How financial pain and an angry public can safeguard our critical infrastructure
Written by Jeffreycarr, Sunday, 29 November 2009 10:32
Allan Paller laid the groundwork in his testimony before a House hearing on SCADA Systems and the Terrorist Threat in October 2005, when he relayed the following story:
Microsoft systems are being put more and more into SCADA systems. You are buying them. GAO just came without a report that said that the problem—not just, a few months ago—came out with a report that says the problems in SCADA security are getting worse because they are connected to the Internet and because they are buying off-the-shelf, vulnerable operating systems. So how do you make somebody who has a powerful monopoly over all of the computers that we buy change their way and deliver safer systems? About 2-1/2 years ago, the CIO at the Air Force got up at a public meeting and said, we are now spending more money to fix the problems we have because of Microsoft bugs than to buy the stuff in the first place. But he did something that no one else has done. He took Federal procurement power and said, we are going to fix this. And what he did is he consolidated all of the contracts that the Air Force has with Microsoft, all of them, and in doing that he saved $100 million. It is a half-a-billion-dollar procurement, but he has got provable savings of $100 million. But that wasn’t the exciting part of it.
The exciting part of it was that he required Microsoft to deliver systems that were preconfigured according to the standards that DHS helped create, that the National Security Agency really fronted, and an organization called the Center for Internet Security brought together. So there were consensus benchmarks for what safe means, and that allowed the Air Force to require the vendor to deliver safer systems. It was a lot of argument, a lot of negotiation, but in the end Steve Vollmer (sic) and Microsoft said yes. And what I am trying to show you is you can actually change the rate at which systems get safer by using combined buying power, and that is what I believe can be done very quickly in a SCADA environment.
In this country, there is no greater leverage to bring about change than profit. Many power companies do not disclose successful network breaches out of fear that doing so will cost them financially. They do not implement changes that would harden their networks because it would hurt their bottom line. And because compliance on these issues is still voluntary, they are within their legal rights to do so. I think Allan had exactly the right idea 4 years ago, but since we’ve seen no significant progress on the part of the asset owners and operators, it’s time to up the ante. Since profitability is the driver for this industry, that’s where pressure needs to be applied. And they know that time is coming, or at least Rick Sergel (the outgoing CEO of NERC) does. Here is a quote from his November 5, 2009 speech entitled “A New Reality” before NERC’s Board of Trustees and Member Representatives Committee:
On this issue in particular, we have a deadline. Congress is presently considering legislation that would overwrite the SRO* model for setting cyber security standards. A parallel discussion is ongoing in the major media, and has been ongoing for quite some time. In April, we saw the impact an article in the Wall Street Journal could have. We’re expecting to see a 60 Minutes piece air in late November or December. Make no mistake, the questions will come. The decision time-frame on these issues is measured in weeks, or perhaps months, but not years. It is our goal to provide that in a reasonable timeframe. If we don’t, others will.
(* SRO means Self-Regulating Organization)
Now is the time to up the pressure on this sector: change their SRO status and force compliance with standards that we already know must be put in place, by establishing heavy fines for those that do not comply. Microsoft has been forced to make changes in its business model not only by the U.S. Air Force, in the example Paller gave the Committee, but, more recently, by the EU.
Most importantly, there needs to be a public outcry, with accompanying letters to our representatives in Washington. The risk to the public from ongoing vulnerabilities in the Grid is very high. Further, should a major blackout occur, there is no 911 response to a family in trouble. They are on their own for the duration, however long or short that period is, vulnerable to whatever threat manifests, without benefit of police response, because every officer will be deployed to guard critical facilities; all because it didn’t make “business sense” to the Independent System Operator in their region to harden their networks against known vulnerabilities. If this makes you as angry as it does me, then you need to let your representatives know.
If it helps, feel free to point to this blog post or send them a copy of our report when it comes out in December, or just tell them to call me. I’ve met with a few folks from the House Committee on Energy and various affiliated Subcommittees and am happy to do so again until this problem gets successfully resolved.
