Tuesday, October 19, 2010
Bob Gourley

There are some important strategic changes occurring in the national security landscape.

A new kind of cyber attack has been noted, one that involves use of malicious code to attack infrastructure.  There are some important points in this attack that should be understood by national security decision-makers.

With the launch of the code the security community calls Stuxnet, an attack was made against a programmable logic controller (PLC) that runs a physical system.  This is a new degree of bad in cyber attacks.

This code is potentially (probably?) nation-state sponsored.  We might never know which country, but a review of the geo-political situation today can lead to some informed speculation.

Below is some Stuxnet context:

Background: A piece of malicious code called Stuxnet was discovered over the summer.  It was highlighted by security experts like Steve Bellovin in July 2010. Steve pointed out that the use of zero day attacks and the targeting of a SCADA system was of note.

Piece of Stuxnet Code as analyzed by Ralph Langner

Many other security researchers discussed this code but one of the better technical write-ups is captured by Ralph Langner in his report titled “Stuxnet is a directed attack– ‘hack of the century’

Key points made by Ralph Langner are that:

  • This was a directed attack, aimed at sabotage vice espionage or privacy attacks.
  • The full effect of the package only occurs at places where are targeted piece of equipment is located. This means knowledge of a specific target was used in designing this weapon.
  • Many other features point to heavy insider knowledge.
  • Although smart use of zero day attacks was used, the real expertise was with the specific control system. This was not some hacker or group of hackers. This is a group with knowledge of the target.

Some great analysis also comes from Gary McCraw of in a post at InformIT titled “Software [In]security: How to p0wn a Control System with Stuxnet.

Gary McGraw makes the points that:

  • Stuxnet seems to be proof of a sophisticated, narrowly targeted collection of malware controlled by a well resourced entity.
  • It was discovered accidently  by anti-virus researchers in June 2010, but may have been in the wild since early 2009.
  • Gary underscores that the delivery means is not what is key here.  An almost infinite number of delivery means could have been used, unfortunately. There is a deep well of zero day attacks waiting to be discovered.  The key thing is the ability of Stuxnet to inject code into a running control system.
  • Gary also clarifies that this attacks is NOT against the SCADA.  It is against the programmable logic controller (PLC) which runs the physical system directly.  This makes this attack much more sinister.

Some analysis and recommendations:

I should mention a disclaimer: I don’t have a clue about how hard it would be to write this code or insert it.  I don’t have any insider knowledge about this or have any idea who did it.  And, although I am certainly a student of technology my personal coding skills are so weak I could not offer any personal opinions that come close to those of McGraw, Bellovin or Langner.  Those guys are masters I hold in high regard, and they and many other experts are convincing me that this is unique.

  • It is possible that the code could have been written by one very smart coder, but it is more likely the result of a team.
  • The smart use of well prepared, unknown exploits makes this sophisticated, but that is just the delivery means.  The key point is the weapon- the piece that changes how a control system operates.
  • This, to me, points to a historical first. I believe, this is the first publicly available evidence of a piece of weaponized code being delivered to have an impact on a SCADA system.
  • This does not seem to have been designed, at all, to provide data out.  It is not built for espionage.  It is built to impact infrastructure.
  • And it is built to impact a very specific infrastructure, not all infrastructure.  It is targeted.
  • We are all put in the awkward position of being tempted to blame Israel for this attack.  If the code does what it seems to do, and if it was targeted against centrifuges at Natanz, then it is logical to assume Israel could benefit from this.  But in the cyber world it can be very hard to prove who is behind an attack. We should all be on guard for reports that claim to know where this came from (scrutinize any reporting so you know what the facts are).
  • If a country sponsors an attack against another country, is it an act of war?  Well, if a country bombs another country’s nuclear weapons program, is that an act of war?  Seems like this is an issue worth additional study.
  • If a country launches a weapon like this, does it mean they are ready for the “blow back” when other country’s launch weapons like that against them?  I don’t know of any country that is protected (or protectable) against these sorts of threats.  So why would any country launch an attack like this?

My recommendations:

  • If you are not already studying cyber issues, seems like now would be a good time to start.  There are many venue available for you to study cyber conflict.  One of my recommended places is the Cyber Conflict Studies Association (CCSA), but there are many other ways to get involved and get up to speed on these many dynamics of cyber conflict.  Depending on your interest and abilities you can join and learn from and advance the cyber conflict thinking at: SANS, AFCEA, INSA, IEEE, ACM, AAFS , CFR, and/or many others.  One thing I’m certain about is that we will need contributions from a wide range of experiences and viewpoints as we move forward into the future, so find your path and dive in.
  • I also recommend that you do what you know you need to do in your own enterprise.  Ensure you are mounting a vigorous defense in depth.
  • Oh, and don’t let anyone in your organization tell you that your SCADA systems are protected because they are not directly connected to the Internet. If they can be reached by any network or USB drive or other media, they are not isolated.

And a closing thought:

I think once again it is an important question for you to ask yourself:  Can you trust your toaster? More later.

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.