The online arms race has significant implications for those responsible for safeguarding critical infrastructure, as Sam Fenwick discovers

cyber_hoodie.jpgScarcely a month goes by without cybersecurity hitting the headlines. For public safety  organisations, the main concerns are attacks by organised crime syndicates and terrorists, but what capabilities do they have?

“What we’ve seen so far from the likes of IS are relatively unsophisticated activities – things like DDoS [distributed denial-of-service] attacks and website defacement, because you can go and buy DDoS attacks on the dark web; you just need enough cash, preferably in bitcoins, to pay somebody,” says Ewan Lawson, senior research fellow for military influence at the Royal United Services Institute (RUSI). “You can tell them who you want taken down and how long for, and they’ll crack on and do it. The same applies for ransomware.

“Having said that, as soon as a piece of malware gets out onto the web and into the wild, there’s always the possibility that it will be picked up and reverse-engineered by somebody. Someone has been disrupting the Ukrainian power grid over the past 12-18 months. The techniques and the tools [they’ve used to] do that will become increasingly widely available and could be easily be picked up by groups operating for terrorist purposes as much as they could for hacktivists and criminals.”

A Pandora’s box of such tools may have opened in the form of Vault 7, a collection of 8,761 documents, which WikiLeaks claims contains the majority of the CIA’s hacking arsenal. In a press release, WikiLeaks said: “The archive appears to have been circulated among former US government hackers and contractors in an unauthorised manner, one of whom has provided WikiLeaks with portions of the archive.” The archive describes a number of projects, including HIVE, “a multi-platform CIA malware suite and its associated control software”. WikiLeaks has said that it will avoid the distribution of “armed cyberweapons” from Vault 7, “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should [be] analysed, disarmed and published”.

However, as the material is already in the hands of multiple parties, and it would be surprising if they all had the same level of data security as the CIA, it is perhaps inevitable that the contents of Vault 7 will fall into the wrong hands, if they haven’t already.

While iOS isn’t the most commonly used operating system, it is interesting to note that Apple has stated that many of the issues that have been exposed by WikiLeaks “were already patched in the latest iOS” and that it will “continue work to rapidly address any identified vulnerabilities”.

Lawson notes that the speed at which vulnerabilities are fixed is an issue for nationstate actors seeking to “pre-position” themselves for cyberattacks, because of the need “to update the malware you’ve put in place to make sure that it still operates”.

“The presence of malicious actors on your network could be for all sorts of purposes, and there’s a risk is that you underestimate that, so you think ‘there’s a bad actor on there, but they don’t seem to be up to anything malicious, I’m not going to be too concerned about it’, but what they could be doing of course is pre-positioning for an attack, which could be days, months or years away.” He adds that the first thing any “half-decent state actor” will do if it decides to target your network is to get onto it, “map it and see where the easy and difficult places to get to are... And, the problem is do you know that it’s someone just mapping, or is it someone placing a device – it’s difficult to know.”

Lawson says that we should be increasingly concerned about cyberattacks on transport infrastructure, noting a strange incident last year “when the Swedes reported to NATO an attack on their air traffic control system; they subsequently said [it] was something to do with sunspots, but there weren’t any sunspots at the time.” He adds that there have been outages at the NATS air traffic control centre in Swanwick in the UK, but “no-one is going to tell us publicly to what extent those have been the consequence of bad coding in the system or deliberate nefarious activity”.

“We’re not seeing [large scale attacks on terrestrial traffic systems] yet [because] that level of attack, the research and the intelligence that’s needed, [requires] nationstate-level resources, and [nobody is] pushing the boundary that far, as far as somewhere like the UK is concerned. That said, if you turn off the powergrid in western Ukraine, as Russian-speaking actors have appeared to do at least twice now, you have that effect potentially indirectly.

