Room for Improvement
As a DHS-designated Critical Infrastructure Facility, the aqueduct is provided with up-to-the-minute threat information and security enhancements "that won't be visible to the casual observer," the spokesperson said.

Sandia found many areas for improvement in these and about 30 other Red Team engagements of critical infrastructure. Many of them can be found in a paper that Sandia delivered at multiple security conferences and that is available on the IORTA Web site, titled "Common Vulnerabilities in Critical Infrastructure Control Systems."

Another ongoing project involves the detection of explosives, weapons or other military contraband being shipped into the country through U.S. ports. "Security technologies are often brittle to threats," Skroch said. "Those developing security solutions usually forget that their technology or solution will itself become a target. For instance, when you put a lock on a door, a criminal may give up, attack the lock or find ways to go around the lock. Locksmiths know there are ways to pick a lock. It seems that many security vendors forget that their systems may be attacked once placed in the field."

Sandia also is contributing to systems that detect localized biological and chemical attacks in military and civilian event settings. These projects utilize Red Teams to understand what types of threats must be detected and also to ensure that each chemical or biological system is hardened against possible attacks that might stop it from working. Skroch would not elaborate on what the Red Teams are doing on these projects but said they are working on both the IT and the physical natures of the problems.

Red Teams' Toolbox
IORTA utilizes both hardware and software tools in its efforts. "Some tools are used for analysis, others for planning attacks, while other tools are used to reach out and touch our target," Skroch said.
"Our teams' preference for tool environments is Linux-based operating systems, for a number of reasons. However, we regularly use Windows platforms as needed," he said. "In one approach, we regularly operate with open-source tools available on the Internet. There are a lot of great tools there, and the communities that surround each are doing great things. We are very careful to not apply these tools to operational or sensitive networks, because there could be additional features in some of the tools. We will rewrite functionality of certain tools from scratch in-house to apply to such networks."

Skroch said the Red Teams also develop their own tools and scripts as needed on the fly. "Red Teams portray a dynamic threat; it's no surprise we encounter unanticipated security barriers or situations," Skroch said. "So, when we're in the field attacking a system, we have to develop our own scripts, hardware or social engineering attacks to penetrate information systems."

Whether the Red Teams and their tools are successful remains to be seen. Ultimately, it's unknown how a cyber-attack would unfold. Gregory Rattray, faculty member of the U.S. Air Force Academy, wrote on the academy's Web site that cyber-terrorism is likely to become a "more significant national security concern." And although terrorists face multiple hurdles in launching a digital attack, "U.S. efforts to mitigate cyber-terrorism will have to advance incrementally." In other words, the Sandia Red Teams have their work cut out for them.
"From the RAM-W reports, [the EPA was] able to come up with a set of Red Team research-based recommendations for those water districts, so they could know how and where to invest their money in security tools and policies," Skroch said.