Robert Knake’s “Cyber-terrorism Hype v Fact” is short on Facts

Last Updated on Thursday, 18 February 2010 06:22 Written by admin Wednesday, 17 February 2010 02:09

Update (18 FEB 10): Mr. Knake kindly asked that I make a few corrections regarding the spelling of his name and his affiliation, which I immediately corrected. He also offered to write a response to my criticism which I think is a splendid idea. I’ll post a link to his response as soon as it’s up.

—————

Robert Knake is an accomplished, well-educated individual who’s a Fellow at the Council of Foreign Relations, which is a well-known and well-regarded institution. For that reason, I was quite surprised by the position he took in his CFR article “Cyber-terrorism: Hype v Fact”.

He focused much of his article on two lynchpins: 1) Al-Qaeda is not capable of launching sophisticated network attacks against critical infrastructure; 2) an air-gapped system is safe from cyber attack.

Regarding 1), Knake has unwisely limited his scope of potential cyber terrorists to Al-Qaeda. Assuming that he’s actually referring to acts of cyber terrorism by Muslim extremists, there are many more to consider than just those who affiliate themselves with AQ. We’ve seen many Turkish and Pakistani hackers who are skilled engineers and who have been involved in attacks against SCADA networks as well as successfully exploited .gov and .mil web servers in the name of Allah and Islam.

Regarding 2), an air-gapped system can still be compromised (and has been compromised by penetration testers), but an even easier way is by targeting vulnerabilities in smart grid devices installed on the exterior wall of homes and businesses. Compromising the microcontrollers in those devices could provide an attacker with access to the broader network.

Finally, Knake seems to be an advocate of the “security through obscurity” school when he writes: “Understanding the control software for an electric grid is not a widely available skill. It is one thing to find a way to hack into a network and quite another to know what to do once you’re inside.” Sandia National Labs has shown that the technical know-how required to attack a SCADA system is widely available through open sources online.

The above screenshot is from a Sandia presentation on Threat Analysis using its NSTB software.

Based on our research, which conflicts with Knake’s apparent understanding of this cyber terrorist threat environment, there are actors who self-identify as Muslim extremists (albeit not AQ), who have demonstrated the necessary motive, means, and opportunity to attack CI and who can certainly find the technical information needed to inform such an attack.


My response to Gib Sorebo’s charges of “exaggeration and demagoguery”

Last Updated on Tuesday, 9 February 2010 09:45 Written by Jeffreycarr Tuesday, 9 February 2010 09:45

Gib Sorebo wrote a post on his RSA blog criticizing much of the content of our Project Grey Goose report on Critical Infrastructure as FUD, exaggeration and innuendo. Actually, I use the word “criticize” loosely because he never actually rebuts our facts or our findings; he just calls them names. I expected more from the co-lead of SAIC’s Smart Grid security practice.

Here’s a quick re-cap of his points, and my answers. And Gib, unlike you, I encourage informed dissent in my comments section so feel free to respond.

Regarding our concern that the DoD’s most critical assets rely on the commercial grid, he had two criticisms: (1) we should have mentioned that they have backup generators and (2) we should have encouraged the DoD to buy MORE generators.

That’s really not the point, Gib. That’s the problem. Backup generators are grossly insufficient in the event of a long-term collapse of the grid. We aren’t talking about heavy winds knocking down trees and causing a temporary outage. We’re talking about a preemptive strike by an adversary who wants to impact Command and Control, and who targets the many vulnerabilities in the power grid to accomplish that. If extra generators were the answer, this wouldn’t be a long-standing problem, would it?

Regarding our criticism of the reluctance of energy asset owners/operators to report network attacks, his criticism was that everyone is reluctant to report attacks, so why single this industry out?

Two reasons why – because of the word “critical” in “critical infrastructure” and because in the case of cyber security, we need more transparency into what the systemic problems are, not less. Hiding problems is what brought us to where we are today – highly vulnerable to attack. Exposing problems, on the other hand, will serve to underscore the need to take action now; action that is being thwarted by special interests, lobbyists for the power industry, and NERC itself.

Regarding his use of blanket statements like this one: “The other statements made about the vulnerabilities in the electricity sector are either exaggerated or just wrong”, he leaves it dangling without calling out specifics, other than saying that our use of the word “voluntary” in reference to CIPs is not 100% accurate. Ouch.

Regarding his final criticism that we don’t provide more details on the Smart Grid vulnerabilities, I can only say – Gib, read the source material. That’s what we lead each vulnerability off with. If you want more detail, click on the link.

Gib closes by calling our report conjecture and the re-telling of old news stories. Interesting criticism, Gib, but that’s what happens when an industry like this one chooses to erect a wall of silence around its many vulnerabilities, decides which ones to report, and makes those reports exempt from FOIA requests. However, that’s a false criticism anyway. No one except a very few hard-core kool-aid drinkers denies that incidents have happened and gone unreported. Disclosing those incidents wasn’t the objective in our final report. Our objective was to disclose the most serious extant issues that need to be addressed if we want to secure the power grid.


Project Grey Goose report on Critical Infrastructure: Attacks, Actors, and Emerging Threats

Last Updated on Thursday, 21 January 2010 07:26 Written by Jeffreycarr Thursday, 21 January 2010 07:26
