Question:

336 Part Two Information Technology Infrastructure

INTERACTIVE SESSION: ORGANIZATIONS

STUXNET AND THE CHANGING FACE OF CYBERWARFARE

In July 2010, reports surfaced about a Stuxnet worm that had been targeting Iran's nuclear facilities. In November of that year, Iran's President Mahmoud Ahmadinejad publicly acknowledged that malicious software had infected the Iranian nuclear facilities and disrupted the nuclear program by disabling the facilities' centrifuges. Stuxnet had earned its place in history as the first visible example of industrial cyberwarfare.

To date, Stuxnet is the most sophisticated cyberweapon ever deployed. Stuxnet's mission was to activate only computers that ran Supervisory Control and Data Acquisition (SCADA) software used in Siemens centrifuges to enrich uranium. The Windows-based worm had a "dual warhead." One part was designed to lie dormant for long periods, then speed up Iran's nuclear centrifuges so that they spun wildly out of control. Another secretly recorded what normal operations at the nuclear plant looked like and then played those recordings back to plant operators so it would appear that the centrifuges were operating normally when they were actually tearing themselves apart.

The worm's sophistication indicated the work of highly skilled professionals. Michael Assante, president and CEO of the National Board of Information Security Examiners, views Stuxnet as a weapons delivery system like the B-2 Bomber. The software program code was highly modular, so that it could be easily changed to attack different systems. Stuxnet only became active when it encountered a specific configuration of controllers, running a set of processes limited to centrifuge plants.

Over 60 percent of Stuxnet-infected computers are in Iran, and digital security company Kaspersky Labs speculates that the worm was launched with nation-state support (probably from Israel and the United States) with the intention of disabling some or all of Iran's uranium enrichment program. Stuxnet wiped out about one-fifth of Iran's nuclear centrifuges. The damage was irreparable and is believed to have delayed Iran's ability to make nuclear arms by as much as five years. And no one is certain that the Stuxnet attacks are over. Some experts who examined the Stuxnet software code believe it contains the seeds for more versions and attacks.

According to a Tofino Security report, Stuxnet is capable of infecting even well-secured computer systems that follow industry best practices. Companies' need for interconnectivity between control systems makes it nearly impossible to defend against a well-constructed, multi-pronged attack such as Stuxnet.

And Stuxnet is not the only cyberweapon currently at work. The Flame virus, released about five years ago, has been infecting computers in Iran, Lebanon, Sudan, Saudi Arabia, Egypt, Syria, and Israel. While researchers are still analyzing the program, the attack's main goal is stealing information and espionage. Flame is able to grab images of users' computer screens, record their instant messaging chats, collect passwords, remotely turn on their microphones to record audio conversations, scan disks for specific files, and monitor their keystrokes and network traffic. The software also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. These data, along with locally stored documents, can be sent to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

The Duqu worm, discovered in September 2011, also aims to steal information by scanning systems. Duqu infects a very small number of very specific systems around the world, but may use completely different modules for infiltrating those separate systems. One of Duqu's actions is to steal digital certificates used for authentication from attacked computers to help future viruses appear as secure software. It is going largely undetected. Security researchers believe Duqu was created by the same group of programmers behind Stuxnet.

The real worry for security experts and government officials is an act of cyberwarfare against a critical resource, such as the electric grid, financial systems, or communications systems. (In April 2009, cyberspies infiltrated the U.S. electrical grid, using weak points where computers on the grid are connected to the Internet, and left behind software programs whose purpose is unclear, but which presumably could be used to disrupt the system.) The U.S. has no clear strategy about how the country would respond to that level of cyberattack, and the effects of such an attack would likely be devastating. Mike McConnell, the former director of national intelligence, stated that if even a single large American bank were successfully attacked, it would have an order-of-magnitude greater impact on the global economy than the World Trade Center attacks, and that the ability to threaten the U.S. money supply is the financial equivalent of a nuclear weapon.

Chapter 8 Securing Information Systems 337

Many security experts believe that U.S. cybersecurity is not well organized. Several different agencies, including the Pentagon and the National Security Agency (NSA), have their sights on being the leading agency in the ongoing efforts to combat cyberwarfare. The first headquarters designed to coordinate government cybersecurity efforts, called Cybercom, was activated in May 2010 in the hope of resolving this organizational tangle. In May 2011 President Barack Obama signed executive orders weaving cyber capabilities into U.S. military strategy, but these capabilities are still evolving. Will the United States and other nations be ready when the next Stuxnet appears?

Sources: Brian Royer, "Stuxnet, The Nation's Power Grid, And The Law Of Unintended Consequences," Dark Reading, March 12, 2012; Thomas Erdbrink, "Iran Confirms Attack by Virus That Collects Information," The New York Times, May 29, 2012; Nicole Perlroth, "Virus Infects Computers Across Middle East," The New York Times, May 28, 2012; Thom Shanker and Elisabeth Bumiller, "After Suffering Damaging Cyberattack, the Pentagon Takes Defensive Action," The New York Times, July 15, 2011; Robert Lemos, "Secure Best Practices No Proof Against Stuxnet," CSO, March 3, 2011; Lolita C. Baldor, "Pentagon Gets Cyberwar Guidelines," Associated Press, June 22, 2011; William J. Broad, John Markoff, and David E. Sanger, "Israel Tests on Worm Called Crucial in Iran Nuclear Delay," The New York Times, January 15, 2011; George V. Hulme, "SCADA Insecurity," and Michael S. Mimoso, "Cyberspace Has Gone Offensive," Information Security's Essential Guide to Threat Management (June 14, 2011); and Siobhan Gorman and Julian E. Barnes, "Cyber Combat: Act of War," The Wall Street Journal, May 31, 2011.

CASE STUDY QUESTIONS

1. Is cyberwarfare a serious problem? Why or why not?
2. Assess the management, organization, and technology factors that have created this problem.
3. What makes Stuxnet different from other cyberwarfare attacks? How serious a threat is this technology?
4. What solutions have been proposed for this problem? Do you think they will be effective? Why or why not?
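The "dual warhead" described in the case (driving the centrifuges out of spec while replaying recorded normal-looking readings to operators) suggests one defensive check a plant can run on its own telemetry. The following Python is an added example, not part of the case study or of any vendor's product: it flags any stretch of readings that exactly reproduces an earlier stretch, since genuine sensor data carries noise. The sample readings are constructed, and the names find_replayed_segments and build_sample are hypothetical.

```python
import random
from typing import Dict, List, Tuple


def find_replayed_segments(readings: List[float], window: int = 8,
                           decimals: int = 3) -> List[Tuple[int, int, int]]:
    """Return (earlier_start, later_start, length) for each maximal stretch of at
    least `window` readings that exactly reproduces an earlier, non-overlapping
    stretch (compared after rounding to `decimals`).

    Genuine sensor data carries measurement noise, so a long exact repeat is a
    replay indicator rather than physics. A perfectly flat signal also triggers
    this check, which for a noisy sensor is itself worth an operator's attention.
    """
    first_seen: Dict[Tuple[float, ...], int] = {}
    segments: List[List[int]] = []          # mutable [earlier, later, length]
    for start in range(len(readings) - window + 1):
        key = tuple(round(v, decimals) for v in readings[start:start + window])
        earlier = first_seen.get(key)
        if earlier is not None and start >= earlier + window:
            last = segments[-1] if segments else None
            # Does this window continue the previous match by exactly one position?
            if last and last[0] + last[2] - window + 1 == earlier \
                    and last[1] + last[2] - window + 1 == start:
                last[2] += 1
            else:
                segments.append([earlier, start, window])
        else:
            first_seen.setdefault(key, start)
    return [tuple(s) for s in segments]


def build_sample(seed: int = 7) -> List[float]:
    """Constructed telemetry: centrifuge speed in RPM with sensor noise, followed
    by a 20-sample replay of an earlier 'normal' stretch, then live data again."""
    rng = random.Random(seed)
    live = [round(1000.0 + rng.gauss(0.0, 2.0), 3) for _ in range(60)]
    replayed = live[10:30]                  # the recording an operator would be shown
    tail = [round(1000.0 + rng.gauss(0.0, 2.0), 3) for _ in range(10)]
    return live + replayed + tail


if __name__ == "__main__":
    for earlier, later, length in find_replayed_segments(build_sample()):
        print(f"readings {later}-{later + length - 1} repeat {earlier}-{earlier + length - 1}")
```

The check is a heuristic: it cannot see a replay that was re-noised or that never repeats itself, so it complements independent physical measurements (vibration, power draw) rather than replacing them.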