Risk, Threat and Wireless
Wireless for control systems has been a hot topic for a few years now, and recently we have been treated to the efforts of different groups, i.e. ISA 100 and WirelessHart, to develop a standard that includes security. Which leads to the question: how does the use of wireless increase the risk to a control system?
Of course, many loyal blog readers would certainly point out that wireless WAN communications have been used for years. So when people use the shorthand term of wireless, they are typically talking about wireless LAN or MAN protocols, many of which are based on protocols commonly used in IT networks.
Sometimes it pays to go back to basics. Risk is a function of consequence, vulnerability and threat.
Much of the focus when discussing wireless is on the vulnerability factor. This is reasonable because wireless LAN protocols have a poor security history, and the technical security controls warrant a serious peer review even though that has failed in the past.
Threat is the factor that will cause the greatest increase in risk of wireless over wired networks. In wired systems a typical attacker needs to gain physical access to a port or at least a cable to launch an attack. With wireless, an attacker only needs access to the wireless signal to launch an attack. This increases the potential population of threat agents, to perhaps anyone who can get to the parking lot.
The argument can be made that the vulnerability factor can be reduced to such a low number that the risk is acceptable regardless of the threat and consequence. This same argument can be made for using the Internet for control system WAN communication. However, most people in the community recoil at the idea of using the Internet.
The key is to have management understand the risk and weigh this against the costs of not accepting the risk and benefits of accepting the risk. As long as the right level of management makes an informed decision on risk acceptance, wireless is fine.
Unfortunately, what we commonly run into (it happened again with a client on Friday, on an issue unrelated to wireless) is a focus almost solely on decreasing vulnerabilities, with no focus on decreasing threat. One control is piled upon another: two-factor authentication plus encryption plus IPS plus multiple firewalls plus … It is still too great a risk? Well, what other security can we deploy?
And we are going to deploy these security controls perfectly and there are no zero-days in these security products. What are we going to do if a new vulnerability is found in the wireless protocol? Or maybe the protocol is fine, but a vendor implementation is vulnerable. It has been known to happen. What is the response? Pull out the wireless until it can be patched?
Consider taking a step back and determining whether there are ways of reducing the population of potential threat agents, such as someone sitting in the parking lot. Consider whether the benefits of wireless, or of other approaches that increase threat agents, are truly required. What would be the hard cost and soft cost of using solutions that do not increase threat agents?
Just to be clear, this is not a blog saying do not use wireless. There are situations where the benefits would be worth the increased threat and an increased risk. What I would argue is that a small cost saving or convenience might not be worth it, and management needs to consider this.
This is not unique to wireless. Another area where this is common is routine access from the corporate network. It is too inconvenient to place people in a physically secure area or make them get up and walk to a secured HMI, so access is allowed from the corporate network, albeit with security controls, and the threat is increased.
To summarize this semi-rant, more security hardware and software is not always the answer. Sometimes the answer is to not expose yourself to the threat. This seems to be the knee-jerk answer to Internet use for control systems no matter how much security is in place.
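The argument of this post put into numbers, as an added illustration (not the author's model, and all figures are constructed): risk is computed as consequence times the number of threat agents who can reach the medium times vulnerability, where stacked controls reduce vulnerability but a flaw in the protocol or a vendor implementation, which the stacked controls do not cover, sets a floor that more controls cannot remove.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    p_bypass: float   # chance a capable attacker defeats the control when it works as designed
    p_flawed: float   # chance the control is misconfigured or carries an unpatched zero-day


def effective_vulnerability(controls, p_medium_flaw=0.0):
    """Probability that an attacker who already has access to the medium
    (a port, a cable, or the radio signal) reaches the control system.

    Stacked controls are assumed to fail independently (an assumption).
    p_medium_flaw is the chance the protocol or a vendor implementation has
    a flaw that none of the stacked controls cover (the "what if a new
    vulnerability is found" case in the post)."""
    stacked = 1.0
    for c in controls:
        stacked *= c.p_flawed + (1.0 - c.p_flawed) * c.p_bypass
    return p_medium_flaw + (1.0 - p_medium_flaw) * stacked


def risk(consequence, threat_agents, p_attempt, controls, p_medium_flaw=0.0):
    """Expected loss = consequence x expected number of attackers x P(success)."""
    expected_attackers = threat_agents * p_attempt
    return consequence * expected_attackers * effective_vulnerability(controls, p_medium_flaw)


def risk_floor(consequence, threat_agents, p_attempt, p_medium_flaw):
    """Limit of risk() as controls are stacked without bound: only the medium flaw is left."""
    return consequence * threat_agents * p_attempt * p_medium_flaw


# Constructed figures, not measurements: one consequence, one generic control,
# and three exposures that differ in who can reach the medium.
CONSEQUENCE = 1_000_000.0
P_ATTEMPT = 0.01
GENERIC = Control("generic control", p_bypass=0.10, p_flawed=0.05)
EXPOSURES = {
    "wired (physical access)": (5, 0.0),        # (threat agents, medium flaw)
    "wireless (parking lot)": (500, 0.02),
    "internet": (1_000_000, 0.02),
}


def compare(n_controls):
    """Risk for each exposure with n_controls identical controls stacked in front."""
    stacked = [GENERIC] * n_controls
    return {
        name: risk(CONSEQUENCE, agents, P_ATTEMPT, stacked, medium)
        for name, (agents, medium) in EXPOSURES.items()
    }


if __name__ == "__main__":
    for n in (0, 1, 2, 4, 8):
        row = ", ".join(f"{k}: {v:,.0f}" for k, v in compare(n).items())
        print(f"{n} controls -> {row}")
    print("wireless floor:", f"{risk_floor(CONSEQUENCE, 500, P_ATTEMPT, 0.02):,.0f}")
```

With these figures the wireless exposure stops improving after a few controls and stays above the unprotected wired case, which is the post's point that removing the exposure, not adding another box, is sometimes the answer.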
Author: Dale Peterson
Posted: September 25th, 2007 under Calculating Risk.
Comments: 14
Comments
Comment from Anonymous
Time: September 25, 2007, 11:12 am
You raise an excellent point about not exposing environments that are meant to be secure to additional threats. However, the examples you bring up are still dealing with vulnerability assessments of a given environment.
Your semi-rant’s summary is dead-on. All too often the problem is increasing the amount of vulnerabilities in a system by introducing changes to the environment. An honest and competent vulnerability assessment must be conducted any time a change is made to any environment. All too often it is overlooked and, even more frequently, executive ownership - not LOB management - of any discovery of increased risk is not obtained. This is critical to ensuring your efforts are in line with the business goals and its risk tolerance.
I don’t think that the threat landscape is changed much by what someone does to the environment they are charged with securing. Threat interest levels are a byproduct of perceived value of action against you. I suppose you could say that by increasing the vulnerability footprint to include additional attack vectors, you may induce some borderline threats to take action, but I submit this is a rarity. Threats will act only when a vulnerability and value of action is present. If you don’t introduce the vulnerability that is being sought by the threat, you don’t increase the likelihood of action. The threats are ever present.
In order to provide an accurate and honest risk assessment, you need to understand what the threats are in the first place and obtain a reasonable measure of how likely they are to act upon you. If an organization does not look to third parties for this information (peer assessments, government assessments, consultancies, etc.) they are implementing the HITS protocol, which lends itself to the status quo.
I hope this doesn’t come off as being pedantic. I strongly feel that threats are what threats are and the only influence you have in whether or not they act upon you is to ensure you don’t introduce new vulnerabilities and that any existing vulnerability is known and mitigated according to the business risk tolerance.
Comment from Jake Brodsky
Time: September 25, 2007, 11:15 am
There is another inherent risk that people sadly overlook all too frequently: What if someone figures out how to break a hash? Now where are you? With so many security systems out there depending on the hash code scheme, how quickly can you get to that embedded gear and update, not just the hash code, but the entire hashing system?
Just as an aside, the DNP3 protocol proposal for secure authentication includes the ability to allow for various hashing techniques. We know these coding methods will have a lifetime. That lifetime may be shorter than we all want to think about. So we allow for a variety of hashing methods for authentication. Of course, one would still have a problem updating all that firmware in the field. But at least the protocol is future proof.
As for the wireless issues, I argue that a denial of service attack is actually easier than you might first think. Far too many like the idea of wireless gear because it’s got a very inexpensive up front cost. And that’s true. As long as the potential for a DOS attack is acceptable, then wireless ought to be a good fit.
People who use it for mission critical alarms or control loops, however, ought to rethink the risk/reward equation…
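The algorithm agility Jake describes, as an added illustration that is not DNP3 Secure Authentication's message format: the challenge carries an algorithm identifier, the MAC covers that identifier so it cannot be swapped in transit, and the verifier's policy can retire an algorithm without changing the protocol. The key, the algorithm registry and the commands are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed registry: the identifier travels in the message; the verifier's
# policy decides which identifiers are still accepted. Retiring one is a
# policy change, not a protocol change.
ALGORITHMS = {1: "sha1", 2: "sha256", 3: "sha3_256"}
HDR = struct.Struct(">IB")   # challenge id, algorithm id


def compute_mac(key, alg_id, nonce, command):
    """MAC over algorithm id, nonce and command, so none can be changed unnoticed."""
    msg = bytes([alg_id]) + nonce + command
    return hmac.new(key, msg, ALGORITHMS[alg_id]).digest()


class Verifier:
    """Outstation side: issues single-use challenges and checks replies under a policy."""

    def __init__(self, key, allowed):
        self.key = key
        self.allowed = set(allowed)
        self.pending = {}          # challenge id -> (alg_id, nonce)

    def challenge(self, alg_id):
        if alg_id not in self.allowed:
            raise ValueError(f"algorithm {alg_id} not permitted by policy")
        cid = struct.unpack(">I", os.urandom(4))[0]
        nonce = os.urandom(16)
        self.pending[cid] = (alg_id, nonce)
        return HDR.pack(cid, alg_id) + nonce

    def deprecate(self, alg_id):
        """Retire an algorithm: no new challenges use it and outstanding ones fail."""
        self.allowed.discard(alg_id)

    def verify(self, reply, command):
        if len(reply) < HDR.size:
            return False
        cid, alg_id = HDR.unpack(reply[:HDR.size])
        tag = reply[HDR.size:]
        entry = self.pending.pop(cid, None)      # single use: a replay finds nothing
        if entry is None or entry[0] != alg_id or alg_id not in self.allowed:
            return False
        expected = compute_mac(self.key, alg_id, entry[1], command)
        return hmac.compare_digest(tag, expected)


def respond(key, challenge, command):
    """Master side: answer a challenge with the algorithm the challenge names."""
    cid, alg_id = HDR.unpack(challenge[:HDR.size])
    nonce = challenge[HDR.size:]
    return HDR.pack(cid, alg_id) + compute_mac(key, alg_id, nonce, command)
```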
Comment from Dale Peterson
Time: September 25, 2007, 11:28 am
Anonymous (you should pick a clever fake name)
Let me take an extreme example to try to make my threat point.
There are a myriad of threat agents on the Internet. If I have a system that is not exposed to the Internet, these threats do not come into play.
Now let’s say I choose to expose my system without any changes to the Internet. My argument is the threat has increased significantly but my vulnerabilities remain unchanged.
In wireless we have both the increase in threat because the threat agents now have increased access, and a potential increase in vulnerabilities from wireless protocols. However, the wireless protocols are more secure than most wired protocols; it is the exposure to the threats that is the big issue.
And it should be a conscious decision, with an understanding of the risk and some important benefits, to increase this exposure. I would use the Internet example to management because they have no problem understanding that increase in threat.
Comment from David
Time: September 25, 2007, 12:09 pm
Quick comment.
There is a not so popular threat mitigation approach that applies for wireless. Just thought I would bring it up to put it in perspective.
Set up your wireless security such that there are threats and maybe vulnerabilities. You don’t care if people CAN attack, but when they do you bring down the hammer. Make it so that it’s not worth it to take the risk… make a successful attack so “expensive” to the attacker that it isn’t worth it to try.
In this approach you spend your effort on detection, and a little on recovery. Spend little on management and prevention.
There are lots of ways to handle threat. Just thought I would add a little perspective to the discussion.
David
Comment from Jake Brodsky
Time: September 25, 2007, 2:59 pm
David, your discussion is valid in a military context. Some time ago, a United States military commander was asked if he feared a GPS jamming attack during initial operations against Iraq. He replied that if anyone were so stupid as to try such a thing, they would find out right away how quickly a missile can home in on the jammer.
However, if you read 47CFR15.5 you’ll notice that unlicensed operations, such as wireless, make certain concessions. Most importantly, you must accept any interference you may receive. And if your signal interferes with licensed operations in any way, you must shut down your gear upon notification by an official FCC representative. Even if you don’t live in the US, nearly all countries have similar regulations on the books. This is one of those universal ideas that basically states the down-side to operating without a license: No license? No rights.
It’s not hard to execute a denial of service attack on an RF link. And there really isn’t much you can do to stop it. Even if you could know why your wireless gear has suddenly stopped talking, there is no-one to complain to. And if it turns out that the source of the interference is a licensed source, there would be serious legal consequences for having taken action against that source.
If your wireless gear were licensed, you’d be in a much better position to take action. I’ve literally been there and done it. I’ve seen accidental signals trash one of our licensed SCADA channels. In a few minutes I had the signal identified. I called the chief engineer of that radio station to let him know that his Studio to Transmitter Link was not working right. He immediately thanked us, apologized, and in three minutes the interference was gone.
With a license comes responsibility to operate within the confines of that license. In return, you can expect certain rights to demand that others cease interference with your frequency. With a license you can make a civil case, and perhaps even a criminal case against an interferer. Without a license, you have no cause to complain about anything. If it stops working, well, too bad.
Comment from Ron Southworth
Time: September 25, 2007, 9:27 pm
Hi Dale, a well thought out discussion… We all can rant on at times. At least you have the conviction or the ability to not have to hide behind anonymity and can identify yourself.
I think Jake is bang on the money and we have discussed this in various forums before.
I believe your intent Dale is to encourage some debate in this instance.
Ron’s Rant follows….
As previously mentioned by other contributors, the threat and vulnerability, the ability to perform DOS/DDOS on RF based technology, is a factor that simply cannot be eliminated.
It is the nature of the medium.
We have to compromise our risk surface to some extent as previously stated when using this technology for a communications layer. This compromise must be based upon a real, quantifiable and balanced assessment acceptable to the organisation’s risk appetite.
We CAN put various mitigation strategies in place to deal with the threats and the vulnerability and operate many CIP systems using this technology providing the mitigation strategy is not flawed.
Part of the mitigation strategy for utilising RF, if you have any common sense, has to involve legislation, certainly for (CIP), and therefore implies the need for licensing.
Our communications laws may vary slightly but it all comes back to the guiding principles in the ITU accord.
I was involved with a lot of ITU activities in the mid to late eighties so I say this with some degree of certainty, at least as a guiding principle.
IMHO the shame is that the class licence approach or free to air in our user pays world increases the risk. The legislators have removed their teeth and ability to deal with this category of user to reduce operating costs and their workload in dealing with providing structure to the spectrum being used. This tradeoff in cost of ownership is very frequently not accurately or genuinely factored into the equation.
The Radio Spectrum and the global ionosphere is a limited resource.
Some common sense needs to prevail and that has to extend to doing objective risk assessments that are not skewed by the initial capital outlay.
I think there is a need to invest in infrastructure globally from pipes, transport systems and energy supply to structured communications systems and good old cables in the ground.
Where to from here.
We can talk about all of these stop gaps to try and increase the mean time to compromise a system but the MTTC window in RF as a medium has some fairly narrow limits that make too much effort a waste of resources quite frankly.
We would be better off to invest in the future and put some structured cabling into the ground and work on securing our broadband and more standard products where speed limits are much higher and overheads in dealing with security encapsulation can be more easily tolerated.
The same sorts of risks are going to be there, but the attack vector comes back to some initial form of physical attack; this is surely much easier to at least monitor, respond to and deter? Easier to legislate too?
Comment from joat
Time: September 26, 2007, 5:04 am
The decision to “not use wireless” can be a very basic one, depending on the system(s) in question. For wireless, the ever present residual risk is that of interference, either intentional or naturally occurring. It is not the confidentiality or integrity of the network (areas most often focused on by security practitioners) that is at risk, it is availability.
Because interference is typically unpreventable, the decision becomes so basic that it often appears to be a “knee-jerk response”: Any system or process that cannot tolerate frequent interruptions of connectivity (i.e., availability) should not employ wireless as a transport for control signals or data.
Comment from David
Time: September 26, 2007, 8:37 am
I like this thread.
Are there situations where communications links cannot tolerate ANY interruption… yet they still use RF?
If there are, how do those organizations ensure that level of communication?
Something tells me that those organizations will have budgets for that type of “communications insurance” that exceeds funds in this domain.
Is that it…is the conversation over?
Wireless communication should be reserved for casual inter-office/administrative interactions and data transfer.
I would say yes. The threat surface is too large and the threat impact is too great. We assume that vulnerability WILL exist on one of several vectors including physical and cyber. Risk will always be high.
David
Comment from Ralph Langner
Time: September 26, 2007, 9:52 am
David, here is an answer to your question! A big vendor is advertising a WLAN product line by claiming that they achieve realtime, i.e. deterministic behavior. To prove their point, they demonstrate the usage of emergency shutdown functionality via WLAN (no kidding). I didn’t see this in a real world environment, but who knows, perhaps one or the other asset owner will like the idea to save several feet of copper cable and will buy in.
Comment from Jake Brodsky
Time: September 26, 2007, 10:34 am
David, let me enlighten you on how we design high availability RF links: First, we license the channel. This enables us to take action against a source of interference.
Second, we use highly directional antennas. This is a double benefit: first, you get a better signal to noise ratio, and you get some immunity to signals that are not coincident to the path.
Third, we allow for alternate routing if possible. Our T3 microwave network is a partial mesh. We use routers to automatically recover from a failed link, if possible.
When discussing links in this context, an unlicensed spread spectrum link is not out of the question. In those situations we CAN tolerate a link that stops working.
What we cannot do is put all our eggs in one basket. One WLAN of everything, take it out, and what have you got? Zigbee derived standards also have potential, though I’d need to see how they route around problems first.
And let’s not forget that when you do route around a problem, the throughput will drop. Can the process tolerate this? I don’t know. It depends on the process.
My point is that everyone seems to forget that WIRELESS IS RADIO. All the problems with radio are still problems with wireless. Add to that one major problem: With broadband spread spectrum wireless, while you do have process gain to help your link work, you also have a very serious dynamic range problem. The more energy you let in to your receiver, the energy you’ll need to stay linear. And the process gain is only as good as the receiver linearity. When the receiver front end saturates due to too much signal, a few dB of process gain isn’t going to save you.
Comment from David
Time: September 26, 2007, 11:08 am
That’s awesome.
All of these questions are rhetorical.
So how many installations rely on your implementation for their realtime/deterministic radio communications? And for that number what percentage use the radio network as the primary WAN/MAN for interconnection of sites?
And, is this implementation good solid engineering from your organization, or is it built on an industry accepted standard for reliable, realtime, radio/wireless communications? (Where can I read about that standard?)
This is the main part why I enjoy reading these blogs, there is so much to discover. Security of data in this domain is constantly hitting barriers, then breaking them down.
David
Comment from Jake Brodsky
Time: September 26, 2007, 1:28 pm
As you may have noticed from my web address, I work for a water and sewer utility. The ratios of these things are different for everyone depending on what kind of operations they’re running.
We are what is known in the business as a surface water utility, meaning we get our water from rivers. We distribute that water across two counties and a range of altitudes from around 800′ MSL to just below sea level. The implication here is that we have many hydraulic zones, pumping stations, water storage facilities, pressure reducing valves, and so forth. Thus our SCADA system is probably more complex than typical for a utility our size.
On the other hand, with lots of elevated water storage tanks, we also happen to have some mighty fine antenna sites. So most of our Microwave backbone goes from water tank to water tank. We have distributed SCADA transmitters all over the place and we pick up RTUs from the other nearby sites, aggregate them on a WAN, and then truck all this back on a completely independent network from the Office network to an operations control center.
When we designed this critter, there were very few standards for security. Today, that’s changing. The ISA formed the 99 standards for security. NIST is working on a control systems security standard, NERC CIP is working on a specific version for the energy firms, and there is even some speculation that the Sarbanes Oxley (SOX) Act may have jurisdiction too.
So in the span of just a few years we’ve gone from nothing to ridiculous. The hard part is figuring out how we can deploy these standards, validate our gear, and maintain security. This is a never-ending process.
Comment from Ron Southworth
Time: September 28, 2007, 1:52 am
(Jake just one point of clarification. In my rant, I was referring to broadband cable systems in a structured cable sense not in an RF environment.)
I believe that too much emphasis is being placed on securing the RF layer. The ROI point for work in this area has a limit and this needs to be kept in perspective.
The “layer above” in say the protocols & device communications arena is where the work and focus needs to be ramped up.
Introducing tighter quality control and verification measures will improve reliability, security and availability of the product. This is a good thing but will take time to be accepted, introduced and implemented. As this is a common layer across multiple communications media, this has to be a better ROI?
Jake, compliance to a standard won’t improve the situation in my opinion, but working towards best practices and defence in depth strategies and risk based mitigation techniques that you talk about, and I know you are very effective in implementing, will achieve a better outcome.
I see SP99 as some good best practices to implement for certain, but compliance for its own sake is frequently met in a minimalistic way and not as a philosophy.
Comment from Ron Southworth
Time: September 28, 2007, 11:23 pm
As you have stated elsewhere Jake, validating and verifying that your organisation has implemented security to best practices, however, will improve things.
I suppose if this is the context in which you mean compliance then I agree with your assertion Jake.