This post was provided to us courtesy Mr. Robert Former an information security professional and energy industry information security expert. We’d like thank both Robert and his employer, Itron,Inc. for their time and co-operation.
Will Gragido
Smart Meters – An introduction
- INTRODUCTION
Like any commodity, energy, gas, water and sewage disposal must be measured to be sold. Over time a number of technologies have evolved to accomplish this goal. Naturally as long as there has been a way to meter a service, there have been people trying to figure out how to get around the metering systems and get those services for free. This paper will examine some of the new metering technologies and compare them to the older traditional methods in the light of a secure implementation.TRADITIONAL METERING (Electro Mechanical)
The way services and utilities have traditionally been monitored has been with a mechanical system. Gas or water runs past some sort of vane which spins, driving gears and turning dials. Similarly a mechanical electric meter uses induction loops to spin an aluminum disk which then turns gears that spin dials. Of course this data needs to be collected to be billed. With this type of metering, a utility will typically get an actual read through a meter reader and use sophisticated statistical modeling to estimate the rest of the time. How often the actual read occurs is really a function of state regulation and utility policy. Now an interesting thing that you can do (among many) is that if you understand the cycle that your utility uses, you can invert the meter. That’s right, pull it out of the socket, turn it over, put it back in and you still get electricity, but the meter runs BACKWARDS! Cool, free electricity as long as you don’t let the meter reader see the meter installed upside down. Some meters had mechanisms to prevent them from running backwards, but not all. A way the utilities have come up with to combat this and other methods of fraud goes back to the sophisticated statistical modeling. If the system sees a significant change in your usage pattern, you get flagged for a live read.AUTOMATIC METER READING (AMR)
Automated Meter Reading was introduced to accomplish two primary goals; improve the accuracy of metering by getting more live reads, and reduce the work force required to gather meter data. AMR is set up to send the data back to the billing system via some communication method, be it fixed service radio, data over power line, Meter reader with a handheld device, or by a truck driving around and gathering the data over a low power radio link to the meter. AMR introduced another interesting feature: the ability to detect if someone had tampered with the meter. As the technology has advanced, and traditional mechanical meters are replaced, AMR systems have become increasingly prevalent. The major downside to an AMR system is that it is mostly a one way communication system. The meters “bubble up” the data on a periodic basis to the utility. Newer Advanced AMR systems have integrated some limited two way functionality adding features like reading meter data on demand and remote disconnect switches. “Demand Reset” is also a function sometimes provided in two-way AMR. When you track a customer’s peak demand, the meter records the maximum peak instantaneous usage over a period. At the end of that period, you need to reset the demand back to zero so you can record during the next period. In earlier days, there was a locked button or lever the meter reader would press (they had the key) when they did the readings. More modern devices can do it based on a clock. In two-way AMR you can send a demand reset command after you’ve successfully retrieved the demand value. This inevitable march of progress has led us to the latest in service metering technology, AMI.ADVANCED METER INFRASTRUCTURE (AMI)
Advanced Meter Infrastructure is where it gets cool (and spooky to some). AMI is the natural evolution of AMR technology. A full two way communication system that allows on demand reading, Time of Use (TOU) billing, remote disconnect operation, load limiting, demand response, and more. Where things get really interesting is when a Home Area Network (HAN)is integrated into the meter. Now the meter can talk to properly equipped furnaces, air conditioners, water heaters, micro generation systems, thermostats and In Home Display (IHD) devices that tell you just how much running the dishwasher will cost you to run at 3 in the afternoon vs. 3 in the morning. Past that it enables portable billing and usage of Personal Electric Vehicles (PEV) which can also be leveraged as local storage devices to help manage load spikes on the distribution system. Another interesting feature is the ability to subscribe to a service from the utility that allows them to reduce your power consumption by managing large appliances in return for a lower billing rate.Notice I said SUBSCRIBE. You have to sign up for it. This is important because for all the really interesting things AMI can do, it has also stirred up some serious political debate. While the technical concerns around security are addressed further on, let us examine the paranoia that AMI has raised. The first fear is that The Government (you know who I mean, the socialist/fascist (sic) fat cats in and around DC) is going to take control of your appliances and dictate when you can use them, and how much. This is followed rapidly by the fear that The Government will collect your usage information and somehow use it against you. None of this is helped by political pundits and demagogues who have decided to whip the masses into a frenzy using this as one of the egg beaters. Politics aside, there ARE some genuine security concerns to look at, and that is one of the things we will look at starting with the next installment, “The Risks”. There are some intermediate steps in the evolution from electro-mechanical metering to AMI, but they are outside the scope of this discussion. If you would like more information about the details, Wikipedia has some good articles.
