Discussion on:

How likely is a cyber 'Pearl Harbor'?

It seems like we need to increase security awareness in general. One thing I have thought about is if most computing is pushed to the cloud then that is like putting our eggs in a few baskets. This makes for a much easier attack surface than attacking indvidual companies or users.

Is it better for many small attack surfaces that are only as secure as the local IT guys skills allow, or a few large, heavily secured attack surfaces that are managed by the best security guys you can get? I know where I'd put my critical systems.

And where is the proof that this is actually what happens?

The Cloud Providers are still in Business to make money so they are after the cheapest Security that is as Unintrusive as possible so that their users are not put out and have to jump through hoops to access their Data.

I know it's what the Cloud Marketers say but the reality is somewhat different and even if they do pay for the Best where are they actually getting them from?

What is apparent today is that companies do not want to train people they prefer to have others train them and then they poach them wherever possible. After the recent economic conditions it's blatantly apparent that those who can are not moving to new unestablished places that simply may not be there to pay them in a months time so I ask again exactly where are these so called Experts coming from?

Who is paying them and more importantly who would want to work for these new untried companies?

Col

so I think we can all agree it's likely our Chinese Overlords will show us leniency for nicely putting our vital info out, nicely documented and indexed on the net. Ni hao.

Just because it is a cloud service doesn't mean that the company paying for it isn't the one building the interface. There are numerous hosting sites that all they provide is the base platform (rack space, web hosting) and the company builds the application on top of it. Sure it is a cloud service, but it is not built and maintained by the cloud vendor so the security could still be in question.

Bill

"any critical systems shouldnt be connected directly to the Net in the first place"

But they are!

You're right when you say we need to improve security, but the will doesn't seem to be there. Not at government level or in the public's perception.

Currently under threat of being tried for getting into some US Government computers.

They shouldn't crucify him, they should hire him!

Peter M.

Of course, it was a few years ago now. Do you think that the computers are any more secure?

"Do you think that the computers are any more secure?"

Hopefully they've changed the passwords by now. IIRC, one of them was 'password'...

That they have?

The reality here is that they do not want Security they want to blame people who walk in through a Open Front Door and hold them responsible for a Complete Lack of Security. After all it's not my need to secure the system others shouldn't look.

Security by not having any so no one is going to bother looking is no security at all.

Col

Many users have to use old presumably insecure applications because they are too expensive to replace - we must begin to move away from built-in obsolescence. Anyway, even the most recent everyday applications need regular security patches, which have to be downloaded. The supplier assumes you will always be connected in order to enable the updates, so the security argument becomes circular.

Which brings me to the key point: OS and hardware should be equipped with a means of securely disconnecting the computer from the networks whenever there is no pressing need to be connected. Software suppliers need a new model for keeping applications up to date.

You can turn a firewall on to block all traffic in and out of an interface effectively cutting it off from the internet. I bet it is even possible to script changes so that you can run a scheduled task to enable access for updates and then disable it after the updates are applied.

If you really wanted to get hard core you could run a script that disables and then enables the NIC.

Bill

Edited to add second paragraph.

"scare tactics, trying to push a particular agenda (CISPA)"

Its all about control, censorship and more infringement on personal privacy and freedom.

When Panetta says "They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country." I can't help but shudder when I think of the scaremongering rhetoric here and the damage that can do. Clearly people haven't learned all the lessons from relatively recent world events.

Making people scared of 'THEM' is a classic control tactic, a way to make people silently obey for the greater good. problem is, however well intentioned such tactics ever are they can easily lead to a loss of liberty and other unintended consequences.

Now, despite my distaste for the scaremongering I do recognise that there is a very real point under all of this - key infrastructure technologies or information could be vulnerable due to poor design, old systems and plain old human error and this could compromise national security and safety. All true, all good points. The answer, however, is not to start layering fearful rhetoric over the top and risk masking the real issue by doing so, but to instead invest that time and energy in providing intelligent solutions and practices.

