[LINK] Attacks on crucial systems

stephen at melbpc.org.au
Tue May 1 05:02:38 AEST 2012


'Bullet time' to stop cyber attacks on power grids, New Scientist, 30/4/2012, Paul Marks


IN THE MATRIX, the famous "bullet time" effect showed how Keanu Reeves's 
character Neo was able to sway out of the path of incoming bullets, as 
time appeared to slow. 

Now the film has inspired engineers to develop a way to cope with cyber 
attacks on crucial infrastructure, such as electricity grids, water 
utilities and banking networks.

The idea, from security engineers at the University of Tulsa in Oklahoma, 
is to slow down internet traffic, including malicious data, to give 
networks time to deal with attacks. 

To do this, when a cyber attack has been sensed, an algorithm sends 
hyper-speed signals accelerating ahead of the malicious data packets to 
mobilise defences.

"Slowing the malicious traffic by just a few milliseconds will let the 
hyper-speed commands activate sophisticated network-defence mechanisms," 
says Sujeet Shenoi at Tulsa. 

Such measures are needed because cybercriminals increasingly seem to 
target crucial industrial infrastructure. 

In 2010, for example, the Stuxnet worm infected Iran's nuclear programme. 
It was shown to be not so much a typical computer virus as a 
multifunctional weapon that can be reprogrammed to target any crucial 
industry. As industrial systems generally go for many years without 
software upgrades or password changes, they can often be vulnerable to 
such attacks.

Hyper-solution

Hyper-speed signalling could help, says Shenoi, although it would not be 
cheap to convert an existing network into one that can run the Tulsa 
team's algorithm.

The reason? First, a data pathway has to be reserved for the use of 
hyper-speed command-and-control signals during an attack – and that could 
be seen as an expensive waste of capacity. And, when an attack is sensed 
by a scanning firewall-like sensor and the tainted data traffic is slowed 
down, more buffers and storage will be needed to cache the slowed data 
packets now swilling around on the network, otherwise crucial data could 
be lost.

Finally, new defence mechanisms need to be programmed into the network's 
routers, including the ability to inspect, tag and track suspicious 
packets, quarantine the risky ones and protect targeted devices on the 
network (like power grid relays, pump controllers or even 
hole-in-the-wall cash machines).

But hyper-speed signalling is only as good as its threat sensors. The 
system might sense malware program code disguised as text files, say, but 
only if it has prior knowledge of the virus or worm signatures. That 
opens the door to variants it has never seen before – potentially 
allowing a Stuxnet-style attack to be initiated.

One way around this, says Shenoi, is to keep the network in hyper-speed 
mode at all times during, say, a period of international tension when 
cyber attacks could be launched in an initial bout of sabre-rattling at 
any moment. But slowing network speeds is not a great idea for telecoms 
networks that sell their services on the back of their speed capabilities, 
he says.

Another sensing option has been developed, however – with funding from 
the US Department of Energy and Department of Homeland Security – by 
computer scientists at Dartmouth College in New Hampshire and the 
University of Calgary in Alberta, Canada. 

Led by Dartmouth's Jason Reeves, they have developed a way for 
infrastructure to effectively monitor itself. The system is designed to 
raise a flag when out-of-the-ordinary processor behaviour occurs – such 
as running a motor too fast, just as Stuxnet did in 2010.

The team's software monitors the kernel – a chunk of code that mediates 
between the software on one side and the processor and memory on the 
other. 

"We detect changes in the sequence of code the program runs, ones often 
introduced by malicious programs," Reeves says. "We can also verify the 
operating system code to see if it has been modified by malware."

Their system, currently set up for power-grid-embedded computers running 
the Linux operating system, could feasibly trigger the Tulsa team's 
hyper-speed algorithm. "Our system detects the presence of untrustworthy 
behaviour and leaves the response up to the administrator," Reeves says.
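The two checks Reeves describes (an integrity check on the operating-system code and a check that the program's observed execution sequence matches known behaviour) can be sketched as a small host monitor. The following is an added illustration, not the Dartmouth team's code; the kernel bytes, function names and traces are constructed stand-ins for what a real monitor would read from the running system.

```python
import hashlib

# Constructed sample data: a stand-in for the kernel's code section and for
# the sequence of functions a grid control program executes in normal use.
KERNEL_TEXT = bytes(range(64)) * 4
BASELINE_HASH = hashlib.sha256(KERNEL_TEXT).hexdigest()
NORMAL_TRACE = ["read_sensor", "check_limits", "set_speed", "log"] * 3


def code_modified(current_text: bytes, baseline_hash: str) -> bool:
    """Integrity check: has the OS code changed since the baseline was taken?"""
    return hashlib.sha256(current_text).hexdigest() != baseline_hash


def learn_transitions(trace):
    """Learn which function-to-function transitions occur in known-good runs."""
    return set(zip(trace, trace[1:]))


def unseen_transitions(trace, allowed):
    """Return the transitions in a trace that never appeared in training."""
    return [pair for pair in zip(trace, trace[1:]) if pair not in allowed]


def monitor(current_text, trace, baseline_hash=BASELINE_HASH,
            allowed=None):
    """Report findings; the response is left to the administrator."""
    allowed = learn_transitions(NORMAL_TRACE) if allowed is None else allowed
    findings = []
    if code_modified(current_text, baseline_hash):
        findings.append("kernel code hash does not match baseline")
    bad = unseen_transitions(trace, allowed)
    if bad:
        findings.append(f"unexpected execution transitions: {bad}")
    return findings


if __name__ == "__main__":
    # A run that skips the safety check before changing motor speed.
    tampered = ["read_sensor", "set_speed", "log", "read_sensor",
                "check_limits", "set_speed", "log"]
    print(monitor(KERNEL_TEXT, NORMAL_TRACE))   # []
    print(monitor(KERNEL_TEXT, tampered))       # flags read_sensor -> set_speed
```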

International Journal of Critical Infrastructure Protection, Volume 5, 
Issue 1, March 2012, Pages 40–52 
www.sciencedirect.com/science/article/pii/S1874548212000054 
  (and) 
www.newscientist.com/article/dn21756-bullet-time-to-stop-cyber-attacks-on-power-grids.html

--
Cheers,
Stephen
