Just How Overrated is Cyberspace Doomsday?

Thursday, May 12, 2011

J. Oquendo


"If the Internet suddenly vanished, there would be deaths as a result." I am not sure that I completely agree with this statement or the author's point of view, so here is an alternative point of view based on documented and verifiable information, along with another opinion.

While the Internet has made life easier for many, the reality is, life will go on with or without the Internet and it is highly unlikely that someone will die because there is no Internet connectivity.

There will likely be no Armageddon, however, there certainly will be a lot of bored people.

In the original article [1], there is an impression that there will be some form of "doomsday" if the Internet went offline. I choose to think that this is a fatalist and pessimistic statement with no information supporting the theory.

Now the odds of the Internet as a whole going offline due to a "cyberattack" are about the same as the odds of me winning the Powerball Lottery multiple times this year. And while the author does not outright label his specific areas of "the Internet" correctly, I will label it as SCADA and chime in on the SCADA-based attacks.

SCADA inferences come from the author's choice of words: "After a major successful attack, we’d be back to the dark ages in an instant. No electricity, no computers, no gasoline, no refrigeration, no clean water. Think about what happens when the power goes out for a few hours. We’re stymied."

Analyzing these statements from a security, network and/or architectural engineering perspective, they seem to indicate that there are a lot of misinformed professionals who do not understand security not only from a defensive posture, but also from the attack canvas.

Creating such a doomsday threat would be a great feat for anyone to accomplish. Not only would it be a great feat, but it would be a costly one.

From the networking standpoint, an attacker would first need to "scope the battlefield." In a SCADA environment, just because the utility company has Internet connectivity does not mean that the equipment used to control power, sensors and so on is capable of being reached by said attacker via the Internet.

In fact, almost all of the connections are separated. There are also plenty of obscure technologies that most "hackers" as we know them are not familiar with. This includes protocols, frameworks, devices such as PLCs and HMIs, and the list is rather long. So let's create an attack scenario without the complications of media hype and sensationalism, shall we?

From the security standpoint, I as an attacker coming through the front door would have to be capable of bypassing and compromising a variety of different capabilities: firewalls, intrusion prevention systems, possible honeypots, perhaps some two-factor systems. This is the reality of breaking through the door.

From the client side attack perspective, I would have to hope the same. I would need to be sure that someone opened my malicious document, I would hope there would be no antivirus or anti-malware software to detect my attack and finally, I would need all of my targets to execute my payload.

So as an attacker my objective is to "turn off the lights" and in order to accomplish this objective I would need to compromise a utility company. Once compromised, I would need to understand enough of the topology of the network I am compromising and hope that maybe, just maybe, I can somehow hit a kill switch.

From my point of view, it would be rather time-consuming to attack things head on. Not only would it be time-consuming but I run the risk of being detected during my attack.

In a situation like this where I am attacking, there is no "mock-up" electrical grid, as I will not have a replica to test my theory-based attacks. As an attacker in this instance, I want to get in and out as fast as possible. I want to avoid possible detection by way of any firewall logs, IDS, IPS or any other kind of logging mechanism.

Because I am focused, I do not want to waste my time and money allowing what I perceive as my enemy, an inkling of an idea of what is about to occur. To do so, I would prefer to use a client side attack. Knocking at the front door would be disastrous to my objectives.

The summary of a client side attack, for those unaware of what a client side attack is, is simple: I send you an exploit via different methods. This could be a USB key, could be an email, could be a specially crafted webpage. In any event, I need someone internal to a target to run something I send in order to trigger malicious code that will cause a machine in a targeted location to connect back to me.

Client side attacks usually enable an attacker to avoid detection, as many companies choose to focus on what is coming into their network as opposed to what is leaving their network.

Even if a company were monitoring what is leaving their network, I could always use some form of throttled covert tunneling which would enable me to slip under the radar. So imagine for a moment that I did manage to connect back to the utility company; now what?
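The defensive counterpoint to the paragraphs above is egress monitoring for exactly this pattern: a compromised internal host calling out to the same external address on a regular schedule with small transfers. The following is an added example, not code from the original article; the log format and all addresses are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Flag low-and-slow outbound beaconing in egress firewall logs.

Constructed example: the log lines below are made up to mirror a
connect-back from a compromised workstation that checks in every
~10 minutes with tiny payloads, alongside ordinary user traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: "<iso time> <src> -> <dst>:<port> <bytes>"
SAMPLE_LOG = """\
2011-05-12T09:00:01 10.0.5.17 -> 203.0.113.9:443 512
2011-05-12T09:03:10 10.0.5.22 -> 198.51.100.4:80 48210
2011-05-12T09:10:02 10.0.5.17 -> 203.0.113.9:443 498
2011-05-12T09:12:40 10.0.5.22 -> 198.51.100.4:80 91007
2011-05-12T09:20:00 10.0.5.17 -> 203.0.113.9:443 520
2011-05-12T09:29:59 10.0.5.17 -> 203.0.113.9:443 505
2011-05-12T09:40:01 10.0.5.17 -> 203.0.113.9:443 511
2011-05-12T09:41:15 10.0.5.22 -> 198.51.100.4:80 3300
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def find_beacons(records, min_hits=4, max_jitter=0.1, max_avg_bytes=4096):
    """Return {(src, dst): interval_seconds} for flows that look like beacons.

    A flow is flagged when it has at least min_hits connections, its
    inter-arrival times vary by less than max_jitter (coefficient of
    variation) and the average transfer is small (a throttled channel).
    """
    flows = defaultdict(list)
    for ts, src, dst, _port, nbytes in records:
        flows[(src, dst)].append((ts, nbytes))
    suspects = {}
    for key, hits in flows.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else 1.0
        avg_bytes = mean(n for _, n in hits)
        if jitter <= max_jitter and avg_bytes <= max_avg_bytes:
            suspects[key] = round(avg_gap)
    return suspects


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

The bulky, irregular browsing from 10.0.5.22 is ignored, while the five evenly spaced ~500-byte connections from 10.0.5.17 are flagged as a 600-second beacon.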

Unless I have explicit knowledge of how their network is configured, this would be the equivalent of me walking into a foreign office building and looking for a specific office. I would be lost.

"Here I am, finally I am in the building in this big lobby, since I have never been here and there are dozens of offices, what do I do? I need to get into office X, where do I need to go?" Because of security systems, I would need to walk around this office without anyone being suspicious and not only stopping me, but actually even seeing me.

That is a quick summary of some of the steps I would need to take in order to get my foot in the door successfully. I would then need to do this across the grid, utility company after utility company.

Because there is the possibility of redundancy and failover systems that I may not know about, I do know that I would need to cause a cascade failure in order to take everyone offline at the same time. After all, it would make no sense for me to take one company offline only to have some back-up generator power on and put them back online. These are things that I as an attacker would need to plan for.

Now, to be successful in my attack, the entire attack as a whole has to be calculated with precision, literally with timing checks against some type of NTP server. If not, I could end up knocking out the electricity to my sector only, leaving the rest online.

Translation: in my effort to black out the world or the USA, I cut my own power off, leaving me incapable of reaching other targets and rendering my plan half baked. This in itself is another monumental task. Now imagine doing this across tens of companies; remember, I would need to cause a cascading failure.

There are a lot of assumptions by the author and other authors like him. There is the assumption that many SCADA companies do not understand the risks and have not addressed them. This is not the case as there are many paid professionals in that industry speaking constantly on an hourly basis [2].

There is the assumption that there is some magical "catch-all" software with which, at the click of an enter key, an attacker can create doomsday. Too many articles such as the referenced article [1] are creating movie-like outcomes, which makes things very complicated for many in the trenches.

Realistically speaking, let us assume for a moment that a "cyberterrorist" group was targeting all of these infrastructures at once. The author assumes that an attacker, even if they did compromise a company, has an iota of an understanding about HMIs, PLCs and other relevant SCADA connections, components and protocols.

The reality is, many of these environments are very complex and they are not running the same software, same protocols and so on. There would need to be years of reconnaissance with heavy financial investments to pull it off. I must also mention that any attacker would have to cross their fingers and hope that their target(s) did not upgrade, migrate or change software. Otherwise, it is back to the drawing board.

This is not meant to be a personal attack on the author of the article but more of a "what are you talking about?" There are plenty of individuals in and out of the utility companies that are aware of the dangers and the risks associated with interconnectivity between local LANs and the Internet.

I speak and interact with many SCADA professionals every day and I know factually that it is a bit absurd to even fathom that, outside of a natural disaster, "the Internet going down" would cause "people to die."

Sometimes the air needs clearing and issues need to be corrected; otherwise one can begin to see why "urban legends" take flight. "Did you hear?! If the net goes down, we're going to die!!!" If I told this to an average 10-year-old they would likely look at me as if I were crazy, let alone if I publicly made such a comment.

To be fair and accurate, during the "Northeast Blackout of 2003" [3], there were eleven fatalities out of 55,000,000 people in the North East which totaled 0.000019999999999999998% and affected about eight states. There were no cataclysmic car accidents, train derailments, riots, emergency room catastrophes. Life went on.


[1] https://infosecisland.com/blogview/13615-Just-How-Important-is-Cyberspace-Defense.html
[2] http://www.infracritical.com/
[3] http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003

Robert Siciliano Articulate, well said and very appreciated response. I hope to stand corrected. I’ll be the first to admit that I don’t maintain the qualifications you have nor do I have the insight that you may. I’m no security guru and have never professed to being more than a personal protection and identity theft expert. My vocation is to raise awareness and do whatever is necessary to get everyone, including the masses to take responsibility for their security posture any way possible. Sometimes the fear of my dad providing me a pummeling often whipped me into shape.

So to address your response: My writings are always quite literal. I don’t leave any room for interpretation. Doomsday and instant death wasn’t at all my intention nor was it insinuated. “there would be deaths as a result” was. I also specifically said it’s all unlikely, but possible. Doing this as long as I have I’m careful to couch my statements.

I fully agree with every single thing you laid out and thank God there are professionals like you to keep us up and running. I for one am a hacker groupie and sing your praises (albeit off tone).

I also agree with “To be fair and accurate, during the "Northeast Blackout of 2003" [3], there were eleven fatalities out of 55,000,000 people in the North East.” Which essentially is what I was referring to.

And “outside of a natural disaster, that "the Internet going down" would cause "people to die."

Japan's earthquake and following tsunami is an unfortunate example. With the power down and systems inadequate to cool the core, an ensuing explosion occurred. I am of firm belief that the Japanese culture is probably the most efficient on the planet and if anyone should be prepared for what they went through it's them. Murphy, Mother Nature and Edison all contributed to the disaster.

To the degree that we rely on the internet today and with the Chinese and others spending years doing recon and investing a lot of money to set up the described "successful attack", we need a better plan, or at least as you seem to suggest an ongoing imaginative plan incorporating all possible what-ifs.

I’m sure everything here is debatable and subject to a slam. Please keep in mind we are on the same team and desire the same outcome, to keep everyone secure.
stephen wright Ok no slamming allowed.. got it.

Good article and intelligent viewpoint.
However it is just an opinion and not necessarily a correct one in all scenarios and not all scenarios are covered.

The first problem I have with the article is the first sentence..."If the Internet suddenly vanished, there would be deaths as a result." Really,..and here I thought that the internet was just the means that most attacks use...But as it is not the payload, not the destructive act, just a means to an end. Everyone can rest assured that if Facebook disappears..the world will not end. WOW I knew you were really worried about that..

The rest of the article has some technical merit, but the requirements, capabilities, methodology and resources of an attacker and the end results are assumptions..not fact. The fact is no one knows it all..the fact is that systems protected by best practices and "experts" get cracked all the time...ask HB Gary..by people that likely have less knowledge and skill than the defenders, but find new and innovative exploits.

If we then consider an act of sabotage by a nation state that may or may not use coupled attacks, that DOES have deep pockets AND expertise..all bets are off. Throw in greed of private companies who don't protect their network and computing resources adequately due to cost, along with some bureaucratic nonsense in regulations and vendor shoddiness for good measure..it isn't a question of "IF" anymore, it's a question of when and how bad will it be.

But then, that's just MY opinion..

J. Oquendo Mr. Siciliano,

I must admit, this is a revision as my initial article would have been greatly uncalled for and not have pointed out many facts. Anyhow, I understand literal writing but it need be understood that many individuals in "high places" interpret things as literal as well. We end up giving not necessarily false information that yields wild claims but we can also waste taxpayer dollars in the process. If we thought about this logically for a minute: "Hackers taking out even one grid" we would be seeing a lot of attacks on a recurring basis.

I am sure there are a lot of insecure companies that are connected to the Internet and hopefully those companies are waking up to the realities that "times are a changing." Because of the constant state of compromises affecting all sorts of companies, one would have to live in the stone age to not understand that there are huge risks. So much so with the utility companies that they are under watchful eye from the Obama administration.

@ Mr. Wright:

Since you mention opinions, I too shall chime in with a quote I like to re-call: "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius

"but the requirements, capabilities, methodology and resources of an attacker and the end results are assumptions..not fact."

What are your perceived facts? In order for me to compromise a company from the technological perspective, I need a foot in the door. I have one of two choices, client side or trying to hack my way into the front door. Bear in mind USB based attacks are considered client-side since I would need intervention. The capabilities are not assumptions. All of the possible targets would differ in their technologies and applied usage of technologies and protocols. The methodology from this scenario would be to ultimately cause a "blackout" as I inferred from the initial article. How anyone would accomplish that is irrelevant as they would still need to follow a similar train of thought: "Getting in the front door"

You state: "systems protected by best practices and "experts" get cracked all the time...ask HB Gary..by people that likely have less knowledge and skill than the defenders, but find new and innovative exploits."

1) There was nothing new nor innovative about the HB Gary attacks whatsoever. There was no mystical exploit it was good old fashioned social engineering.
2) Best practices are something I shy away from. Companies all differ and no best practice fits all. My POV from the best practices side of the arena is that, people use them as crutches in the old game of CYA (http://en.wikipedia.org/wiki/Cover_your_ass)

You add: "an act of sabotage by a nation state that may or may not use coupled attacks, that DOES have deep pockets AND expertise..all bets are off." The issue with even thinking about this occurring is that it tends to move into "Hollywood." How do you propose a nation state get by multiple companies to cause a cascading failure? I could see it affecting maybe one or two companies but that is it. The reality is what it is. Given an infinite budget I seek to create a crippling attack across a country. To make it work I need an experienced team consisting of many types of people from programmers to networkers and this list goes on. Because I have an infinite budget, I could pay the brightest in the world but where would that leave me via terms of remaining covert? In order to make it work from the nation state perspective, I need die hard "countrymen" willing to keep their mouth shut forever. That in itself is problematic.

So moving on, I get these countrymen. I even compromise a company or two. In order to get the "blackout" effect, I need it to work symmetrically across the board otherwise I have wasted my time and resources. Companies as stated differ. The technological complexities alone would be monumental in undertaking my blackout role. But let's assume I did accomplish my objectives. There is a huge problem at the end of the day. It's called fallout. Financially most countries have become so dependent on one another that somewhere along the line, I would either set my country up for targeted REAL military counter-response. Or my financial markets would take a hit as a result of my attack. These are the real outcomes. Forget about "games of ping."

Finally you state: "it isn't a question of "IF" anymore, its a question of when and how bad will it be." To that I still believe that I will hit the Powerball before I see a "cyber blackout"
stephen wright Mr.Oquendo,

We both are entitled to our opinions and time will tell who was right. I sincerely hope you are, but the number of attacks, the numerous known successful SCADA attacks and the history of attacks, exploits and malware in general, suggest otherwise. The assumptions I referred to are those you make in your article referring to number of attackers and attacks, methodology of attack and use of weapons, cyber and otherwise. Rather than give a blow by blow analysis of why I disagree with you..on a matter that has security ramifications, in a public forum where all eyes can see..I suggest that you contact me directly via email and we can discuss this securely. You know my email address..
Good Day.
Trevor Alexander Just a correction: the nuclear portion of the disaster in Japan, at least, has a huge component of corruption to it, that is ignored in the above analysis (I understand that it's out of scope, but it's not mentioned):
