Turing's Man Blog
- Last Updated on Monday, 29 October 2012 23:15
- Published on Tuesday, 23 October 2012 19:53
- Written by Pawel Wawrzyniak
- Hits: 21553
Of course, it is! However, we can take care of many of the known risks. In most cases, the biggest threat for data center operational security is a human error, but every site is vulnerable for critical infrastructure threats, which are the results of external causes. As well as a very special kind of threat which comes from Trojan technology – I've found two interesting cases (or – maybe scenarios?) and I would like to share my thoughts here.
Data center continuous operation relies heavily on fuel supplies, electrical energy supplies, water supplies and communication links availability. All these assets are external to data center infrastructure itself and have to be provided by 3rd party companies. Therefore, not only human errors, sabotages and natural disasters are the threats to be considered. Also, social and political stability of the region is the thing that can seriously affect operational continuity. Do we enumerated all the threats? No! There are two extra threats we should discuss, both related to the mentioned Trojan technology.
Besides all mentioned risks there are threats that come directly from malicious hardware and software – the Trojan technology. Having so many devices of a different type, from automatic switchgears, power analysers, HVACs, through UPSes and building automation controllers, up to network and security devices, servers etc., with all their firmware, all layers of software and its dependencies, everywhere – software security is a subject that has to be considered. We will not talk about firewalls and antivirus protection, which are obvious requirements for every network of every organization. We should look deeper into two cases reported quite recently: first – the counterfeit Cisco equipment in US Governmental institutions, second – Stuxnet worm which targets industrial automation made by Siemens. Although, let's start from the beginning.
What is critical infrastructure?
There is a great definition of common meaning in Wikipedia:
Critical infrastructure is a term used by governments to describe assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for:
- electricity generation, transmission and distribution;
- gas production, transport and distribution;
- oil and oil products production, transport and distribution;
- water supply (drinking water, waste water/sewage, stemming of surface water (e.g. dikes and sluices));
- agriculture, food production and distribution;
- heating (e.g. natural gas, fuel oil, district heating);
- public health (hospitals, ambulances);
- transportation systems (fuel supply, railway network, airports, harbours, inland shipping);
- financial services (banking, clearing);
- security services (police, military).
So, "critical infrastructure" refers to the basic services required for – let's say – operational security of a given nation, country or economical region. It's all about security, continuity and stability. However, this term can be used in narrow scope and refer to the "critical infrastructure" of a given organization or data center itself. In such case it will mean a set of most important services required for business continuity of the organization or data center. When we talk about data center only, by "data center critical infrastructure" we usually mean its core systems, like: guaranteed power, cooling, physical structure, cabling and communication links. Anyway, we want to use "critical infrastructure" in both – wider (most common) and narrow – scopes here.
What does it mean "critical infrastructure threats"?
So, when we consider "critical infrastructure" in wider scope, by critical infrastructure threats we don't mean the threats that affect data center – internal – infrastructure directly. We mean all the threats that can affect any area of country's or region's critical infrastructure and have direct or in-direct influence on data center operational security (affects data center critical infrastructure indirectly). This means – we can have valid and operational guaranteed power and cooling system, but when there is a serious threat on the side of region's critical infrastructure we cannot use our systems anymore. Let's explain this a little bit more following some examples.
What is a possible impact of critical infrastructure threats on data center?
How long can we operate our data center without electrical energy supplies? The common answer is – as long, as fuel tanks in our diesel power generators are filled with fuel! Really? Honestly, who will provide fuel to us, even if we have top-notch service agreement, in case of a total blackout in the electric grid for the whole region? If we don't have the electricity and we need fuel, our providers also require fuel and diesel power generators to operate, not to mention, that in such case all diesel power generators available in the region will be secured by crisis management forces and civil defense (read – send to the areas of the highest need). With high probability we can assume that our contractors can fail with the supplies and we should be rather ready for a controlled shutdown of our data center.
The same story goes with water. How can we operate the data center without water availability? This is not only required for water-cooling and humidifiers (we can live without them – all in all there will be more static electricity everywhere), but first and foremost – by humans. Without water supplies the things will go complicated, no matter where we have our primary or secondary data center – as long as there is no water, people will be unable to perform their duties.
