
May 8, 2024 | International, Security

The Fundamentals of Cloud Security Stress Testing

The cloud promises agility, but opens a Pandora's box of cyber risks if not secured properly. Understand your responsibility under the shared responsi

https://thehackernews.com/2024/05/the-fundamentals-of-cloud-security.html

On the same subject

  • US Army pursues alternatives for a Stryker-based active protection system

    August 21, 2018 | International, Land

    By: Jen Judson WASHINGTON — While the U.S. Army has been working to qualify a Virginia-based company's active protection system for the Stryker combat vehicle, it is also in the process of evaluating several additional APS solutions for the platform beginning in November. “The Army will be executing a fourth non-developmental APS system evaluation,” Army spokeswoman Ashley Givens told Defense News in a recent statement. The evaluation will be on the Stryker platform, she confirmed, adding that the service has received three responses to a request for information released earlier this year asking for more Stryker-focused APS solutions. “At this time the Army is still reviewing the proposals of the vendors to confirm viability,” Givens said. More than a year ago, the Army determined it needed to field an interim APS solution for the Abrams tank as well as the Stryker and Bradley. The service decided to rapidly assess off-the-shelf APS systems to fulfill an urgent operational need after failing — over a 20-year period — to field an APS capability. The Army has since selected three different systems: Israeli company Rafael's Trophy system, which is deployed in the Israeli army, for Abrams; Iron Fist from IMI, another Israeli company, for the Bradley; and Herndon, Virginia-based Artis' Iron Curtain for Stryker. While the Army has stayed on track with Abrams, due to a combination of earlier funding availability and qualifying an already fielded system, it has struggled to stay on schedule with the other two configurations. In January, Col. Glenn Dean, the program manager for Stryker, who also manages the service's effort to install APS on combat vehicles, told Defense News that Iron Curtain's delay was partly due to a decision to replace the radar originally intended for the APS. “We've had some other issues,” he said.
“We have learned that that system probably is not as mature as originally envisioned, so the contractor had some difficulty getting to the point they were ready to start characterization, and then we had some, I will call it, friction on the test range.” At the time, Iron Curtain had roughly three weeks of testing left to wrap up government characterization. Dean said the program office would be ready to generate final reports and bring it to the Army for a decision in the March time frame. In April, the Army released a sources-sought notice looking for other APS solutions for Stryker and also received, in fiscal 2018, $25 million to qualify a fourth system as part of the interim APS program being called the Expedited Active Protection Systems activity. According to Givens, the program office has completed the installation and characterization phase of the ExAPS activity, but “we are currently awaiting an Army decision on the next phase of activity for Iron Curtain.”
The Army's evaluation process of additional systems is expected to come in the form of a live-fire “rodeo” — for lack of a better term — where the service has invited a small number of the RFI respondents with the most promising potential solutions to have their APS capability put to an initial limited test against a set of threats defined by the Army, according to a source familiar with the effort. The respondents are required to fund the demonstration primarily at their own cost, but some Army funding will be used to conduct the tests. At least two companies have been invited to participate in the rodeo, the source said. One of those companies is likely Germany's Rheinmetall. The company has advocated hard for the Army to also qualify its Active Defense System, and the Army admitted, prior to receiving FY18 dollars, that it would want to qualify ADS if it had the funds. Full article: https://www.defensenews.com/land/2018/08/20/army-pursuing-possible-alternatives-for-a-stryker-based-active-protection-system

