Vulnerability of Critical Network Infrastructure Systems

1
Vulnerability of Critical Network Infrastructure
Systems
  • David Alderson, PhD
  • California Institute of Technology
  • alderd_at_cds.caltech.edu
  • MSE 193/293
  • November 15, 2004

2
Motivating Questions
  • What are critical infrastructures, and how does
    our dependence on them make us vulnerable to
    accidents, failures, and attacks?
  • To what extent does the open and insecure nature
    of the Internet and related cyber infrastructure
    pose a threat to national security?
  • What are the current vulnerabilities, and what
    can be done in the short term to mitigate against
    them?
  • Where would we like to be in the future with
    regard to the Internet and the critical
    infrastructures, and what needs to be done to get
    there?

We don't have all the answers yet!
3
Agenda
  • Monday
  • Critical Infrastructures
  • Recent Failures
  • Rise of the Internet
  • The Potential Threat
  • Policy Introduction
  • Homework
  • PBS Frontline Video: Cyberwar!
  • Wednesday
  • Case Study: Internet Worms and Viruses
  • Threat Mitigation: U.S. Federal Policy
  • Conclusions
  • Open Questions
  • Research Topics
  • Potential Paper Topics

4
Acknowledgements
  • Caltech: John Doyle
  • UCB: Vern Paxson
  • UCSD: Stefan Savage
  • EPRI (now UMN): Massoud Amin
  • CISAC: Kevin Soo Hoo, Keith Coleman, Dan
    Wendlandt, Martin Casado, Mike May, David
    Elliott, William Perry
  • Stanford Student Cybersecurity Group
  • http://cybersecurity.stanford.edu

5
Network Dependence
  • Most of the infrastructure systems we rely on in
    our daily lives are designed and built as
    networks
  • These modern networks have
  • Grown dramatically in Ubiquity, Use, Complexity
  • Created great efficiencies and convenience
  • Become increasingly important to daily life
  • Large-scale disruption of such systems can be
    catastrophic because of our dependence on them
  • We call these systems critical infrastructures

6
Critical Infrastructures
  • Definition: an infrastructure so vital that its
    incapacity or destruction would have a
    debilitating impact on our defense and national
    security.

Source: Critical Foundations: Protecting
America's Infrastructures
  • Examples
  • Information and Communications
  • PTN, TV/Radio, CATV, Internet, Satellite,
    Wireless
  • Energy Systems
  • Electrical Power Systems
  • Gas and Oil Production, Storage and
    Transportation
  • Banking and Finance
  • Physical Distribution
  • Transportation
  • Water Supply Systems
  • Vital Human Services
  • Emergency Services
  • Government Services
  • Military Services

More information available from Critical
Infrastructure Assurance Office (CIAO)
www.ciao.gov
7
Failure of Infrastructure Systems
  • Widespread breakdowns in these systems
    have already happened and will happen again.
  • Data networks
  • ATM network outage: AT&T (Feb 2001)
  • Frame Relay outage: AT&T (Apr 1998), MCI (Aug
    1999)
  • Satellite Outage (May 1998)
  • Transportation
  • Union Pacific Service Crisis (May 1997 - Dec 1998)
  • Electric Power
  • Northeast Blackout (August 2003)
  • Western Power Outage (August 1996)
  • All of the above
  • Baltimore Tunnel Accident (July 2001)

These networks are interconnected and vulnerable.
8
Satellite Outage: May 27, 1998
  • Galaxy-IV satellite malfunctions, creating a wave
    of failures across many infrastructures
  • 40 million pagers affected
  • Gas stations lost the ability to process credit
    cards
  • National Public Radio went off the air
  • Airline flights delayed
  • 20 United Airline flights waited for
    high-altitude weather reports
  • Data networks: Manually switched to GIII-R
  • PageNet: 3000 dishes

Source: Massoud Amin, EPRI
9
Data Communication Failures
  • Impact of failures can be dramatic
  • Example: The failure of a 40-wavelength WDM
    system carrying 2.5 Gb/s SDH signals can affect up
    to 1,200,000 telephone calls
  • Critical for businesses
  • One minute of downtime
  • at Federal Express[1] costs the company $1M
  • At Visa[1] (avg. 5,000 transactions per second),
    the cost is $10M per minute.
  • [1] Stratus Group estimate, circa 1996

