Threats of Russian cyber espionage prompt calls for the U.S. voting system to be designated as “critical infrastructure”—but does this designation have any teeth?
By Michael H. Howland, CEO of Armored Cloud
Earlier this month the Washington Post carried a disquieting headline “Intelligence community investigating covert Russian influence operations in the United States”. The story warns that intelligence officials believe that Russia is attempting to disrupt the upcoming U.S. election process by using cyber attacks against aging and highly vulnerable U.S. State and Local election networks. The article says that the purpose of the Russian cyber activity is unclear, but at a minimum the goals appear to be to cause chaos and provide Election Day disruptions to “sow public distrust in the upcoming presidential elections and in U.S. political institutions.”
According to the article the Russian sponsored cyber covert action represent such a real threat to the foundation of U.S. political institutions that Homeland Security Secretary Jeh Johnson has proposed designating the voting systems as “critical infrastructure”. As the WP story points out “in other words as vital to the nation’s safe functioning as nuclear power plants and electrical power grids.”
This is scary stuff, especially if one follows the cybersecurity industry and is aware of the sad shape of the U.S.’s overall critical infrastructure networks and the cyber Industrial Control Systems (ICS) networks that manage them. In 2014, Homeland Security’s NCCIC/ICS-CERT[1] reported 245 confirmed cyber attacks against critical infrastructures (I believe that the actual number is likely much higher.)
An Already Vulnerable Critical Infrastructure
Since the 2009 start of the ICS-CERT program through the end of 2015, 535 assessments of public and private sector critical infrastructure owners and operators have been conducted. The findings of these assessments are summarized in annual reports that started in 2014. The most recent report from 2015 reveals that the majority of critical weaknesses identified in 2014 remain in 2015. This is where it gets interesting. In 2015, ICS-CERT conducted 112 individual critical infrastructure assessments and uncovered 638 weaknesses.
The most common weaknesses (36%) were “insufficient ICS network boundary protection”.[2] Said differently, absent strong boundary protection, attackers can penetrate critical infrastructure ICS’ to access valuable information and manipulate the systems by controlling their ICS. Monitoring and controlling communications at the ICS is the key tenet of protecting our critical infrastructure.
So what does this mean in real life? Recently, a major telecom provider reported a critical infrastructure cyber intrusion where bad actors were able to access a major U.S. city water system ICS and alter settings related to the operation of the system, such as water flow and amount of chemicals used to treat the water. Intrusions like this, while not themselves devastating, are a warning that future hacks could seriously compromise the United States’ critical infrastructure.
After Boundary Protection, the next five most common weakness’ ICS-CERT found are:
- Configuration Management Issues: issues that would allow malicious actors access to the ICS (i.e., unnecessary ports, protocols, applications)
- Lack of Identification and Authentication Management: inadequate password controls.
- Identification and Authentication: lack of accountability and traceability for individual user actions.
- Inadequate Access Control of Least Privilege: if users are given higher access levels than necessary, an attacker or malicious insider can leverage user and computer accounts to access the ICS. [3]
- Inadequate Allocation of Resources: inadequate staffing, training, and equipment considering the critical importance of the ICS.
Procrastination: An Invitation to Further National Tragedy
If history is an accurate indicator of what it takes to move the public and private sectors of this country into action, then we only need to look back to fairly recent events. Until the Oklahoma City bombing, domestic terrorism was not really considered a threat and likewise as a country we felt secure from foreign radical Islamic terrorism until the horrific events of 9-11.
In the wake of these events our country rolled up its collective sleeves and went to work. It would be tragic beyond belief if we fail to recognize the signs that some very bad people with horrendous goals are out there probing and testing our critical infrastructure network controls. What makes this argument even more compelling is the explosion of IoT (Internet of Things)—all those widgets and gadgets that connect everyone and everything together. Each one of these widgets and gadgets expand and expose possibilities for vulnerabilities for bad actors to exploit.[4]
With our nation’s critical infrastructure at risk, to now include our electoral process, it is increasingly important that all avenues of protection for ICS’ be considered. As more cyber attacks unfold, the threat to our critical infrastructure is no longer conceptual. It is a very real threat, and the potential for severe consequences is likewise very real. It is important for industry to try new approaches. One of those is Armored Cloud.
Cloaking Critical Networks to Prevent Cyber Attacks
One underutilized form of ICS boundary protection is to simply make the boundary surface invisible to cyber criminals. Image if you could remove the threat to the ICS by simply cloaking it or, said differently, “hiding” it so there is no visible network to attack. With Armored Cloud you can do just that: cloak your important networks so there is nothing that a bad actor can find to attack. Everything within your ICS continues to operate as you want it to, but the bad actors cannot attack it because it is not visible. Simple as that! All of the firewalls and other defensive systems already being used remain and function as required.
Figure 1 demonstrates a typical critical infrastructure ICS
Figure 2 shows what happens with Armored Cloud being used to cloak the ICS
We make demos and trials of our solutions available to qualified businesses and organizations. To learn more about Armored Cloud please call us at (877) 978-1688 or fill out our online contact form. If you are a US government agency, please contact our partner Telos at (800) 444-9628 or visit their website.
FOOTNOTES
[1] Homeland Security’s National Cybersecurity and Communications Integration Center/Industrial Control systems Cyber Emergency Response Team
[2] Homeland Security’s NCCIC/ICS/CERT Assessment Summary Report FY 2015
[3] Ibid
[4] Recently, there was an article in the Style page of a major newspaper about a family who were living without electricity in the middle of record-breaking heat because their power has been turned off. The consumer had not paid their power bill in protest over the installation of a wireless meter in their home that gave the company access to their electricity usage. The citizens’ complaint was that they were not given an option of having the device in their home and considered the unit intrusive and a threat to their privacy. The utility has acknowledged that they had not fully explored the potential for abuse of their little wireless device.