How US Utilities Passed Up Chance To Protect Their Networks

From http://www.csmonitor.com/USA/2012/0517/Cybersecurity-How-US-utilities-passed-up-chance-to-protect-their-networks?google_editors_picks=true:

Cybersecurity: How US utilities passed up chance to protect their networks

Cybersecurity needs are not hypothetical, as the recent DHS warning of a cyberattack on the US natural gas industry shows. Why then was a post-9/11 initiative to secure US utilities dropped?

By Mark Clayton, Staff writer / May 17, 2012

A natural gas pipeline is seen under construction near East Smithfield in Bradford County, Pa., in this January 7 file photo.

Les Stone/Reuters/File

With America now trying to thwart a cyberattack on its natural gas industry, it is helpful to recall the hectic days after 9/11, when industry scientists raced to shield from potential terrorist cyberattacks hundreds of thousands of vulnerable devices that control vital valves and switches on America’s gas pipelines, water plants, and power grid.

It was a race that seemed winnable. After five years of intense effort, a 35-member team of industrial-control-system wizards from the gas, water, and electric utilities industries had created a powerful new encryption system to shield substations, pipeline compressors, and other key infrastructure from cyberattack.

But just weeks before it was to be finalized in 2006, the funding plug was pulled on the encryption system, called AGA-12, by the American Gas Association and its partners at the electric power and water utility industries, some who worked on the project recall.

To this day, the cancelation of the project has called into question whether US utilities will, on their own, invest in measures necessary to protect their networks.

Tested at a Los Angeles water treatment plant, a gas utility in Chicago, and other locations, AGA-12 worked well. National labs verified it. Experts said it was good to go. Yet with 9/11 receding in memory, utility industry executives had begun worrying anew about the cost of deploying the system, former project participants say.

Today, six years after AGA-12 was aborted and 11 years after the World Trade Center attacks, the US natural gas industry is trying to thwart a real cyberattack campaign, according to the US Department of Homeland Security (DHS). Congress, meanwhile, is still debating whether voluntary or mandatory security standards are the best way to secure America’s critical infrastructure.

All of which leaves researchers who helped develop AGA-12 frustrated and a little wistful about the digital shield that they say would have provided a badly needed layer of security – especially in light of a trend toward cyberattacks on critical infrastructure companies.

“Technically it was an excellent standard and we were almost done with it when the project was terminated,” says William Rush, a now-retired scientist formerly with the Gas Technology Institute, who chaired the effort to create the AGA-12 standard. “One of the things I wake up in the middle of night and worry about is what to do if we’ve just been attacked. That’s not the time to worry about it – now’s the time.”

AGA-12, he says, was designed to secure older industrial control system devices out in the field, many of which still today communicate by modem and phone line, radio, or even wireless signal, but were never designed with cybersecurity in mind and remain highly vulnerable today.

It’s not clear that AGA-12 could have stopped the “spear-phishing” type of cyberattack now under way against the natural gas industry, experts say. But it could stop at least one kind: attacks directly on systems in the field of the kind DHS has highlighted in numerous studies and reports.

Installed in front of each vulnerable device would have been an AGA-12 gatekeeper, a sealed black box with a processor and cryptographic software inside, he explains. That “bump in the wire” would sift and decipher commands coming in from legitimate operators, but shield the vulnerable industrial control systems behind them from any false signals that might allow a hacker to take over.

“It was never intended to be a silver bullet,” Dr. Rush says. “But it would definitely have provided quite a lot more protection for critical infrastructure like gas pipelines and the power grid than we have right now.”

The reality of the cyberthreat was driven home in late March, when DHS issued the first of four confidential “alerts” warning of a cyberattack campaign against US natural gas pipeline companies’ computer networks. Some researchers have linked the attack to a 2011 attack for which US officials blame China.

Those recent attacks follow a trend in which corporate and industrial networks belonging to critical infrastructure companies are seen to be a growing target. In April, the cybersecurity company McAfee and the Center for Strategic and International Studies (CSIS), a Washington think tank, found that 40 percent of electric utility company officials in 14 countries said their networks were under attack and more vulnerable than ever.

Meanwhile, in an election year, Congress and the Obama administration are wrangling over new cybersecurity standards for critical infrastructure companies – primarily whether they should be based on a voluntary or mandatory approach.

