Monday, December 27, 2010

The Short Path from Cyber Missiles to Dirty Digital Bombs

http://www.langner.com/en/2010/12/26/the-short-path-from-cyber-missiles-to-dirty-digital-bombs/

More and more details of the Stuxnet malware and its purpose are becoming clear. Stuxnet appears to be the first real cyber warfare attack in history, with "real" meaning that the virus caused physical destruction of heavily fortified military targets, some of them buried 75 feet underground. Plans had been made to destroy these targets by air strikes when it became clear that sanctions alone would not stop Tehran on its way to nuclear weapon capability. Both Israel and the United States had not only planned for military action, but, in the case of Israel, even done rehearsals.

Iran's president Ahmadinejad himself confirmed on November 29, 2010 that uranium enrichment centrifuges had been damaged by Stuxnet. The Bushehr nuclear power plant that was scheduled to go operational on August 21, 2010, did not - because of "technical problems". Since the official explanations of what these problems are (first, it was "severe hot weather", thereafter "a leak") seem to be blunt attempts to fool the public, it can be suspected that Stuxnet is also responsible for Bushehr's delay. Iran confirmed on September 25, 2010 that computer systems in the Bushehr nuclear power plant were infected by Stuxnet.

If we assume that Stuxnet managed to severely damage the steam turbine in the Bushehr nuclear power plant, repairing or replacing that turbine may cost a significant amount of money (up to several million dollars). The material damage on the centrifuges depends on how many centrifuges have been destroyed. Presently it looks like more than 1,000 centrifuges have been damaged in the Natanz facility alone, with unknown damage in Fordow and, certainly, in any unknown centrifuge plants. All this translates to another multi-million dollar damage. And replacing the damaged parts takes time. Parts for gas centrifuges and power plant turbines cannot be ordered on eBay. They won't be delivered by UPS overnight, but in some cases through complex smuggling networks. Getting new parts on site may take many months; in the case of the steam turbine probably over a year. During this timeframe, the Iranian nuclear program is severely crippled.

But the situation is even worse for Tehran. After having discovered Stuxnet on their control systems, the only reasonable course of action is to shut down the affected plants until all systems have been cleaned up, which appears to be the simple reason why Iran halted production in Natanz last month, shortly before admitting being hit by Stuxnet. And cleaning up systems from Stuxnet can take a long, long time. We have clients that are infected with Stuxnet and need several months to get rid of the virus. However, here we're talking about European corporations with efficient IT operations and well-trained staff, along with a decent level of documentation and discipline. All this cannot be assumed for the situation in Iran. It can be estimated that the process of cleaning Stuxnet from all infected systems in the Iranian nuclear program, including the systems of contractors with site access, will take about a year. With an obvious lack of IT security posture, the best course of action for Tehran would be to simply scrap all computer systems involved - including those from contractors. All in all, a delay of the nuclear program of approximately two years should be expected. For the attackers, this would translate to "mission accomplished".

According to David Sanger from the New York Times, an Israeli military official had estimated that an air strike against the Iranian nuclear program would cause a delay of two or three years. So it looks like Stuxnet achieved pretty much what an air strike would have achieved, only at much less cost, without known fatalities, and without a full-blown war in the Middle East. We have estimated that the development cost of Stuxnet is around ten million dollars. The cost of an air strike would have been a multiple, only counting material, not fatalities and injuries. A modern fighter jet has an acquisition cost around $30 million. Assuming that only one fighter jet would have been lost in a military campaign against Iran is certainly naïve; there would have been several. And there would have been many dead bodies and many injured, significant destruction by Iranian missiles fired in retaliation, and a huge amount of collateral damage just by the oil price jumping.

All this didn't happen with Stuxnet. Even though Stuxnet is the most expensive piece of malware in history, in military terms it was a bargain. In 2007, US Congress approved a budget of up to $400 million for covert operations against the Iranian nuclear program. Assuming that operation Myrtus was part of that effort, it barely showed up in the books. And that's the simple reason why we will see similar cyber attacks in the future. Many reporters who interviewed me expressed concern about this new era of cyber warfare. Well, if the alternative is conventional military strikes with explosives or maybe even weapons of mass destruction, cyber strikes might be the better deal, not only for the attacker, but especially for the attacked.

However, there is at least one reason why we shouldn't embrace cyber warfare. Unlike bombs, missiles, and guns, cyber weapons can be copied. The proliferation of cyber weapons cannot be controlled. Stuxnet-inspired weapons and weapon technology will soon be in the hands of rogue nation states, terrorists, organized crime, and legions of leisure hackers, some of whom are just waiting for a better thrill than World of Warcraft. This is a very distinctive difference from conventional (hardware) weapons. Even if it is known, for example, how nuclear weapons are built, not everybody who wants to possess them is capable of developing or even acquiring such weapons. For cyber weapons, this will be different. Cyber weapons can and will be copied, reused, and will be available for cheap money on the Internet. At some point in time, they will even be available as freeware.

Such Stuxnet-inspired weapons will soon look different from the original. Stuxnet was precisely designed for surgical attacks on distinct targets. It is obvious from code analysis that the attackers had access to internal product and installation details, and the engineering talent to turn such technological insight into sophisticated, well-engineered attacks. There is absolutely no reason to assume that follow-up attackers will follow the same philosophy. Quite the contrary: other attackers will most likely not invest the engineering effort for similar pinpoint attacks. It is much more likely that we are going to see "dirty" digital bombs in the wake of Stuxnet, meaning bombs that hit with nowhere near the precision we see in Stuxnet. The really concerning threat of cyber weapons is not a surgical military strike as we have just seen it with Stuxnet, it is the dirty digital bomb. The dirty digital bomb is a cyber weapon that inflicts low to medium damage on a large number of random targets. It doesn't require experts. Any idiot can assemble and use it. And while the individual damage that such dirty digital bombs can cause may not nearly be as big as in Stuxnet's case, what makes them even more dangerous is the fact that small damage in many power plants may be worse than big damage in one specific power plant; small damage at many automotive suppliers may be worse than big damage at one specific car maker.

One aspect that has often been ignored in discussions about critical infrastructure protection is that in industrialized nations, targets for Stuxnet-inspired attacks extend deep into the private sector. For example, some economies depend to a large degree on a few highly automated industries, such as Germany on its automotive industry. Even though responsible for a large portion of Germany's wealth, this industry is quite fragile. It depends on complex supply chains that must work near real-time, with buffers cut away for cost reduction. Just-in-time and just-in-sequence not only mean big savings because so many storage facilities are no longer needed, they also mean a very high dependency on a few suppliers. It is no secret and has often been exploited by labor unions that because of the fragility of this system, disruptions of a few elements can cause big problems, very much comparable to outages of power plants. For Germany, hitting the automotive industry hard by a cyber strike could even be worse than a power plant outage.

So even though it is not the best time of the year for bad news, we have to face the fact that the pure existence of the Stuxnet code on the Internet, ready for download and dissemination by anyone, creates a national security threat for highly industrialized nations, most notably for the United States and Germany. The economy and public life of these nations are highly dependent on undisturbed operation of the exact controller types that are attacked by Stuxnet. An ICS-CERT advisory on Stuxnet from August 2, 2010 states: "These products are widely used in many critical infrastructure sectors." In Germany, they can even be found in almost every factory. With so many appealing targets in sight, it would be highly naïve to assume that rogue nation states, terrorists, and organized crime would miss the opportunity to re-use Stuxnet's digital weapon technology, especially after it has proven so effective. If we count the risk of such follow-up attacks as collateral damage from Stuxnet, the cyber warfare approach no longer looks so smart and efficient after all.

Ralph Langner