Cyber 7.0: Critical infrastructure and the Internet-of-things.
Cyber 7.0 met on Wednesday, June 22, in Laurel, Maryland. The conference focused on critical infrastructure and the Internet-of-things.
After welcoming remarks from Howard County Chamber of Commerce CEO Leonardo McClarty, Senator Ben Cardin (D-Maryland) delivered a short keynote address. He noted the upcoming vote on National Security Letters, alluding in a noncommittal way to their use in investigation of terrorism, and expressing general hope for legislation that would help prevent crimes like the recent massacre in Orlando.
He outlined the cyber security agreements the Administration has concluded with China. He approves of the agreements, he said, but thinks it likely they’ve had little real effect on the Chinese government’s conduct. He did praise ongoing legislative efforts to foster more information sharing among Government and the private sector (a theme that would recur throughout the day) and he drew a larger point about US policy needing to become more sophisticated with respect to fostering the free flow of information. This he sees as, essentially, the foundation of US information operations in influencing and shaping the evolution of the global community.
He closed with expressions of pride in Maryland’s role in the cyber security industry, and he commended colleges and universities in his state—especially the community colleges—for their work in developing a talented, committed labor force.
Critical infrastructure: a threat perspective.
Renee Tarun, Deputy Director, NSA Cyber Task Force, delivered the second morning keynote. She organized her talk around the risks of interconnection, and the recognition that such risks always accompany the benefits.
“Threat-agnostic, consequence-based analysis,” she said, “is essential to critical infrastructure defense,” and she noted the emergence of highly-tailored “malware” designed to engage very specific targets. The hacks of both the Bowman Street Dam in Rye, New York, and of the power grid in Western Ukraine are examples of malware attacks. APTs occupying “key cyber terrain” will be a feature of malware attacks going forward.
A look at the threat landscape reveals a familiar array of threat actors. First are nation-state adversaries committed to traditional cyber espionage. They are, she said, “getting faster, but our defenses are not.” Russia, China, Iran, and North Korea she named (following DNI Clapper’s testimony to Congress) as “sophisticated actors.” They use hired talent not only for capacity and capability, but also for the plausible deniability it affords. This black market labor pool has been augmented by commodified malware, Tarun noted in an aside. You can now buy it and use it without being a sophisticated coder.
Russia and China, she said, are the biggest cyber threats. Their style and goals, however, differ. Russia aims at espionage. It conducts influence operations and it engages in battlespace preparation. Russia's top target is critical infrastructure. They've compromised, for example, a number of widely used industrial control system (ICS) products.
For its part, China, while also interested in espionage as an adjunct and support to statecraft, is also heavily committed to industrial cyber espionage, intellectual property theft undertaken for the benefit of Chinese industry. Their top target is economic. How much they've disengaged from hacking IP in the wake of an agreement with the United States to desist remains to be seen.
Tarun then reviewed, briefly, Iranian cyber operations directed against an unclassified US Navy network, against the downstate New York flood control dam, and against various targets in the financial sector. The fourth nation-state threat, North Korea, she characterized as unpredictable. The DPRK is capable, and it’s willing to launch destructive attacks. Its regime has become increasingly convinced that cyber is a major instrument of state power.
Turning from threats to vulnerabilities, Tarun discussed the proliferation of the Internet-of-things (IoT) as a dramatic expansion of users’ and enterprises’ attack surfaces. Small, resource-limited IoT devices are being developed without security.
Our response to protecting critical infrastructure and key resources will necessarily be complex. We need, she argued, better standards, more defense-in-depth, and better teamwork. We need automated information sharing, and automated resilience and regeneration strategies. “We need good methods of characterizing risk,” she said, since “cyber risk should be understood as a business risk.” Enterprises have one distinct advantage—self-knowledge—and they should turn that knowledge of their networks and environments to their advantage. “No one knows your systems like you.”
