Commentary Sophos Labs Insights
Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences
The debate persists: Should the feds supply security oversight for utilities to stop the next Stuxnet? Or can they really go it alone?
In data security circles, Stuxnet is the stuff of urban legend. It's a legend, however, that shows no signs of wearing out its welcome or relevance.
In fact, Steve Kroft’s recent broadcast report on the venerable 60 Minutes news magazine about that highly sophisticated, centrifuge-specific stealth virus that briefly upset the country of Iran's nuclear apple cart (so to speak) raises important questions for both the security and power-generation industries in North America. For example, could future malware modeled on Stuxnet target other critical infrastructure, such as nuclear power plants or water systems? Also, who should be responsible for detecting it -- private industry or intelligence-gathering agencies within the federal government?
I guess that all depends on where your security bias lies and how your political dispositions shake out.
Taking the latter of those questions first (and presumably ripe fodder for the politicos among us), the Network World article in CSO, "Should US Intelligence Agency have a role in Protecting Electric Grid?" related the ongoing cybersecurity legislation debate in Congress and why it's suddenly reaching fever pitch. Turning up the heat is whether our power companies (if forced) would be able to implement new federally mandated network protections, or whether the U.S. government and National Security Agency (NSA) should step in, deploy, and enforce the requirements and monitor the results.
According to this article, a catalyzing event for this debate was how NSA director General Keith Alexander was recently taken to the Obama administration's virtual woodshed over comments that argued for more legal authority to defend the nation against cyberattack. In effect, power companies would be required to perform continuous scanning with threat data provided by NSA and turn over any evidence of cyberattacks to the government. As you'd imagine, post-Orwellian era outrage about threats to privacy deservedly abound.
In a similar vein, sentiments from panelists assembled for the recent RSA Conference in San Francisco to discuss the topic of protecting the U.S. power grid ranged from the decidedly hands-off to those that favored more of a proactive approach.
One of the panelists, attorney Stewart Baker, said, "This is not about protecting a super-secret interception system. It's not, however, necessary for NSA to do all the monitoring." Kevin Gronberg, senior counsel on the U.S. House Committee on Homeland Security, Capitol Hill, represented the Republican perspective -- "an extremely light touch" in dictating cybersecurity defense procedures to power-generating companies. He made it clear, however, that the smart grid initiative, in which billions are now being invested to enable new capabilities and to realize presumed efficiencies in electricity delivery, are being done "without sufficient security and increasing risk. "
Baker added that the smart grid effort represents "$50 billion in the U.S. in technology that will arguably make the grid less secure."
Which, ironically enough, is where the security element of this equation kicks in.
One of the key takeaways of the 60 Minutes piece: According to Sean McGurk, former head of cyberdefense at the Department of Homeland Security, is that Stuxnet has given countries like Russia and China, not to mention terrorist groups and gangs of cybercriminals for hire, a textbook on how to attack key U.S. installations. "You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back toward wherever it came from," McGurk said.
The exchange between Kroft and McGurk that followed was utterly eye-opening, even disturbing: Kroft: If somebody in the government had come to you and said, "Look, we're thinking about doing this. What do you think?" What would you have told them?
McGurk: I would have strongly cautioned them against it because of the unintended consequences of releasing such a code. Kroft: Meaning that other people could use it against you?
These unintended consequences McGurk alluded to are especially telling. There’s the opportunity for anyone inclined to do it on their own or as a fee-for-hire arrangement to produce a strain of Stuxnet that is as virulent and transparent as its predecessor. There’s the opportunity to sideline complete regions of the country, isolating and literally leaving citizens powerless from coast to coast. There's also the challenge of trying to tame a virus that could be thousands of code lines long, replete with infinite permutations designed to frustrate IT security coders from eliminating, controlling, or even quarantining them before they spread.
On the other side of the equation are the utility companies. Let's be honest. It's beyond the ability of most power utility companies, however they're organized and in whatever part of the country they're located, to keep determined cyberinsurgents at bay, at least for very long. After all, they're in the business of delivering electricity with 100 percent assurance, 24/7/365, not suspecting an event of cyber-sabotage from an offline programmable logic controller (or whatever device on their network approximates a PLC, the kind targeted by Stuxnet). And, no slight intended, given Stuxnet's reputation as being near invisible, identifying it readily is also far beyond the means of most, if not all, rank-and-file power grid employees.
So let's say we split the difference. If you listen to anyone "in the know," the possibility of a cyberattack on our power grid increases incrementally with each passing week. The fallout (e.g., detritus) from Stuxnet -- presumably engineered by a government body somewhere -- is now being shouldered (either rightly or wrongly) on private utilities and the private citizens who run them and who must now pick up the pieces.
If we are to effectively combat the next Stuxnet -- and mostly I am a hands-off libertarian when it comes to government intervention of this magnitude -- it seems to me that the only way to do that effectively, even holistically, is for the private and public sectors to collaborate on security defense and data protection. Yes, limit the NSA's powers, but not to the point they're inert or, conversely, obnoxiously intrusive. In turn, require the power companies to share their data and security profiles, related databases, and protection policies with the NSA or its proxy. Vigilance and two-way communication -- a private-public partnership -- is clearly the "solve" for preserving the integrity of "the grid."
As British Prime Minister Winston Churchill said during World War II, "He who fails to plan is planning to fail." When it comes to protecting our power grid -- failure, clearly, is never an option.
Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and datacenter virtualization.