Interstate travel. Electric power. Clean, running water. We take these and other networked elements of our nation’s infrastructure for granted — until they’re disrupted. Then the results, even on a personal level, are catastrophic: How do we get from point A to point B? How do we check our E-mail, or keep the food in our refrigerator and freezer cold? Where do we get water to drink, or to wash with, or to bathe in?
Even before the September 11, 2001 terrorist attacks on the World Trade Center towers and the Pentagon, the U.S. Department of Defense began funding research in which investigators could study ways to protect the nation’s critical infrastructure.
UW-Madison received such a grant in spring 2001. Led by Professor Stephen Robinson, the five-year, $4.2 million project involves 11 researchers from four universities, including the University of Central Florida, Florida State University, and George Washington University.
On campus, investigators are focusing efforts on resource allocation, human factors, and information security. Professor Vicki Bier is studying how best to spend a limited budget on strengthening a system. Using a combination of game theory and reliability analysis, she has developed a number of rules of thumb that can apply to a variety of systems.
Foremost, Bier says, is understanding the attackers’ motivations, and anticipating what they are likely to attack — whether it be a system’s weakest point or an aspect that will do the most damage. “Does the attacker want to do the most damage? If so, they may target the Sears Tower instead of the Wisconsin State Capitol,” she says. “If the attacker doesn’t care about damage but only wants the highest probability of success, then maybe they’ll target some building in downtown Madison because it’s not going to be as well protected.”
Also important is whether the system contains backups or alternatives, such as two transportation routes to the same destination. “If I have two or more or several backups, then I can choose which one of them to harden based on which is the most cost-effective,” says Bier.
Conversely, “series” systems — for example, the Trans-Alaska Pipeline System, a single line that delivers 17 percent of the country’s domestic oil production — don’t offer that kind of flexibility. If the components in such a series system are of relatively equal value, she says, strengthen the weakest links; if not, strengthen the components that, if attacked, would be expected to cause the most damage.
An attacker who can make just one attempt probably will target the most attractive component, she says. But an attacker who has multiple tries at the system actually increases the defender’s flexibility, because the defender can spread resources around for the greatest effect.
Relying on secrecy and deception also can give a defender more flexibility, says Bier, citing the anthrax attacks in 2001. “If we put in a lot of really expensive sterilization equipment in the post office and everybody knows about it, it accomplishes nothing, because any attacker who wants to deliver anthrax can send it by Federal Express, by UPS, or bicycle courier,” she says. But if the post office installed the equipment secretly, a future attack could be thwarted.
Similarly, computer systems administrators often store critical data — such as customer credit card information — in files with mundane names in obscure parts of the server and create bogus, obvious files, or honey pots, called “credit card data” to confuse hackers.
In another aspect of the grant, Professor Mary Vernon and Mathematics Professor Thomas Kurtz are developing ways to make it difficult for people to access and disrupt computer networks, such as the one that connects all of the workstations in the university’s computer sciences department. “Because these things are very open — and have to be in order to do their job — people can come in and try to attack individual computers,” says Robinson. The department detects thousands of attacks within a two-week period, he adds.
On a larger scale, the Department of Defense wards off attacks from “recreational” hackers as well as more nefarious types looking for specific information. “Because of the scale of these attempted attacks, it’s not something you can react to,” says Robinson. “You have to be surveying the network all of the time automatically.”
Sophisticated statistical methodology is required to distinguish between normal traffic and someone who shouldn’t be there. “And so we have worked both in trying to improve the capability to survey the networks and also in developing statistical methods,” he says.
Professor Pascale Carayon‘s human factors studies intersect with both resource allocation and information security.
Her group has interviewed several network administrators and information systems managers to identify human and organizational issues related to computer and information system security. Collaborating with Vernon and the Computer Sciences Laboratory, the researchers have developed a human factors vulnerability analysis methodology to identify specific human and organization factors associated with specific vulnerabilities.
In addition, Carayon’s group is beginning to study per-formance of “red teams” at Sandia National Laboratories. “Red teams stress the infrastructure system by modeling adversary actions,” she says. “The red team looks for opportunities to combine system, organizational and architectural vulnerabilities to execute a successful attack.”
Because there are places — such as hospitals or airports — where it is impractical to use red teams, the group hopes its study will yield models of how the teams operate, and eventually, simulations that can uncover weaknesses safely.
Although Robinson is the project’s principal investigator and spends much of his time administratively, he is conducting studies in variational analysis, which deals with the math underlying optimization and game theory. “Eventually this kind of work results in better understanding of how to approach these things and how to solve them computationally,” he says.
Although the project began in May of 2001, he says the nation’s post-September 11 focus on protecting critical infrastructure is welcome. “I think that the problems are very big and a team like ours can make progress in some specific areas,” he says.