis for a security label in the ‘Cybersecurity Strategy of the European Union’, published February 6, 2013:

‘Develop industry-led standards for companies’ performance on cybersecurity and improve the information available to the public by developing security labels or kite marks helping the consumer navigate the market.’

Devices which do not comply with the basic requirements should be labeled accordingly. In addition, the vendors of such devices should be obliged to take out cyber insurance to mitigate the impact posed by insecure devices.

In ‘We Need to Save the Internet from the Internet of Things’ published on October 6, 2016 in MOTHERBOARD, Bruce Schneier states:

The IoT will remain insecure unless government steps in and fixes the problem.

Let’s start!

Have a good weekend.

A risk-based approach to SIEM rollout hardly makes sense

25 July 2015

I have had a lot of discussions about SIEM rollout in the past weeks. One approach is to watch only those Windows server systems that store business-critical information or provide critical infrastructure services. Why should we waste time and effort on information that is not critical for business? That sounds convincing, in particular with a risk-based approach in mind.

My approach goes far beyond this. I strongly recommend watching all Windows server systems through the SIEM.

The reason is quite simple: in a Windows server network, lots of user accounts and technical accounts are used for administrative tasks. In general, these accounts are defined globally (in the Windows Active Directory) and are members of each individual server’s administrators group. And, in general, these accounts are used for all systems, even for those storing business-critical information.

If one assumes that about 10% of a company’s servers manage business-critical information, hacking attempts on 90% of the servers will remain undetected. An attacker who hijacks one of the non-critical systems and starts a DLL injection attack on the Windows Local Security Service (lsass.exe) to extract plain text passwords from memory will have access to all of your systems within minutes.

But if you watch all servers through your SIEM system, you will get a security incident within seconds after the hacking attempt takes place. With well-defined security incident processes in place, you may be able to prevent the worst.
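The coverage gap is easy to demonstrate with two ordinary SIEM rules run twice over the same event stream, once with only the critical servers onboarded and once with every server onboarded. The following is an added example and not code from the post: the host names, the event records, the allowlist and the thresholds are constructed for illustration, while the event IDs are the real ones (Windows Security event 4624 for a logon, Sysmon event 10 for process access).

```python
"""Two detections over constructed Windows events: lsass.exe memory access on any
host, and one account logging on to several hosts within a short window.

Added example, not part of the original post. Host names, events, the allowlist
and the thresholds are constructed; the event IDs are the real Windows/Sysmon ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CRITICAL_HOSTS = {"srv-erp-01", "srv-dc-01"}   # the 10% a risk-based rollout would watch

# Processes that legitimately open lsass.exe; constructed, tune to your environment.
LSASS_ACCESS_ALLOWLIST = {r"C:\Windows\System32\csrss.exe"}
LATERAL_HOSTS = 3                  # distinct hosts one account may reach ...
LATERAL_WINDOW = timedelta(minutes=5)  # ... inside this window before we alert

# Constructed sample events, already normalised the way a SIEM would store them.
EVENTS = [
    # benign: a system process touching lsass on a non-critical file server
    {"ts": "2015-07-20T09:00:01", "host": "srv-file-12", "event_id": 10,
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # foothold: an unknown binary reads lsass memory on the same non-critical server
    {"ts": "2015-07-20T09:00:05", "host": "srv-file-12", "event_id": 10,
     "source_image": r"C:\Users\Public\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # the shared technical account then logs on over the network to three servers
    {"ts": "2015-07-20T09:01:10", "host": "srv-file-13", "event_id": 4624,
     "account": "svc-backup", "logon_type": 3},
    {"ts": "2015-07-20T09:01:40", "host": "srv-erp-01", "event_id": 4624,
     "account": "svc-backup", "logon_type": 3},
    {"ts": "2015-07-20T09:02:05", "host": "srv-dc-01", "event_id": 4624,
     "account": "svc-backup", "logon_type": 3},
    # benign: a monitoring account logging on to a single host
    {"ts": "2015-07-20T09:03:00", "host": "srv-dc-01", "event_id": 4624,
     "account": "svc-monitor", "logon_type": 3},
]


def detect(events, monitored_hosts=None):
    """Return alert strings for the events of onboarded hosts.
    monitored_hosts=None means every host is watched."""
    alerts = []
    covered = [e for e in events if monitored_hosts is None or e["host"] in monitored_hosts]
    logons = defaultdict(list)   # account -> [(timestamp, host)]
    fired = set()                # accounts that already produced a lateral-movement alert
    for e in sorted(covered, key=lambda ev: ev["ts"]):
        if (e["event_id"] == 10
                and e["target_image"].lower().endswith("\\lsass.exe")
                and e["source_image"] not in LSASS_ACCESS_ALLOWLIST):
            alerts.append(f"{e['ts']} lsass.exe memory access on {e['host']} "
                          f"by {e['source_image']}")
        elif e["event_id"] == 4624 and e["logon_type"] == 3:
            acct, now = e["account"], datetime.fromisoformat(e["ts"])
            logons[acct].append((now, e["host"]))
            recent = {h for t, h in logons[acct] if now - t <= LATERAL_WINDOW}
            if len(recent) >= LATERAL_HOSTS and acct not in fired:
                fired.add(acct)
                alerts.append(f"{e['ts']} account {acct} logged on to "
                              f"{len(recent)} hosts within {LATERAL_WINDOW}")
    return alerts


if __name__ == "__main__":
    print("critical servers only:", detect(EVENTS, CRITICAL_HOSTS))
    print("all servers:          ", detect(EVENTS))
```

With only the critical servers onboarded the stream yields no alert at all: the lsass access happened on a server the SIEM never sees, and the account touches just two watched hosts, below the threshold. With all servers onboarded the first alert fires on the lsass event itself, seconds into the attempt, and the lateral-movement rule fires a minute later.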

This reminds me of the report ‘Dissecting the Top Five Network Attack Methods: A Thief’s Perspective’ I read this week:

I love breaching a company that spends tons of money on gear but can’t get it working together. I know I leave traces, but by the time the admins connect all the dots, I’m long gone.

In the case above, the admins do not even have the chance to connect all the dots because they are almost blind.

Have a good weekend!

Hacking the Nike+ Fuelband

5 February 2015

Ethan Zonca’s report ‘Hacking the Nike+ Fuelband’, published on HACKADAY some days ago, is somewhat alarming, although the device is just an electronic gadget that hopefully does not make our daily life more complex.

But this hack should make us really worried if we consider devices in safety-relevant systems or devices connected to critical infrastructure.

Consider a mobile phone that connects via Bluetooth to your car’s audio system. Today, a car is a computer on four wheels, and the audio system is an interface to this computer. Now think about malware on your phone that shuts down this computer at 200 km/h. OK, only crazy guys drive at this speed, and only in Germany. But the impact of a completely uncontrolled crash on other road users and the environment might be catastrophic.

The Internet of Things offers us virtually unlimited opportunities. But IT security comes first, because it is the basis for safety. The developers of this Fuelband didn’t waste a thought on IT security. I bet threat modeling is completely unknown to them. Hopefully they tried harder in the case of your car’s computer, or in the case of sensors controlling the temperature in power plants…

Don’t panic!