The new cyber threat: attack from the air10 March 2014
Chris McIntosh, CEO of ViaSat UK, gives his views on the substantial threat to the electrical infrastructure from cyber attack and how an evolved defensive strategy can combat it.
The National Grid and other elements of the UK's critical infrastructure are still open to several vulnerabilities according to Chris McIntosh, CEO of global security firm ViaSat UK. This view is supported by research from ZPryme Smart Grid Insights which revealed that more than half of infrastructure providers in the US believe electrical networks are insecure, while 57% expect attacks against infrastructure both to increase in frequency, and also to expand further into IT and operating systems. 43% of providers canvassed believed that the most vulnerable segment of the electrical grid was the end user.
“Critical infrastructure companies have been slower to evolve: both in the need to justify the considerable expense this can involve and the sheer scale of the infrastructure they have to protect. Yet this lack of speed is at risk of leaving holes not only in companies' security, but also that of the nation" says McIntosh.
He points to increased communication over the Internet as a significant threat for critical infrastructure. Historically infrastructure companies have used dedicated lines of communication, meaning any attacker had to break into these physical connections. The gradual replacement of these dedicated lines with Internet-based communication has created many more opportunities for potential attackers to breach the system. This becomes even clearer with the increased adoption of smart meters in homes and businesses. By providing a direct connection to critical infrastructure networks in a location that is unlikely to be heavily defended, electronically or physically, infrastructure companies are introducing an extra level of vulnerability to their systems.
In the following interview Mr McIntosh spells out the thinking behind his assertion that a holistic approach is essential to maintaining the security of the system, perhaps of the country itself.
MPS: What do you see as the nature and scale of the threat?
CM: We have in the past predominantly been focused on military and government customers because they have been right at the top of the threat pyramid and this is where there can be huge consequences with respect to the security of information - either information being taken from the system, or systems being unable to operate correctly, and what we've realised is that the critical infrastructure itself - in the UK and across the globe - is under the sort of attack with the modern technology that is now being used on the grid that can bring a country to its knees very quickly; it's what we all depend and rely upon: take that away and within days if not hours we could end up in a catastrophic situation.
MPS: I think the key to this is the expansion in the number of points of entry. And in due course we are going to have power metering and so on in every household, each of which is an entry to the system - an enormous number.
CM: Yes exactly that. What used to happen was that with something like the grid you would have a system that was designed specifically for that grid, so it didn't touch the internet, it had its own internal communications; what we've done now is to interconnect all of these, using modern comms and control systems - which often go via the internet.
And then we have the audacity to believe that our systems are air-gapped even though we are controlling them via the internet. There is no such thing as an air gap now because anything that touches the internet can be connected to, and when it does not use the internet humans find ways of connecting to the system using, for example, USB sticks and CD ROMs . It means that the ones and the zeroes are there in the ether, and not only are there enormous numbers of entry points, we've now got to cope with organised crime that can go against these targets remotely.
MPS: Isn't double prime encoding a defence against an attack?
CM: Yes, it is, and any form of encryption, VPN etc will always slow down an attack, but anybody who thinks that that makes them totally invulnerable to an attack - is wrong.
MPS: So Is the encryption crackable? Why does it just slow it down rather than prevent an attack?
CM: Because the methods to attack any form of encrypted system are changing rapidly, and the threats are changing. So for example the military and government, which have some highly classified networks, are constantly working on how they need to improve their protection in order to guard against evolving threats.
And of course an easy place to go wrong is to look at the code that's used, which is equivalent to looking at the lock on the gate - but actually the attack doesn't generally go through the lock, you attack the hinges, or go underneath - it's the whole system that needs to be protected, and as soon as we start putting information across the internet we've got to make sure we've protected the whole system and not just the lock.
MPS: So the attacker ignores the lock, the encryption, and finds ways around it?
CM: There is far more to a security system than just the encryption, and the reason I equate it to a lock is because you might have the best lock on the best safe on the planet but if you write down the code to the lock and keep it, the way you attack that system is to find out where the code is kept.
But the owners of such systems tend to focus on how strong the lock is, and they forget everything else, which leads to passwords being kept in desk drawers.
MPS: And there are ways to find out where the code is kept - a common method is to infiltrate with memory sticks, perhaps dropped in the car park, which is then picked up and used by individuals on their system, but the stick is already loaded with attack software.
CM: I can give you an example - if you want to get some malware on to a system, drop a stick with the CEO's name on it in the car park of the organisation.
MPS: The phrase car park crops up often - it seems to have become a portal between the real world and the cyber world.
CM: The second aspect is the way the threat has changed. We now experience all sorts of methods of attack - the most threatening being from apparently legitimate organisations in eg China and Russia that steal information to order and for a fee. This means a co-ordinated attack in what has hitherto been regarded as a low threat environment, which means that suddenly areas such as critical infrastructure have got to start protecting themselves far better than they have done in the past.
It's no longer just individual hackers trying to break into systems for fun - now it's people who could actually be trying to bring the network down - we have to make sure we respond to the changes in the threat.
MPS: You refer obliquely to organisations that are not state sponsored, but they are ignored by the host country. The Americans in particular have put out some frightening numbers derived from businesses that report the number of attacks they routinely experience - running into the thousands every day. Are they believable?
