Perimeter
Guest Blog // Selected Security Content Provided By Sophos
3/12/2012 10:06 AM
Dark Reading

Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences

The debate persists: Should the feds supply security oversight for utilities to stop the next Stuxnet? Or can they really go it alone?

In data security circles, Stuxnet is the stuff of urban legend. It's a legend, however, that shows no signs of wearing out its welcome or relevance.

In fact, Steve Kroft’s recent broadcast report on the venerable 60 Minutes news magazine about that highly sophisticated, centrifuge-specific stealth virus that briefly upset the country of Iran's nuclear apple cart (so to speak) raises important questions for both the security and power-generation industries in North America. For example, could future malware modeled on Stuxnet target other critical infrastructure, such as nuclear power plants or water systems? Also, who should be responsible for detecting it -- private industry or intelligence-gathering agencies within the federal government?

I guess that all depends on where your security bias lies and how your political dispositions shake out.

Taking the latter of those questions first (and presumably ripe fodder for the politicos among us), the Network World article in CSO, "Should US Intelligence Agency have a role in Protecting Electric Grid?" related the ongoing cybersecurity legislation debate in Congress and why it's suddenly reaching fever pitch. What is turning up the heat is the question of whether our power companies (if forced) would be able to implement new federally mandated network protections on their own, or whether the U.S. government and the National Security Agency (NSA) should step in to deploy and enforce the requirements and monitor the results.

According to this article, a catalyzing event for this debate was how NSA director General Keith Alexander was recently taken to the Obama administration's virtual woodshed over comments that argued for more legal authority to defend the nation against cyberattack. In effect, power companies would be required to perform continuous scanning with threat data provided by the NSA and to turn over any evidence of cyberattacks to the government. As you'd imagine, post-Orwellian-era outrage about threats to privacy deservedly abounds.

In a similar vein, sentiments from panelists assembled for the recent RSA Conference in San Francisco to discuss the topic of protecting the U.S. power grid ranged from the decidedly hands-off to those that favored more of a proactive approach.

One of the panelists, attorney Stewart Baker, said, "This is not about protecting a super-secret interception system. It's not, however, necessary for NSA to do all the monitoring." Kevin Gronberg, senior counsel on the U.S. House Committee on Homeland Security, Capitol Hill, represented the Republican perspective -- "an extremely light touch" in dictating cybersecurity defense procedures to power-generating companies. He made it clear, however, that the smart grid initiative, in which billions are now being invested to enable new capabilities and to realize presumed efficiencies in electricity delivery, is being done "without sufficient security and increasing risk."

Baker added that the smart grid effort represents "$50 billion in the U.S. in technology that will arguably make the grid less secure."

Which, ironically enough, is where the security element of this equation kicks in.

One of the key takeaways of the 60 Minutes piece, according to Sean McGurk, former head of cyberdefense at the Department of Homeland Security, is that Stuxnet has given countries like Russia and China, not to mention terrorist groups and gangs of cybercriminals for hire, a textbook on how to attack key U.S. installations. "You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back toward wherever it came from," McGurk said.

The exchange between Kroft and McGurk that followed was utterly eye-opening, even disturbing:

Kroft: If somebody in the government had come to you and said, "Look, we're thinking about doing this. What do you think?" What would you have told them?

McGurk: I would have strongly cautioned them against it because of the unintended consequences of releasing such a code.

Kroft: Meaning that other people could use it against you?

McGurk: Yes.

These unintended consequences McGurk alluded to are especially telling. There's the opportunity for anyone inclined to do it, on their own or as a fee-for-hire arrangement, to produce a strain of Stuxnet that is as virulent and transparent as its predecessor. There's the opportunity to sideline complete regions of the country, isolating and literally leaving citizens powerless from coast to coast. There's also the challenge of trying to tame a virus that could be thousands of lines of code long, replete with endless permutations designed to keep IT security staff from eliminating, controlling, or even quarantining it before it spreads.

On the other side of the equation are the utility companies. Let's be honest. It's beyond the ability of most power utility companies, however they're organized and in whatever part of the country they're located, to keep determined cyberinsurgents at bay, at least for very long. After all, they're in the business of delivering electricity with 100 percent assurance, 24/7/365, not suspecting an event of cyber-sabotage from an offline programmable logic controller (or whatever device on their network approximates a PLC, the kind targeted by Stuxnet). And, no slight intended, given Stuxnet's reputation as being near invisible, identifying it readily is also far beyond the means of most, if not all, rank-and-file power grid employees.

So let's say we split the difference. If you listen to anyone "in the know," the possibility of a cyberattack on our power grid increases incrementally with each passing week. The fallout (i.e., the detritus) from Stuxnet -- presumably engineered by a government body somewhere -- is now being shouldered (either rightly or wrongly) by private utilities and the private citizens who run them and who must now pick up the pieces.

If we are to effectively combat the next Stuxnet -- and mostly I am a hands-off libertarian when it comes to government intervention of this magnitude -- it seems to me that the only way to do that effectively, even holistically, is for the private and public sectors to collaborate on security defense and data protection. Yes, limit the NSA's powers, but not to the point they're inert or, conversely, obnoxiously intrusive. In turn, require the power companies to share their data and security profiles, related databases, and protection policies with the NSA or its proxy. Vigilance and two-way communication -- a private-public partnership -- is clearly the "solve" for preserving the integrity of "the grid."

As British Prime Minister Winston Churchill said during World War II, "He who fails to plan is planning to fail." When it comes to protecting our power grid -- failure, clearly, is never an option.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and datacenter virtualization.

Comments

MSURESH441, 3/15/2012 | 10:04:09 PM
re: Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences
The problem with any solution involving NSA is that they never play well with others. They do not willingly offer advice, because they prefer a world where everyone else has vulnerabilities they can potentially exploit. They're always afraid that telling others what is more secure lets the world know what THEY have problems with.

It's very like the difference between prosecutors and defense attorneys. Most attorneys don't do both things equally well. If the US really wants to be secure, building expertise into DHS would be better.

Bprince, 3/15/2012 | 2:53:14 AM
re: Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences
Interesting though to juxtapose McGurk's comment with the comment from Gen. Hayden (former CIA), who said during the 60 Minutes program that Stuxnet was a good idea.
Brian Prince, InformationWeek/Dark Reading Comment Moderator