“The issue isn’t a lack of standards,” says James Lewis, director of the Technology and Public Policy Program at CSIS. “It’s the lack of a business case for individual companies to spend for public safety. This [AGA-12 case] just confirms it. They know what to do to make things secure and have chosen not to do it for sound business reasons. A voluntary approach doesn’t work.”

At least six energy industry organizations that have developed voluntary cybersecurity standards for their industrial control systems would disagree. They include the North American Electric Reliability Corporation (NERC), International Electrotechnical Commission, American Petroleum Institute, and the AGA. But because the standards are voluntary or are “guidelines,” it’s unclear how widely they have been acted upon.

Asked if field devices have received added protections that supplanted the need for AGA-12, Jake Rubin, an AGA spokesman, says the AGA, federal government, and industry groups “have put cybersecurity guidelines in place that independent operators are using currently in the field.” However, he adds, “The ‘bump in the wire’ concept cannot be applied to all existing systems.”

“AGA members are committed to the safe and reliable delivery of clean natural gas to their customers at affordable and stable prices,” says Mr. Rubin, an AGA spokesman in an e-mail response. “They must make decisions that balance these factors, with safety always being the top priority for America’s natural gas utilities.”

But other observers say that while some newer equipment with better security has been adopted in recent years, many of the same vulnerabilities remain because long-lived industrial control systems are rarely replaced if still functioning. Without a mandate, few companies will incur the cost to deploy enhanced security systems, they say.

“We found that the adoption of security measures in important civilian industries badly trailed the increase in threats over the last year,” Stewart Baker, a former DHS official who led the CSIS and McAfee study, said in a statement in April.

 

Weakness in Systems used by Pentagon Power Grid

From http://www.csmonitor.com/USA/2012/0425/America-s-Stuxnet-Weakness-found-in-systems-used-by-Pentagon-power-grid:

America’s Stuxnet? Weakness found in systems used by Pentagon, power grid.

An amateur enthusiast has found evidence that hackers could exploit a security vulnerability in the systems of a company that serves power plants and military installations.

By Mark Clayton, Staff writer / April 25, 2012

An amateur cybersecurity researcher who bought industrial computer networking equipment on eBay for fun has discovered a critical weakness in equipment that helps run railroads, power grids, and even military installations nationwide.

The American Electric Power corporate headquarters in Columbus, Ohio. AEP is a customer of RuggedCom.

Paul Vernon/AP/File

The vulnerability means that hackers or other nations could potentially take control of elements within crucial American infrastructure – from refineries to power plants to missile systems – sabotaging their ability to operate from within.

Analysts say the problem is likely fixable, but the enthusiast says he has gone public only because the company that manufactures the equipment, RuggedCom of Concord, Ontario, has declined to address the issue since he made it known to them a year ago.

“It’s clearly a huge risk,” says Dale Peterson, CEO of Digital Bond, a control systems security firm in Sunrise, Fla. “Anytime someone can take down your network infrastructure, essentially cause a loss of control of the process – or your ability to monitor it, very dangerous things can happen.”

The vulnerability has to do with what is known as a digital “back door.” The back door is a secret login that allows the manufacturer to get into the equipment’s control systems without anyone knowing about it – even the purchaser. In theory, manufacturers could use their back doors to send updates to the equipment, but since they are secret, their use is not well known.

The discovery of back doors built into digital industrial control systems is not unprecedented. In fact, RuggedCom was recently acquired by a subsidiary of Siemens AG, the giant German industrial engineering company that has been criticized for using hidden, yet vulnerable, back doors in its control systems.

What is unusual is that RuggedCom’s equipment is often used as a digital fortress, protecting from hackers far more vulnerable systems that throw mechanical switches or close and open valves. Also surprising, experts say, is that the password needed to enter through this back door appears to be relatively easy to hack.

If hackers can get through the back door of RuggedCom’s routers and digital switches, the entire system that they are a part of becomes vulnerable. For example, Stuxnet, the world’s first publicly identified cyber super weapon, in 2009 wreaked havoc on Iran’s nuclear centrifuge refining system by exploiting a password hidden inside a Siemens operating system.

“It is a very serious threat,” says Robert Radvanovsky, a cybersecurity researcher and cofounder of Infracritical, a think tank focused on shoring up cyber weaknesses in critical infrastructure. “The big concern is that these devices are what connect to the control systems that run the substations where power gets routed.”

