Dark Reading
Guest Blog // Selected Security Content Provided By Sophos
3/12/2012
Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences

The debate persists: Should the feds supply security oversight for utilities to stop the next Stuxnet? Or can they really go it alone?

In data security circles, Stuxnet is the stuff of urban legend. It's a legend, however, that shows no signs of wearing out its welcome or relevance.

In fact, Steve Kroft's recent report on the venerable 60 Minutes news magazine about that highly sophisticated, centrifuge-specific stealth worm that briefly upset Iran's nuclear apple cart (so to speak) raises important questions for both the security and power-generation industries in North America. For example, could future malware modeled on Stuxnet target other critical infrastructure, such as nuclear power plants or water systems? And who should be responsible for detecting it: private industry, or the intelligence-gathering agencies of the federal government?

I guess that all depends on where your security bias lies and how your political dispositions shake out.

Taking the latter of those questions first (presumably ripe fodder for the politicos among us), the Network World article in CSO, "Should US Intelligence Agency have a role in Protecting Electric Grid?" describes the ongoing cybersecurity legislation debate in Congress and why it has suddenly reached fever pitch. The central dispute is whether power companies, if required to, could implement new federally mandated network protections on their own, or whether the U.S. government and the National Security Agency (NSA) should step in to deploy and enforce the requirements and monitor the results.

According to this article, a catalyzing event for this debate was NSA director General Keith Alexander recently being taken to the Obama administration's virtual woodshed over comments arguing for more legal authority to defend the nation against cyberattack. Under such a scheme, power companies would be required to perform continuous scanning using threat data provided by the NSA and to turn over any evidence of cyberattacks to the government. As you'd imagine, post-Orwellian-era outrage about threats to privacy deservedly abounds.

In a similar vein, sentiments from panelists assembled at the recent RSA Conference in San Francisco to discuss protecting the U.S. power grid ranged from the decidedly hands-off to those favoring a more proactive approach.

One of the panelists, attorney Stewart Baker, said, "This is not about protecting a super-secret interception system. It's not, however, necessary for NSA to do all the monitoring." Kevin Gronberg, senior counsel on the U.S. House Committee on Homeland Security, represented the Republican perspective: "an extremely light touch" in dictating cybersecurity defense procedures to power-generating companies. He made it clear, however, that the smart grid initiative, in which billions are now being invested to enable new capabilities and to realize presumed efficiencies in electricity delivery, is being done "without sufficient security and increasing risk."

Baker added that the smart grid effort represents "$50 billion in the U.S. in technology that will arguably make the grid less secure."

Which, ironically enough, is where the security element of this equation kicks in.

One of the key takeaways of the 60 Minutes piece, according to Sean McGurk, former head of cyberdefense at the Department of Homeland Security, is that Stuxnet has given countries like Russia and China, not to mention terrorist groups and gangs of cybercriminals for hire, a textbook on how to attack key U.S. installations. "You can download the actual source code of Stuxnet now and you can repurpose it and repackage it and then, you know, point it back toward wherever it came from," McGurk said.

The exchange between Kroft and McGurk that followed was utterly eye-opening, even disturbing:

Kroft: If somebody in the government had come to you and said, "Look, we're thinking about doing this. What do you think?" What would you have told them?

McGurk: I would have strongly cautioned them against it because of the unintended consequences of releasing such a code.

Kroft: Meaning that other people could use it against you?

McGurk: Yes.

The unintended consequences McGurk alluded to are especially telling. There's the opportunity for anyone so inclined, acting alone or for hire, to produce a strain of Stuxnet as virulent and as stealthy as its predecessor. There's the opportunity to sideline entire regions of the country, isolating citizens and literally leaving them powerless from coast to coast. And there's the challenge of taming malware that could run to thousands of lines of code and spawn countless variants designed to keep security teams from eliminating, containing, or even quarantining it before it spreads.

On the other side of the equation are the utility companies. Let's be honest: it's beyond the ability of most power utilities, however they're organized and wherever in the country they're located, to keep determined cyberinsurgents at bay, at least for very long. After all, they're in the business of delivering electricity with 100 percent assurance, 24/7/365, not of suspecting an act of cyber-sabotage against an offline programmable logic controller (or whatever device on their network approximates a PLC, the kind of controller Stuxnet targeted). And, no slight intended, given Stuxnet's reputation for being nearly invisible, readily identifying it is also far beyond the means of most, if not all, rank-and-file power grid employees.

So let's say we split the difference. If you listen to anyone "in the know," the likelihood of a cyberattack on our power grid increases with each passing week. The fallout from Stuxnet, presumably engineered by a government body somewhere, is now being shouldered (rightly or wrongly) by private utilities and the private citizens who run them and who must now pick up the pieces.

If we are to effectively combat the next Stuxnet (and I am mostly a hands-off libertarian when it comes to government intervention of this magnitude), it seems to me that the only way to do so effectively, even holistically, is for the private and public sectors to collaborate on security defense and data protection. Yes, limit the NSA's powers, but not to the point that they're inert or, conversely, obnoxiously intrusive. In turn, require the power companies to share their data, security profiles, related databases, and protection policies with the NSA or its proxy. Vigilance and two-way communication, a private-public partnership, is clearly the "solve" for preserving the integrity of "the grid."

As the saying often attributed to British Prime Minister Winston Churchill goes, "He who fails to plan is planning to fail." When it comes to protecting our power grid, failure, clearly, is never an option.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and datacenter virtualization.

Comments

MSURESH441, User Rank: Apprentice
3/15/2012 | 10:04:09 PM
re: Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences
The problem with any solution involving NSA is that they never play well with others. They do not willingly offer advice, because they prefer a world where everyone else has vulnerabilities they can potentially exploit. They're always afraid that telling others what is more secure lets the world know what THEY have problems with.

It's very like the difference between prosecutors and defense attorneys. Most attorneys don't do both things equally well. If the US really wants to be secure, building expertise into DHS would be better.
Bprince, User Rank: Ninja
3/15/2012 | 2:53:14 AM
re: Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences
Interesting though to juxtapose McGurk's comment with the comment from Gen. Hayden (former CIA), who said during the 60 Minutes program that Stuxnet was a good idea.
Brian Prince, InformationWeek/Dark Reading Comment Moderator