I always think that modern politicians and military personnel can struggle a little adjusting from the old, ringfence, barrier, command and control mentalities of the last few generations when faced with the brave new world of interconnectivity and borderless communications, where anything you want is potentially a few keystrokes away. After all, how can traditional security cope with the ghost in the machine?

A lot of leaders (both political and military) do 'get-it' and I think the populace have already woken up to the idea that cybersecurity is important. We've been a little while in getting there but I'm confident that advances can be made quickly if we don't turn this into a political football to gain power and control beyond our needs.

I've said more than enough already and I'm not entirely sure I've made my point clear. Maybe I need more Lucozade this morning

Well said! You've made your point too.

This is very slippery ground...What if (or when) things get tougher? What if some White House spokesman say "we have been victims of cyber terrorism, the attack was organized by (for example) San Marino's government. They broke into our system and derail train full of children and lethal chemicals"? Will they bomb the s..t out of San Marino based on that?

In the virus/malware removal & data recovery business we see increase malicious activity every month. Instead of keeping our customers in the dark we have chosen to slightly increase our price and greatly increase our customer awareness. If my company has to survive by cleaning the same computers over and over again then I will get a job on a farm doing legitimate work! We no longer accept customers who say " I am computer illiterate". We will steer them to classes at a local High School or Community College.

Our government needs to have the same attitude. Instead of destroying the last free frontier on the planet they should be educating people on how to preserve it. The word "Virus" is important here! When you get infected your freedom has been violated by an uninvited guest. When you network your computer(could be unintended via wireless)you spread this virus to other computers not protected against said virus. If this is a new configured threat that could be 10's or hundreds of computers.

Anti Virus-Malware companies depend a lot on the information small companies like mine send off to them every day. We see a lot of new threats every week and resolve only a few due to time restraints. Obviously this is not just a threat to local bank accounts but stems all the way to national security. If everyone with a computer learns to protect themselves by not allowing "free" stuff or automatic downloaders to live on them(to mention a few)then everyone benefits.

I also agree with the gentleman who said certain systems or networks should never see the internet. Downloads and updates should be sent to one secured system via email or postal even. The op should always install these not the source via the internet.

Skynet anyone?

The Answer to 1984 is 1776
You are the Resistance
Resistance is Victory

A Pearl Harbor in the 21st century doesn't need to be a single, catastrophic event. For instance, eroding faith in the financial system, piece by piece, is a smart black hat move. DDOS (verb) banks, financial SAAS, Wall Street, etc., and financial data movement might be reduced to a trickle, and that's just one example. What about all the other sloppy code that props up our target rich environment? Big players should forced to lock down their systems. Naive and/or greedy executives might do a lot of squealing about lost profits, but I suspect they have enough cash to solve for safety and reliability rather than short term profit.

How about the risk of outsourcing companies back office to foreign powers that may switch off / corrupt systems any time ?

My favorite is "derail passenger trains carrying lethal chemicals." Did he really say that? when did we start transporting lethal chemicals on passenger trains? Of course, Al Gore invented the internet so I guess anything is possible...

Anyone can see from the context that Freight trains carrying lethal chemicals was meant. I worked for the railroad for 11 years. In 1981, at Potomac Yards in Alexandria Va, a car load of Nuclear waste derailed in the yard, while I was working 10 feet from it because of an issue with the automatically controlled switches. More recently, on November 10, 1979 in Mississauga, Ontario, Oct 7 2011 in Tiskilwa, Ill, and July 11, 2012 Columbus, Ohio, mass evacuations were caused by explosive derailments involving toxic chemicals.

One thing I learned in my many years in the Navy and supporting the Navy, the Military plans for enemy capabilities not enemy intentions, and, they always plan for what they think is the worse case scenario. While, most likely, any attack would not be a massive all-around attack, look at what happened the last time the Navy said "Oh they won't do that." in the fall of 1941. We already know the Chinese have been sponsoring cyber-attacks on DoD systems for years. We already know they are friendly with Iran. We already know Iran resents our efforts to keep them from developing a nuclear capability. We already know that Iran sponsors terrorists. We already know that terrorists are developing greater cyber capabilities. While a + b + c may not always be combined to equal d the fact that they can, should raise enough of a concern to take precautions.