  • HOW HACKED WATER HEATERS COULD TRIGGER MASS BLACKOUTS

    August 14, 2018 | International, C4ISR

    WHEN THE CYBERSECURITY industry warns about the nightmare of hackers causing blackouts, the scenario they describe typically entails an elite team of hackers breaking into the inner sanctum of a power utility to start flipping switches. But one group of researchers has imagined how an entire power grid could be taken down by hacking a less centralized and protected class of targets: home air conditioners and water heaters. Lots of them. At the Usenix Security conference this week, a group of Princeton University security researchers will present a study that considers a little-examined question in power grid cybersecurity: What if hackers attacked not the supply side of the power grid, but the demand side? In a series of simulations, the researchers imagined what might happen if hackers controlled a botnet composed of thousands of silently hacked consumer internet of things devices, particularly power-hungry ones like air conditioners, water heaters, and space heaters. Then they ran a series of software simulations to see how many of those devices an attacker would need to simultaneously hijack to disrupt the stability of the power grid. Their answers point to a disturbing, if not quite yet practical scenario: In a power network large enough to serve an area of 38 million people—a population roughly equal to Canada or California—the researchers estimate that just a one percent bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners. "Power grids are stable as long as supply is equal to demand," says Saleh Soltan, a researcher in Princeton's Department of Electrical Engineering, who led the study. "If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want." 
The result of that botnet-induced imbalance, Soltan says, could be cascading blackouts. When demand in one part of the grid rapidly increases, it can overload the current on certain power lines, damaging them or more likely triggering devices called protective relays, which turn off the power when they sense dangerous conditions. Switching off those lines puts more load on the remaining ones, potentially leading to a chain reaction. "Fewer lines need to carry the same flows and they get overloaded, so then the next one will be disconnected and the next one," says Soltan. "In the worst case, most or all of them are disconnected, and you have a blackout in most of your grid." Power utility engineers, of course, expertly forecast fluctuations in electric demand on a daily basis. They plan for everything from heat waves that predictably cause spikes in air conditioner usage to the moment at the end of British soap opera episodes when hundreds of thousands of viewers all switch on their tea kettles. But the Princeton researchers' study suggests that hackers could make those demand spikes not only unpredictable, but maliciously timed. The researchers don't actually point to any vulnerabilities in specific household devices, or suggest how exactly they might be hacked. Instead, they start from the premise that a large number of those devices could somehow be compromised and silently controlled by a hacker. That's arguably a realistic assumption, given the myriad vulnerabilities other security researchers and hackers have found in the internet of things. One talk at the Kaspersky Analyst Summit in 2016 described security flaws in air conditioners that could be used to pull off the sort of grid disturbance that the Princeton researchers describe. And real-world malicious hackers have compromised everything from refrigerators to fish tanks. 
Given that assumption, the researchers ran simulations in power grid software MATPOWER and Power World to determine what sort of botnet could disrupt what size grid. They ran most of their simulations on models of the Polish power grid from 2004 and 2008, a rare country-sized electrical system whose architecture is described in publicly available records. They found they could cause a cascading blackout of 86 percent of the power lines in the 2008 Poland grid model with just a one percent increase in demand. That would require the equivalent of 210,000 hacked air conditioners, or 42,000 electric water heaters. The notion of an internet of things botnet large enough to pull off one of those attacks isn't entirely farfetched. The Princeton researchers point to the Mirai botnet of 600,000 hacked IoT devices, including security cameras and home routers. That zombie horde hit DNS provider Dyn with an unprecedented denial of service attack in late 2016, taking down a broad collection of websites. Building a botnet of the same size out of more power-hungry IoT devices is probably impossible today, says Ben Miller, a former cybersecurity engineer at electric utility Constellation Energy and now the director of the threat operations center at industrial security firm Dragos. There simply aren't enough high-power smart devices in homes, he says, especially since the entire botnet would have to be within the geographic area of the target electrical grid, not distributed across the world like the Mirai botnet. But as internet-connected air conditioners, heaters, and the smart thermostats that control them increasingly show up in homes for convenience and efficiency, a demand-based attack like the one the Princeton researchers describe could become more practical than one that targets grid operators. "It's as simple as running a botnet. When a botnet is successful, it can scale by itself. That makes the attack easier," Miller says.
"It's really hard to attack all the generation sites on a grid all at once. But with a botnet you could attack all these end user devices at once and have some sort of impact." The Princeton researchers modeled more devious techniques their imaginary IoT botnet might use to mess with power grids, too. They found it was possible to increase demand in one area while decreasing it in another, so that the total load on a system's generators remains constant while the attack overloads certain lines. That could make it even harder for utility operators to figure out the source of the disruption. If a botnet did succeed in taking down a grid, the researchers' models showed it would be even easier to keep it down as operators attempted to bring it back online, triggering smaller scale versions of their attack in the sections or "islands" of the grid that recover first. And smaller scale attacks could force utility operators to pay for expensive backup power supplies, even if they fall short of causing actual blackouts. And the researchers point out that since the source of the demand spikes would be largely hidden from utilities, attackers could simply try them again and again, experimenting until they had the desired effect. The owners of the actual air conditioners and water heaters might notice that their equipment was suddenly behaving strangely. But that still wouldn't immediately be apparent to the target energy utility. "Where do the consumers report it?" asks Princeton's Soltan. "They don't report it to Con Edison, they report it to the manufacturer of the smart device. But the real impact is on the power system that doesn't have any of this data." That disconnect represents the root of the security vulnerability that utility operators need to fix, Soltan argues.
Just as utilities carefully model heat waves and British tea times and keep a stock of energy in reserve to cover those demands, they now need to account for the number of potentially hackable high-powered devices on their grids, too. As high-power smart-home gadgets multiply, the consequences of IoT insecurity could someday be more than just a haywire thermostat, but entire portions of a country going dark. https://www.wired.com/story/water-heaters-power-grid-hack-blackout/

