Why critical national infrastructure presents easy pickings for hackers

Dr Dave Sloggett explores the ease with which current telecommunications systems supporting the operation of critical national infrastructure can be compromised

The phrase ‘après les deluges’ is associated with a specific piece of British history. It is the motto of the famous Dam Busters squadron, No 617 of the Royal Air Force. Their mission to destroy three dams that fed water to the industrial heartland of Germany is etched into the psyche of military historians and many members of the public.

While the attack itself was dramatic, its actual impact on the industrial output of the Ruhr was minimal. Images of a tidal wave of water flowing down the valleys obliterating all before it were also a little dramatic, more suitable for the propaganda machines than a depiction of real life.

But the idea of vast volumes of water held back by dams being suddenly released upon an innocent population is still one that can cause political leaders and the public to quickly become frightened.

Imagine then the reaction of the people of New York, with all their history of contemporary terrorism, when they are told that the control system for one of their dams had been successfully penetrated by hackers believed to be associated with the Iranian Government.

While the Bowman Avenue Dam near Rye in New York was small by comparison with some of the significant hydro-electric schemes that exist in the United States, initially it had been feared that the attack had been directed at the Arthur R. Bowman Dam in Oregon.

This is a 245ft-tall earthen dam that irrigates the local area in Prineville and serves a population of a little less than 10,000 people. But what if the attack could have been a precursor to see how simple it was to access the control systems of much larger facilities operating similar control systems?

What if they, at some point, had sought to open the sluice gates and allow a vast wall of water to be released onto a major city? At the very least it would cause massive flooding problems – at its worst, panic in the population.

And what if this attack could provide clues to other vulnerabilities in the Critical National Infrastructure (CNI)? Hardly a week seems to go by without some kind of revelation of a new cyber-attack being undertaken by state or non-state groups.

Could other equally important parts of the utilities networks be vulnerable? Such was the seriousness of the situation that the US Government chose to withhold publication of the facts for two years.

This specific example of the threat to CNI is one that quickly reminds us that the age-old adage that security is only as good as the weakest point in the chain still applies. This idea, first coined in Thomas Reid’s Essays on the Intellectual Powers of Man, published in 1786, in which he sets out his ideas on philosophy, is one that is frequently used to illustrate the ease with which any secure system can be bypassed.

Alarmingly, anyone familiar with the current levels of investment in technologies in many of these areas knows just how ingrained those vulnerabilities are, especially in systems where wireless technologies have been deployed to gain benefits from the use of old point-to-point land-line and Very High Frequency Radio links.

A more current form of the age-old adage on security is that resilience to attacks and exploitation is not gained simply by upgrading networks to new wireless-based technologies.

The ubiquity of wireless networks creates a huge problem. Anyone with the right equipment to eavesdrop on the networks can quickly usurp the basic protocols that govern their operation to create ways of entering what appear to be secure command and control systems that can activate elements of systems remotely.

In Queensland, Australia, one of the most dramatic illustrations of this occurred in 2000 when Vitek Boden managed to gain access to a remote communication system and release thousands of tonnes of sewage into a vulnerable area inhabited by wildlife.

His ability to penetrate the networks was based on his knowledge of how the simple protocols that convey data between nodes in the control systems operated. The vulnerabilities he exploited still exist today.

The vulnerabilities of existing systems servicing the remote operations of systems in many elements of the CNI are that they are built on 1970s technologies. At the heart of these systems is a protocol that was being developed at the same time that the Internet was emerging from a government laboratory in the United States.

SS7 protocol
The Signalling System No. 7 (SS7) protocols developed in 1975, which were originally used to run the international telephone networks, are still in use today. At the time they were developed, few if any people had started to think about the issues of people penetrating elements of the CNI with malign intent. As such, SS7 is easily compromised by readily available hacking tools that are now increasingly proliferating in cyber-space.

To make life even easier for the hackers, contemporary protocols such as the Mobile Application Part (MAP) of modern distributed communications systems have been mapped onto SS7 to ease their adoption in wireless technologies.

With relatively simple equipment, an attacker can use MAP to obtain the International Mobile Subscriber Identity (IMSI) and subscriber information. Once compromised, this provides the attacker with a foundation from which to build. This is one of many core vulnerabilities that exist in the SS7 protocol which, because of its use in legacy systems, will be exploitable for many years to come. This is a situation that should alarm us all.

Using similar equipment, anyone able to sit within range of a wireless signal with the right equipment can generate the right forms of messages that will receive responses that compromise the operation of command and control systems that operate elements of CNI.

With such access it is not difficult to think of a state or non-state actor literally being in the position to switch off the lights or release water or sewage onto an unsuspecting population.

These kinds of compromise can also provide the basis for more sophisticated fraud, such as theft, by exploiting the Unstructured Supplementary Service Data (USSD) protocol in a multi-stage attack: the attacker adopts a number of different communication node personas to trick systems into revealing sensitive financial information, and then transfers money to designated receiving accounts.

Another similar vulnerability allows an attacker to compromise subscribers’ passwords and reset them, essentially allowing carte blanche access to subscribers’ account details. Other attacks allow fraudulent calls to be made.
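The MAP subscriber-information lookups and the follow-on USSD abuse described above are the kind of traffic an operator's SS7 monitoring should flag. The following is an added example, not code from the article: a small Python detector run over constructed signalling log lines that alerts on subscriber-information requests arriving from global titles outside the home network, and on USSD requests that follow such a lookup for the same subscriber. The log format, the home global-title prefix (HOME_GT_PREFIX) and the sample values are assumptions; the opcode numbers are the standard MAP operation codes.

```python
"""Flag suspicious MAP traffic in constructed SS7 signalling log lines.

Assumed log format (not from the article), one event per line:
    <time> <calling_gt> <called_gt> <map_opcode> <subscriber_id>
Global titles starting with HOME_GT_PREFIX are treated as the home
network; anything else is an interconnect (foreign) partner.
"""
from collections import defaultdict

HOME_GT_PREFIX = "4412"  # constructed: home operator's global-title range

# Standard MAP operation codes that disclose IMSI / subscriber data.
IMSI_DISCLOSURE_OPS = {45: "sendRoutingInfoForSM", 58: "sendIMSI",
                       70: "provideSubscriberInfo", 71: "anyTimeInterrogation"}
USSD_OPS = {59: "processUnstructuredSS-Request", 60: "unstructuredSS-Request"}


def parse_event(line):
    t, calling, called, op, sub = line.split()
    return {"t": int(t), "calling": calling, "called": called,
            "op": int(op), "sub": sub}


def is_foreign(gt):
    return not gt.startswith(HOME_GT_PREFIX)


def analyse(lines):
    """Return alert strings; simplified allow-list logic of the kind an
    SS7 firewall applies, not a complete rule set."""
    alerts = []
    looked_up = defaultdict(set)  # subscriber -> foreign GTs that queried it
    for ev in map(parse_event, lines):
        if ev["op"] in IMSI_DISCLOSURE_OPS and is_foreign(ev["calling"]):
            alerts.append(f"{ev['t']}: {IMSI_DISCLOSURE_OPS[ev['op']]} for "
                          f"{ev['sub']} from foreign GT {ev['calling']}")
            looked_up[ev["sub"]].add(ev["calling"])
        elif (ev["op"] in USSD_OPS and is_foreign(ev["calling"])
              and ev["sub"] in looked_up):
            alerts.append(f"{ev['t']}: {USSD_OPS[ev['op']]} for {ev['sub']} "
                          f"from {ev['calling']} after foreign IMSI lookup")
    return alerts


# Constructed sample: home updateLocation (op 2) is normal; two foreign
# lookups of subscriber ...0001, a home lookup of ...0002, then foreign USSD.
SAMPLE_LOG = [
    "100 441210001 441299999 2 234150000000001",
    "105 880100042 441299999 45 234150000000001",
    "110 880100042 441299999 71 234150000000001",
    "120 441210002 441299999 45 234150000000002",
    "130 880100043 441299999 59 234150000000001",
    "140 880100043 441299999 59 234150000000002",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```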

So what is the solution to this problem? In the future the move to Long Term Evolution (LTE) networks will provide a greater degree of security. In these next-generation systems many of the lessons that have emerged from SS7 vulnerabilities are being learned.

However, widespread use of these systems is still some time in the future. Today, the problem is one of vulnerability by antiquity. There are simply too many legacy systems still controlling elements of the CNI. The problem of the here and now is important. In 2015 the United States Department of Homeland Security received nearly 300,000 reports of attempts to penetrate industrial control systems.

The vulnerabilities in SS7 pose a clear and present danger to current elements of the CNI. Today’s hackers find themselves in an environment where it is relatively easy pickings for them to generate cash in a number of ways, from ransom demands to avoid attacks through to major fraud. Addressing this as a matter of urgency is surely an imperative.

About the author: Dr Dave Sloggett is an independent writer and authority on security intelligence and counter terrorism