By Dean Picciotti and Gregory Montanaro
The most recent battle in the New Cold War is being waged as you read this. It is a battle over nuclear weapons.
Claiming that more than 30,000 of their computers have been compromised by a nasty piece of malware dubbed Stuxnet, the Iranians say that electronic warfare is being waged against their state. Considered by many experts to be the best cyber virus ever, the Stuxnet virus plaguing Iran is a complex piece of malware-a short term for “malicious software,” created to infiltrate surreptitiously and take control of certain aspects of a computer system.
Michael Scheidell, Chief Technology Officer of SECNAP Network Security and a nationally recognized expert on cyber-infrastructure security, acknowledges that “Stuxnet’s complexity, multi-layered design, and range of technically disparate elements suggest that a large, well-funded team is responsible for its creation-possibly a nation-state. Some analysis also points to a highly specific target-a nuclear plant in Iran. So you could conclude that a powerful entity, organization or country created Stuxnet in retaliation against Iran. We may find another scenario at the end of the day, but this one looks good, given what we know now.”
As the world becomes increasingly interconnected and reliant on computers to run everything from our coffeemakers to our nuclear plants, cyberspace has emerged as the fifth domain of warfare, after Land, Sea, Air, and Space.
A cyberattack launched by one nation against another raises many questions. After a cyberattack, will there be retaliation? In what form: Another cyberattack? A more traditional military attack or an asymmetrical terror attack?
What of treaties? NATO’s lynchpin is that an attack on one member is an attack on all members. If a member of NATO is harmed via cyber-attack, does it trigger the obligation of fellow NATO members to declare war? The implications of cyber warfare are grave.
STUXNET: A POWERFUL, INDUSTRIAL-GRADE VIRUS
Stuxnet focuses on Supervisory Control and Data Acquisition (SCADA) systems which control the processes in many industrial and factory settings. Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company found the worm on computers belonging to an Iranian client.
The Stuxnet virus is initially installed on a Microsoft workstation via the use of a USB memory stick, after which it immediately begins to search for a workstation running Siemens SIMATIC WinCC software.
Siemens, which boasts on its website that it is a “global powerhouse in the industry, energy and healthcare sectors,” is the manufacturer of the software that Stuxnet targets. Siemens will not confirm how many customers it has in Iran. However, earlier this year, Siemens said it planned to wind down its Iran
ian business-a 290-employee unit that netted $562.9 million in 2008, according to the Wall Street Journal. Critics say the company’s trade there has helped feed Iran’s nuclear development effort in spite of the U.S. embargo on Iran.
Stuxnet is highly complex malware that is capable of infecting equipment isolated from the Internet and which targets industrial processes employed in the energy, transportation and healthcare sectors. It specifically, targets the systems of a single manufacturer criticized for assisting Iran in its nuclear development efforts.
The suspicions of a pre-emptive military fifth domain attack may or may not be true, but they are certainly not far-fetched.
THE CONVERGENCE OF TECHNOLOGY
Two decades ago, in an attempt to save money in the growing software-based process control and automation industry, companies began to explore the logistics, implications and benefits of converging the pathways that control desktops, servers and industrial equipment. Stuxnet takes advantage of the inherent flaws in this convergence strategy.
One of the flaws in convergence is the introduction of USB Memory Sticks (the same ones you may carry on your keychain) to the factory floor. Industrial equipment rarely has USB ports, but because of convergence these devices, which now share networks with office-grade equipment, are integrated (knowingly or unknowingly) with desktop computers. As a result of this convergence, power plants, pipeline networks, refineries, mass transit, high-rise HVAC, elevator systems, water and sewage plants, grain elevators, communications networks and other large-scale SCADA applications are susceptible to USB stick-borne viruses, even if the network is completely isolated from the Internet.
Stuxnet leveraged the widespread appeal of convergence to infiltrate factories and, perhaps, nuclear facilities.