Africa – home of the world’s largest cyber pandemic, and what needs to be done now
Written by Jeffreycarr, Thursday, 17 September 2009 12:59

The above map illustrates the projected arrival of broadband service to Africa in 2010 and 2011 via undersea cables. That’s the good news.
The bad news, and the point of this post, is that Africa is home to about 100 million PCs, 80% of which are estimated to be infected with some kind of malware. This has occurred because the intense poverty throughout the continent has resulted in a pervasive distribution of pirated software and an inability to pay for anti-virus protection. Currently, most Internet access is via dial-up, but once broadband comes to Africa, all of those infected PCs will become easy recruits for bot herders looking to build the next mega-botnet. Think about it: almost a hundred million PCs with little to no AV protection, connected to the Internet backbone via a superhighway instead of a dirt path. What could a bad operator do with a botnet of that size? Pretty much anything he wants, including paralyzing an entire nation’s networked infrastructure, meaning every system connected to the Internet: power, water, communications, commerce, etc.
If this were a public health risk, (a) it would never have been allowed to get this far out of hand, and (b) labs would be working around the clock to produce enough anti-virus serums to stop the pandemic in its tracks. If every infected PC in Africa were a person, this would rank as the second worst pandemic in the history of the world.
Today, botnets are a key asset for organized crime, producing millions of dollars in revenue from a variety of malware schemes, and a potentially potent weapon in non-state geopolitical attacks against government Web sites. Simply put, Africa’s population of infected PCs is a significant emerging threat on an international scale, and action must be taken to remedy it before those undersea cables go online.
Since Microsoft Windows is the OS that we are talking about, it falls on Microsoft to do something about this problem. One good first step would be what Microsoft’s Paul Cooke discusses here – support pirated versions of Windows 7 with patches, etc.
Keeping a machine up to date is one of the first steps in helping ensure that it remains reliable, compatible, and safe from threats when it is online. Some of the most famous incidents of malicious software infection have come after security updates were publicly available from Microsoft – Blaster, Zotob, Conficker and Sasser, just to name a few. Rest assured that we at Microsoft are committed to making sure that security updates are available to all of our users to help ensure a safe online experience for everyone.
Just doing this for Windows 7 is not nearly enough. Microsoft needs to make this commitment for all Windows PCs, or it becomes more of a PR stunt than a genuine effort to do the responsible thing. However, even if MSFT were to commit to such a massive endeavor (and I don’t believe that they would), it wouldn’t be enough, because of its reputation for issuing free updates to pirated PCs which, in turn, make them unusable. There’s nothing wrong with that on principle, except that it has established MSFT as untrustworthy (read the comments section of the above-referenced Cooke post to see what I mean). This means that other, independent agencies would have to vet the MSFT patches and security updates as not being disguised OS killers and then distribute them freely throughout Africa.
AV firms like Symantec, McAfee, and others should also consider offering free subscriptions to their AV lines on a project-by-project basis. This one would certainly qualify for such an altruistic effort.
Bottom line: if there isn’t a global response to this threat before mid-2010, we will all come to regret the consequences, and the global corporations that could afford to act and didn’t should be held accountable in the aftermath.
The Friday Brief
Written by admin, Friday, 22 May 2009 08:18
It’s been awhile since I did one of these but I hope to get back into the habit starting today.
- This is a surprisingly detailed description of an offensive cyber weapon under development.
- I’m astounded that this is what passes for sound research, particularly when it’s presented before the U.S. – China Economic and Security Review Commission.
- The US Marshals Service, the FBI, and other agencies shut down their networks to stop the spread of the Neeris worm. Much worse than that is the finding that the US Marshals hadn’t updated their AV software in 3 years!
- Microsoft loses its second patent infringement case in as many months.
- Remember Gia Krialashvili from my Loot a Burning House post? He was one of the ringleaders of an attempted coup against the President of Georgia. Georgian police just killed him in a shoot-out.
- Michael Brown (aka “Doin’ a heck of a job, Brownie”), disgraced former head of FEMA, is attempting to reinvent himself as a (drumroll) cyber security expert. OMFG.
Enjoy the weekend, everyone.