The short path from cyber missiles to dirty digital bombs
http://www.langner.com/en/2010/12/26/the-short-path-from-cyber-missiles-to-dirty-digital-bombs/
More and more details of the Stuxnet malware and its purpose are becoming clear.
Stuxnet appears to be the first real cyber warfare attack in history, with
"real" meaning that the virus caused physical destruction of heavily
fortified military targets, some of them buried 75 feet underground. Plans
had been made to destroy these targets by air strikes when it became clear
that sanctions alone would not stop Tehran on its way to nuclear weapon
capability. Both Israel and the United States had not only planned for
military action, but, in the case of Israel, even done rehearsals.
Iran's president Ahmadinejad himself confirmed on November 29, 2010 that
uranium enrichment centrifuges had been damaged by Stuxnet. The Bushehr
nuclear power plant that was scheduled to go operational on August 21, 2010,
did not - because of "technical problems". Since the official explanations of
what these problems are (first, it was "severe hot weather", thereafter "a
leak") seem to be blunt attempts to fool the public, it can be suspected
that Stuxnet is also responsible for Bushehr's delay. Iran confirmed on
September 25, 2010 that computer systems in the Bushehr nuclear power plant
were infected by Stuxnet.
If we assume that Stuxnet managed to severely damage the steam turbine in
the Bushehr nuclear power plant, repairing or replacing that turbine may
cost a significant amount of money (up to several million dollars). The
material damage on the centrifuges depends on how many centrifuges have been
destroyed. Presently it looks like more than 1,000 centrifuges have been
damaged in the Natanz facility alone, with unknown damage in Fordow and,
certainly, in any unknown centrifuge plants. All this translates to further
multi-million dollar damage. And replacing the damaged parts takes time.
Parts for gas centrifuges and power plant turbines cannot be ordered on
eBay. They won't be delivered by UPS overnight, but in some cases through
complex smuggling networks. Getting new parts on site may take many months;
in the case of the steam turbine probably over a year. During this
timeframe, the Iranian nuclear program is severely crippled.
But the situation is even worse for Tehran. After having discovered Stuxnet
on their control systems, the only reasonable course of action is to shut
down the affected plants until all systems have been cleaned up, which
appears to be the simple reason why Iran halted production in Natanz last
month, shortly before admitting being hit by Stuxnet. And cleaning up
systems from Stuxnet can take a long, long time. We have clients that are
infected with Stuxnet and need several months to get rid of the virus.
However, here we're talking about European corporations with efficient IT
operations and well-trained staff, along with a decent level of
documentation and discipline. All this cannot be assumed for the situation
in Iran. It can be estimated that the process of cleaning Stuxnet from all
infected systems in the Iranian nuclear program, including the systems of
contractors with site access, will take about a year. Given the obvious lack
of IT security posture, the best course of action for Tehran would be to
simply scrap all computer systems involved - including those from
contractors. All in all, a delay of the nuclear program of approximately two
years should be expected. For the attackers, this would translate to
"mission accomplished".
According to David Sanger from the New York Times, an Israeli military
official had estimated that an air strike against the Iranian nuclear
program would cause a delay of two or three years. So it looks like Stuxnet
achieved pretty much what an air strike would have achieved, only at much
less cost, without known fatalities, and without a full-blown war in the
Middle East. We have estimated that the development cost of Stuxnet is
around ten million dollars. The cost of an air strike would have been a
multiple, only counting material, not fatalities and injuries. A modern
fighter jet has an acquisition cost of around $30 million. Assuming that only
one fighter jet would have been lost in a military campaign against Iran is
certainly naïve; there would have been several. And there would have been
many dead bodies and many injured, significant destruction by Iranian
missiles fired in retaliation, and a huge amount of collateral damage just
by the oil price jumping.
All this didn't happen with Stuxnet. Even though Stuxnet is the most
expensive piece of malware in history, in military terms it was a bargain.
