This morning I woke up to the NPR story on the Stuxnet worm that brought down the uranium enrichment facility at Natanz in Iran. Though neither the U.S. nor Israel has taken credit for the cyberattack, the question implied by most media coverage is: who else?
“Symantec’s analysis of where Stuxnet has been found supports the theory that it was intended for targets in Iran, as the following map illustrates.”
To answer that question, it may be helpful to go back and review what we do know. In 2010, Sergey Ulasen, a Belorussian software developer and security analyst, responded to an Iranian client about some BSODs, which were quickly discovered to be occurring throughout the Iranian company’s Microsoft Windows network. After several days, Sergey and his client in Iran “eventually found the malware, and figured out its stealthy nature, strange payload and spreading techniques”; and further, “it was using zero-day vulnerabilities that allowed Stuxnet to penetrate even well-patched Windows computers. And it was at this point we all agreed the digital certificate had been stolen.”
In Sergey’s estimate, “the complexity of Stuxnet’s code and extremely sophisticated rootkit technologies led us to conclude that this malware was a fearsome beast with nothing else like it in the world, and that we needed to inform the infosec industry and community of the details ASAP.” So from there they inferred that this was no school kid noodling around on his own kit. Unsure what to do, they attempted to contact Microsoft, but, not surprisingly, they got no response.
Now that Sergey is warm and cozy at the great malware company Kaspersky, he has decided to stop going over the Stuxnet incidents, and who can blame him? However, the last thing any of us should be is warm and cozy over what comes next.
NPR, however, is not finished. They state: “Secretly launched in 2009 and uncovered in 2010, it was designed to destroy its target much as a bomb would. Based on the cyberworm’s sophistication, the expert consensus is that some government created it.
“Nothing like this had occurred before,” says Joseph Weiss, an expert on the industrial control systems widely used in power plants, refineries and nuclear facilities like the one in Iran. “Stuxnet was the first case where there was a nation-state activity to physically destroy infrastructure [via a cyberattack].”
Let’s face it: our intelligence and military experts haven’t had much luck stopping cyber crime, with school kids continuing to show them up and guys all over the world continuing to disrupt all sorts of networks. So is it not smart to ask who ordered this new weapon of mass destruction, and to find out what blowback risks face industry as well as freedoms?
According to Michael Assante, formerly the chief security officer for the North American Electric Reliability Corporation, “Stuxnet taught the world what’s possible, and honestly it’s a blueprint.”
Yet our illustrious Congress and mute administration seem more interested in taking down pot smokers and out-of-work veterans who want to protest what is going on on Wall Street. What say you on these topics, and how should industry respond to the risks?