At a recent security conference, Michael Welch, the deputy assistant director of the FBI's Cyber Division, gave a speech in which he discussed the issue of SCADA security.
Information Age magazine reported on his speech and quoted Welch as saying:
"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city,"
We don’t know which cities Welch is referring to, but this does bring more light to a subject that has been mired in confusion of late.
Many argued that the threat to SCADA systems was being exaggerated after it became public that the reported water treatment attack in Springfield, IL was a false alarm.
That, of course, ignores the attack by pr0f on the City of South Houston's systems and the three cities Welch referred to.
It's great that Welch acknowledges the work we have to do in this area; he even went so far as to suggest the FBI will double the size of its Cyber Division in the next 12 to 18 months.
Sound too good to be true? Then it probably is.
A story on PoliceLedIntelligence.com shows the FBI’s budget for Cyber will increase by $19.6 million, or approximately 12 percent.
The majority of the funding increase will be used to expand their operation from 8 hours/5 days to 24 hours/7 days.
They even explained this to Congress, justifying their need for the funds:
"Because threat actors operate globally, a significant volume of cyber threat activity occurs outside of normal business hours."
I am not sure how traditional crime fighting works, but it would seem a Monday to Friday 8 to 5 operation would not work for anyone taking the job seriously.
A doubling of the FBI's Cyber Division would be a welcome step towards more criminals getting their well-earned punishments, but I don't see how a 12 percent increase is going to get us there.
Don't be discouraged, though: if you are a victim of an online crime, you should continue to report it to your local law enforcement and, if you live in the US, to the Federal Trade Commission.
Who knows, you might be the next victim who gets compensated when the FBI gets around to catching these guys.
I love the post, Chester (small pedantic correction, it's $18.6m, not $19.6m, probably a typo). Thanks for the reference, and we agree of course that anyone serious about investigating cyber crime would work outside 8-5, M-F.
I would like to talk about the basis for your call here for doubling of the FBI's cyber budget – without metrics on which to base the budget, I'd say twice stupid is still stupid. The percentage of the overall FBI budget spent on cyber is still basis-points. And this is an area in which the FBI not only claims expertise but also one in which it jealously defends "its" turf – any other agency except one trying to investigate a cyber crime or incident on behalf of a victim ultimately comes across the FBI, with its FBI-from-Central-Casting approach to taking over your investigation (See any episode of The Streets Of San Francisco for further information). The only agency which has a shot is the US Secret Service, but the lines between when one takes over and the other one leaves are far – oh, very far – from clear.
So I'm not arguing with your logic, but I am saying that doubling the budget, while a bold statement, is ultimately just that – a statement, not a meaningful counter to the rapidly growing cyber threat. That is why Dave and I, and other law enforcement officers (including, satisfyingly, some line FBI agents and at least one former agent), DAs and commercial enterprise security folks believe that FBI management must be given metrics on which they can base rational budget decisions. We don't know – and frankly I think we know more than FBI management, but still, we don't know – just how much money would be a reasonable investment on behalf of taxpayers; how much money SHOULD be spent to combat this problem.
We should, you know, like, find out.
Thanks so much for your post.
Great job showing typical false bravado front when scared to death. One major problem with reporting anything to Low Enforcement is that they themselves are complicit in doing cyber-terrorism. It's okay when they break ANY/ALL laws but not the reverse.
Money well spent may also be getting regulations created to ensure SCADA software developers have to keep their software up to date. Creating a build 10 years ago then prohibiting patches is plain criminal. Have a revolving certification program for the software to meet. If it doesn't meet the current certification the software must never have any outside contact, including internet connections, USB sticks, etc. Include real penalties for non-compliance.
Throwing money at law enforcement is a uniquely American panacea for all manner of society's ills. However, as anyone who's visited an airport lately knows, what we have purchased with our billions is a police state providing the illusion of security (and in a recent debacle, passenger safety from a concealed colostomy bag.) To many, increasing law enforcement's budget gives the impression that politicians and bureaucrats are "doing something" proactive about a serious problem, but experience proves this impression false.
Cybercrime bears little relation to violent crime like a burglary, a mugging, or a robbery. Cyber "criminals" move electrical signals along the public network from one computer to another. They perform this crime without ever coming in contact with a "cracked" computer. They leave no fingerprints or other forensic evidence, and because of the packetized nature of IP communications and the widespread use of proxy servers, their footprints are impossible to trace.
Yet, the FBI's AD in charge of cybercrime talks of a 24 hour-a-day effort for addressing this problem.
There's an old adage in engineering that goes like this:
"When all you have is a hammer, everything looks like a nail."
This proposed solution of throwing another 18.6 million (or 19.6 million) will create plenty of hammers, no doubt, but have we localized the nature of the problem to an excess of nails?
SCADA (a buzzword undefined by this article) is normally an acronym meaning Supervisory Control and Data Acquisition, which is an adjunct computer system for monitoring mission critical control software. That mission critical software may itself be considered as SCADA.
In the opinion of many in the business now known as "IT", the answer to protecting mission critical software is itself an outer, protective ring of SCADA. For instance, a firewall is a simple SCADA system. It monitors TCP/IP packets into a subnetwork, passing only those packets meeting certain criteria (Supervisory Control), and reports its activities in a variety of protocols, usually a TCP based service called Syslog (Data Acquisition).
SCADA can monitor essential systems 24/7, without the intervention of human operatives. Most SCADA systems have so-called high and low water marks of activity that will trigger alarms meant to induce human intervention. In other words, if a critical system is operating outside of the norm, SCADA will alert an operator to take corrective steps.
We're not talking of Kubrick's HAL9000 computer of 2001: A Space Odyssey here, but of standard industry practice that's been in existence for over 10 years, using off-the-shelf silicon-based components.
The problems involved in protecting a mission critical control program from outside interference or "cracking" involve controlling unauthorized user access to the systems involved. Keys, passwords, or magic words all have flaws in providing unbreachable security for critical systems.
From a security consultant's standpoint, there is NO VALID REASON for mission critical systems to be connected to the public network. Period. Violation of this principle is at the crux of the SCADA hacking.
If the mission critical control system has no network address, it is invisible and therefore does not exist to a cracker sitting in Eastern Europe, China, the Middle East, or any other location where malicious gremlins may live.
The answer to the problem of critical SCADA cracking is in layered security. That begins with a strong lock on the door of the computer center, a barbed-wire fence around that building, a security patrol around the fence, and multiple layers of electronic monitoring and access control systems placed around the mission critical software by a capable security professional.
None of this has anything to do with law enforcement, but is the responsibility of the facility operator and his or her chosen professional staff.
According to my high school civics class, the job of law enforcement begins when a crime is committed. 9/11 did not suspend the US Constitution, in spite of the efforts of government to do so with Patriot I and Patriot II.
Give us guidelines — functional specifications if you will, but leave data security to data security professionals, and we'll leave the apprehension of criminals to the FBI.
Deal?
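The high and low water-mark alarming the comment above describes (a reading leaving its normal band should raise an alarm that brings an operator in), as an added example that is not part of the original post or of any comment. It goes a little beyond the comment: it adds a debounce count so a single transient sample does not alarm, a deadband so a reading hovering at the limit does not chatter, and a staleness check so loss of data acquisition is itself alarmed. The tag name, limits and sample readings are constructed for illustration.

```python
"""Added example (not from the post or its comments): high/low water-mark
alarming over constructed tank-level telemetry. Tag name, limits and the
sample values are made up for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Limits:
    low: float
    high: float
    deadband: float = 0.0  # hysteresis: how far back inside the limit before clearing
    debounce: int = 1      # consecutive out-of-range samples required before raising
    max_gap: float = 60.0  # seconds without a reading before the tag is declared stale


@dataclass
class TagMonitor:
    tag: str
    limits: Limits
    state: str = "NORMAL"          # NORMAL, HIGH or LOW
    streak: int = 0                # consecutive out-of-range samples seen so far
    last_ts: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def _emit(self, ts: float, kind: str, detail: str) -> str:
        msg = f"t={ts:.0f} {kind} {self.tag} {detail}"
        self.log.append(msg)
        return msg

    def feed(self, ts: float, value: float) -> Optional[str]:
        """Process one sample; return the alarm/clear message raised, if any."""
        lim = self.limits
        stale = self.last_ts is not None and ts - self.last_ts > lim.max_gap
        self.last_ts = ts
        if stale:
            # Loss of data acquisition deserves an operator's attention as much as
            # a bad value does: a dead sensor or a cut link looks like silence.
            return self._emit(ts, "ALARM", f"STALE gap>{lim.max_gap:.0f}s value={value}")
        if self.state == "NORMAL":
            cand = "HIGH" if value > lim.high else "LOW" if value < lim.low else None
            if cand is None:
                self.streak = 0  # an isolated spike inside the debounce window is ignored
                return None
            self.streak += 1
            if self.streak < lim.debounce:
                return None
            self.state, self.streak = cand, 0
            return self._emit(ts, "ALARM", f"{cand} value={value}")
        # Already in alarm: clear only once the value is back inside the limit
        # by at least the deadband, so a reading sitting on the limit does not chatter.
        if (self.state == "HIGH" and value <= lim.high - lim.deadband) or \
           (self.state == "LOW" and value >= lim.low + lim.deadband):
            prev, self.state = self.state, "NORMAL"
            return self._emit(ts, "CLEAR", f"{prev} value={value}")
        return None


def run_monitor(tag: str, limits: Limits, readings: List[Tuple[float, float]]) -> List[str]:
    """Feed (timestamp, value) pairs in order and return every message raised."""
    mon = TagMonitor(tag, limits)
    for ts, value in readings:
        mon.feed(ts, value)
    return mon.log


# Constructed tank-level telemetry in percent, sampled every 10 s: one transient
# spike, a real high excursion, a recovery, a comms gap, then a low excursion.
SAMPLE_READINGS = [
    (0, 50), (10, 81), (20, 79), (30, 85), (40, 90),
    (50, 78), (60, 74), (200, 72), (210, 15), (220, 12),
]
TANK_LIMITS = Limits(low=20, high=80, deadband=5, debounce=2, max_gap=60)

if __name__ == "__main__":
    for line in run_monitor("TK101_LVL", TANK_LIMITS, SAMPLE_READINGS):
        print(line)
```

Run against the constructed readings, the single sample of 81 at t=10 raises nothing (debounce), the sustained excursion at t=40 raises a HIGH alarm, the alarm clears only at t=60 when the level is 5 points back inside the limit, the 140-second silence is reported as a STALE alarm, and the low excursion at t=220 raises a LOW alarm.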