About Our Guest Author:
Robert Former: Robert is a security engineer with 20 years experience in the IT field. Throughout his career, Robert has work in many aspects of Information Technology and has experience in the design, implementation, and operation of cabling, LAN, WAN, MAN, both traditional and IP telephony, data centers, server systems, and for the last 7 years, Information Security and Compliance. Robert currently holds the ISC(2) CISSP™, ISACA CISA™, and NSA IAM/IEM certifications. He is employed by Itron, Inc, a leading manufacturer of energy measurement systems, as the Principal Security Engineer in the R&D department. In his spare time, Robert enjoys spending time with his family as well as pursuing photography as an enthusiast and amateur radio.
When Antivirus becomes the Virus
Full Disclosure – I am a former McAfee employee, and currently draw a paycheck from a McAfee partner. The following are clearly my own thoughts and do not represent McAfee, my current/former employer(s) or anyone else.
Having been in the IT security industry for at least a decade, I have come to two key realizations:
1.) The IT security industry, as it relates to vendors selling products is largely based on FUD (fear, uncertainty, doubt), and
2.) Antivirus in almost no significant way equals comprehensive security
As many across the interwebs have already brought to light, McAfee had a very public snafu with one of their DAT updates (DAT 5958). Here is a mildly humorous link from Engadget’s site. To be clear, the point of this post is not to say the antivirus market poor or is dead, that McAfee has substandard products or solutions (usually the contrary), but that mistakes like this hurt not just one vendor or end customer, but the entire industry at large suffers.
That last part is an important point, especially in the case of endpoint security. Mistakes happen. QA processes are not perfect, vendors are trying to cut costs at every turn to increase profitability, so these things happen. In this specific case, if you were running VirusScan Enterprise with default settings, you will be a bit better than those who enabled “scan process by enable” or ran an on-demand scan with the 5958 DAT and scanned svchost.exe as the SVP of McAfee Support mentions in his blog post.
I see this with a lot of security practitioners where they turn on non-default options and get burned. Again, not picking on McAfee, but they also had a recent issue in their Patch 3 release of VirusScan Enterprise 8.7i where you enable “Prevent Windows Process Spoofing” (also an option that is disabled by default). This does not affect you if you don’t start turning on options you don’t fully understand. So, if you are responsible for endpoint security, a few simple tips:
1.) Have an IT test environment in place. Like Noah’s Ark, have representative systems (hardware, OS levels and apps installed) to test before you deploy. Many large enterprises wait 12-24 hours before rolling out DATs, and those who did were largely unaffected by this issue. Vendors like to throw around FUD here and push people to deploy reactive DAT coverage, and in few instances does security supercede system availability.
2.) Stick with the default options unless you are ready to accept the consequences – if you left the default options in place, neither of these two recent McAfee issues would have affected you. Quit turning knobs when you don’t fully understand what they do. A lot of us in IT assume instead of “trust but verify”.
3.) On-Demand scans are of minimal help on end workstations. AV scanning, especially on a scheduled basis is reactive. You already have malcode. Use realtime protection/on-access scanning, whatever. Save the scheduled reactive scanning for your file servers, SharePoint, and other file and data repositories.
4.) Antivirus is not total security, it is only one countermeasure. And, most importantly it is a reactive countermeasure at that. Regardless of what spin vendors put on it (heuristics, sandboxing, lookups in the cloud, etc.) by its very nature it is a reactive countermeasure. Implement more/better countermeasures, which leads me to …
5.) Complement endpoint security with more than just desktop and network firewalls. If you don’t use Host-based Intrusion Prevention on your laptops and critical systems, you probably should. Big difference in detecting malicious code or signature viruses versus stopping malicious traffic, and there is way more to it than blocking a port or protocol.
