The Washington Post reported this morning on the latest development related to the Stuxnet malware. The Stuxnet code was designed from the ground up to attack Supervisory Control and Data Acquisition (SCADA) systems, the systems used to manage complex industrial processes such as those at power plants and chemical manufacturing facilities. The malware, which has been the subject of much discussion over the last month or so in the security and cyber-war community, is capable of taking over the systems that control industrial plants. This is the first report of it being used against nuclear facilities.
The malware uses four different zero-day exploits, two stolen code-signing certificates (so that its kernel drivers pass Windows driver-signature checks and load as if they were legitimate vendor software) and a multi-stage propagation mechanism, starting with infected USB sticks and ending with code injected into Siemens S7 programmable logic controllers (SPS, in Siemens' German terminology). One of the zero-days is a USB-stick exploit that infects the computer the stick is plugged into as soon as the stick's contents are displayed, without relying on AutoRun, and it works regardless of the Windows version, from Windows 2000 to the most modern and supposedly secure Windows 7.
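The point about the stolen certificates is that a driver signed with one passes Windows' signature check cleanly, so a "Valid" signature status tells an analyst nothing; what has to be reviewed is who signed each loaded kernel driver. The following is an added example, not code from the original post or from any Stuxnet analysis, of how a Windows administrator could produce that review with built-in tooling. It assumes Windows PowerShell with the `Get-AuthenticodeSignature` cmdlet and WMI access to `Win32_SystemDriver`; the function name `Get-DriverSignerReport` and the default expected-signer list are my own choices for illustration.

```powershell
# Added example (not from the original post): list every kernel driver Windows
# knows about together with the identity that signed it. A driver signed with a
# stolen certificate still verifies as "Valid", so the Status column will not
# flag it; the Signer column is what the analyst reads, looking for a signer
# that does not match the hardware or software the driver claims to belong to.
# Assumes Windows PowerShell, Get-AuthenticodeSignature and WMI (Win32_SystemDriver).

function Get-DriverSignerReport {
    [CmdletBinding()]
    param(
        # Signers the analyst already expects on this host; anything else is flagged.
        # Illustrative default, not a published allow-list; tune it per fleet.
        [string[]]$ExpectedSigners = @(
            'Microsoft Windows',
            'Microsoft Windows Hardware Compatibility Publisher'
        )
    )

    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # WMI returns kernel-style paths such as \??\C:\... or \SystemRoot\...;
            # normalize them to something Get-AuthenticodeSignature can open.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) {
                # Relative form (System32\drivers\x.sys): assume the standard driver directory.
                $path = Join-Path $env:SystemRoot "System32\drivers\$(Split-Path -Leaf $path)"
            }

            $sig = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Pull the common name out of the X.500 subject for readable output.
            $signerCN = if ($subject -match 'CN=([^,]+)') { $Matches[1] } else { $subject }

            [pscustomobject]@{
                Driver     = $_.Name
                State      = $_.State
                Path       = $path
                Status     = $sig.Status
                Signer     = $signerCN
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                NotAfter   = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
                # Flag anything unsigned, failing verification, or signed by an unexpected party.
                Unexpected = ($sig.Status -ne 'Valid') -or ($ExpectedSigners -notcontains $signerCN)
            }
        }
}

# Usage: show only the drivers that deserve a second look. A hardware vendor's
# certificate on a driver that no hardware on this host needs is the pattern
# the stolen-certificate technique produces.
Get-DriverSignerReport |
    Where-Object Unexpected |
    Sort-Object Signer, Driver |
    Format-Table Driver, State, Status, Signer, NotAfter, Path -AutoSize
```

The caveat a practitioner should keep in mind: revocation of a stolen certificate only changes the reported status on hosts that can reach the CA's revocation data and only for signatures the CA's revocation date actually invalidates, so the output is a triage list for a human, not a verdict. Running it on a known-good build of the same image and diffing the two reports is the quickest way to make the unexpected signers stand out.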
I think what's interesting about this is not so much the technical sophistication and highly targeted nature of the malware, but the policy issues that surface as a result. The government is in the midst of trying to sort out the roles various agencies will play in dealing with issues ranging from cyber weapons to espionage. Earlier last week the Department of Defense's newly formed Cyber Command advocated the creation of a separate, secure computer network to protect civilian government agencies and critical industries like the nation's power grid against attacks mounted over the Internet. The Department of Homeland Security is also chartered with protecting the nation's infrastructure, but most in the security community see little understanding of the threats there and even less in the way of effective defensive programs.
Unfortunately, the picture in the commercial sector is not much better. The threat landscape for large enterprises includes well-funded cyber-crime operations as well as state-backed cyber-espionage efforts aimed at stealing intellectual property. The challenges in dealing with this threat landscape are not just technical but cultural. Most of the CIOs and CISOs in the commercial sector have been hired because they are good at keeping things running (ensuring availability) and keeping costs down. In light of the current threat landscape, I would claim that at least equal attention needs to be placed on building resilient networks that resist attack.