Finally, we have communication links – if any of the above threats is present to visible scale for a longer period of time (a week or two – we don't have to go too much serious and say – three or four weeks, because it means a total disaster or war), I doubt we could rely on the links stability. If we have serious troubles, all the related companies and providers have them too. Seems there is nothing more to do like to switch to our DRC – Disaster Recovery Center, secondary site, or anywhere else we can to back up our primary data center and its critical processes. Of course, such back up site has to be located in the region which is not influenced by any of the previously mentioned issues. And here comes our first conclusion…
Operational security by design
It seems that data center designers and owners are quite well prepared when it comes to risk assessment, design decisions and securing day-to-day operations with the common design and risk management techniques. The industry knows how to select the best possible location for data center. One which will guarantee the lowest risk related to natural disasters (floods, hurricanes and tornados, earthquakes etc.), political or social instability (strikes, wars, protests and revolts) and finally – how to secure data center operations continuity with the appropriate level of redundancy (all these Uptime Institute and ANSI/TIA-942 Tiers, as well as other classifications, which are defined by many companies for their internal usage). Also, each serious company knows, that not only state-of-the-art primary data center is required, but also there should be an active-active synchronization with the secondary site and – maybe – cold standby (offline) data center should be located somewhere in the far distance for BCP/DR purposes? (please – don't understand this sentence: "somewhere in the cloud"). When it comes to decisions, everything of course is a direct result of risk assessment and has its own financial explanation. Here we all are quite good, prepared and know what to do. Therefore, as there are lots of guidelines and publications on this matter, what's the problem? We will uncover all the cards, but please – not now. We still need some words of additional explanation.
What can result in the mentioned issues?
Previously, we presented only some of the most important issues. These are not all possible threats, because we want to stay on a reasonably general level with our further discussion. We are unable to cover all scenarios and cases in the blog post – this is a good subject for more in-depth analyse.
We can agree also with some level of generalization, that all the issues presented before can result from many possible threats, including the most obvious:
- Natural disasters, like: floods, fire, tsunami waves, heavy rains, strong winds or tornadoes, earthquakes and its results (chemical or radioactive pollution, unavailability of critical infrastructure services).
- Political or social conditions – temporary crisis, a state of war, strikes, revolts, epidemics etc.
- Sabotages or acts of hooliganism (including devastation or fire).
- Terrorist attacks – yes, this have to be separated from the previous point (including explosives, chemical or radioactive pollution, fire etc.).
Let's have another conclusion – where we are quite well prepared for all of the mentioned groups of threats – at least in the theory with all BCP and DRP documents – the situation seems to be less manageable when it comes to the reality. There are at least two interesting cases in which all the "good practices" just failed completely. Now, we can go straight to the point. We will now talk about the threats that come from Trojan technology.
Counterfeit Cisco equipment case – Trojan equipment?
First of all, let's make a clear statement: with all revelations presented below we have to be double-careful, we cannot trust them 100%. Although, we should use the documented cases – no matter how true they are, as long as they are potentially real – for further investigation and consider them seriously. Now we can begin.
Quite recently, I've found some information on counterfeit Cisco equipment which was supplied to the US governmental and military institutions. Trojan technology in its worst incarnation. Imagine the possible impact on critical infrastructure, if you allowed the installation of counterfeit routers, switches and other network equipment in your state-of-the-art data center? All physical security systems you implemented, all other information security systems, including firewalls, IDS and IPS systems, are almost useless. Especially, when it comes to the routers which operate between your internal network (corporate or institutional) and WAN. The nightmare begins! You're remotely controlled, supervised or spied. You're disabled for unknown reason – troubles HQ is outside your data center, outside your infrastructure. The impact can be huge. Not only for governmental or military institutions, all critical infrastructure related service providers, including health organizations or financial sector are under risk. To be honest – the threat is not for the infrastructure itself only, it can influence economy and both political and social stability. And it's the risk we cannot ignore.
According to the information presented on the Internet in several different security related websites (some presented at the end of this article), FBI is concerned about US critical infrastructure damage and the potential access to secure government or military systems. When it comes to security issues, "potential" should be enough to take the information seriously and begin deeper analysis. There are many speculations on the web, that counterfeit network equipment provides a backdoor capabilities and access into compromised networks for its originators. Between many threads related to the speculations there is one that focuses on the fact that exploitable, counterfeit Cisco equipment was manufactured especially to be deployed as a Trojan technology – to deeply penetrate the critical infrastructure of the potential victims. Additional explanation is to be the price of the counterfeit routers, switches and extension cards, which are so low (hence attractive for security non-aware parties) that the profit margins are likely very thin and the only real advantage can be gained from espionage capabilities or exploiting the backdoors in the future. Is it true? Personally, I don't need to know if it's true or not. The whole thing seems to be reasonable and potentially possible. Therefore, it has to be considered and taken seriously.