The point of this is not to unleash a hit piece on a specific vendor or technology, but to make sure practitioners frame the security tools and countermeasures in the appropriate context. AV won’t save you from malicious traffic for the most part, or from a targeted attack. Just like network security is not the answer to all of your security issues. The answer is an honest assessment of your countermeasures and their configurations, and if that maps to an acceptable level of protection versus risk. Sounds so simple, yet the devil’s in the details.
Threat Modeling
Threat Modeling
For most of us, the concept of ‘Threat Modeling’ takes on different meanings based upon our experiences, areas of expertise, areas of interest and comprehension of what constitutes and is defined as a ‘threat’ by industry and by ourselves. For man, ‘Threat Modeling’ is the realm of the developer. It is an area of expertise, which specifically addresses security, concerns of interest to them while for others, ‘Threat Modeling’ is used during assessment work. It is during these assessments, most of which are specific to code analysis and review, which we see many use these techniques to formulate and define more robust ‘Threat Models’ vis a vis the definition of potential attacks and exploits. Regardless of the definition you subscribe to, we can assume that ‘Threat Modeling’ accounts for much, but does it account for everything we need it to?
Threat Modeling Attributes
It’s important to note that ‘Threat Modeling’ has undergone much change over the last decade. It has experienced evolution and likely will need to going forward as both the application of the act of ‘Threat Modeling’ as well as the philosophy behind it, continues to evolve and grow. This is really rather non-negotiable when one looks at the current state of technological advancement we are in today and where we dare to take ourselves. As a result, we can assume the following of ‘Threat Modeling’:
- There are traditionally three commonly held views of ‘Threat Models’
- Attacker Centric
- Application / Software Centric
- Asset Centric
- ‘Threat modeling’ can be related to any asset deemed to posses worth and be considered of value to an individual or organization
- Personnel
- Facilities
- Applications
- Systems
- Networks
Identification and declaration of exactly what defines an asset is crucial to the process of ‘Threat Modeling’, failure to perform due diligence here will be noted and likely lamented in post mortem investigations.
- It is the desire of the owner or the party(s) tasked with stewardship of the asset in question to protect and ensure the safety of the asset (and any associated / related assets)
If there is any doubt as to whether or not it is the intent of those tasked with responsibility and stewardship for all defined assets, ‘Threat Modeling’, though still important should not be the first order of business!
- All assets have points of vulnerability
- All points of vulnerability can be exploited if left unaddressed or if addressed in appropriately
- Vulnerabilities can be exploited via internal or external means
We live in an imperfect world and as a result, all things; even the most cleverly engineered – organic or inorganic, have flaws. Assuming otherwise is a failure of logic and will almost always lead to a fall. Accepting that all things have vulnerabilities and are susceptible to exploitation knowing that these vulnerabilities can be remediated and the risk mitigated is of paramount importance to the success or failure of ‘Threat Modeling’ exercises or any associated activities.
- Useful in developing in countermeasures
This is of course quite elementary and obvious yet it is something that needs re-enforcement for several reasons not the least of which is that many despite this obvious benefit or by product depending on your point of view, still will not endeavor to engage in formalized ‘Threat Modeling’.
- Can be focused on defense or offense
This, I believe is self-explanatory as one might, again taking into consideration their working definition of ‘Threat Modeling’ into account either look at is as a defensive activity as we discussed earlier or as a mechanism useful, if not paramount, in offensively compromising an asset.
Where to Begin With Threat Modeling?
At a very base level, one needs to ask oneself some key questions prior to engaging in the activity of ‘Threat Modeling’ in order to avoid any oversights or mistakes. These questions are rather elementary yet their value cannot be emphasized enough. They provide the ‘looking glass’ if you will, which is necessary in order to successful model threats and gain the most value from the activity. Some of common questions which one should endeavor to ask and answer may look like (but by no means need reflect verbatim):
- What are the assets you need to protect?
- Where do they reside?
- Who are your customers? User community?
- Who are your adversaries?
- What are your strengths?
- What are your weaknesses?
- What can be done to minimize the attack surface and mitigate risk?
- How often should you engage in this process?