For those concerned about privacy, they should address issues like the so-called Patriot act, or the laws restricting the rights of consenting adults, not legitimate concerns about vulnerabilities that can be exploited in a catastrophic way.

Wanderer said, "Of course, Al Gore invented the internet..."
----------

This mendacious GOP misquotation of Al Gore says far more about the abysmal personal ethics and educational level of the person who uses it, than about Al Gore.

Gore, himself, did not make that claim-- the GOP did. Their spin factory simply lied in an RNC press release, hoping illiterates would pick up their partisan misquotation and pass it along.

During a CNN interview, Gore said, "During my service in the United States Congress, I took the initiative in creating the Internet"-- a claim that even former House Speaker Newt Gingrich verifies as true, because Gingrich knows Gore refers to a legislative, not a technical role.

Those who were listening to the Wolf Blitzer interview never thought Gore took credit for the technical side of what some mistakenly call the "web". However, Gore clearly did take early congressional leadership in pushing federal development of the nation's first high speed computer network-- the foundation of what eventually became the internet.

Gore as chairman of a key science subcommittee (1986) facilitated establishment of five supercomputer centers through the National Science Foundation, centers which became the cornerstone of the Internet.

To those GOP bozos who deny the importance of government in science and technology, here is an article that provides urgently needed perspective--
http://en.wikipedia.org/wiki/High_Performance_Computing_Act_of_1991

and this--
http://blogs.scientificamerican.com/observations/2012/07/23/yes-government-researchers-really-did-invent-the-internet/

and this--
http://en.wikipedia.org/wiki/Al_Gore
"Internet pioneers Vint Cerf and Bob Kahn noted that, 'as far back as the 1970s, Congressman Gore promoted the idea of high speed telecommunications as an engine for both economic growth and the improvement of our educational system. He was the first elected official to grasp the potential of computer communications to have a broader impact than just improving the conduct of science and scholarship [...] the Internet, as we know it today, was not deployed until 1983. When the Internet was still in the early stages of its deployment, Congressman Gore provided intellectual leadership by helping create the vision of the potential benefits of high speed computing and communication.'

"Gore introduced the Supercomputer Network Study Act of 1986. He also sponsored hearings on how advanced technologies might be put to use in areas like coordinating the response of government agencies to natural disasters and other crises.

"As a Senator, Gore began to craft the High Performance Computing Act of 1991 (commonly referred to as "The Gore Bill") after hearing the 1988 report Toward a National Research Network submitted to Congress by a group chaired by UCLA professor of computer science, Leonard Kleinrock, one of the central creators of the ARPANET (the ARPANET, first deployed by Kleinrock and others in 1969, is the predecessor of the Internet). The bill was passed on December 9, 1991 and led to the National Information Infrastructure (NII) which Gore referred to as the "information superhighway."

I have worked on many control systems. Most are on isolated networks that are not routed to the Internet. The likelihood is low that these critical infrastructure systems can be taken down easily. In most of these areas, Internet access is prevented to reduce the risk that a machine that has access to both segments can be used to bridge the gap. Probably more hype than anything, and when a politician is carrying the torch for this, it is probably to push his/her agenda.

