3 minute read

A while back we looked at Challenge 1 in the Four Grand Challenges in Trustworthy Computing from 2003. In my opinion, we have fallen quite short on Challenge 1, that is "eliminating epidemic attacks by 2014". Today, we will look at Challenge 2.

Challenge 2, is generally defined as "ensure[ing] that new, critical systems currently on the drawing board are immune from destructive attack".

Challenge 2 looks at systems of critical importance that are currently being designed and implemented. Unlike Challenge 1, that focuses on systems that are already deployed, Challenge 2 focuses on security, reliability and trustability of systems that are (or were at that time) currently being developed.

The metric of success is based on the CIA model, focusing on systems that ensure:
  • Confidentiality
  • Integrity
  • Availability
and is extended with:
  • "Auditability"
  • Global Accessibility
The group identified a number of critical systems (Figure 1), and stated that "there is very little reason to believe that such systems, if developed under current technology, will be trustworthy".
Figure 1. Critical systems and infrastructure identified by the CRA group in 2003.
This statement comes almost five years after the U.S. Presidential Directive 63, which had a national goal stating:
No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation's critical infrastructures from intentional acts that would significantly diminish the abilities of:
  • the Federal Government to perform essential national security missions and to ensure the general public health and safety;
  • state and local governments to maintain order and to deliver minimum essential public services.
  • the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.
The Colloquium for Information Systems Security Education in 2008 again put critical systems, and specifically SCADA systems, as a priority area in need of organized research. There has been a growing amount of research into critical system defense, security and forensics, but the 2011 alleged hacking of an Illinois water system, as well as some infrastructures we have seen, lead me to believe that research is not being practically implemented.

From discussions with people dealing with critical infrastructure, there seems to be an attitude much like a home computer user. They know there is a risk, but in many cases don't feel like there is a big enough risk to justify investing the amount of money necessary to update, secure and monitor their systems (even some physical systems). In the U.S., government regulation to that would allow the DHS to "enforce minimum cybersecurity standards on infrastructure computer systems that, if damaged, would lead to mass casualties or economic loss". Regulation, however, was opposed.

I somewhat understand why some critical infrastructure providers may find it hard to justify large investment in cybersecurity. Last year, 198 cyber incidents were reported to DHS across all critical infrastructure sectors, most of which were reportedly spear-phishing attempts. Granted, many more attacks probably took place that were not discovered / reported, but with numbers like that, a director may be thinking that it is statistically unlikely that they would get hit.

For me, the takeaway is that critical systems are still not being designed with cybersecurity, and sometimes even physical security, in mind. Further, critical infrastructure providers have the same problems as any other business; their people - as well as technology - can be a security gap. Since critical infrastructure is a hot topic right now, I hope security and risk awareness increased, but I have yet to see any real changes implemented in many countries. Almost 10 years after the grand challenge was proposed, I would say that not only are we not designing systems that are "immune from destructive attack", but we are still not designing critical systems with basic cybersecurity in mind.

Image: FreeDigitalPhotos.net