Automation and integration are, Tarun concluded, the "only way we can scale to the scope of the problem." NSA champions "Integrated Adaptive Cyber Defense," an approach based on the OODA loop. She called for deterrence, resistance, and regeneration within the IACD model, and for increased public-private teamwork with respect to information sharing. (The DHS portal, she thought, should prove helpful here.) The Cybersecurity Information Sharing Act (CISA) covers not only sharing, she pointed out, but also authorization of private actors to monitor and defend their networks. She hopes that CISA can "kick-start" strong public-private partnership, but Tarun closed with a warning to expect “dangerous seas ahead."
A breakout session on IoT security was chaired by AKUA CEO Neil Furukawa. The panelists included Drew Cohen (CEO, MasterPeace Solutions), Chris Cleary (Director of Federal Business Development at Tenable Network Security), Larry Wall (CEO, Eurotech Inc), and April Doss (Partner, Saul Ewing LLP).
Furukawa opened the discussion by asking the panel what they thought the Government’s role should be in regulating the IoT. Doss observed that this was a complex question, if only because there were lots of Government players in the space. She listed the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Agency (NTIA—both NIST and NTIA are housed in the Department of Commerce), the Department of Homeland Security (with responsibilities touching every aspect of critical infrastructure), the Federal Trade Commission (FTC—which is playing a very expansive role from its consumer protection charter), and the Department of Justice (especially the FBI). Some agencies are seeking a balance among standards setting, growth, and consumer protection, and this is a difficult balance to strike.
Wall thought the consumer protection piece particularly striking and interesting. The IoT brings together disparate data sources, correlation of which offers an enormous opportunity for abuse.
Furukawa asked about the emerging cyber vulnerabilities that increase the risk of cyber-related crime. Cleary suggested looking at vulnerabilities through the lens of center-of-mass analysis. Find the critical requirements that make systems work, and look for the vulnerabilities there. He noted the progressive accretion of requirements. “We overcomplicate devices, making it hard for individuals to control them.” Introducing the IoT into homes dramatically increases attack surfaces. Wall agreed with the challenges posed by system complexity: “We're going to see big commercial enterprises create an unmanageable complexity.” Cleary (after appropriately deferring to lawyers) called the IoT “an attractive nuisance for attackers,” and a nuisance that will expose users and vendors to liability. Doss agreed that there “absolutely are liability issues” in the IoT's attack surface. A high percentage of incidents arise from operator error, and the interconnectedness of the IoT spreads risk. So we face exponentially larger legal risk. Consider Target, Doss advised. This was a PCI compliant company, but supply chain risks (specifically those posed by an HVAC contractor) were overlooked.
Cohen told an illustrative story about automotive AC connectivity—secured by username and password only, these credentials are easily scraped and the system manipulated. That’s a relatively trivial example, but he invited the audience to consider the serious potential the ability to alter or control a system offers. “You can destroy a business with such manipulation,” and configuration and deployment are enormous challenges.
Where, then, Furukawa asked, should research concentrate in attempting to address the issues surrounding the IoT? Cohen thought deployment an important area of inquiry. “We're moving to many different OSs (and many IoT devices don't even run an OS).” Wall made a case for work on network management. Here, IT practices might be adapted to the IoT. Cleary thought device management, and the ways in which people interact with devices, merited consideration.
And, finally, Furukawa asked the panelists to address the business and consumer benefits of the IoT. Wall observed that the IoT converges IT with OT (operational technology). “That's new. They're no longer different worlds. Moore's law is alive and well, and the Internet-of-things is all about enhancing our lives.” Smart agriculture, to take one example, is affecting consumer food output. Totally new business models are emerging. “We can now collect data we've never collected before,” and the “servitization” model, that is, offering x-as-a-service, is becoming pervasive. Cleary thought there was some good news even in the realistic consideration of the threat: it's not trivial to pull off, say, a comprehensive, Die-Hard style attack on a city.
When Furukawa opened the floor to questions, the audience asked about transportation technologies, like connected, driverless vehicles. Doss said she thought that automobile manufacturers would pay attention to credible results from ethical hackers.
