Late yesterday Dale Peterson at DigitalBond.com posted “[o]ne more Stuxnet post before we move on.” As typical, Dale’s blog post provides us with some valuable in-sight into Stuxnet. I certainly hope, though, that he isn’t implying that this will be the last post on the matter. He has been a good source of updated information about Stuxnet, explaining things that he and others have found out about the operation of Stuxnet.
In this post Dale isn’t really looking at the details of Stuxnet; rather he is looking at how the industrial control system network responded to one of the most creative and complex assaults on system security. In his analysis ICS-CERT and Siemens come off looking bad while Langner Communications and Symantec received some well deserved praise.
Dale’s complaints about ICS-CERT are particularly important. This DHS office is the one charged with supporting cyber security activities in the industrial control sector. Since most companies using these control systems do not have the resources to watch out for, investigate, and formulate a response to sophisticated attacks like Stuxnet we turn to the Government for this type of support.
Dale points at possible political issues hampering a more aggressive public ICS-CERT response to Stuxnet. Unfortunately he doesn’t explain what stopped them from being able to “clear the bureaucratic hurdles required to release more information”. If Stuxnet was actually an Israeli attack on Iranian nuclear fuel processing as Dale and others have suggested as being a plausible explanation for the sophistication of the attack (and I agree that it does sound extremely plausible), then the intelligence community would have been reluctant to see that information released.
That would have been a piss poor (though entirely predictable) reason to restrict the spread of information about Stuxnet. Once Iran was identified as having an unusually large number of Stuxnet infections it didn’t require a great deal of ‘jumping to conclusions’ to start to think that Israel might have discovered a new means to execute offensive operations against a target that they have publicly warned that they intend to attack before Iran could produce a nuclear weapon.
Actually I suspect that the ICS-CERT failure in this situation was more based upon resources and a lack of imagination than the lack of political will. While DHS is a large organization their manpower is spread thin. Their lack of depth is further aggravated by the political necessity of having a huge amount of manpower involved in the symbolic protection of commercial air traffic. We continue to see understaffed agencies ‘protecting’ high-risk chemical facilities, Hazmat pipelines, and toxic freight rail targets. Until those targets are actually hit, the politicians will continue to only provide token monies to support those programs.
As we continue to hear discussions about cyber warfare and governmental cyber attacks, this Stuxnet incident points out a unique problem with cyber weapons, once they are employed in the wild, they become public property. While Langner Communications and Symantec have done some valuable work explaining what Stuxnet does and how it works, we must not forget that every government in the world with a modicum cyber expertise has been hard at work doing the same thing.
Dale touches briefly on this in his posting, but I think that this deserves more attention. The developers of Stuxnet (Mosad, the Russian Mob, a bored pimply-faced kid, who ever) has done the hard work. They developed the tools to attack Siemens-based control systems. Those installed systems will now be forever suspect of being vulnerable to attack. And any government, any large criminal organization, will have access to the tools necessary to execute those attacks.
We are now at the cyber equivalent of August 1945, with the Stuxnet shaped cloud rising on the horizon, proclaiming that the world will never be the same again. If this was an attack on the Iranian nuclear program, the irony is totally appropriate. With the potential ability to conduct anonymous attacks on civilian and military infrastructure at will we are heading into a dangerous new era of international politics.
Unfortunately, it will be the private sector in the United States that will bear the brunt of the damage and cost of this new type of warfare. The targets will largely be owned by private companies and they will bear the brunt of both defending against and responding to the results of those attacks.
The world has become an even more dangerous place and there’s not much we can do about.