Tuesday, May 8, 2012

"Cyber" Attacks on America's Pipelines

Disclaimer: I am not a security expert. However, this guy is, and he posted that story just about a week before this one hit the net-waves.

Summary: DHS has issued a statement saying that what it suspects was a single entity ran a series of so-called 'spear-phishing' attacks against companies that control oil pipelines. It is being played up by all the standard press, including that media outlet, as a reason we should pump more money into 'cybersecurity.' This is false. Here's why.

1. This was not a "cyber" attack: it may have been perpetrated by email, but it is essentially fraud. It relies on weaknesses in the humans at these organizations, in an effort to get their passwords and thereby give the attackers access to the corporate networks. 'Phishing' -- the type of attack employed -- is explained aptly by Wikipedia. (In practice a spear-phishing email may also carry a malicious attachment or a link to a fake login page, but the entry point is still a person choosing to trust the message.) Please note the distinction between tricking humans into handing over their passwords and engineering your way into a system by exploiting vulnerabilities in the underlying software.

2. There is simply no reason (a) for people who are unsophisticated enough to fall for phishing scams to hold technically sensitive positions in major critical-infrastructure projects, or (b) for the networks that connect to these infrastructures to be reachable from any machine that is connected to the internet. (a) is a personnel issue. (b) is an engineering issue: it may be convenient to have our nation's infrastructure hooked up to the public internet, but for this extremely obvious reason that convenience is astronomically outweighed by the risks that come with it. We want the folks who control the nation's pipelines to be a bit inconvenienced by physical and technological security protocols before they start tinkering with those control systems.

3. This situation was resolved perfectly well under current law.
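The first point above is that phishing works by fooling a person rather than a program, so the useful defensive check is on the things a person is asked to trust: the display name, the sending domain and the link they are told to click. The following is an added example, not code from the original post; it scores a message on those three fields. The trusted company domain (examplepipeline.com), the lookalike domain and the two sample messages are constructed for the example.

```python
"""Heuristic checks on the sender fields of a suspected spear-phishing mail.

Added example; not part of the original post. The trusted-domain list and
both sample messages below are constructed for illustration.
"""
import email
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the target company's real mail domain.
TRUSTED_DOMAINS = {"examplepipeline.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Split an address header into (display name, lowercase domain)."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates (within 2 edits), else None."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= 2:
            return t
    return None


def analyze(raw_message):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message)
    findings = []
    name, from_domain = sender_domain(msg.get("From", ""))
    _, reply_domain = sender_domain(msg.get("Reply-To", ""))

    # Replies silently redirected to a third domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Sending domain is a near-copy of the real one.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain} is a lookalike of trusted {target}")

    # Display name claims the company while the address lives elsewhere.
    for t in TRUSTED_DOMAINS:
        org = t.split(".")[0]
        if org in name.lower() and from_domain not in TRUSTED_DOMAINS:
            findings.append(f"Display name '{name}' claims {org} but address is at {from_domain}")

    # Links in the body that point at a lookalike host (credential harvesting).
    body = msg.get_payload() if not msg.is_multipart() else ""
    for word in body.split():
        if word.startswith("http"):
            host = (urlparse(word).hostname or "").lower()
            if lookalike_of(host):
                findings.append(f"Link host {host} is a lookalike of a trusted domain")
    return findings


# Constructed sample: a credential-phish aimed at a pipeline operator.
SAMPLE_PHISH = """From: ExamplePipeline IT Helpdesk <helpdesk@examp1epipeline.com>
Reply-To: helpdesk@mail-reset-portal.net
To: operator@examplepipeline.com
Subject: Password expiry - action required

Your SCADA portal password expires today. Log in at
http://examp1epipeline.com/reset to keep access.
"""

# Constructed sample: ordinary internal mail.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@examplepipeline.com>
To: operator@examplepipeline.com
Subject: Shift handover notes

Notes attached, see you Monday.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

The checks are deliberately cheap string comparisons; none of them requires an exploit or a vulnerability to exist, which is the author's point that this class of attack is aimed at the reader, not the software.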

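Point 2(b) is a design question: can anything on the internet reach the control network at all, and can an operator get there without passing through a controlled choke point? The following is an added example, not code from the original post; it models firewall policy as allowed flows between network zones and answers both questions by graph reachability. The zone names (internet, corp, jumphost, ics, historian) and both rule sets are constructed for the example; the "segmented" set follows the common pattern of a jump host in a DMZ in front of the control network and a historian that the control network pushes data into but never reads from.

```python
"""Zone-reachability audit for a control-network design.

Added example; not part of the original post. Zone names and rule sets are
constructed for illustration; rules are (source_zone, destination_zone)
pairs meaning "source may initiate connections to destination".
"""
from collections import deque

# Weak design: the corporate LAN is reachable from the internet and the
# control network is just another segment of that LAN.
FLAT_RULES = [
    ("internet", "corp"),
    ("corp", "internet"),
    ("corp", "ics"),
    ("ics", "corp"),
]

# Corrected design: nothing on the internet may initiate into any zone,
# operators reach ICS only via the jump host, and ICS only pushes to a
# historian that corp reads from.
SEGMENTED_RULES = [
    ("corp", "internet"),
    ("corp", "jumphost"),
    ("jumphost", "ics"),
    ("ics", "historian"),
    ("corp", "historian"),
]


def reachable_path(rules, src, dst):
    """Breadth-first search over allowed flows; returns a zone path or None."""
    adj = {}
    for s, d in rules:
        adj.setdefault(s, []).append(d)
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in adj.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(rules, critical="ics", untrusted="internet", users="corp", jump="jumphost"):
    """Return the list of policy violations for a rule set (empty = clean).

    Three properties are checked: no inbound path from the untrusted zone to
    the critical zone, no outbound path from the critical zone to the
    untrusted zone, and no path from the user zone to the critical zone
    that survives removing the jump host (i.e. no bypass of the choke point).
    """
    problems = []
    p = reachable_path(rules, untrusted, critical)
    if p:
        problems.append("inbound: " + " -> ".join(p))
    p = reachable_path(rules, critical, untrusted)
    if p:
        problems.append("outbound: " + " -> ".join(p))
    # Cut the jump host out of the graph; if users still reach ICS, a bypass exists.
    without_jump = [(s, d) for s, d in rules if jump not in (s, d)]
    p = reachable_path(without_jump, users, critical)
    if p:
        problems.append("bypasses jump host: " + " -> ".join(p))
    return problems


if __name__ == "__main__":
    print("flat:     ", audit(FLAT_RULES))
    print("segmented:", audit(SEGMENTED_RULES))
```

Removing the jump host and re-running the search is the key step: checking only the shortest path would miss a longer route around the choke point, whereas a cut test answers "does every path go through it" directly.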
So, in totality, my opinion is that our system is working just fine, that this 'crime' was not so cyber, and that the 'solution' (if there can be one to a problem I believe is largely illusory) is to make sure critical infrastructure systems are not on the web. To bring it back full-circle, here is Schneier 're-tweeting' a NYTimes Guest Piece about the overblown threat of cybercrime.
