This Week in Security, Jan 14th - 20th, 2023: What Infrastructure Do You Depend On?
This week seems to be filled with infrastructure news, or more accurately, I am full of infrastructure security concerns. From new books on the topic of infrastructure, to federal bills to fix and enhance it, to the attacks on and disruptions to it detailed below, infrastructure has been at the forefront of the civic zeitgeist. This week we tour some infrastructure failures, providing evidence that security and infrastructure resilience go hand in hand. Some of these infrastructure issues are in information infrastructure, such as the NOTAM outage that grounded flights around the United States, the leak of the No Fly List, or the tales of the Southwest Airlines mishap. Others are in traditional infrastructure such as the power grid. Ultimately I hope you go away with dueling questions: What infrastructure does my security posture depend on, and what happens when that infrastructure goes away?
CommuteAir is a regional airline that flies Embraer ERJ-145 jets under the United Express brand, being one of United Airlines' contract carriers for its feeder service. Regional airlines in the United States operate either by contracting with major airlines to provide feeder service, using aircraft seating 50 to 100 people, from low-volume airports to the major's hubs, or by providing subsidized service, often with even smaller aircraft, to even smaller airports.
Of course, this is the problem, as Bruce Schneier puts it, with having to give a copy of your secret list to lots of people. There are hundreds of scheduled airlines that are based in the US or fly to the US, and each of these airlines needs the list and its updates to check against passenger booking data and flag passengers, either denying them a ticket or, as part of issuing their boarding pass, giving it the dreaded SSSS mark. While an airline may spend a lot of security effort on securing the systems that handle passenger and crew data, the leaked list was not found in those systems, but in testing infrastructure being used to develop those systems, where, as happens time and again, real data was being used for testing.
This all speaks to having robust and well-defined data security policies: if real data needs to be used to test systems, those test systems should have the same or greater protection than the production systems working with the same data. I am a firm advocate of placing more protections around testing infrastructure than around production infrastructure, because sometimes testing infrastructure needs to run without a WAF or other protections while the WAF policies are being developed or adapted to new updates, or while protections built into the application are unfinished or disabled in testing.
Power Substation Attacks
A series of power substation attacks has plunged parts of the United States into darkness. The first attacks were in North Carolina, where two substations in Moore County were attacked by currently unknown assailants. Analysis of the attack by Grady Hillhouse of Practical Engineering suggests the attackers may have had some inside knowledge, since they used rifles to specifically target the step-down transformers that serve as the link between Moore County and the wider grid. The resulting damage required several days of work to temporarily restore power, while inspection of the damaged transformers and their subsequent repair took quite a bit longer. This incident and the subsequent incidents detailed below are under investigation by the FBI.
Some may remember an incident in 2013 where a sniper attacked a PG&E substation on the outskirts of San Jose, California. The sophistication of that earlier attack led investigators to believe that the attackers had specific inside knowledge of both the power infrastructure and the substation design, of how that infrastructure connected to the wider grid, and of the use of high-powered rifles.
As Grady noted in his analysis linked above, the massive size and spread of the US power infrastructure prevents any substantial preventative measures from being applied, but also provides for its resilience. Despite these attacks spanning three states and a dozen power providers, the relative impact was small: power was disrupted only for a fraction of those states' residents and businesses, and in some cases restoration took mere hours.
So, what does this mean for your infrastructure? Time and again I have seen larger disasters turn a well-planned disaster response plan into a mess, as the scope of the disaster exceeds what was planned for. In this case we can see an obvious issue right away: while you may have power protections in place, how long are they designed to last? You have diesel generators, but how many days or weeks of fuel do you have onsite? Do you have a plan for getting more? How long can your generators run without maintenance? Do you have a plan for when you have to take them offline for planned or unplanned maintenance? Do you have a plan for your people's needs during a disaster?
Credit card canary tokens are a thing, allowing those who have some reason to store credit card numbers an opportunity to find out whether those numbers were secretly stolen. You know, before your merchant bank drops the bad news.
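To make the mechanism concrete, here is an added example (my own illustration, not code from the newsletter or from any canary token provider) of how a credit card canary works end to end: a synthetic, Luhn-valid card number that was never issued to anyone is generated, labelled with the data store it is seeded into (for instance the test database from the No Fly List discussion above), and any authorization attempt that later uses it is matched back to that label. The issuer-side matching is a simplified stand-in; a real service does that matching on its side. The `999999` prefix, the HMAC key and the authorization feed are all constructed for the example.

```python
"""Credit card canary tokens, end to end (added example, not the page's code).

A canary PAN is Luhn-valid so it survives input validation and looks like a
real record, but it belongs to no cardholder.  Seed one per data store; an
authorization attempt with that number can only come from a copy of that
store, so the hit tells you which copy leaked.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for the digits of a PAN minus its last digit."""
    total = 0
    # Walk right to left; the digit just left of the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the PAN is all digits and its last digit is the Luhn check digit."""
    return len(pan) > 1 and pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def make_canary_pan(bin_prefix: str = "999999", length: int = 16) -> str:
    """Generate a random, Luhn-valid PAN under a prefix no real issuer uses.

    The prefix is an assumption for this example; choose one that cannot
    collide with a genuine card range in your environment.
    """
    body_len = length - len(bin_prefix) - 1
    body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
    partial = bin_prefix + body
    return partial + luhn_check_digit(partial)


@dataclass
class CanaryRegistry:
    """Maps keyed fingerprints of canary PANs to the store they were seeded in.

    Storing an HMAC rather than the PAN means a leak of the registry itself
    does not hand an attacker the list of canaries to avoid.
    """
    key: bytes
    _canaries: Dict[str, str] = field(default_factory=dict)

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self.key, pan.encode(), hashlib.sha256).hexdigest()

    def register(self, label: str) -> str:
        """Create a canary for the named data store and return it for seeding."""
        pan = make_canary_pan()
        self._canaries[self._fingerprint(pan)] = label
        return pan

    def check(self, pan: str) -> Optional[str]:
        """Return the seeded store's label if this PAN is a canary, else None."""
        return self._canaries.get(self._fingerprint(pan))


def screen_authorizations(registry: CanaryRegistry, feed: Iterable[dict]) -> List[dict]:
    """Return one alert per authorization attempt that used a canary PAN.

    `feed` yields dicts with at least "pan" and "merchant"; in this example it
    is constructed sample data standing in for the feed a canary service watches.
    """
    alerts = []
    for attempt in feed:
        label = registry.check(attempt["pan"])
        if label is not None:
            alerts.append({"label": label, "merchant": attempt["merchant"]})
    return alerts


if __name__ == "__main__":
    registry = CanaryRegistry(key=b"constructed-example-key")
    seeded = registry.register("staging-customer-db")  # goes into the test DB
    # Constructed feed: one ordinary (test-range) number and one canary hit.
    feed = [
        {"pan": "4111111111111111", "merchant": "Shop A"},
        {"pan": seeded, "merchant": "Shop B"},
    ]
    for alert in screen_authorizations(registry, feed):
        print(f"ALERT: canary from {alert['label']} used at {alert['merchant']}")
```

The point of the per-store label is the one the test-infrastructure discussion above makes: if the same real data lives in production and in staging, seed each copy with a different canary, so a hit tells you not just that a leak happened but which environment it came from.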