It Was the Smartest Bomb Yet...

The Senate Committee on Homeland Security and Governmental Affairs held a hearing Wednesday on securing critical infrastructure in the age of stuxnet. If you are one of those folks who has been working on national security and strategy issues for decades and hasn't spent a lot of time thinking about cybersecurity - you can no longer put off that obligation. Watch the webcast of the hearing - it's important.

Following the hearing, the Senate committee put out a statement.

At a hearing on the implications of the recently discovered malware known as Stuxnet, the Senators heard testimony describing the malware as potentially far more destructive than any previously known cyber threat. Senator Lieberman said that the discovery makes passage of cyber security legislation that he, Senator Collins, and Senator Tom Carper, D-Del., drafted and passed out of Committee all the more important. He promised it would be a top Committee priority in the 112th Congress since the White House and other key members of Congress did not engage sufficiently to pass the bill in the lame duck session.

“Stuxnet really takes the reality of the cyber threat to a new level and should awaken the skeptics,” Senator Lieberman said. “It is really chilling, in terms of its effect. I would compare it to a guided missile in conventional warfare… But the reality is that the current, porous state of our nation’s infrastructure means that it wouldn’t take malware as robust and sophisticated as Stuxnet to cripple many of our critical systems. We want to make sure we put proper security in place before a major attack.”

Senator Collins said: “Much attention has been paid to cyber crimes such as identity theft and to cyber attacks intended to steal proprietary information or government secrets. But lurking beyond those serious threats are potentially devastating attacks that could disrupt, damage, or even destroy some of our nation’s critical infrastructure, such as the electric power grid, oil and gas pipelines, dams, or communication networks. The newest weapon in the cyber toolkit was introduced to the world in June, when cybersecurity experts detected a cyber worm called Stuxnet.

“I believe that this problem is urgent,” Senator Collins continued. “We have introduced bipartisan, comprehensive legislation to deal with this threat. Unless this legislation becomes law, my fear is that we’ll wait until we have a successful ‘cyber 9/11’ before acting. So I’d like to see us be proactive on this issue and I believe our bill points the way.”

Stuxnet specifically targets computer systems that control electricity, water treatment, nuclear and chemical plants, pipelines, communications networks, transportation systems and other critical infrastructure, and it is unique in its complexity, flexibility, and resilience. Neither its creator nor its target is known.

Read the last sentence again and keep in mind - this nasty piece of code could have been written to disable an entire class of ships - and right now our adversaries are likely developing software based on lessons learned from this piece of code to do exactly that.

However, as far as that last sentence goes, I think it is pretty clear that Iran's nuclear program was the target, and the level of sophistication involved suggests that only a very small number of countries in the world could have developed this software - and one of those countries is the US.

Nicolas Falliere, Liam O Murchu, and Eric Chien of Symantec Security Response published new information in an updated paper last Friday that suggests the stuxnet virus was built for subtle nuclear sabotage.

According to Symantec, Stuxnet targets specific frequency-converter drives — power supplies used to control the speed of a device, such as a motor. The malware intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently.

The malware, however, doesn’t sabotage just any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.

Even more specifically, Stuxnet targets only frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Such high speeds are used only for select applications. Symantec is careful not to say definitively that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”

“There’s only a limited number of circumstances where you would want something to spin that quickly -– such as in uranium enrichment,” said O Murchu. “I imagine there are not too many countries outside of Iran that are using an Iranian device. I can’t imagine any facility in the U.S. using an Iranian device,” he added.

You can download a copy of the Symantec report in PDF format from Wired here. The document is technical, but to folks who are able to understand the technical explanations the document also reads like a New York Times best seller. This is the summary:

Stuxnet represents the first of many milestones in malicious code history – it is the first to exploit four 0-day vulnerabilities, compromise two digital certificates, and inject code into industrial control systems and hide the code from the operator. Whether Stuxnet will usher in a new generation of malicious code attacks towards real-world infrastructure—overshadowing the vast majority of current attacks affecting more virtual or individual assets—or if it is a once- in-a-decade occurrence remains to be seen.

Stuxnet is of such great complexity—requiring significant resources to develop—that few attackers will be capable of producing a similar threat, to such an extent that we would not expect masses of threats of similar in sophistication to suddenly appear. However, Stuxnet has highlighted direct-attack attempts on critical infrastructure are possible and not just theory or movie plotlines.

The real-world implications of Stuxnet are beyond any threat we have seen in the past. Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.

I think it is a safe bet that we will see something like stuxnet again. I recently attended a small conference that discussed in great detail stuxnet, and the question the conference was specifically asking was in regard to the future impact stuxnet would have on the always evolving malware writing community. Several of the answers were compelling, if not only as a thought exercise:

• Stuxnet has raised the bar for the perception of hacking excellence by raising the bar for what is recognized as professional hacking.
• The multidimensional complexity and attention to detail within malware code could become a new norm
• The perception of value in collaborative efforts within a generation where social connectivity is the new norm may lead to more organized groups of malware developers in the future

My own take is this: data changes (sabotage) rather than data theft (espionage) represents an escalation of activity between competing organizations (including governments), and someone opened up this Pandora's Box at the state level and hit Iran's nuclear program with it. If the United States ever gets hit with something like stuxnet, the lessons to date only tells us two things. First, when these type of professional attacks hit, they hit hard. Second, we may not know who hit us hard.

Is the US resilient enough to take a mass casualty attack by an unknown enemy? I think that is the cyber question for every nation, and it comes with very few good political answers.