Cyber-espionage protections in HR933

Someone snuck some pretty serious restrictions on government purchases of IT from Chinese-owned companies into the recently-approved continuing resolution. (Specifically: HR933, Division B, Title V, Sec. 516.)

Sec. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.

(b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

My questions: Why does this only apply to Commerce, Justice, NASA, and NSF? What will the real impact be? Does this only apply to big-A Acquisition programs, or will it impact procurement?

I’m surprised this hasn’t gotten more publicity. I’m going to be very interested to follow how these restrictions are implemented.

Further reading:
U.S. law to restrict government purchases of Chinese IT equipment
Congress Bulls Into China’s Shop
New U.S. Cyber-Security Law May Hinder Lenovo’s Sales Growth


Resilient Military Systems and the Advanced Cyber Threat

The DOD Defense Science Board has just released a task force report, Resilient Military Systems and the Advanced Cyber Threat, and it’s been getting a lot of attention.

From the report:

  • The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War
  • The cyber threat is also insidious, enabling adversaries to access vast new channels of intelligence about critical U.S. enablers (operational and technical; military and industrial) that can threaten our national and economic security
  • Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat
  • DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems
  • U.S. networks are built on inherently insecure architectures with increasing use of foreign-built components
  • U.S. intelligence against peer threats targeting DoD systems is inadequate
  • With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks
  • It will take years for the Department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities.

Serious stuff.


Supply Chain Solutions for Smart Grid Security

The US Resilience Project has released the report Supply Chain Solutions for Smart Grid Security: Building on Business Best Practices, based on results from their March 2012 workshop.

I attended the workshop in March and was very impressed at the time. I felt a little bit out of place–one of just a few engineers in a huge room full of executives–but I thought the resulting conversations were good. I’m glad they captured so much of that in this report.


Micro Book Review: Getting Started with D3

Getting Started with D3 by Mike Dewar reads like an online tutorial. If you fall into the very narrow niche of knowing what D3 is (because the acronym, Data-Driven Documents, is never defined in the book) and have no internet access and no computer, this book is for you. (As it happens, this was perfect for me).

The book is clear and concise, and I appreciated that the author used real-world data that is parsed and served with Python. Unfortunately, at just 70 pages the book feels unfinished. Getting Started with D3 is more cohesive and approachable than many online tutorials, but does not have much of an edge beyond that.


Industrial Control System Field Device Analysis

For anyone interested, here is a soft copy of the presentation John Mulder and I gave at the IFIP Working Group 11.10 on Critical Infrastructure Protection at National Defense University last spring: Industrial Control System Field Device Analysis


Protection of Mission Critical Functions to Achieve Trusted Systems and Networks

On November 5, DoD approved/released DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN). The memo “Establishes policy and assigns responsibilities to minimize the risk that DoD’s warfighting mission capability will be impaired due to vulnerabilities in system design or sabotage or subversion of a system’s mission critical functions or critical components, as defined in this Instruction, by foreign intelligence, terrorists, or other hostile elements.”

This policy memo may look like the most boring thing ever, but it’s actually pretty exciting for my work. DoD has been blazing the trail for US Government supply chain risk management (at least, that’s what GAO says), but the high-level policies are still being developed. The memo formalizes a large part of DoD’s supply chain risk management program.


Congressional Report on Huawei and ZTE

From the House Permanent Select Committee on Intelligence report,
Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE:

I. The threat posed to U.S. national-security interests by vulnerabilities in the telecommunications supply chain is an increasing priority given the country’s reliance on interdependent critical infrastructure systems; the range of threats these systems face; the rise in cyber espionage; and the growing dependence all consumers have on a small group of equipment providers.

A. China has the means, opportunity, and motive to use telecommunications companies for malicious purposes.

B. Suggested “mitigation measures” cannot fully address the threat posed by Chinese telecommunications companies providing equipment and services to United States critical infrastructure.

The full report is actually a pretty good read.


Automatic Warhol-Style Serigraph Generation

We recently had a logo drawn up for a research project that I’ve been involved with for a couple of years. I’ve been planning on having a poster-size version printed, but I thought that simply printing a very large logo would be too easy. I’m a fan of pop-art, so I thought that an Andy Warhol-style serigraph of our logo would make a cool poster.

My first thought was that this should be pretty easy in Photoshop. I hit the Internet to find tutorials for making Warhol-style graphics from an image and started Photoshop. I quickly abandoned that idea; I don’t know Photoshop well at all, and the entire process appeared painfully manual. So, naturally, I decided to do it programmatically with the Python Imaging Library.

I used Warhol’s Che Guevara serigraph as a model.


Original Andy Warhol Che Guevara Serigraph

I used the colors from the original, manually picking them out of the piece and saving them in a list of dictionaries:

# colors here are taken directly from Warhol's Che Guevara serigraph
# (in order left to right, top to bottom); each value is an RGBA tuple
colorset = [
    {'bg': (255, 255, 0, 255), 'fg': (50, 9, 125, 255), 'skin': (118, 192, 0, 255)},
    {'bg': (0, 122, 240, 255), 'fg': (255, 0, 112, 255), 'skin': (255, 255, 0, 255)},
    {'bg': (50, 0, 130, 255), 'fg': (255, 0, 0, 255), 'skin': (243, 145, 192, 255)},
    {'bg': (255, 126, 0, 255), 'fg': (134, 48, 149, 255), 'skin': (111, 185, 248, 255)},
    {'bg': (255, 0, 0, 255), 'fg': (35, 35, 35, 255), 'skin': (255, 255, 255, 255)},
    {'bg': (122, 192, 0, 255), 'fg': (255, 89, 0, 255), 'skin': (250, 255, 160, 255)},
    {'bg': (0, 114, 100, 255), 'fg': (252, 0, 116, 255), 'skin': (250, 250, 230, 255)},
    {'bg': (250, 255, 0, 255), 'fg': (254, 0, 0, 255), 'skin': (139, 198, 46, 255)},
    {'bg': (253, 0, 118, 255), 'fg': (51, 2, 126, 255), 'skin': (255, 105, 0, 255)}
]

Automatically Warholifying images is not straightforward for general pictures or photographs, but working on vector-style images with a couple of assumptions is not very difficult. The assumptions I made for this were that the “face” color is white and the background is transparent.

The image I’ll use for this example is a vector version of the classic photo of Che Guevara from Wikimedia Commons. I modified this image by using a bucket fill tool to make the face area white, but did not have to make any other modifications.


Vector image of Che Guevara

First, we change the transparent background to be the bg_color specified and change everything else to be fg_color.

from PIL import Image

def color_bg_fg(image, bg_color, fg_color):
    '''change transparent background to bg_color and change
    everything non-transparent to fg_color'''
    fg_layer = Image.new('RGBA', image.size, fg_color)
    bg_layer = Image.new('RGBA', image.size, bg_color)
    # an RGBA mask contributes only its alpha band: opaque pixels take
    # fg_layer, fully transparent pixels take bg_layer
    masked_image = Image.composite(fg_layer, bg_layer, image)
    return masked_image

bg_fg_layer = color_bg_fg(image, bg_color, fg_color)

Output:


Background changed to bg_color and all foreground changed to fg_color

Next we create a mask of the skin area. The first step here is to change the background from transparent to something non-transparent (I chose black):

def darken_bg(image, color):
    '''composite image on top of a single-color image, effectively turning all
    transparent parts to that color'''
    color_layer = Image.new('RGBA', image.size, color) 
    masked_image = Image.composite(image, color_layer, image)
    return masked_image

temp_dark_image = darken_bg(image, (0,0,0,255))

Output:


Background changed to black

We then change all of the white-ish areas of the image to be transparent.

import numpy as np

def white_to_color(image, color):
    '''change all colors close to white and non-transparent
    (alpha > 0) to be color.'''
    threshold = 50
    dist = 10
    arr = np.array(image)  # writable copy of the RGBA pixel data
    # compare channels as signed ints: uint8 subtraction wraps around, so a
    # near-white pixel such as (250, 255, 252) would otherwise fail the
    # channel-distance test and be left as foreground
    r, g, b, a = np.rollaxis(arr.astype(np.int16), axis=-1)
    mask = ((r > threshold)
            & (g > threshold)
            & (b > threshold)
            & (np.abs(r - g) < dist)
            & (np.abs(r - b) < dist)
            & (np.abs(g - b) < dist)
            & (a > 0)
            )
    arr[mask] = color
    image = Image.fromarray(arr)  # a (h, w, 4) uint8 array is read back as RGBA
    return image

skin_mask = white_to_color(temp_dark_image,(0,0,0,0))

Output:


White 'skin' areas changed to transparent

We then create an image the same size as our source file that is nothing but skin_color.

skin_layer = Image.new('RGBA', image.size, skin_color) 

Output:


Single color image

Finally, we composite bg_fg_layer with skin_layer, using skin_mask as a mask.

out = Image.composite(bg_fg_layer, skin_layer, skin_mask)

Output:


Complete serigraph-style image

Here are all the steps put together:

def make_warhol_single(image, bg_color, fg_color, skin_color):
    '''create a single warhol-serigraph-style image'''
    bg_fg_layer = color_bg_fg(image, bg_color, fg_color)
    temp_dark_image = darken_bg(image, (0,0,0,255))
    skin_mask = white_to_color(temp_dark_image,(0,0,0,0))
    skin_layer = Image.new('RGBA', image.size, skin_color) 
    out = Image.composite(bg_fg_layer, skin_layer, skin_mask)
    return out

Finally, we can call the make_warhol_single function with multiple color combinations and create a single image containing all of them.

def warholify(image_file):
    im = Image.open(image_file).convert('RGBA')

    warhols = []
    for colors in colorset:
        warhols.append(make_warhol_single(im, colors['bg'], colors['fg'], colors['skin']))

    x, y = im.size

    # tile the nine variants into a 3x3 grid, left to right, top to bottom
    blank_image = Image.new("RGB", (x*3, y*3))
    for i, warhol in enumerate(warhols):
        row, col = divmod(i, 3)
        blank_image.paste(warhol, (col*x, row*y))

    blank_image.save('out.png')

Output:


Final image

The full source code for this program is available on GitHub.
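As an added, self-contained example (not code from the original post or its GitHub repository), here is the single-serigraph pipeline re-implemented with the channel-distance test done in int16 rather than uint8, run over a constructed three-pixel strip that covers each pixel class the post's assumptions produce: transparent background, opaque outline, and an anti-aliased near-white skin pixel. The helper names constructed_input and classify_pixels are mine.

```python
import numpy as np
from PIL import Image

def color_bg_fg(image, bg_color, fg_color):
    '''transparent pixels become bg_color, everything else fg_color'''
    fg_layer = Image.new('RGBA', image.size, fg_color)
    bg_layer = Image.new('RGBA', image.size, bg_color)
    return Image.composite(fg_layer, bg_layer, image)  # image's alpha is the mask

def darken_bg(image, color):
    '''composite image over a solid color so transparent areas take that color'''
    color_layer = Image.new('RGBA', image.size, color)
    return Image.composite(image, color_layer, image)

def white_to_color(image, color, threshold=50, dist=10):
    '''recolor opaque near-white pixels; int16 comparison avoids uint8 wraparound'''
    arr = np.array(image)
    r, g, b, a = np.rollaxis(arr.astype(np.int16), axis=-1)
    mask = ((r > threshold) & (g > threshold) & (b > threshold)
            & (np.abs(r - g) < dist) & (np.abs(r - b) < dist)
            & (np.abs(g - b) < dist) & (a > 0))
    arr[mask] = color
    return Image.fromarray(arr)

def make_warhol_single(image, bg_color, fg_color, skin_color):
    '''the post's pipeline: bg/fg recolor, then skin mask, then composite'''
    bg_fg_layer = color_bg_fg(image, bg_color, fg_color)
    skin_mask = white_to_color(darken_bg(image, (0, 0, 0, 255)), (0, 0, 0, 0))
    skin_layer = Image.new('RGBA', image.size, skin_color)
    return Image.composite(bg_fg_layer, skin_layer, skin_mask)

def constructed_input():
    '''constructed 3x1 strip (hypothetical input): transparent background,
    opaque black outline, and a near-white anti-aliased "skin" pixel'''
    px = np.zeros((1, 3, 4), dtype=np.uint8)
    px[0, 1] = (0, 0, 0, 255)
    px[0, 2] = (250, 255, 252, 255)
    return Image.fromarray(px)

def classify_pixels(bg=(255, 255, 0, 255), fg=(50, 9, 125, 255), skin=(118, 192, 0, 255)):
    '''run one serigraph pass over the strip; returns [bg, fg, skin] pixels'''
    out = make_warhol_single(constructed_input(), bg, fg, skin)
    return [out.getpixel((x, 0)) for x in range(3)]
```

With the original uint8 arithmetic the third pixel would have come out as foreground, because 250 - 255 wraps to 251 and fails the distance test.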


Control System Devices: Architectures and Supply Channels Overview

There’s been a ton of work on reverse engineering PLC firmware, but not a ton on the hardware or supply chain issues. This is a Sandia technical report I published with John Mulder, Jason Trent, and Will Atkins a couple of years ago.

Control System Devices: Architectures and Supply Channels Overview

Abstract
This report describes a research project to examine the hardware used in automated control systems like those that control the electric grid. This report provides an overview of the vendors, architectures, and supply channels for a number of control system devices. The research itself represents an attempt to probe more deeply into the area of programmable logic controllers (PLCs)—the specialized digital computers that control individual processes within supervisory control and data acquisition (SCADA) systems. The report (1) provides an overview of control system networks and PLC architecture, (2) furnishes profiles for the top eight vendors in the PLC industry, (3) discusses the communications protocols used in different industries, and (4) analyzes the hardware used in several PLC devices. As part of the project, several PLCs were disassembled to identify constituent components. That information will direct the next step of the research, which will greatly increase our understanding of PLC security in both the hardware and software areas. Such an understanding is vital for discerning the potential national security impact of security flaws in these devices, as well as for developing proactive countermeasures.


First post!

Welcome to Moses Schwartz Dot Com!

DISCLAIMER: The views expressed on this website are my own and do not reflect the opinions of my employer.