In 2007, US Congress approved a budget of up to $400 million for covert
operations against the Iranian nuclear program. Assuming that operation
Myrtus was part of that effort, it barely showed up in the books. And that's
the simple reason why we will see similar cyber attacks in the future. Many
reporters who interviewed me expressed concern about this new era of cyber
warfare. Well, if the alternative is conventional military strikes with
explosives or maybe even weapons of mass destruction, cyber strikes might be
the better deal, not only for the attacker, but especially for the attacked.
However, there is at least one reason why we shouldn't embrace cyber
warfare. Unlike bombs, missiles, and guns, cyber weapons can be copied. The
proliferation of cyber weapons cannot be controlled. Stuxnet-inspired
weapons and weapon technology will soon be in the hands of rogue nation
states, terrorists, organized crime, and legions of leisure hackers, some of
whom are just waiting for a better thrill than World of Warcraft. This is a
very distinct difference from conventional (hardware) weapons. Even if it
is known, for example, how nuclear weapons are built, not everybody who
wants to possess them is capable of developing or even acquiring such
weapons. For cyber weapons, this will be different. Cyber weapons can and
will be copied, reused, and will be available cheaply on the
Internet. At some point in time, they will even be available as freeware.
Such Stuxnet-inspired weapons will soon look different from the original.
Stuxnet was precisely designed for surgical attacks on distinct targets. It
is obvious from code analysis that the attackers had access to internal
product and installation details, and the engineering talent to turn such
technological insight into sophisticated, engineered attacks. There is
absolutely no reason to assume that follow-up attackers will follow the same
philosophy. Quite the contrary, other attackers will most likely not
invest the engineering effort for similar pinpoint attacks. It is much more
likely that we are going to see "dirty" digital bombs in the wake of
Stuxnet, meaning bombs that hit without nearly the precision we see in
Stuxnet. The really concerning threat of cyber weapons is not a surgical
military strike as we have just seen with Stuxnet; it is the dirty
digital bomb. The dirty digital bomb is a cyber weapon that inflicts low to
medium damage to a large number of random targets. It doesn't require
experts. Any idiot can assemble and use it. And while the individual damage
that such dirty digital bombs can cause may not nearly be as big as in
Stuxnet's case, what makes them even more dangerous is the fact that small
damage in many power plants may be worse than big damage in one specific
power plant; small damage at many automotive suppliers may be worse than big
damage at one specific car maker.
One aspect that has often been ignored in discussions about critical
infrastructure protection is that in industrialized nations, targets for
Stuxnet-inspired attacks extend deep into the private sector. For example,
some economies depend to a large degree on a few highly automated industries,
such as Germany on its automotive industry. Even though responsible for a
large portion of Germany's wealth, this industry is quite fragile. It
depends on complex supply chains that must work near real-time, with buffers
cut away for cost reduction. Just-in-time and just-in-sequence not only mean
big savings because so many storage facilities are no longer needed, they also
mean a very high dependency on a few suppliers. It is no secret and has often
been exploited by labor unions that because of the fragility of this system,
disruptions of a few elements can cause big problems, very much comparable to
outages of power plants. For Germany, hitting the automotive industry hard
by a cyber strike could even be worse than a power plant outage.
So even though it is not the best time of the year for bad news, we have to
face the fact that the mere existence of the Stuxnet code on the Internet,
ready for download and dissemination by anyone, creates a national security
threat for highly industrialized nations, most notably for the United States
and Germany. The economy and public life of these nations are highly
dependent on undisturbed operation of the exact controller types that are
attacked by Stuxnet. An ICS-CERT advisory on Stuxnet from August 2, 2010
states: "These products are widely used in many critical infrastructure
sectors." In Germany, they can even be found in almost every factory. With
so many appealing targets in sight, it would be highly naïve to assume
that rogue nation states, terrorists, and organized crime would miss the
opportunity to re-use Stuxnet's digital weapon technology, especially after
it has proven so effective. If we count the risk of such follow-up attacks
as collateral damage from Stuxnet, the cyber warfare approach no longer
looks so smart and efficient after all.
Ralph Langner