In going through this exercise, trivial though it may seem, a great deal of valuable information and data points may be collected and assessed for their use and application during ‘Threat Modeling’ activities.
Models At Our Disposal
There are many models currently in use today. Some are more focused or directed towards developers while others focus more on the needs of assessors and auditors. Regardless there is no one single way to go about conducting ‘Threat Modeling’. Below are a few wonderful examples of current ‘Threat Modeling’ methodologies & resources:
A View To A Kill: Executing a Threat Model and Processing The Results
- Picking Your Poison: Deciding on Threat Model
- Executing a Threat Model after exhaustive data gathering & analysis of said data
- Post Mortem: Examining the Remains
- Lessons Learned: Planning for the Future
- It’s a Cycle: Wash, Rinse, Repeat
Conclusion:
The value presented by the activity associated with ‘Threat Modeling’ is difficult to argue against. ‘Threat Modeling’ provides a vast amount of data and can aid both individuals and organizations (in quantitative and qualitative terms), in a multitude of ways not the least of which is providing clarity into the vulnerability of an asset or potential for exploitation of an asset. Failure to undertake these activities is akin to dereliction of duty for developers and assessors alike as those with nefarious intent not fail to exhaust every measure at their disposal to accomplish their mission.
Want To Play A Game?: Preparedness and Cyber Event Games
Any Given Tuesday
On February 16, 2010 the Bipartisan Policy Center’s national security preparedness group (led by Thomas Kean and Lee Hamilton), in co-ordination with former CIA Director General Michael Hayden and others. I watched it as the participants worked their way through the mock scenario and like many in my field remained quiet with respect to the matter preferring to hear the comments of others prior to offering up any ideas of my own with respect to the exercise itself. The role playing game took place in an alternate 2011. In this alternate reality 2011 hackers distribute a free phone application containing a virus, which lets them do the following:
- Sniff and capture passwords
- Capture keystrokes
The scenario combines a series of quite serious events that individually pose major problems and collectively represent a disastrous situation:
- Malicious code & content is propagated via an infected mobile phone application thusly propagating the code and establishing command & control (C&C) (EVENT OF INTEREST)
- Worsening conditions due to the spread of the malicious code & content lead to confusion in the financial markets (FINANCIAL CRISIS #1), resulting in the abandonment of smart phones as hey are now viewed with grave suspicion
- Consumer confidence plummets in the market specifically with respect to the mobile communication & smart phone manufacturers resulting in a $3 Billion USD loss in two weeks (FINANCIAL CRISIS #2)
- Data servers and alternate communications systems components (servers), experience excessive traffic conditions leading to worsening communications availability, quality, integrity (COMMUNICATIONS NETWORK CRISIS #1)
- Alternate universe 2011 experiencing climate issues (Environmental CRISIS1 & 2)
- Summer 2011 is one of the hottest in recorded history
- Impacts cooling stations within the power grid
- Summer 2011 is one of the hottest in recorded history
- Hurricane hits Gulf Coast
- Damages to the natural gas infrastructure of the United States
- Sub-national terrorist attack (bombing), at a power station takes place
- Renders key elements of the national power grid inoperable
- Millions left without power
Conclusions Made By The Participants: The U.S. Is Not Prepared For a Large Scale Cyber Event
Concerns and Comments on The Outcome
I struggled greatly with this for many reasons not the least of which is that I am a citizen of the United States, was born and bred here and make my residence here as well along with hundreds of millions of other Americans. Former Director General Hayden along with others concluded that should an event such as this occur the outcome would be disastrous. Though I understood the rationale being employed to conduct the test (it is hardly new – role playing scenarios have been used for decades to test preparedness), I was and to a degree, remain torn with respect broadcasting a message such as this one to the world at large regardless of whether or not it reflected true, current, state statistics. My fear is that in sharing this type of information with the masses the result could very well be pandemonium and panic as opposed to curiosity leading to inquiries to congressmen and women or senators.
