Case Studies

Chair: Randy Smith

Creating Failure Scenarios for Natural Gas Critical Infrastructure, Michael Locasto, SRI International
Abstract: One of the most critical questions facing asset owners and utilities is how their infrastructure could be made to fail by a variety of threat actors. Designing, enumerating, and analyzing such failure scenarios is a valuable way of exploring the assumptions made on the operational side, the value of current mitigations, and the need for certain types of protection mechanisms. We created 53 failure scenarios for the natural gas distribution critical infrastructure sector. These failure scenarios highlight a range of potential threats across the entire infrastructure, from transmission to distribution and home metering. As a collection, these failure scenarios provide utilities and operators a high-level sense of what could go wrong. The value proposition is twofold. First, the scenarios help assess the sufficiency of current safety and security measures. Second, the scenarios help assess the risk/reward of incorporating more intelligent electronic devices into natural gas infrastructure. In this case study, we will share the failure scenarios and their categories, the threat model they encompass, and the assumptions and caveats underpinning their creation. We will also discuss our process for designing and generating them – a process that necessarily begins with acquiring a thorough understanding of the specific kinds of equipment, protocols, and facilities used by the natural gas distribution sector. We will close with a consideration of lessons and takeaways for utilities and cybersecurity professionals interested in learning more about and contributing to the sector.

Bio: Michael E. Locasto, Ph.D., is a principal computer scientist at SRI’s New York City cyberanalytics research hub and a member of the Infrastructure Security Group. Locasto is the co-principal investigator for SRI’s Internet of Things Security and Privacy Center. He is also the principal investigator for SRI’s Threat Intelligence for Grid Recovery (TIGR) project under the Defense Advanced Research Projects Agencys Rapid Attack Detection, Isolation, and Characterization Systems (RADICS) program, which focuses on finding, characterizing, and removing malware in power grid equipment. He supports several cybersecurity and cyber-physical systems programs under SRI’s CRATES project for the Department of Homeland Security Science & Technplogy Directorate's (DHS S&T) cybersecurity R&D program.

Password Sequence (PSQ) - A Novel Approach for Implementing Long Passwords, Joseph D Scrandis, Towson University
Abstract: This case study presents a novel technique called Password Sequence (PSQ) to implement passwords. With PSQ it is possible to create a long complicated password without the need to remember a long string. PSQ allows for creativity in password creation and utilizes the entire keyboard and not just the character keys. The password would be a string that records every button pressed in order including character and non-character keys. Since the method outputs a string, PSQ can be used with all current password systems. Using PSQ can easily create a 20 or longer character password with ease. Plus, even if hacker are aware of this system, there are exponentially more possible password combinations than its predecessor.

Bio: Joseph Scrandis is a college student at Towson University who's work seeks to improve security through loss prevention techniques.

Encrypting Configuration Sections in ASP.NET 4.5 Using DPAPI: A Real Life Experience, Sercan Alabay, Uludag University, Turkey  TEXT
Abstract: This case study presents an approach for using encryption to protect configuration files.  Configuration files such as the App.config file are often used to hold sensitive information, including user names, passwords, database connection strings, and encryption keys. If we do not protect this information, the application is vulnerable to attackers or malicious users obtaining sensitive information such as account user names and passwords, database names and server names. In our real-life experience, we developed software for a local municipality which performs a data connection to a device responsible for several measurements related to weather conditions and presence of some substance in the air. The software also demonstrates real time measurements and other outputs of the device located in the main municipality building rooftop. In the initial version of the software, app.xml file (which can be accessed by the users) was not encrypted thus Sql Server credentials could easily be monitored. Using DPAPI, we are able to protect this critical file from malicious access.

Bio: Sercan Alabay is a research assistant in Faculty Of Education, in foreign languages and technology department, University Uludag situated North west of Turkey.