Having worked as an industrial Sr Controls design and debug Engineer for almost 21 years and now being in Government IT for over 10 years I see the building blocks of this being put in place right now. We are seeing increasingly complex controls systems being put in place to control our infrastructure systems like water supply, wastewater treatment, emergency communications, transportation and security and the employees in most of these physical plants are at best computer illiterate having had no need for these skills in the past. So when the contractors are all done installing, debugging and proving the new systems they pull up stakes and move on to the next contract and in doing so the plant operators are left looking at complex systems through a screen of icons that are ether green, yellow or red not understanding what each of those things are in physical reality. This situation leads to these systems REQUIRING communications back to the installation contractors so they can jump in and ether correct the situation or help the operators understand what is happening. I fight on every project coming the door to try to instill some sort of security awareness to the conversation during budgeting, design and installation but in the end budget money is used for things like more police or firemen instead of operator training or including firewalls or monitoring devices to actualy watch these new systems in the budget. Thus when the new systems are up and running we see things like a charter cable modem installed in a wastewater treatment plant to circumvent IT because " we are making it to difficult for the operators and contractors to save money" by doing remote support when problems arise. we are told the operators will only hook up the "modem" when they need assistance and will physically unhook the "modem" when they are finished.
THIS IS REAL LIFE IN MY TRENCH!

While zero outside connectivity is ideal, "we are told the operators will only hook up the "modem" when they need assistance and will physically unhook the "modem" when they are finished. " is at least a better alternative to 100% connectivity. It sounds like they took your concerns to heart.

The Navy's connectivity is extremely slow. To download a patch or an update could take a while. How long do you think the cyber-attackers need you to be connected?

Stuxnet was about 500k, but security researchers said it was unusually large.

Bill

Precision guided munitions are complicated and expensive; roadside IED's are cheap and simple. The former are only in reach of nation states; the latter can be cobbled together by anyone with a grudge or an agenda. The same applies to cyber-attacks. The sophisticated software engineering in the precision-targeted Stuxnet-Flame-Gauss suite of cyber-weapons is probably achievable only by crack teams with extensive resources, but a dedicated team of terrorist hackers can pull together enough from public resources to launch effective attacks that cripple or destroy multiple facilities. They do not have to worry about collateral damage or getting the parameters just right. The purpose is chaos and fear. Droppers that only work on 1 in 10 targets and code that only throws some of the generators out of synch but rattles the windows elsewhere is quite acceptable.

How real are such threats? >theres no way to accomplish them solely via the Internet. Most things have to be done on site, and any critical systems shouldnt be connected directly to the Net in the first place. This is a nave and simplistic view of industrial control systems. True, critical systems should not be connected to the Internet, although a depressingly large number are. (There are even search engines that can help you find which ones are directly accessible.) However, even the ones that are supposedly isolated by a so-called "air gap" are, in the vast majority of cases, reachable. The Second Law of Cyber-Terrorism states: "Absolute isolation of any computer system from outside connection is impossible in practice; the so-called air gap is an illusion." The Iranians learned this at Natanz. Their highly secured facility was controlled by "completely isolated" PLC's, yet the Israeli-American designed Stuxnet was able to worm its way into the controllers. How? All control software needs to be maintained to fix bugs, enhance performance, or accommodate new hardware or changing conditions; all the software used to program controllers needs to be maintained as current for similar reasons. Ultimately there is ALWAYS some indirect route that connects the PLC's on the installation floor to the outside world. Pen testers (penetration analysts) will tell you that in virtually all practical circumstances, they can find a way from the Internet to the factory floor.

In the absence of regulations mandating enhanced security, little will happen because the economic incentives are all biased against investment in security--and security in ICS's is likely to be enormously expensive. Many in the cyber-security community believe that little progress will be made until terrorists--state-sponsored or otherwise--spread a major swath of darkness over the land or reduce the generators at a dozen plants to scrap metal or ignite a flaming corridor along the gas lines of the Eastern Seaboard. All of these scenarios have been shown to be possible.

Bad though an extended blackout caused by disruption and corruption of the power grid may be, far worse is the prospect of doing to generators on the grid what happened to the centrifuge motors at Natanz. The Third Law of Cyber-Terrorism: Anything that rotates under computer control can be destabilized or desynchronized under computer control. (Citation on request.) An attack based on this scenario was designed as far back as 2003 (see, Web Games, Lior Samson) and a proof-of-concept demonstration conducted by DHS in 2007 (Aurora Project).