RuggedCom sells “hardened” equipment designed to run around the clock in any temperature or weather condition. So it has a variety of clients seeking such robust machinery. Defense-industry customers mentioned on the RuggedCom website include big names like Boeing and Lockheed Martin, while power-industry customers include several of the nation’s largest utilities – American Electric Power, National Grid, Pepco, and others. The systems are also used by transportation authorities in the cities of Houston, Lakeland, Fla., and in Washington State and Wisconsin.

Pipelines, refineries, traffic lights, trains, military systems – all are at greater risk, especially to adept hackers belonging to nation-state intelligence agencies. The “good news,” Peterson says, is that even though the vulnerable systems are widespread, the problem is likely fixable, unless the RuggedCom operating system is too reliant on the back door login and its weak password-encryption system.

A RuggedCom spokesman, responding to an e-mail query, wrote that the company would be unable to respond Wednesday to Monitor queries about the vulnerability.

Feeling the company was dragging its heels and might never fix the problem was a key motivator for Justin W. Clarke, the San Francisco-based researcher who finally decided to reveal the threat a year after he first informed RuggedCom managers about it. RuggedCom said in mid-April that it would need three more weeks to notify customers but did not say whether it planned to fix the back door access with a firmware upgrade, Mr. Clarke says.

“I didn’t do this for money – I didn’t get paid for this,” he says. “I just wanted the problem fixed and nothing I heard from the company ever indicated that would happen.”

Everywhere he went during his day, he says, he saw the systems he knew how to hack sitting there vulnerable – from traffic light control boxes to power substations.

He learned about the vulnerabilities after buying the company’s devices off eBay “when they showed up cheap,” says Clarke in an interview. “This is something I do in my spare time with own money. I’m just this guy on street who knows how to do very bad things to important equipment, and I couldn’t stand that feeling so many systems – even in our military – were so vulnerable.”

He hopes a fix will come out now that the US-Computer Emergency Readiness Team, a federal cyberwatchdog, issued a vulnerability warning Tuesday, and its sister agency focused on industrial computerized control systems put out its own warning Wednesday.

Testimonials on the RuggedCom website show how deeply embedded its equipment is inside some of the most important US systems. Located at the end of Alaska’s Aleutian island chain, about 300 miles from the coast of Siberia, the Shemya Island power plant provides power to National Missile Defense Authority facilities on the island.

“Ruggedcom switches were selected for use in the US Air Force Shemya Power Plant,” wrote Ted Creedon, chief engineer for Creedon Engineering in one testimonial for the company. “All electronics provided to the USAF were disassembled, quality inspected and burned in at the Chief Engineers office in Anchorage. Reliability was not an option.”

#8 – EXECUTIVE ORDER – IMPROVING CRITICAL INFRASTRUCTURE CYBER SECURITY – ED PERKINS

IMPROVING CRITICAL INFRASTRUCTURE CYBER SECURITY 

US President Barack Obama signed the long-awaited Cybersecurity Executive Order on Feb. 12, 2013. The full text of the Executive Order can be found on the White House website here:

http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

For months, the Obama administration had been floating the idea of issuing an executive order on cybersecurity. With the failure of the Cyber Intelligence Sharing and Protection Act (CISPA) to get traction in Congress, they have delivered – the “Improving Critical Infrastructure Cybersecurity” Executive Order was signed on February 12. [For details of CISPA, see this link:

http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/HR624.pdf]

The focus of the Order is protection of Critical Infrastructure. The Secretary of Homeland Security and the Attorney General, in coordination with the Director of National Intelligence, are the responsible officials.

This article describes the basic sections of the Order and the timeline that is laid out for implementation.

ACM Tech News – an excellent resource

From http://technews.acm.org:
Welcome to the April 27, 2012 edition of ACM TechNews, providing timely information for IT professionals three times a week.

ACM TechNews mobile apps are available for Android phones and tablets and for iPhones and iPads.

