Archive for the ‘cybersecurity’ Category

NIST guidelines for smart grid cybersecurity, 2/15/11 UMBC

Tuesday, January 25th, 2011

The North American electric power system has been called the world’s largest interconnected machine and is a key part of our national infrastructure. The power grid is evolving to better exploit modern information technology and become more integrated with our cyber infrastructure. This presents unprecedented opportunities for enhanced management and efficiency but also introduces vulnerabilities for intrusions, cascading disruptions, malicious attacks, inappropriate manipulations and other threats. Similar issues are foreseen for other cyber-physical infrastructure systems including industrial control systems, transportation, water, natural gas and waste disposal.

A one-day Smart Grid Cyber Security Conference will be held at UMBC on February 15, hosted by the UMBC Computer Science and Electrical Engineering Department and Maryland Clean Energy Technology Incubator. The conference will be a comprehensive presentation by the National Institute of Standards and Technology regarding an Inter-agency Report 7628 (NISTIR 7628) named Guidelines for Smart Grid Cyber Security which is a critically important document for guiding government, regulatory organizations, industry and academia on Smart Grid cybersecurity. This regional outreach conference is valuable to any organization that is planning, integrating, executing or developing cyber technology for the Smart Grid.

The conference is free, but participants are asked to register in advance to help us organize for the correct number of participants.

A full copy of the 600-page report is available here.

JASON report on the Science of Cyber-Security

Monday, December 20th, 2010

The DoD-sponsored JASON study group was asked to consider the question of whether there is a ‘science’ to cyber-security or if it is fundamentally empirical. They released an 88-page report last month, Science of Cyber-Security with the following abstract:

“JASON was requested by the DoD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied. Our study identified several sub-fields of computer science that are specifically relevant and also provides some recommendations on further developing the science of cyber-security.”

The report discusses two general technical approaches to putting cyber-security on a scientific foundation. The first is based on the standard collection of frameworks and tools grounded in logic and mathematics, such as cryptography, game theory, model checking and software verification. The second grounds cyber-security in a model analogous to immunology in biological systems.

It concludes with some observations, recommendations and responses to nine questions that were included in their charge. One interesting observation is that cyber-security, unlike the physical sciences, involves adversaries, so its foundation will use many different tools and methods. A recommendation is that the government establish cyber-security research centers in universities and other research organizations with a “long time horizon and periodic reviews of accomplishments”.

Tech Council of MD CyberMaryland Forum, Wed AM 12/08/2010

Friday, December 3rd, 2010

The Tech Council of Maryland is the state’s largest technology trade association and has more than 500 members. It is sponsoring a series of meetings on cyber security:

“Understanding that the conversation about cyber security needs to continue among all stakeholders, the Tech Council of Maryland is moving its CyberMaryland Forum throughout the state. The Forum is open to anyone with an interest in the cyber security industry.”

The next CyberMaryland Forum meeting will be held this coming Wednesday morning at UMBC:

“The next meeting of the CyberMaryland Forum will be held on Wednesday December 8, 2010 from 8:30 to 11:30 am at the University of Maryland, Baltimore County. Our content will cover the latest developments in the state’s initiative to be the “Epicenter for Information Security and Innovation”, the development of the UMBC/Northrop Grumman Cyber Incubator program to help grow fledgling cyber security companies and other hot topics in the cyber security industry. To learn more about the CyberMaryland Forum, contact Mark Glazer at 240-243-4045 or

The Tech council encourages UMBC faculty, staff and students to participate and is waiving the registration fee for the UMBC community. The meeting will be held in the main conference room at UMBC’s South Campus Technology Center at 1450 South Rolling Road.

Security of Industrial Control Systems: How is it Different from IT Cyber Security

Friday, November 19th, 2010

The Maryland Clean Energy Technology Incubator is holding a special conference on Security of Industrial Control Systems: How is it Different from IT Cyber Security? on Tuesday 14 December 2010. The conference will be held in the main conference room at the bwtech@UMBC research and technology park’s south campus facility.

The one-day conference will discuss issues and solutions to deal with cyber threats to our industrial control systems used in operating our critical infrastructure: electric grid, water distribution, transportation system, and chemical process industry. Speakers will include leaders in the fields of industrial control systems and IT cybersecurity from Applied Control Solutions, UMBC, NIST, Washington Suburban Sanitary Commission, MITRE, Federal Energy Regulatory Commission and Fortinet.

The meeting will end with a discussion of the formation of a new group from academia, industry, and government with the objective of creating the skills, products and services needed to effectively deal with cyber threats to our industrial control systems.

How the DC Internet voting pilot was hacked

Wednesday, October 6th, 2010

University of Michigan professor J. Alex Halderman explains how his research group compromised the Washington DC online voting pilot in his blog post, Hacking the D.C. Internet Voting Pilot.

“The District of Columbia is conducting a pilot project to allow overseas and military voters to download and return absentee ballots over the Internet. Before opening the system to real voters, D.C. has been holding a test period in which they’ve invited the public to evaluate the system’s security and usability. … Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots. In this post, I’ll describe what we did, how we did it, and what it means for Internet voting.”

The problem was a shell-injection vulnerability in the procedure used to upload absentee ballots: the uploaded file’s name was handled in a way that let attacker-controlled text reach a shell command. Halderman concludes:

“The specific vulnerability that we exploited is simple to fix, but it will be vastly more difficult to make the system secure. We’ve found a number of other problems in the system, and everything we’ve seen suggests that the design is brittle: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I’m confident that we would have found another way to attack the system.”
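The class of bug described above, an upload handler that passes a client-supplied file name to a shell, is easiest to understand next to its fix. The following Python is an added illustration written for this page, not the D.C. pilot’s code or Halderman’s; the function names, the `gpg --encrypt` step and the allow-listed `.pdf` extension are assumptions chosen for the example. The vulnerable variant only builds the command string it would run, so the flaw can be inspected without executing anything; the hardened variant allow-lists the extension, discards the client’s name in favour of a server-generated one, and invokes the tool with an argument list so no shell ever parses it.

```python
import re
import subprocess
import tempfile
import uuid
from pathlib import Path

# Constructed, illustrative settings; nothing here is from the D.C. pilot.
ALLOWED_EXTENSIONS = {".pdf"}
UPLOAD_DIR = Path(tempfile.gettempdir()) / "ballot_uploads_example"

# Characters that have special meaning to a POSIX shell.
_SHELL_METACHARS = re.compile(r"""[;&|`$()<>'"\\\s]""")


def has_shell_metacharacters(name: str) -> bool:
    """Defense-in-depth check: does a client-supplied name contain shell syntax?"""
    return _SHELL_METACHARS.search(name) is not None


def vulnerable_encrypt_command(uploaded_name: str) -> str:
    """Build the shell command the way a naive upload handler might: the
    client-supplied file name is interpolated straight into a shell string.
    The string is returned, not executed, so the flaw can be shown safely.
    Anything after a ';' in the name would run as a second command."""
    return f"gpg --encrypt --recipient board ballot_uploads/{uploaded_name}"


def hardened_store_and_encrypt(uploaded_name: str, data: bytes, run=subprocess.run) -> str:
    """Accept an upload only if its extension is on the allow-list, never let
    the client's name reach a shell, and call the tool with an argument list.
    `run` is injectable so the behaviour can be exercised without gpg present.
    Returns the server-generated name under which the upload was stored."""
    ext = Path(uploaded_name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected upload: extension {ext!r} not allowed")
    if has_shell_metacharacters(uploaded_name):
        # Not strictly needed once the name is discarded, but cheap to refuse.
        raise ValueError("rejected upload: file name contains shell metacharacters")

    # Server-generated name: the client-controlled string is discarded entirely.
    safe_name = f"{uuid.uuid4().hex}{ext}"
    UPLOAD_DIR.mkdir(parents=True, exist_ok=True)
    dest = UPLOAD_DIR / safe_name
    dest.write_bytes(data)

    # List form: the arguments go straight to execve, no shell is involved.
    argv = ["gpg", "--encrypt", "--recipient", "board", str(dest)]
    run(argv, check=True)
    return safe_name


if __name__ == "__main__":
    hostile = "ballot.pdf; echo injected"
    print("naive handler would run:", vulnerable_encrypt_command(hostile))
    try:
        hardened_store_and_encrypt(hostile, b"%PDF-1.4 constructed sample")
    except ValueError as exc:
        print("hardened handler:", exc)
```

The point of the pair is that escaping the name would only patch the symptom; the durable fix is that the client never chooses a string that reaches a command interpreter at all.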

Stuxnet worm update

Tuesday, October 5th, 2010

From slashdot earlier today:

“Numerous Stuxnet related stories continue to flow through my bin today, so brace yourself: Unsurprisingly, Iran blames Stuxnet on a plot set up by the west designed to infect its nuclear facilities. A Symantec researcher analyzed the code and put forth attack scenarios. A threatpost researcher writes about the sophistication of the worm. Finally, Dutch multinationals have revealed that the worm is also attacking them. We may never know what this thing was really all about.”

Stuxnet questions and answers from F-Secure

Friday, October 1st, 2010

If you are interested in the Stuxnet worm, take a look at this blog post from F-Secure Labs, Stuxnet Questions and Answers. It’s relatively free of overventilation and speculation. F-Secure is a Finnish company specializing in anti-virus and computer security software. Here’s an intriguing example from the post that does speculate a bit.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value “19790509” as an infection marker.

Q: What’s the significance of “19790509”?
A: It’s a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it’s the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Hat tip HN.

Update: Another good resource is Symantec’s W32.Stuxnet Dossier.

“While the bulk of analysis is complete, Stuxnet is an incredibly large and complex threat. The authors expect to make revisions to this document shortly after release as new information is uncovered or may be publicly disclosed. This paper is the work of numerous individuals on the Symantec Security Response team over the last three months well beyond the cited authors. Without their assistance, this paper would not be possible.”
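An infection marker like the one in the F-Secure Q&A above is also a detection opportunity. The post gives only the value, not the key path, so the scanner below walks every value in an exported registry file rather than looking at one known key. This is an added example written for this page, not F-Secure’s or Symantec’s tooling; the `.reg` export is constructed, the key paths in it are invented, and flagging both the string form and DWORD encodings of the digits is an assumption made so that either way of storing the marker is caught.

```python
import re

# The digits named in the F-Secure post as the infection marker.
MARKER_TEXT = "19790509"
MARKER_DECIMAL = 19790509   # the digits read as a decimal number
MARKER_HEXDIGITS = 0x19790509  # the digits read as hex, e.g. "dword:19790509"

# Constructed sample of a Windows .reg export; the keys are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"InstallDate"="20100615"
"Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Other]
"MarkerString"="19790509"
"MarkerDecimal"=dword:012dfaad
"MarkerHex"=dword:19790509
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def data_matches_marker(data: str) -> bool:
    """True if one value's data field, as written in a .reg export, is the marker."""
    data = data.strip()
    if data.startswith("dword:"):
        number = int(data[len("dword:"):], 16)  # .reg writes DWORDs as 8 hex digits
        return number in (MARKER_DECIMAL, MARKER_HEXDIGITS)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1] == MARKER_TEXT
    return False  # binary, expandable strings etc. are not considered here


def find_marker_values(reg_text: str):
    """Return (key_path, value_name) pairs whose data equals the marker."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key and data_matches_marker(value_match.group("data")):
            hits.append((current_key, value_match.group("name")))
    return hits


if __name__ == "__main__":
    for key, name in find_marker_values(SAMPLE_REG_EXPORT):
        print(f"marker value found: {key}\\{name}")
```

A value match on its own is a lead, not a verdict; the key it sits under and the surrounding indicators from the Symantec dossier decide whether it is the worm’s marker or a coincidence.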

Is Stuxnet a cyber weapon aimed at an Iranian nuclear site?

Thursday, September 23rd, 2010

There have been reports over the past weeks about Stuxnet, a new malware system that experts say is designed to seek out and damage certain kinds of industrial sites. Some argue that it has already hit and damaged its target.

The Christian Science Monitor published a good overview earlier this week.

“Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran’s Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.”

The computer security company Symantec has been tracking it for a while and reported back in August that Stuxnet differs from typical Windows-oriented malware in that it is designed to infect the Programmable Logic Controllers used in industrial control systems.

“As we’ve explained in our recent W32.Stuxnet blog series, Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Previously, we reported that Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.”

Symantec’s analysis of where Stuxnet has been found supports the theory that it was intended for targets in Iran, as the following map illustrates.

Security expert Frank Rieger writes that Stuxnet is exceptionally well designed and written and starts out on infected USB sticks.

“stuxnet is a so far not seen publicly class of nation-state weapons-grade attack software. It is using four different zero-day exploits, two stolen certificates to get proper insertion into the operating system and a really clever multi-stage propagation mechanism, starting with infected USB-sticks, ending with code insertion into Siemens S7 SPS industrial control systems. One of the Zero-Days is a USB-stick exploit named LNK that works seamlessly to infect the computer the stick is put into, regardless of the Windows operating system version – from the fossil Windows 2000 to the most modern and supposedly secure Windows 7.”

Rieger further argues that the evidence suggests Stuxnet is targeted not at Iran’s Bushehr reactor but at the uranium enrichment plant in Natanz, and that it has already achieved success. To support the last conclusion, he cites a note on Wikileaks about “a serious, recent, nuclear accident at Natanz” in July 2010.

Google, China and Cyber-security

Sunday, September 12th, 2010

The US Army War College publishes Parameters as the “US Army’s Senior Professional Journal”. The summer issue has an article by Fort Leavenworth analyst Timothy L. Thomas, Google Confronts China’s Three Warfares, that discusses alleged recent Chinese hacking attacks on Google, censorship, Google’s reactions, and other related events. His article concludes:

“The Chinese probes of the world’s cyber domains have not ceased. Recently, Canadian researchers uncovered a massive Chinese espionage campaign targeting India. In their report, Shadow Network, they outlined the massive campaign emanating from Chengdu, China that harvested a huge quantity of data from India’s military and commercial files. China’s activities against Google and India (and their reconnaissance activities in general) portend a much broader pattern, a long-term strategy to hold military and economic assets of various nations hostage. There are a number of Chinese books that support this supposition. Gaining the high ground in international digital competition is becoming a national objective for the Chinese. China’s previous activities certainly afford them a political advantage in any future conflict.”

UMBC cyber defense team seeks new members

Thursday, September 9th, 2010

UMBC’s Cyber Defense Team is looking for new members. In spring 2010 the team competed in the regional Collegiate Cyber Defense Championship for the east coast. In this competition, each team defended a mock corporate network against a horde of professional hackers in a fast-paced, real-time event over the course of two days. The competition is also a great way to network with government agencies and key companies in the security industry.

The UMBC Cyber Defense Team provides a great opportunity to gain practical, hands-on experience in information security, intrusion detection, cybersecurity, and network security. The team practices both penetration and defense of isolated networks similar to real business environments. The group will give introduction presentations 12-1pm on Wednesday, September 15th in ITE 201b and 1-2pm on Thursday, September 16th in ITE 325b.

No experience is required, but you should be motivated to learn about computer networks and systems security. Contact Justin McMillion at jmcmil1 @ for more information.