More than a year ago, we’ve learned that Stuxnet would be a game changer. Indeed, no advisor in all things security missed to mention that the alleged U.S.-Israel (Langner) originated hack and blow-up of Iranian Uranium enrichment facilities posed a show-case of future attacks on our beloved infrastructures and industrial production sites. While one might argue that the transfer of the world’s production sites to China serves as a mediator to scare going wild, there are still some Industrial Control Systems implemented and running within, say, the EU or the U.S. With Stuxnet discussed ad nauseam both at security conferences and in global mainstream media, with policy awareness increased up to the level of the leaders of the universe, with calls for decisive policy responses on all policy levels, calls for cyber-defense programmes against prospective attacks in cyber-warfare (by non U.S.-Israel) for national and international critical infrastructure protection programmes – with all that stuff one would assume that at least some of the most obvious steps have been accomplished.
And then you read an update by the commercial community of technical experts on Industrial Control Systems. According to their assessment, the ICS industry acts deaf and akin to the automotive industry in “Fight Club” (mentioned in the scene in which the automotive white-collar insomniac protagonists meets Tyler Durden on the airplane): it’s cheaper to let systems go bust occasionally and pay for some clean-up than to preventively fix the systems. Industrial control systems are still highly buggy, a group of ICS security researchers around the consultancy Digitalbond have tried to showcase at their SCADA Security Scientific Symposium (S4). For experts in the field, this is common knowledge for more than a decade.
The technical ICS geniuses at the S4 conference put all the blame to the vendors, such as Siemens, General Electric, Schneider Modicon, Rockwell Automation, SEL, or Koyo Automation. But is that easy? My experience from general IT, not ICS admittedly, tells me that life is more complicated. Independent consultancies, which are bound to specific vendors, have certainly no incentive to blame existing or prospective customers. More substantially, while there might be customers with inadequate security procedures out there, I highly doubt that knowledge about notorious insecurity of a particular set of artefacts doesn’t exist somewhere in customer companies and doesn’t climb up the communication ladder to the CIOs or CSOs. If owners are not interested in getting their 20-years old ICS fixed, a vendor interested in subsequent orders wouldn’t want to embarrass itself and its clients by being utterly explicit about the risks or the security hick-ups of the installed base of legacy systems.
The financial sector and the nuclear industry serve as nice role models for dealing with, as we institutional-economics-infected researchers call it, negative externalities of societal or technical systems. For both system vendors and owners of such infrastructures, inactivity is a viable option to respond to publication of vulnerabilities. Why would you want to spend millions on hardening your chemical facilities against a rather hostile hack into its control systems? If shit hits the fan, writing off your production site and transferring the external costs to the public is probably the most economic approach. Just make sure that the downfall of one site doesn’t bring down the complete parent group as with this TEPCO guys who failed to install proper economic firewalls inside their group. There are no columns or rows for the rhetoric of cyber-warfare in the Excel sheets on which executive boards of infrastructure owners rely in their decision making. The ongoing installation of insecure systems and components is certainly is worrying.
The great potential realigner of incentives aka public authorities have have remained rather calm on this issue, too. For Europe, Kroes is gunning for “providing the right incentives“, but we don’t know yet what the Commission will come up with eventually. Hohlmaier, rapporteur of the European Parliament on Cybersecurity issues and with a constituency in Siemens land, has been likewise silent on this, Google tells us. Inaction by incompetent or unwilling operators of information and industrial infrastructures might pose risks for the public at large. The public might want to live with some risks. Or prefer to have incentives realigned, i.e. get regulations installed that force vendors, customers or third parties to invest into security measures. For the last couple of years, policy makers, researchers and public authorities have been obsessed with “incentivising” third parties such as ISPs to make up for the failures of vendors and customers of ICT systems. For industrial control systems, I don’t see this option. It’s either the vendors and/or the customers (owners of infrastructures) that need to take the bill. Or learn to live with the risks. Just like we did with financial and nuclear systems.
Fouché is enjoying #Occupy for a snack. The Committee of Public Safety announces:
Hippie global meliorism is Marxism without the House of War. It wills an end that can only be realized through means of violence. Yet they refuse to will the means. If laughter could be projected from an ocean and half a continent away, they’d hear Marx’s disembodied laughter drumming from the British Museum and echoing down their spine with Teutonic clarity. A classical Marxist revolutionary would do something revolutionary. They’d mass at the park, loot the city’s financial district, and then storm the state capital. The hippies did everything backwards: they retreated from the center of political power, abstained from seizing the center of economic power, and massed in an out-of-the-way outdoor drug/farmers market.
Old Karl would die of laughter.
