
Risk
9/7/2005 08:44 PM
Patricia Keefe
Commentary

Baked-In Security

While much of the Monday-morning quarterbacking of the response to Hurricane Katrina revolves around poor communication, bureaucratic missteps, sluggishness, and red tape on both the state and federal levels, the disaster got me thinking about something entirely different: the readiness of our national infrastructure--roughly 80% of which lies in private hands--to withstand or bounce back from a disaster or cyberattack of similar proportions.

One look at New Orleans and the Mississippi cities of Gulfport and Biloxi makes it very clear what happens when we have wholesale, widespread shutdowns of key utilities--water, electricity, fuel, and communications: chaos, panic, and death. It also points to the perils of inadequately secured ports, oil rigs, and levees. It's not good.

Now, we don't have oil rigs and levees everywhere. And a Category 5 hurricane is not a common occurrence. That is not the point. The issue isn't even whether anything could have withstood the howling winds, storm surge, and flooding wrought by Katrina. Clearly not.

The issue is that we do have chemical plants all over the place, key ports of entry ringing the country, a network of interstate highways and skyways, and a national grid of utility, water, communications, and network services we all take for granted. These pieces of our critical infrastructure have long been considered prime targets for physical and cyberattack, and, indeed, it may not be possible to protect them from a determined attacker.

But it is possible to put into place physical and cyber safeguards, and it is possible to have a detailed, thought-out plan for recovery in the event of, say, a major shutdown of the electricity grid or air-traffic control. We just assume these things are so.

Which is why, I think, as stunning as the images of destruction are--and you don't expect to see that kind of devastation in the United States--the country seems more shocked by the aftermath. We perhaps naively expected to see an almost instantaneous response--the kind we are accustomed to seeing our nation lend to other planetary citizens. And for whatever reasons, when it did not happen, the shock was felt around the world. Closer to home, people died.

And yet, it could be worse. The question that is going to have to be addressed at some point in the angst-ridden postmortem is this: What if this level of disaster happens again? On a broader, more nationwide scale? We can no longer say terrorist attacks and the unbridled wrath of Mother Nature don't hit here. The last four years make it clear they do. And we can no longer assume that when these disasters strike, wreaking the level of havoc they do, we'll be bouncing back to normal in no time. We won't.

Given our focus on technology, I cannot help but wonder about a wider-scale shutdown of key services driven by cyberattacks, and whether we've made any progress in the area of cybersecurity beyond the many committees, subcommittees, and proclamations that have been created over the last four years to address the subject. So it seemed a good time to check in with the security experts at the SANS Institute, specifically its longtime director of research, Alan Paller. As it turns out, my timing was perfect--in recent weeks there has been progress on this very issue, including "three or four" conversations about it at the White House level. Among the changes under way:

  • An old idea that could go a long way toward addressing the cybersecurity side of critical infrastructure has gotten new wind recently as three current and former federal CIOs--Karen Evans, the head of E-government and chair of the Federal CIO Council; Lisa Schlosser, CIO at HUD; and John Gilligan, formerly CIO of Energy, recently retired CIO of the Air Force, and now a senior exec at SRA--have renewed efforts to push the idea. Variously called "The Big Idea" and "Baked-in Security," the idea is to lead the way by using federal procurement to set new security standards and to force vulnerability testing. Using the clout of government contracts, these CIOs are essentially advocating pushing some of the security responsibility down to the vendors. The thinking is that if the feds can demand a certain level of security and monitoring capabilities built into the PCs they buy--i.e., Center for Internet Security compliance--how long will it be before Boeing says, "Hey, we want those too," and more ordinary companies and consumers chime in as well? Paller asks.

  • On the physical security front, it turns out that the utility companies are working together as you read this to pull together a standard for Scada (Supervisory Control and Data Acquisition) industrial control systems, a very big deal further explained by InformationWeek Editorial Director Bob Evans in an Aug. 29 column on our annual security issue. According to Paller, "The utilities are getting together and saying, 'Wait a minute, Scada provider. When you sell your next system to us, it has to have these characteristics.'"

    The reason there is so much excitement over "Baked-in Security" is fourfold, Paller explains:

  • It recognizes that only the federal government has the money to force, or if you prefer persuade, vendors to make these changes. "It radically lowers costs to do it once, at the supplier level, rather than having to harden systems at every desktop after deployment."

  • The hoped-for "catalytic" changes can have widespread impact since we are not talking about fighter jets or systems specific to the narrow needs of some agency. We're talking about ordinary systems used everywhere for a variety of purposes. The feds run hospital systems, power plants, telephone networks--you name it, Paller says. "There is nothing these guys [critical infrastructure suppliers] run that the feds don't run, so the federal buying power is highly relevant."

  • It transfers some big pieces of the security responsibilities back onto the vendor. For example, instead of an agency doing vulnerability testing of the software it is buying, Paller says, the government is picking up on an idea he attributes to Gartner, and starting to put together RFPs that require developers to run a vulnerability test of their software on the platforms they are proposing the customer buy. The vendor is too embarrassed to deliver systems that fail the vulnerability tests, so they fix them. This way customers are provided with secure systems at the outset. Procurement is also being considered as a way of requiring vendors to include facilities for automated monitoring of security of software or hardware so that it stays safe.

  • The expectation is that the requirements at the federal level will roll over to everyone eventually, upping the level of secure systems all around.

    A little closer to my original question, at best, Paller says we can expect to see mobile recovery technology, starting with mobile communications, improved "radically" following the lessons learned from Katrina. But in terms of large-scale impact on the national infrastructure, he is doubtful. More likely, he predicts, will be the changes wrought over time by the initiatives he described above. Let's hope those CIOs find some willing listeners.