“If you look at parts of Europe, there have been suggestions that acts of physical sabotage have taken place in some countries by persons unknown. If they wanted to make sure that they weren’t interrupted by bluelight [services], what better way than to be able to disrupt [them], particularly if [they’re] managed by an IT network which hasn’t been properly secured?”

Minimising risk
Paul Hill, Motorola Solutions’ EA & APME security services delivery lead, says the latest large-scale cybersecurity incident he has responded to is the Shamoon incident in Saudi Arabia, which took down “upwards of 30,000 computer systems for Saudi Aramco. We had some customers not directly affected by that, but in the close vicinity, who were more than excited or wary of what happened.” He knows of ransomware attacks in the US that targeted public transport systems, one of which took down an operator’s system. “This was supposedly an offline, not connected, system but the ransomware was able to get in and caused an effective denial of service to that system. 

“An engineer [had plugged a USB stick into the system] and unwittingly introduced the malware. On this occasion, the malware’s sole purpose was to cause disruption. It encrypted the system, effectively taking it offline, and demanded a financial ransom to take the encryption away. There’s no more of this ‘Oh, we’re not connected to the internet, there’s no risk’... The threats in the wild today don’t need [an internet] connection.”

The main thing that Hill tries to put across to his customers is the need to have a framework that will “withstand the unknown”. He explains that under the procedures set out by the ISO27001 framework or something similar, if unknown malware is discovered, a risk assessment is performed, the right controls are implemented and the situation is monitored. “It’s not always about spending thousands on the latest fi rewall or updating your intrusion prevention system; it could be as simple as an education and awareness programme, which tells people ‘this is what spam is, this is what could happen if you don’t implement the appropriate controls on a personal level’.” 

He adds that ISO27001, and the National Institute of Standards and Technology (NIST) Cybersecurity Framework in the US, are intentionally vague so that the procedures they recommend as a means of dealing with cybersecurity risks can be used to address unknown risks and work for all verticals. “The risks are different to each of those systems, but it’s the framework and the methodology which is the key.” 

Hill says that one consequence of social media (and LinkedIn in particular) is the ease at which hackers can identify who works for a target organisation and then use the data to launch an email-driven malware attack. “The way malware works is ‘I really don’t care about attachment rate; if I send a thousand emails and one person clicks the link, I’m in that system’.” 

Returning to the incident with the USB stick, he adds that while the company could have responded by introducing many technological controls and/or installing software that can detect changes to the system, it could simply educate its employees, put physical controls around the control rooms and introduce procedures to minimise the threat from USB sticks. He adds: “People will always be the highest risk threat to the system regardless of whether it is a public safety radio system or a highend financial banking system.” 

Hill says that one well-known UK transportation provider with a Motorola radio network had a malware problem, so he and his team assessed their cybersecurity and recommended the controls which monitored the intake of people into a particular network environment and advised them to put physical controls in place to block up USB ports – the source of the malware. “[Since] then, they’ve had no repeat incidents of that nature. The Hong Kong police force had a similar scenario and we were able to provide remediation and recommendation so the system was far more robust against that type of attack in the future,” he adds. 

The best defence
When it comes to cybersecurity, Christophe Calvez, head of product security office of Secure Land Communications at Airbus, says his company follows a structured methodology to design or analyse the security of a system. This usually starts by setting the security objectives to protect the assets, using the so-called “CIA triad”: confidentiality, integrity and availability, noting that anything an attacker would seek to achieve falls into one of these categories. 

He says that having redundant equipment is one of the ways to mitigate the impact of a denial of service attack that impacts the availability of one system element. Calvez highlights the importance of integrity protection mechanisms for public safety communications networks, given the critical impact on field operations if ‘noes’ were ‘turned’ to ‘yeses’ or if an intruder cut the first few seconds of a message, converting a police officer’s message of ‘don’t shoot’ into ‘shoot’ during a firearms mission. Regarding confidentiality, he highlights TETRA’s use of encryption on the air interface and end-to-end encryption, which prevents eavesdropping. 