“Fasten your seatbelts. It’s going to be a wild ride.”
Gib Sorebo, Chief Cybersecurity Strategist with Leidos, delivered the afternoon keynote. He began by reviewing the historical record, and discussing the dominant role attacks have played in driving cyber security across the healthcare, retail, and financial sectors. The history of attacks on critical infrastructure might be traced, he suggested, to a 1998 telephone switch hack that closed an airport. Most recently we can look to the December 2015 hack that produced blackouts across a significant portion of the Ukrainian power grid.
Hackers are growing more familiar with critical infrastructure and how it operates, and we can expect this trend to continue. The hackers who took down the power grid in Western Ukraine had considerable understanding of their target, but there were still clearly gaps in that knowledge. “It's only a matter of time before attackers close those gaps,” Sorebo said. Infrastructure runs on well-known, standard products. Consider Stuxnet: highly targeted, very sophisticated, and built with considerable understanding of the target and its environment. Stuxnet represents a considerable departure from the older pattern in which hackers hit targets of opportunity they usually didn't bother to take the trouble to study and understand. But now, as with Stuxnet, foreign intelligence services especially go to great lengths to know their target.
And, Sorebo pointed out, Stuxnet wasn't the first destructive attack. The Turkish pipeline blast of 2008 preceded it. The Ukraine grid hack was more conventional. It used compromised credentials in a poorly segmented network. Ukrainian utilities did a good job of recovering within a matter of hours. But we should note, Sorebo said, that someone was motivated to attack. The key ingredient is motivation. Threat equals motivation plus capability. A persistent actor can develop the capability to attack if sufficiently motivated, and attack tools are increasingly available on the black market.
Sorebo turned to a consideration of the range of effects it’s possible to achieve through attacks on critical infrastructure: ransomware, physical destruction, market manipulation, and so on. (The last, market manipulation, is a relatively new possibility with respect to critical infrastructure.) “The point is, there's a good range of motivations for an attack on critical infrastructure.”
“All too often infrastructure security is a disconnected series of one-offs,” Sorebo said. He offered a set of pragmatic defense-in-depth measures for protection, detection, and response. He advised that we keep evolving defenses, and that we design security programs that go beyond checklists. Ask whether your controls are sound. Are they applied diligently? And, finally, “If you say you do something, but don't, that's often worse from a litigation or regulatory perspective.”
Solutions: framework data sharing.
The final session of Cyber 7.0 was a panel on frameworks for information sharing. Dickie George (Senior Advisor for Cyber Security, the Johns Hopkins University Applied Physics Laboratory) chaired the panel, whose members were Paul Tortora (Director, Center for Cyber Security Studies, US Naval Academy), Paul Tiao (Partner, Hunton and Williams LLP), Sarah Geffroy (AT&T Services Global Public Policy), and Tim Keogh (Vice President, Commercial Insurance, Sandy Spring Insurance).
Geffroy began with a discussion of CISA, the Cybersecurity Information Sharing Act. She thinks many companies are still evaluating the benefits and the logistics of sharing cyber information through the Department of Homeland Security’s platform. There are still technical challenges with respect to the accuracy, context, and quality of the information being shared, exacerbated by lack of standard formats and nomenclature. Some financial disincentives to information sharing also still need to be overcome, as do concerns about consumer and market reaction to information disclosure. Beyond purely US issues, sharing information internationally remains a challenge for a multitude of legal, linguistic, and cultural reasons. None of these obstacles are insurmountable, Geffroy said, but they all need to be addressed. Small and medium enterprises in particular feel the organizational and financial stresses of information sharing acutely.
Keogh brought an interesting insurance industry perspective to the discussion. Cyber liability, he said, is a relatively new concern, and cyber insurance policies aren't generic products. “They have to be tailored and crafted to meet your needs and situation.” Yet cyber liability insurance “isn't some fancy, optional coverage.” The costs of breach notification alone are substantial. “Leave your pride aside,” Keogh advised, “and invest some time in looking into cyber liability insurance.” He recommended partnering with someone who’s not just selling you a policy, but who’ll help you manage your cyber risk. And pay attention to regional exclusions. “You've got a website? Then you've got global exposure.” He acknowledged that there's still sticker shock for cyber liability insurance, but rates drop every year, and the consequences of forgoing coverage can be catastrophic.
