OS key to network security, speakers say

SANTA BARBARA, Calif. — The computer networks that control business transactions, transportation, electric power, defense, and confidential personal data are increasingly vulnerable to attack, according to speakers at the Green Hills Software Inc. Technology Conference here Dec. 4 and 5. Networks can only be secure, company representatives said, when the devices at the "endpoints" use secure operating systems.

Green Hills used the event to roll out its new Platform for Secure Networking, as well as Integrity 10, the next release of its Integrity real-time operating system (RTOS). Green Hills also claimed that its existing Integrity-178B, aimed at safety-critical applications such as avionics, is the first RTOS to undergo National Security Agency (NSA) testing for an ISO/IEC 15408 Common Criteria Evaluation Assurance Level (EAL) beyond EAL6.

"We can't live without our networks. That's our vulnerability," said Dan O'Dowd, Green Hills CEO. "The biggest vulnerability is the security of the operating systems at the endpoints."

O'Dowd noted that networks handle all business and financial transactions, hold personal data including medical and financial records, run the entire transportation system, maintain the electric power grid, and are responsible for much of the U.S. defense capability. "If an adversary can disrupt our networks, our entire system falls apart, we're so dependent on them," he said.

Potential adversaries, O'Dowd said, are not so dependent on networks. They use cash for business transactions, typically live in countries without reliable power or transportation, and their militaries use more primitive electronics. And this may give them an advantage. "In combat, a blind man will turn out the lights," O'Dowd noted.

O'Dowd presented various disaster scenarios, such as terrorists programming large numbers of traffic lights to turn green at the same time during rush hour, or hackers inserting viruses into automotive control systems through Bluetooth infotainment systems. He cited an incident in which a call center worker in India sold bank account details for 1,000 U.K. customers. He also pointed to a long list of Cisco vulnerabilities available on line.

Things aren't getting any safer. Christopher Harz, vice president of strategic planning at IPv6 Summit Inc., noted that IPv6 will bring about an orders-of-magnitude increase in the number of Internet addresses available. "Right now, there are a maximum of a couple of billion nodes in the world," he said. With IPv6, Harz said, "there may be a couple of billion nodes in your neighborhood."

As the number of nodes increases, he said, so do vulnerabilities. There will be many more network-centric operations, he said, and a much greater emphasis on mobile, wireless communications. Because the U.S. is behind on IPv6, Harz said, there will be a "massive infusion" of foreign-built hardware and software. And because IPv6 is new, he said, it will require a new generation of firewalls.

Aaron Turner, cyber security strategist for national and homeland security at Idaho National Laboratory (INL), started his talk by noting that there's much he can't say. "The list of vulnerabilities I can talk about is not very long, because there are no solutions today," he said.

While terrorists and unfriendly nations remain a threat, Turner said that the fastest-growing type of cyber-attack today comes from criminals out for financial gain. He said INL is investigating reports of criminal extortion from operators of SCADA (supervisory control and data acquisition) systems. "The adversary capability is growing tremendously versus our security capability," he said.

The INL, said Turner, has developed a very sophisticated simulation capability to predict the impact of possible cyber-attacks. But the economic impact of these attacks is very real, he said. Network vulnerability, Turner said, "is the next great crisis our society is going to confront."