What happens when the Net is attacked?

That's the question an obscure Homeland Security project is attempting to answer. So far, so good.

The IT security checklist developed by the U.S. Cyber Consequences Unit is an effort to update outdated checklists that researchers say have left gaping holes in the cyberdefenses of critical infrastructures.

The list is a result of on-site visits and interviews with personnel in the electric-power and health care industries, and is an attempt to focus security efforts on real-world consequences of security breaches.

The checklist contains 478 questions grouped into six categories and 16 avenues:

  • Hardware vulnerabilities. Physical equipment, environment and by-products.

  • Software access vulnerabilities. Identity authentication, application privileges, input validation and appropriate behavior patterns.

  • Network vulnerabilities. Permanent network connections, intermittent network connections and network maintenance.

  • Automation vulnerabilities. Human maintenance procedures and intentional actions threatening security.

  • Human operator vulnerabilities. Maintenance of security procedures and intentional actions threatening security.

  • Software supply vulnerabilities. Internal policies for software development and policies for dealing with external vendors.

Scott Borg, director and chief economist at US-CCU, outlined some of the major concerns in each of the primary categories.

  • Physical equipment. The overlap between physical and IT security opens many vulnerabilities. Physical access to hardware often is not adequately controlled. One electric-power facility reported a plague of petty thefts from temporary construction workers in sensitive areas that had not been secured.

  • Software access. This area accounts for the greatest number of vulnerabilities. As hospitals move to electronic records, the emphasis is on convenience, with little monitoring of how software is used or changed. 'There's a huge opportunity for mischief,' Borg said.

  • Network vulnerabilities. Access to the network is not adequately controlled and documented. Often this is a result of demands by senior management for immediate changes that do not go through proper authorization channels. 'We are finding all kinds of undocumented ways of accessing the networks.'

  • Automation. 'This is going to the heart of SCADA,' Borg said. Control systems are designed to be as clear and simple as possible, making them both user- and hacker-friendly. Often there is no monitoring or record of access to these systems, because they are not supposed to be accessed from the outside.

  • Human operators. The weak spot in almost any IT security system. Improper behavior and use of unauthorized programs open vulnerabilities in networks.

  • Software suppliers. Whether software is developed in-house or outsourced, the quality of the code is rarely guaranteed. Certifying the software can be counterproductive, because it's often obsolete by the time the process is completed. 'One of the ways around this is to certify the procedure for developing the software rather than the software itself.'

'Solutions for all of the things we are talking about already are under way,' Borg said.

But for some of the items on the checklist, there are still no cost-effective commercial solutions. Borg urged industry to step up to the plate and develop solutions, and said government should encourage development by creating incentives through its acquisition policies.


When a building collapses, you can see the devastation. When a network is brought to its knees, the effects are less obvious. That's why a little-known research institute funded by the Homeland Security Department is working to bring some order to the study of cyberattacks.

Despite annual reports from the FBI and repeated consultant studies, surprisingly little is known about the real costs of malicious code, denial-of-service and other attacks, because the companies that own the infrastructure are reluctant to share the information.

'Historically, the threat of cyberattacks has not received as much attention as the physical threat posed by terrorism and natural disasters,' said Andy Purdy, acting director of the DHS National Cyber Security Division.

As a result, estimates of financial impact have been based on guesses, said Scott Borg, director and chief economist for the U.S. Cyber Consequences Unit. There has been little solid data to analyze, and no tested methodologies to analyze it.

We don't even know what threats we should be protecting ourselves against.

'So much of what we have been hearing about cyberattacks was just hearsay,' Borg said. 'We found out a lot of things people were worried about were extremely unlikely.'

US-CCU was established in 2004 with a shoestring, four-month budget of $200,000 to do surveys of the electrical-power and health care sectors. Other industry sectors providing critical infrastructure were to be added later.

'We were very naive,' Borg said. 'The research project proved larger and more difficult than anticipated.'

The original contract was stretched out to cover a year, and now, well into its second one-year contract, US-CCU is still in what Borg calls a 'rather extended start-up phase.'

'We have time'

Fortunately, doomsday scenarios such as shutting down the power grid or the Internet are not likely to occur soon.

'These are not impossible, but they are way harder to do than a lot of people anticipated,' Borg said. 'Al-Qaida is not going to shut down the Internet or the power grid. So we have time.'

