Finding IT's Achilles Heels
Sandia's Red Teams: On the Hunt for Security Holes
ALBUQUERQUE, N.M.-Is it possible for a cyber-terrorist to hack into a city's water distribution system and poison thousands? Or disrupt air traffic communications to cause two airplanes to collide? Or create a surge in the power grid that would leave millions of people in the dark?
These are the types of questions pondered by the so-called Red Teams, based at Sandia National Laboratories here.
On the fifth anniversary of the Sept. 11 terrorist attacks on New York and Washington, these scenarios are front and center for Sandia, the Department of Homeland Security and law enforcement agencies across the United States.
The Red Team's job is to anticipate cyber-terrorism, create contingency plans that assume the worst and ultimately thwart a pending attack by plugging existing holes.
Michael Skroch, leader of the Red Teams, said utilities and government agencies are increasingly at risk as they replace custom IT systems created in the 1950s and 1960s with less expensive, off-the-shelf Windows and Unix systems that, incidentally, are easier marks for hackers. The older systems were secure because they weren't well known and had limited contact with other systems.
Thus, "It's clear that the threat and risk level has never been higher for cyber-security," Skroch said.
Sandia is owned by the Department of Energy, is run by Lockheed Martin and is located at Kirtland Air Force Base. Formed in 1945, Sandia's overall mission is "to enhance the security, prosperity and well-being of the nation."
The Red Teams are part of Sandia's Information Operations Red Team & Assessments group. Each one comprises a small group (three to eight people) of computer and systems experts who are the IT equivalent of the Navy SEALs special-operations outfit.
The Red Teams provide independent assessments of information, communication and critical infrastructure to identify vulnerabilities, improve system design and help decision makers increase system security.
Although often viewed as a singular entity, the IORTA group breaks into several smaller groups to tackle individual Red Team projects.
In layman's terms, Sandia's Red Teams are hired by countries and companies to anticipate and stop cyber-terrorism and other security breaches before they happen.
The teams, which focus on the potential for attacks from adversaries, apply a wide spectrum of methodologies, tools, research and training to help achieve the customers security goals.
The Information Design Assurance Red Team is part of the IORTA program, which was begun in 1996.
Blind to cyber-threats?
To critics, groups like Sandia's Red Teams are pivotal because, they say, the United States is asleep to the threat of cyber-terrorism, just as it was to the Japanese threat in the months and years leading up to the attack on Pearl Harbor in 1941.
Evan Kohlmann is one of the more vocal critics. Kohlmann, a terrorism researcher at the University of Pennsylvania, is the author of "Al-Qaida's Jihad in Europe: The Afghan-Bosnian Network," and he runs the Globalterroralert.com Web site.
"The United States is gradually losing the online war against terrorists," Kohlmann wrote in an article titled "The Real Online Terrorist Threat" in the current issue of Foreign Affairs magazine.
"Rather than aggressively pursuing its enemies, the U.S. government has adopted a largely defensive strategy, the centerpiece of which is an electronic Maginot Line that supposedly protects critical infrastructure (for example, the computer systems run by agencies such as the Department of Defense and the Federal Aviation Administration) against online attacks," he wrote.
"The U.S. government is mishandling the growing threat because it misunderstands terrorists."
Meanwhile, the DHS has also struggled with cyber-security. It hasn't had a cyber-czar for a year and has been panned by Congress for its internal computer security practices.
Finding IT's Achilles Heels
However, Skroch, manager of IORTA's Red Teams, said the critics are off base.
"My immediate reaction to [Kohlmann's] assertions is that he may have limited information, not being on the inside," Skroch told eWEEK.
"Not being inside the [anti-cyber-terrorist] group, he wouldn't be able to see exactly what they were seeing. There is a great deal of sensitive information that is never made public."
Another critic, Gabriel Weimann of the U.S. Institute of Peace, wrote in a December 2004 special report that "the potential threat, indeed, is very alarming. And yet, despite all the gloomy predictions, no single instance of real cyber-terrorism has been recorded.
"Psychological, political, and economic forces have combined to promote the fear of cyber-terrorism. This raises the question: Just how real is the threat?"
Finding ITs Achilles Heels
Rest assured, Sandia-and several hundred clients-believes the threat is real. Red Team members search for vulnerabilities in IT infrastructures and find solutions or patches before a cyber-terrorist abuses the weakness. This practice is referred to as "red teaming."
"Our experience has shown that one fixed methodology is insufficient to properly assess a given system, component or scenarios," Skroch said.
"We have a spectrum of assessment methodologies and assessment types that we apply as needed to most efficiently meet customer goals and provide consistent, measurable and actionable results."