History, but anyhow. Jon Baumgartner, “Computers as Weapons of War”, IO Journal, May 2010, pp. 5-8:
Similar IO attacks could be conducted against nation states that have violated international treaties in order to carry out as uranium enrichment for nuclear weapons. Most of the unauthorized enrichment facilities in these cases are constructed deep underground. Conventional munitions, including bunker busters, could have difficulty penetrating and damaging these hardened structures. Cyber munitions, however, could be used to destroy key equipment used in the enrichment process. One of the primary IO targets would be the gas centrifuges used to create weapons grade uranium. The rotors within these centrifuges operate at extremely high speeds (e.g. 50,000 RPM). A cyber attack that increased the RPMs beyond normal safely levels could result in a catastrophic failure of a single centri- fuge. Implementing this IO attack across thousands of centri- fuges has the potential to disrupt enrichment operations for considerable periods of time.
A couple of months before Stuxnet broke news.
Dan Kaplan, SC Magazine:
In my eyes, this seems to be another step by U.S. officials, without exactly coming out and saying it, to label Anonymous as a cyber terrorist organization, bent on indiscriminate destruction of digital property and infrastructure.
The DHS in the “National Cybersecurity and Communications Integrations Center Bulletin”, A-0020-NCCIC / ICS-CERT –120020110916:
“The loosely organized hacking collective known as Anonymous has recently expressed an interest in targeting industrial control systems (ICS). (…) Anonymous’ increased interest may indicate intent to develop an offensive ICS capability in the future.”
Kaplan continues, on Duqu, the alleged Stuxnet offspring:
Which reminds me: I’m waiting for DHS to publish a warning based on a potential real critical infrastructure issue that popped up just yesterday — evidence that the Stuxnet authors are back with new malware. I’m sure the bulletin will arrive any minute now.
Even a year after, Langner sticks to his assessment:
Thinking about it for another minute, if it’s not aliens, it’s got to be the United States.
The European Commissioner for the Digital Agenda from the Dutch conservative-liberal VVD party, Neelie Kroes, announces an “ambitious EU Open Data Strategy“. It seeks to “encourage more openness and re-use of public sector data” by a Public Sector Information Directive. The Commission is planning to set up an “Open Data portal” for the European Commission, later to be supplemented by a “pan-European Open Data portal”.
This is indeed going to be huge, potentially at least. We have seen plenty of these geeky apps and web sites that make use of publicly available data and create some clever mashups. The usual meme of Open Data advocacy is that it fosters transparency, openness, enhances citizens’ say in public matters and thereby strengthens democracy and what else. For all this open data hipness and siren songs, it remains to be seen whether the advantages will be evenly distributed among citizens, who might receive enhanced or innovative public and non-public services, entrepreneurs entering the markets with some fresh and bright ideas bureaucrats haven’t thought of and ICT behemoths, which most likely will seize the opportunity and kick outtasking into new spheres to sell software, iron and services.
A litmus test to the openness and transparency rhetoric is, as always, the area of security. Will there be a section in COM’s portal labelled “internet security” or “cyber security”? In Brussels, the draft Directive on “judicial cooperation … on combatting attacks against information systems” is still under consideration. Article 15, paragraph 3 states:
Member States shall transmit the data collected according to this Article to the Commission. They shall also ensure that a consolidated review of these statistical reports is published.
Here we have a perfect opportunity for the EC to display its willingness for openness of public sector data. In addition to merely releasing consolidated statistics about the internet-based crimes, a more open approach appears to be perfectly feasible. We still lack reliable, deep knowledge about the scale of the internet security problem. Publicly accessible data will be very helpful to overcome this deficiency and thus to provide the knowledge base for sound political decisions.
Open Data often tends to focus on low-hanging fruits such as geographic data, administrative documents and similar kinds of public service raw data. The one and only area however that truly impacts transparency of governmental action is security. Security is often is grotesquely secretive, security organisation shielded from public scrutiny. With legitimate force entirely concentrated in their hands, these institutions both protect citizens and society, but also, by definition, pose a threat once organisational culture, political oversight and political independence become non-optimal. Hence, democratic governance requires security organisations that are open to public oversight to the maximum degree possible without endangering societal security interests.
While Open Data “merely” requires to add public interfaces to existing data warehouses, Open Security Data admittedly needs a thorough analysis on which data is safe for publication and which isn’t. It shouldn’t be that hard though to make statistical cyber-crime databases public. For a start.
How could I miss that line in Michael J. Gross’ Stuxnet article in the April edition of Vanity Fair:
Stuxnet is the Hiroshima of cyber-war. That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality. We have crossed a threshold, and there is no turning back.
