Securing Critical Infrastructures
About this ebook
Dr. Kamara has won two awards for community building in higher education and is the author of two other books:
The Implications of Internet Usage, 2013
The Impacts of Cognitive Theory on Human and Computer Science Development, 2016
Professor Mohamed K. Kamara Ph.D.
Dr. Kamara has been a full-time computer and information sciences professor at American College of Commerce and Technology since 2010 and an adjunct professor at the Stratford University graduate school of computer and information sciences since 2006. He earned his BSc degree in telecommunication from the University of Stavanger in Norway and his MSc degree in Computer Information Sciences from Strayer University, completed his PhD course work in IT Security and Assurance at George Mason University, and later moved to Walden University, where he took his research courses and wrote his dissertation on Wi-Fi/Internet Usage in Sierra Leone to earn his PhD degree in 2013. Records of his classroom teaching can be found on http://www.ratemyprofessors.com.
Securing Critical Infrastructures - Professor Mohamed K. Kamara Ph.D.
Copyright © 2020 by Professor Mohamed K. Kamara Ph.D.
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the copyright owner.
Any people depicted in stock imagery provided by Getty Images are models, and such images are being used for illustrative purposes only.
Certain stock imagery © Getty Images.
Rev. date: 03/13/2020
Xlibris
1-888-795-4274
www.Xlibris.com
811023
CONTENTS
About the Author
About the Editor
Acknowledgement
Preface
Introduction
Chapter 1
Access Control in Critical Infrastructures
The Need for Control
Control Principles
Control Environment
Control Categories
Types of Controls
Threats to Control
Control Services
Network Directory Services
Access Control Models
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
Constrained User Interfaces
Access Control Matrix
Access Control Administration
Centralized Access Control Administration
Types of Centralized Access Control
Remote Authentication Dial In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS)
Diameter Protocol
Decentralized Access Control Administration
Problems in Controlling Access to Assets
Network Infrastructures Weakest Links for Attacks, Vulnerability, and Threats
Tools Used for Threats and Attacks
Chapter 1 Exercise
Chapter 2
Information Security Policies
Computers or Cyber Security Infrastructure and Network Assets that Require Protection
Security Threats
1) Denial of Service
2) Impersonating a User
3) Disclosure of Information
4) Message Stream or Data Modification
5) Traffic Analysis
Sources of Security Threats
1) Employees/Insiders
2) Malicious Hackers
3) Natural Disasters
4) Foreign Adversaries
5) Hostile Attacks
Chapter 2 Exercise
Chapter 3
Potential Security Impact on Telecommunications Networks
Denial or Disruption of Service
Unauthorized Monitoring and Disclosure of Sensitive Information
Unauthorized Modification of Network Databases/Services
Fraud
US Networks as Targets
Growing Foreign Capabilities
Potential Actors and Threats in Securing Critical Infrastructures
1) Hackers
2) Hacktivists
3) Hackers for Hire
4) Industrial Spies and Organized Crime Groups
5) Terrorists
6) National Governments
Future Tools and Technology
Implications
Implications for Intelligence
Chapter 3 Exercise
Chapter 4
Database Security and Business Impact
Chapter 4 Exercise
Chapter 5
Cyber Security and the Healthcare Sector
STRENGTHS
WEAKNESSES
OPPORTUNITIES
THREATS
Chapter 5 Exercise
Chapter 6
The Cyber Threat on Satellites Supporting Critical Infrastructure
Analysis
Risk Management Framework Example
Chapter 6 Exercise
Chapter 7
Internet Vulnerability, Threats, and Risks
Internet of Things (IoT)
Continuous Monitoring (CM)
Artificial Intelligence (AI)
Machine Learning (ML)
IoT Will Lead to the Internet of Everything (IoE) (Big Data Will Lead to Big Problems)
Public Sector
Department of Homeland Security Information Network (DHSIN)
Department of Defense Information Network (DoDIN)
Private Sector
Robotics and Autonomous Operations
Cybersecurity and Resiliency
Chapter 7 Exercise
Chapter 8
Cybersecurity Critical Infrastructure on the Financial Services Sector
Chapter 8 Exercise
Chapter 9
Cyber-attacks on the Energy Sector
Analysis
Energy Sector
Simulations/Scenarios
Supervisory Control and Data Acquisition (SCADA)
Hackers
Attacks
Cyber-attacks
Predictive Threat Analysis
Chapter 9 Exercise
Chapter 10
Cybersecurity on Petroleum Subsector Critical Infrastructure
National Infrastructure Protection Plan (NIPP)
Cyber Security of Facility-Related Control Systems
Veeder-Root Vulnerability
Baku-Tbilisi-Ceyhan Pipeline Cyberattack
Analysis and Conclusion
Chapter 10 Exercise
Chapter 11
Encryption and Decryption Techniques in Cyber Security
Method 1: Additive Cipher Technique − Example 1
Multiplicative Cipher Technique, C = (P*K) MOD26 − Example 2
Brute Force Cipher Technique − Example 3
Affine Cipher Technique − Example 4
Frequency Character Analysis Cipher Technique − Example 5
Chapter 11 Exercise
Chapter 12
A Fresh Look at Windows Encrypted File System
How it works?
Drawbacks of EFS
Finding Firewall Solutions in Your Organization
Key points for the right firewall:
Trusted security
Approachability
Homeland Security Preparedness and Planning
Center for Disease Control and Prevention (CDC)
Chapter 12 Exercise
Chapter 13
Automobile Manufacturers' Security Failure
Introduction
What systems within automobiles can be hacked?
Is Hacking of Automobile Systems a Concern?
How safe are we in today’s automobile with this vulnerability?
What impact does this hacking threat mean for the automakers?
Will this threat have an impact on sales and the future of the auto industry?
How can we mitigate these vulnerabilities and threats to the automobile?
Chapter 13 Exercise
Chapter 14
The Active Cyber Defense Certainty Act: Should We Hack Back?
Introduction
Defining the Active Cyber Defense Certainty Act
Background of the Problem Cyber Threats in the United States
Alliance of Big Tech and Big Government
The Dark Web
Analysis: To Hack or Not To Hack
The Case for Hacking Back
The Case Against Hacking Back
Chapter 14 Exercise
Chapter 15
Target Data Breach and Its Effects on the Retail Industry
Introduction
Where are the vulnerabilities on the cybersecurity databases?
Are the threats for these vulnerabilities significant?
What would an exploitation of the databases mean to the organization?
How easy was it to exploit the vulnerability and which tools were used?
What can be recommended to help mitigate these vulnerabilities and threats in computer network Critical Infrastructures?
Chapter 15 Exercise
Chapter 16
Unmanned Aerial Vehicles Cyber-Physical Security Vulnerabilities
Introduction
Chapter 16 Exercise
Chapter 17
Securing Electronic Voting Systems
Introduction
Chapter 17 Exercise
Chapter 18
Cloud Computing Vulnerabilities, Risks, and Threats
Introduction to Cloud Computing
Vulnerabilities
Significance
Impact
Accessibility
Chapter 18 Exercise
Glossary
List of Acronyms
ABOUT THE AUTHOR
Professor Mohamed K. Kamara earned his Ph.D. degree in Information Technology Security and Assurance. He did his coursework at George Mason University and his dissertation research work at Walden University, and earned his Ph.D. in 2013. Dr. Kamara earned his MSc. honor’s degree in Computer and Network Technology at Strayer University in 2004 and his BSc. honor’s degree in Telecommunications Engineering at Stavanger University, Norway, in 1993. He also earned diplomas in electronics, software engineering, computer hardware technology and networking from respected polytechnic institutions.
Dr. Kamara has over 20 years of teaching experience, both on campus and online, in Computer Science, Cyber Security, Information Technology and Mathematics courses at notable universities such as the University of the District of Columbia; Stratford University, where he helped develop the graduate telecommunications curriculum; American College of Commerce and Technology, where he was the chairman of the graduate council, presided over the accreditation committee for ABET and developed the Computer and Information Sciences Undergraduate Program; University of the Potomac; and Webster University.
In addition to his teaching experience, Dr. Kamara has several years of professional hands-on field work experience in the IT industry. He worked in all levels of IT from help desk, network administration, and IT security coordinator to Project Management. He has a deep knowledge and hands-on experience in researching, developing, analyzing and implementing new software modules and hardware devices.
Dr. Kamara had won two awards for community building in higher education and is an author of three books:
1) The Implications of Internet Usage- 2013
2) The impacts of Cognitive Theory on Human and Computer Science Development - 2016
3) Securing Critical Infrastructures - 2020
Research Area: Security Violations in cloud computing using Mathematical Modeling and Complex Analysis of Software Module (Java Applet and MATLAB)
ABOUT THE EDITOR
Michael J. Piellusch (DBA, Argosy University, 2011) earned his bachelor’s degree in English Literature from Fordham University. Believing in lifelong learning, he earned an MA degree in English Literature and an MBA in Data Systems (both from San Francisco State University), an MS degree in Software Engineering from National University, and an MS degree in Engineering Management and Leadership from Santa Clara University. He is a 2011 graduate of Argosy University with a DBA in International Business. He is currently an adjunct professor at University of the Potomac and a career technical writer. As a technical writer he has worked for various corporations and organizations including Control Data, Novell, Microsoft, Wind River, Polaris Networks, Information Gateways, and Ultra Electronics – ProLogic. He is currently a technical editor with the U.S. Army War College Strategic Studies Institute.
ACKNOWLEDGEMENT
Many thanks to Dr. Michael Piellusch for volunteering to proofread and edit my work. The publication of this book wouldn’t have been possible without his assistance.
To my wife and children for their rational support in the research process of this book.
PREFACE
This book explains the modern techniques required to protect a cyber security critical infrastructure. Three fundamental techniques are presented, namely: network access control, physical access control, and encryption and decryption techniques.
The book is divided into eighteen chapters.
• Chapter 1 addresses the concepts of access control in a cyber security infrastructure.
• Chapter 2 explains the concepts of Information Security Policies.
• Chapter 3 explores the concepts of the Potential Security Impact on Telecommunications Networks.
• Chapter 4 examines the concepts of Database Security and Business Impact.
• Chapter 5 describes the concepts of Cyber Security and the Healthcare Sector.
• Chapter 6 probes the concepts of the Cyber Threat on Satellites Supporting Critical Infrastructure.
• Chapter 7 covers the concepts of the Internet Vulnerabilities, Threats, and Risks that are overwhelmingly penetrating cybersecurity infrastructures that lack effective monitoring systems.
• Chapter 8 deals with the concepts of Cybersecurity Critical Infrastructure of the Financial Services Sector.
• Chapter 9 considers the concepts of Cyber-attacks on the Energy Sector.
• Chapter 10 explains the concepts of Cybersecurity on Petroleum Subsector.
• Chapter 11 clarifies the concepts of Encryption and Decryption Techniques in Cyber Security.
• Chapter 12 explicates the concepts of Windows Encrypted File System.
• Chapter 13 addresses how manufacturers of the automobiles fail to consider the security risks involved when connecting the vehicles to the internet.
• Chapter 14 evaluates The Active Cyber Defense Certainty Act.
• Chapter 15 depicts the problem behind Target data breach and its effects on the retail industry.
• Chapter 16 looks ahead at the Unmanned Aerial Vehicles Cyber-Physical Security Vulnerabilities issues.
• Chapter 17 considers the issues encountered in Securing Electronic Voting Systems.
• Chapter 18 navigates Cloud Computing Vulnerabilities, Risks, and Threats.
In this book, the author is eclectic in the interest of the reader to understand the significance of cyber security and the growing number of related issues. The philosophy and principles underlying the techniques used for securing organizational assets provide the framework for this book. The author does not assume that readers of this book have prior knowledge of this subject or the art of critical infrastructure architecture.
INTRODUCTION
The purpose and significance of this book is to take a fresh look at the techniques, policies and procedures, guidelines, and standards that are commonly required to protect data and information in our cyber world today. These techniques and procedures are necessary in every step of securing organizational assets because of their interdependencies. This exploration includes several forms of encryptions and decryptions, policy implementations which are distinctive types of business rules that are documented for the purpose of security procedures, as well as physical and logical network control mechanisms.
Several years ago, the need for data protection was not considered important, let alone critical. When systems were disintegrated (not networked), managers believed that hacking was impossible, even unthinkable. They were reluctant to spend money on infrastructure security. If told to do so, the only question they would ask was: if the system is working, why do we have to secure it?
Data protection was not taken seriously before the explosion of information-handling technologies such as smart phones, two-way pagers, mobile computing, personal digital assistants, Bluetooth and the integration of systems, along with the emergence of social media (Facebook, Twitter, WhatsApp, Instagram, Snapchat, TeamSnap, and Musical.ly), which increasingly reminded organizations about the need for cyber security due to frequent and ever-increasing hacking incidents.
Those working in the business environment must have exclusive and definitive instructions that assist them in securing information in this complex and increasingly technological environment. Just as it is unthinkable that millions of automobile drivers would be on the road without laws about the right of way, it is also unthinkable that millions of business people would operate systems without information security policies. Top managers at many organizations are now appreciating the importance of business rules such as information security policies. All around them are projects that critically depend on clearly articulated business rules. For example, many organizations may bear in mind that when a legacy application was moved from the mainframe to the Internet, one of the important steps permitting this transition was the documentation of business rules. Without clear business rules, those creating a new system cannot be sure they are building something that will perform as intended. Without information security policies and protection, management cannot be sure that information systems are operated in a secure manner. Managers who do not recognize the need for information security policies and protection on their own recognizance are being enlightened, or at least awakened, by regulations.
Historically, those who have worked in the information security field often were considered to be people who slowed down processes. Some people thought that information security was incompatible with the rapid pace of business required by the new Internet-based economy. This viewpoint quickly changed as people came to appreciate that Internet business was not possible unless an organization provided excellent solutions in the information security area. To offer products or services through the Internet without adequately addressing information security is negligent and an invitation to security incidents that could severely damage an organization’s reputation (and bottom line). Information security is coming to be appreciated as an expediter. To the extent that an organization can codify its business rules and internal processes, it can automate or outsource these rules and processes, and enter into new business relationships (for example, extranets like SharePoint) based on these same rules and processes and otherwise move ahead technologically. For all of these projects and many others, information security policies provide clear-cut constraints defining a domain in which an acceptable solution can be found. The centrality of information security policies and protection to virtually everything that happens in the information security field is increasingly evident. For example, system administrators cannot securely install a firewall unless they have received a set of clear information security policies which stipulate the type of transmission services that should be or will be permitted.
CHAPTER 1
Access Control in Critical Infrastructures
Access control is generally the collection of security mechanisms that work collectively to administer and protect the behavior of subjects and objects in network and infrastructure environments.
The Need for Control
Access controls help protect against threats and vulnerabilities. Access controls enable management to:
• Specify which users can access the system
• Specify what resources they can access
• Specify what operations they can perform
• Provide individual accountability
Control Principles
Control principles stipulate the procedures and basic rules that must be followed in setting up a security control. They consist of the following:
Separation of duties: This principle defines the elements of a process or work function and divides those elements across different functions, so that no single person controls a sensitive process from end to end.
Least privilege: This principle limits users and processes to accessing only the resources necessary to perform their assigned functions.
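As an added example (not code from the book), the following Python module shows how the four management goals above (who may access, which resources, which operations, individual accountability) and the two control principles can be enforced in one access decision: roles carry only the operations a job needs (least privilege), a user holding both the "engineer" and "approver" roles is refused (separation of duties), and every decision is written to an audit log. The role names, resources and users are constructed sample data, not taken from the book.

```python
"""Access-control decision with least privilege, separation of duties and
an audit trail. All roles, resources and users below are constructed
sample data for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> {resource: set of permitted operations}. Each role holds only
# the operations its job function needs (least privilege).
ROLE_PERMISSIONS = {
    "operator": {"scada_hmi": {"read"}, "alarm_log": {"read"}},
    "engineer": {"scada_hmi": {"read", "write"}, "plc_config": {"read", "write"}},
    "auditor": {"alarm_log": {"read"}, "audit_log": {"read"}},
    "approver": {"plc_config": {"approve"}},
}

# Separation of duties: the person who edits PLC configuration must not
# also be the one who approves the change. Sets of roles that may not be
# held together by one user.
CONFLICTING_ROLE_SETS = [frozenset({"engineer", "approver"})]


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class AccessControl:
    # One record per decision gives individual accountability.
    audit_log: list = field(default_factory=list)

    def separation_of_duties_violation(self, user):
        """Return the conflicting role set the user holds, or None."""
        for conflict in CONFLICTING_ROLE_SETS:
            if conflict <= user.roles:
                return conflict
        return None

    def is_permitted(self, user, resource, operation):
        """Allow only if no SoD conflict exists and some role of the user
        grants exactly this operation on exactly this resource."""
        if self.separation_of_duties_violation(user) is not None:
            return False
        for role in user.roles:
            allowed_ops = ROLE_PERMISSIONS.get(role, {}).get(resource, set())
            if operation in allowed_ops:
                return True
        return False

    def request(self, user, resource, operation):
        """Evaluate the request and record who asked for what, and the
        decision, with a UTC timestamp."""
        allowed = self.is_permitted(user, resource, operation)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "resource": resource,
            "operation": operation,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed


def demo():
    """Run four constructed requests and return (decisions, audit log)."""
    ac = AccessControl()
    alice = User("alice", frozenset({"engineer"}))
    bob = User("bob", frozenset({"approver"}))
    carol = User("carol", frozenset({"engineer", "approver"}))  # SoD conflict
    decisions = {
        "alice_write_plc": ac.request(alice, "plc_config", "write"),
        "alice_approve_plc": ac.request(alice, "plc_config", "approve"),
        "bob_approve_plc": ac.request(bob, "plc_config", "approve"),
        "carol_write_plc": ac.request(carol, "plc_config", "write"),
    }
    return decisions, ac.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```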
Control Environment
Environment for access control into a cyber security critical infrastructure includes all levels of an organizational environment such as:
• Facilities
• Support systems
• Information systems
• Personnel
Control Categories
The following are the categories of access control that require attention to secure any critical infrastructure from an incident (security breach).
• Deterrent – discourages incidents in an infrastructure
• Preventative − avoids the occurrence of any incident in the infrastructure
• Corrective – handles circumstances after an incident, mitigates damage and restores control in the facility
• Detective − identifies incidents as they occur
• Compensating − provides an alternative means of control, such as the use of supervision
• Recovery − restores conditions to normal immediately after an incident occurs and is resolved
Types of Controls
Three fundamental types of control are needed in securing a cyber security facility:
1) Administrative control – the making of policies, procedures and standards, for instance security clearances, background checks and network access privileges.
2) Technical/Logical control − the use of antivirus software, strong passwords, protective firewalls, and audit trails.
3) Physical control – the use of locks, cameras, badge systems, and smart card systems (often combined with biometrics and/or access codes).
Threats to Control
Threats to control exist in various forms and require supervisory and monitoring attention on a daily basis. Listed below are the most common threats to cyber security critical infrastructures.
• Denial of Service − an event that makes a computer network temporarily unavailable or unusable.
• Buffer overflows − occur when more data is sent to a fixed-length memory block than it can hold, a condition that can be exploited by malicious actors.
• Mobile code − software that is transmitted from a host to a client so that it can be executed or run. Viruses and worms are two common types of malicious mobile code.
• Malicious software – includes viruses, worms, Trojan horses, and logic bombs.
• Password crackers – programs that use trial and error and other methods to brute force or algorithmically decode or deduce a password.
• Spoofing − the creation of a message with a misleading sender’s address asking the recipient to open it, and possibly take action, based on the contents of the message.
• Masquerading – the use of a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification.
• Sniffers – a sniffer or packet analyzer intercepts packet data flowing in a network. With a sniffer, traffic is captured when the sniffer (hardware or software) commands the Network Interface Card (NIC) to stop ignoring traffic not addressed to it. The NIC then reads communications between computers within a targeted segment, allowing the sniffer to seize anything that is flowing in the network, which can lead to the unauthorized access of sensitive data.
• Eavesdropping – eavesdropping is an electronic attack where digital communications are intercepted by an unauthorized individual (not the intended recipient). This interception is done in two main ways: directly, by listening to digital or voice communication, or