Thursday, August 13, 2009

Attack Models in the Physical World

A few weeks ago I parked my Ford Explorer (It's not a clunker!!) in a parking garage. On the way out I walked by the pipe shown in the picture at left. It looks like a pipe for carrying a fluid (water maybe?) "protected" by a metal frame.

I think the purpose of the cage is pretty clear. It's deployed to prevent drivers from inadvertently ramming the pipe with their front or rear car bumpers. However, think of all the "attacks" for which it is completely unsuited. Here are the first five I could imagine.

  • Defacement, like painting obscenities on the pipe

  • Cutting the pipe with a saw

  • Melting the pipe with a flame

  • Cracking the pipe with a hammer

  • Stealing water by creating a hole and tube to fill a container


So what if any of these attacks were to happen? Detection and response are my first answers. There's likely a camera somewhere that could see me, my car, and the pipe. Cameras or bystanders are likely to record some detail that would cause the intruder to be identified and later apprehended. Other people in the parking garage are likely to tell someone in authority, or better still, take video or a photo of the intruder in action and then provide that to someone in authority.

So, we can all laugh at the metal cage around this pipe, but it's probably doing just what it needs to do, given the amount of resources available for "defense" and the detection and response "controls" available.

If the defensive posture changed, it would probably not be the result of a security person imagining different attack models against plastic pipes. In other words, it wouldn't be only "decide -> act". Rather, changes would be prompted by observed attacks against real infrastructure. We'd have the full "observe -> orient -> decide -> act" OODA loop. For example, some joker would be seen cutting the pipe using a saw, so patrols and cameras would be enhanced, and possibly wire mesh or plating would be added to the cage to slow down the attacker in time for responders to arrive.

12 comments:

iamnowonmai said...

Funny - when I saw the picture I thought you were going to talk about design failure and cobbling things together as an afterthought. What idiot would run drainage (probably raw sewage!) through a parking garage outside of a wall? And then protect it with a cage, which, although it is more expensive than the contents, is cheaper than repairing inadvertent damage I guess.

LOL - my word verification is "beers" that must mean it is Friday! :)

Chris said...

It likely is just simple floor drainage for the garage rather than sewage.

How sad is it that I saw that picture and immediately knew which garage that is?

Ben said...

hehe - it's funny, I'm with Chris on this one in all regards... I swear I've seen that pipe in that garage before... ANYway...

I'm a bit concerned, Richard, that you run to an argument like this without fully understanding the context or the risk. It's a bad practice in certain security circles, and endemic of someone who is too concerned about threats and vulnerabilities to realize that the value of the asset itself is just as important.

As Chris noted, it is likely just a floor drain, nothing nefarious. Moreover, I'd lay even odds that it was an add-on feature. Did you consider that this drain was added after completion of construction to address a more serious hazard or concern (pooling or dripping water)? What if it's actually addressing a greater risk, and its compromise represents a fairly minor risk? Seems like a reasonable trade-off.

Rather than jump off the deep end and run to a threat analysis, you really ought to be doing a full risk analysis, which means starting with understanding the context more fully. It's too easy to throw stones in a glass room otherwise.

Richard Bejtlich said...

Ben, feel free to do the "full risk analysis" then! This is a free blog and I reserve that level of effort for my employer.

Also, I didn't do a "threat analysis." That would mean analyzing the parties with the capabilities and intentions to exploit a vulnerability in an asset. Instead I thought in terms of attack models, where I imagined how this asset could be attacked.

I am also confident that it would be unacceptable for any of the attacks I listed to occur, regardless of any other "analysis" that is needed.

Anonymous said...

Threat? Attack? It's a drain pipe. The metal cage is to protect against cars accidentally backing into it. I don't think anyone considered defense of their drainpipe. Unless the local culture changed and suddenly busting drainpipes became the thing to do, there's no reason to go further. Those other attacks are just not likely.

Richard Bejtlich said...

Wow, so now we have answers ranging from "do a full risk analysis" to "it's just a drain pipe." This is a great post!

John Ward said...

Whoops... I wrote a response talking about poor design, then saw the first poster beat me to it :|

Graham said...

It's just a fun security brain exercise guys, come on now.

paul said...

Most of those issues could be solved by actually running the drain pipe on the outside of the building - though it might ruin the aesthetics.
Or, what if we run electricity through an open wire inside of it - it would deter potential users of metallic objects intent on damaging the pipe :)

Andrew Stephen said...

I think this is a great example of security doing what it should.

As many posters have pointed out, the pipe is probably carrying some type of waste water, with little or no value. The impact is limited to the cost and effort required to repair damage and clean up the mess.

The most likely threat is a clumsy driver hitting the pipe. I can't think of any other threat that is even remotely likely.

The control put in place by the building management is perfect - it acts as both a deterrent (I don't want my car to hit that!) and a preventative (Clunk!). It looks as though it was probably cheap to install.

As Richard says, there will already be detective controls in place - they're looking after people's cars for goodness sake.

Anonymous said...

This is a great example of engineers being engineers, waaaaaayyyyy overthinking things. I have a tree removal service, I charge engineers double, because I have to put up with them over analyzing every facet of what I do. Ha!