Guest Blog // Selected Security Content Provided By Sophos
What's This?
10:06 AM
Dark Reading
Dark Reading
Security Insights

Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences

The debate persists: Should the feds supply security oversight for utilities to stop the next Stuxnet? Or can they really go it alone?

In data security circles, Stuxnet is the stuff of urban legend. It's a legend, however, that shows no signs of wearing out its welcome or relevance.

In fact, Steve Kroft’s recent broadcast report on the venerable 60 Minutes news magazine about that highly sophisticated, centrifuge-specific stealth virus that briefly upset the country of Iran's nuclear apple cart (so to speak) raises important questions for both the security and power-generation industries in North America. For example, could future malware modeled on Stuxnet target other critical infrastructure, such as nuclear power plants or water systems? Also, who should be responsible for detecting it -- private industry or intelligence-gathering agencies within the federal government?

I guess that all depends on where your security bias lies and how your political dispositions shake out.

Taking the latter of those questions first (and presumably ripe fodder for the politicos among us), the Network World article in CSO, "Should US Intelligence Agency have a role in Protecting Electric Grid?" related the ongoing cybersecurity legislation debate in Congress and why it's suddenly reaching fever pitch. Turning up the heat is whether our power companies (if forced) would be able to implement new federally mandated network protections, or whether the U.S. government and National Security Agency (NSA) should step in, deploy, and enforce the requirements and monitor the results.

According to this article, a catalyzing event for this debate was how NSA director General Keith Alexander was recently taken to the Obama administration's virtual woodshed over comments that argued for more legal authority to defend the nation against cyberattack. In effect, power companies would be required to perform continuous scanning with threat data provided by NSA and turn over any evidence of cyberattacks to the government. As you'd imagine, post-Orwellian era outrage about threats to privacy deservedly abound.

In a similar vein, sentiments from panelists assembled for the recent RSA Conference in San Francisco to discuss the topic of protecting the U.S. power grid ranged from the decidedly hands-off to those that favored more of a proactive approach.

One of the panelists, attorney Stewart Baker, said, "This is not about protecting a super-secret interception system. It's not, however, necessary for NSA to do all the monitoring." Kevin Gronberg, senior counsel on the U.S. House Committee on Homeland Security, Capitol Hill, represented the Republican perspective -- "an extremely light touch" in dictating cybersecurity defense procedures to power-generating companies. He made it clear, however, that the smart grid initiative, in which billions are now being invested to enable new capabilities and to realize presumed efficiencies in electricity delivery, are being done "without sufficient security and increasing risk. "

Baker added that the smart grid effort represents "$50 billion in the U.S. in technology that will arguably make the grid less secure."

Which, ironically enough, is where the security element of this equation kicks in.

One of the key takeaways of the 60 Minutes piece: According to Sean McGurk, former head of cyberdefense at the Department of Homeland Security, is that Stuxnet has given countries like Russia and China, not to mention terrorist groups and gangs of cybercriminals for hire, a textbook on how to attack key U.S. installations. "You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back toward wherever it came from," McGurk said.

The exchange between Kroft and McGurk that followed was utterly eye-opening, even disturbing: Kroft: If somebody in the government had come to you and said, "Look, we're thinking about doing this. What do you think?" What would you have told them?

McGurk: I would have strongly cautioned them against it because of the unintended consequences of releasing such a code. Kroft: Meaning that other people could use it against you?

McGurk: Yes.

These unintended consequences McGurk alluded to are especially telling. There’s the opportunity for anyone inclined to do it on their own or as a fee-for-hire arrangement to produce a strain of Stuxnet that is as virulent and transparent as its predecessor. There’s the opportunity to sideline complete regions of the country, isolating and literally leaving citizens powerless from coast to coast. There's also the challenge of trying to tame a virus that could be thousands of code lines long, replete with infinite permutations designed to frustrate IT security coders from eliminating, controlling, or even quarantining them before they spread.

On the other side of the equation are the utility companies. Let's be honest. It's beyond the ability of most power utility companies, however they're organized and in whatever part of the country they're located, to keep determined cyberinsurgents at bay, at least for very long. After all, they're in the business of delivering electricity with 100 percent assurance, 24/7/365, not suspecting an event of cyber-sabotage from an offline programmable logic controller (or whatever device on their network approximates a PLC, the kind targeted by Stuxnet). And, no slight intended, given Stuxnet's reputation as being near invisible, identifying it readily is also far beyond the means of most, if not all, rank-and-file power grid employees.

So let's say we split the difference. If you listen to anyone "in the know," the possibility of a cyberattack on our power grid increases incrementally with each passing week. The fallout (e.g., detritus) from Stuxnet -- presumably engineered by a government body somewhere -- is now being shouldered (either rightly or wrongly) on private utilities and the private citizens who run them and who must now pick up the pieces.

If we are to effectively combat the next Stuxnet -- and mostly I am a hands-off libertarian when it comes to government intervention of this magnitude -- it seems to me that the only way to do that effectively, even holistically, is for the private and public sectors to collaborate on security defense and data protection. Yes, limit the NSA's powers, but not to the point they're inert or, conversely, obnoxiously intrusive. In turn, require the power companies to share their data and security profiles, related databases, and protection policies with the NSA or its proxy. Vigilance and two-way communication -- a private-public partnership -- is clearly the "solve" for preserving the integrity of "the grid."

As British Prime Minister Winston Churchill said during World War II, "He who fails to plan is planning to fail." When it comes to protecting our power grid -- failure, clearly, is never an option.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and datacenter virtualization.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/15/2012 | 10:04:09 PM
re: Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences
The problem with any solution involving NSA is that they never play well with others. They do not willingly offer advice, because they prefer a world where everyone else has vulnerabilities they can potentially exploit. They're always afraid that telling others what is more secure lets the world know what THEY have problems with.

It's very like the difference between prosecutors and defense attorneys. Most attorneys don't do both things equally well. If the US really wants to be secure, building expertise into DHS would be better.
User Rank: Ninja
3/15/2012 | 2:53:14 AM
re: Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences
Interesting though to juxtapose McGurk's comment with the comment from Gen. Hayden (former CIA), who said during the 60 Minutes program that Stuxnet was a good idea.
Brian Prince, InformationWeek/Dark Reading Comment Moderator-á
Register for Dark Reading Newsletters
White Papers
Latest Comment: nice post
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

Published: 2015-07-01
Heap-based buffer overflow in libwmf allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

Published: 2015-07-01
IBM PowerVC Standard Edition through does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report