
Risk

9/7/2005
08:44 PM
Patricia Keefe
Commentary

Baked-In Security

While much of the Monday-morning quarterbacking of the response to Hurricane Katrina revolves around poor communication, bureaucratic missteps, sluggishness, and red tape on both the state and federal levels, the disaster got me thinking about something entirely different: the readiness of our national infrastructure--roughly 80% of which lies in private hands--to withstand or bounce back from a disaster or cyberattack of similar proportions.

One look at New Orleans and the Mississippi cities of Gulfport and Biloxi makes it very clear what happens when we have wholesale, widespread shutdowns of key utilities--water, electricity, fuel, and communications: chaos, panic, and death. It also points to the perils of inadequately secured ports, oil rigs, and levees. It's not good.

Now, we don't have oil rigs and levees everywhere. And a Category 5 hurricane is not a common occurrence. That is not the point. The issue isn't even whether anything could have withstood the howling winds, storm surge, and flooding wrought by Katrina. Clearly not.

The issue is that we do have chemical plants all over the place, key ports of entry ringing the country, a network of interstate highways and skyways, and a national grid of utility, water, communications, and network services we all take for granted. These pieces of our critical infrastructure have long been considered prime targets for physical and cyberattack, and, indeed, it may not be possible to protect them from a determined attacker.

But it is possible to put into place physical and cyber safeguards, and it is possible to have a detailed, thought-out plan for recovery in the event of, say, a major shutdown of the electricity grid or air-traffic control. We just assume these things are so.

Which is why, I think, as stunning as the images of destruction are--and you don't expect to see that kind of devastation in the United States--the country seems more shocked by the aftermath. We perhaps naively expected to see an almost instantaneous response--the kind we are accustomed to seeing our nation lend to other planetary citizens. And for whatever reasons, when it did not happen, the shock was felt around the world. Closer to home, people died.

And yet, it could be worse. The question that is going to have to be addressed at some point in the angst-ridden postmortem is this: What if this level of disaster happens again? On a broader, more nationwide scale? We can no longer say terrorist attacks and the unbridled wrath of Mother Nature don't hit here. The last four years make it clear they do. And we can no longer assume that when these disasters strike, wreaking the level of havoc they do, we'll be bouncing back to normal in no time. We won't.

Given our focus on technology, I cannot help but wonder about a wider-scale shutdown of key services driven by cyberattacks, and whether we've made any progress in the area of cybersecurity beyond the many committees, subcommittees, and proclamations that have been created over the last four years to address the subject. So it seemed a good time to check in with the security experts at the SANS Institute, specifically its longtime director of research, Alan Paller. As it turns out, my timing was perfect--in recent weeks there has been progress on this very issue, including "three or four" conversations about it at the White House level. Among the changes under way:

  • An old idea that could go a long way toward addressing the cybersecurity side of critical infrastructure has gotten new wind recently as three current and former federal CIOs--Karen Evans, the head of E-government and chair of the Federal CIO Council; Lisa Schlosser, CIO at HUD; and John Gilligan, formerly CIO of Energy, recently retired CIO of the Air Force and now a senior exec at SRA--have renewed efforts to push the idea. Variously called "The Big Idea" and "Baked-in Security," the idea is to lead the way by using federal procurement to set new security standards and to force vulnerability testing. Using the clout of government contracts, these CIOs are essentially advocating pushing some of the security responsibility down to the vendors. The thinking, Paller asks, is this: if the feds can demand a certain level of security and monitoring capability built into the PCs they buy--i.e., Center for Internet Security compliance--how long will it be before Boeing says, "Hey, we want those too," and more ordinary companies and consumers chime in as well?

  • On the physical security front, it turns out that the utility companies are working together as you read this to pull together a standard for SCADA (Supervisory Control and Data Acquisition) industrial control systems, a very big deal further explained by InformationWeek Editorial Director Bob Evans in an Aug. 29 column on our annual security issue. According to Paller, "The utilities are getting together and saying, 'Wait a minute, SCADA provider. When you sell your next system to us, it has to have these characteristics.'"

    The reason there is so much excitement over "Baked-in Security" is fourfold, Paller explains:

  • It recognizes that only the federal government has the money to force, or if you prefer, persuade, vendors to make these changes. "It radically lowers costs to do it once, at the supplier level, rather than having to harden systems at every desktop after deployment."

  • The hoped-for "catalytic" changes can have widespread impact, since we are not talking about fighter jets or systems specific to the narrow needs of some agency. We're talking about ordinary systems used everywhere for a variety of purposes. The feds run hospital systems, power plants, telephone networks--you name it, Paller says. "There is nothing these guys [critical infrastructure suppliers] run that the feds don't run, so the federal buying power is highly relevant."

  • It transfers some big pieces of the security responsibilities back onto the vendor. For example, instead of an agency doing vulnerability testing of the software it is buying, Paller says, the government is picking up on an idea he attributes to Gartner, and starting to put together RFPs that require developers to run a vulnerability test of their software on the platforms they are proposing the customer buy. The vendor is too embarrassed to deliver systems that fail the vulnerability tests, so they fix them. This way customers are provided with secure systems at the outset. Procurement is also being considered as a way of requiring vendors to include facilities for automated monitoring of security of software or hardware so that it stays safe.

  • The expectation is that the requirements at the federal level will roll over to everyone eventually, upping the level of secure systems all around.

    A little closer to my original question, at best, Paller says we can expect to see mobile recovery technology, starting with mobile communications, improved "radically" following the lessons learned from Katrina. But in terms of large-scale impact on the national infrastructure, he is doubtful. More likely, he predicts, will be the changes wrought over time by the initiatives he described above. Let's hope those CIOs find some willing listeners.
