Attack Models in the Physical World

A few weeks ago I parked my Ford Explorer (It's not a clunker!!) in a parking garage. On the way out I walked by the pipe shown in the picture at left. It looks like a pipe for carrying a fluid (water maybe?) "protected" by a metal frame.

I think the purpose of the cage is pretty clear. It's deployed to prevent drivers from inadvertently ramming the pipe with their front or rear car bumpers. However, think of all the "attacks" for which it is completely unsuited. Here are the first five I could imagine.

  • Defacement, like painting obscenities on the pipe

  • Cutting the pipe with a saw

  • Melting the pipe with a flame

  • Cracking the pipe with a hammer

  • Stealing water by creating a hole and tube to fill a container


So what if any of these attacks were to happen? Detection and response are my first answers. There's likely a camera somewhere that could see me, my car, and the pipe. Cameras or bystanders are likely to record some detail that would cause the intruder to be identified and later apprehended. Other people in the parking garage are likely to tell someone in authority, or better still, take video or a photo of the intruder in action and then provide that to someone in authority.

So, we can all laugh at the metal cage around this pipe, but it's probably doing just what it needs to do, given the amount of resources available for "defense" and the detection and response "controls" available.

If the defensive posture changed, it would probably not be the result of a security person imagining different attack models against plastic pipes. In other words, it wouldn't be only "decide -> act". Rather, changes would be prompted by observed attacks against real infrastructure. We'd have the full "observe -> orient -> decide -> act" OODA loop. For example, some joker would be seen cutting the pipe using a saw, so patrols and cameras would be enhanced, and possibly wire mesh or plating would be added to the cage to slow down the attacker in time for responders to arrive.

Comments

Anonymous said…
Funny - when I saw the picture I thought you were going to talk about design failure and cobbling things together as an afterthought. What idiot would run drainage (probably raw sewage!) through a parking garage outside of a wall? And then protect it with a cage, which, although is more expensive than the contents, is cheaper than repairing inadvertent damage I guess.

LOL - my word verification is "beers" that must mean it is Friday! :)
8:13 AM
C said…
It likely is just simple floor drainage for the garage rather than sewage.

How sad is it that I saw that picture and immediately knew which garage that is?
11:38 AM
Richard Bejtlich said…
Ben, feel free to do the "full risk analysis" then! This is a free blog and I reserve that level of effort for my employer.

Also, I didn't do a "threat analysis." That would mean analyzing the parties with the capabilities and intentions to exploit a vulnerability in an asset. Instead I thought in terms of attack models, where I imagined how this asset could be attacked.

I am also confident that it would be unacceptable for any of the attacks I listed to occur, regardless of any other "analysis" that is needed.
11:59 AM
Anonymous said…
threat? Attack? it's a drain pipe. The metal cage is to protect against cars accidentally backing into it. I don't think anyone considered defense of their drainpipe. Unless the local culture changed and suddenly busting drainpipes became the thing to do, there's no reason to go further. Those other attacks are just not likely.
12:20 PM
Richard Bejtlich said…
Wow, so now we have answers ranging from "do a full risk analysis" to "it's just a drain pipe." This is a great post!
12:52 PM
John Ward said…
This comment has been removed by the author.
6:14 PM
John Ward said…
Whoops... I wrote a response talking about poor design, then saw the first poster beat me to it :|
6:15 PM
Graham said…
It's just a fun security brain exercise guys, come on now.
9:21 AM
Paul Poputa-Clean said…
Most of those issues could be solved by actually running the drain pipe on the outside of the building - though it might ruin the aestethics.
Or, what if we run electricity through an open wire inside of it - it would deter potential users of metallic objects intent on damaging the pipe :)
10:12 AM
Andrew Stephen said…
I think this is a great example of security doing what it should.

As many posters have pointed out, the pipe is probably carrying some type of waste water, with little or no value. The impact is limited to the cost and effort required to repair damage and clean up the mess.

The most likely threat is a clumsy driver hitting the pipe. I can't think of any other threat that is even remotely likely.

The control put in place by the building management is perfect - it acts as both a deterrent (I don't want my car to hit that!) and a preventative (Clunk!). It looks as though it was probably cheap to install.

As Richard says, there will already be detective controls in place - they're looking after people's cars for goodness sake.
6:35 PM
Anonymous said…
This is a great example of engineers being engineers, waaaaaayyyyy overthinking things. I have a tree removal service, I charge engineers double, because I have to put up with them over analyzing every facet of what I do. Ha!
8:10 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more