What is CInet?
Critical Infrastructure owners and operators lack a secure means to communicate with each other and with the government in the event that public networks are under threat, disrupted, or cannot be trusted. The Global Resilience Institute has proposed the creation of a Critical Infrastructure Network (CInet) to provide a separate, secure communications network for critical infrastructure owners and operators.
CInet would allow the government to share classified threat intelligence with approved partners in the private sector. It could also be used to move operational communications off the public Internet and to restore communications in the event of a widespread Internet outage. Working with partners in the private sector, the Federal government, and state and local agencies, GRI is engaging in a feasibility study in the metro Boston Area and has begun preliminary technical design work.
Questions? Comments? Email Nathaniel Toll: firstname.lastname@example.org
Recent cyberattacks attributed to Russia highlight importance of CINET in critical infrastructure resilience
In our first blog post on Critical Infrastructure Net (CINET) and our subsequent post on the public accessibility of industrial control systems, we outlined an attack on a water company that could have been prevented with CINET implementation and demonstrated how specific devices are vulnerable and publicly accessible. In this blog post we frame CINET against the backdrop of worrying new reports from March 2018 which outline how Russian cyber actors carried out prolonged operations over more than two years that “targeted government entities and multiple U.S. critical infrastructure sectors including energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors” throughout the United States. The technical details of the attacks are described in depth by the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) in Joint Technical Alert TA18-074A, and also in a report by the security company Symantec, which refers to the Russian group as “Dragonfly”.
Rebranding: “Chaos Engineering” as “Resilience Testing”
Last week, I had the opportunity to hear Aaron Rinehart brief on “Chaos Engineering”. Aaron is the Chief Enterprise Security Architect at UnitedHealth Group. His job is to break things. And by break things, I don’t mean innovate as in “move fast and break things” or break into things as in penetration testing, but actually break systems. It’s a cool job. UnitedHealth is a beast of a company. Cobbled together through dozens of acquisitions, it has 270,000 employees and roughly $200 billion in revenue. Also worth noting, when seemingly every other health insurance company got owned by the Chinese in 2015, UnitedHealth dodged the bullet. Maybe they weren’t targeted. Maybe the breach wasn’t discovered. Maybe they got lucky. Or maybe there is something to this approach. As networks and applications (and their interactions) grow increasingly complex and interdependent, the likelihood of cascading (and therefore devastating) failure also increases. Purposefully causing these failures in a deliberate and controlled fashion is possibly the only rational way to persist in the face of both system error and malicious activity.
Cyber resilience: A local approach
In our previous blog posts we have looked at a case study of a vulnerable water plant and explored using Shodan to scan the internet for vulnerable programmable logic controllers. In researching what I wanted to write about next, I watched a presentation at Black Hat 2017 by two U.S. Attorneys about their investigation, arrest and conviction of Roman Seleznev, a Russian hacker and dealer of stolen credit card information. What struck me during the presentation was that many of his targets were small U.S. businesses (the presentation highlighted a few restaurants in the Northwest U.S.) because many of them were easier to hack: they had poorly configured Remote Desktop Protocol (RDP) access and were storing credit card data in insecure formats. The result of some of these breaches was the target businesses shutting down shortly after publicly announcing they had been compromised. This got me thinking: what is the effect of cyber attacks on small businesses? What about on rural hospitals? Or local governments and first responders?
Using Shodan as a tool to find vulnerable devices | GRI Blog
In the last blog post, we looked at the case study of the Kemuri Water Company as outlined in the Verizon Data Breach Digest, which underscored the potential consequences of having industrial control systems connected to the public internet. This post will go a little deeper and look at the ease with which a device similar to those that were probably in use at the water company, and connected to the public internet, can be found and potentially exploited. For this process I used the tool ‘Shodan’. Shodan is essentially a search engine for internet-connected devices. It ‘crawls’ the internet, sending out connection requests and recording the public results, which include banner information, open ports, and running services. There have been numerous articles and blogs that highlight how Shodan has been used to find internet of things devices such as webcams, license plate readers, programmable logic controllers (PLCs), even ships using satellite antennas, and botnet command and control servers.
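The “banner” Shodan records for a PLC on TCP/502 is the device’s answer to an ordinary Modbus/TCP request: anyone who can reach the port can ask the controller to identify itself, no credentials required, which is exactly why an internet-exposed PLC is so easy to find. The following is an added example, not code from the GRI post or from Shodan: it builds the standard Modbus “Read Device Identification” request (function 0x2B, MEI type 0x0E) and parses the reply into the vendor, product and firmware fields a crawler would index. The sample response bytes are constructed for the example, not captured from a real device, and the `probe()` helper that talks to a live host is only for equipment you are authorized to test.

```python
"""Modbus/TCP Read Device Identification probe and banner parser (added example)."""
import socket
import struct

MODBUS_PORT = 502
FUNC_ENCAP_INTERFACE = 0x2B   # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E     # Read Device Identification
READ_DEV_ID_BASIC = 0x01      # basic objects: VendorName, ProductCode, MajorMinorRevision
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}


def build_device_id_request(transaction_id: int = 1, unit_id: int = 0xFF) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([FUNC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, READ_DEV_ID_BASIC, 0x00])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_device_id_response(frame: bytes) -> dict:
    """Decode a Read Device Identification reply; also recognises Modbus exception replies."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match frame size")
    function = pdu[0]
    if function == FUNC_ENCAP_INTERFACE | 0x80:
        # exception response: function code with high bit set, then one exception code
        return {"unit_id": unit_id, "exception": pdu[1]}
    if function != FUNC_ENCAP_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError(f"not a Read Device Identification response: {pdu[:2].hex()}")
    # pdu[2] read device id code, pdu[3] conformity level, pdu[4] more follows,
    # pdu[5] next object id, pdu[6] number of objects, then (id, len, value) triples
    count = pdu[6]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return {"unit_id": unit_id, "conformity_level": pdu[3],
            "more_follows": bool(pdu[4]), "objects": objects}


def build_sample_response(transaction_id: int = 1, unit_id: int = 0xFF) -> bytes:
    """Constructed reply from a hypothetical PLC (not a real vendor or product)."""
    objs = [(0x00, b"ExampleVendor"), (0x01, b"PLC-1000"), (0x02, b"v2.1")]
    pdu = bytes([FUNC_ENCAP_INTERFACE, MEI_READ_DEVICE_ID, READ_DEV_ID_BASIC,
                 0x01, 0x00, 0x00, len(objs)])
    for obj_id, value in objs:
        pdu += bytes([obj_id, len(value)]) + value
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def probe(host: str, port: int = MODBUS_PORT, timeout: float = 3.0) -> dict:
    """Query a live device. Only run against equipment you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_device_id_request())
        return parse_device_id_response(sock.recv(260))


if __name__ == "__main__":
    print("request:", build_device_id_request().hex())
    print("banner :", parse_device_id_response(build_sample_response()))
```

Note what the parser does not need: no login, no session, no handshake beyond a TCP connect. That is the property a dedicated control network like CINET removes from the public internet: the same request is harmless when only the plant’s own hosts can send it, and a fingerprint for attackers when anyone can.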
Making our infrastructure more resilient to cyber-attacks | GRI Blog
As we develop the concept of CINET, one of our main challenges is to illustrate how separation of control networks from the public Internet and the existence of a dedicated channel for information sharing could help make our infrastructure more resilient to cyber-attacks. There are only a few public cases of destructive or disruptive cyber attacks targeting critical infrastructure. At this point, Stuxnet and the Ukraine power grid attacks have been beaten to death. In a series of posts, we are going to review a few less well-known ones. For those readers who treat the Verizon Data Breach Investigations Report as the Bible of cybersecurity, this case study will be familiar. For the rest of you, here is a brief recap.
Now are we ready to talk about CINET? | GRI Blog
On Wednesday I testified before the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection about information sharing. U.S. Rep. John Ratcliffe (R-TX), chairman of the subcommittee, and Congressman Jim Langevin (D-RI), ranking member, were particularly interested in what more needs to be done in the two years since Congress passed the Cybersecurity Act of 2015. That act eliminated many of the excuses for why companies don’t share cybersecurity information. It also directed the Department of Homeland Security and other agencies to develop the means to share classified information with private companies.
GRI senior research scientist testifies before U.S. House of Representatives subcommittee on cyber threat information sharing
On Wednesday, November 15 the U.S. House of Representatives subcommittee on Cybersecurity and Infrastructure Protection, of the Committee on Homeland Security, will hold a hearing to discuss how DHS can maximize cyber threat information, and determine the most effective partnerships for sharing cyber threat information, including with the private sector. Four witnesses, all from outside the government, will testify as part of this hearing.
To replace SSN with something more resilient, model it on the internet | GRI Blog
Rob Joyce wants to get rid of the social security number. “Every time we use the Social Security number you put it at risk,” Joyce, the White House Cyber Coordinator, told Washington Post Live recently. Joyce’s comments have led to no small amount of daydreaming by the technical community on the possibility of using a “modern cryptographic identifier” or (drum roll please) blockchain. That’s all well and good. But the challenges with replacing the social security number as an identifier (with something more secure) aren’t technical -- they are everything else. And as Steve Bellovin points out, it would be really, really hard.
What is ‘cyber resilience’ — and how is it useful? | GRI Blog
Cyber Resilience. It’s the latest craze in the field. But what does it mean? And more importantly, is it a useful concept? It may seem like a strange question to ask for my first blog post at the Global Resilience Institute but I have found that agreeing on definitions and frameworks is an important though often overlooked step in the field (anyone who disagrees should google “active defense” to see why).