Security

Is Analog the Fix For Cyber Terrorism?

chicksdaddy writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls 'analog hard stops' to cyber attacks. Langner cautions against the wholesale embrace of digital systems by stating the obvious: that 'every digital system has a vulnerability,' and that it's nearly impossible to rule out the possibility that potentially harmful vulnerabilities won't be discovered during the design and testing phase of a digital ICS product. ... For example, many nuclear power plants still rely on what is considered 'outdated' analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) could offer support for (or at least openness to) analog components as a backstop to advanced cyber attacks, which could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."
Or maybe you could isolate control systems from the Internet.
This discussion has been archived. No new comments can be posted.

  • Re:sure, no problem (Score:5, Interesting)

    by phantomfive ( 622387 ) on Tuesday March 18, 2014 @12:22AM (#46513463) Journal

    said the person volunteering to get up at 3 am to go to the office to reset the a/c system.

    I can't speak for everyone, but I would rather pay extra for someone to be willing to do that (or do it myself, it shouldn't be a common situation) before I connect important systems to the internet.

    Having an air gap isn't a perfect solution, but it makes things a lot harder for attackers.

  • Re:sure, no problem (Score:5, Interesting)

    by mlts ( 1038732 ) on Tuesday March 18, 2014 @12:30AM (#46513489)

    As a compromise, one can always do something similar to this:

    1: Get two machines with an RS232 port. One will be the source, one the destination.

    2: Cut the wire on the serial port cable so the destination machine has no ability to communicate with the source.

    3: Have the source machine push data through the port, destination machine constantly monitor it and log it to a file.

    4: Have a program on the destination machine parse the log and do the paging, etc. if a parameter goes out of bounds.

    This won't work for high data rates, but it will sufficiently isolate the inner subsystem from the Internet while providing a way for data to get out in real time. Definitely not immune to physical attack, but it will go a long ways to stopping remote attacks, since there are no connections that can be made into the source machine's subnet.
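
An added sketch of the destination-side parser from steps 3 and 4 of the comment above; it is not part of the original post. The frame format (`seq,tag,value*crc32`), the tag names and the limits are assumptions made for this example. Because the receive line is cut, the source can never be asked to resend, so each frame carries a sequence number and a CRC that let the destination detect loss and corruption on its own.

```python
import zlib

# Hypothetical alarm limits per tag (low, high); not from the original post.
LIMITS = {"room_temp_c": (10.0, 30.0), "supply_v": (22.0, 26.0)}

def encode_frame(seq, tag, value):
    """Source side: 'seq,tag,value*crc32hex'. The sender never hears back,
    so every frame carries what the receiver needs to judge it alone."""
    payload = f"{seq},{tag},{value:.2f}"
    return f"{payload}*{zlib.crc32(payload.encode()):08x}"

def parse_frame(line):
    """Return (seq, tag, value), or None if the frame is damaged."""
    payload, sep, crc = line.strip().rpartition("*")
    if not sep:
        return None
    try:
        if int(crc, 16) != zlib.crc32(payload.encode()):
            return None
        seq, tag, value = payload.split(",")
        return int(seq), tag, float(value)
    except ValueError:
        return None

def monitor(lines, limits=LIMITS):
    """Destination side: turn received lines into a list of alert strings."""
    alerts, last_seq = [], None
    for line in lines:
        frame = parse_frame(line)
        if frame is None:
            alerts.append("CORRUPT frame dropped")
            continue
        seq, tag, value = frame
        # No retransmit exists on a cut-RX link: a gap means lost data.
        if last_seq is not None and seq != last_seq + 1:
            alerts.append(f"GAP seq {last_seq + 1}..{seq - 1} missing")
        last_seq = seq
        if tag not in limits:
            alerts.append(f"UNKNOWN tag {tag!r}")
            continue
        low, high = limits[tag]
        if not low <= value <= high:
            alerts.append(f"OUT_OF_BOUNDS {tag}={value} (allowed {low}..{high})")
    return alerts

# Constructed sample stream: frame 3 is lost, frame 4 is damaged in transit.
SAMPLE = [encode_frame(1, "room_temp_c", 21.5), encode_frame(2, "room_temp_c", 34.2),
          encode_frame(4, "supply_v", 24.0).replace("24.00", "29.00"),
          encode_frame(5, "supply_v", 24.1)]

if __name__ == "__main__":
    print("\n".join(monitor(SAMPLE)))
```

A link that goes silent looks the same as a quiet healthy one, so a deployment would also raise an alarm when no valid frame arrives within a deadline.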

  • by johnnys ( 592333 ) on Tuesday March 18, 2014 @02:14AM (#46513829)

    "obvious: that 'every digital system has a vulnerability,' "

    So far, this has been demonstrated (NOT proven) only in the current environment where hardware and software architects, developers and businesses can get away from product liability requirements by crafting toxic EULAs that dump all the responsibility for their crappy designs and code on the end user. If the people who create our digital systems had to face liability as a consequence of their failure to design a secure system, we may find they get off their a**es and do the job properly. Where's Ralph Nader when you need him?

    And as the original poster noted, you CAN isolate the control systems from the Internet! Cut the wire and fire anyone who tries to fix it.

    "analog protection systems have one big advantage over their digital successors: they are immune"

    Nonsense! There were PLENTY of breakins by thieves into banks, runaway trains, industrial accidents and sabotage BEFORE the digital age. There was no "golden age" of analog before digital: That's just bullsh*t.

  • Re:sure, no problem (Score:5, Interesting)

    by thegarbz ( 1787294 ) on Tuesday March 18, 2014 @05:40AM (#46514403)

    This is why security should be a system and not an airgap. The idea that a computer should not be on the internet and patting yourself on the back for the idea and calling it a job well done is almost becoming a slashdot meme.

    Never underestimate what bored shift workers do during night shift. We had one group of people figure out how to watch a divx movie on the screen of an ABB Gas Chromatograph.

    The problem is more social than technological.

  • by thegarbz ( 1787294 ) on Tuesday March 18, 2014 @06:24AM (#46514515)

    Simplifying the hardware down to fixed-function IC or analog reduces the attack surface much more than attempts to isolate the hardware from the Internet.

    It also dramatically reduces the functionality. You've saved yourself from hackers only to get undone by dangerous undetected failure of instrumentation. Anyone who boils a security argument down to stupefying everything has missed a world of advancements which have come from the digital world. Thanks but no thanks. I'm much more likely to blow up my plant due to failed equipment than due to some hacker playing around.

  • Re:sure, no problem (Score:4, Interesting)

    by AmiMoJo ( 196126 ) * on Tuesday March 18, 2014 @08:19AM (#46514803) Homepage Journal

    Or, perhaps you need to design the HVAC system to take only the simplest of input from Internet-connected machines through interfaces like RS-422, and to otherwise use its not-connected, internal network for actual major connectivity.

    I used to do software for fire alarm systems and heard a story about this. A shopping centre wanted to have a remote monitoring and reset system. All it could do was read the indoor temperature or reset the system. RS-485 link to a dedicated PC, firewalled with just the remote management service exposed to the LAN. Access was by using a VPN connection to the LAN.

    One day they noticed that the system was stuck in some kind of reset loop. Seems someone found a way in and caused the machine it was connected to to keep sending reset commands. It must have happened some time in the night, and by the time they figured out what was going on the next day a couple of the motorized vents and one fan had failed due to the motors overheating. Every time the reset command was sent they did a self test where they exercised their motors.

    The suspicion was that this was a distraction to cover up whatever else they were doing inside the network. Not being close to it I never found out the full story, but it just shows that even a simple reset command can cause significant damage if abused.

  • by nukenerd ( 172703 ) on Tuesday March 18, 2014 @09:44AM (#46515303)

    I am a nuclear power station engineer, in fact I am in line of signing off everything that might affect plant safety. I recognise most of what you say, such as the plant not relying on any one safety system, but on two or even three (depending on potential severity) independent and differently designed control systems (not counting the human watchkeepers) - the jargon being "redundancy and diversity". An earlier poster implied that a digital system would save people being called out of bed at 3 am for a plant event, but on my nuclear plants this would happen anyway. The station manager would certainly be called up for a plant trip (at the very least because he would want to know about it), as would several other personnel, even though safe shut-down would not depend on their presence as it would be done automatically anyway.

    However, the plant operators are engineers (this is the UK) and the senior ones and fast-track juniors have degrees (though a degree does not mean so much these days), even though the Operating Department is separate from the Engineering Department. Personnel do move from one to the other, and it is expected that even senior management will have had at least a few months' experience "on the desk" (i.e. in the Control room).

    There is no way whatsoever, no-how, any-which-way-but-loose (how else can I say it?) that these systems would have any connection to the outside world or even within the plant itself to other than the essential control panels.

    There is however a problem with modern "smart" devices such as thermocouple local amplifiers/transmitters with microchips in them. This is that we don't always know how they are programmed. I am not talking about malware, but simply the programmer making errors (or well-meaning assumptions) such as buffer overflow after a certain future date. For this reason we prefer the old-fashioned analog versions of devices at this level.
