Schneier on Security
A blog covering security and security technology.
« Is Cryptography Engineering or Science? |
| How Apple Continues to Make Security Invisible »
July 5, 2013
Sixth Movie-Plot Threat Contest Winner
On April 1, I announced the Sixth Mostly-Annual Movie-Plot Threat Contest:
For this year's contest, I want a cyberwar movie-plot threat. (For those who don't know, a movie-plot threat is a scare story that would make a great movie plot, but is much too specific to build security policy around.) Not the Chinese attacking our power grid or shutting off 911 emergency services -- people are already scaring our legislators with that sort of stuff. I want something good, something no one has thought of before.
On May 15, I announced the five semi-finalists. Voting continued through the end of the month, and the winner is Russell Thomas:
It's November 2015 and the United Nations Climate Change Conference (UNCCC) is underway in Amsterdam, Netherlands. Over the past year, ocean level rise has done permanent damage to critical infrastructure in Maldives, killing off tourism and sending the economy into freefall. The Small Island Developing States are demanding immediate relief from the Green Climate Fund, but action has been blocked. Conspiracy theories flourish. For months, the rhetoric between developed and developing countries has escalated to veiled and not-so-veiled threats. One person in elites of the Small Island Developing States sees an opportunity to force action.
He's Sayyid Abdullah bin Yahya, an Indonesian engineer and construction magnate with interests in Bahrain, Bangladesh, and Maldives, all directly threatened by recent sea level rise. Bin Yahya's firm installed industrial control systems on several flood control projects, including in the Maldives, but these projects are all stalled and unfinished for lack of financing. He also has a deep, abiding enmity against Holland and the Dutch people, rooted in the 1947 Rawagede massacre that killed his grandfather and father. Like many Muslims, he declared that he was personally insulted by Queen Beatrix's gift to the people of Indonesia on the 50th anniversary of the massacre -- a Friesian cow. "Very rude. That's part of the Dutch soul, this rudeness", he said at the time. Also like many Muslims, he became enraged and radicalized in 2005 when the Dutch newspaper Jyllands-Posten published cartoons of the Prophet.
Of all the EU nations, Holland is most vulnerable to rising sea levels. It has spent billions on extensive barriers and flood controls, including the massive Oosterscheldekering storm surge barrier, designed and built in the 80s to protect against a 10,000-year storm surge. While it was only used 24 times between 1986 and 2010, in the last two years the gates have been closed 46 times.
As the UNCCC conference began in November 2015, the Oosterscheldekering was closed yet again to hold off the surge of an early winter storm. Even against low expectations, the first day's meetings went very poorly. A radicalized and enraged delegation from the Small Island Developing States (SIDS) presented an ultimatum, leading to denunciations and walkouts. "What can they do -- start a war?" asked the Dutch Minister of Infrastructure and the Environment in an unguarded moment. There was talk of canceling the rest of the conference.
Overnight, there are a series of news stories in China, South America, and United States reporting malfunctions of dams that resulted in flash floods and death of tens or hundreds people in several cases. Web sites associated with the damns were all defaced with the text of the SIDS ultimatum. In the morning, all over Holland there were reports of malfunctions of control equipment associated with flood monitoring and control systems. The winter storm was peaking that day with an expected surge of 7 meters (22 feet), larger than the Great Flood of 1953. With the Oosterscheldekering working normally, this is no worry. But at 10:43am, the storm gates unexpectedly open.
Microsoft Word claims it's 501 words, but I'm letting that go.
This is the first professional -- a researcher -- who has won the contest. Be sure to check out his blogs, and his paper at WEIS this year.
Congratulations, Russell Thomas. Your box of fabulous prizes will be on its way to you soon.
History: The First Movie-Plot Threat Contest rules and winner. The Second Movie-Plot Threat Contest rules, semifinalists, and winner. The Third Movie-Plot Threat Contest rules, semifinalists, and winner. The Fourth Movie-Plot Threat Contest rules and winner. The Fifth Movie-Plot Threat Contest rules, semifinalists, and winner.