HEADLINES AT A GLANCE
In U.S.-Russia Deal, Nuclear Communication System May Be Used for Cybersecurity
Computer Surveillance Will Help Keep an Eye on National Security
Tiny Crystal Revolutionizes Computing
Tech Needs Girls: World Leaders Draw Up Roadmap for Female Tech Education and Careers Push
CAPTCHA, Crowdsourcing Pioneer von Ahn Captures Grace Murray Hopper Award
Algorithmic Incentives
Dynasty? U of W Repeats as National Cyber Defense Champ.
NSF, SRC Partner on Failure-Resistant Systems

In U.S.-Russia Deal, Nuclear Communication System May Be Used for Cybersecurity
Washington Post (04/27/12) Ellen Nakashima

U.S. and Russian negotiators are close to completing a deal in which a secure communications channel originally established to prevent misperceptions that might lead to a nuclear conflict will be expanded to accommodate cybersecurity. U.S. officials and experts from both countries say the Nuclear Risk Reduction Center would be a major step forward in the initiative to guarantee that misunderstandings in cyberspace do not escalate to full hostilities. The system features computer terminals at the U.S. State Department and the Russian Defense Ministry that are manned 24 hours a day, and it permits the rapid translation of electronic messages to key officials. Officials say that in the event of a cyberincident, the communications channel could be triggered if either Russia or the U.S. identifies seemingly hostile cyberactivity. The channel’s use would only be mandated if the activity is of “such substantial concern that it could be perceived as threatening national security,” according to an Obama administration official. The official notes the Russians asked for a phone-based hotline between the White House and the Kremlin for cyberincidents that is separate from the nuclear hotline. The pact would be the first between the U.S. and another nation that aims to lower the likelihood of a cyberconflict.

Computer Surveillance Will Help Keep an Eye on National Security
Queensland University of Technology (04/26/12) Stephanie Harrington

Technology that combines two-dimensional (2D) and three-dimensional (3D) video images taken from a variety of challenging environments will make it easier to identify people who are not facing cameras, according to Queensland University of Technology researchers. Queensland professors Sridha Sridharan and Clinton Fookes plan to develop mathematical algorithms that will make it possible to take features from video and convert them into a model capable of recognizing and matching facial features. “What we are trying to do is use multiple cameras in space to reconstruct a face in 3D, or use multiple images over time of the same face to reconstruct into 3D,” Fookes says. “Once we have the information, the system will then be able to identify a shortlist of possible candidates and it will then be up to a human observer to authenticate the correct match.” The result of the project will be a set of tools for facial analysis in visual surveillance and video content extraction applications. The surveillance technology would benefit law enforcement agencies, which often struggle with poor quality video and images during investigations.

Tiny Crystal Revolutionizes Computing
University of Sydney (04/26/12) Verity Leatherdale

Researchers at the University of Sydney, the U.S. National Institute of Standards and Technology, Georgetown University, North Carolina State University, and the Council for Scientific and Industrial Research have developed a tiny crystal that enables a computer to perform calculations that are too difficult for the world’s most powerful supercomputers. “The system we have developed has the potential to perform calculations that would require a supercomputer larger than the size of the known universe–and it does it all in a diameter of less than a millimeter,” says Sydney’s Michael Biercuk. The new quantum simulator is potentially faster than any known computer by 10 to the power of 80, according to the researchers. They say the crystal goes beyond all previous experimental attempts in providing “programmability” and the critical threshold of qubits needed for the simulator to exceed the capability of most supercomputers. The simulator also can be used to gain insights about complex quantum systems. “We are studying the interactions of spins in the field of quantum magnetism–a key problem that underlies new discoveries in materials science for energy, biology, and medicine,” Biercuk says.

Tech Needs Girls: World Leaders Draw Up Roadmap for Female Tech Education and Careers Push
International Telecommunication Union (04/26/12)

American, European, African, and Asian leaders recently gathered for a high-level dialogue hosted by the International Telecommunication Union (ITU) to outline a roadmap to get more girls into technology-oriented studies and careers. ITU Secretary-General Hamadoun Toure says information and communications technology (ICT) jobs are expected to greatly outstrip the supply of professionals to fill them within the next 10 years, which represents “an extraordinary opportunity for girls and young women.” He stresses that stereotypes and obsolete attitudes about ICT careers being too difficult, unfeminine, or boring for girls should be abolished. “Encouraging girls into the technology industry will create a positive feedback loop–in turn … inspiring new role models for the next generation,” Toure says. Other factors the dialogue identified as collectively impeding girls’ progress in technology fields are a geeky image of the tech discipline promulgated by the popular media, misguided school-age career counseling, a lack of inspirational female role models, and a shortage of supportive home- and workplace-based frameworks. Toure urged the event’s participants to work with ITU on a three-year Tech Needs Girls campaign concentrating on the themes of empowerment, equality, education, and employment.