Warfare, after all, is a behavioral activity demonstrated by human beings toward one another; it is as old as time. Archeologists have substantial evidence that suggests in no uncertain terms the realities of warfare long before history recorded the rise of the State as Westerners define it. In his 1996 book, War Before Civilization by Lawrence H. Keeley (Oxford Press, 1996), a professor in the Anthropology Department of the University of Illinois Circle Campus, Chicago stated that “approximately 90–95% of known societies throughout history engaged in at least occasional warfare and many fought constantly.” Cyber warfare is a logical extension of this mindset; a modern addition to a longstanding tradition replete with customs, courtesies, weapons and protocols. I’ve written previously on the activity and attitudes held by certain nation states with respect to cyber warfare; some friendly others not so friendly to the United States. The fact of the matter is that cyber warfare is real. Debates suggesting anything to the contrary simply the product of the uninformed or those who wish to believe that things in the world were different than how they are.
Final Thoughts
Will we see acts of war or wars fought in cyber space? I believe we’ll see a continuation of that which we’ve already seen and noted over the last two decades if not longer. To assert otherwise would be foolish. Will the manifest the way in which they did in the continuity / disaster recovery exercises described in ‘Operation Shockwave’(or for those who recall them operations ‘Black Ice’ and ‘Blue Cascade’ which took natural disasters or disasters introduced by sub-national entities and married them with cyber attacks)? I wouldn’t want to speculate however I believe that though there is much conjecture with respect to this subject; much debate amongst industry pundits (some fluent, experienced and familiar with warfare and the cyber derivative and some not) that it is not beyond the realms of possibility. A great deal of work has been done in the study of traditional warfare:
- The Art
- The Science
- The Nature
- The Humanity or lack of Humanity
- Tactics
- Strategy
So too as it relates to the integration of defensive and offensive tactics, strategy and solutions and this I believe will continue as our need to address threats which exist on a logically driven front yet have the potential to impact the physical world will only continue to grow. We have an obligation to do what we can however we can to protect our nation and our allies. I still believe we should be more discrete with sharing information (I can’t unlearn that which the Marine Corps taught me), and hope that via proper educational channels (many of those participants within the Bipartisan Policy Center’s panel suggested and commented on the need to work with industry in order to ensure safe guarding of the nation), and we will arrive at a point where exercises such as this and the feelings of angst they produce, are no longer needed nor angst generating.
Introduction: Changing the Paradigm
Lately, cyber-crime legislation seems to be in vogue. The Cybersecurity Act introduced by Senators Rockefeller and Snowe (S. 773), and the International Cybercrime Reporting and Cooperation Act, introduced by Senators Gillibrand and Hatch, as well as some serious talk in the European Union of creating a treaty to address cyber criminal activity, have caused me to put a lot of thought into what would make such laws or treaties successful, and what would cause them to be ineffective, or worse, detrimental. We should all be able to agree (based on solid research and evidence), that cybercrime exists, and that, as the Internet knows no legal or national boundaries, that it impacts us all, whether we find ourselves in the Americas, Asia-Pacific Rim, or somewhere in any number of European–Middle Eastern – African nations.
However, though we can agree on the existence and prevalence of cyber-crime globally, what we struggle to do and fail to agree upon is arriving at succinct way in which to address, investigate, and prosecute it on a global level. As such, the need for a truly international legal framework, one which scales and encourages all nations to participate while ensuring that proper recourse is taken and justice is being served without bias is required now more so than ever before in human history. Legislation drafted in a vacuum – regardless of the intentions of those parties responsible for its drafting and creation, will only serve to cloud the already murky waters of prosecution while ultimately negatively impacting the ability of one or many nations to prosecute these types of criminals. A new era in thought and deed is required to usher in a formulaic, repeatable approach to prosecuting those actively involved activities deemed ‘criminal’, while preventing those from considering involvement from getting involved in the first place.
A Farewell to Arms: A New Era in Prosecuting Cyber-Criminals
The first premise of this treatise, I owe to a great conversation I had with Will Gragido of Cassandra Security, Inc. It involves basing the international cybercrime laws I’m referring to above in the RICO statutes of the Untied States of America. The Racketeer Influenced and Corrupt Organizations Act (commonly referred to as RICO Act or RICO) is a United States federal law that provides for extended criminal penalties and a civil cause of action for acts performed as part of an ongoing criminal organization. It was first enacted by section 901(a) of the Organized Crime Control Act of 1970 (Pub.L. 91-452, 84 Stat. 922, enacted October 15, 1970) and is codified as Chapter 96 of Title 18 of the United States Code, 18 U.S.C. § 1961–1968.