In the event of a security breach, Calvez stresses the importance of teamwork, as often tackling the issue requires cooperation between the operator, the infrastructure and device manufacturers and the provider of the IP backbone. He adds that while attacks using known IT vulnerabilities can be detected and logged, Airbus minimises the potential for vulnerabilities through making sure all the software is controlled and the protocol stacks are hardened. 

Hill adds that data security isn’t just about malware and hacking. “I received a letter in the post maybe six years ago... [that said] that someone had lost a laptop on a train and that my passport details were included on there. That shows how broad the threat sources are in this subject.” When it comes to storing data on the cloud, he says: “It’s unclear (unless you dig quite deep into the policies) where the data is stored and where their data centres are. When you introduce cloud solutions, you [must] be aware of the extra avenues of risk and make sure that you have the controls in place that are appropriate to those additional risks. 

“Awareness of cybersecurity has never been as high as it is today. People are talking about it, but organisations are being forced to look at it,” Hill continues. “The EU legislation which is coming into force in 2018 is forcing countries to identify critical infrastructure and implement appropriate IT security controls....” 

He adds that Motorola Solutions has recently launched a new set of service packages – essential, advanced and premier – and the company considers cybersecurity to be so important that security update services are built into its essential package: “It’s not an option that people can take if they want it, we see it as that important, it is in our lowest and most essential package.” Part of the rationale behind this move is enlightened self-interest, given the reputational damage that successful cyberattacks inflict on both operators and their vendors. 

Speaking of the supply chain, Hill cites the huge data breach suffered by Target, a US retailing company, explaining that the hackers gained access to Target’s network through a vulnerability created by a third-party supplier. “You must look at security holistically: you’re only as strong as your weakest link. That could be something you perceive as very low-risk, when it could be the thing that brings the system down.” 

“20 years ago, there were already security risks and attacks. The TETRA standard was designed with native security features to mitigate the risks,” says Calvez. Now with the transition to LTE, even if the attack surface has become wider with new services,  applications and products need the protection that a security-by-design approach based on risk analysis provides. 

Hill is broadly in agreement. “If you look at LTE for next-generation communications, it’s right to say that there are a lot more interfaces and moving parts in the design of the system. All those things will need to feed into the risk assessment phase of an IT security management system.” 

As far as LTE is concerned, Calvez highlights the work being done to ensure the product’s security through standardisation to provide the same level of security as it exists with TETRA technology. This can be achieved, for instance, by end-to-end encryption services with integrated cryptographic key management. All aspects are carefully examined from the perspective of mobile security, IT security, and application security. In the case of Airbus’ TETRA/LTE hybrid terminal, the Tactilon Dabat, several layers of security are present. This includes the mobile radio’s secure boot and the application layer as well as the use of mobile device management software, which allows operators to push policies onto terminals and control applications. 

While cyberattacks are a significant and growing concern, much can be done by educating employees, working with suppliers and having the right framework to deal with new threats as they materialise.

ASTRID’s approach to cybersecurity 
We’ve heard how operators can improve their cybersecurity, but what are they doing to protect themselves? “...ASTRID has been helping to manage the fight against cybercrime for many years,” says a spokeperson for ASTRID, Belgium’s critical communications network operator. 

“[It] has the necessary equipment, including the latest firewalls, and intrusion prevention and detection systems. 24/7 system monitoring is provided by the ASTRID Service Centre. Web attack detection is carried out in collaboration with technical suppliers, as part of the Managed Security Services. It includes [the] permanent monitoring of connections using different security facilities, such as firewalls. 

“ASTRID also conducts vulnerability analyses for the different systems. These generally lead to periodic system update campaigns, via the installation of new, corrective software maintenance versions.

“Finally, ASTRID has issued an invitation to tender on cybersecurity, to be finalised in 2017, which will cover new risks and allow external audits to be carried out.”

Author: Tetra Today