CYBEREYE

Cyberattacks on infrastructure are the 'new normal'

The ability to recover from attacks takes on greater importance in the new reality of cyber war

Because of its very nature, critical infrastructure should be resilient. It should be able to withstand disastrous events, mitigate their impact, fail gracefully and recover quickly. But in a new era in which cyber war is a reality, resiliency is becoming a strategic necessity.

“The critical infrastructure is in play,” Black Hat founder Jeff Moss said in opening the annual Black Hat Federal cybersecurity conference last week. “If your assets are in play, you’d better be able to respond and recover faster.”

What put these assets into play — or at least gave notice of the fact — was the Stuxnet worm, which Moss called “the topic that won’t die.” It was publicly revealed in July and has since been found to be a targeted attack against a specific process control system. It is widely believed to have been intended to disrupt Iran’s uranium enrichment program, which it might well have done, but 60,000 other infections have been identified around the world.


Stuxnet is merely one example of a new reality, Moss said.

“I don’t believe this is the first one,” he said of the worm that appears to cross the line between cyber and kinetic warfare. “I believe it’s the first public one. This is the new normal. This is the new world we will be living in.”

Moss, best known as the founder of the Black Hat and DEF CON hacker conferences, also is a security consultant and a member of the president’s Homeland Security Advisory Council.

Just what Stuxnet is and how good it is still is being debated. As one Black Hat Federal presenter, Tom Parker, director of security consulting services at Securicon, pointed out, “the fact that we are talking about it now shows that the developers failed to some extent.” It apparently was never intended to circulate in the wild where it could be captured and analyzed.

However, it is sophisticated. Who made it is not known, but the consensus of analysts is that it was the work of a team with considerable resources. The effort would be measured in man-years. It required access to expensive and regulated hardware as a test bed, and apparently took advantage of detailed intelligence about its target. It was not done on the cheap.

On the one hand, this is alarming: We don’t know who made Stuxnet and nobody wants them crafting another worm to attack us. But on the other hand, there is some comfort here, not only in the fallibility of the developers but also in the apparent complexity and expense of the attack. Nobody pretends to know what Stuxnet cost to develop, but it was not a trivial exercise, and the attackers will have to consider the return on investment before unleashing it.

That is where resiliency comes in.

Hardening the country’s power grid or the control systems for critical utilities and services to the point that they are invulnerable to attack would be cost-prohibitive, if it were possible at all. But having the ability to mitigate the impact of an attack, fail gracefully and recover quickly — that is, being resilient — could be effective, because launching a Stuxnet-like attack might make little economic sense for the attackers.

The country’s critical infrastructure is far from what it should be, but past failures, such as the massive Northeast Blackout of 2003 that affected about 55 million people from the Hudson Bay to the Chesapeake, show that we can recover from catastrophic failures without catastrophic damage. Improving the infrastructure’s ability to defend against and respond to such failures will be an important strategic deterrent to attack.

Reader Comments

Tue, Jan 25, 2011 Michael Aisenberg D.C.

When you scrape the reporter-speak away from Mr. Jackson's story, his reportage of Mr. Moss' thesis is a reflection of an emerging world view shared by a number of influential cyber practitioners. At a Commerce Department cyber forum last fall, DHS cyber security head Phil Reitinger posited a 21st Century in which cyber threats are the new norm, because as Mr. Moss observes, most critical infrastructures are cyber-dependent. "Bad guys"--those who seek to disrupt, those who see political advantage, those who seek to steal (following the Willie Sutton theory--go where the money is) will attack critical infrastructures, and use the cyber channel as the vector of attack. It is ubiquitous, it is available, and it is vulnerable. So, as Deputy Under Secretary Reitinger observed, DON'T expect our need for cyber defense to go away, because cyber attack against CI will become as pervasive as bank robbery and retail robbery today. And major insults/attacks which can disrupt sectors, cities or nations will increasingly be vectors of ideological expression by terrorists, and nation state acts "ad bellum" or even outright warfare. It should come as no surprise, since it has been observed for some time; but what will surprise many citizens, especially in the U.S. and our peer "cyber intense" economies is why, in the face of all this knowledge about cyber indeed being the vector of choice, we are so slow in developing effective defense, global norms of behavior and remedies and strategies to identify, disable and punish cyber misdeeds from ALL sources.
This was the subject of the 2d annual NATO Cyber Center of Excellence Conference in June 2010 in Tallinn, Estonia, and a theme of a major National Academy study in 2009... Yet here we are in 2011, knowing both who the bad guys are and how they are likely to come at us, essentially unprepared both as critical sectors and in the aggregate, as a nation.... If a "bad thing" happens, and lives are lost and our economy is disrupted for months, or years, there will be plenty of blame to go around. Rather than continuing the folly of $100 billion investment in rooting out A-Q in caves, maybe 10% of that per year put into real cyber defense R&D would be money well spent... it would represent a 5-fold increase in current cyber defense R&D spending. Not a sermon, just a thought.