Many places on the Internet state that the threat is real. There is even a PowerPoint presentation available for browsing, which analyses the case in details – with all the names, brands, numbers etc. If the revelation is true in fact, therefore the compromised network hardware of potentially hostile foreign origin sits within – so called, so believed to be – "secure networks" of the US government, military, and intelligence services. According to the presentation I decided to back up here – the FBI has been concerned about it.
No other words are required – please refer to the attached slides. If this is a kind of conspiracy theory, a joke or anything like that, I propose to respect the original authors for all the time they lost for preparations. Anyway, no matter this is true, partially-true or false – we must agree that such risk is potentially possible. We should also re-consider our internal security and make some additional decisions.
The whole thing is about network equipment. It's, of course, very critical as we explained previously. Without the communication links, even the most secure data center is useless. In the end, we should only add that there are other parts of data center critical infrastructure which are possible targets of the same threat. Let's say: UPS firmware, SNMP adapters connected to the UPS systems for remote management over the IP networks, Modbus cards, BMS and SCADA systems, etc. There are lots of possible places where counterfeit hardware – in sense of being supported by malicious firmware or software – can be the source of serious troubles.
Stuxnet case – who cares about "non-IT" systems?
Stuxnet is very important. Why? Because it hit industrial automation systems, which were somehow forgotten by security experts who used to be focused on typical, computer networks and related threats. Stuxnet proved how much damage can be done via attack on unsecured, unmanaged industrial system – a network of automation controllers and their MS Windows based, SCADA applications. What is Stuxnet?
Stuxnet is a highly sophisticated computer worm. "Worm" is a kind of a dangerous piece of software, among other species like: "Trojan horses", "viruses", etc. – the simplest distinction between "virus" and "worm" can be the medium used for propagation. Where "viruses" propagate their code via bootable media or executable files infections, worms are propagating themselves via attacking unsecured network nodes (computers in general, but any active equipment, which is considered to be the "network node" and is using any kind of network capable operating system is vulnerable). "Trojan horses" – well, quite a different story in this context, however, when we think about the software this can be any piece of software which is imitating the functionality of other software for the end-user (allowing widespread propagation), at the same time having hidden, malicious functionality which is available for the attacker (including "rootkits"). When this definition is more general and presented not to describe malicious software type, this can be, as we have seen in the previous example, used to describe any other kind of attack where imitation is used to hide the malicious part. Therefore, "Trojan technologies" are existent not only in the world of software, but also anywhere else – in infrastructure, hardware, really anywhere (where firmware and sophisticated logic exists). Let's come back to the worms. These species attack network nodes – we have said that this is any active equipment which operates in the network. Please note, this don't have to be TCP/IP based network, as other protocols are also possible – this can be any other network, including industrial ones with their own protocols. This threat is even more important when we realize that currently we want to integrate all the infrastructure components into one, manageable system. We want to "converge" them.
The funny part in Stuxnet story is related to the fact that this worm was discovered in June 2010. For some unknown reason, somehow, for last 20 years we were more focused on TCP/IP networks security and forgot about all outskirts of the IT world. However, we were integrating our industrial automation systems with SCADA applications connected to the typical, enterprise TCP/IP networks. We were integrating two worlds to have better control, but somehow we placed the border in the wrong place. Stuxnet only proved this issue.
Stuxnet initially spreads via Microsoft Windows, where SCADA applications were installed. Then it targets Siemens industrial software and equipment. According to the evidence of facts, this was not the first time when "hackers" (we mean "bad guys here") have targeted industrial systems, however this was the first discovered malware that spies on and subverts industrial systems, and the first one ever to include a programmable logic controller (PLC) rootkit. The propagation and infection algorithm targeted only specific industrial processes controlled by Siemens hardware and software and was subverting Step-7 software application that was used to reprogram PLCs.
The worm is highly sophisticated and consists of a layered attack against three different systems:
- MS Windows operating system,
- Siemens PCS 7, WinCC and Step-7 industrial software applications that run on Windows and one or more Siemens S7 PLCs.