In short, the attacks that Panetta dramatized are far easier to pull off than most people realize. Such warnings will continue to be called scaremongering or self-serving promotion until something happens. Then whatever administration is in office will be blamed for not being prepared.

--Prof. Larry Constantine (pen name, Lior Samson)

Many, many points of infrastructure control lie outside the perimeters of power plants, natural gas pipelines, petroleum pipelines, and the like. There are, for example, thousands of compressors and switches. Can they be hacked? Of course.

This whole discussion reminds me of the 90's. When people said planes will fall from the sky, trains will stop and things will explode in year 2000. This generated an enormous amount of work for IT consultants to get all systems checked.

After all, it is not a bad idea. I might just start a business auditing network security.

Great article, up until the point when you left your wingman... There are two obstructive parties in Washington; not only one. To use an article to promote the perspective of the left is disingenuous to the basis of the content and severity of the issue being written about.

Having worked with and on control systems ranging from TMI to large petroleum processing installations, I have always been terrified of the the minimal to non-existent security. This article woke me up about the planed up-coming cyber warfare attack. Listening to Mr. Panetta, it is not going to be pretty.

You see, like Pearl Harbor, the Gulf of Tonkin and September 11 this attack is being planned right now by our very own leaders of the US Military Industrial Complex, or in current times should I just say the US Government?

The timing is perfect, we are just about to put another Madison Avenue groomed puppet into the white house. Dick Cheney's Project for the New American Century is already underway. Witness the US cyber attacks upon Iran's peaceful nuclear industry. Witness the media drums beating on how Iran, as isolated and broke as it is; is dire threat to each and every peace loving freeman alive. Witness how some PM's are appearing before the UN stating the case for an all out attack on Iran, NOW!. Listen how both adorable presidential puppets have drawn "lines in the sand".

I am just wondering where Mr. Panetta is planing to drive his little cho-choo stocked full of innocent civilians and lethal chemicals off the tracks.

Speeches are meant to get attention; hyperbole is all part of the metric. On the other hand, of course there are people in the world that mean to do other people harm for whatever reason (for some, it's amusement...). It is a basic responsibility of the individual to make themselves secure, just as it is a corporate responsibility to be as secure as possible.

The world is still getting used to the idea that its interconnection is like living in a house with only screen doors (walls, ceilings, floors) and that privacy and security have taken on whole new meanings. Corporate entities may do a good job of securing their infrastructure, but is they don't impress upon their employees that they share some of the burden for security, the corporate entities are seriously dropping the ball. In my (limited) experience with corporate IT policy training, I have yet to hear words to the effect of, "If you do or fail to do X, Y or Z, you run the risk of crippling or killing the ability of our company to pay you". Investing the employee with some sense of ownership for security would be a good start to closing up some of the holes.

Iran is not in the habit of starting wars. In fact they have not started a war in over 200 years; a record neither Israel not the United States can match. Nor is Iran stupid enough to carry out an overt act which would justify the long-sought invasion by the United States. Should a cyber "Pearl Harbor" happen, the most likely perpetrators are Israel and the US and the most likely target Wall. Street.

Think about it. Europe is disintegrating and Wall Street has sold trillions of dollars worth of credit default swaps against Europe's debt; swaps for which they do not have cash reserves to pay claims on. The moment Greece, or Spain, or any other EU nation collapses, those default swaps come due.

If the US Government simply declares those swaps null and void, the derivatives market will collapse. If the US Government simply prints up the cash to pay those trillions in claims, the resulting inflation will collapse the dollar. If the computers are taken down by those "evil Iranians" (Reg Trademark White House), in a stunt reminiscent of Tom Clancy's "Dent of Honor", nobody knows who owes what to who! And it's all Iran's fault (nudge nudge wink wink)

Such a faked cyber attack would allow the money-junkies to duck the blame for the mess they have made of the US economy with their Ponzi-scheme central bank, as well as angering Americans into yet another war of conquest. And such an "attack" would justify the government taking complete control of the internet, for the sake of "National Security" (and to silence the alternative media).