Research Organization Fights Techno-Terrorists

February 2007
By Maryann Lawlor

Information from a variety of organizations pours into the U.S. Department of Homeland Security (DHS) National Operations Center. According to Dr. Douglas Maughan, cybersecurity program manager, DHS, the department needs to incorporate some of the products from its own R&D efforts to secure its networks.
Government, industry and academia unite to tackle threats to the national information infrastructure.

Iraqi insurgents are not the only adversaries adept at adapting—cybervillains also have learned to transform their tactics and circumvent new ways of protecting information infrastructures. Despite improvements in security software and practices, crackers, criminals and even nation-states continue to take advantage of an unsecured Domain Name System, flawed technologies and minimal testing and commercialization options for researchers.

Finding ways to stay one megabyte ahead of these techno-terrorists is the job of a virtual organization within the U.S. Department of Homeland Security (DHS) Science and Technology Directorate, Washington, D.C. The Cyber Security R&D Center manages research and development (R&D) projects and helps to get proven technologies into the marketplace faster.

According to Dr. Douglas Maughan, cybersecurity program manager, DHS and the Homeland Security Advanced Research Projects Agency, the center is working closely with industry and academia to support the R&D life cycle from beginning to end. Before the research even begins, the center sponsors workshops and meets with companies to discuss top priority security problems and to design R&D road maps. This preliminary work feeds into the center’s R&D program, which now is focusing on solutions in the areas of detection, prevention and response.

But unlike many R&D programs, the center’s efforts do not end when a solution is developed. In fact, some of its most important work takes place after scientists and engineers create a technology prototype that is ready to be moved forward. It is then that Cyber Security R&D Center officials put their energies into ensuring that the solutions can be put on a commercial, rather than a back, shelf.

One of the center’s top priorities comes from the White House’s 2003 National Strategy to Secure Cyberspace. The document identifies three issues concerning the Internet infrastructure that need to be addressed: Internet protocol (IP) version 6, routing security and Domain Name System (DNS) security. Because the commercial sector is tackling solutions for the first two issues, Maughan explains that the center decided to focus on the third.

Web surfers use the DNS every day. It provides the mapping from a Web site’s domain name to an IP address. But Maughan says the problem is that the DNS does not authenticate identification and that vulnerabilities in this system have been documented for the past 10 years. As a result, crackers can hijack traffic by sending e-mail messages that appear to come from companies such as Google or Bank of America, and users do not know the difference. “That’s what phishing is all about. It’s me trying to get you to think that I’m your bank. Then you come to my fake Web site and type in your user name and password thinking that you’re going to your bank when you’re going to a fake bank. Now I have your user name and password, and if I’m a bad guy, I’m going to use that to log in to your account, to take your money, to steal your identity,” Maughan says to illustrate the importance of DNS security.

This vulnerability has not been addressed before for several reasons, he adds. First, it has taken 10 years in the standards process to reach agreement about a solution. The second roadblock was put up by industry. Because of stiff competition, companies were not willing to champion the idea of DNS security as it would not only benefit the sponsoring firm but also its competitors. “This is a perfect example of an area of technology as outlined in the national strategy where the government should step up and take the lead. That’s what DHS Science and Technology has done,” Maughan states.

To create a standard that improves DNS security, the center worked with the National Institute of Standards and Technology, or NIST, to develop a document that describes what it will take to deploy DNS security. In addition, the two organizations collaborated to ensure that the most recent version of the Federal Information Security Management Act standard requires government agencies to deploy DNS security. “This is critical because we believe it’s important for the U.S. government to demonstrate that this technology can be deployed and can secure our Internet infrastructure,” he relates.

Personnel from the Cyber Security R&D Center also spent a year talking to executives at the Microsoft Corporation to convince them of the need for DNS security. As a result of these discussions, the company announced in late November 2006 that starting this year, DNS security technologies will be incorporated into its next-generation product line. “From our standpoint, this was an absolute necessity,” Maughan states.

Another priority for the center is helping to improve current technologies and to develop new solutions in the areas of detection, prevention and response to protect the national critical information infrastructure. Among the topics in which the center has invested research funding are vulnerability prevention, vulnerability discovery and remediation, network attack forensics and real-time identification of malicious code. To address some of the newest cyberthreats, the center also has funded research for wireless security, identity theft prevention and the detection and mitigation of botnets.

In addition, the center is working to ensure that these research investments not only bear fruit but also produce results that can be commercialized and that do in fact make it to market. Maughan, who has spent more than 10 years with organizations that fund government research, says that this is one critical step that many R&D organizations never take.

“The biggest frustration has been that of all the research that we fund, we see very little of it making it out into the commercial sector. The problem in cybersecurity is that it’s very difficult to test solutions because you have to have some way to test malicious code to know how to defend against these threats. So testing and evaluation is very difficult, and the whole process of technology transition and commercialization is often very difficult,” Maughan maintains. In fact, venture capitalists who invest in firms that focus on emerging technologies say that if one out of 10 of their start-up companies succeeds, they are doing pretty well.

One way the center is helping researchers move their solutions into the commercial space is by facilitating the dialogue between entrepreneurs and large companies. Last month, the center conducted a forum where information about six of the most mature technologies was shared with large system integrator firms from the Washington, D.C., area. The event was organized because the center recognizes that companies such as SAIC, Northrop Grumman Corporation and General Dynamics Corporation are more likely than small firms to be awarded government contracts for these new systems.

“Part of that transition and commercialization effort is to help our little guys get an audience with the big guys. Many of the big firms don’t have a lot of new ideas. We’re trying to help them get some new technologies so they have a better proposal and a better product to sell. In the end, the government can benefit,” Maughan says.

Problems with moving new solutions to government agencies often stem from the agencies themselves. Many times, chief information officers (CIOs) do not have established procedures to move new technologies through their internal processes, so the products cannot be deployed. “We have plenty of research that’s sitting on the shelf collecting dust. … The problem is that if you don’t have processes in place, it will never make it [into the agency],” Maughan notes.

Even the DHS has been caught in this conundrum. Maughan says he has been putting a lot of effort into introducing some of the technologies to Science and Technology Directorate CIO Deborah Diaz, so she can take them to DHS CIO Scott Charbo. Maughan would like to see the department take advantage of some its own DHS-funded research by deploying solutions within the DHS infrastructure. “For me, that’s a home run, if we can get to that point,” he shares.

Projects the center has completed include the Cyber Defense Technology Experimental Research, or DETER, testbed. The environment was developed to help researchers conduct malicious code research. It comprises approximately 400 machines and will continue to grow during the next couple of years, Maughan says.

Project LOGIIC is one program for which the Cyber Security R&D Center has worked especially closely with both the commercial and government research sectors (see the LOGIIC sidebar below). Representatives from the oil and gas industry identified their top concerns about cybersecurity. Researchers from Sandia National Laboratories and the commercial sector then devised a methodology for reducing the vulnerabilities in the oil and gas sector’s process control environments using commercial software products.

In addition to hands-on projects, researchers have collected and analyzed information that helps others further their programs. For example, they have investigated anti-phishing technologies so that the Anti-Phishing Working Group can develop awareness, training and solutions to protect online banking users. In addition, a source software vulnerability analysis was conducted. Maughan categorizes this effort as “extremely important” because many people use open-source software in their critical infrastructures.

Work the center conducts is increasing in importance as each new capability is introduced into the marketplace, Maughan relates. “The bad guys have been adapting just like we have had to adapt. It started with viruses; it moved to worms, then moved from worms to botnets. We can plug some vulnerability, and they’ll find another one,” he says.

The “bad guys” hunt in specific sectors to meet their objectives, he adds. For example, individuals or groups of hackers can and do break into systems for malicious reasons. Criminals are another segment of the threat community. Perpetrators include identity theft specialists who install crimeware for financial gain. And now threats from nation-states involve cybersecurity offensive capabilities. “Sector by sector they have a different set of threats, but the threats are evolving just like our defenses continue to evolve,” he says.

The DHS’ portfolio of cybersecurity research and development (R&D) projects aims to produce solutions that will secure the U.S. critical information infrastructure.

New capabilities also complicate system protection. For instance, prior to wireless technologies, the Internet provided some level of anonymity. However, users could be tracked to a physical address. The ability to connect wirelessly makes anonymity mobile. “It used to be that I could track IP addresses, and they were tied to a physical location. Now, you’re one step removed from that. I could be here in Menlo Park, California, today, and later tonight I could be somewhere else and still have the same access. As you try to build defenses, you have to take that threat into account,” Maughan points out.

The human-computer interaction also must be addressed during research. “I do keep an eye on the human-computer interface of projects because it is such a big problem for the adoption of security. If it’s any more difficult than what users have to do today, they’re not going to use it,” he explains.

“What I hope to see in the future is more and more commercial products that are more secure and more easily administered than they are today so that when you get your new machine, it’s much easier. You understand what you should do and why you should do it, and your machine doesn’t get taken over as part of a botnet. I think those kinds of technologies are going to be key to securing the systems of the future,” Maughan states.

How the center will develop in the future will be determined by its customers. It will continue to address the critical cybersecurity R&D needs identified by DHS customers, other critical infrastructure sectors and critical infrastructure providers. “The growth of the activities of the center will be limited solely by the budget provided to the DHS Science and Technology Directorate,” he says.

Industry, Government Secure Infrastructure With LOGIIC

However consumers may think of oil companies as they fill their gas tanks these days, they might be surprised that the oil and gas industry is leading the way in cybersecurity with some significant work. The result of a workshop that took place more than two years ago, the project solidifies a new model for government-industry collaboration and creates a protection method for industry-specific systems that connect to business networks.

Called Project LOGIIC, which stands for Linking the Oil and Gas Industry to Improve Cyber Security, the work began when oil and gas industry leaders expressed concerns to the U.S. Department of Homeland Security (DHS) about cybersecurity in general and control systems security in particular. Business leaders from companies such as Chevron met with the DHS cybersecurity leadership team to identify a path forward on security issues. After several brainstorming sessions, industry representatives decided that they should focus on improving the security of the process control systems they rely on to manage the pipelines.

Sandia National Laboratories, Albuquerque, New Mexico, joined the effort in March 2005 to provide technical guidance for the project. Ben Cook, LOGIIC’s project lead at Sandia, explains that LOGIIC actually is the name of two connected yet distinctly different efforts. First, LOGIIC refers to the way industry and the government, specifically the DHS, collaborate. “One of the key elements of this partnership model is that industry is given a leadership position. We saw that in our case over the past year. Industry officials had the lead in selecting the problems that were of interest to them, and they were intimately involved in the project. In our case they actually managed the project,” Cook relates. Government and industry shared equally in supplying program resources, including funding and personnel, he adds.

Second, the acronym refers to the specific project involving the DHS as well as Sandia, oil and gas companies, research organizations, security vendors and process control technology companies. The endeavor, also called LOGIIC, is the first example of how the partnership model can produce tangible results.

The changing face of networking in the oil and gas industry is one of the reasons for the heightened importance of cybersecurity, Cook states. In the past, process control systems were isolated and companies used proprietary operating systems at the pipeline control sites. If someone gained access to one computer and tried to install malicious software or a virus, the attempt would most likely fail, and a virus would have no way to spread. “Now, control system networks look very much like business networks; they use the same technologies. They’re connected to one another, and those control system networks are connected indirectly to the Internet through business networks. So they have the same type of threat exposure that business networks have. All of a sudden the control system networks are at risk,” he explains. The vulnerability level should not be oversensationalized, Cook stresses, because high-consequence networks have backup safety systems that avert cyber intrusions.

The Sandia team focused on improving situational awareness for network security. Toward this end, the researchers decided not only to take advantage of information gathered from business networks such as intrusion detection systems, but also to apply enterprise security technologies to the process networks that are used for pipeline control. Sandia scientists worked with control system vendor partners to build a laboratory model of the system architectures used in the field. With this model as a testbed, the team deployed emerging commercially available security solutions such as intrusion detection devices and embedded firewalls.

To ensure that security personnel would not be overwhelmed with information, the team brought in an enterprise security management (ESM) application that acquires data from the security devices. A programmable logic controller that interfaces with the mechanical device or flow computers located on a pipeline incorporates data about events, including cyberattacks and state-of-health indications. The data then is aggregated, and security events are prioritized so that patterns can be identified.

To test the effectiveness of the security system, Sandia researchers developed five vulnerability scenarios, and the laboratories’ red team created a model of potential adversaries. The scenarios included attacks through the Internet, extranets and wireless connections as well as a tap into one of the network nodes at a pipeline location.

“By the end of the project we had taken all of these vendor products and we had simulated a whole enterprise—a business network connected to the demilitarized zone connected to the control system network in our lab that used real control system technologies. We thought about the vulnerabilities of that architecture. We went out and identified and deployed these best-of-breed security technologies—point solutions, in a sense. Those point solutions were integrated through the correlation engine, which provides the bird’s eye view of what’s happening within the system and prioritizes what turns out to be the millions and millions of events that were generated,” Cook says.

“At the end of the day we were able to identify the movement of an attacker across network segments that created a certain pattern. You start to see the traversal of network segments, and in time, you see hop, hop, hop. There’s a pattern that can be identified by ESM that shows the propagation of a potential attack. That tells the operator that there is a series of security events. One of them on its own is not particularly concerning, but together, we better raise the red flag,” Cook explains.
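The "hop, hop, hop" correlation Cook describes, as an added illustration that is not LOGIIC's or Sandia's code: events from sensors on the business, DMZ and control segments are linked when the destination of one event becomes the source of a later event in a deeper segment, so that individually low-priority alerts are raised as a single traversal alert. The event format, segment names and sample alerts are constructed for the example.

```python
"""Constructed ESM-style traversal correlation (example only, not the
LOGIIC project's code). Event lines use an assumed format:
'<ISO timestamp> <sensor> <segment> src=<ip> dst=<ip> <message>'."""
from datetime import datetime, timedelta

# Segments in the order an intruder would have to traverse them in the
# simulated enterprise: business network -> DMZ -> control system network.
SEGMENT_ORDER = {"business": 0, "dmz": 1, "control": 2}

# Constructed sample alerts: one lateral move inside the business network
# and one control-network health event are noise; the rest form a chain.
SAMPLE_EVENTS = [
    "2007-02-01T09:00:00 ids business src=203.0.113.7 dst=10.1.0.25 exploit attempt against workstation",
    "2007-02-01T09:05:00 ids business src=10.1.0.25 dst=10.1.0.40 port scan",
    "2007-02-01T09:12:00 fw dmz src=10.1.0.25 dst=10.2.0.10 denied rdp",
    "2007-02-01T09:20:00 ids dmz src=10.1.0.25 dst=10.2.0.10 historian web application exploit",
    "2007-02-01T09:41:00 ids control src=10.2.0.10 dst=10.3.0.5 modbus write from unexpected host",
    "2007-02-01T10:30:00 plc control src=10.3.0.9 dst=10.3.0.5 state-of-health: pressure sensor offline",
]


def parse_event(line):
    """Split one event line into its fields; the timestamp becomes a datetime."""
    ts, sensor, segment, src, dst, msg = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "segment": segment,
            "src": src.split("=", 1)[1], "dst": dst.split("=", 1)[1], "msg": msg}


def correlate_traversal(lines, window=timedelta(minutes=30)):
    """Return every chain of hops that reached the control segment.

    A hop links event j to a later event i when j's destination is i's source,
    i sits in a deeper segment than j, and they occurred within `window`.
    Each returned chain is a list of (segment, src, dst) tuples."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    chains = []  # chains[i]: longest chain (event indexes) ending at event i
    for i, ev in enumerate(events):
        best = [i]
        for j in range(i):
            prev = events[j]
            if (prev["dst"] == ev["src"]
                    and SEGMENT_ORDER[prev["segment"]] < SEGMENT_ORDER[ev["segment"]]
                    and ev["ts"] - prev["ts"] <= window
                    and len(chains[j]) + 1 > len(best)):
                best = chains[j] + [i]
        chains.append(best)
    alerts = []
    for chain in chains:
        # A single event is not concerning on its own; a multi-hop chain that
        # ends on the control network is the pattern worth raising.
        if len(chain) >= 2 and events[chain[-1]]["segment"] == "control":
            alerts.append([(events[k]["segment"], events[k]["src"], events[k]["dst"])
                           for k in chain])
    return alerts


if __name__ == "__main__":
    for chain in correlate_traversal(SAMPLE_EVENTS):
        print("traversal alert:", " -> ".join(f"{seg}:{src}>{dst}" for seg, src, dst in chain))
```

Widening or shrinking `window` changes whether the 29-minute gap between the DMZ and control events is still treated as one hop, which is the tuning decision an ESM operator makes when choosing how aggressively to escalate.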

Although the effectiveness of this in-depth defense approach has been demonstrated in the laboratory, fielding the security architecture is yet to come. Cook says that at least one of LOGIIC’s industry partners will try to set up and deploy the system. Because the Sandia team has proposed a modular and non-vendor-specific solution, oil and gas companies could choose to use similar products from security vendors who are not part of Project LOGIIC, he adds.

“It’s great to do the demo, but if that technology is not adopted by industry—if it’s not deployed—then from a DHS perspective and a Sandia perspective, we haven’t done our job,” Cook states.

Although the oil and gas industry was the first group to connect with the government through the LOGIIC partnership model, Cook emphasizes that the cooperative arrangement could benefit nearly any corporate sector that is part of the United States’ infrastructure. These sectors include the banking, electric and water industries, among others, he says.

Web Resources
DNSSEC Deployment Initiative:
DHS Science and Technology Directorate: