Friday, December 10, 2010

Cyberwar: "The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability" - Congressional Research Service


"The experts at the Congressional Research Service have just issued a chilling report entitled The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability. Unfortunately, the title is a statement; there's no question mark at the end. The Stuxnet's initial target was apparently Iran's nuclear program, and it's obvious that someone, somewhere is developing insidious computer programs that could change life as we know it:

"From the perspective of many national security and technology observers, the emergence of the Stuxnet worm is the type of risk that threatens to cause harm to many activities deemed critical to the basic functioning of modern society...Depending on the severity of the attack, the interconnected nature of the affected critical infrastructure facilities, and government preparation and response plans, entities and individuals relying on these facilities could be without life sustaining or comforting services for a long period of time. The resulting damage to the nation's critical infrastructure could threaten many aspects of life, including the government's ability to safeguard national security interests.""

Time: Swampland blog - If You Think WikiLeaks Is Significant...

----

"Summary

In September 2010, media reports emerged about a new form of cyber attack that appeared to target Iran, although the actual target, if any, is unknown. Through the use of thumb drives in computers that were not connected to the Internet, a malicious software program known as Stuxnet infected computer systems that were used to control the functioning of a nuclear power plant. Once inside the system, Stuxnet had the ability to degrade or destroy the software on which it operated. Although early reports focused on the impact on facilities in Iran, researchers discovered that the program had spread throughout multiple countries worldwide.

From the perspective of many national security and technology observers, the emergence of the Stuxnet worm is the type of risk that threatens to cause harm to many activities deemed critical to the basic functioning of modern society. The Stuxnet worm covertly attempts to identify and exploit equipment that controls a nation’s critical infrastructure. A successful attack by a software application such as the Stuxnet worm could result in manipulation of control system code to the point of inoperability or long-term damage. Should such an incident occur, recovery from the damage to the computer systems programmed to monitor and manage a facility and the physical equipment producing goods or services could be significantly delayed. Depending on the severity of the attack, the interconnected nature of the affected critical infrastructure facilities, and government preparation and response plans, entities and individuals relying on these facilities could be without life sustaining or comforting services for a long period of time. The resulting damage to the nation’s critical infrastructure could threaten many aspects of life, including the government’s ability to safeguard national security interests.

Iranian officials have claimed that Stuxnet caused only minor damage to its nuclear program, yet the potential impact of this type of malicious software could be far-reaching. The discovery of the Stuxnet worm has raised several issues for Congress, including the effect on national security, what the government’s response should be, whether an international treaty to curb the use of malicious software is necessary, and how such a treaty could be implemented. Congress may also consider the government’s role in protecting critical infrastructure and whether new authorities may be required for oversight.

This report will be updated as events warrant."


Congressional Research Service - The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability (.pdf file)

----

Funny how computer attacks and cyber warfare have moved up the media food chain...

Here's some more of the text of the actual report:

"ICS Vulnerabilities and Critical Infrastructure

Vulnerabilities in industrial control systems have long been an issue of concern to both the security and technology communities.36 Modern critical infrastructure facilities rely on computer hardware and software continuously to monitor and control equipment that supports numerous industrial processes, including nuclear plant management, electrical power generation, water distribution and waste control, oil and gas refinement, chemical production, and transportation management. The Department of Homeland Security (DHS) categorizes 18 critical infrastructure sectors as “essential to the nation’s security, public health and safety, economic vitality, and way of life.”37 The advent of the Stuxnet virus has raised questions on the vulnerabilities of national critical infrastructure. In the absence of specific information on the full impact of Stuxnet, one can speculate that all these sectors may be at risk.

Many observers fear that a successful infiltration and attack could degrade or stop the operation of a critical infrastructure facility that delivers water, gas, or other essential utility, or affect multiple facilities due to the interdependent nature of the nation’s infrastructure sectors responsible for providing essential services. Sean McGurk, the Department of Homeland Security’s Acting Director of the National Cybersecurity and Communications Integration Center stated during a November 2010 hearing, “We have not seen this coordinated effort of information technology vulnerabilities and industrial control exploitation completely wrapped up in one unique package. To use a very overused term, it is a game-changer.”38 Unclassified reports suggest that the Stuxnet worm was specifically developed to seek out and exploit vulnerabilities in software that manages ICSs found in most critical infrastructure facilities. One type of ICS, a Supervisory Control and Data Acquisition (SCADA) system,39 is a computer that controls industrial processes and infrastructures. SCADA systems can be accessed and managed directly at computer terminals, either from remote locations that are connected to the control system, or through the emerging trend of controlling these systems from mobile wireless devices.

In 2009, DHS conducted an experiment that revealed some of the vulnerabilities to cyber attack inherent in the SCADA systems that control power generators and grids. The experiment, known as the Aurora Project, simulated a computer-based attack on a power generator’s control system that caused operations to cease.40 The same vulnerabilities are said to exist in other critical infrastructure, which, if disabled, could both cripple the economy and have physical consequences; an electrical blackout for a prolonged period of time could potentially lead to loss of life if essential services were not restored."


Does everyone remember that "smart grid" technology that is ever so green and energy saving? Looks like I will have to dust off some of my articles about the security and privacy vulnerabilities of the "smart grid".

(I still support the implementation of the "smart grid" even with the potential problems)

How about the "smart home"? You know, the one where you can turn on your oven from a web page at work? Remember those ads?

Just sayin'...
