Tuesday, December 14, 2010

Political Look at Stuxnet

Last week the folks at SCADASEC List published a link to a new look at the Stuxnet worm from an unusual source, the Congressional Research Service. Members of the technical community will find no new information in this report, but it wasn’t written with that community in mind. Rather than being a technical paper, the CRS has prepared an analysis that looks more at the political implications of this attack.

The CRS Report, “The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability”, summarizes the publicly available information about Stuxnet without delving into a significant level of technical information. So it quotes from news reports and white papers from Symantec and ESET, but ignores work by researchers like Ralph Langner.

The writers of this paper have been careful to provide a reasonably balanced approach to presenting the various viewpoints of the Stuxnet discussion. It notes that some industry observers mark Stuxnet as the effective start of cyber warfare, while others believe that the risk of attacks on cyber control systems is overblown in the discussion of Stuxnet. It addresses the issue of the potential sources of Stuxnet without reaching any conclusions.

It addresses the issues of whether or not Congress should pass legislation regulating the security of industrial control systems without making a definitive statement of whether or not such legislation should actually be introduced, or what form that regulation might take. Of course the CRS is not supposed to advocate legislative action, but to provide the information that legislators would need to take such actions.

From a political viewpoint, this is a slightly disappointing report. There is no real discussion of the potential options that legislators have in defining the types of regulatory schemes that they might consider in the coming 112th Congress. To be fair, there has not been much talk about legislation for regulating ICS security. To date there has only been one bill, HR 6423 (there was another bill introduced last week that may address the issue, S 4021, but I have not yet seen an actual copy of the bill), that specifically addressed ICS security issues. It would have been helpful if the provisions of that bill had at least been mentioned as a possible legislative response to the issue.

This document will have little impact on congressional discussions this year. There are just too many high-profile controversial issues remaining on the plate of the lame duck session of the 111th Congress for ICS security to be actively considered. This document will be useful to Congress when it comes back with new faces and new agendas in January.

1 comment:

heyjames4 said...

Whether or not there is a government regulation requiring it, owner/operators of industrial control systems (electric, sewer, and water utilities, chemical manufacturer's, etc.) should be interested in securing thier systems against malicious activity.

One of the big worries of a mal-ware attack against a facility with chemical stockpiles is the release of hazardous substances to cause damage and panic to the general public.

Under common law and existing regulatory and liability schemes, if a facility releases hazardous chemicals that could threaten its employees, neighbors, or the environment at large, then it is held responsible for damages and the cost of emergency response, cleanup, and corrective action; whether or not the release was intentional (due to negligence) or accidental (safe procedures exist but weren't followed).

A release due to sabatoge could be treated the same way, the operator being found 'guilty' of not doing everything feasible to prevent forseeable hazard.

/* Use this with templates/template-twocol.html */