Over the past month, considerable attention has been directed at reports of a major cyberattack against the Iranian nuclear program. Allegedly, a highly complex piece of computer malware, called Stuxnet, affected the operations of the Iranian nuclear reactor at Bushehr and/or the uranium enrichment facility at Natanz. While we cannot be sure of details regarding possible accident scenarios at either of these facilities, reports have surfaced in the computer security community that the Iranian government is actively seeking talent familiar with the configuration and deployment of the process control computer systems. The pay: $20,000 a week.
So what is Stuxnet and why should we care (setting aside our Iran concerns)? Blogger Bryan McGrath has declared it “the first cyber smart bomb” and “600 kilobytes of War 2.0.” Much like a real smart bomb, Stuxnet was directed at a single target, limiting the potential for collateral damage. According to computer security software maker Symantec, nearly 60 percent of all Stuxnet infections were registered in a single country: Iran.
Stuxnet is a very small program, no bigger than a spreadsheet or document you might attach to an e-mail, but it does many things. It is able to rewrite instructions on programmable logic controller (PLC) computers, which are the brains of supervisory control and data acquisition (SCADA) process control systems. What does this mean? Take the analogy of the family automobile. Imagine someone was able to adjust the speed at which the belts or timing chain ran or shut off some of the fuel injectors or some other function of the engine by tampering with the onboard computer under the hood. Depending on how the car’s computer was tweaked, eventually you’d find yourself at the shop, maybe with the engine completely machine-gunned. Stuxnet does the same for computers attached to pipelines or assembly lines.
Industrial computer systems deliver instructions to real pieces of hardware on pipelines and electrical grids opening valves and flipping switches. This is work that used to be done by human beings, much like telephone calls used to be completed by real operators at switchboards. PLC computers take people out of the loop; they collect data from sensors and then activate resources in response. When we hear mention of items like “smart grid” or “smart field,” we are being told of how PLCs can more efficiently manage the distribution of resources and bolster the economic bottom line.
What is worrisome is to consider how these smart systems “phone home” to the management offices of the companies employing them. Desired in SCADA implementations is the capacity to see what is going on across the enterprise, to hold a clear picture of operations. Managers can investigate problems virtually and if necessary dispatch technicians to make a repair. But communications must pass in both directions, and to make the investment worth it, those communications should come at little cost. What this translates to is employment of the world’s communications backbone, the Internet.
While these communications may be cheap, those implementing Internet-enabled SCADA systems must confront the cost of opening their operations to the threats that may be delivered via the Internet. Stuxnet, the malware smart bomb giving the Iranians fits, may be deposited in two ways — by USB memory stick or propagation across the Internet. The instance of Stuxnet that hit the Iranians was most likely delivered by the former method, with some guileful clandestine operative plugging the USB stick into the effected PLCs. That should make for a good movie plot.
What will also make for good cinema, but a bad day for anyone affected, is when the next Stuxnet crashes out an electrical grid, upstream oil-and-gas operation or hospital medical data system here. We are taking critical infrastructure online, and while my colleagues and I argued some time ago in this newspaper that hacking the electrical grid was unlikely, the time for complacency has passed. Adding “smart” to our critical infrastructures does not necessarily make us safe. We should be prepared to put a great deal of thought and investment into the security of these systems as they are exposed to the risks involved in touching the Internet.
Source:http://www.chron.com/disp/story.mpl/editorial/outlook/7271330.html
