Robert Knake’s “Cyber-terrorism Hype v Fact” is short on Facts
Last Updated on Thursday, 18 February 2010 06:22 Written by admin Wednesday, 17 February 2010 02:09
Update (18 FEB 10): Mr. Knake kindly asked that I make a few corrections regarding the spelling of his name and his affiliation, which I immediately corrected. He also offered to write a response to my criticism which I think is a splendid idea. I’ll post a link to his response as soon as it’s up.
—————
Robert Knake is an accomplished, well-educated individual who’s a Fellow at the Council on Foreign Relations, which is a well-known and well-regarded institution. For that reason, I was quite surprised by the position he took in his CFR article “Cyber-terrorism: Hype v Fact”.
He focused much of his article on two lynchpins: 1) Al-Qaeda is not capable of launching sophisticated network attacks against critical infrastructure; 2) an air-gapped system is safe from cyber attack.
Regarding 1), Knake has unwisely limited his scope of potential cyber terrorists to Al-Qaeda. Assuming that he’s actually referring to acts of cyber terrorism by Muslim extremists, there are many more to consider than just those who affiliate themselves with AQ. We’ve seen many Turkish and Pakistani hackers who are skilled engineers and who have been involved in attacks against SCADA networks as well as successfully exploited .gov and .mil web servers in the name of Allah and Islam.
Regarding 2), an air-gapped system can still be compromised (and has been compromised by penetration testers), but an even easier way is by targeting vulnerabilities in smart grid devices installed on the exterior wall of homes and businesses. Compromising the microcontrollers in those devices could provide an attacker with access to the broader network.
Finally, Knake seems to be an advocate of the “security through obscurity” school when he writes: “Understanding the control software for an electric grid is not a widely available skill. It is one thing to find a way to hack into a network and quite another to know what to do once you’re inside.” Sandia National Labs has shown that the technical know-how required to attack a SCADA system is widely available through open sources online.
The above screenshot is from a Sandia presentation on Threat Analysis using its NSTB software.
Based on our research, which conflicts with Knake’s apparent understanding of this cyber terrorist threat environment, there are actors who self-identify as Muslim extremists (albeit not AQ), who have demonstrated the necessary motive, means, and opportunity to attack CI and who can certainly find the technical information needed to inform such an attack.
My response to Gib Sorebo’s charges of “exaggeration and demagoguery”
Last Updated on Tuesday, 9 February 2010 09:45 Written by Jeffreycarr Tuesday, 9 February 2010 09:45
Gib Sorebo wrote a post on his RSA blog criticizing much of the content of our Project Grey Goose report on Critical Infrastructure as FUD, exaggeration and innuendo. Actually I use the word “criticize” loosely because he never actually rebuts our facts or our findings, he just calls them names. I expected more from the co-lead of SAIC’s Smart Grid security practice.
Here’s a quick re-cap of his points, and my answers. And Gib, unlike you, I encourage informed dissent in my comments section so feel free to respond.
Regarding our concern that the DoD’s most critical assets rely on the commercial grid, he had two criticisms: (1) we should have mentioned that they have backup generators and (2) we should have encouraged the DoD to buy MORE generators.
That’s really not the point, Gib. That’s the problem. Backup generators are grossly insufficient in the event of a long-term collapse of the grid. We aren’t talking about heavy winds knocking down trees and causing a temporary outage. We’re talking about a preemptive strike by an adversary who wants to impact Command and Control, and who targets the many vulnerabilities in the power grid to accomplish that. If extra generators were the answer, this wouldn’t be a long-standing problem, would it?
Regarding our criticism of the reluctance of energy asset owners/operators to report network attacks, his criticism was that everyone is reluctant to report attacks, why single this industry out?
Two reasons why – because of the word “critical” in “critical infrastructure” and because in the case of cyber security, we need more transparency into what the systemic problems are, not less. Hiding problems is what brought us to where we are today – highly vulnerable to attack. Exposing problems, on the other hand, will serve to underscore the need to take action now; action that is being thwarted by special interests, lobbyists for the power industry, and NERC itself.
Regarding his use of blanket statements like this one: “The other statements made about the vulnerabilities in the electricity sector are either exaggerated or just wrong”, he leaves it dangling without calling out specifics, other than saying that our use of the word “voluntary” in reference to CIPs is not 100% accurate. Ouch.
Regarding his final criticism that we don’t provide more details on the Smart Grid vulnerabilities, I can only say – Gib, read the source material. That’s what we lead each vulnerability off with. If you want more detail, click on the link.
Gib closes by calling our report conjecture and the re-telling of old news stories. Interesting criticism, Gib, but that’s what happens when an industry like this one chooses to erect a wall of silence around its many vulnerabilities, decides which ones to report, and makes those reports exempt from FOIA requests. However, that’s a false criticism anyway. No one except a very few hard-core kool-aid drinkers denies that incidents have happened and gone unreported. Disclosing those incidents wasn’t the objective in our final report. Our objective was to disclose the most serious extant issues that need to be addressed if we want to secure the power grid.
The Friday Brief
Last Updated on Friday, 6 November 2009 09:38 Written by Jeffreycarr Friday, 6 November 2009 09:38
A few thoughts and a few helpful resources for the end of this week:
1. In the wake of the tragic and senseless killings of innocent people at Ft. Hood by a crazed psychiatrist who happened to be Muslim, take notice of who uses this as an opportunity to bash an entire religion. You want to avoid those people, both professionally and personally. Every religion has extremists out on the fringes, including Christianity. In no case should the acts of extremists be used to paint an entire group of believers, regardless of the religion. The people who engage in that kind of religious bigotry have surrendered the control of their mind to fear instead of logic. And fearful people are dangerous to be around.
2. F-Secure provides some succinct advice on “How to Practice Safe Tweeting”. If you’re on Twitter, you should definitely read and implement their suggestions. And if you want to follow me on Twitter, you can do so here.
3. The collection phase of the Project Grey Goose Power Grid investigation wraps up today and analysis of the data we collected begins tomorrow. If you have any information that you would like to share with our investigators regarding grid insecurities, hacker intrusions, or other present or emerging threats, please contact me. We hope to release our findings by the end of the month.
4. I just heard unofficially that my book “Inside Cyber Warfare” will probably be available in a pre-release version known as an O’Reilly Rough Cut by November 30. I’ll post more details as I know them.
I’ll be in DC on business for most of next week so posting will be light. Have a great weekend everyone.
