Transmissions

Real "Cyberwar"

by Dragorn

The news has been yelling at us about "cyberwar" for what, a decade?

The wars of the future will be fought with "computers" on "the Internet."  I think I saw an episode of SeaQuest with this in the early 1990s, right when the show got really crappy and time-travely.

The idea that some poor suckers we're carpet bombing will DDoS Amazon and keep me from ordering my sample of uranium (seriously, go look it up) may be annoying, but isn't particularly frightening.  Anonymous didn't manage to take Amazon out (though they did manage to make life highly annoying for a lot of other companies), and I'm fairly sure most of the countries we've decided not to share the playground with have less bandwidth available than the anonymous collective.

The typical tit-for-tat behavior of various hacker groups in feuding countries hacking the opponent's website and leaving the usual defamation messages isn't very interesting, either.  There usually isn't any significant damage (besides that of pride).

For things to get really interesting, we need to start looking at infrastructure-level attacks.  "But," you cry, "No one would ever hook critical infrastructure up to the Internet.  Surely, we know it's vital to insulate networks!"

Unfortunately, we don't learn.

We're built by the lowest bidder, the cheapest contractor, the boss's nephew who needs a summer job.  We love our Facebook, email, Twitter, Wikipedia, and office-time BitTorrenting.

It's so damn inconvenient to have to walk from the control workstation running the power plant, electrical grid, factory floor, etc., and go to the external system.  It's such a pain not to be able to RDP directly into the management console to keep an eye on things from the road.  And no one wants to pay for two workstations anyhow, right?

As we erode the air gap between critical infrastructure and the great unwashed Internet, we expose the infrastructure to greater and greater risk.  The first shots have already been fired.  Obviously, we can't ignore Stuxnet, but that's hardly the first case of extremely advanced attacks against infrastructure systems.

For example, in 2005, the voice switches for Vodafone Greece were Trojaned with an advanced, run-time patched piece of code, which tapped into the wiretap functionality to snoop on over a hundred government officials, company executives, embassy officials, and military officers.

The perpetrators were never found: State actors?  Organized crime groups?  Suddenly, we're well beyond the purview of pranksters.  (For an excellent complete chronology of the Greek phone hack, go read spectrum.ieee.org/telecom/security/the-athens-affair.  We'll be here when you get back.)  I don't know if this is the first publicly disclosed network attack against critical governmental services, but it's a very interesting data point.

Of course Stuxnet is still making news, a year after it was discovered, analyzed, debated, debated, fingers pointed, headlines made, debated further.  Shockingly complex, specifically targeted, and subtly disruptive of a very specific piece of equipment, which just happens to be the heart of a hostile nation's nuclear program?

Iran blames the U.S. and Israel.  The U.S. winks and says it's sure unfortunate for Iran, and isn't it such a shame.  Israel is accused of building duplicates of the facilities in Iran for testing just such an attack.

No one is officially accepting ownership of Stuxnet.

No one wants to be the ones to fire the first shot in a real, proper, "cyber attack."  The real question left to me is: are we any more secure?  I highly doubt it.  Factories, power plants, even the "smart grid" being pushed by regional power companies use similar control systems, systems which were not necessarily designed to be hardened from external attacks.  Some control systems likely predate the Internet and networks as we know them.

Changing software is fairly easy.

Changing hardware is significantly less so.  It's easy (for some relative definition of easy) to roll out a Windows patch on a Tuesday to close a hole, but when there are a thousand control systems over acres of a facility or hundreds of thousands of customers' homes, sharing a network where someone just brought a laptop back from the coffee shop, the next generation of specifically crafted worms may have a field day, and there's no simple way to change all those devices.

Siemens recently announced a group of vulnerabilities in its SCADA control systems which would not be publicly disclosed for reasons of national security; I have to wonder how similar they were to the same vulnerabilities Stuxnet was taking advantage of.
