There is an interesting article over on HSToday.US that looks at an overview of 34 R&D contracts ($40 million) recently awarded by the DHS S&T Directorate to look at a variety of areas of cybersecurity research. The 34 contracts have been awarded to 29 research organizations including national laboratories, universities and private organizations. The research will address issues in 14 technical topics.
Anthony Kimery’s article looks at the broad picture of this research but doesn’t address how this might impact the industrial control system (ICS) community. That isn’t unexpected since the document that forms the basis for the research proposals being funded, the Cyber Security Research and Development Broad Agency Announcement, BAA 11-02, doesn’t mention control systems in its 82 pages and only mentions Stuxnet once (in an inappropriate manner at that).
Having said that, it is safe to assume that at least some of the research will result in information that will be useful to the ICS security community. Since we don’t have access to the specific research proposals, we have to look at the technical topics listed in the BAA that the folks at S&T wanted the research community to address. Those technical topic areas (TTAs) are:
• TTA #1: Software Assurance;
• TTA #2: Enterprise-Level Security Metrics;
• TTA #3: Usable Security;
• TTA #4: Insider Threat;
• TTA #5: Resilient Systems and Networks;
• TTA #6: Modeling of Internet Attacks;
• TTA #7: Network Mapping and Measurement;
• TTA #8: Incident Response Communities;
• TTA #9: Cyber Economics;
• TTA #10: Digital Provenance;
• TTA #11: Hardware-Enabled Trust;
• TTA #12: Moving Target Defense;
• TTA #13: Nature-Inspired Cyber Health; and
• TTA #14: Software Assurance MarketPlace.
ICS Security Excluded
The definition of three of these TTAs (#2, #4 and #12) specifically limits the research to areas affecting information technology. It is conceivable that results may have applications for ICS security, but the specific targeting of IT systems makes it unlikely that results will be easily transferable to the industrial control system setting.
TTA #7 looks at too large a scale to be of immediate usefulness in protecting control systems as it looks at the geographic and topological mapping of Internet hosts and routers.
TTA #5 doesn’t mention control systems specifically, but the description of targeted systems seems directly applicable to ICS; it targets ‘time-critical’ systems. It defines these as “a system for which faster-than-human reaction [emphasis added] is required to avoid adverse mission consequences and/or system instability in the presence of attacks, failures, or accidents” (pg 46). Interestingly, this TTA suggests that researchers look at both security and resilience. Recognizing that malware is part of the cyber-environment, the folks at S&T suggest that operation in the presence of malware is a key to security and resilience. They propose that researchers look at technology that enables (pg 47):
• Tolerating malware (for example, safely doing a trusted transaction from a potentially untrusted system);
• Investigating "safe sandbox" techniques for critical transactions; and
• Tolerating a residual level of ongoing compromise within components and subsystems of a larger system.
TTA #6 concerns the modeling of Internet attacks and this is where the folks at S&T mentioned Stuxnet (pg 49):
“Malware and botnet activity in recent months and years has intensified across the Internet and other critical infrastructures, with recent events, such as Conficker and Stuxnet, demonstrating the clear and present threat posed that is intelligent, adaptive, and effective at scale over increasingly shorter time periods.”
While Stuxnet certainly targeted control systems and did spread via the Internet to non-target systems, the Internet was not used in spreading the malware to the targeted computers in Iran. Beyond this apparent misunderstanding, however, this TTA is at least partially addressed to research on control system security. The BAA makes this clear when it requires that:
“Technologies developed under this topic must perform their functions within legal and ethical boundaries. It is expected that the resultant tools would be commercialized and made available to critical infrastructure providers [emphasis added] in addition to government network operations.”
Limited ICS Applicability
The definitions of the remaining TTAs all could have some applicability to ICS security, but they are still basically addressing IT security issues. How the research proposals are structured will determine how much use they will be to the ICS community. Having said that, there are some parts of the TTAs that appear to be the most interesting from the viewpoint of control system security.
TTA #1 looks at software assurance and calls for the development of new tools that will allow for the analysis of existing software, “discovering vulnerabilities, defects, and other types of weaknesses” (pg 36), as well as tools for runtime monitoring of software. The first will help identify potential security holes and the second will help to identify attacks in progress. Both will be of great help in protecting any cyber-system from attack.
TTA #3 is very broadly defined, maybe too broadly defined to be of practical use, but it does raise the issue of the inherent conflict between security procedures and ease of use. It notes that (pg 42):
“Security must be usable by non-technical users, experts, and system administrators. Put another way, systems must be usable while maintaining security. In the absence of usable security, there is ultimately no effective security. The need for usable security is increasingly being recognized, as is the fact that usable security is a challenging problem.”
TTA #8 introduces a new term in cybersecurity response: the CSIRT – the Cyber Security Incident Response Team. This is a sociological research requirement designed to determine “the characteristics that make an excellent CSIR individual, team, and community, and how these capabilities are identified and enhanced” (pg 54). While this might be helpful in the long run, it isn’t going to make any immediate change in the funding and manning of such organizations.
TTA #9 is a socio-economic look at cyber-attacks. It is a one-dimensional analysis of the problem of cybersecurity that asks researchers to look at the economic motivation of attackers. It completely ignores the political aspects of attackers; there is no acknowledgement of the problem of cyber-terrorism or nation-state directed attacks.
TTA #10 asks researchers to look at the importance of digital provenance: “the chain of successive custody, including sources and operations, of computer-related resources such as hardware, software, documents, databases, data, and other entities” (pg 61). Digital provenance is going to be increasingly important as more and more counterfeit components and software make their way into the control system supply chain.
TTA #11 addresses the concept of hardware security as opposed to ensuring security through software and firmware. S&T asks researchers to look at “new technologies will ensure that hardware will not inadvertently leak secrets or execute malware (even if penetrated by malware), and it will execute security-critical tasks even if partially compromised” (pg 64). It certainly sounds like a worthwhile goal, but it would seem to limit some of the current functionality found in systems where firmware or software allows for expansion of capabilities.
TTA #13 introduces a novel idea, building into cyber-systems something akin to the biological response to infections. The BAA notes:
“In the future, network components must have heightened ability to observe and record what is happening to and around them. With this new awareness of the system health and safety, these “self-aware systems” enjoy a range of options: these systems may take preventative measures, rejecting requests which do not fit the profile of what is good, a priori, for the network; these systems can build immunological responses to the malicious agents which they sense in real time; these systems may refine the evidence they capture for the pathologist, as a diagnosis of last resort, or to support the development of new prevention methods. In the future, system owners should be able to monitor and control such dynamic cyber environments.”
TTA #14 ties back into TTA #1. It asks for the establishment of (pg 75): “a software assurance facility and the associated services that will be made available to both software analysis researchers and software developers, both open source and proprietary. Software analysis researchers will have access to services allowing them to test new algorithms for static, dynamic, and binary analysis against a variety of software in a multi-platform environment.” The value of such a facility is obvious, but it requires the successful implementation of TTA #1 to provide the tools of the facility.
Results Are What Counts
The awarding of these contracts is an important step, but the amount involved is a relatively small investment in cybersecurity. And it must be remembered that investment in research does not always (or even often) produce the desired results. Still, it is an important step being taken by DHS, and some of these programs should start paying off in the next year or so.