Cleantech Market Intelligence
Smart Grid Cyber Security – No Rest for the Weary
About two months ago this blog surmised that Stuxnet may have been created as long as three years ago – by looking at the attack from a project manager’s perspective. Since then I’ve seen blogs urging us to hurry and get security countermeasures up to snuff, because now is supposedly the lull between Stuxnet and the next attack.
I couldn’t disagree more. Yes, we as the security community should do everything we can right now to upgrade our protection mechanisms to current capabilities. Deploy new technologies. Risk careers by asking for more funding to deploy new security technologies or upgrade old ones. Why not? After all, if attacks succeed because outdated security technology could not deal with them, careers will be at risk anyway.
But I do disagree that now is a lull in attack activity. We have no assurance that there is a lull. The fact that we are not discovering any new attacks simply means that we’re not finding anything. In the past five years we have witnessed a sea change in the type of attacks. Rather than widespread mischief, attacks now are most likely to be targeted at single companies, departments, even at specific individuals – as happened last year during the Aurora attacks against Google and other large companies. In my research I have encountered a number of concerns about the security of hardware component manufacture. If processors have backdoors engineered into their firmware, what software is going to detect them?
A recent article describing Microsoft’s second-Tuesday patch release was headlined, “Microsoft puts Stuxnet to bed.” Hopefully true, but three years after its release seems quite a long interval. And putting one vulnerability to bed, even an important one, is good but not necessarily cause for celebration. We security experts are paid to be paranoid, after all.
Twice in the last month I’ve been asked the same question in almost exactly the same words: Is Stuxnet the shot across the bow that will finally get everyone’s attention? Both times I was stunned by the question. Maybe it is, but the real question is, why now – what took us so long? Why weren’t Slammer and Blaster – nearly eight years ago – warning enough?
As Stuxnet showed, an attack that is finely tuned to hit only a specific target, and well executed, can exist in the wild for quite a long time without detection. What is the chance that there are attacks underway right now that are so focused that general detection tools cannot find them, attacks too sophisticated or too specialized for our current tooling? It should be an instinct for every security expert: if you’re not detecting anything, you need to dig deeper. If anyone tells you protection is complete and no more security is necessary, do not believe them. From here on out there will be no calm waters. As the saying goes, finished never is.