Posted on July 5, 2013 at 12:08 PM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Minor factual error with this, Jyllands-Posten is a Danish paper, not Dutch.
But at 10:44am the machine controlling the flood barrier says; "important updates have been installed - restarting your computer". Will our hero manage to click the 'postpone' message in time ?
"Web sites associated with the damns..."
Those damn dams!
Those damns would be from the aforementioned updates.
well, that is a "smart" plot, again some muslim is the bad guy :-P
we saw enough of it in "Homeland", "24" and and and....
"Like many Muslims, he declared that he was personally insulted" bla bla bla
"Also like many Muslims, he became enraged and radicalized in 2005 when the Dutch newspaper Jyllands-Posten published cartoons of the Prophet." bla bla bla
so, somebody here loves to generalize and has prejudices "against the usual suspects", even for a cyber-fiction plot, that is almost too much
Jyllands-Posten is Danish, not Dutch.
Note: jyllands-posten is danish, not dutch. With the recent calls to bomb Prague in retaliation for the Boston bombings, it is not unreasonable that others might be confused too, but it is worthy of a note.
Dutch, Danish, whatever. I see it as part of the stupidity of people who get upset by these sorts of things. A lot of people do (apparently) irrational things, and it's partly because they don't even have their facts right!
That someone would confuse Dutch and Danish is not surprising, nor is it that someone would confuse the two, and then get angry at the wrong target...
I think there are many cases of people hearing about some perceived insult from a second or third (or more removed) source, and then attacking the wrong target. (Though I can't just think of any as I type this.)
To the other comments: Yes, I made a factual error regarding the Jyllands-Posten newspaper. Its is Danish, not Dutch. Sorry about that.
Yes, there were a few passages that were clumsy, including "...many muslims...". Sorry about that. I wasn't really aiming to have the plot center on anti-western muslims. I should have cut the cartoon reference out. With another revision, I'd put more attention on how this new opportunistic alliance formed and was radicalized because they share a belief that then have been repeatedly victimized and marginalized.
Regarding "web sites associated with dams", that's just a reference to informational web pages that many public works departments provide, such as this: http://www.sfwater.org/index.aspx?page=92. This was suggesting simple defacement. I certainly wasn't implying any attack on control systems through it's web site.
Regarding technical means in general, I made a conscious choice not to be very specific about the technical aspects of the "cyber war". In a way, that is the least interesting and least important. What would make it a "war" is the will and capability of the adversarial parties to do maximum damage to each other, or at least severe damage, by electronic and digital means.
Regarding the word count, I'm probably guilty. I remember editing it repeatedly to get under the word count limit.
Thanks again, Bruce, and thanks, critics.
And, yes, I spelled "damn" wrong. Rushed work increases the error rate and spellcheck doesn't fix them all.
Congratulations! Nice one.
I do remember the Dutch actually had a fully automated system of controls for these gates with no manual override. I expect they have that stupidity fixed by now.
Muslim terrorists... rolls eyes.
I suppose Hollywood would love it, but that's not a compliment.
@Russell Thomas: Did you know the real phrase with the acronym SIDS? (Sudden Infant Death Syndrome) I'm wondering if your choice of acronym was based on that.
--That would be pretty clever if he meant that, comparing small nations to infants. One nice aspect to comms by acronyms; uncertainty.
@MingoV -- My use of SIDS had no relation to its meaning as Sudden Infant Death Syndrome. There really is an organization called Small Island Developing States and they really are asking for full funding for the Green Climate Fund, which has been established but not yet funded.
@Really? -- Like I said, with another revision I would have edited out or reduced the religious angle. That the protagonist was from Indonesia was important, given it's history under Dutch rule. That probably means he would be Muslim, also, and thus probably not so happy with the Friesian cow gift. (That comment about "...rudeness..." was made by a real person, but I forget the specifics.)
I am far too late to the party, but here is my entry: The British Prime Minister's last day in office.
It is not a sub-plot; it is an entire story. Cyber-war plays one part in the story and there is a second part regarding cyber-attacks, but cyber-stuff is not remotely the only subject. And it is far, far longer than 500 words.
