Attack Models in the Physical World

A few weeks ago I parked my Ford Explorer (It's not a clunker!!) in a parking garage. On the way out I walked by the pipe shown in the picture at left. It looks like a pipe for carrying a fluid (water maybe?) "protected" by a metal frame.

I think the purpose of the cage is pretty clear. It's deployed to prevent drivers from inadvertently ramming the pipe with their front or rear car bumpers. However, think of all the "attacks" for which it is completely unsuited. Here are the first five I could imagine.

  • Defacement, like painting obscenities on the pipe

  • Cutting the pipe with a saw

  • Melting the pipe with a flame

  • Cracking the pipe with a hammer

  • Stealing water by creating a hole and tube to fill a container

So what if any of these attacks were to happen? Detection and response are my first answers. There's likely a camera somewhere that could see me, my car, and the pipe. Cameras or bystanders are likely to record some detail that would cause the intruder to be identified and later apprehended. Other people in the parking garage are likely to tell someone in authority, or better still, take video or a photo of the intruder in action and then provide that to someone in authority.

So, we can all laugh at the metal cage around this pipe, but it's probably doing just what it needs to do, given the amount of resources available for "defense" and the detection and response "controls" available.

If the defensive posture changed, it would probably not be the result of a security person imagining different attack models against plastic pipes. In other words, it wouldn't be only "decide -> act". Rather, changes would be prompted by observed attacks against real infrastructure. We'd have the full "observe -> orient -> decide -> act" OODA loop. For example, some joker would be seen cutting the pipe using a saw, so patrols and cameras would be enhanced, and possibly wire mesh or plating would be added to the cage to slow down the attacker in time for responders to arrive.


Anonymous said…
Funny - when I saw the picture I thought you were going to talk about design failure and cobbling things together as an afterthought. What idiot would run drainage (probably raw sewage!) through a parking garage outside of a wall? And then protect it with a cage, which, although more expensive than the contents, is cheaper than repairing inadvertent damage I guess.

LOL - my word verification is "beers" that must mean it is Friday! :)
C said…
It likely is just simple floor drainage for the garage rather than sewage.

How sad is it that I saw that picture and immediately knew which garage that is?
Ben, feel free to do the "full risk analysis" then! This is a free blog and I reserve that level of effort for my employer.

Also, I didn't do a "threat analysis." That would mean analyzing the parties with the capabilities and intentions to exploit a vulnerability in an asset. Instead I thought in terms of attack models, where I imagined how this asset could be attacked.

I am also confident that it would be unacceptable for any of the attacks I listed to occur, regardless of any other "analysis" that is needed.
Anonymous said…
Threat? Attack? It's a drain pipe. The metal cage is to protect against cars accidentally backing into it. I don't think anyone considered defense of their drainpipe. Unless the local culture changed and suddenly busting drainpipes became the thing to do, there's no reason to go further. Those other attacks are just not likely.
Wow, so now we have answers ranging from "do a full risk analysis" to "it's just a drain pipe." This is a great post!
John Ward said…
Whoops... I wrote a response talking about poor design, then saw the first poster beat me to it :|
Graham said…
It's just a fun security brain exercise guys, come on now.
Most of those issues could be solved by actually running the drain pipe on the outside of the building - though it might ruin the aesthetics.
Or, what if we run electricity through an open wire inside of it - it would deter potential users of metallic objects intent on damaging the pipe :)
Andrew Stephen said…
I think this is a great example of security doing what it should.

As many posters have pointed out, the pipe is probably carrying some type of waste water, with little or no value. The impact is limited to the cost and effort required to repair damage and clean up the mess.

The most likely threat is a clumsy driver hitting the pipe. I can't think of any other threat that is even remotely likely.

The control put in place by the building management is perfect - it acts as both a deterrent (I don't want my car to hit that!) and a preventative (Clunk!). It looks as though it was probably cheap to install.

As Richard says, there will already be detective controls in place - they're looking after people's cars for goodness sake.
Anonymous said…
This is a great example of engineers being engineers, waaaaaayyyyy overthinking things. I have a tree removal service, I charge engineers double, because I have to put up with them over analyzing every facet of what I do. Ha!