Tiao offered a legal perspective on the steps businesses should take to manage risk. This perspective is based on his background in both prosecution and civil litigation. “Start by knowing where your crown jewels are.” What are they, where are they, and how can you protect them? Think about how you can use your resources effectively, and above all design governance to give someone bottom-line accountability. Without bottom-line accountability, he emphasized, no risk management plan will succeed. Consider exposure to liability through your third-party vendors. “You may have hundreds of vendors.” Make sure your contracts include protections against cyber liability. Tiao advised managing the risk from insider threats. Not only should you do background checks before hiring, but you should work to keep employees happy. Monitor them, not only for potential threats, but also to know their state of mind. Prepare an incident response plan. Such plans are complex, and require a knowledgeable team ready to go. The team needs to know who's on it and what their roles are. And the plans need to be exercised, up and down the chain, before they need to be put into action.
Tortora suggested doing a Shodan search around your neighborhood. “It's eye-opening.” It will reveal the surprising extent of unprotected IoT devices in your environment. He described Cyber Safe, a US Navy program modelled on its successful and longstanding Sub Safe program (established in the mid-1960s after the accidental loss of USS Thresher). Naval systems must meet Cyber Safe standards. The connectivity of subsystems presents obvious problems. He described one such case, in which a diesel generator aboard a nuclear submarine was found to be automatically communicating (as it was designed to do) with its manufacturer so it could automatically receive software updates. “Obviously a problem,” he noted.
George asked the panel an obvious but challenging question: if I’m able to protect my valuable information, why is it in my interest to share such information with people who can't protect it? The panelists gave various answers, but they all came down to distinguishing kinds of information. Since risk comes down to threats, vulnerabilities, and consequences, they agreed that everyone benefited from sharing information about threats. "If you work together here,” as Tiao put it, “everyone benefits." Even rivals can be induced to cooperate if you share information selectively. You might not want to share information about vulnerability and consequence, but threat information should be eminently shareable.
To an audience question about whether sharing information about an actual breach would bring down regulatory action against the enterprise doing the reporting (and the agency clearly alluded to here was the Federal Trade Commission, the FTC), the panel acknowledged that this was indeed a vexed policy question.
So the questioner continued: “We have the FBI and DHS, saying they won't treat victims as criminals.” But regulatory agencies seem to take a different view of the matter. How should businesses understand and deal with this conflict? Geffroy thought that the final version of CISA did include some regulatory relief, but she acknowledged that troubling questions remain. Tiao said that the law is intended to give some assurance and comfort. DHS doesn’t intend to dime you out to the FTC if you share information with them. To protect businesses that share information, DHS “will de-identify” their reports so other agencies won't know where the information originated. And he added that threat information “of course” poses no regulatory risk. Somewhat curiously and surprisingly, since the observation runs counter to so much of the praise commonly passed out for inter-agency cooperation, Tiao also said poor interagency relations constitute an additional safeguard. “It's a strange dynamic, but some agencies know it's not in their interest to share with other agencies.”
Keogh pointed out that you can get some regulatory expenses covered in policies. “There's no goodwill provision in regulations. If they're going to come down hard on you, they're going to come down hard on you.” Carriers might be able to help you manage regulatory risk.
A member of the audience pointed out that private industry had significant trust issues with the Government’s regulatory reach, and invited the panel to comment. Tiao thought this a “great point,” and observed that DHS was getting better, and that this improvement was alleviating some skepticism. Companies want Government to have their back, and that’s as it should be.
With this panel’s conclusion, Cyber 7.0's formal proceedings came to an end. Leonardo McClarty thanked those who attended and encouraged all to save the date of June 21, 2017, for Cyber 8.0.