  • Rheinmetall, MBDA building high-energy lasers for Germany’s Navy

    January 29, 2021 | International, Naval

    By: Vivienne Machi STUTTGART, Germany — Rheinmetall and MBDA Deutschland have officially been tasked to build, test and field a high-energy laser weapon system for the German Navy over the next year. The consortium, dubbed ARGE, was awarded a contract “in the low double-digit million euro range” by Berlin's military procurement office, the Federal Office for Bundeswehr Equipment, Information Technology and In-Service Support (BAAINBw). Work will be conducted through the end of 2021, with trials scheduled for 2022 aboard the Navy frigate Sachsen, per a joint press announcement released Thursday. The work is to be split on a “roughly equal basis,” the companies said. Rheinmetall will be responsible for the laser weapon system, the beam guiding system, cooling, and integrating the weapon system with the overall laser source demonstrator. MBDA will focus on the operator console along with tracking technology and command-and-control system integration. Details have yet to be revealed about where the system's development will take place. This latest contract continues the companies' collaboration on high-energy laser efforts, which was first announced in August 2019. Rheinmetall and the German military have been testing high energy laser technologies in the maritime domain since 2015, a company spokesman told Defense News. “The contract marks a systematic extension of the functional prototype laser weapon successfully tested in recent years, with the experience gained now dovetailing into one of the most ambitious projects in the field of laser weapon development in Europe,” said Alexander Graf, head of Rheinmetall Waffe Munition's laser weapons program, and Markus Jung, who leads the company's laser weapon development segment.
Once the demonstrator is installed, it will be used to test other aspects of the laser weapon system, such as the sensor suite and combat management system, and evaluate rules of engagement, said Doris Laarmann, MBDA's head of laser business development, in the release. The German arm of MBDA announced a restructuring of operations in late 2020, following mixed signals from Berlin regarding the status of the Tactical Air Defense System (TLVS) program. Executives have expressed skepticism that a contract award would emerge soon for the follow-on work of the former Medium Extended Air Defense System (MEADS). In 2015, the German government announced it would use MEADS as the basis for TLVS, which would eventually replace the nation's 1980s-era Patriot air defense systems. https://www.defensenews.com/global/europe/2021/01/28/rheinmetall-mbda-building-high-energy-lasers-for-germanys-navy
