Security is a seemingly simple word with an equally simple dictionary definition: “safety”, “freedom from worry” and “protection.” (Thank you Merriam-Webster!) Unfortunately the process of first obtaining, and then maintaining, security is anything but simple these days. When professionals discuss ‘security’ they usually dissect the issue into three main components: physical security, electronic (or cyber) security and operational security. Some experts break it down even further, but for my part I find those three categorizations to be adequate.
Most of us know something about physical security. That is why we have locks on our doors and put guards at the front gate of sensitive property areas. Most of us even know at least a little bit about operational security, even if we don’t recognize it as such. Keeping some types of information confidential and having rules and policies about abuse of email and Internet access are examples of operational security. But few people have much personal experience with electronic/cyber security. That is something usually left to the technical folks in IT. So why all the recent concern and commotion about security?
Well, the events of 9/11 drastically changed our view of security. It proved that we weren’t as secure as we thought, and that there are people willing to go to great lengths to inflict massive destruction and even death to innocent people just to make a point. Oklahoma City showed us that these sorts of people weren’t just foreign zealots. Those of us who utilize the Internet (and who doesn’t these days?) realize that it is a dangerous place as well. Criminal groups on the Internet seek to steal your identity and then your life savings – often through elaborate schemes designed to appear benign if not beneficial.
One result coming out of 9/11 was that the federal government recognized that our country has a lot of vital national infrastructure (e.g., bridges, dams and transmission lines) and contains numerous potentially dangerous or essential industrial facilities like petrochemical plants, refineries and power plants. All of these represent a potential target to people and groups who are willing to use violence to advance their cause.
These could be terrorists who want to ruin our country or activists who want to draw attention to their pet causes. The Department of Homeland Security (DHS) was established to address this issue, and within the DHS there are now several sub-departments who’s mission is to address the security of various industries and specifically identified national infrastructure.
For those of us in the Electric Utility industry, one of the most obvious results coming out of this effort has been the series of evolving recommendations (now requirements) coming out of NERC. Initially there was standard 1200, then came 1300 and now the nine rules known as the CIP (Critical Infrastructure Protection) rules, which are intended to establish and maintain adequate security for the bulk electric power system as well as other so called critical cyber assets. Moreover, NERC CIP standards attempt to provide guidance regarding all three aspects of security: physical, operational and electronic/cyber.
Specifically, CIP-005 requires a utility to establish an “electronic security perimeter” within which all critical cyber assets must reside. Setting aside the thorny question of what truly constitutes a “critical cyber asset,” one might ask: What is meant by an electronic security perimeter? The answer is somewhat complicated, but let’s start with the rudiments of the problem.
In order for a remote attacker to gain access to any type of computer or computer-based device, there has to be a communication channel between the attacker and the computer/device. The Harry Potter books are wonderful stories, but in real life hackers and other evil-doers do not have magic wands. If there is no communication channel into a system, then it is impossible to remotely harm that system. (Some people use the term “air gap” to describe maintaining a disconnected, independent network.)
That said, today there are all sorts of communication channels and system interconnections we need to be aware of, and the goal of CIP-005 is to locate all of them and either place suitable protective mechanisms (e.g., a “firewall”) on those channels, or eliminate them entirely. This is the cyber equivalent of putting up roadblocks and checkpoints on every road leading to a given town, so that nothing enters or leaves without being inspected.
While at first this scenario might sound easy to implement, think about the added complexity if those trying to gain access to the town surreptitiously had access to alternative – and perhaps unconventional –transportation such as a helicopter or an ATV. Well, today’s communications options are not unlike that. Aside from obvious telephone and internal and external LAN and WAN connections there is the possibility of utilizing wireless networking using WiFi, Cellular or WiMAX technologies – all of which present new and sometimes unique challenges to conventional protection methods and technologies.
For example, a laptop computer within your electronic perimeter and attached to a SCADA system LAN could have a cellular card installed that permits the creation of an ad hoc connection to the Internet through the cellular system. That same possibility exists for using an integral telephone modem to “dial-out” to the Internet. If you have installed a WiFi (wireless Ethernet) access point, anywhere on a LAN inside your security perimeter, then a technically proficient attacker could establish a wireless connection through that portal, if it is not adequately defended. Notably, hackers have an annual competition regarding the greatest distance over which one of them was able to make a connection to an access point – that distance record is currently over twenty miles! They also have access to a surprisingly robust and constantly expanding array of tools for breaking into unprotected or inadequately protected wireless networks.
A commonly forgotten communication channel is one of the oldest unintended access points known to computer science. The “Sneakernet” is a quasi-humorous name collectively given to the manual transport of files and software between computers using portable media. In the bad old days, that media might have been a deck of punched cards or a spool of magnetic tape. Today it can be a USB “thumb drive” or a CD/DVD platter. In fact an amazing range of devices can be used to transport and deliver files and programs to a computer: other (laptop) computers, PDAs, digital cameras, MP3 players, digital video recorders and even many of the color printers on the market today.
Precisely how a “sneakernet” connection could help an attacker penetrate your critical systems depends on the objective of the attacker. If they can place a bit of well-designed “malware” onto a computer inside your security perimeter, such a program could spread around to other interconnected systems until it found an outgoing network connection, which it could then use to establish a covert communication channel to the attacker — not at all an unrealistic scenario!
The usual protective approaches taken to establish an electronic security perimeter are designed to keep the bad guys out. But they may not identify the malware that has already gotten in via sneakernet from establishing an outgoing connection. For example, if an attacker were to infect a thumb drive with some really sneaky malware and leave it in some area where that your employees are known to congregate – for example, your building lobby or a coffee break area — the odds are very good that someone will eventually carry it inside and plug it into a computer.
Protecting the established electronic security perimeter is complicated by these added factors of wireless, dial-up and portable media. And unlike “fixed” network connections that can be addressed with a suitable firewall or any of several other technology-based countermeasures, these “unconventional” holes in your security perimeter are far more difficult to manage. It often turns out that these can be best countered through employee training and the application and enforcement of clear policies and procedures. I’ll be addressing that subject matter in a future column.
About the Author
Dr. Shaw is a Certified Information Systems Security Professional (CISSP) and has been active in industrial automation for more than 30 years. He has authored two books (“Computer Control of Batch Processes” and “CYBERSECURITY for SCADA Systems”) and continues to write extensively on a wide range of technical topics, issues and trends. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, an industrial automation, security and technology firm. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw@industryconsulting.org.