Security through Obscurity | Homeland Security

Which one is real?

Critical infrastructure is vulnerable to cyber attacks.  SCADA (supervisory control and data acquisition) systems, for example, commonly lack strong defenses against determined hackers.

SCADA systems control and monitor industrial processes like operations in a chemical plant or a water treatment facility.

Other information technology that manages sensitive physical activities, such as medical devices, is vulnerable to abuse.

Attacks Can Lead to Physical Damage

A cyberwarrior might compromise SCADA or other sensitive systems to wreak havoc, release floods of sewage, injure medical patients, cause trains to derail and on and on.

Cybersecurity Legislation or Executive Order

To address these risks, Congress has debated cybersecurity legislation.  The Obama Administration has considered an executive order that would apply to many enterprises that do business with the US federal government.  A common idea is for the federal government to set baseline security standards that the owners of critical infrastructure must meet.  Government would audit for compliance with the standards.

The imposition of security standards includes pitfalls:

a.  Standards promote a uniformity among defenders, so that the attackers know what defenses to expect from one place to the next.

b.  Standards promote a checklist style of compliance, where defenders focus on satisfying the auditor rather than truly and creatively beating the attacker.

c.  Federal standards imply greater influence and control by central government and reduced freedom for property owners to manage their property as they see fit.

d. Upgrading existing systems to meet security standards is expensive.

Why Aren’t There More Successful Attacks?

Question:  Although vulnerability of critical infrastructure has been widely discussed for many years, the number of effective attacks in the US has been small.  Why?  I suspect that the practice of executing an effective attack is harder than the theory.

I suspect that in practice it is quite challenging (not impossible!) for a malicious foreign agent to actually figure out how, surreptitiously, to access and cause real harm in, say, the sewage processing plant of a cattle feedlot in Hereford, Texas.  I suspect the sewage treatment plant is protected by a fog . . .  a fair amount of obscurity.  And as the foreign agent – working through the Internet –  mucks around with the treatment plant, someone at the feedlot is likely to become suspicious . . . or implement compensating controls . . .  or convert the plant to manual control . . . or something.

How does some remote joker know that she is actually accessing the sewage treatment plant at a particular location in Hereford and causing particular physical damage to occur?  How does she know that she has not been diverted to a honeypot or a virtual game?

A Role for Government: Misinformation

Instead of imposing national cyber security standards on myriad systems that control physical processes, what do you think of the following idea?  I envision the government (through Department of Homeland Security and other agencies) creating a fog of misinformation, honeypots and fake systems on the Internet.  It could propagate labyrinths of non-existent SCADA systems, bogus air traffic control systems, decoy medical devices and so on.

My vision is inspired by the US Department of Defense.  In the wake of the WikiLeaks disclosure of sensitive documents, DoD is flooding its systems with fake documents.  When a system is flooded with fake documents, an attacker (whether inside the department or outside) who steals a document does not know the difference between what is real and what is an illusion.

Dear Reader: What do you think of my idea?

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Update:  Chinese hackers were caught attacking a industrial water plant honeypot.  If hackers can be tricked into attacking a honeypot that looks like an industrial facility, then why not deploy billions or trillions of such honeypots and decoys?

Update 2014:  According to the Wall Street Journal, a company named Shadow Networks protects infrastructure with "a shadow network full of fake machines that act like honey pots."