Stuxnet

Come to Jesus moment for SCADA developers

A couple of years ago, Firesheep created a come to Jesus moment for many of the most popular web sites on the internet.  It demonstrated for anyone interested (no skill needed) that not using SSL was bad, and that anyone’s account could be hacked.  All responsible websites have responded by increasing their security and the internet is a better place for it.

At the S4 Conference SCADA systems were put under the wire brush and found to be as insecure as those websites targeted by Firesheep.  With Stuxnet, Iran learned the hard way that SCADA isn’t secure.

SCADA is designed by industrial engineers for industrial engineers, and not by computer security experts… and it shows.  At the conference flaw after flaw was exposed which if exploited could cost billions and even cost lives.  Unlike a Facebook account, SCADA controls physical processes and when something goes wrong, bad physical things can happen.  The conference attendees speculated that there will be a Firesheep moment for SCADA and that the industry will have to react.

I agree and disagree.  I do think that if I were to buy a new SCADA system, I’d be able to find a wide range of improved security offered.  I also think that I’d find systems that were upgradable and that could be easily patched in the future against evolving threats.  What I don’t see is any reasonable expectation that the existing fielded systems will ever be fixed.  The flaws extend beyond the server farm and into small control boxes scattered around power plants and industrial sites.  This is more like IE 6 than Firesheep.  No matter how much Microsoft has tried, IE 6 still lives on.  It will take touching every single flawed box and potentially redesigning every single system to secure them.  Firesheep was countered by using SSL at the servers.  If countering required each user to replace their laptop, we would still hear about Firesheep.

I don’t know if there will ever be an event that causes industry to touch all of those boxes and to upgrade them.  Those boxes are a sunk cost and they just work, so why change them?  It will be easier for industry to implement procedural changes to reduce (but not eliminate) the risk.  Some industries such as nuclear power plants may make the effort, but will the dairy farm?  Additionally, I doubt that any warranty associated with these boxes included this.  They work as designed, so therefore the fact that they were designed without sufficient security isn’t something likely covered under warranty.

The people that wrote Stuxnet were targeting a specific set of SCADA controllers and intentionally prevented their software from attacking outside of a narrow set of parameters.  They were unable to prevent collateral damage entirely, but they did go out of their way to try.  The worst-case scenario for the SCADA industry (both manufacturers and users) is someone releasing a variant of Stuxnet that is as discriminating as a nuclear weapon.  Remember the Conficker virus?  You know, the one that infected 15 million Windows computers.  It didn’t care who you were.  Now, put the Stuxnet payload on something as nondescript as that, and you’ll get the world’s attention.  You will also cause physical damage across a wide range of industries.

It is unlikely that the industry will recall their boxes and replace them for free.  It is also unlikely that most industries will pay to replace their SCADA systems with newer secure ones.  The best we can hope for is that industries start building response plans for when their SCADA systems are compromised.  At some point some virus is going to be released into the wild that does impact SCADA.  It may be something that was designed to target a small population, but whose controls were poorly designed.  It may be something designed to show off the skills of some 15 year old hacker… I don’t know… but it will happen.  The question isn’t if or when, but how industries will respond and how well those contingency plans are written.

Excellent Stuxnet Article

Wired has an excellent Stuxnet article.  The times are a-changing.

Was the US involved in Stuxnet?

Wired had an interesting article about an interview with Deputy Secretary of Defense William Lynn.  He was asked point blank if the US was involved in the development of Stuxnet.  Instead of a “no”, “yes”, or “no comment”, he tried his best to deflect the question and avoid answering it.  Unfortunately for him, his response was interpreted as a “yes”.

So, we may have been involved.  I don’t think that anyone will find this as a surprise since this was the speculation from the beginning.  Now, his answer could have been made to hide who is really behind it by implicitly accepting responsibility, but I doubt that.  More likely, we had some role.

This is a shame.  I had some great conspiracy theories going around in my head that pointed the finger at China or Russia.  Now, I wasn’t the only one with different theories on who did it, but I liked the concept of either China or Russia being behind it.  Why?  Because I hope that neither of them really wants Iran to be a nuclear weapon state.  I had hoped that since they see voting against sanctions and “apparently” supporting Iran as more of a ploy to counter US power than support for Iran, doing something like Stuxnet would have enabled them to stand behind Iran’s right to nuclear power while at the same time covertly preventing such power.  What a beautiful way to play both sides at the same time, while letting Israel or the US take the blame.

