Government Technology

Common Sense Cybersecurity



January 9, 2013 By

I am now on my 27th article focusing on critical infrastructure security starting back in May of 2010, so I thought it time for a little New Year review.

I wrote and interviewed from the perspective of actually being in the business as a recognized cybersecurity expert, advisor and speaker. Digital Communities' publishing of my articles has allowed me to disclose the problems we face and work with the best in the business, which I want to share with you.

This cybersecurity summary contains comments and quotes from past articles and is a collaboration of the real problems we face with expert opinions on how we are to rapidly obtain true cybersecurity for our critical infrastructure.

The Problem with Securing the Internet is the Internet

Photo: Larry Karisny

We start with one big problem. Internet architecture was never made for security. One of my earliest articles quoted the father of the Internet, Vint Cerf, who said, "One of things incumbent on all of us is to introduce strong authentication into the fabric of the smart grid. We did not do that with the Internet." The Internet was built as one big open collaboration messaging system using a series of numbers (IP addresses) as identifiers. Great for sharing information when there were a few hundred Internet users -- as in the early days -- but not the architecture you want to use with today's volume of Internet transactions. Even under this design, there were some amiable efforts toward security, but it has become kind of like putting a finger in the dam -- and the dam is ready to break. The biggest wake-up call hit us after 9/11, when we started to review the security of our critical infrastructure and took an in-depth look at upgrading our power grid to smart networked technologies. The security vulnerabilities were shocking, and connecting them to the open Internet using legacy security technologies is not an option. It is broken and we need to fix it.

Targeted Cyber Attacks are not Hype, They are Real

I have been accused in my past articles of hyping the problems of smart-grid security. As I have attended conferences and closed-door meetings, what I have found is just the opposite. Frankly, many cyber breaches have not been disclosed due to business reasons or national security concerns. This stuff happening now is not some cute virus that might take your family pictures. Speaking at a panel at the RSA Security Conference in San Francisco in 2010, I quoted Matthew Carpenter, senior security analyst of InGuardian as saying, "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC." Cybersecurity in critical infrastructure is a whole new ballgame with the potential of unimaginable devastation.

In a later article, Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, calculated the value of smart-grid security compared to the expense of a power-grid security breach. He compared it to plunging into the Dark Ages with the first few days being essentially inconsequential from an economic standpoint. "As you approach the fifth day, however, things change quickly. There is a precipitous drop in economic activity, and by the seventh day, the economy is at 30 percent capacity. This was quite startling… emphasizing the importance of not underestimating the consequences of a prolonged failure in the grid."

Cyber War has Started

Early on, I was reprimanded for calling this Cyber War because a real declaration of war needs to be approved by Congress. Call it what you want. It is real and occurring, and has the potential of stealing billions and killing millions. Leon Panetta earlier warned the Senate by stating, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our grid, our security systems, our financial systems, our governmental systems. ... If you shut down our power grid.”

If targeted cybersecurity breaches are not war, then they certainly are the perfect weapons. Minimal collateral damage while being able to specifically target what you want to take down. You can't beat that as an offensive weapon or even as a retaliatory attack method. The super viruses Stuxnet and Flame proved this, although the capability of morphing it and throwing it back at an adversary is a bit concerning. The fact of the matter is that the first shot has been fired and retaliatory responses are occurring. Sounds a lot like war to me.

Stimulus Grants Vs Stimulus Smart Grid Grants

I followed both the broadband stimulus grants and the smart grid grants. The interesting byproduct of both grants was the realization of the terrible problem we have in securing the network systems and business processes that control our critical infrastructure. Viewing our power grid was like seeing a relative you haven't seen in 50 years, finding that they're exactly the same as they were 50 years ago, and then giving them an iPad as a gift. This is the same thing that happened when hundreds of companies started to deluge power companies with their high technology solutions that could be used to upgrade the power grid. Culture shock? They didn't even share the same industry acronyms.

So what did they do with all the smart grid money? They put an intelligent device (smart meter) in millions of homes with little or no concern with security for the end user or the grid network that, in most cases, were non-existent. So have we gotten smart about security? In most cases no, and sadly, from smart grid suppliers to the power companies they serve, what I have witnessed is a lot of people either sticking their heads in the sand or passing the security hot potatoes from device to chip set to software company with no one accepting responsibility for this serious security issue. So how did industry and government work on correcting this security nightmare? Compliance, standards, certifications and mandates.

Compliance, Standards, Certifications and Mandates will not Produce Cybersecurity

I have so many quotes on why compliance doesn't mean you are secure that I am not sure where to start. Bob Lockhart, Pike Research; Patrick C. Miller, president and CEO of EnergySec; and Eric Gunther, CTO and co-founder of EnerNex, have all clearly stated to me that compliance does not mean our systems are secure. At a recent ICS Cybersecurity conference, host Joe Weiss, CEO of Applied Control Solutions, the conference's coordinator for 12 years and an expert in the cybersecurity of industrial control systems, discussed the pros and cons of these well-intended oversight organizations. In his conference discussions, he recognized the value of these organizations, but also referred to a government release document that specifically disclosed the most vulnerable areas in the power grid. This is what happens when you get 1,000 eyes on things, with hundreds of meetings often requiring public disclosure.

I attended a cybersecurity conference UTC Telecom 2012 where keynote speaker Mark Weatherford, deputy undersecretary for cybersecurity for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, asked who felt competent in their knowledge of cybersecurity. One or two hands went up out of the more than 500 in the audience. Weatherford responded by saying we need to prepare our work force and find talent "to prepare the next generation for cybersecurity. Gaps in talent mean gaps in security." The issues of cybersecurity are clearly a public/private issue requiring absolute cooperation from both sectors if we are to achieve national security.

We even run into the problem of how to secure the intellectual property of cybersecurity. In a recent interview, DC patent attorney Ted Wood, who leads the Parks IP Law Grid Industry Group, stated, "The tendency to rely only on trade secret protection for all cybersecurity and encryption innovations may be too risky. So wherever possible, companies should protect their key intellectual property by filing for patents early in the development process." He went on to say that Washington already recognizes the urgent need for effective cybersecurity. "But we must more efficiently harness American ingenuity to address the challenges we are facing in defending our critical infrastructure, especially the power grid, from cyber threats."

The Problems with Today's Security Solutions

To understand how cybersecurity works today, you need to know two security disciplines: Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). One of the best definitions I found was IDS vs. IPS Explained. Both systems are plagued with problems that require new security architectures. No more band-aids. We need serious change in both architectures. First let's look at IPS.

The biggest problem with IPS is that they use encryption keys that are stored and managed. Remember what Vint Cerf said about authentication: the Internet was an open architecture never really designed for authentication. Secondly, stored keys have been mismanaged for a long time and can get lost -- even stolen, right out of RSA -- and can also be seen on networks. The recent theft of RSA keys even put Department of Defense contractors like Lockheed Martin in jeopardy from targeted nation-state attacks. The problem with current security architectures is that they are doomed to failure because their designs offer at best patches rather than real security.

Current IDS solutions watch data and then raise concerns about potential intrusions using historical database information. In the real-time world of data streaming, this historical approach is not adequate. Even worse is when an authorized individual takes an improper action in the business process. Current IDS solutions would in most cases consider this an acceptable data input. If intrusion detection is to be accurate, it must watch both data and human process actions. Current IDS solutions are adding limited coverage of these human actions in what they call white boarding, but even these approaches are limited, expensive and based on historical data, which may be too late.

In a recent Government Technology magazine year-end review, A Summary of The Top 2013 Cybersecurity Predictions, Michigan CSO Dan Lohrmann surfed the Net looking for the top blogs and articles that both recap online security trends from the past year, as well as offer new cybersecurity predictions for the coming year. The vendor responses seem to be a litany of expected breaches. 

My concern is the lack of response as to solutions that will effectively deter these attacks. Actually, if these solutions were working properly, who would even care about these attacks? We need simple, impenetrable security that can, in real time, lock out and detect cyber attacks. We cannot effectively do it using current security architectures.

No more tricky fixes

There is no secret that today’s security technologies are made with back doors. This has been done intentionally for years in both the public and private sectors. There are practical reasons like that time you forgot your password and had to tell which dog you liked best or try to remember the spelling of your mother’s maiden name to gain access. Back doors are also sometimes inserted purposely by the developer for debugging reasons. There are national security mandates and industry requirements that are put in all trying to find that perfect balance between security and getting in when they need to. It’s a tough balance, but we need to start somewhere, and I think machine-to-machine (M2M) applications in critical infrastructure are a good start.

The problem with back doors in security is that today's software and even physical chip set acid baths can detect them. The magnitude and concern for these security back doors is so great that DARPA has designed software to find and fix these security hatches. The master of back doors in security -- the NSA -- is ready to release Perfect Citizen, which was designed to detect cyber assaults on things like power grids, nuclear plants and other critical infrastructure. With hundreds of smart phone apps and new Internet-of-Things devices creating new M2M applications every day, we can't start fast enough to minimally target where impenetrable and complete security solutions must be deployed.

Real People, Real Cybersecurity Solutions

As a security consultant and advisor, I have been able to review lots of cybersecurity designs. When searching for the best solutions, I tried to keep my eyes open for new approaches rather than just putting patches on the same old stuff. The general criterion was to find an impenetrable prevention security solution that also offered real-time detection and prediction capabilities and that would be inexpensive, easy to manage and easy to deploy. To avoid the faulty designs of the past, I found I needed some changes in the approach to cybersecurity. The result of my search was meeting some pretty smart people who used a combination of complexity and common sense in developing their new security architectures. Here are the pieces to the puzzle.

I earlier discussed the problems with encryption keys: viewing them on the network, theft and mismanagement. This is a big problem with current solutions that are just waiting for more problems. A start to the correction of these problems was discussed in my earlier interview, Cybersecurity and 'Smart Encryption', with Prem Sobel, who solved the encryption key problem by creating what he called "a random data generator that generates-destroys-recreates keys and passwords on demand." It's kind of like giving your keys to the whole neighborhood to use, then changing the locks in milliseconds while you are asking for the keys back so you can reuse them. Try opening that door. A little common sense with a lot of math, and Sobel's solution has stunned the world of cryptography. He continued by saying that his security solutions "were pen-tested by the best -- including some noted hackers in Ukraine and Russia."

In another recent interview article, Cybersecurity in Today's World, Curt Massey added another critical piece to security, offering the ultimate in common sense security. His company's solution: "You can't attack what you can't see … or touch." So Massey's people made their security solution invisible to hackers, and invited an eclectic and diverse group of highly skilled pentesters and outright hackers to give it their best efforts to penetrate it. One shadowy hacker's response was quite telling: "I don't have time for fake targets, plug wire into Internet." The "fake target" was a series of live servers sending a data-rich stream into the "wild" Internet and back; unauthorized hackers just can't see or affect a network thus protected. Massey added that, "most of humanity seems to believe that hacking will always be with us; popular culture, movies, books -- all just accept that we will forever be afflicted with it. We refused to accept that premise."

The final piece of the puzzle was to find a real-time IDS solution detecting both man and machine security breaches simultaneously and in real time. This tough but necessary requirement to achieve cybersecurity led me to Toronto, where I found inventor and security pioneer Rajeev Bhargava.

Bhargava took a completely different look at cyber-security. In my interview article with him, A New Way of Detecting Cybersecurity Attacks, he discussed his patented invention of using anomaly detection for real-time viewing and securing business process actions not just data. "We need to stop looking at zeros and ones and recognize that a digitally enhanced action is just an extension of a human action, and they must be viewed simultaneously if we are to achieve true security," he said. "With our solution, a single event (live data element) can be checked for anomaly instantly and acted upon.... with current IDS solutions, the context is not the business process but rather the IT analyst or mathematicians who generate the rules, patterns and algorithms."

Conclusion

There is not a security publication that I have read that is not predicting an increase in cybersecurity attacks this year. Legacy security solutions are showing that they were never meant to scale to the volumes of interactions occurring in today's information age. These older security solutions are becoming too complex, too expensive, can't scale and are too difficult to manage. We must think in terms of new security architectures if we are to rapidly achieve the cybersecurity we need today, especially in the protection of our critical infrastructure. It may not be as hard as you think, and it is immediately available to people who are willing to listen to new approaches from very smart people who just added a little common sense to security.

Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.



Comments

Stacy Bresler    |    Commented January 9, 2013

That is a great collection! I'd like to add to your conclusion a bit. I agree that there is a need for some updated security solutions. My focus is in the energy sector where not only are there legacy security solutions meeting increased complex technology environments but legacy systems (old systems) meeting very modern technology at the same time! I think in many cases, there is a need to get back to some security 101 basics and focus attentions to security solutions that provide the best bang for the buck. I'm a firm believer that security log monitoring coupled with appropriately skilled security professionals are the best one-two punch any utility can invest. It will pay dividends - especially if those professionals are engaged in industry-specific (active) information sharing programs. You are spot on with regard to your statement that "it may not be as hard as you think." It has been my experience over the years that often more effort is put in fighting against practical, common sense security measures than it would take to implement and maintain. Some of the things we can do that will take us giant leaps forward in our security protections are not all that difficult to do. It just takes the will to do them.

Prem Sobel    |    Commented January 10, 2013

Does a company get a purple heart if it is attacked in this on going cyber war? :)

Prem Sobel    |    Commented January 10, 2013

Yes, and let us not people the nay-sayers (which includes government officials) that nothing can be done. Where there is a will there is a way. The positive always, in the end, can and will, defeat the negative. Software and hardware architecture designed for security is what is needed.

Prem Sobel    |    Commented January 10, 2013

A DoS attack by its very nature is a statistical anomaly, easily detected by the fact that the number of incoming connections has jumped by over 1000%. I would suggest that this should automatically bring up a program to analyze the source and nature of those messages and reject them until the input rate drops to normal.
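The comment above describes rate-based anomaly detection: compare the current connection count to a baseline and react when it jumps by more than 1000%. The following is an added example, not code from the article or any commenter, showing that logic run over a constructed connection log. The log format (epoch seconds and source IP per line), the 10-second buckets, the rolling baseline and the 1000% threshold are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample log, one "epoch_seconds src_ip" entry per connection (not from the article):
# about one connection per second from five internal hosts for 60 s, then a burst of
# 150 connections in 10 s from three sources in the documentation range 192.0.2.0/24.
SAMPLE_LOG = []
for t in range(0, 60):
    SAMPLE_LOG.append(f"{t} 10.0.0.{(t % 5) + 1}")
for t in range(60, 70):
    for i in range(15):
        SAMPLE_LOG.append(f"{t} 192.0.2.{(i % 3) + 1}")


def bucketize(lines, bucket_seconds=10):
    """Group log lines into fixed-width time buckets.

    Returns a list of (bucket_start, Counter of source IP -> connections), sorted by time.
    """
    buckets = {}
    for line in lines:
        ts, src = line.split()
        start = (int(ts) // bucket_seconds) * bucket_seconds
        buckets.setdefault(start, Counter())[src] += 1
    return sorted(buckets.items())


def detect_rate_anomalies(lines, bucket_seconds=10, jump_factor=10.0, min_baseline_buckets=3):
    """Flag every bucket whose connection count exceeds the rolling baseline by more
    than jump_factor (10.0 means a jump of over 1000%, as suggested in the comment).

    The baseline is the mean of all earlier buckets that were not themselves flagged,
    so a burst does not inflate the baseline and hide a following burst. No alert is
    raised until min_baseline_buckets of normal traffic have been observed.
    """
    alerts = []
    baseline_counts = []
    for start, srcs in bucketize(lines, bucket_seconds):
        total = sum(srcs.values())
        if len(baseline_counts) >= min_baseline_buckets:
            baseline = sum(baseline_counts) / len(baseline_counts)
            if total > baseline * (1 + jump_factor):
                alerts.append({
                    "bucket_start": start,
                    "count": total,
                    "baseline": baseline,
                    # The sources an analyst (or an automatic responder) would look at first.
                    "top_sources": [ip for ip, _ in srcs.most_common(3)],
                })
                continue  # anomalous bucket is excluded from the baseline
        baseline_counts.append(total)
    return alerts


def sources_to_throttle(alerts):
    """Collect the top sources from all alerts into one sorted list, i.e. the candidates
    to rate-limit 'until the input rate drops to normal'."""
    return sorted({ip for alert in alerts for ip in alert["top_sources"]})


if __name__ == "__main__":
    found = detect_rate_anomalies(SAMPLE_LOG)
    for alert in found:
        print(f"t={alert['bucket_start']}s: {alert['count']} connections "
              f"vs baseline {alert['baseline']:.1f}, top sources {alert['top_sources']}")
    print("throttle candidates:", sources_to_throttle(found))
```

Two design points worth noting for anyone adapting this: excluding flagged buckets from the baseline keeps a sustained flood from becoming the "new normal", and a fixed 1000% threshold will miss a slow ramp, so a production detector would typically pair this with a per-source limit and with deviation from a longer-term baseline rather than a single jump factor.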

Larry Karisny    |    Commented January 10, 2013

The "it may not be as hard as you think" was kind of tongue in cheek. There is serious smarts behind making this stuff actually work. The common sense part is the horrific architectures in current legacy security designs that for some reason people think will continue to work. Your comments are welcomed.

Curt Massey    |    Commented January 11, 2013

Well, solving the problems from a technical perspective is not that hard; the solutions are here! What's hard is getting the 'old hands' to let go of their soft, comfortable and familiar standards and protocols. To get certain entities to forgo the extremely bloated money train in favor of security and, in the case of critical infrastructure, SURVIVAL.

Prem Sobel    |    Commented January 14, 2013

Whether Congress has declared war or not, there are at least two military agencies that have been created to defend and attack back that I know of. One is Air Force, the other is Navy. Have we not been at war with terrorists for over a decade??? And some such groups have already declared and attacked US banks on the network with DDoS, which unfortunately has been at least partially successful.

