The UK National Air Traffic Service ground to a halt as its computerised systems shut down and manual backup systems had to take over, crippling UK air space. The failure has been blamed on a malformed flight plan that got introduced into the system. But can data alone bring down a complex system? No.
It’s not the data that failed here—it was the software handling the data. The software was designed to shut down if it found bad input data, and it did. The failure was that the software did not handle the bad data gracefully, for example by rejecting the original input.
This is the essence of a data-driven cyber-attack, even though in this case it seems to have been accidental bad input: inappropriate or malformed data triggering undesirable behaviour in software. This happens because the software is too complex for anyone to fully understand and control its behaviour in all circumstances. It’s not just the input data that matters, but the state of the system when it arrives; combine those and the number of possibilities to worry about heads towards infinity. That means the developers don’t really stand a chance of eliminating all the bugs.
The alternative is to guard the inputs. This is what happens with critical systems connected to risky networks such as the Internet. Whether it is defence, intelligence, or critical infrastructure, such high-risk connectivity is carefully controlled to make sure only data that is needed and properly formed is allowed to pass. With the inputs nailed down, the protected system need only be tested against good inputs, not the infinite variety of bad inputs.
But that’s not enough, because the controls are themselves complex and they face the external threat – there’s nothing to protect them against bad inputs. What stops these defences from failing, leaving the protected system unprotected? This is where security engineering comes in—a Cross Domain Solution in military speak. This involves identifying the most critical part of the defence, making it simple, and separating it from the rest of the defence. The simplicity of the critical function makes it possible to get it right, and the separation means that even if other parts fail it will continue to work. All this is why Forcepoint’s Cross Domain Solutions are widely used to protect critical systems from the threats they must connect to.
If this divide-and-conquer approach is done well, the critical function becomes so simple that it can be implemented in hardware logic. While software needs a complex stack of operating system and libraries to run, logic runs directly on the hardware, so simple functions can be implemented simply. And unlike software, logic doesn’t modify itself, so once it is right it stays right.
This is the approach taken with Forcepoint’s High Speed Verifier. It implements the critical data verification function in simple logic, while software is used to interface this to the applications that provide and consume the data. This not only keeps bad data out, but also protects itself from attacks to complete the defence.
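As an added illustration of the guard-the-inputs idea above and of keeping the critical verification function small and separate from the application software, here is a Python sketch that is not code from this article or from any Forcepoint product. It uses a constructed toy record format (not the real flight-plan format): a strict allow-list verifier sits in front of a consumer that trusts its input, so malformed records are rejected and the rest keep flowing, whereas the unguarded path halts at the first bad record.

```python
import re

# Constructed toy record format, NOT the real flight-plan format:
# "CALLSIGN,DEP,DEST,LEVEL", e.g. "BAW123,EGLL,KJFK,F350".
# Positive rules: anything not matching every rule is rejected.
FIELD_RULES = {
    "callsign": re.compile(r"[A-Z]{3}[0-9]{1,4}[A-Z]?"),
    "dep": re.compile(r"[A-Z]{4}"),                    # 4-letter aerodrome code
    "dest": re.compile(r"[A-Z]{4}"),
    "level": re.compile(r"F(0[0-9]{2}|[1-5][0-9]{2})"),  # F000 to F599
}
MAX_RECORD_LEN = 32  # hard cap on record size before any parsing


def verify(record: bytes):
    """Small, self-contained allow-list check. Returns parsed fields or None (reject)."""
    if len(record) > MAX_RECORD_LEN:
        return None
    try:
        text = record.decode("ascii")      # only plain ASCII is acceptable
    except UnicodeDecodeError:
        return None
    parts = text.split(",")
    if len(parts) != len(FIELD_RULES):     # exactly the expected number of fields
        return None
    fields = {}
    for (name, rule), value in zip(FIELD_RULES.items(), parts):
        if not rule.fullmatch(value):
            return None
        fields[name] = value
    return fields


def fragile_consumer(record: bytes) -> int:
    """Models application software that trusts its input: faults on anything malformed."""
    _callsign, _dep, _dest, level = record.decode("ascii").split(",")
    return int(level[1:]) * 100            # flight level to feet; raises on garbage


def unguarded_pipeline(records):
    """No verifier: the first bad record faults the consumer and processing stops."""
    results = []
    for i, rec in enumerate(records):
        try:
            results.append(fragile_consumer(rec))
        except (UnicodeDecodeError, ValueError):
            return results, i              # halted at record i; the rest never run
    return results, None


def guarded_pipeline(records):
    """Verifier in front of the consumer: bad records are rejected, the rest are processed."""
    accepted, rejected = [], []
    for rec in records:
        fields = verify(rec)
        if fields is None:
            rejected.append(rec)           # log and drop; the system keeps running
            continue
        accepted.append((fields["callsign"], fragile_consumer(rec)))
    return accepted, rejected


# Constructed sample input: one good record, a typo'd level, a non-ASCII byte, an oversize record.
SAMPLE = [b"BAW123,EGLL,KJFK,F350", b"BAW123,EGLL,KJFK,F35O",
          b"DLH4\xff,EDDF,EGLL,F100", b"X" * 40]
```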
Would such an approach have saved the air traffic system? Maybe not, as by all accounts that was not due to a cyber-attack. But perhaps a cyber-attack could be mounted along similar lines, in which case it might be wise to make sure it cannot happen.