-
See the Archives
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- February 2009
-
Filter by Category
- Business at risk
- Citadel in the news
- Citadel Information Security Guides
- Citadel: Guide to Blog
- Citadel: Thinking about Security
- Cloud Security
- Combatting Cybercrime
- Consumers at risk
- Cost of Cybercrime
- Cost of Piracy
- Credit card fraud
- Culture Change
- cyber security learning community
- Cyber Security Management
- Cyber War
- events
- Financial systems security
- Future of Cyberspace
- Healthcare
- Identity theft
- Information at Risk
- Insurance
- Internet badlands
- ISSA-LA
- Law Firms
- Legal
- Miscellany
- mobile banking
- mobile internet
- Mobile Security
- national security
- Not-for-Profit
- Online Privacy
- OWASP
- Privacy Matters
- Ray of Sunshine
- School security
- Security Alert: Vulnerability Management
- Security management
- Security Research
- Security Surveys
- Social Engineering
- Social networks
- Virtual Currency
What Does Stuxnet Say About the Future of Cyber Warfare?
Last July we started following Stuxnet, a sophisticated worm that targets industrial computer controllers manufactured by the German engineering conglomerate Siemens. Siemens is the world’s largest manufacturer of Supervisory Control and Data Acquisition (SCADA) systems, which control the machinery involved in industrial and infrastructure processes, including water treatment facilities, power plants, and factories. Last summer, no one knew who was behind Stuxnet or what its intended purpose was. Then, in November, Iranian uranium enrichment facilities suffered a major setback when nearly 1000 centrifuges were destroyed by the malware.
Earlier this week, The New York Times published a compelling article attributing the creation of Stuxnet and it’s highly targeted attack on Iran’s uranium enrichment program to a joint effort between the Israeli and US governments. The article concludes that the sophistication of the code and its high level of precision would have required resources and knowledge way beyond the reach of any private operation:
“The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.”
However, an article form eSecurity Planet last Tueday questioned the sophistication of Stuxnet as a whole, noting that while the core program in Stuxnet is highly sophisticated, the dropper component that actually targets and infects networks and machines reflects only an amateur level of sophistication. This, in addition to the multiple versions of Stuxnet floating around, suggests that the malware was developed by several different groups over a period of two or three years. Perhaps, as the eSecurity article speculates, the advanced parts of Stuxnet were written by a third party and sold to the programmers who “put the wrapper around it.” That we know what we know about Stuxnet suggests that key elements of its design were not highly sophisticated.
In spite of the imperfections in Stuxnet’s design, the backstory involving Siemens’s vulnerability testing in collaboration with the US Government, the sophisticated insider knowledge required to pull of such an attack, and the political expediency of doing so makes a strong case for US and Israeli backing. In addition, the Times contends that Stuxnet was actually tested at Israel’s Dimona nuclear weapons development facility in the Negev. The cumulative result: it now appears that Iran’s nuclear enrichment program has been set back by several years.
Of course, we are also attentive to what Stuxnet means for cyber security management and cyber warfare as an emerging reality.
Last Monday, The Data Center Journal published an article describing Stuxnet as the first known form of weaponized malware ever developed. They report:
“The traditional, malicious approach to damaging the [Iranian] facility would have been to use a conventional weapon (i.e., a bomb). The astonishing difference is that this malware was attempting to do mechanical damage to the facility without supplying the destructive mechanical force on its own. In other words, this was malware designed specifically to accomplish the work of a weapon. It has therefore earned the nefarious classification of weaponized malware.”
The article goes on to scrutinize how Stuxnet gained access to its target systems by exploiting up to 4 zero day vulnerabilities in Microsoft operating systems and using digital certificates to authenticate itself. It then analyzes the risk management landscape this malware portends:
“It is unquantified and unmanaged risk that allows Stuxnet to propagate and operate on a network. This situation represents bad management practice of a critical part of a layered security model. Digital certificates are widely used to authenticate and identify entities in a network. Poor management practices render digital certificates ineffective for their intended purpose. In fact, poor management in some cases creates an exploitation opportunity.”
From a management perspective, Stuxnet certainly emphasizes the vital importance of robust and forward thinking security management policies.
How worried should we be about malware like Stuxnet disrupting infrastructure here in the US? eSecurity Planet’s reporting echoes that of The Data Center Journal in suggesting that protecting SCADA systems demands strong security management policies and physical perimeters—measures that were either poorly developed or easily subverted in Iran. In general, US security measures are more sophisticated, and it is generally considered unlikely that Stuxnet itself would be able to infiltrate a high security US facility.
What exactly Stuxnet says about the future of cyber warfare in the 21st century, and our vulnerability on that front, is still an unfolding story. What we can say is that we have entered an era in which highly sophisticated and covert software, likely developed or funded by governments, can destroy physical targets with a precision equal to or greater than a mechanical weapon.
ISSA-LA and the Los Angeles OWASP Chapter will be co-hosting a Stuxnet update and demonstration on March 17th. More information will be posted on the organization’s websites as we get closer to March.