For those of you, e.g. moviecritics, who think that all plots must be politically-correct and not insult Muslims, I recommend that you not read my story. Someone who holds any of the last three presidents in high regard should also not read my story.
Bravo, Russell Thomas... a fine effort and a well-deserved prize that evoked a few thoughts, some motivated by the comments that follow the announcement:
1) The insinuation of Islamophobia in some comments is well-taken if perhaps a bit hyperbolic, but might your scenario also serve as a platform to examine the particular risks of false flag operations in the cyberterrorism/cybersecurity 'space'?
2) Having spent the last twenty years of the 20th century in SCADA system design and deployment, an interesting question is whether the greater risk to these systems are those elements, whether 'hard' or 'soft' that 'survived' the Y2K checklists or whether the newer "internetworked things" that are the main source of discussion these days (and in some cases, the willy-nilly replacement of the former by the latter...).
3) As for the specific targets in your scenario - water management systems, in general - and the "Delta Works", in particular - it is always interesting to ponder just how much effort goes into the security of these facilities from the perspective of managers and designers who conceive of the projects and of the contractors (and subcontractors) who implement those designs.
It would have been unreasonable to fit these ancilliary questions in the 500 word quota offered by Bruce, but they still remain pertinent... particularly when they may not have been given a high priority initially.
Kudos and thanks are due to Bruce for the interesting, constructive, and sometimes amusing exercise...
@Edward -- thanks for your praise and your fine comments.
Re: false flag operations -- I find it much more credible that "cyber war" would be initiated by some combination of forces and interests that are less than a nation-state, perhaps even without any coordinating authority or control point. Their only common interest might be opportunistic anarchism, with perhaps an ambition to ignite a war among nation-states.
Re: relative vulnerability of new "internetworked things" vs. Old School SCADA -- having started my career several decades ago working on industrial control computers used for SCADA, I believe they have many fragile security features in addition to a fairly long list of vulnerabilities. Examples: hard coded passwords, undocumented admin accounts, "magic" front panel codes, and so on. I'd imagine that a persistent attacker could find these if they took the time to gather old documentation, and to experiment and reverse engineer the system using "scrapped" devices, etc.
The vulnerabilities in the new "internetworked things" have a different nature, I think. I'm far from an expert so I will not comment. I do imagine that persistent attackers find it a target-rich environment.
Re: security by design in water management systems, I don't know exactly how it is architected, designed, and implemented. It wouldn't surprise me if it was common that they use a "fortress" design approach, featuring "bad guys on the outside" and "good guys on the inside". This is in contrast to the "assume you are already compromised" design philosophy that promotes moving targets, frequent authentication, continuous and frequent access adjustment, etc.
... Well, I posed my points as questions out of an idle hope that you or some of Bruce's readers would find a logic to answer in more positive terms.
Unfortunately, I must agree with your responses. My experience both in defense and industrial environments has led me to the same conclusions, which is one reason that I cannot defend the unabashed presumptuousness of Snowden, Assange, and Bradley except to the degree that they have exposed these realities to which we must adapt in the years to come if we are to avoid a truly tragic event along the lines of your scenario...
... but how to do that without existing in constant doubt of one's colleagues and neighbors is the big question. Your formula that presumes vulnerability reminded me of a defense technology assessment analyst in government with whom I worked early in my career who stated that the golden rule was to presume that your adversary was aware of your success at finding every one of the secrets that you thought you had uncovered discretely and that the converse applied to one's own secrets the moment that one was formulated!
Hardly a basis for sleeping soundly at night... and at some point it would seem that the process of keeping secrets naturally becomes primary to the nature of the secrets being kept... and so on.
Holland isnt a nation, it's The Netherlands. You may think this is quibbling but just ask the Dutch....