Originally, according to Gragido, its authors had envisioned it solely being used in prosecutorial endeavors targeting members of the United States branch of the Italian Mafia known colloquially as La Cosa Nostra. Its use has been realized beyond its initial purpose and continues to be used creatively by law enforcement in prosecuting others who were actively engaged in organized criminal activity. As a result, its application is much more widespread and effective than comparable legislation and traditional, perhaps even out dated, prosecutorial tactics. Were there an equivalent or a porting of the RICO Act to the cyber realm, cyber-law would move forward at the speed of light, thus enabling it to truly meet the needs of the Internet dependent global economy. RICO-like statutes would mean that we could prosecute people who were racketeering and conspiring to perform illegal acts on the Internet (as implied by the basic tenets of the act), in addition to those who knowingly associate with known criminal entities. People like Alberto Gonzalez, who was recently convicted for his instrumental role in the TJX data theft – a theft culminating in excess of 44 million credit cards, could have been stopped while in their planning stages. Legislation such as the type being described here might very well have prevented some other crimes, such as Hannaford, Heartland, 7-11, and countless others.
Tempus Fugit: Time Flies and Waits for No One
We are living in progressive and wondrous times. The passing of the Rockerfeller-Snowe bill within the Congress of the United States of America demonstrates a small, yet important glimpse of just how progressive they are. This bill would permit the United States to apply an enforce sanctions against a nation who knowingly harbors cyber-criminals. Though the bill is well intentioned, and in truth ahead of its time in some respects, it is fatally flawed in many areas not the least of which its failure to approach the importance of geo-presence and location within the legislation. Criminals, as we all know, can hide, spoof, and bounce off many countries while they commit their crimes little effort provided they are well organized and possess a rudimental knowledge of tcp/ip networking and spoofing techniques. As a result we would in many cases find ourselves applying sanctions against mules, hapless redirectors, or a botnet lieutenant guilty of nothing more than having an un-patched system connected via an enterprise or home network, to the internet. I started thinking about how we surf the internet, or in other languages, how we navigate through it. That gave me an idea that I would propose could be a great foundation. We need a RICO-like statute that is based on Admiralty law. I propose calling it Cyber-RICO.
Cyber-RICO: Changing the Rules To Accommodate The Game
One might ask, why Admiralty law? Well, for a variety of reasons. First of all, Admiralty law (sometimes referred to as maritime law) deals with questions and offenses that happen in international waters, and I think that we can draw a solid parallel to the cloud like nature of the Internet and those very real waters. It touches many countries, and we all have a vested interest in protecting it. More importantly, no one nation can lay claim to, nor police international waters, as by definition, they are international and thus the responsibility of all who use and take advantage of them. Think about that for a moment. Who doesn’t use or take advantage of international waters if not directly, than indirectly? International commerce uses these waterways a seaborne transport mechanism for goods and services, much like people the world over use the Internet cloud. And just like on the high seas, where for millennia privateers and pirates have sought to try to take advantage of the open, permeable nature of these waterways, so too in the Internet age have our own pirates (cyber-criminals) and privateers (economically motivated hackers), who have sought to take advantage of the nebulous nature of the Internet.
Back when maritime laws were developed, the principle reason that drove ratification of these multilateral treaties was self-interest. Some nations, such as those that provided safe harbor to the pirates, were hesitant to come adopt them at first. However, when the pirates turned against them, the countries own self-interest quickly encouraged them to ratify and espouse such a law
The basis of maritime law is that any country that has signed the multilateral treaty can involve themselves in the enforcement of the laws. In the same fashion, the Internet Cyber-RICO would give countries the ability to prosecute cybercriminals that commit these crimes on the high seas of the Internet. Even when country boundaries are crossed, international task forces could now work with a common framework of enforcement, such as with the current anti-piracy task forces that are working off the coast of Somalia. They respond to any call for assistance, regardless of the flag that the afflicted vessel is flying. That is the right spirit of the law, and it would work as well as it relates to cybercrime.