To use that time wisely, US-CCU recently released a security checklist to help enterprises focus on real-world consequences of cyberattacks. Borg and research director John Bumgarner based the 478 checklist items on their on-site visits.

'We started seeing huge vulnerabilities during our visits,' Borg said. Most of the systems they evaluated were compliant with current security checklists and industry best practices. 'And portions of those systems were extraordinarily secure. But they were Maginot lines,' susceptible to being outflanked.

The problem was that existing best practices were static lists based on outdated data. The US-CCU list shifts the focus from perimeter security to monitoring and maintaining internal systems. The problem with perimeter security is that there is always some way to circumvent it.

'We are way into diminishing returns on our investments in perimeter defense,' Borg said. 'To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what the consequences [would] be.'

Unfortunately, the tools for analyzing consequences have been lacking. The biggest roadblock has been the unwillingness of companies to share data, either with other companies or with the government.

'Without a comprehensive understanding of the potential economic impacts from cyberattacks, it is difficult to make an informed decision regarding investment in and prioritization of countermeasures,' Purdy said.

It was Purdy's predecessor in the Cyber Security Division of DHS, Amit Yoran, who authorized formation of US-CCU in April 2004. But the initial impetus came from the department's Private Sector Office, which was concerned about the lack of credible information about the costs of cyberattacks.

Borg, a senior research fellow at Dartmouth College's Tuck School of Business, had given briefings to government agencies and corporations on his models for economic analysis. He also had been chief economist on the Livewire cyberattack exercise in 2003 and served in the same capacity in this year's DHS Cyber Storm exercise. He was tapped to lead the effort.

Borg advocates applying real-world economics rather than quick-and-dirty estimates to the cost of cyberattacks.

'The cost of cyberattacks can be assessed by looking at how they change the overall inputs and outputs of business,' Borg wrote in his funding proposal to DHS.

This is obvious, but previous attempts have simply added up the cost of lost capacity attributed to attacks, without taking into account how much capacity is normally used or how much value it creates. Disruptions in critical infrastructure are often mitigated by work-arounds or by postponing an activity, and value is not completely lost.

Initial studies by US-CCU have produced some surprises. In an era of just-in-time inventory and high-speed delivery, shutting down a company or a portion of the infrastructure is normally seen as the greatest threat to productivity.

'But shutting things down for up to three days just doesn't cost much,' Borg said. Systems have enough excess capacity and inventory to survive short shutdowns well.

On the other hand, poorly secured process control systems, which form a nexus of the nation's physical and IT infrastructures, appear to be a greater danger than anticipated. These supervisory control and data acquisition, or SCADA, systems have long been a security concern.

Cybersurprise

'I had already been paying attention to SCADA systems,' Borg said. 'But I was surprised by the degree of interconnections with the Internet.

'Most of this stuff has not been a big surprise to the relevant business people,' he said. The problem has been the lack of communication among business people and between business and government, because much of this information is proprietary.

It was this wariness that required US-CCU to be set up as an independent institute, working at arms-length from DHS and able to protect corporate data from government.

Funds for US-CCU have been funneled through a General Services Administration contract with Sonalysts Inc. of Waterford, Conn., an e-business consulting group that is the legal and financial administrator for the unit.

US-CCU has been able to survive on its shoestring budget because the 10-person staff uses its own day-job offices, and much of their work is donated, Borg said.

His next goal at US-CCU is to develop more industry-specific security tools, because one size does not fit all in IT security.

'No wonder we have vulnerabilities,' he said. 'This is a huge opportunity for both security vendors and the hacker community.'

But instability within the DHS Cyber Security Division has hampered the unit's ability to gain either funding or attention, Borg said. Yoran resigned in September 2004, and Purdy remains in an acting capacity nearly two years later. A newly created slot for assistant secretary of cyber-security is unfilled, and personnel changes have limited institutional memory. The draft of the US-CCU cyber-security checklist was released in April without the DHS name or seal and has yet to be vetted by the department.

'I have tried hard to keep the National Cyber Security Division informed about the CCU's work and sought guidance on the release of the checklist,' Borg said. He tried to set up a meeting to discuss the checklist, but 'the relevant people seemed to have trouble fitting me into their schedules.'

Still, Purdy said that 'understanding the consequences of cyberattacks is particularly important in assessing the risk to a critical infrastructure,' and this requires a 'quantitative, systematic and rigorous process,' which US-CCU is striving to provide.

Let's hope it's given the chance to succeed.