CM: They are. The problem is that once you have set up your firewall it will tell you that you've been hit 2000 times in the last four hours - but a large number of those will have come from the same place - trying to force their way in by looking for the weak link. But it doesn't really matter where they come from - the important thing is the intensity and variety of methods of attack.
The Zpryme report states that the end user is the most vulnerable point of the grid. If they really believe that then it is the security team's fault because the system should be protecting the end users and not putting them in a position where they can make mistakes that lead to a breach. It's too easy to blame the staff and the users when we actually haven't given them the correct tools and procedures.
MPS: Most of the time the user is an innocent abroad, and doesn't know the tools exist.
CM: One way malware is introduced into a system is via email. There are organisations that will chastise an individual for opening an email. In other words, for using the system exactly as it is supposed to be used. And of course, the offending emails look legitimate, they look just like the emails you would expect to receive.
I say it is not the users fault - there should be protection on the system to identify the potential malware and block it.
MPS: The Zpryme report seems to have been based on the opinions of end users. Are such opinions valid? Why do 57% of respondents expect an attack?
CM: In the report they explain that the responses are from professionals in the area, the people who are actually dealing with attacks and responding to them. So they seem justified. But the 43% who believe the end user is responsible for example - those are just opinions. But I believe the survey gives a pretty good representation, and whatever the actual figures, the result says that the end user is part of the vulnerable front, and when 60% say they think infrastructure attacks will increase what they are really saying is that most people in the business expect them to increase.
MPS: But what are they doing about that expectation?
CM: A good measure is the number of organisations that are suddenly trying to become security specialists , whatever their real business - which makes life interesting for the actual security specialists.
MPS: Could you spell out what you believe are the 'several vulnerabilities' in systems?
CM: Let's take an example from a grid control system. The first thing you look as is the end point - where there is a physical connection to the network. It would be somewhere where an engineer can plug his laptop into the system. That is a simple way to introduce malware. What we don't do is ensure that every system that can interact is itself secure - realize that the security of the engineer's laptop is just a important as the security of the system he is going to plug into.
MPS: So the system itself can be very strong, but it has many points of entry innocently used by operators and so on, any kind of interaction such as a phone - and it has been invited in.
CM: But there are levels of protection that can significantly reduce the likelihood of a successful attack, and that is what a specialist needs to investigate.
Then you look at the SCADA, you look at the comms systems being used, and whether we use the mobile 'phone or radio network, we still have a large percentage of the traffic that is not encrypted at all, and one of the things that's happening is that it is so easy to attack those systems through their comms network because there is not even a low risk level of security on them to make it difficult.
MPS: Can you spell out the holistic approach, and what it implies?
CM: We would look at the people, the processes and the technology, so we aren't just talking about the technology itself. In essence we do exactly what we would do for military or government customers, which is to accept that there is certain to be some level of insecurity within the system so it is not just about building a big wall around it, is identifying how high and thick that wall should be but also then what must be put inside the system to identify when someone has breached it and how to respond.
So one must look at the complete network and everything that interacts with it, and then we look at an 'onion skin' model which will give us the alarm, the alert, and - most important - the visualization that will allow us to see what's happening and allow us then to make informed decisions. Where possible we put automated sensors around the network so that the network itself moderates itself and actually looks for problems from within.
MPS: Is it impossible for an attacker to hide what he is doing from the security system?
CM: Often that is exactly what they are trying to do. For example Zero day attacks - attacks employing a technique for the first time on a system that you are not yet prepared for. It is possible to protect oneself by using a 'sacrificial lamb' in the network. It takes the hit, and that alerts the rest of the network. The dummy is made to look like the heart of the system so it attracts attack, but what it actually does is alert the system and teach it about how the attack is working. That then allows protection to be developed. But being realistic there is always a level of vulnerability associated with being attacked by something you've never seen before.
MPS: So now you need another level of defence against the inevitable successful attack.
CM: Generally there are layers of defence - but there is an internal defence that continually looks for abnormalities in the system that aren't working just as they should. By doing it this way, which is very much how this company focuses its activity, you can look at nodes in the system and say 'I don't trust that device because it is acting differently to the way it normally does - for example the frequency and form of its reporting might be different - and this warrants investigation.
To do this we have sensors across the network, placed at transformers, substations, or in the form of inserted boards or even software at control units, that make it possible to do comparisons on a point by point basis.
It makes it possible to identify at an early stage that something is wrong without knowing how it go in or what it is.
At this point one is learning the signature of the attack. One response would be to isolate it allowing the solution to be identified before it spreads and cripples the network.
It is also important to allow time to identify the variants of the same attack that can be expected. This allows defences to be hardened, which reduces the number of successful attacks.
MPS: If I am a customer, am I going to find that you need to be there for ever or can I get a one stop fix that will work for at least a couple of years? Everybody knows the scenario where one is continually paying fees to a retailer just to keep his equipment working.
CM: Well, this company doesn't deliver boxes and say - when you've added those you'll be safe and clean until the threat changes or your networks are upgraded. What we do is provide a cyber security service at a fixed price that maintans the level of protection even though the threat and the scenario are constantly changing.