CAPTCHA, Crowdsourcing Pioneer von Ahn Captures Grace Murray Hopper Award
Network World (04/26/12) Bob Brown

Carnegie Mellon University associate professor Luis von Ahn has received ACM’s 2011 Grace Murray Hopper Award, which recognizes outstanding work from young computer professionals and comes with a $35,000 prize. Von Ahn’s latest project, Duolingo, helps people learn foreign languages while translating text on the Web. “Professor von Ahn’s breakthrough research has changed the game for how we use computers,” says ACM president Alain Chesnais. “His innovations impact our personal usage of computing devices and make commercial applications of computing more secure.” Von Ahn’s accomplishments also include the development of the widely used Completely Automated Public Turing Tests to Tell Computers and Humans Apart technology, a challenge-response test designed to ensure that the response is from a person. A second generation of the technology uses crowdsourcing to simultaneously digitize books. Chesnais says von Ahn’s “potential for further altering how we work and play in the digital age seems boundless.”

Algorithmic Incentives
MIT News (04/25/12) Larry Hardesty

Massachusetts Institute of Technology (MIT) professor Silvio Micali and graduate student Pablo Azar have developed a type of mathematical game called a rational proof, which varies interactive proofs by giving them an economic component. Rational proofs could have implications for cryptography, but they also could suggest new ways to structure incentives in contracts. Research on both interactive proofs and rational proofs falls under the designation of computational-complexity theory, which classifies computational problems according to how hard they are to solve. Although interactive proofs take millions of rounds of questioning, rational proofs enable researchers to establish one round of questioning. With rational proofs, “we have yet another twist, where, if you assign some game-theoretical rationality to the prover, then the proof is yet another thing that we didn’t think of in the past,” says Weizmann Institute of Science professor Moni Naor. Rational-proof systems that describe simple interactions also could have applications in crowdsourcing, Micali says. He notes that research on rational proofs is just getting started. “Right now, we’ve developed it for problems that are very, very hard,” Micali says. “But how about problems that are very, very simple?”

Dynasty? U of W Repeats as National Cyber Defense Champ.
Government Computer News (04/25/12) William Jackson

A team from the University of Washington recently won the National Collegiate Cyber Defense Competition for the second straight year, defeating regional champions from nine other schools. The tournament, which began in 2005, is part of a nationwide effort to identify and develop cybersecurity talent. The U.S. Air Force Academy finished second in the competition and Texas A&M University came in third. As part of the competition, each team was given an operational network for a fictional Web services hosting company with subsidiary retail operations, such as email, Web sites, data files and users. The network had to be operated and services maintained in the face of outside attacks. The teams were scored on their ability to maintain services while completing business tasks and lost points for failing to meet service-level agreements. In addition, cloud computing was a major component of the competition this year, says University of Washington cybersecurity program director Melody Kadenko. She notes that teamwork helped the Washington team win the competition. “The most important component was how they interact with each other,” Kadenko says. “They already had the knowledge … but you can’t teach how to get along with somebody.”

NSF, SRC Partner on Failure-Resistant Systems
CCC Blog (04/24/12) Erwin Gianchandani

The U.S. National Science Foundation (NSF) and the Semiconductor Research Corp. (SRC) recently announced Failure-Resistant Systems, a joint initiative that seeks proposals for new techniques that would ensure the reliability of systems. The proposals should focus on a system-level cross-layer approach to reliability, and encompass the failure mechanisms of both digital and analog components. Such a technique would potentially offer high reliability and lower power and performance overheads. “By distributing reliability across the system design stack, cross-layer approaches can take advantage of the information available at each level, including even application-level knowledge, to efficiently tolerate errors, aging, and variation,” the initiative’s solicitation says. “This will allow handling of different physical effects at the most efficient stack layer, and can be adapted to varying application needs, operating environments, and changing hardware state.” NSF and SRC plan to fund 15 to 20 awards, each ranging from $300,000 to $400,000, over three years. The deadline for proposals is June 26, 2012.