Wednesday, April 15, 2009

Scanning the Grid

Last week's WSJ article has stirred controversy within the cyber security community. Many, including myself, recognize the vulnerabilities in the power grid but nonetheless feel this specific story was hype. Others believe the real threat to the grid is from insiders, not external hackers.

The fundamental problem with the WSJ article is that it provided no specific information to support its claims. Sure, it's logical to assume that rival nation-states, like Russia and China, are interested in developing offensive cyber warfare strategies and tactics - including the capability to take out a power grid. However, without solid attribution data it is difficult to state with certainty that China and Russia have indeed penetrated our grid.

As we've discussed, attribution is difficult, but not impossible. Thankfully, independent cybersecurity researchers have stepped into the void and attempted to provide more reliable attribution data. Team Cymru recently published a study documenting the origination point of probes for SCADA systems. As we've discussed in class, SCADA systems are used to monitor and control power plants and the power grid. If a hacker were able to locate and gain control of a SCADA system responsible for power generation or distribution, the hacker could presumably crash the SCADA system and disrupt the grid.

According to Team Cymru's research,
scans of our Darknet for 2008 for udp/20000, tcp/502, udp/2222, tcp/44818 and udp/44818. These ports encompass protocols that are believed to control a large section of currently deployed SCADA systems. The IPs scanning for these ports seem to be grouped into four geographic regions:

USA: The two main hotspots for scanning appear to emanate from IPs located in Houston, Texas and Miami, Florida.

Western Europe: There are hotspots in London, United Kingdom, Seville, Spain, and apparently in locations in Scandinavia and Southern France.

Eastern Europe: Hotspots in this region include St Petersburg and Moscow as well as a location in the Ukraine and Bucharest, Romania.

Far East: By far the most concentrated grouping of hotspots, the Far East contains concentrations of SCADA scanning IPs in Thailand, Hong Kong, Taiwan, Korea, Japan and several locations in China.
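To make concrete what a darknet study of this kind actually measures, here is an added example (my own code, not Team Cymru's, and not part of the original post). It takes constructed flow records in an assumed "timestamp proto src dst dport" layout, keeps only packets aimed at the five ports the study names, and reports sources that touched several distinct darknet addresses on the same port. The protocol labels on the ports (Modbus/TCP, DNP3, EtherNet/IP) are my annotation of the well-known services on those ports, not wording from the study; the addresses are from the reserved documentation ranges.

```python
"""Flag SCADA-port probes in darknet flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Ports from the Team Cymru study. The service names are this example's
# annotation of the well-known services on those ports, not text from the study.
SCADA_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 20000): "DNP3",
    ("tcp", 502): "Modbus/TCP",
    ("udp", 2222): "EtherNet/IP implicit (CIP I/O)",
    ("tcp", 44818): "EtherNet/IP explicit (CIP)",
    ("udp", 44818): "EtherNet/IP explicit (CIP)",
}


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one record: <ts> <proto> <src> <dst> <dport>.

    This record layout is an assumption made for the example, not any real
    collector's export format."""
    ts, proto, src, dst, dport = line.split()
    return Flow(ts, proto.lower(), src, dst, int(dport))


def scada_service(flow: Flow) -> Optional[str]:
    """Return the SCADA service name for the flow's destination port, or None."""
    return SCADA_PORTS.get((flow.proto, flow.dport))


def find_scanners(lines: Iterable[str], min_targets: int = 3) -> Dict[str, Dict[str, int]]:
    """A darknet has no legitimate hosts, so every packet into it is unsolicited.

    A source that hits at least `min_targets` distinct darknet addresses on the
    same SCADA port is treated as a scanner; a source that hammers one address
    repeatedly is not (it may be a misconfigured client, not a sweep).
    Returns {src: {service: distinct_targets}} for scanners only."""
    targets: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        service = scada_service(flow)
        if service is None:
            continue  # not one of the SCADA ports under study
        targets[(flow.src, service)].add(flow.dst)
    scanners: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (src, service), dsts in targets.items():
        if len(dsts) >= min_targets:
            scanners[src][service] = len(dsts)
    return dict(scanners)


def count_by_service(scanners: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Number of distinct scanning sources observed per SCADA service."""
    counts: Dict[str, int] = defaultdict(int)
    for services in scanners.values():
        for service in services:
            counts[service] += 1
    return dict(counts)


# Constructed sample: darknet addresses in 192.0.2.0/24 and sources in
# 203.0.113.0/24 (both reserved documentation ranges, not real hosts).
SAMPLE_FLOWS = """
2008-05-01T03:12:07Z tcp 203.0.113.10 192.0.2.1 502
2008-05-01T03:12:07Z tcp 203.0.113.10 192.0.2.2 502
2008-05-01T03:12:08Z tcp 203.0.113.10 192.0.2.3 502
2008-05-01T03:12:08Z tcp 203.0.113.10 192.0.2.4 502
2008-05-01T03:12:09Z udp 203.0.113.10 192.0.2.1 20000
2008-05-01T03:12:09Z udp 203.0.113.10 192.0.2.2 20000
2008-05-01T04:00:00Z tcp 203.0.113.77 192.0.2.1 502
2008-05-01T04:00:01Z tcp 203.0.113.77 192.0.2.1 502
2008-05-01T04:00:02Z tcp 203.0.113.77 192.0.2.1 502
2008-05-01T05:30:00Z tcp 203.0.113.200 192.0.2.1 80
2008-05-01T05:30:00Z tcp 203.0.113.200 192.0.2.2 80
2008-05-01T05:30:00Z tcp 203.0.113.200 192.0.2.3 80
2008-05-01T06:00:00Z tcp 203.0.113.55 192.0.2.1 44818
2008-05-01T06:00:00Z tcp 203.0.113.55 192.0.2.2 44818
2008-05-01T06:00:00Z tcp 203.0.113.55 192.0.2.5 44818
"""


def run_sample() -> Dict[str, Dict[str, int]]:
    return find_scanners(SAMPLE_FLOWS.splitlines())


if __name__ == "__main__":
    result = run_sample()
    for src, services in sorted(result.items()):
        print(src, services)
    print(count_by_service(result))
```

Note what the output is and is not: it names the source address of a sweep, which is the only thing a darknet can observe. Turning that address into a city or country takes a separate geolocation lookup, and turning it into an operator takes evidence the packets themselves do not carry, which is exactly the limitation discussed below.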

On the surface, this data appears to indicate that hackers in China and Russia are actively scanning the Internet in search of connected SCADA systems. I applaud Team Cymru's efforts to bring analytical clarity to the question of whether rivals are penetrating our power grid. However, I do feel compelled to point out a couple of limitations of their study.

First, just because a scan originates from China or Russia does not mean the hacker executing the scan is based in China or Russia. A hacker from another country could easily connect to a bot in China or Russia to carry out a scan.

Second, it's important to note that next to China and Taiwan, the United States was the third most popular origination point for scans for SCADA systems. Does this mean that hackers in the United States are also probing for SCADA systems? Or does it mean that hackers are using bots based in the US to carry out their scans?

My point is that more data and analysis is required in order to accurately identify the source of a probe or a cyber attack. Again, attribution is difficult but not impossible, and it is absolutely necessary.


Erin said...

The thing that stands out to me most about this post is the importance of individuals in this new type of warfare. Traditionally, one person would not have the power to take down another nation - this could only be done by a NATION of comparable power. The only counter example to this would be terrorism, which is now also brought to a higher level of efficiency through the internet. Terrorists may be easier to identify than hackers, but attributing which country they originate from (if it is even just one country) is difficult. Because of this, it is just as difficult to "lay blame" or "fight back".

The other way that individuals are now more vital than ever is exhibited by the fact that "independent cybersecurity researchers have stepped into the void to provide more reliable attribution data". Due to the internet, these individuals not only have the resources and abilities to work on the same level as government researchers, but they are going above and beyond what the government has been capable of. What appears to be needed is more frequent and more efficient communication between these different researchers.

galina.olmsted said...

Like Erin, I do wonder about the way the individuality of these sorts of attacks and this brand of cyberterrorism ought to affect the way the US government approaches both prevention and retaliation. Even if these hackers are acting on the behalf of a particular nation-state, if something were to happen, it wouldn't be hard for the Chinese or Russian government to deny any involvement and to say that the attack was launched by a single person acting on his or her own behalf. How willing is the US government to consider retaliation against an entire nation when the act of cyberterrorism or aggression comes from a single actor? This is an attribution issue that presents itself in all acts of terrorism, but with cyberterrorism, it seems that accountability is even harder to come by.

Also, one has to wonder, how is the US government planning to punish cyberterrorists in other countries? If a Russian hacker were to bring down a US power grid, and the Russian government refused to turn him or her over (here's pretending that it would be easy to identify a single actor), would the US government really be willing to act against Russia in retaliation? If not, what's the disincentive against cyberterrorism if the risk of getting caught is low, and the consequences next to none? It seems to me as though the US government needs to think these sorts of issues out before something happens, rather than just trying to play it by ear when it does.

Stephan said...

At first mention of foreign countries supposedly having access to our nation's power grid, I was extremely troubled. Granted, it is an extremely delicate situation in which our country could be brought to its knees if this were indeed true, yet it is important to evaluate the motives of those countries who would be capable of such an action. If it is a country such as China, shouldn't they be extremely worried about several repercussions? The Chinese government is one of the largest holders of US debt, which would devalue immensely should our power grid be overtaken.

In addition to the potential monetary loss, according to Bamford in THE SHADOW FACTORY, "Corrupting or destroying another nation's data network is considered by most countries an act of war. And in a world where all networks are intertwined like a ball of string, once a well-disguised virus is set loose on one system, it may quickly spread to others..." Granted, monetary values may be considered inconsequential in times of all-out war, but isn't there a reasonable belief that the NSA has capabilities for immediate retaliation as well?

Ben2012 said...

I'd like to look at this article in a slightly different light. It's obvious that the WSJ, a respected institution, doesn't fully grasp the nature of the changing battlefield and therefore is missing a lot when it tries to write about it. I wonder how different some of our policymakers are.

The problem with articles like this is that they are conceived and written by generalists, reporters who aren't experts in the field and are buying into information and hype served to them by others, some or most of whom probably have their own agendas. Yet, in our policymaking process, the decisionmakers, particularly elected officials, but also, I think, nonelected principals in positions of great power, are also generalists. They rely on other individuals with their own agendas for not only information, but interpretation of that information. To what degree this is the case (the NSA is probably an exception), I don't know, but I think it's a valid question with worrying datapoints. Look at the background of top Clinton and Bush administration intelligence officials; I can't find one, outside of maybe Michael Hayden, with a background in technological systems. One could also contend that this is true for corporations and small businesses aiming to secure their own infrastructure as well: I submit that the decision-maker's lack of knowledge on the subject is a primary cause of America's weakness.

The implication of all this is that there has to be some large effort to integrate simple, but critical, technological concepts into the general lexicon. It is readily apparent to me that there are plenty of experts in the field writing publicly or working midlevel jobs in intelligence agencies with the needed expertise. The knowledge exists. The effort must be in creating a platform to spread that knowledge from the impenetrable structures at Fort Meade to the general decision makers and interpreters, both public and private. This article shows that, perhaps because it's in the government's (read: NSA's) interest to leave some vulnerabilities unpatched or perhaps because we haven't focused on it enough, we have a long way to go.