What is characteristic about Stuxnet is that it was not aimed for mass destruction. Stuxnet does little harm to computers and networks that do not meet the specific configuration requirements. However it propagates as much as it was able - only in specific conditions it was attacking the PLCs – Stuxnet authors were trying to be 100% sure that only specific industrial applications will be influenced. Moreover, the worm was to be automatically erased from infected computers on 24 June 2012.
Stuxnet is a fact, but it is obvious that such sophisticated piece of malicious software can influence all kinds of conspiracy theories. There are many speculations on Stuxnet origins and main targets. I stay very skeptical for all undocumented revelations, but at the same time I treat reported cases very seriously. The fact is that we have learnt a lot about the need to take industrial systems security to the higher level – definitely we should implement all good practices we developed in IT security world in this place. We can just mention that Ralph Langner, researcher who identified that Stuxnet infected PLCs, first speculated publicly in September 2010 that the malware was of Israeli origin, and that it targeted Iranian nuclear facilities. However, Langner more recently, in a TED Talk recorded in February 2011, stated that in his opinion Mossad was involved, but the leading force was the only cyber superpower in the World – the United States. Speculations… Nothing more as the required evidence of facts was not provided.
Although, Kevin Hogan, Senior Director of Security Response at Symantec, reported that the majority of infected systems were located in Iran (about 60%), which has led to (yet another) speculation that it may have been deliberately targeting "high-value infrastructure" in Iran (I – personally – don't know the "high-value infrastructure" term, but I guess it is the other name of "critical infrastructure", which we described previously). The main target was aimed to be the Bushehr Nuclear Power Plant or the Natanz nuclear facility. Langner called the malware "a one-shot weapon" and said that the intended target was probably hit (I love these – "probably", "possibly" and "potentially", but this is how the security world looks like). At the same time (what is very fair), Langner admitted this was a speculation. Another German researcher, Frank Rieger, was the first to speculate that Natanz nuclear facility was the target.
"Stuxnet: Computer worm opens new era of warfare" - a short video published on YouTube by CBSNewsOnline. There is a good question about critical infrastructure security in front of new threats
Also, it's good to remember, that Stuxnet was not the only case – there were other worms of the similar type reported, like Duqu which was initially analysed by The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics. As well as Flame, which was reported quite recently (May 2012).
Alright, it should be enough – we don't have to know all the details and all the truth. We should just consider the risks. We presented all the information we required to realize that no matter how strong and safe we feel, we should remember that we are vulnerable for threats that comes from the weakest points of our infrastructure (possible Trojan technology, if we buy hardware from untrusted sources; industrial systems which are not so mature like IT systems when it comes to the information security etc.). Even if we think we are safe, we have to rely on external, critical infrastructure which is independent from us (is provided from external suppliers) and is built on many interrelated, sophisticated systems that are also potentially vulnerable. Therefore, we cannot feel 100% safe all the time. We have to be ready – but, of course, all the steps we have to implement to protect our business must result from in-depth and rational risk assessment (but this is a different story).
When it comes to the counterfeit Cisco equipment – we can state that secured and double-checked supply chain and procurement process is also a part of organizational security. We shouldn't buy any critical equipment from unknown vendors or suppliers, only to show we are able to save money.
When it comes to the Stuxnet case – there are the same rules in industrial automation systems like for overall IT/network security in the organization. Especially now, when the trend for tight integration with the overall IT infrastructure is more and more visible. It really doesn't matter that industrial systems are usually related to the facilities management, building automation or industrial processes management systems – therefore are not considered to be the part of IT.
Finally – just to mention the other, but related topic – we have the baselines defined for our operating systems on servers, firmware as deep as to the network equipment level (in these better cases) and software versions – when it comes to the software systems, including end-users applications available in the organizational network. All these baselines and standards are implemented for the sake of IT security. Shouldn't we consider to extend our baseline for the other critical infrastructure components – including firmware of the UPS systems, SNMP adapters, cooling controllers, SCADA/BMS components and their supporting software etc.? I believe this is an obvious step to be done.
And last, but not least – we will never be 100% sure that we are safe and can guarantee 100% of availability.
As long as we want to be sure about the facts presented in this article – there are many speculations on both the counterfeit Cisco equipment case, as well as Stuxnet. Should we really dig more into the cases? No. We should only use them for our further consideration and inspiration. We can always learn something more about ourselves and our own weak sides, even if the mentioned security threats are hoaxes, partial hoaxes or maybe true, but covered with too many speculations. The potential impact is more important than the truth behind the story in such cases, as long as the scenario remains probable.