What We Don't Know is Hurting Us

by

Recently, @dangerroom posted about a computer virus infecting the software that manages the U.S. Air Force’s Predator and Raptor drones -- the ones that perform reconnaissance and attack insurgents in Afghanistan, Iraq and other hot spots. The software hasn’t prevented the drone program from continuing, but so far the Air Force has resisted attempts to remove it.

One source with some knowledge of the program noted that he thinks the malware is benign, but he doesn’t know for sure. He also doesn’t know if the software was introduced intentionally or accidentally, nor does he know how far the virus has spread. However, he does know that it has infected both classified and unclassified equipment, so, theoretically, top secret data may have been captured and transmitted over the internet.

It’s believed the drone software was infected through the use of USB drives used to share map updates and transport mission videos. While this practice is forbidden at most U.S. Air Force facilities, it was not at the affected facility.

What is surprising to me is that it is well-known to friend and foe alike that the drone systems have security flaws. In fact, @dangerroom notes that as far back as 2009, U.S. forces found drone video footage on the laptops of Iraqi insurgents...enabled by a $26 software package!

Bridge Over Troubled Waters

Just last week and closer to home, the public water district in Springfield, Illinois, reported that malware was responsible for pump failure at one of its plants. Utility officials were able to trace the malware to Russia and the intruder was allegedly able to get access to the district’s SCADA (secure control and data acquisition) system after stealing customer’s user names and passwords from a SCADA software provider.

Plus, Elinor Mills at CNET (@elinormills) reported that DHS and FBI officials contradicted the conclusions of the water district, stating burn-outs of the pumps were not caused by a cyber intrusion, although they didn’t explain the 'true' cause.

SCADA systems control facilities ranging from water, sewage treatment and electricity distribution systems to freight, light rail and passenger rail systems.  The same type of intrusion that (allegedly) caused water pumps to fail could result in two oncoming Amtrak trains being diverted onto the same track with potentially disastrous results.

Many SCADA systems were not originally designed to be accessed online, nor were they designed with security in mind, which hackers also know.

Particularly pernicious about these two incidents are the inabilities to trace these attacks to the source, erase the virus or in any way know or predict the future behavior of these viruses. Sometimes, experts don’t even know when their networks have been hacked.

Money for Nothing

In today’s budget-constrained environment at the local, state and federal levels, government leaders are having difficulty getting visible projects funded – roads, schools, bridges, etc. They will be especially hard pressed to get funding for invisible systems, including state-of-the art security such as the updated SCADA software built to handle today’s more complex systems.

Mills’ article notes that utilities today also lack the forensics to inform IT teams about system performance and potential intrusions.

What is needed to address this point are systems that analyze and measure that software’s performance, both to assure that it is functionally optimal as well as to reduce or hopefully eliminate disruptions that can cripple a community.

In a previous post, I wrote at length about “technical debt,” and the need to manage this debt as a corporation or person would handle any other type of debt. In certain sectors of our economy, it appears we are very deep into technical debt, and at the brink of “technical default.”  What's shocking, though, is that we are at the brink in networks that have a profound impact on the daily lives of vast numbers of people, both military and civilian, not to mention entire sectors of the economy.

As we near the end of the year and the time for New Year’s resolutions, I hope our leaders will resolve to ensure funding for not just the sexy projects that will get them re-elected but the critical systems of our infrastructure that keep our economy running and people safe. Otherwise, I predict 2012 will see the news continuing to "drone on" about software malfunctions and security breaches within our government and military.

Get the Pulse Newsletter  Sign up for the latest Software Intelligence news Subscribe Now <>
Open source is part of almost every software capability we use today. At the  very least libraries, frameworks or databases that get used in mission critical  IT systems. In some cases entire systems being build on top of open source  foundations. Since we have been benchmarking IT software for years, we thought  we would set our sights on some of the most commonly used open source software  (OSS) projects. Software Intelligence Report <> Papers
In our 29-criteria evaluation of the static application security testing (SAST)  market, we identified the 10 most significant vendors — CAST, CA Veracode,  Checkmarx, IBM, Micro Focus, Parasoft, Rogue Wave Software, SiteLock,  SonarSource, and Synopsys — and researched, analyzed, and scored them. This  report shows how each measures up and helps security professionals make the  right choice. Forrester Wave: Static Application Security Testing, Q4 2017  Analyst Paper
This study by CAST reveals potential reasons for poor software quality that  puts businesses at risk, including clashes with management and little  understanding of system architecture. What Motivates Today’s Top Performing  Developers Survey
Jonathan Bloom
Jonathan Bloom Technology Writer & Consultant
Jonathan Bloom has been a technology writer and consultant for over 20 years. During his career, Jon has written thousands of journal and magazine articles, blogs and other materials addressing various topics within the IT sector, including software development, enterprise software, mobile, database, security, BI, SaaS/cloud, Health Care IT and Sustainable Technology.
Load more reviews
Thank you for the review! Your review must be approved first
Rating
New code

You've already submitted a review for this item

|