The new reality of high-security network separation

With the ongoing shift to network-centric warfare, and C4i (Command, Control, Communications, Computers, and Intelligence), and the ever increasing efforts we see from different sources to infiltrate and attack such system (like the “Titan Rain” attacks in 2004, or the latest wave of attacks in the last few months - alleged to be coming from China, targeting both government agencies, military systems and civilian defense companies), it becomes more and more evident, that we need to take a close and hard look at some of the information security concepts that have been prevalent for the past several decades, on the protection of high-security networks and systems.

One of the most fundamental concepts that this reality seriously challenges, is that of “Physical Network Separation”, where security of highly sensitive systems is achieved primarily through having them located on networks that are physically separate from other – less trusted networks and systems.

The problem with this approach, is that it is primarily based on the assumption that such separation actually isolates these sensitive systems from others.

However, as anyone who has worked in such environments probably knows from experience – incidents where people otherwise legitimately using such separated networks sometimes make mistakes, and even with no ill intention – lead to the destruction of this approach. Have you ever had a user accidentally connect their laptop to the wrong network port in the wall, only to realize (even if almost immediately) that they connected a lower classified system to a higher classified network? Or how about some user who innocently connected their smart-phone, or music player to the USB port of a classified computer – “just to charge it”?

And – how many of us, who work with high-ranking officers, officials or other executives – how many of us have had such high-ranking individuals take their rank to mean exemption from standards, and allowed themselves to view marketing presentation they got from someone at some convention they attended? And speaking of conventions – how many of us have attended such conventions where we connected to our own network using whatever WiFi access point was there (without knowing who set it up or how), or casually (and with great satisfaction) took that “Free USB Thumb Drive – all you need to do is give us your business card or register to get one!”, and without any hesitation – connected that “Freebie” device to our computer (and was it really “Free”, after all?...)?

Any time such an incident occurs, it essentially creates a bridge between the untrusted system or network, to the higher sensitivity network or system to which it connected. Even if such a connection only lasted just a few short seconds – even one or two seconds – that can very well be long enough for an appropriately designed malware to identify the new connection and possibly “leap” through it to the higher-trust network or system. From there – the road to full network or system compromise is much shorter, and the attacker is already within it.

What happens then can take several equally devastating directions:

1.       The malicious software can manipulate hardware and software elements of the system it infects, possibly enabling connections or interfaces that can allow the attack to escalate even further, or for the threat-agent behind that malware to be able to access it more easily. For example – a system that was before disconnected from anything but copper Ethernet, might now have an otherwise disabled WiFi or Bluetooth interface up and running – ready to facilitate attacker communication to that system and through it – onwards and inwards deeper into the now compromised high-security network. Such capabilities have been demonstrated with the Stuxnet worm, for example, which had the ability to increase its infiltration of target networks once it was initially introduced to systems within them, by manipulating various elements of operating system, software and hardware controlled by these elements

2.       The malicious software – now infiltrated into the otherwise high-security network or system, might be designed to execute certain harmful activities on the infected targets, which can very well be based on a single, coordinated trigger like time. Once this trigger occurs – this malware might be designed to inhibit the infected target systems’ performance in one way or another – which, when compounded over any number of multiple infected and now disabled systems on that network, now renders that network useless. If this is a network the military uses for certain critical military operations functionality – like air traffic control, navigation, remote control or other critical functions – that military is now rendered incapacitated, at least to the extent of not having whatever capability this attack affects available anymore. Imagine having such an attack designed to over-ride the existing controls in your city’s drinking water containment and delivery system, and cause a synchronized over-chlorination of the drinking water to an entire city, or turn all city traffic lights green at the same time for every direction of travel.

3.       The malicious software can be designed to listen on different communication or input (like keyboard loggers do, for example), and in very small increments (to make it more portable, and also more stealthy) – use the very same mechanism it used to infiltrate into that target network or system – to “infiltrate outwards” back into lower security networks until it is eventually able to directly communicate the collected information to its creator. Now – information that was before protected by a shroud of physical separation is now able to find its way trickling down from one network to a lower classified network until it is no longer within any perimeter of protection at all. If you are working in such an environment of high-security networks – ask yourself this: Can this happen to us? What is our current assumption for the information that this network communicates, and how do we handle that information now? The answer – in most cases would be: “Any information on this network is considered equally trusted as any other on it, and no data-level protection is implemented over it (meaning such information is transported within this network unencrypted) – which means this CAN happen to us!”. Am I right?...