10
UPRR Service Crisis 1997-1998
11
Baltimore Tunnel Accident, July 2001
  • Train wreck inside 1.7 mile Howard Street tunnel
  • Cargo: industrial solvents and corrosive
    chemicals
  • Fire and hazardous smoke into Baltimore Harbor
  • More cargo: plywood and paper (fire lasts 5 days)
  • Disruptions to train traffic along entire Eastern
    coast
  • Wreck cuts through 3 major fiber optic lines in
    tunnel (UUNet, Metromedia Fiber Network and
    PSINet)
  • Wreck causes water main break, flooding in street
    intersection above for 100 hours
  • Baltimore Orioles doubleheader evacuation
  • Thousands stranded without hotel space
  • Local water ran brown from faucets, toilets
    didn't flush
  • 1200 local customers without power for several
    days

12
Brief Aside
  • These incidents all seem incredibly rare, so why
    should anyone really worry about them?

13
20th Century's 100 largest disasters worldwide
[Figure: log-log plot, Log(rank) vs. Log(size)]
14
[Figure: log-log plot, Log(rank) vs. Log(size)]
15
[Figure: log-log plot, Log(rank) vs. Log(size)]
Typical events are relatively small
Largest events are huge (by orders of magnitude)
16
20th Century's 100 largest disasters worldwide
[Figure: log-log plot with series labeled Technological (10B), Natural (100B), and US Power outages (10M of customers, 1985-1997)]
17
[Figure: log-log plot, US Power outages (10M of customers, 1985-1997); annotation: Slope -1 (?1)]
A large event is not inconsistent with statistics.
18
The Infrastructure Protection Challenge
  • Need to protect against accidents, failures, and
    attacks, that occur both in the physical and
    cyber world.
  • Why is protection difficult?
  • 1. Network complexity: dynamics and
    interdependence
  • Diversity in the causes, size, and scope of
    potential disruptions
  • 2. Diversity of stakeholders
  • Infrastructure owners and operators (90% private)
  • Infrastructure support industries
  • Users
  • Government
  • 3. Misalignment of incentives among stakeholders

19
1990s: Rise of the Internet
  • The Internet
  • A revolution in communications and networking
  • Rapid integration into social and economic fabric
  • Remarkable new efficiencies: zero-latency
  • New potential vulnerabilities: hackers, computer
    viruses, denial of service attacks
  • General Recognition
  • The risks are real and growing
  • Historical methods for protecting and assuring
    physical infrastructures are ill-suited for this
    new era

20
The Internet has become a critical information
infrastructure.
  • Individuals
  • Private corporations
  • Governments
  • Other national infrastructures

21
The Internet has become a critical information
infrastructure.
  • Personal communication
  • email, IM, IP telephony, file sharing
  • Business communication
  • Customers, suppliers, partners
  • Transaction processing
  • Businesses, consumers, government
  • Information access and dissemination
  • web, blog

22
The Internet has become a critical information
infrastructure.
  • Our dependence on the Internet is only going to
    increase.
  • This will be amplified by a fundamental change in
    the way that we use the network.

23
Communications and computing
[Diagram labels: Store, Communicate, Compute]
Courtesy: John Doyle
24
[Diagram labels: Store, Communicate, Compute, Act, Sense, Environment]
Courtesy: John Doyle
25
[Diagram labels: Computation, Communication, Devices, Dynamical Systems]
Courtesy: John Doyle
26
  • From
  • Software to/from human
  • Human in the loop
  • To
  • Software to Software
  • Full automation
  • Integrated control, comms, computing
  • Closer to physical substrate
  • New capabilities robustness
  • New fragilities vulnerabilities

[Diagram labels: Computation, Communication, Devices, Control, Dynamical Systems]
Courtesy: John Doyle
27
The Internet has become a critical information
infrastructure.
  • The Internet has become a type of public utility
    (like electricity or phone service) that
    underlies many important public and private
    services.
  • Internet disruptions have a ripple effect
    across the economy.
  • The Internet is a control system for monitoring
    and controlling our physical environment.
  • Hijacking the Internet can be even more
    devastating than interrupting it.

28
The Internet: A Target for Attack?
  • Central importance: with other communications
    systems, the Internet is becoming the central
    nervous system of our (inter)national
    infrastructures
  • Open Architecture: as a system based on universal
    access, it is difficult to keep enemies out
  • Exploitation is cheap and convenient
  • Tools (laptop and network connection) are
    inexpensive
  • Training is easily obtained or downloaded
  • Detection, arrest, and prosecution are difficult
  • Evolving landscape: The technological, economic,
    and legal environment of the Internet is still
    evolving
  • The Internet is an attractive target for
    asymmetric attack

29
The Internet: Additional Challenges
  • Shrinking Time Scales: information, control
    signals span the globe at the speed of light
  • Hard to contain information: zero replication
    cost
  • No congestion costs: it's cheap to generate
    traffic
  • Faceless: Internet usage is largely anonymous,
    making it hard to know who is doing what
  • Borderless: access can be obtained from across
    the street or across the world
  • The Internet is an attractive target for
    asymmetric attack

