Kelly Engineering Analysis Scenario
Kelly Engineering Analysis: Global Engineering Analysis for the High Technology Industry
Abstract:
This scenario is designed to explore the issues of response technology
for information networks. The main goal of the scenario is to explore the
space of possibilities for response for a fairly typical medium-sized
computer network. This is done in several phases to reflect situations of
different intensity and to stress various aspects of the response space.
Time is limited in each move to foster idea generation - at the expense of
in-depth analysis - and to get people thinking in terms of a real-world
situation rather than abstract concepts.
Outline
- The Kelly Engineering Analysis Group
- Kelly's Global Information Network
- Cyber-Threats to Kelly
- The 1998 Vulnerability Study
- The Consequences of Attacks
- Some Detected Incidents
- We are starting to detect
- How do we respond?
The Kelly Group
The Kelly group's core business is engineering analysis for high
tech industry. From bridge design verification to circuit simulation to
molecular analysis, Kelly provides world-class analytical capabilities.
Over the past 25 years, Kelly has grown from a small start-up to a 25
billion dollar firm with satellite offices in 25 countries and more than
20,000 users.
Kelly's main information operations consist largely of feeding
huge design files from client systems into about 200 centralized design
verification systems. Collected data is analyzed by a set of major
interlinked data centers in the U.S. - primarily to find design flaws
and assess limitations of designs. There is also a substantial quantity
of video and computer aided design (CAD) conferencing with client
designers, and many small joint ventures with major clients and
competitors are connected to the Kelly network. Results of analysis are
typically passed back to clients as lists of flaws, and this normally
takes far less time and space than the collection and analysis process.
Kelly's global network consists largely of legacy systems
collected over the past 25 years. This includes just about every sort of
technology from its time. Large portions of the Kelly network are poorly
documented, and cost limits equipment upgrades, overhead for support, and so
forth. Big aging mainframe computers run age-old analysis code that was
custom built for those machines in their heyday, while new servers have been
added over time for all manner of functions - each a special case.
Almost every version of every operating system is in use at
Kelly, and because of the high cost, these systems are not updated for
security holes on an ongoing basis. It is all Kelly can do to keep most
of it working most of the time.
Kelly has a Network Operations Center (NOC) that provides
network control via off-the-shelf router control tools. There are about
2,500 routers, switches, hubs, and similar pieces of networking
equipment in use throughout the world in Kelly. While the NOC is tasked
with controlling the network and its switching and routing components,
servers are managed by business unit owners and other nodes are run by
individual users. There is no central response process, but reports can
be made to the NOC and will be forwarded by the NOC as they see fit.
All manner of telecommunications systems are in use, with a wide variety
of CPUs, embedded systems, networks, and generally any other information
technology that has ever been used is somewhere in Kelly. There is even
a small PDP-8 shop still running in Pittsburgh, and rumor has it that
card punches are still used for data entry in some countries.
Cyber-Threats to Kelly
As a result of a story in the Wall Street Journal about attacks
on computer networks, top management at Kelly recently sponsored a
threat assessment by a start-up corporate intelligence firm with several
ex-Air Force officers as principals. They found the following elements
of a threat environment:
- Multinational corporate intelligence was considered a serious
threat, especially from competitors (many of whom have access to Kelly
computers via joint ventures).
- State-sponsored intelligence and terrorists were considered
threats both from a standpoint of physical destruction of information
systems and infrastructure (in one case a whole country was cut off from
the network for almost a year due to civil unrest) and from a standpoint
of trying to exploit weaknesses in the Kelly network for intelligence
gathering (Kelly has some classified government contracts as we will see
below).
- Because Kelly uses information systems for billions of dollars of
financial transactions per year, insiders are considered a threat,
particularly from the point of view of financial theft or extortion.
- Planted corporate spies are a serious concern because a large
portion of Kelly's value lies in its information assets - particularly
its engineering analysis codes.
- Hackers and crackers from the Internet are considered a potential
threat largely because they have been in the media a lot lately and the
people doing the analysis figured they had to include it. Kelly does
use the Internet for much of its emerging low-bandwidth communications,
and doesn't know precisely what is and is not connected to where.
- Some of Kelly's analysis is for classified systems, and as a
result, high-grade threats apply to Kelly. The threat assessment didn't
specify this notion further.
The 1998 Vulnerability Study
A vulnerability study was done using another small startup firm
run by a guy who claims not to be an expert in information security (his
honesty was a large part of the reason he was chosen). This top-level
assessment showed the following results:
- Internal systems are vulnerable (the soft inside syndrome). In
essence, anyone who can gain access to any internal Kelly systems and
has access to tools from the Internet can easily take over large
portions of the Kelly network.
- Linkage to corporate partners is done via commercial off-the-shelf
(COTS) firewalls. While the configurations of these firewalls were not
verified, it is likely that there are some errors. The far more serious
limitation, however, is their lack of content controls and the fact that
they are used largely to transmit design files and other similar
information that contains executable content.
- It appears highly likely that there are unknown (to the team doing
the assessment) Internet connections from computers within Kelly.
Several connections were identified during the study, however, this
seems to be an ad-hoc list, and did not include possible connections
from users at desk-tops, cell-links, and connections that might run
through partners.
- Inter-site communications are pretty secure. They use dedicated
links and those links are encrypted with banking-quality encryption
devices (this was chosen because international legal requirements
allowed these systems to be used worldwide for Kelly's business).
- Inadequate funding and priority are given to meeting identified
security needs, but no major losses have been identified to date.
- It seems likely that Kelly would not be aware of attacks if they
were ongoing unless they created major losses. In combination with the
identified weaknesses and threat profiles, it seems likely that Kelly is
being attacked at some level and is unaware of it.
A strong desire was expressed by this firm to do a more in-depth
analysis because they suspected that there was ongoing criminal activity
within Kelly, but management decided not to do the follow-up because the
proposed cost was on the order of several hundred thousand dollars, and
because they did not really believe that any of Kelly's 20,000 global
employees could be disloyal to the company.
The Consequences of Attacks
An internal committee was asked to identify the possible
negative consequences of attacks against Kelly's information systems
without regard to the threats or the likelihood of events, and taking
into account everything from major global collapse (e.g., Y2K problems)
to local attacks by hackers from the Internet. They came up with the
following major concerns.
- Adverse publicity relating to large scale incidents at Kelly could
result in a loss of confidence by major clients who might transfer some
or much of their analysis business to competitors.
- Major information leaks could result in the total loss of federal
contracts which account for 25 percent of sales, and 50 percent of
pre-tax profits.
- In some cases, there is a potential for liability for deaths
resulting from major flaws in designs not found during analysis.
Examples include large chemical processing plants, bridges, nuclear
reactors, and so forth. Liabilities for some errors and omissions are
uninsurable and could run into the billion dollar range.
- Global service outages would cost on the order of 100M dollars per
day, most of which is not replaceable or reschedulable because Kelly
runs at or near capacity and because, when systems are down, workers
still get paid. It is estimated that 5 days of continuous outage would
essentially put Kelly out of business, and Kelly would likely never
recover from such an outage.
Some Detected Incidents
Over the past year or two, the following incidents have been
detected within Kelly, essentially as a result of individual effort by
select systems administrators and, in some cases, by dumb luck.
- At least one case has been found where the classified and
unclassified networks were cross-connected. This could have resulted in
the leakage of classified information, but inadequate audit information
was available to determine what damage, if any, actually occurred.
- A contractor violated need-to-know (NTK) access controls during
off-hours by dialing in to a co-worker's account. Since NTK is
considered discretionary, no disciplinary action was taken other than a
private discussion with a supervisor about proper behavior.
- In an audit examination of an AS/400 system, it was found that a
vice president always logged in correctly - something that no other user
seemed able to accomplish. Upon further examination, it was found that
the VP had encoded their password into their PC - which was not
otherwise password protected. The VP was gently asked to not do this
and compliance was verified by several subsequent failed login attempts.
- A contractor who was no longer assigned to work at Kelly continued
accessing Kelly systems over a period of time. This was eventually
detected on an audit and the contractor was notified that this was
inappropriate. No records of what they had done during these accesses
were available.
- There have been many incidents in client networks that are
connected to Kelly via the firewalls, but Kelly is not aware of any of
these affecting Kelly itself.
- An unauthorized Internet connection to the unclassified network
was detected by accident when a user showed a firewall administrator
that he could indeed go to an Internet pornography site
(http://www.whitehouse.com/) despite purported access controls.
- Some internal analysis tools were found at a hacker web site as
"warez" (illegal copies of software stored on Internet systems without
the knowledge or consent of the owners of those systems). The cause of
this was never traced.
- Computer viruses are found on a regular basis, even in the
classified network. In some cases, macro viruses are known to have
entered the facility via email through the firewalls, while in other
cases, floppy disks are suspected as the mode of transmission.
Some Additional Information
The following additional information has been provided by the
internal security committee at Kelly:
- Kelly is starting a program of intrusion detection using COTS
intrusion detection systems (IDS) and detections are starting to roll
in, but there are inadequate resources to deal with detections, most of
which have been found to be false positives. As a result, the systems
are currently tuned so as to limit the number of detections to the
number that can be investigated by the part-time efforts of systems
administrators who are running the IDSs as part of their other duties.
- It has been found financially infeasible to prevent insiders from
attacking Kelly. As a result, a corporate decision has been made to use
reactive defenses as the core method of internal information protection
at Kelly.
- Kelly is also moving toward switched technology (e.g., ATM) and
believes that this will help them mitigate much of the harm related to
current network attacks. Kelly is working with vendors to integrate
IDSs into their normal operating environment, but internal content
analysis seems to be very hard to do and it has become a stumbling point
for this technology.
- Kelly management has grudgingly budgeted $10M per year to this
effort. This is only 4 hundredths of one percent of total budget, but
management sees it as 1 percent of net and as having a negative return
on investment. It is unlikely to be funded further, and this is roughly
the same as the corporate physical security budget for major facilities.
Things to keep in mind
A major question to be addressed is how Kelly can cost
effectively respond to attacks rather than try to prevent them.
- Kelly now detects more than 100 items of interest per day.
- More detections are expected as IDS technology becomes more widely
used in Kelly.
- How does Kelly cull the wheat from the chaff in their response
process?
- Kelly believes they will detect 10,000 items of interest per day
worldwide in 2000.
- How does this culling process scale and distribute?
- How does the culled data get correlated to indicate the nature of the attack?
- How does Kelly respond when they think it's a real serious attack?
- What is the range of response options?
- What will work in the Kelly environment?
- How does Kelly keep costs as low as possible?
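The culling, scaling and correlation questions above are the core of the response problem the scenario poses: 100 items of interest per day can be eyeballed, 10,000 per day cannot. The following added example (not part of the scenario text, and not any Kelly system) shows one way a response process could collapse raw IDS detections into incidents, correlate them across sensors and sites, score them, and hand each site's administrators only as many incidents as they have capacity to investigate. Every sensor name, site, zone, signature, address and weight in it is constructed for illustration; the signature and zone weights stand in for the local knowledge an organization would build up from its own false-positive history.

```python
"""Alert culling, correlation and distribution over constructed IDS events.

Added example, not from the scenario. All names, addresses, signatures
and weights below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample detections (one per line) in a simple key=value format.
# The story they tell: a source fails logins against a classified host three
# times, the same source later scans a second site, and the classified host
# that was targeted then opens an outbound FTP session.
SAMPLE_ALERTS = """\
1999-03-01T02:10:05 site=pit sensor=ids-pit-1 src=10.4.7.22 dst=10.9.1.5 sig=login-failure zone=classified
1999-03-01T02:10:09 site=pit sensor=ids-pit-1 src=10.4.7.22 dst=10.9.1.5 sig=login-failure zone=classified
1999-03-01T02:10:14 site=pit sensor=ids-pit-1 src=10.4.7.22 dst=10.9.1.5 sig=login-failure zone=classified
1999-03-01T02:31:40 site=lon sensor=ids-lon-2 src=10.4.7.22 dst=10.22.3.8 sig=portscan zone=unclassified
1999-03-01T03:05:00 site=lon sensor=ids-lon-1 src=192.0.2.77 dst=10.22.0.4 sig=icmp-echo zone=unclassified
1999-03-01T03:05:01 site=lon sensor=ids-lon-1 src=192.0.2.77 dst=10.22.0.5 sig=icmp-echo zone=unclassified
1999-03-01T04:12:30 site=pit sensor=ids-pit-2 src=10.9.1.5 dst=198.51.100.9 sig=outbound-ftp zone=classified
1999-03-01T09:00:00 site=nyc sensor=ids-nyc-1 src=10.30.5.5 dst=10.30.5.1 sig=snmp-public zone=unclassified
"""

# Constructed weights: how much each signature and zone is worth on its own.
SIG_WEIGHT = {"login-failure": 3, "portscan": 4, "icmp-echo": 1, "outbound-ftp": 6, "snmp-public": 2}
ZONE_WEIGHT = {"classified": 5, "unclassified": 0}
# Signatures that local administrators have reviewed and found to be routine noise.
KNOWN_NOISE = {"icmp-echo"}


@dataclass
class Alert:
    ts: datetime
    site: str
    sensor: str
    src: str
    dst: str
    sig: str
    zone: str


@dataclass
class Incident:
    """Several raw alerts with the same (source, signature) close together in time."""
    src: str
    sig: str
    first: datetime
    last: datetime
    count: int = 0
    sites: set = field(default_factory=set)
    zones: set = field(default_factory=set)
    sensors: set = field(default_factory=set)
    dsts: set = field(default_factory=set)

    def absorb(self, a: Alert) -> None:
        self.last = max(self.last, a.ts)
        self.count += 1
        self.sites.add(a.site)
        self.zones.add(a.zone)
        self.sensors.add(a.sensor)
        self.dsts.add(a.dst)


def parse_alerts(text: str) -> list:
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        alerts.append(Alert(datetime.fromisoformat(ts_str), f["site"], f["sensor"],
                            f["src"], f["dst"], f["sig"], f["zone"]))
    return alerts


def cull(alerts: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Collapse repeats of the same (source, signature) inside `window` into one incident."""
    open_incidents, incidents = {}, []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.sig)
        inc = open_incidents.get(key)
        if inc is None or a.ts - inc.last > window:
            inc = Incident(a.src, a.sig, a.ts, a.ts)
            open_incidents[key] = inc
            incidents.append(inc)
        inc.absorb(a)
    return incidents


def score(inc: Incident, all_incidents: list) -> int:
    """Priority: signature and zone weight, volume, and correlation with other incidents."""
    s = SIG_WEIGHT.get(inc.sig, 2) + max(ZONE_WEIGHT.get(z, 0) for z in inc.zones)
    if inc.sig in KNOWN_NOISE:
        s -= 2
    if inc.count >= 3:
        s += 2
    others = [o for o in all_incidents if o is not inc]
    # Same source seen at a site other than this incident's own sites.
    if any(o.src == inc.src and o.sites - inc.sites for o in others):
        s += 4
    # Chain: this source was earlier the destination of another incident.
    if any(inc.src in o.dsts and o.first <= inc.first for o in others):
        s += 5
    return s


def triage(text: str, capacity: int) -> dict:
    """Return per-site work queues, each holding at most `capacity` top-ranked incidents."""
    incidents = cull(parse_alerts(text))
    ranked = sorted(((score(i, incidents), i) for i in incidents), key=lambda p: -p[0])
    queues = defaultdict(list)
    for s, inc in ranked:
        for site in inc.sites:
            if len(queues[site]) < capacity:
                queues[site].append((s, inc.sig, inc.src, inc.count))
    return dict(queues)


if __name__ == "__main__":
    for site, items in sorted(triage(SAMPLE_ALERTS, capacity=2).items()):
        print(site, items)
```

On the constructed input, eight raw detections collapse to five incidents, and the outbound FTP session from the classified host ranks above the login failures that targeted it, because the chain rule links the two; the ICMP noise at London drops out entirely once capacity is set to one per site. The weights are deliberately simple: the point is that culling, correlation and distribution are separable steps, each of which can be tuned against the site's own false-positive record rather than against vendor defaults.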
And then...
Specific scenario details associated with this background are unpublished
until the start of the strategic simulation/game.