Another factor to consider:

Based on numerous publications and sources, China is the leading source of this level of attacks in the world today, and has been for several years.

But, hold on – what does it say on that computer you are using in your organization today, and on practically every component it contains? “MADE IN CHINA”, right?

Are these two facts completely unrelated? Is the fact that China - who has formally identified the western world’s reliance on technology and how deeply that technology is embedded in the west’s very core, is also the country that, more than any other country in the world, managed to embed ITSELF in practically every piece of technology and system we use in the rest of the world – is that merely a coincidence?

I don’t really think it is safe to think that, given all we know so far. I certainly think that these facts prove that the current concepts behind our national-level information security can no longer be considered as appropriate as they perhaps were 15 or more years ago.

So what does this all mean?

1.       The prevailing assumption regarding the trustworthiness of high-security networks, the systems they contain, and the information they handle – that because these are physically separated from other networks and systems means that these can indeed be considered highly secure – I think this assumption is no longer appropriate

2.       I think that all of us who work in facilitating information security for critical systems and networks – whether in government, in the military, critical infrastructure organizations, or high-profile civilian  organizations – must reconsider our approach to protecting our assets’ information security requirements, realizing that – in most likelihood – the enemy is already within, and take it from there

3.       Unless anyone can tell me with any level of authority, that their systems are 100% internally developed – from top to bottom, and are 100% internally verified – the more likely reality is that their systems are comprised of a multitude of components at various levels, from hardware to OS, to applications – any of which can be already embedded with some kind or another of such malicious code as Stuxnet – and the fact that they don’t know they are infected, because no damage was caused, does not mean anything – since the damage might be very gradual and stealthily executed, or even has not yet been triggered to occur at all

So what do we need to do with this reality then?

While no single point I suggest here will – in of itself, provide any singular and meaningful answer to this challenge – implementing them together, following the “standard” approach of “multiple layers of defense” can possibly improve our resilience to this threat, especially considering that today – most of our high-security networks are singular networks, and flat ones, at that (once you are on the “Top Secret” network – you are every bit as trusted as all others on that network, at many levels):

1.       Implement more layers of internal-network segmentation – not only at the actual network level (be it physical, OSI L2 or L3), but also at the functional or organization unit level or even the individual computer or person level – for example: on an otherwise single “Top Secret” network – have internal firewalls, content filters, IDS/IPS and other similar devices further segment that network to “sub-networks” such as by rooms, workgroups, rank of members (people), job function, Etc. This will create more layers through which such attacks would need to traverse, making it a bit harder to happen compared with a single, un-segmented “Top Secret” network

2.       Under the same logic – have the traffic between these “sub-networks” encrypted, have traffic between each computer on these networks individually encrypted, or even information at individual computer process levels encrypted to further segment these networks and the information – this time using cryptography for that purpose (separate encryption “tunnels” essentially create “encryption segments”, preventing disclosure of information at a more granular level than when all the information on the “Top Secret” network is otherwise unencrypted as it flows through it)

3.       Divide our projects, processes and key assets into smaller, individual instances. My logic here is that if we plan, coordinate, communicate, Etc. one huge and critical process all on the same “Top Secret” network – if that network is compromised, our entire process is compromised too. Instead, we should consider if certain processes or projects do not have to be as monolithic, and can achieve the same required results even if we didn’t implement them as one unit, but instead had 2 or 3 or 4 individual processes that otherwise each do their part to work together and provide the desired capabilities or results. For example: if we are working on a new, highly critical system, we should try to break that system (and our work on it) to several parts, each worked on from a different network, properly sub-segmented as I suggested above

4.       Prepare the organization for “travelling back in time”. For example: in a military unit, preparing for such attacks can mean ensuring that our troops and officers still know how to communicate in Morse using a flashlight or other visual means, in case electronic communications is no longer available or too compromised to use. Another example: ensure that our water system can still be operated manually, and that its computer controls can be fully disabled and overridden – should those either fail or be compromised by malicious entities of any kind, and perform non-computerized ongoing sanity and quality checks on such systems to ensure that, for example – whatever level of Chlorine or Fluoride the computer system says exists is indeed physically correct and verified

Obviously, there is a myriad of other ways this issue can be mitigated by, but none offer any reasonable degree of assurance that our networks and our most sensitive information have not already been infiltrated, and so this paradigm is left largly unresolved, forcing us to at least reconsider our existing view of what network and information security are, in this ever changing arena in which we operate.