30
Best Practices in Security
  • Most attacks occur through known vulnerabilities
  • Most attacks could be prevented if the victim had
    been using best practices for cyber security
  • Latest software patches for known bugs
  • Virus protection software with up-to-date virus
    definition files
  • Frequently changed passwords of proper syntax
  • Firewalls
  • More than one layer of protection: All of the
    above!
  • SANS/FBI publishes a list of top 20
    vulnerabilities, updated annually
    (www.sans.org/top20)
  • But evidence repeatedly suggests that best
    practices are not followed consistently

31
Misalignment of Incentives
  • Protection is costly and inconvenient
  • Business imperative is competition
    (profitability, cost management, new markets, new
    technologies), not protection
  • Users are not accustomed to bearing any direct
    costs of protecting infrastructures
  • Direct (immediate) benefits of protection are
    unknown (difficult to measure)
  • Exploitation is cheap and convenient
  • tools (laptop and network connection) are
    inexpensive
  • training is easily obtained or downloaded
  • prosecution is difficult
  • Exploitation is potentially highly-rewarding
  • money, power, prestige

32
An Ongoing Debate
Does the vulnerability of the Internet pose a
threat to national security?
  • Con Summary
  • Typical disruptions are small
  • Reports of electronic terrorist capability are
    exaggerated (and mostly hype)
  • There is no hard evidence to support claims of a
    real threat
  • Pro Summary
  • Critical infrastructures are interconnected
  • Internet dependency is more than you think (and
    growing)
  • Internet vulnerability means a real threat to
    critical infrastructures

Available from http://www.nap.edu/issues/15.1/
33
An Ongoing Debate
Does the vulnerability of the Internet pose a
threat to national security?
"Our nation is at grave risk of a cyber attack
that could devastate the national psyche and
economy more broadly than did the September 11th
attack."
A letter to George W. Bush from concerned scientists, February 28, 2002

"I think cyber terrorism is a theoretical
possibility. It's a real prospect for some
countries where harassment is more of a problem.
But will cyber terrorism be like Sept. 11? No, I
don't think so. Not right now."
John Hamre, Deputy Secretary of Defense, 1997-1999; PBS Interview, February 18, 2003
34
An Ongoing Debate
  • Does the vulnerability of the Internet pose a
    threat to national security?
  • Why Is This A Hard Question?
  • There is a lack of public evidence
  • Strong disincentives for companies to share
    information about incidents
  • Strong disincentives for the government to share
    information about vulnerabilities
  • Measurement is a challenge
  • How to quantify the consequences of an incident?
  • Who has time to gather data during an incident?

35
To what extent does the open and insecure nature
of the Internet pose a threat to national
security?
  • Despite the amount of attention that this problem
    has received, there is still no evidence that
    provides a conclusive answer.
  • Threat = Capability x Intent
  • Do adversaries have the capability?
  • Do adversaries have the intent?
  • Vulnerability = Threat x Consequence
  • What are the potential consequences?

37
PBS Frontline Special: Cyberwar!
  • Hollywood-style presentation is dramatic
    and should be viewed critically
  • Noteworthy Incidents
  • Eligible Receiver (1997)
  • red team exercise by DoD
  • Moonlight Maze (1998)
  • incident in which systematic probing of Pentagon,
    NASA, DoE computers was discovered
  • Mountain View (2001)
  • discovery of systematic surveillance by users
    in Middle East of information about the public
    utilities, government offices, and emergency
    systems in many U.S. cities
  • Also, read the Interviews (perhaps more revealing
    than the video)

38
Policy Issues
  • Physical vs. cyber infrastructures
  • International threat vs. homeland security
  • Most (90%) of physical and cyber infrastructures
    are privately owned and operated
  • Diversity of stakeholders: owners, operators,
    vendors, users, government
  • Basic Questions
  • Who is responsible?
  • Who is in charge?
  • Who will pay?

39
Summary
  • National infrastructure depends on networks
  • Interconnected nature makes network behavior hard
    to understand or predict
  • Our dependence makes us vulnerable
  • The Internet is critical as an information
    infrastructure and as a control system
  • Protecting cyber infrastructure is important
  • Hard to assess the threat
  • Harder to decide on a course of action

40
Questions? Comments?
alderd_at_cds.caltech.edu
  • For next class: watch PBS Frontline video
    Cyberwar!
  • http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/
  • Additional Resources
  • MSE 91si: U.S. National Cybersecurity
  • http://www.stanford.edu/class/msande91si/library.htm