Being a Dutchman whose grandparents lived through the 1953 flood, this movie plot really scares me. That flood (simply called 'The Disaster', especially in the south-west of the country) killed 1800 people. This could have been much more had the Rotterdam area flooded, which nearly happened. Opening the Oosterscheldekering during a severe storm could be very dangerous indeed, although obviously also the 'normal' dikes are much stronger than they were in 1953.
Apart from the small mistake about the Danish newspaper, all facts in this story seem correct to me. For good measure, I would also have included an attack on the flood barrier in de Nieuwe Waterweg, which blocks the entrance to the Rotterdam harbour in case of high water, and on the sluices in the Afsluitdijk. The latter would threaten Amsterdam and the big polders in the IJsselmeer.
O yeah, Rick, personally I don't mind if The Netherlands is called Holland, as long as it is done by foreigners :-).
@David Bakker -- thanks for validating the scariness and realism of the plot. Yes, adding attacks on more flood barriers would be even better and right in line with the plot. If I had given myself more time, I would have learned more about the flood barrier system, the dike systems, the monitoring and controlling instruments, and the like.
@Rick -- this is a movie plot for a contest, not a formal paper. As such, it can be useful and interesting to substitute informal or alternative names for the formal, e.g. "America" for "United States", "Britain" or "England" for "United Kingdom" and so on. And, even so, it was the Holland region of The Netherlands that was attacked in this particular plot.
The proper name of the area in both Dutch and English is "Holland". "Holland" is a part of the Netherlands. "Holland" is informally used in English and other languages, including sometimes the Dutch language itself, to mean the whole of the modern country of the Netherlands. (This example of pars pro toto or synecdoche is similar to the tendency to refer to the United Kingdom as "England".)
@ David Bakker and Russell Thomas re surge barrier
It's interesting that you two are talking about that: the flood barrier David mentioned is a commonly cited success story of formal methods for assured safety. The system is certified to Safety Integrity Level 4. That requires much rigour in requirements, design, implementation and testing of control systems. They used quite a few tools in that project and the paper gives the details.
Of course, safety is not security. Although, there is enough overlap that researchers are looking into apply lessons from one to the other. Assured safety-critical systems often prevent many problems that would become vulnerabilities. They lack the main assumption of security: problems stemming from an adversarial, human brain. I bet it would be interesting to compare a thorough security assessment of that system to the safety assessment.
Quick stats: "The BOS system was delivered on time and within budget and is fully operational since October 1998. Its development took three years and about 25 man-years of effort. It resulted in 20,000 lines of formal specification and in 450,000 lines of (a safe subset of) C++ code."
Common claim in these case studies: "More errors were found through the process of formalization (making a formal description) than in later stages through the validation of the formal specifications. Formal derivation or proof of code was not used at all. Yet, we conclude that the use of formal methods was profitable. Their use provides precision, structure and consistency that help in the prevention and early detection of errors."
@Nick P -- very interesting!
The points you raise reinforce my decision to avoid technical details in my movie plot. I simply don't know enough about where the vulnerabilities might be and how attacks might be carried out.
I'm no expert on safety engineering. However, like you, I'd suspect that their formal models are based on static threats from Nature rather than adaptive, intelligent threats from people, including insiders.
I wanted to suggest in my movie plot that the attack came from a quasi-insider. It doesn't take much imagination to think of vulnerabilities and attacks that would by-pass the formal methods used in safety engineering. The simplest vulnerability example I can think of is an administrative or maintenance account that is left open with default password and access privileges.
Formal methods and proofs of correctness (or trust) are good and useful in some contexts, but so far they don't fully embrace the *full* open system, which includes people and business processes. No silver bullet.
@ Russell Thomas
It's good that you left out the details. A malicious insider would have the best chance of doing something here. The specifics would depend on how they've set everything up. If the plot happened for real, one side effect I'd expect to see is a discussion between safety and security engineers on how to ensure safety-critical projects have a certain amount of protection. Or the safety-engineers would say, "That wasn't really our job." Who knows. ;)
I've just written a new movie plot related to the Energy Sector. I'm using it in my presentation tomorrow at the EnergySec Summit in Denver. Enjoy.
2017 Texas Heat Wave
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.