
Page 1: Connecting the Dots in Cyber Intelligence: How Real is the Threat to the Critical Infrastructure?

FOURTH INTERNATIONAL FORUM

Sanjay Goel, School of Business, University at Albany, SUNY

April 12-15, 2010, Garmisch-Partenkirchen, Germany

Page 2: SCADA Systems – Infrastructure Risk

• SCADA systems integrated

• Recent reports claim US power grid compromised

• Possible link between blackouts and terrorists

• Smart Grid cause for concern

Page 3: SCADA Systems – Infrastructure Risk

• There has been a relative lack of forthcoming information on the attacks on the critical infrastructure

• Probing and attacks continue from several sources (nations and transnational groups)

• Attacks on the infrastructure are inevitable

• We need to intelligently manage our risks

Page 4: SCADA Systems – Water Supply

• There are 54,064 separate water systems in the U.S. (3,769 serve 81% of the population; 353 systems serve 44% of the population).

• The disparate control systems make the job of cyber warriors difficult

• At worst, cyber terrorists will be able to disrupt the supply for a short duration in a specific segment

• Any toxins would be diluted in the water supply

Source: Lewis, James, “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats”, Center for Strategic and International Studies, December 2002.

Page 5: US Electrical Grid – Highly Interconnected Network

• Highly interdependent

• Failures can spread rapidly

Source: Talbot D., “Lifeline for Renewable Power”, MIT Technology Review, January/February, 2009.

Sanjay Goel, School of Business, UAlbany

Page 6: SCADA Systems – Vulnerabilities in Infrastructure

1:58 pm Eastlake, Ohio plant shuts down

3:06 pm A First Energy 345-kV transmission line fails south of Cleveland, Ohio

3:17 pm Voltage dips temporarily on the Ohio portion of the grid, causing power to shift to another transmission line, which fails

3:41 & 3:46 pm Two breakers connecting First Energy’s grid with American Electric Power trip

4:05 pm Sustained power surge on Ohio lines

4:09 pm Voltage sags as Ohio draws 2 GW from Michigan

4:10 pm Transmission lines start tripping in Michigan and Ohio, blocking the flow of power east. Due to the deficit, generators shut down, causing a blackout in the East

Page 7: SCADA Systems – CAL-ISO Hacking

“Hackers Victimize Cal-ISO”, Dan Morain, June 09, 2001:

For at least 17 days at the height of the energy crisis, hackers mounted an attack on a computer system that is integral to the movement of electricity throughout California… The hackers' success, though apparently limited, brought to light lapses in computer security at the target of the cyber-attack, the California ISO, which oversees most of the state's massive electricity transmission grid.

Page 8: Power Grid Incidents

Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007. The attack in the state of Espirito Santo affected more than three million people in dozens of cities over a two-day period, causing major disruptions. In Vitoria, the world's largest iron ore producer had seven plants knocked offline, costing the company $7 million. It is not clear who did it or what the motive was.

12 Nov 2009; ONS, Brazil: Operador Nacional do Sistema Eletrico (ONS) is Brazil's national system operator responsible for controlling the transmission of electricity as well as the operation of generation facilities throughout the nation. On November 12th, a hacker gained access to its corporate network but stopped short of accessing its operational network.

Page 9: Smart Grid Paradigm Shift – Alternate Energy Sources

• Each household will have a smart meter

• Allows consumers to both supply and draw power from grid

• Two-way power flow

• Two-way information flow

• Supports conservation

• U.S. gets only 1% of its electricity from renewable sources compared to 14% for Germany.

• GOAL: 10% by 2012 and 25% by 2025

Source: Talbot D., “Lifeline for Renewable Power”, MIT Technology Review, January/February, 2009.

Page 10: Smart Grid – Investments

100 Smart Grid projects distributed across 49 states have been funded by federal grants and industry contributions equaling about $8 billion.

Page 11: Smart Grid – Where are the weaknesses?

• Smart meters can be targeted for malware and other attacks

• Homogeneous network of computers highly vulnerable to fast-moving viruses and worms

• Threats:
  – Connect and disconnect customers from grid
  – Change metering data and calibration constants
  – Change meter's communication frequency
  – Render meter non-functional

Page 12: Cyber Intelligence – Internet: An Arena for Terrorists

Page 13: Cyber Intelligence – “Looking for a Needle in a Haystack”

• Data-mining works when:
  – Search profile is well-defined
  – Significant historical data for predictions
  – Low cost of false alarms

• In espionage, counterintelligence, or terrorist plots:
  – Uncertainty of what data to ignore or pay attention to
  – Attacks often hard to predict (little past data available)
  – Avenues to hide involvement and communication
  – False positives could lead to arrest of innocents and lost time on bad leads

We failed to stop 9/11 despite having critical intelligence

Page 14: Cyber Intelligence – Anonymity of the Internet

• No specific connection between real identity and internet aliases (can be multiple web identities)

• How is this done?
  – Anonymous web browsing, e.g. proxy servers
  – VoIP (e.g. Skype)
  – Private message boards
  – Chatrooms / IRC
  – Use of botnets (to send messages, relay, etc.)
  – Steganography with website / SPAM images

• Need intelligence techniques for assigning attribution (means, motives, and opportunity)

Page 15: Computer Forensics – Tracking Incidents

• Countless ways in which a computer can be used to perform illegal activity

• Criminals leave behind traces that can be analyzed
  – Evidence in several media forms, e.g., text, audio, image, video

• Multiple sources of data are needed to corroborate

Page 16: Social Network Analysis – Ali Baba Dataset

• A simulated Signal Intelligence and Human Intelligence dataset:
  – Approximately 800 reports
  – 8 month plot window
  – 409 named entities
  – 98 locations

A 12-member terrorist cell connected with the Ali Baba network plans to “bake a cake” (build a bomb) which will be targeted to blow up a water treatment facility near London. The plot takes place from April to September of 2003.

Robert Savell, School of Engineering, Dartmouth

Page 17: Open Source Data – Proximity of Concepts

• We are collecting data from targeted hacker forums/blogs/websites

• Natural Language Processing is being used for analyzing the data

• Process used for analyzing data:
  – Develop a seed list of relevant concepts in the domain of interest and cluster web pages
  – Develop a concept-concept graph for each cluster of documents, and use concept co-occurrence distance and proximity filtering to reduce edge density
  – Identify related communities of concept terms within each resulting graph component
  – Manually assess each graph “community” and review the sets of related web pages for information of interest
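The four-step process on this slide, carried through end to end as an added example (this is not the author's or the project's code). A constructed five-document corpus and seed list stand in for the crawled forum pages; co-occurrence within a token window is the proximity filter; connected components of the pruned graph are the "communities" handed to an analyst, together with the pages that mention them. The token-distance threshold, the edge-weight cutoff, the sample text and every function name are assumptions. It goes slightly beyond the slide by exposing the weight cutoff as a parameter so the effect of tightening the filter is visible.

```python
"""Concept co-occurrence graph with proximity filtering and community detection.

Added example, not the project's code. Steps: (1) seed list of domain concepts,
(2) concept-concept graph weighted by within-window co-occurrence, with pairs
that never occur close together dropped (proximity filtering), (3) connected
components as concept 'communities', (4) the pages behind each community for
manual review. Corpus, seeds and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample corpus (stands in for crawled forum posts / web pages).
DOCUMENTS = {
    "doc1": "scada modbus plc firmware; default password on the plc hmi",
    "doc2": "smart meter firmware update; meter calibration constants stored in flash",
    "doc3": "modbus scada hmi exposed on the internet; plc default password again",
    "doc4": "phishing mail with malware dropper attached",
    "doc5": "smart meter disconnect command, meter firmware signed?",
}

# Constructed seed list of relevant concepts (slide step 1).
SEEDS = ["scada", "modbus", "plc", "hmi", "firmware", "password",
         "meter", "calibration", "phishing", "malware", "disconnect"]


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


def concept_positions(doc, seeds):
    """Map each seed concept to the token positions where it occurs in doc."""
    positions = defaultdict(list)
    seedset = set(seeds)
    for i, tok in enumerate(tokenize(doc)):
        if tok in seedset:
            positions[tok].append(i)
    return positions


def build_graph(docs, seeds, max_distance):
    """Slide step 2. Edge weight = number of documents in which the two concepts
    occur within max_distance tokens of each other. Pairs never seen that close
    get no edge at all, which is the proximity filtering that reduces edge density.
    Keys are alphabetically ordered (concept_a, concept_b) tuples."""
    weights = defaultdict(int)
    for doc in docs.values():
        pos = concept_positions(doc, seeds)
        for a, b in combinations(sorted(pos), 2):
            dist = min(abs(i - j) for i in pos[a] for j in pos[b])
            if dist <= max_distance:
                weights[(a, b)] += 1
    return dict(weights)


def communities(graph, min_weight=1):
    """Slide step 3: connected components of the graph after dropping edges
    lighter than min_weight. Each component is a community of related terms."""
    adj = defaultdict(set)
    for (a, b), w in graph.items():
        if w >= min_weight:
            adj[a].add(b)
            adj[b].add(a)
    seen, comps = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj[node] - seen)
        comps.append(sorted(comp))
    return sorted(comps)


def pages_for_community(docs, community):
    """Slide step 4 support: the pages an analyst should review for a community."""
    wanted = set(community)
    return sorted(d for d, text in docs.items() if wanted & set(tokenize(text)))


if __name__ == "__main__":
    g = build_graph(DOCUMENTS, SEEDS, max_distance=3)
    for cutoff in (1, 2):
        print(f"min_weight={cutoff}:")
        for comm in communities(g, min_weight=cutoff):
            print("  ", comm, "->", pages_for_community(DOCUMENTS, comm))
```

With the cutoff at 1 the shared "firmware" term glues the SCADA and smart-meter vocabulary into one large component; raising it to 2 keeps only pairs seen close together in more than one page, and the blob splits into three tight pairs, each pointing at a small set of pages to read. That tightening is the edge-density reduction the slide describes.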

Page 18: Network Forensics – HoneyNet

• Honeynets are networks of honeypots where all inbound and outbound traffic is collected
  – Typically run multiple operating systems & applications
  – Provide real services that closely match actual conditions in the organization

• Any attempt to contact the network from outside is likely an attempt to breach its security

• Any outbound activity is likely evidence that a system has been compromised

• Hacking tools can fingerprint honeypots/honeynets, so they should be camouflaged

Page 19: Network Forensics – DarkNet

• A darknet is a portion of routed, allocated IP space where no active services or servers reside
  – Consists of a server that gathers packets & flows that enter the darknet

• Blocks contain no active hosts, thus traffic must be caused by misconfiguration, backscatter from spoofed source addresses, or scanning from worms and other probing

• Can be used in conjunction with flow collectors, backscatter detectors, sniffers and/or IDS boxes for further analysis
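An added example serving both the honeynet rules on page 18 and the darknet rules on this page; it is not the author's code. It parses a handful of constructed flow records and applies the slides' triage logic: on the honeynet, any inbound contact is flagged as a probe and any outbound connection from a honeypot as evidence of compromise; on the darknet, per-source TCP flag patterns separate backscatter (SYN-ACK/RST replies from a victim to spoofed source addresses that fall in the dark block) from scanning (SYNs fanned out across dark hosts), and anything else is left as misconfiguration/other for an analyst. The sensor address ranges (RFC 5737 documentation prefixes), the flow record format, the scan threshold and the function names are assumptions.

```python
"""Honeynet / darknet flow triage.

Added example, not the author's code. Rules are those on the slides: on a
honeynet every inbound contact is a probable probe and every outbound
connection from a honeypot is probable evidence of compromise; on a darknet
there are no live hosts, so what arrives is misconfiguration, backscatter from
spoofed source addresses, or scanning / worm probing. Ranges, record format
and sample records are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed sensor ranges (RFC 5737 documentation prefixes, not real deployments).
HONEYNET = ip_network("192.0.2.0/24")
DARKNET = ip_network("203.0.113.0/24")

# Constructed flow records: "src dst proto dport flags", flags being the TCP
# flags of the first packet seen (S = SYN, SA = SYN-ACK, R = RST, - = none).
FLOWS = """\
198.51.100.7   192.0.2.10    tcp 22    S
198.51.100.7   192.0.2.11    tcp 22    S
192.0.2.10     198.51.100.99 tcp 6667  S
198.51.100.33  203.0.113.5   tcp 43112 SA
198.51.100.33  203.0.113.6   tcp 51820 SA
198.51.100.33  203.0.113.7   tcp 40021 R
198.51.100.250 203.0.113.9   tcp 445   S
198.51.100.250 203.0.113.10  tcp 445   S
198.51.100.250 203.0.113.11  tcp 445   S
198.51.100.8   203.0.113.42  udp 514   -
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, flags = line.split()
        flows.append({"src": ip_address(src), "dst": ip_address(dst),
                      "proto": proto, "dport": int(dport), "flags": flags})
    return flows


def triage_honeynet(flows):
    """Page 18 rules: inbound contact -> 'probe'; outbound from a honeypot ->
    'compromise'. Returns (verdict, src, dst, dport) tuples in flow order."""
    alerts = []
    for f in flows:
        inbound = f["dst"] in HONEYNET and f["src"] not in HONEYNET
        outbound = f["src"] in HONEYNET and f["dst"] not in HONEYNET
        if inbound:
            alerts.append(("probe", str(f["src"]), str(f["dst"]), f["dport"]))
        elif outbound:
            alerts.append(("compromise", str(f["src"]), str(f["dst"]), f["dport"]))
    return alerts


def triage_darknet(flows, scan_threshold=3):
    """Page 19 rules, applied per source address. A source whose TCP traffic
    into the dark block is only SYN-ACK / RST is backscatter (a victim answering
    SYNs that carried our addresses as spoofed sources). A source sending SYNs
    to at least scan_threshold distinct dark hosts is scanning. Anything else
    is left for review as misconfiguration or other."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dst"] in DARKNET:
            by_src[f["src"]].append(f)
    verdicts = {}
    for src, fs in by_src.items():
        tcp_flags = {f["flags"] for f in fs if f["proto"] == "tcp"}
        syn_targets = {f["dst"] for f in fs if f["proto"] == "tcp" and f["flags"] == "S"}
        if tcp_flags and tcp_flags <= {"SA", "R", "RA"}:
            verdicts[str(src)] = "backscatter"
        elif len(syn_targets) >= scan_threshold:
            verdicts[str(src)] = "scanning"
        else:
            verdicts[str(src)] = "misconfiguration-or-other"
    return verdicts


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for alert in triage_honeynet(flows):
        print("honeynet:", *alert)
    for src, verdict in triage_darknet(flows).items():
        print("darknet:", src, verdict)
```

The honeypot's outbound connection to port 6667 is the kind of single event the slide calls "likely evidence that a system has been compromised": a honeypot has no legitimate reason to initiate anything. On the darknet side the UDP syslog record matches neither flag pattern and is left as misconfiguration/other, which is where a flow collector or IDS feed would be consulted next.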

Page 20: Securing the Internet – Conclusions

• Create security guidelines for utilities to implement

• Design resilience into critical infrastructure

• Security needs to be built into the infrastructure that we create (smart meters)

• Assume reasonable risk and smartly allocate resources

• Improve ability to detect attacks and respond quickly (data collection and analysis)