Naval architects have used engineering to reduce the likelihood of realizing risks inherent to
blue water seafaring since at least 980 - 982 CE, when Erik the Red discovered Greenland.

Clearly, it’s neither engineering quality nor myopic perspective that results in critical
infrastructure’s perceived security shortcomings. These putative deficiencies are actually
reflections of a perceptual bias resulting from viewing the situation through an information
technology (IT) colored lens. Indeed, what are seen as critical infrastructure’s security
weaknesses may, if properly managed, become force multiplying assets.

For example, critical infrastructure evolves at a relatively slow pace. This frustrates
cybersecurity advocates who demand rapid application of security updates to what are,
unarguably, assets that are both essential and vulnerable. However, what the cybersecurity
community often overlooks is that this slow pace is itself a risk mitigation strategy.

Change introduces unknowns, which in turn introduce risks that may result in unplanned
downtime. Unplanned downtime is unacceptable in mission-critical systems such as power
generation and delivery, water delivery and wastewater management or air traffic control. As a
result, changes are tightly controlled and subjected to intensive and long-term predictive vetting
prior to implementation.

One needs only to look at the headlines to understand the benefits this approach confers
relative to conventional, IT-based cybersecurity. The recently uncovered “FREAK” (Factoring
attack on RSA-EXPORT Keys) vulnerability derives from a US government policy, in force from
1992 to 2000, that restricted the export of strong encryption.


As a result, weaker “export-grade” encryption was built into software intended for the global
market. This weaker encryption was incorporated into widely proliferated browser software that
eventually came back into the United States. Browsers can be forced to use the weaker
encryption, which can be defeated in a matter of hours. Once the encryption is defeated,
passwords and other personal information can be stolen and used as the basis for a more
comprehensive attack.
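Because FREAK hinges on export-grade RSA cipher suites being offered by a client or selected by a server, the first thing a defender wants to know is whether such suites appear in handshakes at all. The following Python is an added example, not code from the magazine: it parses a TLS 1.0 to 1.2 ClientHello or ServerHello record and names any export-grade suite it carries. The suite identifiers come from the IANA TLS Cipher Suite registry; the sample records are constructed inline rather than captured traffic, and the helper names (`parse_hello`, `export_suites`, `build_hello`) are this example's own.

```python
"""Flag export-grade cipher suites in TLS ClientHello / ServerHello records (added example)."""
import struct

# IANA-registered export-grade suites. The RSA_EXPORT entries are the ones FREAK abuses;
# the DH/DHE/anon export suites are listed because a sane policy drops all of them.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message types
SERVER_HELLO = 0x02


def parse_hello(record: bytes) -> dict:
    """Return handshake type, protocol version and the cipher suite(s) in a hello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4:
        raise ValueError("truncated handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    if len(msg) != hs_len or len(msg) < 35:
        raise ValueError("truncated hello body")
    version = struct.unpack("!H", msg[0:2])[0]
    sid_len = msg[34]                     # version(2) + random(32) + session_id_length(1)
    pos = 35 + sid_len
    if pos + 2 > len(msg):
        raise ValueError("hello ends before cipher suite field")
    if hs_type == SERVER_HELLO:
        # The server picks exactly one suite.
        suites = [struct.unpack("!H", msg[pos:pos + 2])[0]]
    elif hs_type == CLIENT_HELLO:
        # The client offers a length-prefixed vector of suites.
        cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        cs = msg[pos + 2:pos + 2 + cs_len]
        if len(cs) != cs_len or cs_len % 2:
            raise ValueError("malformed cipher_suites vector")
        suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    else:
        raise ValueError("unsupported handshake type %#x" % hs_type)
    return {"type": hs_type, "version": version, "suites": suites}


def export_suites(record: bytes) -> list:
    """Names of export-grade suites offered (ClientHello) or chosen (ServerHello)."""
    return [EXPORT_SUITES[s] for s in parse_hello(record)["suites"] if s in EXPORT_SUITES]


def build_hello(hs_type: int, suites: list) -> bytes:
    """Construct a minimal TLS 1.0 hello record for testing (constructed sample, not a capture)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, zeroed random, empty session id
    if hs_type == SERVER_HELLO:
        body += struct.pack("!H", suites[0]) + b"\x00"  # chosen suite + null compression
    else:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites + compression vector
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    offered = build_hello(CLIENT_HELLO, [0x002F, 0x0035, 0x0003])
    chosen = build_hello(SERVER_HELLO, [0x0003])
    print("client offers export suites:", export_suites(offered))
    print("server selected export suite:", export_suites(chosen))
```

A ClientHello that offers an export suite is the precondition for the downgrade; a ServerHello that selects one means the server still has export ciphers enabled and its configuration needs the `EXPORT` family removed. Feeding the parser the handshake bytes from a packet capture or from a TLS configuration test harness turns this into a standing check rather than a one-off.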


Make no mistake, FREAK is not about clever subversion of software security routines. FREAK
is about a lack of rigor, integration and foresight with respect to software change engineering
and configuration management. That’s a longer way of saying that vulnerabilities like FREAK
are more about poor risk management practices than brilliant evil hackers.

So where does that leave the state of security?

First, nobody’s making an argument (at least, no reasonably prudent people) that critical
infrastructure’s security posture doesn’t require upgrades and improvements to cope effectively
with the current threat environment. Instead, the argument is to base critical infrastructure
security improvements on two pillars: 1) The implementation of security upgrades should be
made as part of an overall risk management and mitigation approach that accounts for the risks
inherent to operating in a hostile environment, and 2) This approach must embody orthodox
systems engineering approaches (as defined in standards including MIL-STD 499 and IEEE

7 Cyber Warnings E-Magazine – March 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