Nice alteration to recently excavated rhetoric corpse of the Digital Pearl Harbour by the Washington Post. “Hiroshima of cyber-war” is an allegory conveying ideas and association probably not intended by the author:
- The dawn of a new age of geopolitics defined by control over certain technological artefacts.
- The assumption by US security circles that unilateral and sole control over these artefacts equals incontestable geopolitical power, a truly “unipolar moment” (Charles Krauthammer) that should have lasted considerably longer than 1949 when the Soviets managed to assemble their “Fat Man” equivalent.
- The militarisation and secretisation of a potentially benevolent technology.
- The institution of a nuclear umbrella which served as a foreign policy instrument and “provided a cooperative structure, linking the United States in a mutually beneficial way to a wide range of friends, allies, and neutral nations.” (Nye/Owens 1996, p. 26)
A Hiroshima of cyberwar?
The Telegraph:
The Foreign Secretary revealed that Britain has developed new weapons to counter the threat from computer hackers and is prepared to strike first to defend the nation’s infrastructure and businesses. … The Government is investing an extra £650 million to develop deterrents to hostile viruses and hackers.
Joe Grand, grandideastudio.com:
My idealistic view of hacker is someone that is always asking questions, learning and has a thirst for knowledge. A hacker tries things that other people think are impossible and it’s someone that solves problems in a clever way.
Frankfurt Allgemeine Zeitung:
Wie der Staatstrojaner zerlegt wurde: Die Hacker vom Chaos Computer Club haben die Überwachungssoftware gefunden, analysiert – und gehackt.
(Reverse engineering a state trojan: Hackers of the CCC found, analysed and hacked the surveillance software.)
Not much of a surprise, the Occupy Wall Street movement has been infiltrated. A New York-based security consultant called Thomas Ryan and a team of IT security professionals managed to access systems used by the movement.
As part of their intelligence-gathering operation, the group gained access to a listserv used by Occupy Wall Street organizers called September17discuss. On September17discuss, organizers hash out tactics and plan events, conduct post-mortems of media appearances, and trade the latest protest gossip. On Friday, Ryan leaked thousands of September17discuss emails to conservative blogger Andrew Breitbart, who is now using them to try to smear Occupy Wall Street as an anarchist conspiracy to disrupt global markets.
What may much more alarming to Occupy Wall Street organizers is that while Ryan was monitoring September17discuss, he was forwarding interesting email threads to contacts at the NYPD and FBI, including special agent Jordan T. Loyd, a member of the FBI’s New York-based cyber security team. (…) …Loyd cited Occupy Wall Street as an example of a “newly emerging threat to U.S. information systems.”
The incident highlights structural weaknesses of open collaborative platforms in social environments with detrimental perceptions and interests. A group that wants to become a mass movement doesn’t have the choice of operating and planning in secrecy. Nor does it have the means to sanction – from the perspective of the group – anti-social behaviour. At yet another frontier, Generation Openness is learning the hard way that sharing can come with costs. It’ll be interesting to observe the institutional innovations, the OWS movement will inevitably come up with.
The Epoch Times reports:
Although the attacks on Estonia—one of the world’s most wired countries—did not involve physical attack, virtually the whole country came to a standstill as banks, communications, and government fell victim to cyberattacks.
It did not come to a standstill. Whenever an article starts with this meme, enjoy the line of argument ahead. Like this one:
“Just as organized crime groups have hired hackers, it is possible that nation states could hire or distantly support jihad networks and launch cyber-attacks through them,” states an April 17 report from Project Cyber Dawn, part of The Cyber Security Forum Initiative.
I guess the story the author wants to convey is: Botnets can bring down a country (Estonia, Georgia), there is an underground market for botnets, you can rent a botnet from a criminal group or person, you can “weaponize” a botnet, elite hacker groups can consist of jihadists. Hence you can bring down the US or one of its allies by renting a botnet from jihadists.
What you could read is: Estonia was not brought down to a standstill – thanks to the intervention of some capable, mostly local IT experts –, even though it’s a small country with just 1.3 m inhabitants.
Fourteen years ago, the Clinton administration launched the Presidential Commission on Critical Infrastructure Commission. Its 1997 report “Critical Foundations – Protecting America’s Infrastructure” states (Appendix A, Section Summary Report, p. A-26):
Vulnerabilities facing the energy industries include:
* Those created in the operating environment by the rapid proliferation of industry-wide information systems based on open-system architectures, centralized operations, increased communications over public telecommunications networks and remote maintenance
Earlier this week, Terry Zink quoted the following in a blog post:
Despite investments into state of the art technology, a majority of the oil and gas industry remain blissfully unaware of the vulnerabilities, threats and capability of a malicious cyber attack on control systems.