But maybe the US and Israel were involved as expected.  Kind of a bummer if you ask me.  If this is true, then the US has a powerful cyber weapon available, and is willing to use it even in peacetime.  The last time I checked we were not at war with Iran, yet we unleashed a weapon that has the potential of destroying their infrastructure.  Does Stuxnet rise to the level of an act of war?  There are many unanswered questions on the legality of cyber weapons with respect to war or espionage.  Is it war, or is it spying?  If we reserve the right to use our military in response to a cyber attack on the US, have we just given the Iranians legitimacy if they choose to attack US personnel in the Middle East?

I still don’t know if the US was really behind Stuxnet or not.  While I can speculate due to one politician’s lack of answers and significant squirming, that doesn’t make it fact.  I just hope that if we did, we have put in place the doctrine on how we will respond when someone uses such a weapon against us.  We are likely very vulnerable to the same type of attacks, and we have now possibly legitimized at least Iran’s use of such weapons against our own infrastructure.

Did Israel create Stuxnet?

Several stories have come out over the past couple of days highlighting that General Gabi Ashkenazi implied that Israel was behind the Stuxnet attack on Iran.  If true, then the General should be in an Israeli prison for giving away state secrets.  If false, what a way to get a frenzy up about it being Israel.  Since it wasn’t an outright confession, this would be an excellent way of implying that it “may or may not” be Israel.

I don’t know if it was Israel or the US, or someone else.  I do think that the world will be speculating for years to come.  At this point it may not matter, and what may matter is who will be the next target, and what else these folks have up their sleeve.

Chasing Stuxnet

Wired had an interesting article on the Microsoft team responsible for chasing down Stuxnet.  It is an interesting cross section of detective work, computer forensics, and being under the gun by management.  Glad they were able to pull it off.  It does highlight the multi-disciplinary team that is necessary to effectively analyze this type of complex and blended threat.  It does make me wonder how non-Microsoft security companies can do this type of forensics, and how much more impressive it is if they can do so without that Microsoft expertise.

My take on Stuxnet

There has been a lot of news coverage of the Stuxnet worm that has infected several thousand computers around the world.  This is probably the most sophisticated worm ever captured in the wild.  I don’t know if it is actually the most sophisticated worm ever written as there may be others in the wild that we do not know about.

The Stuxnet worm is either the work of a very good organized crime syndicate or a nation state.  It simply has too much logic in it to represent what is reasonable for one programmer to write.  It is theoretically possible that this could be the work of a lone hacker, but it is unlikely.  However, now that it is out in the wild, undoubtedly hackers will learn from it and employ similar techniques.

Is this the beginning of cyberwar?  No, cyberwar has been on-going for quite some time.  But it does represent an advancement of the weapons used in cyberwar.  I’m impressed by how the Stuxnet worm is designed, and clearly someone put significant thought into how to maximize the possibility of successfully attacking their target while minimizing collateral damage.  There is still collateral damage, but it is much lower than it could have been.  I won’t re-iterate how the worm is designed as others have done a great job doing so, but what does this mean for the rest of us?

First of all, it is a lesson to hackers and nations alike as to the art of the possible in cyberwarfare.  It is designed to be an attack platform with a replaceable target payload.  It will likely breed many imitators.

It teaches us that our infrastructure is at risk.  Many have said so for years, but for the most part they were marginalized.  Now, we have a case where a SCADA system is successfully being attacked via a commercial grade operating system (Windows).  Why a commercial grade operating system is even allowed to connect to critical infrastructure is another question.  So, there will be a panic and new rules will be passed to try to secure our critical infrastructure, costing us billions of dollars… and after that, we’ll learn that some of it was never updated due to a variety of reasons and we’ll remain vulnerable despite spending all of that money.

We learned that our computer security sucks.  This thing was smart, and smart code can outsmart dumb security any day of the week.  I doubt that any intrusion detection system or anti-virus would have mattered in this case.  The only thing that will work is core operating systems that do not have the vulnerabilities in the first place.  This represents the continued failure of Microsoft to write secure code.  I’d rather spend the money spent on anti-virus to rewrite the Windows operating system to remove the vulnerabilities that the anti-virus protects us against.

Finally, it reminds us that just because you can connect two networks, doesn’t mean that you should.  Why would someone connect a SCADA network with Windows?  Yes, it would make it easier to use, but look where that’s got us.  Perhaps a better option would be to VPN into the SCADA network and run the SCADA through a virtual client.

The Stuxnet worm represents a watershed moment in cyberwar.  Whether or not it was the US, Israel, or some other nation going after Iran really doesn’t matter to me.  We are unlikely to ever know the truth.  What does matter is that this is certainly only the first sophisticated worm that has been caught in the wild.  Soon, I fear, stories like Stuxnet will be common.
