Classic novels range from 30,000 words (Animal Farm) to nearly 600,000 words (War and Peace). That suggests that reports written about Stuxnet in the past three months could make an impressive epic. Much of the writing analyzes the attack itself. But there are other concerns.
The attack has been reverse engineered to a chorus of adulation for its elegance and precision. Terms such as laser-like and weapons-grade are bandied. But lots of people can write stellar code that is complex and works. Wall Street technologies for stock valuation may dwarf Stuxnet in terms of complexity. Health insurance claim processing is arcane beyond description.
Equally impressive are the non-technical aspects of Stuxnet – understanding the operating culture of utilities, the relative isolation of many ICS consoles, even the self-imposed timing. This was an operation, a mission – not just malicious code set loose.
But here’s a problem. Stuxnet was almost certainly planned and executed by people deep inside the utility industry. Consider:
• The attackers understood well that their target(s) might be unreachable from the Internet, finding USB sticks an easy workaround
• The attackers understood the operations culture at utilities, where IT departments and their endless rules are often held in low regard – especially Cyber Security, which often gets in the way of actually getting anything done.
• Shortly after the SCADASEC listserv began discussing Stuxnet it endured a series of Denial of Service attacks. I speak frequently with Smart Grid Cyber Security experts and about 60% of the people I interview have never heard of SCADASEC. But apparently the attackers had.
While we talk about the “they” who executed Stuxnet, it is more likely one of us. Are the perpetrators of Stuxnet on the SCADASEC mailing list?
Those Denial of Service attacks are troubling. They were remarkably amateurish compared with the sleekness of the rest of the attack. Was that panic that the perfect crime had been uncovered? Was it misdirection to make the attackers look less skilled than they really are? Or perhaps it was an unrelated party simply making an opportunistic attack?
No matter what, it seems we’ve considered nearly every possible attacker except ourselves. As security experts we accept that the most effective attacks upon any system are often from the inside. There’s no reason to think that an attack as complex and focused as Stuxnet would be any different.
Let us consider also recent analysis which suggests that Stuxnet was designed to stop spreading in January, 2009 and may have delivered its payload as early as Spring, 2009. There are two obvious and troubling conclusions:
• Stuxnet was in the wild and executing for well over a year without anyone noticing
• If an attack this complex stopped spreading in January 2009 then it must have been conceived and developed early in 2008, possibly late in 2007.
While we admire the complexity of Stuxnet, let’s step back and realize that this attack is most likely three years old. That is two iterations ago of Moore’s Law. Stuxnet may be the most sophisticated attack we’ve seen so far. But it’s nearly impossible to conclude that an attack written when the BlackBerry Pearl was king is state-of-the-art. The attackers have had an additional three years to hone their craft.
We are quite likely facing attackers on the inside that have a three-year head start on our already helpless defenses. This of course is a worst-case scenario and argues for more urgency in erecting Cyber Security defenses, especially of ICS. As a start, I could suggest two things.
First, IT and Operations should bury the hatchet, accept that they will never be alike, agree to disagree when needed, and start collaborating on ICS defense before the whole discussion is made irrelevant by further attacks.
Second, a fair few Cyber Security vendors – following the money – have equated Smart Grid and Smart Metering. More focus is needed on the ICS side, by vendors and experts who understand the differences between IT networks and control networks. ICS is not as sexy as Smart Metering and does not offer multi-million endpoint deals. But better defenses on the ICS side can help ensure that Smart Meters continue to have something to meter.