Technology Thursday
I have always been a bit dubious of claims that an Internet Pearl Harbor is imminent. While there are obvious ways in which the Internet, and all infrastructure that relies on it, can be shown to be insecure, my working theory has always been that harm or damage stemming from attacks on the Internet will be fairly local/regional and/or short-lived. I know plenty of people who are not as sanguine as I am about this and who worry daily about targeted attacks that could bring down the net in a way that would be difficult to recover from. And of course cybersecurity is an increasingly important component of national security getting attention from the highest levels of U.S. policymaking - as opposed to only the technical community.
Probably the biggest risk is to coupled systems: systems that are not "the internet" but are connected to it or use it in some fashion. People usually point to the electrical grid and so-called SCADA systems as potential points of vulnerability. SCADA stands for "supervisory control and data acquisition. It generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes."
A recent Internet worm called Stuxnet gives me pause. Bruce Schneier - who is probably one of the most accessible and readable security experts around - recently wrote about this worm. No one knows where it came from, for sure. And it hasn't really done anything. But it's spooky. Check this out:
Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four "zero-day exploits": vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.) Stuxnet doesn't actually do anything on those infected Windows computers, because they're not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines--and, yes, in nuclear power plants.
[...] Many [...] believe that Stuxnet is targeting a specific PLC, or a specific group of PLCs, performing a specific function in a specific location--and that Stuxnet's authors knew exactly what they were targeting.
[...] Stuxnet doesn't act like a criminal worm. It doesn't spread indiscriminately. It doesn't steal credit card information or account login credentials. It doesn't herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn't threaten sabotage, like a criminal organization intent on extortion might.
There's more at the link.
Another security researcher who's also very good at writing about complicated technical issues accessibly is Steve Bellovin. He thinks this may be the first "weaponized software":
Stuxnet was written by a group with very impressive resources and a great deal of expertise, and was precisely aimed at a very high-value target. The existence of this code poses some fascinating issues, and poses both threats and opportunities. I will state categorically that I think that Stuxnet should settle the debate about the possibility of weaponized software; someone clearly has the ability to gather the intelligence and build the software necessary to achieve military goals. Whether or not this is such an incident is a separate issue; the capability demonstrably exists.
[...] What are the implications? One obvious conclusion is that there are a lot of systems that were previously thought to be safe that have to be considered at risk. Some unknown party has the ability to launch this grade of attack. Other enemies or potential enemies need to take this ability into account. One possible response, of course, is to develop their own cyberattack capabilities. In that respect, the very public analysis of Stuxnet is going to educate people: this is the way the pros do it. The specific holes exploited may not be worth much any more; the style of the attack will be very educational indeed. It is said that an entire generation of civilian cryptologists cut its teeth on DES, the first example of an NSA-approved cipher to be made public. Will the same thing happen here? If so, even the attacker is at greater risk now than before.
The ability to do precision targeting is quite intriguing. One concern about cyberwar is the potential for damage to civilian infrastructure, which is against international law. Stuxnet shows that (under the right circumstances) attacks can be very carefully directed. That, to my knowledge, had not been anticipated in writings on the subject.
Lots more food for thought at that link as well. There is little that everyday Internet users can do about these sorts of things. Practice good 'electronic hygiene' as best you can (use firewalls and virus protection, don't open attachments in weird-looking emails, have a good spam filter, and so on) to avoid your computer being co-opted into a botnet, but really, that's fairly weak tea. The virus detection developers are always playing catch-up. There's really nothing consumer-grade that would make it easy for computer owners to protect their systems - it's all much more complicated than it should be. And who among us has time to stay on top of all of the latest cybersecurity/Internet security must-dos? And how much of a difference would it really make?
I don't have any great conclusions here. I find this stuff both interesting and depressing. And important to be mindful of, even if obvious action items individuals can take are unclear.
I don't worry about this stuff in terms of my home computer, really, but as more and more systems get run via computers -- from power grids to subways to phone systems, etc. -- it seems obvious that large swatches of civilization could be brought to a halt by an attack on computer systems (whether a virus like this or an EMF pulse or whatever). Specifically, I worry that we will forget how to run some of these same things without computers, or will have no computer-independent control systems available as back-ups.
As you say, nothing *I* can do about it, but I hope somebody in the right place is equally worried...
Posted by: acm | Thursday, October 14, 2010 at 10:41 AM
Do worry about this, it has the potential to wipe out power grids, blow up nuclear plants, and a multitude of other things. One day of no internet, power, or control will set the U.S. into chaos, rioting, and possible war.
Posted by: DnD | Wednesday, October 20, 2010 at 07:03 PM
I think it really depends on the timeframe.
I don't think a *day* without the Internet or without power would cause mass rioting. A week or more could get weird.
And, while systems are perhaps more coupled than they should be, I think it would be hard to bring down the entire power grid at once. The possibility of no power and sabotaged control systems is most alarming to me when thinking about even short time frames, because of the potential for damage at nuclear plants and other toxic (but currently contained) sites.
Ultimately, though, terrorists have already shown that they don't need to do anything very sophisticated to cause a lot of damage to the United States. Just look at airport security indignities for proof, to say nothing of the emerging surveillance state.
Posted by: Lyn | Wednesday, October 20, 2010 at 09:03 PM