Last week, I had the pleasure of joining Elizabeth Wharton on her radio show, Buzz Off with Lawyer Liz, to talk about the security of critical infrastructure, specifically as it relates to the significant downtime Delta Airlines experienced last week. Liz had asked me to be a guest on the show for a couple of reasons: the research I have been involved with regarding critical infrastructure security and my personal connection to last week's incident.

It was nice to talk to Liz for a while on the topic, and it was even nicer to be able to do so from my own office! I had spent the previous two days simply trying to get home from Las Vegas (where I spoke on the topic of secure penetration testing). Monday morning of last week, I awoke to news that Delta, the airline I was to be flying home on a few hours from that moment, had significant issues with their computer systems. My flight out of Las Vegas had a number of issues that delayed its arrival in Atlanta by over seven hours. This, in turn, caused me to miss my connecting flight back home, leaving me stranded in the Atlanta airport overnight with no rental cars or nearby hotel rooms available.

Transportation is considered one of the elements of national critical infrastructure. While my travel woes as an individual may represent a mere inconvenience, as a whole, the impact of a large number of people being unable to travel represents a serious problem.

Problems with transporting goods can also cause issues that ripple through other elements of public health, safety, and security. Even the failure of commercial air travel can result in large numbers of travelers putting a strain on the infrastructure and services of an airport and the surrounding area.

While the Delta outage has been explained as being caused by a power system failure, and exacerbated by a failure of backup systems to engage, it can serve as a good starting point for a conversation about the impact of cyber attacks on similar systems. It certainly served well in that role for my conversation with Liz on her show. Can an intentional attack cause a similarly dramatic impact on an organization? I think that the answer is yes.

Large organizations that provide critical services have mind-boggling complexity. Think of the custom code that schedules flights and handles the logistics of making sure that all of the resources and assets are in the right place at the right time.

Personally, I don't pretend to understand everything that's required to keep a major airline operating at capacity, but one thing is certain: automatic software-driven logistics are required to keep it running at the volume of service it operates at every day. There is no "going back" to doing it "by hand", if you want anything resembling what is now considered "normal" service. An airline runs on its code, as do most organizations for which we've provided penetration testing services.

If custom software is the "machine" that runs an organization, then the infrastructure it relies on also must be resilient to failure and attack. The server software, the hardware it runs on, and the networks over which it communicates are all critical to ongoing operations. Taken as a whole, code and the complex systems required to run it directly and indirectly impact real physical processes that your organization relies on for profit and continuity of business. Whether it's moving people or goods cross-country, manufacturing, or simply taking orders, complex "cyber" systems are responsible for very "real world" processes and results.

Now, think of the complexity involved in these systems. Every hardware component has the potential to carry millions of lines of code along with it, supporting operating systems of millions of lines of code, which run the equally complex server software that, in turn, supports the code that is custom to your industry or specific business.

In computer science, we know that it is impossible to state for certain that a program of any complexity has no bugs or flaws. Security researchers find vulnerabilities in commonly-used software on a daily basis, a process that drives the security industry. However, that only accounts for a portion of an organization's infrastructure. How will vulnerabilities be found in custom code and the organization-specific portions of the infrastructure, before they are identified by attackers?

Efforts towards the development of secure software and following best practices for designing and deploying safe server/network infrastructure are a good step towards resilience. This can only go so far, however, as there are no best practices for developing systems that are impervious to skilled, human-driven attacks by motivated threat actors. There will always be a place for offense-oriented testing of complex systems.

I enjoyed talking to Liz on this topic, and I hope to join her again on her show. Be sure to check out the episode I was on, and become a regular listener (I have): 

Buzz Off with Lawyer Liz, 08/10/16, Topic: "When Connected Systems Fail"