IORTA claims there are eight natural categories of red teaming that are combined to drive all their assessments, from high-level evaluation of risk through sophisticated analysis. The eight categories are design assurance, hypothesis testing, benchmarking, behavioral red teaming, gaming, operational red teaming, penetration testing and analytic red teaming.
One type or a combination of types is selected to achieve optimum results for a Red Team sponsor.
The IORTA process and its subprocesses were composed and refined from those developed at Sandia and its 50-year history of design-assess techniques.
The Red Teams also use external techniques such as fault trees and event trees, processes such as the COBIT (Control Objectives for Information and related Technology, a standard framework for information security) governance framework, as well as tools such as open-source computer and network security tools that are appropriate for a given assessment.
They refine their own techniques through continued R&D activities, Skroch said.
One recent example was a request from the Environmental Protection Agency to assess IT system security at all water distribution plants in the United States that serve more than 100,000 people.
Theoretically, a local or regional water system could be compromised via a Trojan horse or another attack and be forced to add an incorrect measurement of chemicals to untreated water-for example, an amount far above the maximum safety zone. The resulting excess could poison the water.
But, "When we looked into this, we said, Whoa-we can't do that," Skroch said. "There was no way we could visit and assess all 350 such facilities.
"So we selected five key systems-including [the Washington Aqueduct]-and produced our normal detailed assessments. From that, we distilled our methodology into an audit-type assessment tool called [Risk Assessment Methodology for Water, or RAM-W] that could be performed by the infrastructure owners once they received basic training on the process.
"We developed the core training and transferred that to [the] industry so they could train the 350 sites."
For example, since 9/11, security procedures at the Washington Aqueduct have been under new review and evaluation based on guidance and directives from the DHS and the Sandia Red Teams.
"As a result, [the] aqueduct now has strengthened its guards against intrusion [including computer hacking], and we have increased our vigilance," an aqueduct spokesperson said.
"Our security program uses a systems approach with controls on physical access, chemical storage and operational systems to safeguard the water."
Room for Improvement
As a DHS-designated Critical Infrastructure Facility, the aqueduct is provided with up-to-the-minute threat information and security enhancements "that won't be visible to the casual observer," the spokesperson said.
Sandia found many areas for improvement in these and about 30 other Red Team engagements of critical infrastructure. Many of them can be found in a paper that Sandia delivered at multiple security conferences and is available on the IORTA Web site titled "Common Vulnerabilities in Critical Infrastructure Control Systems."
"From the RAM-W reports, [the EPA was] able to come up with a set of Red Team research-based recommendations for those water districts, so they could know how and where to invest their money in security tools and policies," Skroch said.
Another ongoing project involves the detection of explosives, weapons or other military contraband being shipped into the country through U.S. ports.
"Security technologies are often brittle to threats," Skroch said. "Those developing security solutions usually forget that their technology or solution will itself become a target. For instance, when you put a lock on a door, a criminal may give up, attack the lock or find ways to go around the lock.
"Locksmiths know there are ways to pick a lock. It seems that many security vendors forget that their systems may be attacked once placed in the field."
Sandia also is contributing to systems that detect localized biological and chemical attacks in military and civilian event settings.
These projects utilize Red Teams to understand what types of threats must be detected and also to ensure that each chemical or biological system is hardened against possible attacks that might stop it from working.
Skroch would not elaborate on what the Red Teams are doing on these projects but said they are working on both the IT and the physical natures of the problems.
Red Teams' Toolbox
IORTA utilizes both hardware and software tools in its efforts. "Some tools are used for analysis, others for planning attacks, while other tools are used to reach out and touch our target," Skroch said.
"Our teams preference for tool environments are Linux-based operating systems for a number of reasons. However, we regularly use Windows platforms as needed," he said.
"In one approach, we regularly operate with open-source tools available on the Internet. There are a lot of great tools there and the communities that surround each are doing great things.
"We are very careful to not apply these tools to operational or sensitive networks, because there could be additional features in some of the tools. We will rewrite functionality of certain tools from scratch in-house to apply to such networks."
Skroch said the Red Teams also develop their own tools and scripts as needed on the fly.
"Red Teams portray a dynamic threat-it's no surprise we encounter unanticipated security barriers or situations," Skroch said.
"So, when we're in the field attacking a system, we have to develop our own scripts, hardware or social engineering attacks to penetrate information systems." Whether the Red Teams and their tools are successful remains to be seen. Ultimately, it's unknown how a cyber-attack would unfold.
Gregory Rattray, faculty member of the U.S. Air Force Academy, wrote on the academy's Web site that cyber-terrorism is likely to become a "more significant national security concern."
And although terrorists face multiple hurdles in launching a digital attack, "U.S. efforts to mitigate cyber-terrorism will have to advance incrementally."
In other words, the Sandia Red Teams have their work cut out for them.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.