By John A. Carbone
With the establishment of the new U.S. Department of Homeland Security, we have underscored the importance of protecting our nation against those who would seek to do us harm. As technologists, how can we participate in this critical effort and help safeguard ourselves, and the free world? What can technology offer as defense against al-Qaida and other terrorists? It turns out that we can help a great deal, if we apply our existing technology to eliminate opportunities for terrorists to infiltrate and subvert our electronic infrastructure and connected devices.
During the fall 2001, investigations by the FBI and other agencies revealed that al-Qaida had penetrated security on numerous systems in the U.S. to monitor and collect data from technology companies, utilities, and government offices. For example, an article in the Washington Post dated June 27, 2002 quotes U.S. analysts who say intruders could destroy lives and property by taking command of electrical power grids.
This is particularly alarming considering that the analysts with the U.S. Department of Energy have identified eight scenarios for successful SCADA (supervisory control and data acquisition) attacks on electrical power grids using software tools readily available on the Internet.
Downloading tools from the Internet is not the only vulnerable part of the system. The Internet is connected to just about everything these days and a hacker or terrorist cell could use the Internet to disable everything from the flow of money in an ATM machine to getting fast emergency service via the 911 system.
A recent attack showed the world just how underinformed we are regarding the vulnerability of the Internet and its potential for attack by al-Qaida, hackers, or viruses: "WASHINGTON (AP) — Disruptions from the weekend attack on the Internet are shaking popular perceptions that vital national services, including banking operations and 911 centers, are largely immune to such attacks."
This article, published on CNN.com January 28, 2003, serves as a wake-up call to system designers that they must do something more to safeguard critical infrastructure and connected systems.
The opportunity for terrorists goes far beyond SCADA systems and infrastructure. In this age of connectivity, virtually every Internet-enabled device is vulnerable to attack from afar. Even automobiles are now "connected," and will become even more computer-controlled as we implement "drive-by-wire" technologies much as we have with "fly-by-wire" for aircraft. While this offers drivers valuable services, it also offers terrorists a new opportunity. In an age where automobiles contain dozens of computer-controlled systems, including ABS, engine, and transmission systems, and soon drive/steer-by-wire, imagine the havoc that could be caused by a hacker who instructs all the cars in Los Angeles to disable their brakes and accelerate, all at the same time.
In the military and commercial aerospace environment, subversion of mission computers and avionics systems could cause similar catastrophes, and endanger national security. Fortunately, this isn't likely to happen. Why? Because the National Security Agency (NSA) is demanding that our military and aerospace systems meet security criteria that prevent them from being compromised.
Such criteria include Common Criteria's Evaluation Assurance Levels 1-7, which require software systems either to demonstrate or prove their security. Level 1 is the most basic, requiring modest testing to assure secure operation for systems not deemed particularly critical. Levels 2, 3, and 4 also can be satisfied with testing to assure proper operation. Levels 5, 6, and 7, on the other hand, require strict, formal mathematical proof of security, not testing alone. Level 7 is reserved for the most security-critical systems.
The F-35 Joint Strike Fighter program, for example, requires NSA approval in accordance with EAL-7, the highest such criteria possible. Other programs, like the F-22 Raptor jet fighter, require EAL-6 or lower criteria, as appropriate to their mission. The lower the criteria, the lower the level of criticality.
For example, to satisfy EAL-7, engineers must design the system with security in mind initially and must it possible to decompose every system function into successively smaller subsets, down to a simple, provable module. Each step demonstrating that mechanisms are non-bypassable, always invoked, tamper-proof, and evaluatable. This formal proof requires lots of analysis, documentation, and review. It is economically infeasible to achieve Level 7 unless the system is designed from the start so that it will be "provable." This cannot be added-on after the fact.
Often, only one system has the job of performing several different functions, especially as processors increase in performance. If such a multi-functional system must meet different levels of safety or security criteria for each of its functions, there must be some guarantee that lower-security functions cannot interfere with higher-level functions — under any circumstances.
Such systems require Multiple Independent Levels of Security, or MILS, as NSA designates them. MILS system designers must guarantee that such unintended interactions are not possible. Otherwise, systems integrators would have to integrate each function individually on a separate processor, which would increase costs and system complexity. MILS satisfaction on a single processor is cost-effective and possible with today's technology.
Criteria such as EAL-7 and MILS make our military and aerospace systems impregnable to security breaches. Other standards such as DO-178B assure safety (mechanical, design and more) and reliability. Yet, in the presence of these demanding, effective standards, our non-military systems remain vulnerable to external subversion by hackers and viruses, threatening our homeland security.
What can be done? Simply apply the solutions that already have been proven effective in military applications.
If SCADA systems, connected devices, and other mission-critical systems were developed in accordance with EAL security criteria, we'd be less exposed to external threats. We already see trends in this direction. While DO-178B is an RTCA standard applied by the FAA to software in commercial aircraft seeking certification, the Global Air Traffic Management (GATM) initiative makes it a required part of military systems as well.
Thus, one sector — in this case the military — adopts standards proven effective in another sector — in this case commercial aviation. Commercial embedded systems could take a page from the military, as the military has from commercial aviation, and apply the DO-178B, EAL, MILS, and other available criteria to commercial products, making them less susceptible to terrorist attack.
This technology is COTS — short for commercial off-the-shelf; it's available today, and it doesn't cost any more than other less secure solutions.
We've invested many millions of dollars to develop the world's most advanced technology for our defense. This technology has proven effective in achieving high levels of safety and security in military and aerospace systems. Let's stop using 1980s-vintage technology throughout our 21st century world. Remember, lots of people continued to use horse-and-wagon transportation long after the automobile was available. They didn't know any better because information took a long time to work its way across the land. Today, we know better. Today, we have better technology. Let's use this powerful technology to help strengthen our homeland security. Let's use it now.
John Carbone is vice president of marketing at Green Hills Software Inc., a real-time software firm in Santa Barbara, Calif.
