There is an interesting
article over on HSToday.US that looks at an overview of 34 R&D
contracts ($40 million) recently awarded by the DHS S&T Directorate to look
at a variety of areas of cybersecurity research. The 34 contracts have been
awarded to 29 research organizations including national laboratories, universities
and private organizations. The research will address issues in 14 technical
topics.
Anthony Kimery’s article looks at the broad picture of this
research but doesn’t address how this might impact the industrial control
system (ICS) community. That isn’t unexpected since the document that forms the
basis for the research proposals being funded, the Cyber
Security Research and Development Broad Agency Announcement (BAA) BAA 11-02,
doesn’t mention control systems in its 82 pages and only mentions Stuxnet once
(in an inappropriate manner at that).
Research Areas
Having said that, it is safe to assume that at least some of
the research will result in information that will be useful to the ICS security
community. Since we don’t have access to the specific research proposals we
have to look at the technical topics listed in the BAA that the folks at
S&T wanted the research community to address. Those technical topics areas
(TTAs) are:
• TTA #1: Software Assurance;
• TTA #2: Enterprise-Level Security Metrics;
• TTA #3: Usable Security;
• TTA #4: Insider Threat;
• TTA #5: Resilient Systems and Networks;
• TTA #6: Modeling of Internet Attacks;
• TTA #7: Network Mapping and Measurement;
• TTA #8: Incident Response Communities;
• TTA #9: Digital Provenance;
• TTA #10: Hardware-Enabled Trust;
• TTA #11: Moving Target Defense;
• TTA #12: Nature-Inspired Cyber Health; and
• TTA #13: Software Assurance MarketPlace
ICS Security Excluded
The definition of three of these TTAs (#2, #4 and #12)
specifically limits the research to areas affecting information technology. It
is conceivable that results may have applications for ICS security, but the specific
targeting of IT systems makes it unlikely that results will be easily
transferable to the industrial control system setting.
TTA #7 looks at too large a scale to be of immediate
usefulness in protecting control systems as it looks at the geographic and
topological mapping of Internet hosts and routers.
ICS Systems
TTA #5 doesn’t mention control systems specifically but the
description of targeted systems seems directly applicable to ICS; it targets ‘time-critical’
systems. It defines these as “a system for which faster-than-human reaction [emphasis added] is required to avoid
adverse mission consequences and/or system instability in the presence of
attacks, failures, or accidents” (pg 46). Interestingly this TTA suggests that
researchers look at both security and resilience. Recognizing that malware is
part of the cyber-environment the folks at S&T suggest that operation in
the presence of malware is a key to security and resilience. They propose that
researchers look at technology that enables (pg 47):
• Tolerating malware (for example,
safely doing a trusted transaction from a potentially untrusted system);
• Investigating "safe
sandbox" techniques for critical transactions; and
• Tolerating a residual level of
ongoing compromise within components and subsystems of a larger system.
TTA #6 concerns the modeling of Internet attacks and this is
where the folks at S&T mentioned Stuxnet (pg 49):
“Malware and botnet activity in
recent months and years has intensified across the Internet and other critical
infrastructures, with recent events, such as Conficker and Stuxnet,
demonstrating the clear and present threat posed that is intelligent, adaptive,
and effective at scale over increasingly shorter time periods.”
While Stuxnet certainly targeted control systems and did
spread via the internet to non-target systems, the Internet was not used in
spreading the malware to the targeted computers in Iran. Beyond this apparent
misunderstanding, however, this TTA is at least partially addressed to research
on control system security. The BAA makes this clear when it requires that:
“Technologies developed under this topic must perform their
functions within legal and ethical boundaries. It is expected that the
resultant tools would be commercialized and made available to critical infrastructure providers
[emphasis added] in addition to government network operations.”
Limited ICS Applicability
The definitions of the remaining TTAs all could have some
applicability to ICS security, but they are still basically addressing IT
security issues. Depending on how the research proposals are structured will
determine how much use they will be to the ICS community. Having said that,
there are some parts of the TTAs that appear to be the most interesting from
the view point of control system security.
TTA #1 looks at software assurance and calls for the
development of new tools that will allow for the analysis of existing software,
“discovering vulnerabilities, defects, and other types of weaknesses” (pg 36)
as well as tools for runtime monitoring of software. The first will help
identify potential security holes and second will help to identify attacks in
progress. Both will be of great help in protecting any cyber-system from
attack.
TTA #3 is very broadly defined, maybe too broadly defined to
be of practical use but it does raise the issue of the inherent conflict
between security procedures and ease of use. It note that (pg 42):
“Security must be usable by
non-technical users, experts, and system administrators. Put another way,
systems must be usable while maintaining security. In the absence of usable
security, there is ultimately no effective security. The need for usable
security is increasingly being recognized, as is the fact that usable security
is a challenging problem.”
TTA #8 introduces a new term in cybersecurity response; the
CSIRT – the Cyber Security Incident Response Team. This is a sociological
research requirement designed to determine “the characteristics that make an
excellent CSIR individual, team, and community, and how these capabilities are
identified and enhanced” (pg 54). While this might be helpful in the long run
it isn’t going to make any immediate change in the funding and manning of such
organizations.
TTA #9 is a socio-economic look at cyber-attacks. It is a
one-dimensional analysis of the problem of cybersecurity that asks researchers
to look at the economic motivation of attackers. It completely ignores the
political aspects of attackers; there is no acknowledgement of the problem of
cyber-terrorism or nation-state directed attacks.
TTA #10 asks researchers to look at the importance of
digital provenance; “the chain of successive custody, including sources and
operations, of computer-related resources such as hardware, software,
documents, databases, data, and other entities” (pg 61). Digital provenance is
going to be increasingly important as more and more counterfeit components and software
make their way into the control system supply chain.
TTA #11 addresses the concept of hardware security as
opposed to ensuring security through software and firm ware. S&T asks
researchers to look at “new technologies will ensure that hardware will not
inadvertently leak secrets or execute malware (even if penetrated by malware), and
it will execute security-critical tasks even if partially compromised” (pg 64).
It certainly sounds like a worthwhile goal, but it would seem to limit some of
the current functionality found in systems where firmware or software allows for
expansion of capabilities.
TTA #13 introduces a novel idea, building into cyber-systems
something akin to the biological response to infections. The BBA notes:
“In the future, network components
must have heightened ability to observe and record what is happening to and
around them. With this new awareness of the system health and safety, these
“self-aware systems” enjoy a range of options: these system may take
preventative measures, rejecting requests which do not fit the profile of what
is good, a priori, for the network; these systems can build immunological
responses to the malicious agents which they sense in real time; these systems
may refine the evidence they capture for the pathologist, as a diagnosis of
last resort, or to support the development of new prevention methods. In the
future, system owners should be able to monitor and control such dynamic cyber
environments.”
TTA #14 ties back into TTA#1. It asks for the establishment
of (pg 75): “a software assurance facility and the associated services that
will be made available to both software analysis researchers and software
developers, both open source and proprietary. Software analysis researchers
will have access to services allowing them to test new algorithms for static,
dynamic, and binary analysis against a variety of software in a multi-platform
environment.” The value of such a facility is obvious, but it requires the
successful implementation of TTA #1 to provide the tools of the facility.
Results Are What Counts
The awarding of these contracts is an important step, but
the amount involved is a relatively small investment in cybersecurity. And it
must be remembered that the investment in research does not always (or even
often) produce the desired results. Still it is an important step being taken
by DHS and some of these programs should start paying off in the next year or
so.