By Derrick Harris May. 14, 2012, 4:45pm PT
Updated: Nothing sends shivers down my spine quite like a hypothetical in which someone sets a whole block on fire after cutting off the fire department’s electric supply in order to slow its response. It’s a scary thought, but not entirely implausible. Perhaps it should give us some peace of mind, though, to know that armed with the right tools and, more importantly, the right mindset, these types of attacks might be preventable.
The topic came up during a recent call with Splunk’s director of security and compliance solutions, Mark Seward, after the FBI and Department of Homeland Security named Splunk as part of their toolkit for investigating a potential cyberattack on an Illinois water facility. That turned out to be a false alarm, but I was troubled by the notion that we were only doing data analysis forensically, after the fact. Gas pipelines, especially, are still under heavy attack. Forget finding out who did it; I want events stopped before they happen.
Seward said that’s possible, but not easy. Attackers have gotten so good, he said, and have such diverse attack vectors that it’s hard to predict what will happen when. “Security professionals have to harness the creativity of their minds to start thinking like a criminal,” he explained. They have to “think creatively about how someone would go about disrupting [a] service and what footprints would they leave behind.”
When that happens, it becomes possible to watch data in real-time and identify anomalies or put together patterns that suggest an attack might be underway. Splunk actually has a SCADA tool for pipelines that would let someone see changes in sensor data in real time, Seward said, in order to detect locations that stopped reporting or changes in pressure. Or maybe it’s as simple as noticing someone trying to access an application via Active Directory without permission.
Seward said smart meters — and the electric grid, in general — are particularly important to monitor. In the case of smart meters, which are constantly sending usage data to power companies, employees could quickly correlate meter shutoffs with work orders on those buildings and GPS data to determine whether a company truck is at the site. At a small scale, Seward said, robbers monitoring smart grid data could identify houses to rob by looking for consumption footprints that suggest nobody’s home. At a large scale, they could try to power down air-traffic control towers, first-responder buildings or the utility providing water to cool rods at a nuclear power plant.
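The meter-shutoff correlation Seward describes can be sketched in a few lines. This is an added example, not Splunk's code or anything from the interview: the record layouts, identifiers, sample events, 200 m radius and 15-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample data (not from the article): meter shutoff events,
# scheduled work orders, and company-truck GPS fixes.
SHUTOFFS = [
    {"meter": "M-100", "time": "2012-05-14T09:05", "lat": 41.8800, "lon": -87.6300},
    {"meter": "M-200", "time": "2012-05-14T09:10", "lat": 41.9000, "lon": -87.6500},
    {"meter": "M-300", "time": "2012-05-14T09:20", "lat": 41.8500, "lon": -87.6200},
]
WORK_ORDERS = [
    {"meter": "M-100", "start": "2012-05-14T08:00", "end": "2012-05-14T12:00"},
    {"meter": "M-200", "start": "2012-05-14T08:00", "end": "2012-05-14T12:00"},
]
TRUCK_FIXES = [
    {"truck": "T-7", "time": "2012-05-14T09:00", "lat": 41.8801, "lon": -87.6302},
    {"truck": "T-9", "time": "2012-05-14T09:08", "lat": 41.9500, "lon": -87.7000},
]

def _ts(s):
    return datetime.fromisoformat(s)

def _km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def classify(shutoff, orders, fixes, radius_km=0.2, window=timedelta(minutes=15)):
    """Return 'expected', 'no_truck_on_site' or 'no_work_order' for one shutoff."""
    t = _ts(shutoff["time"])
    has_order = any(o["meter"] == shutoff["meter"]
                    and _ts(o["start"]) <= t <= _ts(o["end"]) for o in orders)
    if not has_order:
        return "no_work_order"
    # A truck counts as on site if any fix is close in both time and distance.
    truck_near = any(abs(_ts(f["time"]) - t) <= window
                     and _km(shutoff["lat"], shutoff["lon"], f["lat"], f["lon"]) <= radius_km
                     for f in fixes)
    return "expected" if truck_near else "no_truck_on_site"

def triage(shutoffs=SHUTOFFS, orders=WORK_ORDERS, fixes=TRUCK_FIXES):
    """Map each meter id to its verdict; anything not 'expected' needs review."""
    return {s["meter"]: classify(s, orders, fixes) for s in shutoffs}

if __name__ == "__main__":
    for meter, verdict in triage().items():
        print(meter, verdict)
```

A shutoff with a work order but no truck nearby is a weaker signal than one with no work order at all, so the two are reported separately for an analyst to prioritize.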
It’s a concern he shares with former CIA director James Woolsey, who discussed the vulnerability of the grid and the need for the innovative minds working on smart-grid technologies to solve it at our Structure: Data conference in March.
If there’s some solace to take away from talking about our national-security vulnerabilities, though, it might be that technology appears to be stepping up to help identify threats. Aside from Splunk, which is useful for monitoring machine-generated data in real time, there are also tools such as Hadoop that can assist in identifying past attack patterns that systems can be trained to watch out for in the future. As I’ve reported before, security software is actually proving to be an early hotspot for big technologies, and it’s hard to see that trend slowing down. The rise of techniques such as machine learning and predictive analytics, combined with human intuition, should only improve our ability to identify threats.
I couldn’t do my job well if I didn’t truly believe that technology, done right, can solve a lot of the world’s problems. National security is one area where I definitely hope I’m not proven wrong.
Feature image courtesy of Shutterstock user cla78.