IT’S ALL CONNECTED
The world is crisscrossed by networks of wires, cables, waves, pulses and signals. The computer systems that operate this world are all around us, yet just under the surface. Driven to design simplicity and ease of use into most systems, developers have learned to cleverly disguise the fact that you are even using a computer. But computers they are, in every imaginable size, supporting every conceivable application-and it is all connected. Just consider:
- Smartphones, laptops, mobiles, desktops
- ATMs, store barcode scanners, credit card swipe machines
- Telephone systems, television systems
- High-rise elevator and HVAC system controls
- Ordering systems, payment systems, money moving systems
- Factory production systems, assembly lines
- Food processing and packaging systems
- City water systems, sewage systems, rail lines, traffic signals
- Electric and gas utility processing/production and distribution
Imagine these systems infiltrated by malware, crashing, rendered useless, at least temporarily. The data grid falls. The power grid falls. The communication grid fails. The transportation grid fails. Imagine the potential for panic-financial and otherwise-in the face of cascading network failures.
FIRST CYBERATTACK OF THE NEW COLD WAR
The first shots in the cyberspace Cold War were fired by the Russians against Estonia and Georgia in 2007 and 2008. At that time, the cyber infrastructure in Georgia was suffering from the type of cascading system failure described above. This took place as Russian tanks were advancing across the Caucasus in 2008.
Perhaps it was a coincidence. We have never been able to trace the cyber denial of service (DoS) attacks directly back to the Russians. Regardless, due to widespread system failure the established government in Georgia was unable to coordinate any defense, and was isolated from the rest of the world to gain assistance.
Destabilizing a nation’s cyber-infrastructure is not an exact science. The results are not foreseeable or controllable necessarily. And neither is the potential for retaliation. However, forcing a nation-state into chaos without an identifiable adversary is a perfect tool for the asymmetric attacks of terrorists. There is little lead time. There is little chatter. Assembling the devices necessary rarely requires embargoed or highly regulated materials.
Was the United States or its allies behind the Stuxnet virus? We may never know. But we are no less a combatant in the New Cold War. The damage threatened in this war is tremendous to our country and way of life. We must continue to exert our influence in all domains-not only air, sea, land and space-but cyberspace as well.
U.S. DEFENSE AGAINST CYBER WARFARE
Our vulnerabilities are considerable in this country. But so are our defenses and our resilience. Despite economic woes, the Department of Homeland Security is spending significantly to bolster critical infrastructure. Rules regulating private industry are being revamped to require strong defenses of critical processes and data. These reforms are also being pushed by private industry, healthcare, the accounting and legal professions, and the financial industry. Federal regulation and those who enforce and interpret it are assisting our industries in bolstering their defenses.
As the most computer-reliant country in the world, the United States recognizes the threat posed by cyber warfare.
Twenty-five percent of all malware discovered this year is propagated through the use of USB sticks. Given the flaws of convergence, and the prevalence of USBs, it is not surprising that the Pentagon and Central Command were “hacked” via USB-borne malware in 2008. Since that time, the military has substantially bolstered its cyber defenses. The Federal Government has likewise taken giant steps in bolstering cyber security for non-military branches of government.
However, our government currently takes no official role in protecting private business and, outside of Homeland Security dollars, assumes no acknowledged role in protecting critical quasi-government infrastructure-such as power plants, pipeline networks, refineries, communications networks and other large-scale applications.
Cyber Command Chief General Keith Alexander has confirmed publicly that Cyber Command does not work with private industry. Recently, however, Alexander’s position seems to be morphing toward a more robust government involvement in protecting strategic infrastructure such as water, gas and electricity. The Cyber Command Chief envisions a team approach to security involving the Department of Defense, the Department of Homeland Security and the FBI. The FBI would investigate computer hacking, Homeland Security would work with industry and other critical areas. Alexander has emphasized that it will be critical for private industry and contractors to be involved if the proposed program is to be effective.
History is rife with the stories of new technologies that turned the tide in favor of one side in warfare. You don’t need to look back to the Longbow’s effect on the Hundred Year’s War in the 1400s for examples. You don’t even need to look back to World War II. The technology-driven unmanned drone program currently in use in Iraq and Afghanistan is exceedingly effective. The best technology often wins wars. And we are a nation at war. The responsibility to defend our nation is ours, on all fronts.
Dean Picciotti is an attorney and former Philadelphia Chief Information Officer of the Year. He is the Chief Executive Officer of Lexington Technology Auditing, Inc., a Philadelphia area based company that protects private and quasi-governmental critical computing infrastructure throughout the Northeast.
Gregory Montanaro is executive director of FPRI’s Center on Terrorism and Counter-Terrorism.