Chapter 8

Biometric Authentication for SCADA Security

Ted Claypoole is a Member of the law firm Womble Carlyle Sandridge and Rice, in Charlotte, North Carolina, in the Intellectual Property Transaction group, and a senior member of its Privacy and Data Management Team. He has long concentrated on the business and legal implications of information security and computer crime, first as in-house corporate counsel for CompuServe, Inc. and as assistant general counsel for Bank of America. He now advises business clients and information security companies on contracting for data protection, allocating risk in digital certificate infrastructures and reacting to electronic threats. He has served on a U.S. Justice Department computer crimes task force and the Information Protection Committee for the Banking Industry Technology Secretariat. He has presented talks at the RSA Security Conferences in 2007 and 2008, including a talk on the ethics of pervasive biometrics.

Introduction

Securing the critical infrastructure in the United States requires authentication of people authorized to access the critical systems. These controls can regulate personal access to the physical sites housing the power stations, water facilities, or gas lines encompassing the critical infrastructure, or they may regulate access to either the remote or centralized systems comprising the SCADA networks. Limiting access to authorized personnel has been a cornerstone of infrastructure security since its inception.

Technology now exists to tie the authentication of authorized individuals (and the exclusion of unauthorized people) directly to the physical being of the people seeking access. This is managed through a process called biometric security, which measures some physical aspect of any person seeking access to a sensitive element and reconfirms that physical aspect at the time access is requested. The biometric system may measure a person’s fingerprints, finger length and shape, head shape or facial features – any one or more of an infinite number of human body features – to confirm whether that person is the same one who has previously received authorization to enter the sensitive computer system or restricted area.

However, biometric technology is not a panacea for authentication and access issues. Like most security solutions, biometrics are appropriate solutions for some security problems and inappropriate answers to others. In addition, biometric authentication produces technical, business, social, and legal problems. Companies using biometrics must build additional security into their systems to protect the authorization databases and understand that such systems can provide strong authentication, but not infallibility.

WARNING

What is your fall-back authentication method? Biometric systems may deny access to authorized technicians. Your company must create a trusted method of confirming identity if the biometric system fails to do so.

This chapter will analyze biometric systems as they relate to critical infrastructure protection and SCADA security and discuss how the functioning and weaknesses of biometric systems affect their use to authenticate access to secure systems and locations. It will review vulnerabilities in biometric authentication and issues in system implementation. Finally, the chapter includes a discussion of the social and legal concerns surrounding the use of biometric identifiers for security purposes.

Understanding Biometric Systems and How They Are Best Used for SCADA Security

Biometric analysis is growing as a protection tool. Distance measurements of faces and voices are regular features of identification and authentication in banks and casinos throughout the United States. Law enforcement has used biometric readings for decades, but their utility as a tool against criminals is growing as the science of body measurement is better understood and the variety of distinct measurements grows.

Footprints to DNA Readings

From the footprint analysis by Scotland Yard more than a century ago to DNA capture and comparison in today’s crime labs, biometrics has become increasingly important to the police. A Japanese company has begun selling a urinal to businesses that measures chemical levels in the liquid deposits so that those businesses can monitor employee drug use. Australia is using biometrics for an e-passport system.

Human Measurements Can Slow Machines

Security architects are finding biometrics useful in identifying and authorizing access to networks, computer terminals, and secure facilities. However, biometric technology is not a panacea for protecting valuable systems, and its shortcomings are especially noticeable when used for SCADA security. Most connections, instructions, and messages within the operational structure of SCADA systems must be made at nearly instantaneous speed, whereas the operational function of biometric comparisons is relatively slow. Use of biometrics to trigger operational responses or to provide answers within a SCADA system would be too slow to be productive.

Biometric comparisons work best for identifying human users of a system, authenticating the access rights and responsibilities of those users, and providing records of access and records for non-repudiation purposes. Therefore, in SCADA systems, biometric tools are best utilized to confirm human authentication to access the central systems and to permit and record human access to physical facilities, whether those facilities hold the central processing capabilities or lie in the most remote outpost of the protected system.

Biometric System Imperfections Are at Odds with Perception

Once biometric systems are installed, they still can be problematic. No system is infallible and biometric systems can fail in many directions. Many of these systems can be tricked at various points in the collection and comparison process. The system itself may be poorly installed or metrics may be chosen badly. The biometric readers may fail or the initial collections could be flawed. Temperature, humidity, precipitation, and dirt may affect the accuracy of readers.

Unfortunately, some commentators have assumed that a system that measures human features will provide the best possible security for facilities and networks. In truth, the complexity at which biometric systems operate can undercut their accuracy and utility for many important locations and functions of SCADA security. Choose and implement carefully if you plan to use biometrics in your SCADA system. Biometric comparisons could be a dream solution to your authentication problems, or they could create a nightmare of additional work and security issues.

TIP

Training and education are vital to successful implementation of a biometric authentication program within your SCADA security system. Employees, contractors, and executives are likely to hold misperceptions about biometric capture and analysis and may resist its implementation. Furthermore, people seeking access must be trained in the effective methods of offering biometric samples and the back-up procedures for when they are unable to be authenticated within the system.

What is Biometric Authentication?

Personal authentication is necessary to establish that the person operating a network or entering a secure facility has authority to do so. Authentication regimes tend to rely on the person seeking authentication to provide a token of proof to establish identity and permission. These tokens are called identity factors, and the more factors that are offered to establish identity, the greater the likelihood that the person claiming authorized access is truly the person he or she claims to be.

Multiple Factor Authentication

Most current security systems require one or more of the following factors. They will require that you demonstrate something you know (like a password), something you hold (like an identity card or an encryption token), or something you are (like a signature or a comparative picture). Other factors can include time of system entry and precise global location. For example, your bank requires two-factor identification for you to remove money from your own account at an automatic teller machine; the machine requires a card that you are holding and a personal identification number that you know. However, inside the bank, you may be required to offer two different factors of identity: a thumbprint along with your government-issued identification card for cashing certain kinds of checks.

What Parts of You Can Be Measured for Security Purposes?

Biometric systems measure “something you are” and compare it against an earlier sample of the same measurement. Your written signature is considered to be a biometric measurement because the way you write is a physical feature that is relatively unique and can be compared and evaluated to past samples. A state driver’s license contains an old-school biometric identifier – a picture of your face. Certain biometric samples must be offered voluntarily by the person wishing to gain access into a system. Fingerprints, hand geometry, and retinal or iris scans fall into this category and are the most likely to be used as part of a security system. Some biometric measurements like your face or your voice can be taken from a distance. This type of public biometric is used by law enforcement but is generally not part of biometric authentication systems.

Common Measurements for Current Biometric Authentication

The most common biometric security systems for unlocking computer systems and secure facilities compare fingerprints or other hand measurements. These systems require a person being measured or identified to press his or her finger against the reader. Some of these systems record and measure the veins beneath the skin on fingers and hands, either as a primary biometric measurement or as an affirmation of viability, so that the systems are less likely to be fooled. Similarly, some of the biometric security systems that use eye measurements require a close reading of the eyes, either for retinal vein patterns or for iris patterns. Sanitation of readers can be a significant issue when several people are required to authenticate themselves by pressing against readers.

How Does Biometric Comparison Work?

Biometric authentication tools are complicated systems that require detailed set-up and ongoing monitoring. A biometric check is not a simple “yes or no” answer like some other methods of security analysis. For example, when an automated teller machine requests a personal identification number, you either know the number and enter it correctly or you do not. If not, the security function refuses your entry. By contrast, in biometric analysis, the system first takes a sample of the biometric feature that the system administrator has chosen to measure. For the purposes of this example, we will assume that the system is capturing fingerprints.

Rather than an easily identifiable “yes or no” variable like the personal identification number, the biometric fingerprint reading system either captures a full picture of the fingerprint or it captures points of minutiae, which are a number of points of detail on the curves and lines on the print. Nearly all biometric systems will request several initial samples so that a clean sample can be obtained and validated. Later, when a person wishes to be authenticated under the biometric regime, he or she provides a fingerprint to the reader, which captures the print and compares it to the samples captured earlier. If the system finds the authentication sample matches the initial sample within acceptable parameters, then the person is authenticated by the system and allowed access to the protected network or facility.

Because biometric regimes operate by comparing samples and those samples often are provided on different capture devices under different conditions, the administrator of a biometric system must choose the parameters of comparison between the original (or “reference”) sample and the access sample. The fingerprint match may be considered complete if the authentication sample demonstrates twenty points of similarity with the original sample or maybe only ten points of similarity.

This raises the question of why all biometric systems are not organized and calibrated to establish the greatest functional degree of certainty that the person who is asking to be authenticated is truly the person who offered the initial sample held in the biometric system’s memory. The short answer to this question is that the calibration of biometric systems tends to mark a compromise between strong authentication capabilities and practical considerations. The stronger and more difficult the authentication, the more likely that the system will keep appropriately authorized people from accessing secure facilities or equipment, therefore causing difficult and sometimes expensive work-arounds and alternative access procedures.

NOTE

How perfect do you need to be? Biometric capture programs allow a wide range of choices in determining the amount of detail measured and the amount of similarities in comparative samples before the system declares a match.

These parameters are often calibrated to minimize false positive matches, in which case the parameters are tightly defined so fewer matches can occur, or to minimize false negative matches, in which case the parameters allow more leeway in matching samples. Biometric systems that authenticate consumers in financial transactions tend to be loosely calibrated, allowing more variation in the authentication sample to be considered matches of the reference sample. This is because consumers have demonstrated little or no tolerance for false negatives. Consumers will not tolerate seeing their real fingerprints rejected when matched to reference samples.

Biometric captures and comparisons are not perfect and can be stymied by variations in the angle that a finger is offered to the capture device, variations in dirt or injury to the finger, or even inherent variations in the capture devices themselves. Consumers will rebel against a system that repeatedly holds up the speed of their transactions. And if consumers will no longer use their biometric authentication, then the company installing the system has lost customers and the significant money it takes to purchase, install, and train workers on a biometric identification regime. Therefore, companies using biometric systems for lower-level financial transactions tend to be willing to allow the risk of more false-positive matches so that they minimize the possibility of false-negatives.

By contrast, SCADA systems and other protections of vital infrastructure and facilities tend to organize their biometric system so that they minimize false positive readings. The risks of allowing intruders are greater in this case than the risks of an authorized person being forced to call in the supervisor or system administrator and achieve authorization in a more personal and time-and-resource-intensive manner.
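The calibration trade-off described above, as an added example that is not part of the original chapter: it sweeps the required number of matching minutiae points over constructed comparison scores and picks one threshold for a SCADA-style policy (cap false positives) and one for a consumer-style policy (cap false negatives). The score lists, function names, and target rates are assumptions made for illustration.

```python
"""Added example: calibrating a minutiae-match threshold on constructed data."""

# Constructed sample data (not from the chapter): the number of matching
# minutiae points a hypothetical fingerprint matcher reported per attempt.
# GENUINE = authorized person vs. own reference sample.
# IMPOSTOR = someone else's finger vs. that reference sample.
GENUINE_SCORES = [24, 22, 19, 27, 18, 21, 15, 23, 12, 20,
                  25, 17, 22, 9, 26, 19, 21, 16, 23, 20]
IMPOSTOR_SCORES = [3, 5, 8, 2, 11, 6, 4, 9, 7, 13,
                   5, 3, 10, 6, 14, 4, 8, 2, 7, 16]


def error_rates(threshold, genuine, impostor):
    """Return (false_accept_rate, false_reject_rate).

    A comparison is declared a match when score >= threshold.
    False accept (false positive): an impostor attempt that matches.
    False reject (false negative): a genuine attempt that does not match.
    """
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor):
    """Evaluate every candidate threshold from 0 to one above the top score."""
    top = max(max(genuine), max(impostor)) + 1
    return [(t, *error_rates(t, genuine, impostor)) for t in range(top + 1)]


def calibrate_for_security(genuine, impostor, max_far):
    """SCADA-style policy: cap false accepts, then reject as few
    authorized people as possible.

    The false accept rate never rises as the threshold rises, so the
    lowest threshold that meets the cap also has the lowest false
    reject rate among all thresholds that meet it.
    """
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    return None  # unreachable for max_far >= 0: the top threshold has FAR 0


def calibrate_for_convenience(genuine, impostor, max_frr):
    """Consumer-style policy: cap false rejects, then admit as few
    impostors as possible (the highest threshold that meets the cap)."""
    best = None
    for t, far, frr in sweep(genuine, impostor):
        if frr <= max_frr:
            best = (t, far, frr)
    return best  # None only if max_frr is negative


if __name__ == "__main__":
    # The chapter's two illustrative settings: ten or twenty matching points.
    for points in (10, 20):
        far, frr = error_rates(points, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"{points} points: false accepts {far:.0%}, false rejects {frr:.0%}")

    t, far, frr = calibrate_for_security(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    print(f"SCADA-style:    require {t} points "
          f"(false accepts {far:.0%}, false rejects {frr:.0%})")

    t, far, frr = calibrate_for_convenience(GENUINE_SCORES, IMPOSTOR_SCORES, 0.05)
    print(f"consumer-style: require {t} points "
          f"(false accepts {far:.0%}, false rejects {frr:.0%})")
```

The false reject rate at the chosen SCADA-style threshold is the share of authorized attempts that will need the fall-back identity procedure, which is the figure to size that procedure against.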

It would be a mistake to think of biometric authentication regimes as simple toggle systems with no allowance for variation. In fact, these regimes are complicated in their structure and intricate in their application. The SCADA manager choosing such biometric authentication must be prepared to spend resources not only on equipment and software, but also on protecting the connectivity between the various parts of the biometric capture and comparison infrastructures, on training the affected employees and contractors to correctly use the system, and on regular monitoring and calibration to assure the system works efficiently for its chosen purpose.

Where Are Biometrics Used in SCADA Systems?

No matter how advanced our technology, managing security for critical infrastructure always entails human contact. Whether it involves water systems, power grids, pharmaceutical manufacturing, or oil and gas, humans manage, maintain, and repair various parts of the system and control the overall network. Wherever humans must access the system, there lies an opportunity to use biometric authentication.

There are portions of SCADA security that are generally inappropriate for use of biometric readers. For example, any imposition of an additional review or authentication step within the internal readings and operations of SCADA systems would be likely to impede the progress of the automated checking system. Therefore, SCADA systems would not insert biometric readers, or any other human authentication step, into the automated checking process between the centralized control system and outlying objects being measured, monitored, and controlled. Furthermore, equipment or valve monitoring and control, or any other system that reads and reviews outlying and remote portions of the SCADA architecture, is unlikely to benefit from biometric authentication devices.

Instead, the parts of a SCADA system most likely to productively use this technology include any and all access points for human intervention in the SCADA world. This can include access to facilities or computers in the central SCADA control room where the operator of a critical infrastructure must regulate access so that only those people with authority to act as system managers can reach the controls. Similarly, the remote portions of critical infrastructure, whether pipelines, switching stations, or transformers, may have biometric readers placed on them for access control and accurate records. System operators are not only interested in stopping unauthorized parties from reaching the remote ends of critical systems, but also in recording each time someone reaches the system. Biometric readers provide an audit trail that is difficult to refute.

TIP

Your company’s auditors can be your best friend in securing funding for implementation of biometric authentication equipment and software. Biometric systems provide a high level of recordation and auditing certainty when your company finds it important to establish who has accessed secure facilities at particular times. Ask the auditors for support in demonstrating the system’s advantages to senior management.

Choosing the Best Form of Measurement for Your System

The human body contains thousands of possible measuring points, and many of these are already used by companies for identification and authentication purposes. This portion of the chapter discusses the various available measuring methods and provides a method of analysis to determine the best measurement tool for your system. In the end, commercial considerations may ultimately control your choice, as some methods of physical analysis are available in a more cost effective format than others.

Another principal consideration may be whether the biometric measurement you choose for your system is in use by or familiar to another entity. In other words, industry or the government may reach a consensus that entire hand prints or the geometry of three fingers are the standard measurement for confirming the identities of people in certain situations. At the moment, no such standards exist. However, your decision to use a certain biometric system in your own security architecture may be influenced by the choice of industry standards or by the selection of biometric systems used by your customers, your regulatory agencies, or other portions of your own company.

Biometric Measurements Trigger Recognition

We have always identified each other from physical characteristics. You know your father is on the telephone because you recognize his voice. You hear your boss’s distinctive walk from down the hall and quickly try to look busy. You recognize a friend from a distance by the way he stands. A person’s whole face is the most common biometric identifier and is the one used for official identification; however, even facial recognition has its limitations. Readings depend on the light and the angle of recording, and changes in features like hair loss or facial hair can sometimes trick facial recognition systems.

Famously, the United States Federal Bureau of Investigation (FBI) used facial recognition software to attempt to identify and catch criminals at the Super Bowl in Tampa, Florida, but was relatively unsuccessful in its attempts. However, it was using the technology in a different manner than your company would be if it attempted face recognition as a biometric identifier. The FBI was comparing the faces captured at certain access points in the Super Bowl to a broad database of tens of thousands of facial records and hoping to find a match.

Your company, by contrast, is likely to have the easier task of comparing a face captured in a controlled environment with a database of only a few authorized individuals to make a positive match. Your company will have the advantage of taking the first face picture in the same light and angle as the comparative sample, making a positive match more reliable and a false negative match unlikely.

Biometric Measurements Useful in SCADA Security Processes

Clearly the most accurate biometric measurement for truly identifying a person would be DNA sampling. However, most of us are queasy about providing this level of intimacy and this type of information to anyone. Once recorded for security purposes, DNA records could be used to investigate health risk and even propensities for alcoholism or other physical traits that relate to behaviors.

In addition, taking an accurate DNA sample can be an onerous process involving bodily fluids, skin scraping, or the removal of live hair follicles. The comparison can be expensive and time consuming, making DNA analysis impractical for most biometric security functions, such as permitting or denying access to secure facilities. Finally, your company is unlikely to need the incredibly high level of personal identification and authentication accuracy provided by DNA testing.

For the standard reasons that biometric authentication is used with SCADA systems, a company will not use a body measurement that is not readily readable when an employee is dressed for work. Therefore, it is likely that your company would use a biometric measurement that is taken from the hand, face, or voice.

Voice analysis generally involves the repetition of certain words and comparing them against the same words recorded earlier by the authorized person. Voice systems are not as accurate as some other measurements; some voice systems can be tricked by a good recording. But voice samples are easy to provide, are non-invasive, and can even allow telephone authentications.

Biometric comparisons have been taken of hand measurements for a century. Fingerprints are the most well-known measuring source because of their unique nature and the fact that they are easy to harvest from the subject. Fingerprint readers are commonly available in consumer situations, and fingerprints are being used by the United States Army in Iraq and by the United States Immigration Service at our borders.

Another easy hand biometric measures the geometry of blood vessels in the proffered finger. These vessels lie just beneath the skin’s surface and are unique to an individual. Capturing the measurements of sub-surface blood flow also provides the advantage of viability confirmation.

In other words, a finger severed from its original owner doesn’t lose its skin print of swirls and loops, but it does lose its blood flow, so measuring active sub-surface blood vessels of the finger confirms that the person seeking to be authenticated is the live owner of that finger. Another hand measurement currently in commercial use is hand geometry, an analysis of the size of a subject’s hand and the relation of fingers and thumb to each other and to the rest of the hand.

Disney theme parks are currently using a hand geometry biometric system to confirm the identity of ticket holders for admission to the parks. From palm lines to knuckle shapes, the hand provides several measurable, unvarying attributes that can be used as a basis for biometric authentication systems.

Similarly, the face offers a number of ready samples of unvarying, measurable features to be used in biometric authentication. One of the most common examples is the iris scan, which analyzes the colored tissue surrounding the pupil in a person’s eye and allows for over 200 points of comparison. Like fingerprints, iris patterns are set at birth and will not vary during an individual’s life.

Another option is retinal scans, which take photographic measurements of the blood vessel patterns in the back of the subject’s eye. Retinal scan technology requires a user to remove glasses, position the eye close to the measuring device, and then focus on a specific point. Retinal images are especially difficult to fake because anyone trying to fool the system would not find it easy to capture the retinal reading of another person. The high cost of proprietary hardware for retinal scans makes this an impractical measuring system for many applications. Other biometrics above the neck include facial geometry and ear shape analysis.

Identify Your System Priorities Before Choosing a Biometric Application

Choosing a biometric reader should be a function of your company’s priorities and the reader’s function in the SCADA system. Is your company’s most significant priority convenience of the biometric capture when a person requests system authorization? Many companies are concerned that the capture of biometric samples will slow access to vital facilities for repair and control functions; they therefore wish to find a system that, once implemented, can quickly and simply pass people through to their authorized destination.

You can imagine that, noting an emergency in the water treatment facility, company management would not want its authorized employees to waste time in accessing the facilities that need immediate repair or analysis. In this case, any biometric reading that forces its subjects to hold still for several seconds would be problematic. Retinal capture is clearly not the best solution.

In this instance, it may be best for your company to capture the biometric reading from a distance. If so, then fingerprints or iris scans would be impossible and you should consider voice recognition or facial geometry software. The biometric sample comparison settings in this type of situation would probably allow significant variation between the original sample and the access sample, so that the system would be unlikely to render false negative readings.

Conversely, your company’s priorities may run toward the highest level of security possible for access to controls in a nuclear facility, leading your company to choose a biometric authentication process that minimizes the possibility of false positive readings. Your business would therefore select a system and sample readers that are least likely to be fooled by a terrorist attempting entry to the secure facility, and you would be willing to trade speed of access for certainty of authorization. In this case, a retinal scanning system may be the best match for access control, while distance face readers would not be.

Always remember that the biometric authentication is used as part of a larger, more complex system. If your company plans to implement an intense security regime, it could always measure different sets of biometrics at different locations. For example, it could use voice recognition to enter the facility, while requiring retinal scans at the door to the control room or fingerprint readers to access the control computers.

Of course, your company’s priorities in choosing biometric measurements may be driven by entirely administrative concerns, such as cost, available equipment, ease of implementation, the need for simplicity, or problematic environmental issues. No company can brag of limitless resources.

While many organizations aspire to implement the best possible security solutions, they may have the resources only for the lower-cost solutions. In addition, an enterprise looking to purchase a biometric authorization function for its SCADA security regime can choose only from the solutions available at the time from reputable vendors. Creating new hardware and software is likely to be economically impossible, therefore restricting choices to those available within a company’s price range.

Often, tried and true methods like fingerprint analysis may be the best solution. They can provide a high level of security while using equipment that has been tested in other environments.

Biometric technology is often viewed as a cutting edge solution, and people who ride the cutting edge are frequently hurt. They may suffer because the technology is untested and does not work as well as everyone had hoped. They may suffer because the technology is overly complex and does not integrate well into a SCADA security system. They may suffer because the technology is not easy to use and the company employees are constantly denied the access they need. The most valuable and practical decision may involve choosing a system that can demonstrate years of predictable behavior and that is understood by all participants.

The company must also consider where and how the biometric readers will be used in the overall security system. Important considerations for allowing access to SCADA security facility and systems can include how the biometric components work within the system. Where are the readers placed and how are they monitored? Will the person seeking access be likely to be carrying papers or tools and therefore not be able to offer free hands to the system? Then an eye or ear scanner or voice recognition system may be the best choice.

If the reader is installed in an outdoor environment, how will the equipment and the test subject be affected by the weather? An oil industry technician seeking access to a pipeline facility north of the Arctic Circle should not be expected to remove his gloves and expose his hands when the temperature may be 50 degrees below zero. A power company technician attempting to reach a switching station during a hurricane should not be expected to hold still long enough for retinal scanners to confirm his identity.

Voices can be muffled and overridden in busy sites or by high winds on the open plains. The human element is not the only vulnerable variable when reading biometric signs outdoors. Biometric readers placed outside and exposed to the elements cannot be expected to continually function unaffected by their environment, whether those elements are excessive heat, cold, moisture, or corrosion.

When selecting the type of biometric measurement that your company will capture, all of the company’s priorities must be considered and weighed against the administrative realities of the SCADA system that your company is protecting and the budget that is available to spend. However, whether you decide to measure eyes, ears, faces, hands, or voices, the decision should match the objectives of your security system. Map your company’s SCADA security priorities to the strengths and weaknesses of the many biometric capture options. Biometric security capture devices offer several choices to match the human authentication needs of any SCADA infrastructure.

Where are Biometric Authentication Regimes Vulnerable?

Biometric authentication systems have several points of vulnerability. This chapter does not address vulnerabilities common to any SCADA security system, like brute force attacks with a fire ax on the door of a secure facility or attempts to disable a system so that its backup methods can be exploited. While these may be common methods of attacking a SCADA security regime, this chapter will only examine those vulnerabilities unique to or characteristic of SCADA systems with biometric components. These include both physical attacks that attempt to replicate biometric impressions and software attacks that require sophistication in computer and database management.

Tricking the Biometric Capture Device

The most commonly considered access point to compromise a biometric system would be at the end reader. This is the point most easily accessible to any scammer and the closest point to the target. In other words, if the scammer seeking access to a secure facility knew a specific person who was authorized to access the facility (and whose biometric comparative data was stored for authentication purposes), then the scammer could attempt to steal or mimic the biometric reading that would pass comparison. If the scammer knew that the system required fingerprint access, he could try to recreate the fingerprint of the authorized person and offer it for comparison at the capture site.

Using complicated tools and resins to pick up, reverse, and resubmit a person’s fingerprint to the biometric reader without the person being present is the science fiction method of Mission Impossible or CSI. Other methods of tricking the reader could include removing the finger that is needed for authentication or simply bringing the authorized person to the access point under duress and forcing him to proffer his print to be authenticated. A Japanese researcher made headlines when he demonstrated a method of scamming a certain brand of fingerprint reader using gummi bears to capture and offer the authenticating print.

Notes from the Underground…

How Gummi Bears Defeat Fingerprint Scanners

Japanese cryptographer Tsutomu Matsumoto of Yokohama National University published his findings on how fingerprint recognition scanners were fooled eighty percent of the time using a molded finger made of gelatine. Matsumoto removed latent fingerprints from a glass, enhanced the print with fumes from Super Glue, and then photographed the prints with a digital camera. He used Photoshop software to further enhance the contrast of the fingerprint image, and he printed the enhanced photo onto a transparency sheet with an inkjet printer. To finish the process, Matsumoto used the printed transparency to etch the fingerprint into copper and pressed it into a gelatine finger mold. He was able to achieve the same effect by pressing a live finger into a mold and creating a gelatine finger from the mold.

Security expert Bruce Schneier addressed this revelation in his May 15, 2002, Crypto-Gram Newsletter, stating, “Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.” Schneier also reminds security administrators to be wary of the overblown “unbreakable security” claims of biometric scan manufacturers.

Clearly, biometric readers that include viability confirmation, like eye scanners that shift light ranges and measure for pupil dilation or finger scanners that read for blood flow beneath the skin’s surface, are harder to fool by some of these methods. Similarly, certain voice capture systems include various tactics designed to thwart scammers using voice recordings to beat the system. Capture units that read internal measurements, like blood vessel patterns in the eye, hand, or earlobe, are much more difficult to beat, because capturing or even perceiving the biometric reading would take more than just a bold spirit and a few simple tools. Copying it would be nearly impossible.

Electronic Manipulation of the Authentication Process

This leads to the next point of vulnerability in biometric authentication: electronic sample or database manipulation. Up to this point, we have been discussing methods of faking or reproducing biometric samples. However, these security systems are ultimately networked computers that compare an electronic sample against a database.

Biometric authentication systems are based on comparisons of one electronic file (representing an original sample measurement of the person’s physical characteristic) with a second electronic file (also representing a measurement of a person’s same physical characteristic). A smart criminal with computer experience and access to the system could trick the system into fooling itself by suggesting that the files containing mismatched biometric samples actually match. Thus, rather than attempting to copy or spoof a real biometric measurement, a scammer’s best method of tricking the system may be to manipulate the electronics so that the computer perceives an electronic match when none exists.

This effect could be managed by building a loop inside the database so that the system software either compares the authorization sample with an exact duplicate of the same file or conversely compares the initial test sample against an exact duplicate of itself. The system would register an authorized sample whether or not one existed, allowing system or facility access to an unauthorized person.

Another method of tricking the system would be to short circuit the reader so that every file looked like a match. A long time might pass before SCADA systems administrators would recognize that the remote reader at the door of the secure room was never turning away any person who asked for authorization. In most cases, only people who are authorized would request to be confirmed by the biometric capture device, meaning that it would not be out of the ordinary for the system to proceed for days or even weeks without denying access to anyone.

If the system administrator trusted the software, then this hack could allow repeated access to the secure facility without system denial. Similarly, the database of initial biometric samples could become compromised if a criminal found a way to bypass the entire database and send a message of affirmative match every time a person offered a biometric sample to the capture devices.
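One way to catch the always-accept reader described above is sketched below as an added example; it is not from the book or from any vendor's product. It assumes a hypothetical log of (reader, subject, decision) events, an assumed 2% false-reject rate for a healthy reader, and scheduled "CANARY" tests that present a sample enrolled nowhere.

```python
import math
from collections import defaultdict

def streak_limit(frr, alpha):
    """Smallest N for which N straight accepts has probability below alpha
    on a healthy reader whose false-reject rate is frr: (1 - frr)**N < alpha."""
    return math.ceil(math.log(alpha) / math.log(1.0 - frr))

def audit_readers(events, frr=0.02, alpha=0.001):
    """events: iterable of (reader_id, subject, decision) in time order.
    Returns {reader_id: reason} for readers that look unable to deny."""
    limit = streak_limit(frr, alpha)
    streak = defaultdict(int)
    findings = {}
    for reader, subject, decision in events:
        if decision == "DENY":
            streak[reader] = 0  # the deny path demonstrably still works
            continue
        if subject == "CANARY":
            # A sample that is enrolled nowhere was accepted: hard evidence.
            findings[reader] = "accepted canary sample that is not enrolled"
            continue
        streak[reader] += 1
        if streak[reader] >= limit and reader not in findings:
            findings[reader] = (
                f"{limit} consecutive accepts, expected a false reject by now"
            )
    return findings

def constructed_events():
    """Constructed sample log for illustration, not real data."""
    ev = []
    # door-A: healthy reader that occasionally false-rejects a legitimate user.
    ev += [("door-A", f"emp{i % 7}", "DENY" if i % 50 == 49 else "ACCEPT")
           for i in range(400)]
    # door-B: never denies anyone across 350 attempts.
    ev += [("door-B", f"emp{i % 7}", "ACCEPT") for i in range(350)]
    # door-C: low traffic, but the scheduled canary test was accepted.
    ev += [("door-C", "emp1", "ACCEPT"), ("door-C", "CANARY", "ACCEPT")]
    return ev

if __name__ == "__main__":
    for reader, reason in sorted(audit_readers(constructed_events()).items()):
        print(reader, "->", reason)
```

The streak test only becomes meaningful on busy readers; on a low-traffic door the canary test is what exposes a reader that can no longer say no.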

Similarly, the computer-literate scammer wishing to fool a biometric system could also electronically plant a file in the database that he knew he could match at the biometric scanning device. This method could allow the criminal to insert his own fingerprint file or retinal scan so that he would be granted access when he offered his body for measurement. Once again, unless the system’s own internal controls were strong, the system administrator may never know that the database was compromised, and the scammer could come and go as he pleased without being detected.

Finally, data files in the initial sample database could be stolen, examined, and copied, so that the criminals would know exactly what to offer the capture device. This method of trickery is not entirely internal to the biometric system, but it could not be accomplished without compromising data security within the system software.

NOTE

Protecting the internal integrity of your biometric security software and the corresponding databases is a crucial element in assuring system effectiveness. Insist that your biometric capture system vendor demonstrates how integrity is maintained and monitored, and schedule (and document) regular software and data integrity reviews when your biometric system is in use.

None of these methods of defrauding biometric systems would be simple, and most involve highly specialized knowledge and a manner of accessing the internal workings of a biometric system; however, each vulnerability can be exploited unless the biometric system and the security regime as a whole contain internal checks to confirm the continued integrity of the data and of the operational software.
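The internal integrity checks called for above can be illustrated with a keyed tag on every enrolled template; this is an added example, not code from the book or from a biometric vendor. The record layout, the function names and the assumption that the HMAC key is held outside the template database are all hypothetical.

```python
import hashlib
import hmac

def make_tag(key, subject, template):
    """HMAC-SHA256 over the subject id and template bytes. The length prefix
    stops bytes from sliding between the two fields."""
    sid = subject.encode()
    msg = len(sid).to_bytes(2, "big") + sid + template
    return hmac.new(key, msg, hashlib.sha256).digest()

def seal(key, subject, template):
    """Enrolment step: store the template together with its tag."""
    return {"subject": subject, "template": template,
            "tag": make_tag(key, subject, template)}

def record_ok(key, rec):
    expected = make_tag(key, rec["subject"], rec["template"])
    return hmac.compare_digest(rec.get("tag", b""), expected)

def audit_store(key, store):
    """Scheduled review: list subjects whose record was planted or altered."""
    return [rec["subject"] for rec in store if not record_ok(key, rec)]

def refuse_reason(key, rec, probe):
    """Run before the matcher. Returns why to refuse, or None to proceed."""
    if not record_ok(key, rec):
        return "reference record failed integrity check"
    # Heuristic: two live captures of the same trait are essentially never
    # bit-identical, so an exact copy suggests a replayed file or a comparison
    # that has been looped back onto the stored reference.
    if hmac.compare_digest(probe, rec["template"]):
        return "probe is byte-identical to the stored reference"
    return None  # hand both files to the vendor's matcher

# Constructed demo data; the key below is a placeholder, not a real secret.
KEY = b"constructed-demo-key-kept-outside-the-database"
ALICE = seal(KEY, "alice", b"\x10\x22\x35\x47 constructed minutiae A")
BOB = seal(KEY, "bob", b"\x51\x60\x7a\x8c constructed minutiae B")
BOB["template"] = b"\x51\x60\x7a\x8d constructed minutiae B"   # altered in place
PLANTED = {"subject": "mallory", "template": b"constructed planted file",
           "tag": b"\x00" * 32}                                # never enrolled
STORE = [ALICE, BOB, PLANTED]

if __name__ == "__main__":
    print("failed integrity:", audit_store(KEY, STORE))
    print("replayed probe:", refuse_reason(KEY, ALICE, ALICE["template"]))
    print("fresh probe:", refuse_reason(KEY, ALICE, b"constructed new capture"))
```

Because the tag covers the subject id, copying a valid record under another person's name also fails the check. None of this helps if the key is stored beside the database it protects.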

Identity Theft with Biometric Files: Capturing Your Essence

Some exploitations of vulnerabilities within biometric systems are not necessarily aimed at compromising the security of the SCADA security structure. In this world of increasing identity theft, the capture of another person’s biometric signature profile may be the ultimate form of identity theft.

Once biometric signatures become more commonly used for identification in financial and governmental transactions, then stealing biometric profiles may become an important crime. As governments increasingly demand biometric proof for trans-border travel and financial services companies require biometric signatures for large transactions, identity thieves will need to consider stealing biometric measurements.

Presumptions of Accuracy

Unfortunately, due to the general assumption that biometric systems are always accurate, it would be very difficult to prove that you did not participate in a transaction if your biometric signature was used to complete the transaction. When faced with the fact that the person receiving a certain loan presented your fingerprint as verification of identity, how do you combat the presumption of your presence? This possibility is not simply theoretical, as we learned when the FBI detained an Oregon man for participating in the Madrid terrorist train bombings based on a similarity of fingerprint evidence, when, in fact, the suspect was thousands of miles away at the time of the bombing.

How Can We Replace That Finger?

In addition, theft of a biometric signature is even more dangerous than any other data theft for both the person it identifies and the company holding and using the biometric file. If other security data is stolen, like a bank-issued personal identification number or the customer-chosen password, then both sets of numbers can be changed. However, when a photograph of a person’s right index finger print is stolen and used to fraudulently authenticate identity, that person cannot be issued a new fingerprint. Once the biometric genie leaves the bottle, there may be no chance to force it back.

The consequences are similarly tragic for the company whose biometric database has been compromised. If the company has spent hundreds of thousands of dollars building an authentication system around fingerprint files and those files are completely compromised, then the biometric system may no longer be trustworthy, and fixing the problem is not likely to be easy. The company may have to scrap the entire system because it can no longer be trusted, and it cannot be reorganized to accept a different form of biometric reading. Even worse is a loss of trust. Once a biometric system is compromised, then its users may never trust it again, even if the system can be technically rehabilitated.

Tools & Traps…

Avoid the Extensive Database

Building, maintaining, and protecting a database of captured biometric signatures can be expensive and risky. If someone broke into the biometric database, the entire security system would be compromised. To avoid the problems associated with storing and protecting the personal identifiers of thousands of people in one place, some biometric technology allows your company to operate without aggregating all the captured data. These systems capture and maintain an original fingerprint on a portable reader held by the authorized person. When the person reaches a checkpoint, he swipes his finger across the portable reader, which includes a stored copy of his biometric reference sample. The portable device, no larger than a standard keychain fob, reads his thumbprint, compares files and sends a signal to the system if the samples match.

This method of capture provides two factor authentication: the fingerprint comparison and the portable device itself. It can be an efficient and effective method of implementing biometrics without the aggregation risk. If a device is stolen, then only one personal sample is compromised.

Measuring Minutia Can Be Safer Than Storing a Whole Biometric Photograph

For these reasons, operators of biometric authentication systems must build policies and procedures to ensure the integrity of the data within the network, and must create special barriers to access of the biometric data files. Choosing a system that operates by analyzing various points of minutia from a fingerprint or an iris, rather than a full picture of the biological feature makes it more likely that your company could survive a loss or theft of biometric data with the system intact.

When your company uses minutia, it could change the number and type of data collected to make the compromised data worthless to anyone who might steal it. While shifting the system in this manner would entail taking new readings from all biometric authentication system participants, it would not necessarily involve scrapping the entire system. By contrast, if a full photograph of the biometric attribute was stolen from a security system, the entire system may not be able to be rehabilitated.

Anticipating Legal and Policy Changes That Will Affect Biometrics

When choosing the elements of a SCADA security system, the security executive must consider how the system components work together and what special issues each component brings into the picture. What aspects of the SCADA security create the most significant risks for administration and trust in the system?

Biometric components offer a level of complexity that can be problematic for implementation and operation. Biometric readers are famously more fickle and more sensitive to environmental factors than simpler input devices. Unlike password systems that operate in a clear “match or no match” environment, biometric systems provide a sample comparison that must be calibrated between the need to avoid both false positives and false negatives.

However, unlike nearly all other forms of data entry and verification for authenticating people, biometric security brings a non-technical, social element to your defenses. Whenever people are forced to offer and leave a piece of themselves in the system, they will worry what that system is taking from them.

For the past several years, the California legislature has introduced bills to limit or stop the use of biometrics. Soldiers have sued the U.S. military to stop the use of biometric identification programs, and labor unions have sued companies to stop the forced biometric capture of workers’ physical data for security purposes. As personal privacy becomes a recognized right under the laws of the United States, the potential harm of forcing people to participate in biometric capture and storage gains the attention of privacy advocates.

Currently, United States privacy laws leave a significant loophole related to biometric capture and maintenance of personal data. The Health Insurance Portability and Accessibility Act of 1995 (HIPAA) carved out a sphere of privacy in personal health care information. Doctors and hospitals must now protect all personally identifiable health care data received from their patients.

The data relating to a person’s medical condition cannot be used for any purpose beyond its original function for diagnosing or treating the person, unless the patient gives permission to use it in another specific manner. This law applies to other information receivers in the health care universe, such as drug stores, insurance companies, and the administrators of company health plans.

However, the protections apply only to data captured in the process of delivering health care. They do not apply to data captured for the purposes of security authentication. Therefore, if your employer takes a sample of your DNA as part of a diabetes screening sponsored by the company health plan, then that DNA sample is protected from disclosure under HIPAA.

Conversely, if the same company takes a DNA sample from you for the purpose of identification and authentication in a biometric security system, then that DNA sample is not protected under HIPAA or any other current federal law in the United States, and the company may be able to use the data for other purposes or even to sell it to other companies.

This leaves a gaping hole in protections for personal data relating to a person’s body, health, or other physical traits, and the hole in data protection can be applied to the most personal and private data about a person. Physical information, especially any sample that allows harvesting of DNA, can reveal an enormous amount of sensitive information, from race and parentage, to likelihood of heart disease or high cholesterol, to behavioral propensities. Personal data about individuals has a value, and a company capturing this data may be tempted to use it in ways never intended by the person who offered it.

At some point, the law is likely to change to protect biometric samples. In the meantime, privacy activists and other people concerned about loss of their personal data could create a hostile environment for use of biometrics in security. In this case, collecting biometric signatures would be more difficult for the security department. In addition, various U.S. states have introduced laws to regulate biometric capture and storage. Your company should include the possibility of regulation in its risk calculations when deciding whether to include biometric components into its SCADA security system.

Summary

Biometric authentication regimes can solve important problems within your company’s SCADA security system, but they are not helpful in all situations, and they present the system administrator with unique issues and risks. In a SCADA security network, biometric components are useful only at the edges of the network where people interact with the SCADA security and where secure facilities and equipment need authorized access. The variety of biometric readings, both invasive and remote, demonstrates that biometric security can meet a wide array of priorities within your overall security program.

However, each biometric authentication capture device provides its own set of choices, such as whether it is more important to your company to allow ready access in an emergency or whether it is more important to take extreme steps to exclude any unauthorized people from accessing secure facilities. These devices are not foolproof and can be beaten at a number of different points of vulnerability, including tricking the scanners or reworking the system software. Storage and protection of biometric samples can also be hazardous. Finally, biometric systems are not yet so widespread that the law and regulations for biometric capture can be expected to remain constant over the several years of your company’s investment in these systems.

Solutions Fast Track

Understand the Strengths and Weaknesses of Biometric Solutions

Know that biometrics is appropriate only in limited circumstances in SCADA security.

Analyze the number of authentication factors needed.

Make realistic choices concerning the physical traits measured for identity.

Choose Biometric Technology That Matches Your Security Priorities

Is speed of access or certainty of authentication more important?

What current, cost-effective product meets your company’s needs?

Factor complexity and environmental concerns into your decision.

Learn About Your Biometric System’s Vulnerabilities

Systems measuring physical characteristics external to the body may be fooled by presenting a false sample.

Biometric systems may be attacked through their software systems.

Data and software integrity is critical and must be monitored and confirmed on a regular basis in biometric scanning and comparison systems.

Prepare for Social and Legal Changes

Some people refuse to provide invasive biometric samples for any purpose, including security.

Current U.S. law contains loopholes relating to storage and use of physical data for security purposes.

Expect changes in law and regulation of biometrics that could affect the use of this technology in your SCADA security system.

Frequently Asked Questions

What is biometric security authentication?

It is the application of the science of measuring living beings, humans in this case, and identifying/authenticating a person using some physical characteristic so that the person may interface with the system in an authorized manner.

Where can biometric authentication be used in SCADA security?

Biometric authentication regimes are appropriate anywhere that humans interact with the system, but are most often used in authorizing access to secure facilities and equipment, either central or remote.

What physical characteristic should my company be measuring?

This depends on your company’s security and administrative priorities. Fingerprint capture is common among vendor systems and is well-accepted by the general public. Voice and face recognition can be taken from a distance. Retinal scanning is difficult to spoof.

Where are biometric authentication systems vulnerable to fraud?

Biometric capture systems may be attacked by providing a false but similar sample for authentication. Ultimately, biometric security is based on software comparisons of electronic files, where the files represent a physical characteristic of the measured person. Therefore, the systems are vulnerable to several types of software and database integrity attacks.

How is security measured in biometric authentication systems?

A biometric authentication system is considered secure if it does not produce a level of false-positive readings or false-negative readings that are unacceptable to the system manager.

What can a system manager do to minimize the possibility that a biometric database will be compromised with biometric files stolen?

The manager could choose a system that stores its biometric files separately and remotely. The manager could also choose a system that only measures certain minutia of a characteristic, so that the loss of that data will not compromise the entire regime.

What United States laws or regulations address the privacy of biometric samples taken for security purposes?

At this writing, biometric samples taken for security purposes are not explicitly treated as protected private information by U.S. statutes or regulations.
