#SOURCEBoston: Geer warns against ‘all or nothing’ approach to critical infrastructure and the Internet

Critical infrastructure should not be connected to the Internet. But if it has to be that way, at least keep the manual fallbacks in place. That was one of the messages security luminary Dan Geer delivered at SOURCE Boston this morning.

“The wide open range of the Internet either must die, or critical infrastructure should not be connected to it,” Geer said. On the other hand, it’s unrealistic to expect that critical infrastructure will forever be divorced from cyberspace.

“It may no longer be possible to live without dependence on the Internet, even if you live at the end of a dirt road,” he said. “The source of risk is dependence. Those who choose to leave the Internet only get to say so in the first person. They are still dependent on it, unless they live in a pre-industrial society.”

In other words, you can’t just take it or leave it. And so, Geer said, the best middle course is to leave the manual controls.

“Everyone here knows that without redundancy there to save your bacon, you’re in big trouble,” he said, noting that there will always be need to keep humans in the loop. Or, as he put it, “put back into the loop.” He used the example of a deprovisioning system at a bank that receives 50 resignation notices in the course of an hour. “The system will stop working until a human intervenes,” Geer said.

He doesn’t see the manual fallbacks as an easy out, however. He noted that in government, intrusion prevention is ceasing to be an option and that the operative terminology is now “intrusion tolerance.” In the case of critical infrastructure, diversity and manual fallbacks are part of being able to tolerate attacks and failures that will still come.

The resistance to an all-or-nothing approach is consistent with what we’ve heard from Geer in the past. He was famously fired from @stake 9 years ago for co-writing a paper warning that a technological “monoculture” dominated by Windows products was a gathering threat. When I last spoke to Geer about the Microsoft monoculture four years ago, he was more optimistic than he had been. Here’s the exchange:

You’re probably immensely tired of this topic, but let’s revisit the Microsoft monoculture paper. It was, in hindsight, one of the best things for your career & 

That rather dark cloud had a rather big silver lining.

Much has happened with Microsoft security since then. Does the basic warning of that paper still stand, or is your position more relaxed given their security efforts? 

In my view they accepted the paper. The proof of that is how they addressed the location randomization that’s in [Windows] Vista. That’s a direct attempt to insert diversity in the name of creating as a side effect non-predictability. The argument in our paper was that there was a lack of diversity that produced a level of predictability [that could be easily figured out and exploited]. The change in Vista has made it so that a certain class of exploits has gone from easy to hard. Who can argue with that?

On the other hand, it’s only a drop in the bucket. There are other monocultures out there. Dan Kaminsky’s Domain Name System (DNS) flaw is an example of that, as is the fact that Cisco infrastructure is sitting atop the backbone of the Internet.

Looking at Geer’s observations about the Internet and critical infrastructure, the need for diversity still applies.