Recently, @dangerroom posted about a computer virus infecting the software that manages the U.S. Air Force’s Predator and Raptor drones -- the ones that perform reconnaissance and attack insurgents in Afghanistan, Iraq and other hot spots. The software hasn’t prevented the drone program from continuing, but so far the Air Force has resisted attempts to remove it.
One source with some knowledge of the program noted that he thinks the malware is benign, but he doesn’t know for sure. He also doesn’t know if the software was introduced intentionally or accidentally, nor does he know how far the virus has spread. However, he does know that it has infected both classified and unclassified equipment, so, theoretically, top secret data may have been captured and transmitted over the internet.
It’s believed the drone software was infected through the use of USB drives used to share map updates and transport mission videos. While this practice is forbidden at most U.S. Air Force facilities, it was not at the affected facility.
What is surprising to me is that it is well-known to friend and foe alike that the drone systems have security flaws. In fact, @dangerroom notes that as far back as 2009, U.S. forces found drone video footage on the laptops of Iraqi insurgents...enabled by a $26 software package!
Bridge Over Troubled Waters
Just last week and closer to home, the public water district in Springfield, Illinois, reported that malware was responsible for pump failure at one of its plants. Utility officials were able to trace the malware to Russia and the intruder was allegedly able to get access to the district’s SCADA (secure control and data acquisition) system after stealing customer’s user names and passwords from a SCADA software provider.
Plus, Elinor Mills at CNET (@elinormills) reported that DHS and FBI officials contradicted the conclusions of the water district, stating burn-outs of the pumps were not caused by a cyber intrusion, although they didn’t explain the 'true' cause.
SCADA systems control facilities ranging from water, sewage treatment and electricity distribution systems to freight, light rail and passenger rail systems. The same type of intrusion that (allegedly) caused water pumps to fail could result in two oncoming Amtrak trains being diverted onto the same track with potentially disastrous results.
Many SCADA systems were not originally designed to be accessed online, nor were they designed with security in mind, which hackers also know.
Particularly pernicious about these two incidents are the inabilities to trace these attacks to the source, erase the virus or in any way know or predict the future behavior of these viruses. Sometimes, experts don’t even know when their networks have been hacked.
Money for Nothing
In today’s budget-constrained environment at the local, state and federal levels, government leaders are having difficulty getting visible projects funded – roads, schools, bridges, etc. They will be especially hard pressed to get funding for invisible systems, including state-of-the art security such as the updated SCADA software built to handle today’s more complex systems.
Mills’ article notes that utilities today also lack the forensics to inform IT teams about system performance and potential intrusions.
What is needed to address this point are systems that analyze and measure that software’s performance, both to assure that it is functionally optimal as well as to reduce or hopefully eliminate disruptions that can cripple a community.
In a previous post, I wrote at length about “technical debt,” and the need to manage this debt as a corporation or person would handle any other type of debt. In certain sectors of our economy, it appears we are very deep into technical debt, and at the brink of “technical default.” What's shocking, though, is that we are at the brink in networks that have a profound impact on the daily lives of vast numbers of people, both military and civilian, not to mention entire sectors of the economy.
As we near the end of the year and the time for New Year’s resolutions, I hope our leaders will resolve to ensure funding for not just the sexy projects that will get them re-elected but the critical systems of our infrastructure that keep our economy running and people safe. Otherwise, I predict 2012 will see the news continuing to "drone on" about software malfunctions and security breaches within our government and military.